Work around CVE-2025-48924 for Checkstyle as well

marcphilipp · marcphilipp · commit b0a7077c2ff6 · 2025-07-17T14:00:26.000+02:00
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -14,7 +14,6 @@ junit4 = "4.13.2"
 junit4Min = "4.12"
 ktlint = "1.7.0"
 log4j = "2.25.1"
-logback = "1.5.18"
 opentest4j = "1.3.0"
 openTestReporting = "0.2.4"
 snapshotTests = "1.11.0"
@@ -82,7 +81,6 @@ eclipse-platform = { module = "org.eclipse.platform:org.eclipse.platform", versi
 jacoco = { module = "org.jacoco:jacoco", version.ref = "jacoco" }
 junit4-latest = { module = "junit:junit", version.ref = "junit4" }
 junit4-bundle = { module = "org.apache.servicemix.bundles:org.apache.servicemix.bundles.junit", version = "4.13.2_1" }
-logback-core = { module = "ch.qos.logback:logback-core", version.ref = "logback" }
 ktlint-cli = { module = "com.pinterest.ktlint:ktlint-cli", version.ref = "ktlint" }
 
 [bundles]
diff --git a/gradle/plugins/common/src/main/kotlin/junitbuild.checkstyle-conventions.gradle.kts b/gradle/plugins/common/src/main/kotlin/junitbuild.checkstyle-conventions.gradle.kts
@@ -5,6 +5,17 @@ plugins {
 	checkstyle
 }
 
+dependencies {
+	constraints {
+		checkstyle("org.apache.commons:commons-lang3") {
+			version {
+				require("3.18.0")
+			}
+			because("Workaround for CVE-2025-48924")
+		}
+	}
+}
+
 checkstyle {
 	toolVersion = requiredVersionFromLibs("checkstyle")
 	configDirectory = rootProject.layout.projectDirectory.dir("gradle/config/checkstyle")
diff --git a/gradle/plugins/common/src/main/kotlin/junitbuild.checkstyle-nohttp.gradle.kts b/gradle/plugins/common/src/main/kotlin/junitbuild.checkstyle-nohttp.gradle.kts
@@ -7,19 +7,17 @@ plugins {
 
 dependencies {
 	checkstyle(dependencyFromLibs("nohttp-checkstyle"))
-}
-
-configurations.checkstyle {
-	resolutionStrategy {
-		eachDependency {
-			// Workaround for CVE-2024-12798 and CVE-2024-12801
-			if (requested.group == "ch.qos.logback") {
-				useVersion(requiredVersionFromLibs("logback"))
+	constraints {
+		checkstyle("com.puppycrawl.tools:checkstyle") {
+			version {
+				require(requiredVersionFromLibs("checkstyle"))
 			}
-			// Workaround for CVE-2025-48734
-			if (requested.group == "commons-beanutils") {
-				useVersion("1.11.0")
+		}
+		checkstyle("ch.qos.logback:logback-classic") {
+			version {
+				require("1.5.18")
 			}
+			because("Workaround for CVE-2024-12798 and CVE-2024-12801")
 		}
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -7,19 +7,17 @@ plugins {`
`7`	`7`
`8`	`8`	`dependencies {`
`9`	`9`	`checkstyle(dependencyFromLibs("nohttp-checkstyle"))`
`10`		`-}`
`11`		`-`
`12`		`-configurations.checkstyle {`
`13`		`- resolutionStrategy {`
`14`		`- eachDependency {`
`15`		`- // Workaround for CVE-2024-12798 and CVE-2024-12801`
`16`		`- if (requested.group == "ch.qos.logback") {`
`17`		`- useVersion(requiredVersionFromLibs("logback"))`
	`10`	`+ constraints {`
	`11`	`+ checkstyle("com.puppycrawl.tools:checkstyle") {`
	`12`	`+ version {`
	`13`	`+ require(requiredVersionFromLibs("checkstyle"))`
`18`	`14`	`}`
`19`		`- // Workaround for CVE-2025-48734`
`20`		`- if (requested.group == "commons-beanutils") {`
`21`		`- useVersion("1.11.0")`
	`15`	`+ }`
	`16`	`+ checkstyle("ch.qos.logback:logback-classic") {`
	`17`	`+ version {`
	`18`	`+ require("1.5.18")`
`22`	`19`	`}`
	`20`	`+ because("Workaround for CVE-2024-12798 and CVE-2024-12801")`
`23`	`21`	`}`
`24`	`22`	`}`
`25`	`23`	`}`