Work around CVE-2024-12798 and CVE-2024-12801 in Logback

Author: marcphilipp

gradle/libs.versions.toml

@@ -14,6 +14,7 @@ junit4 = "4.13.2"
 junit4Min = "4.12"
 ktlint = "1.5.0"
 log4j = "2.24.3"
+logback = "1.5.15"
 mockito = "5.14.2"
 opentest4j = "1.3.0"
 openTestReporting = "0.2.0-SNAPSHOT"
@@ -76,6 +77,7 @@ eclipse-platform = { module = "org.eclipse.platform:org.eclipse.platform", versi
 jacoco = { module = "org.jacoco:jacoco", version.ref = "jacoco" }
 junit4-latest = { module = "junit:junit", version.ref = "junit4" }
 junit4-bundle = { module = "org.apache.servicemix.bundles:org.apache.servicemix.bundles.junit", version = "4.13.2_1" }
+logback-core = { module = "ch.qos.logback:logback-core", version.ref = "logback" }
 ktlint-cli = { module = "com.pinterest.ktlint:ktlint-cli", version.ref = "ktlint" }
 
 [bundles]

gradle/plugins/common/src/main/kotlin/junitbuild.checkstyle-nohttp.gradle.kts

@@ -6,6 +6,17 @@ dependencies {
 	checkstyle(dependencyFromLibs("nohttp-checkstyle"))
 }
 
+configurations.checkstyle {
+	resolutionStrategy {
+		eachDependency {
+			// Workaround for CVE-2024-12798 and CVE-2024-12801
+			if (requested.group == "ch.qos.logback") {
+				useVersion(requiredVersionFromLibs("logback"))
+			}
+		}
+	}
+}
+
 tasks.register<Checkstyle>("checkstyleNohttp") {
 	group = "verification"
 	description = "Checks for illegal uses of http://"

gradle/plugins/common/src/main/kotlin/junitbuild.spotless-conventions.gradle.kts

@@ -46,6 +46,16 @@ spotless {
 			trimTrailingWhitespace()
 			endWithNewline()
 		}
+		configurations.named { it.startsWith("spotless") }.configureEach {
+			// Workaround for CVE-2024-12798 and CVE-2024-12801
+			resolutionStrategy {
+				eachDependency {
+					if (requested.group == "ch.qos.logback") {
+						useVersion(requiredVersionFromLibs("logback"))
+					}
+				}
+			}
+		}
 	}
 }