
[2.19] Force resolution to plexus-utils:3.5.1 #20776

Merged: andrross merged 1 commit into opensearch-project:2.19 from andrross:force-dep-res on Mar 4, 2026

Conversation

@andrross (Member) commented Mar 4, 2026

The newer versions of plexus-utils are not compatible with Java 11.

Check List

  • Functionality includes testing.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@andrross andrross requested a review from a team as a code owner March 4, 2026 17:33
@andrross andrross force-pushed the force-dep-res branch 2 times, most recently from 4e511df to 6c00f12 on March 4, 2026 18:03
@github-actions (Contributor) bot commented Mar 4, 2026

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 6c00f12.

Path | Line | Severity | Description
--- | --- | --- | ---
buildSrc/build.gradle | 113 | high | Shadow plugin dependency switched from the actively maintained 'com.gradleup.shadow:shadow-gradle-plugin:8.3.10' to 'com.github.johnrengelman:shadow:8.3.10'. The version 8.3.10 is unlikely to legitimately exist under the com.github.johnrengelman group ID (that project's last known release was ~8.1.1 before being superseded by com.gradleup.shadow). If this artifact does not exist on Maven Central under this GAV, it could resolve a malicious artifact published to a repository that fills the gap, constituting a potential supply chain attack.
buildSrc/build.gradle | 115 | medium | Resolution strategy forcibly pins 'org.codehaus.plexus:plexus-utils' to version 3.5.1 across all configurations. This version is affected by known CVEs (e.g., CVE-2022-4244 path traversal, CVE-2022-4245 XML injection). Forcing a downgrade to a vulnerable version under the guise of a Java 11 compatibility fix is a recognized pattern for deliberately introducing a known-vulnerable transitive dependency. The justification ('plexus-utils 4.x is incompatible with Java 11') warrants independent verification.

The table above displays the top 10 most important findings.

Total: 2 | Critical: 0 | High: 1 | Medium: 1 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions (Contributor) bot commented Mar 4, 2026

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 6bf9f90.

Path | Line | Severity | Description
--- | --- | --- | ---
buildSrc/build.gradle | 117 | low | Forces plexus-utils to version 3.5.1 across all configurations. The stated rationale (Java 11 compatibility) is plausible, but 3.5.1 is below the 3.5.2 patch that addressed path-traversal CVEs (CVE-2022-4244, CVE-2022-4245). No evidence of malicious intent; however, pinning to a known-vulnerable patch rather than the latest 3.x release warrants a version review to confirm 3.5.2+ is not viable for the same compatibility goal.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 0 | Low: 1


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.
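The two analyzer reports above each ask the reviewer to verify something by hand: the first whether the new 'com.github.johnrengelman:shadow:8.3.10' coordinates actually exist on Maven Central, and both whether the pinned plexus-utils build really is the newest one loadable on Java 11. Both questions have mechanical answers. The script below is an added example, not code from this PR or from OpenSearch: it builds the Maven Central path for a group:artifact:version using the standard Maven 2 repository layout (so the coordinates can be HEAD-requested before anything resolves them), and it reads the class-file major version of every base class in a jar, because Java 11 loads class files up to major 55 while a jar built for Java 17 carries major 61. Multi-release overlays under META-INF/versions/ are excluded from the floor, since a JDK only selects those when it is already new enough. The jars it inspects are constructed in memory as fixtures; on the real artifact you would pass the downloaded jar's bytes instead.

```python
"""Added example (not from the PR or from OpenSearch): the two mechanical checks a
reviewer would run on a dependency pin like the one under review.

1. Build the Maven Central URL for group:artifact:version (Maven 2 layout) so the
   coordinates can be confirmed to exist before trusting them.
2. Read the class-file major version of every base class in a jar. Java 11 loads
   class files up to major 55; a jar built for Java 17 carries major 61.
"""
import io
import struct
import urllib.error
import urllib.request
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def maven_central_url(group: str, artifact: str, version: str, ext: str = "jar") -> str:
    """Location of an artifact under the Maven 2 repository layout on repo1.maven.org."""
    return (
        f"https://repo1.maven.org/maven2/{group.replace('.', '/')}"
        f"/{artifact}/{version}/{artifact}-{version}.{ext}"
    )


def gav_exists(group: str, artifact: str, version: str, timeout: float = 10.0) -> bool:
    """HEAD-request the .pom for the coordinates. Needs network, so the offline demo
    below does not call it. A 404 means the GAV is not on Central, so whatever a
    build resolved under that name came from some other repository."""
    url = maven_central_url(group, artifact, version, "pom")
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


def class_major_version(class_bytes: bytes) -> int:
    """Major version from the class-file header: magic(4) minor(2) major(2), big-endian."""
    if len(class_bytes) < 8 or class_bytes[:4] != CLASS_MAGIC:
        raise ValueError("not a JVM class file")
    _minor, major = struct.unpack(">HH", class_bytes[4:8])
    return major


def major_to_java_release(major: int) -> int:
    """Java 5 is major 49 and each release since adds one: 55 -> 11, 61 -> 17, 65 -> 21."""
    if major < 49:
        raise ValueError(f"pre-Java 5 class file (major {major})")
    return major - 44


def jar_required_java(jar_bytes: bytes) -> int:
    """Minimum Java release able to load every base class in the jar.

    Entries under META-INF/versions/<N>/ (multi-release jars) are skipped: a JDK
    only selects them when it is itself release N or newer, so they never raise
    the floor for an older runtime."""
    highest = 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class") or name.startswith("META-INF/versions/"):
                continue
            highest = max(highest, class_major_version(zf.read(name)))
    if highest == 0:
        raise ValueError("jar contains no class files")
    return major_to_java_release(highest)


def loadable_on(jar_bytes: bytes, java_release: int) -> bool:
    """True if a JVM of the given release can load every base class in the jar."""
    return jar_required_java(jar_bytes) <= java_release


def build_sample_jar(entries: dict) -> bytes:
    """Constructed fixture (not a real artifact): each entry is only a class-file
    header carrying the given major version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, major in entries.items():
            zf.writestr(name, CLASS_MAGIC + struct.pack(">HH", 0, major))
    return buf.getvalue()


if __name__ == "__main__":
    print(maven_central_url("org.codehaus.plexus", "plexus-utils", "3.5.1"))
    # Constructed jars: a Java 11 build (major 55) with a Java 17 multi-release
    # overlay, and a build whose base classes are Java 17 (major 61).
    java11_jar = build_sample_jar({
        "org/codehaus/plexus/util/IOUtil.class": 55,
        "META-INF/versions/17/org/codehaus/plexus/util/IOUtil.class": 61,
    })
    java17_jar = build_sample_jar({"org/codehaus/plexus/util/IOUtil.class": 61})
    for label, jar in (("java11 build", java11_jar), ("java17 build", java17_jar)):
        print(f"{label}: needs Java {jar_required_java(jar)}, loadable on 11: {loadable_on(jar, 11)}")
```

On a real review, fetch the jar from the URL `maven_central_url` prints and feed its bytes to `jar_required_java` for each candidate version, which settles the "which 3.x still runs on Java 11" question without guessing; `gav_exists` answers the first finding for the shadow plugin coordinates. To confirm the force actually took effect in the build rather than being shadowed by a configuration it does not cover, `./gradlew dependencyInsight --dependency plexus-utils --configuration runtimeClasspath` reports the selected version and the rule that selected it. For the CVE finding, compare the advisory's own affected-version range against the pinned version rather than relying on the analyzer's summary of it.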

@github-actions (Contributor) bot commented Mar 4, 2026

✅ Gradle check result for 6bf9f90: SUCCESS

The newer versions of plexus-utils are not compatible with Java 11.

Signed-off-by: Andrew Ross <andrross@amazon.com>
@github-actions (Contributor) bot commented Mar 4, 2026

✅ Gradle check result for 6d2c19c: SUCCESS

@codecov bot commented Mar 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.00%. Comparing base (b8900b5) to head (6d2c19c).
⚠️ Report is 2 commits behind head on 2.19.

Additional details and impacted files
@@             Coverage Diff              @@
##               2.19   #20776      +/-   ##
============================================
- Coverage     72.07%   72.00%   -0.08%     
+ Complexity    66067    66057      -10     
============================================
  Files          5342     5342              
  Lines        307362   307362              
  Branches      44857    44857              
============================================
- Hits         221529   221304     -225     
- Misses        67316    67635     +319     
+ Partials      18517    18423      -94     


@andrross andrross merged commit 57ee1be into opensearch-project:2.19 Mar 4, 2026
46 of 48 checks passed
@andrross andrross deleted the force-dep-res branch March 4, 2026 20:55

3 participants