feat: bump vulnerable dependencies

Update junit/jaxb/spock

Author: meotchwilliams

build.gradle

@@ -1,7 +1,7 @@
 plugins {
   id "idea"
-  id "com.github.mxenabled.coppuccino" version "4.+" apply false
-  id "com.github.mxenabled.vogue" version "1.+"
+  id "com.github.mxenabled.coppuccino" version "4.4.2" apply false
+  id "com.github.mxenabled.vogue" version "1.1.0"
   id "io.freefair.lombok" version "8.+" apply false
   id "io.github.gradle-nexus.publish-plugin" version "1.1.+"
 }
@@ -29,8 +29,8 @@ allprojects {
   group "com.mx.path-core"
   description "MX Path Core"
   version rootProject.version
-  sourceCompatibility = 1.8
-  targetCompatibility = 1.8
+  sourceCompatibility = JavaVersion.VERSION_11
+  targetCompatibility = JavaVersion.VERSION_11
 
   repositories {
     mavenCentral()
@@ -52,8 +52,8 @@ subprojects {
 
     ext {
       mockitoVersion = "[4.0,5.0)"
-      spockVersion = "2.4-M1-groovy-4.0"
-      junitVersion = "[5.9.0,5.10.0)"
+      spockVersion = "2.4-M6-groovy-3.0"
+      junitVersion = "5.14.0"
     }
 
     dependencies {
@@ -80,7 +80,7 @@ subprojects {
         }
         api("com.google.guava:guava") {
           version {
-            require "[31.0,32.0)"
+              require "[32.0,33.0)"
           }
         }
         api("com.github.rholder:guava-retrying") {
@@ -101,7 +101,7 @@ subprojects {
         api "jakarta.xml.bind:jakarta.xml.bind-api:2.3.3!!"
         api "jakarta.xml.soap:jakarta.xml.soap-api:1.4.2!!"
         api "com.sun.xml.bind:jaxb-impl:2.3.1!!"
-        api "org.glassfish.jaxb:jaxb-runtime:2.3.7!!"
+        api "org.glassfish.jaxb:jaxb-runtime:2.3.9!!"
         // -----------------------------------------------------------------
       }
 
@@ -251,6 +251,6 @@ task subdependencies {
 project.tasks.getByPath("dependencies").finalizedBy("subdependencies")
 
 wrapper {
-  gradleVersion = "7.5.1"
-  distributionType = Wrapper.DistributionType.BIN
+  gradleVersion = "7.6.3"
+  distributionType = Wrapper.DistributionType.ALL
 }

common/build.gradle

@@ -1,14 +1,14 @@
 coppuccino {
   coverage {
-    minimumCoverage = 0.69
+    minimumCoverage = 0.75
   }
 }
 
 dependencies {
   api "org.apache.commons:commons-text:latest.release" // For string manipulation utilities. There is a very small overlap with Guava's strings class, but adds many more features.
   api "com.google.guava:guava"
   api "com.github.rholder:guava-retrying" // For Request retries
-  api "com.github.spotbugs:spotbugs-annotations:4.7.2" // For annotating classes and methods to suppress SpotBugs violations
+  api "com.github.spotbugs:spotbugs-annotations:4.9.8" // For annotating classes and methods to suppress SpotBugs violations
   api "com.google.code.gson:gson"
   api "org.yaml:snakeyaml:1.33"
   implementation "org.slf4j:slf4j-api"

common/gradle.lockfile

@@ -1,86 +1,102 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-antlr:antlr:2.7.7=checkstyle
 com.beust:jcommander:1.48=pmd
 com.github.rholder:guava-retrying:2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.github.spotbugs:spotbugs-annotations:4.7.2=runtimeClasspath,testRuntimeClasspath
-com.github.spotbugs:spotbugs-annotations:4.8.2=compileClasspath,spotbugs,testCompileClasspath
-com.github.spotbugs:spotbugs:4.8.2=spotbugs
+com.github.spotbugs:spotbugs-annotations:4.9.8=compileClasspath,runtimeClasspath,spotbugs,testCompileClasspath,testRuntimeClasspath
+com.github.spotbugs:spotbugs:4.9.8=spotbugs
 com.github.stephenc.jcip:jcip-annotations:1.0-1=spotbugs
 com.google.code.findbugs:jsr305:3.0.2=checkstyle,compileClasspath,runtimeClasspath,spotbugs,testCompileClasspath,testRuntimeClasspath
-com.google.code.gson:gson:2.10.1=spotbugs
+com.google.code.gson:gson:2.13.2=spotbugs
 com.google.code.gson:gson:2.8.9=pmd
 com.google.code.gson:gson:2.9.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.errorprone:error_prone_annotations:2.11.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.errorprone:error_prone_annotations:2.3.4=checkstyle
-com.google.guava:failureaccess:1.0.1=checkstyle,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.guava:guava:28.2-jre=checkstyle
-com.google.guava:guava:31.1-jre=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.errorprone:error_prone_annotations:2.21.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.errorprone:error_prone_annotations:2.36.0=checkstyle
+com.google.errorprone:error_prone_annotations:2.41.0=spotbugs
+com.google.guava:failureaccess:1.0.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.guava:failureaccess:1.0.3=checkstyle
+com.google.guava:guava:32.1.3-jre=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.guava:guava:33.4.8-jre=checkstyle
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=checkstyle,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.j2objc:j2objc-annotations:1.3=checkstyle,compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.puppycrawl.tools:checkstyle:8.29=checkstyle
-commons-beanutils:commons-beanutils:1.9.4=checkstyle
-commons-codec:commons-codec:1.15=spotbugs
+com.google.j2objc:j2objc-annotations:2.8=compileClasspath,testCompileClasspath
+com.google.j2objc:j2objc-annotations:3.0.0=checkstyle
+com.puppycrawl.tools:checkstyle:10.25.0=checkstyle
+commons-beanutils:commons-beanutils:1.11.0=checkstyle
+commons-codec:commons-codec:1.15=checkstyle
 commons-collections:commons-collections:3.2.2=checkstyle
-info.picocli:picocli:4.1.4=checkstyle
+commons-io:commons-io:2.20.0=spotbugs
+info.picocli:picocli:4.7.7=checkstyle
+io.leangen.geantyref:geantyref:1.3.16=testRuntimeClasspath
 jaxen:jaxen:2.0.0=spotbugs
 net.bytebuddy:byte-buddy-agent:1.12.19=testCompileClasspath,testRuntimeClasspath
 net.bytebuddy:byte-buddy:1.12.19=testCompileClasspath,testRuntimeClasspath
-net.sf.saxon:Saxon-HE:12.3=spotbugs
-net.sf.saxon:Saxon-HE:9.9.1-6=checkstyle
-net.sourceforge.pmd:pmd-core:6.54.0=pmd
-net.sourceforge.pmd:pmd-java:6.54.0=pmd
+net.sf.saxon:Saxon-HE:12.5=checkstyle
+net.sf.saxon:Saxon-HE:12.9=spotbugs
+net.sourceforge.pmd:pmd-core:6.55.0=pmd
+net.sourceforge.pmd:pmd-java:6.55.0=pmd
 net.sourceforge.saxon:saxon:9.1.0.8=pmd
+org.antlr:antlr4-runtime:4.13.2=checkstyle
 org.antlr:antlr4-runtime:4.7.2=pmd
-org.antlr:antlr4-runtime:4.8-1=checkstyle
-org.apache.bcel:bcel:6.6.1=spotbugs
-org.apache.commons:commons-lang3:3.13.0=spotbugs
+org.apache.bcel:bcel:6.11.0=spotbugs
 org.apache.commons:commons-lang3:3.18.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.commons:commons-lang3:3.8.1=pmd
-org.apache.commons:commons-text:1.10.0=spotbugs
-org.apache.commons:commons-text:1.14.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.groovy:groovy-bom:4.0.6=testCompileClasspath,testRuntimeClasspath
-org.apache.groovy:groovy:4.0.6=testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents.client5:httpclient5:5.1.3=spotbugs
-org.apache.httpcomponents.core5:httpcore5-h2:5.1.3=spotbugs
-org.apache.httpcomponents.core5:httpcore5:5.1.3=spotbugs
-org.apache.logging.log4j:log4j-api:2.22.0=spotbugs
-org.apache.logging.log4j:log4j-core:2.22.0=spotbugs
+org.apache.commons:commons-lang3:3.19.0=spotbugs
+org.apache.commons:commons-lang3:3.8.1=checkstyle,pmd
+org.apache.commons:commons-text:1.14.0=compileClasspath,runtimeClasspath,spotbugs,testCompileClasspath,testRuntimeClasspath
+org.apache.commons:commons-text:1.3=checkstyle
+org.apache.httpcomponents.client5:httpclient5:5.1.3=checkstyle
+org.apache.httpcomponents.core5:httpcore5-h2:5.1.3=checkstyle
+org.apache.httpcomponents.core5:httpcore5:5.1.3=checkstyle
+org.apache.httpcomponents:httpclient:4.5.13=checkstyle
+org.apache.httpcomponents:httpcore:4.4.14=checkstyle
+org.apache.logging.log4j:log4j-api:2.25.2=spotbugs
+org.apache.logging.log4j:log4j-core:2.25.2=spotbugs
+org.apache.maven.doxia:doxia-core:1.12.0=checkstyle
+org.apache.maven.doxia:doxia-logging-api:1.12.0=checkstyle
+org.apache.maven.doxia:doxia-module-xdoc:1.12.0=checkstyle
+org.apache.maven.doxia:doxia-sink-api:1.12.0=checkstyle
+org.apache.xbean:xbean-reflect:3.7=checkstyle
 org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
-org.checkerframework:checker-qual:2.10.0=checkstyle
-org.checkerframework:checker-qual:3.12.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.dom4j:dom4j:2.1.4=spotbugs
-org.hamcrest:hamcrest:2.2=testCompileClasspath,testRuntimeClasspath
+org.checkerframework:checker-qual:3.37.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.checkerframework:checker-qual:3.49.3=checkstyle
+org.codehaus.groovy:groovy:3.0.24=testCompileClasspath,testRuntimeClasspath
+org.codehaus.plexus:plexus-classworlds:2.6.0=checkstyle
+org.codehaus.plexus:plexus-component-annotations:2.1.0=checkstyle
+org.codehaus.plexus:plexus-container-default:2.1.0=checkstyle
+org.codehaus.plexus:plexus-utils:3.3.0=checkstyle
+org.dom4j:dom4j:2.2.0=spotbugs
+org.hamcrest:hamcrest:3.0=testCompileClasspath,testRuntimeClasspath
 org.jacoco:org.jacoco.agent:0.8.8=jacocoAgent,jacocoAnt
 org.jacoco:org.jacoco.ant:0.8.8=jacocoAnt
 org.jacoco:org.jacoco.core:0.8.8=jacocoAnt
 org.jacoco:org.jacoco.report:0.8.8=jacocoAnt
-org.junit.jupiter:junit-jupiter-api:5.9.3=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-commons:1.9.3=testCompileClasspath,testRuntimeClasspath
-org.junit.platform:junit-platform-engine:1.9.3=testCompileClasspath,testRuntimeClasspath
-org.junit:junit-bom:5.9.0=runtimeClasspath
-org.junit:junit-bom:5.9.3=testCompileClasspath,testRuntimeClasspath
+org.javassist:javassist:3.28.0-GA=checkstyle
+org.jspecify:jspecify:1.0.0=checkstyle
+org.junit.jupiter:junit-jupiter-api:5.14.0=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.14.0=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.14.0=testCompileClasspath,testRuntimeClasspath
+org.junit:junit-bom:5.14.0=runtimeClasspath,spotbugs,testCompileClasspath,testRuntimeClasspath
 org.mockito:mockito-core:4.11.0=testCompileClasspath,testRuntimeClasspath
 org.mockito:mockito-inline:4.11.0=testCompileClasspath,testRuntimeClasspath
 org.objenesis:objenesis:3.3=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.opentest4j:opentest4j:1.2.0=testCompileClasspath,testRuntimeClasspath
+org.opentest4j:opentest4j:1.3.0=testCompileClasspath,testRuntimeClasspath
 org.ow2.asm:asm-analysis:9.2=jacocoAnt
-org.ow2.asm:asm-analysis:9.6=spotbugs
+org.ow2.asm:asm-analysis:9.9=spotbugs
 org.ow2.asm:asm-commons:9.2=jacocoAnt
-org.ow2.asm:asm-commons:9.6=spotbugs
+org.ow2.asm:asm-commons:9.9=spotbugs
 org.ow2.asm:asm-tree:9.2=jacocoAnt
-org.ow2.asm:asm-tree:9.6=spotbugs
-org.ow2.asm:asm-util:9.6=spotbugs
+org.ow2.asm:asm-tree:9.9=spotbugs
+org.ow2.asm:asm-util:9.9=spotbugs
 org.ow2.asm:asm:9.2=jacocoAnt
-org.ow2.asm:asm:9.3=pmd
-org.ow2.asm:asm:9.6=spotbugs
+org.ow2.asm:asm:9.4=pmd
+org.ow2.asm:asm:9.9=spotbugs
 org.projectlombok:lombok:1.18.42=annotationProcessor,compileClasspath,lombok,testAnnotationProcessor,testCompileClasspath
+org.reflections:reflections:0.10.2=checkstyle
 org.slf4j:slf4j-api:1.7.30=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.slf4j:slf4j-api:2.0.0=spotbugsSlf4j
-org.slf4j:slf4j-api:2.0.9=spotbugs
-org.slf4j:slf4j-simple:2.0.0=spotbugsSlf4j
-org.spockframework:spock-core:2.4-M1-groovy-4.0=testCompileClasspath,testRuntimeClasspath
-org.xmlresolver:xmlresolver:5.2.0=spotbugs
+org.slf4j:slf4j-api:2.0.17=spotbugs,spotbugsSlf4j
+org.slf4j:slf4j-simple:2.0.17=spotbugsSlf4j
+org.spockframework:spock-bom:2.4-M6-groovy-3.0=testCompileClasspath,testRuntimeClasspath
+org.spockframework:spock-core:2.4-M6-groovy-3.0=testCompileClasspath,testRuntimeClasspath
+org.xmlresolver:xmlresolver:5.2.2=checkstyle
+org.xmlresolver:xmlresolver:5.3.3=spotbugs
 org.yaml:snakeyaml:1.33=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 empty=signatures,spotbugsPlugins

common/src/main/java/com/mx/path/core/common/connect/Request.java

@@ -567,7 +567,7 @@ public final void setTimeout(Duration timeout) {
   /**
    * Called before the request starts. Sets start time. Override to add behavior. Be sure to call {@code super.start()}
    */
-  public void start() {
+  public synchronized void start() {
     if (attemptCount < 1) {
       attemptCount = 1;
     }
@@ -579,7 +579,7 @@ public void start() {
   /**
    * Called before retrying request. Sets start time. Override to add behavior. Be sure to call {@code super.startRetry()}
    */
-  public void startRetry() {
+  public synchronized void startRetry() {
     attemptCount++;
     startNano = 0;
   }

common/src/main/java/com/mx/path/core/common/http/MimeType.java

@@ -277,7 +277,7 @@ private boolean isQuotedString(String s) {
     }
   }
 
-  protected String unquote(String s) {
+  protected final String unquote(String s) {
     return (isQuotedString(s) ? s.substring(1, s.length() - 1) : s);
   }
 
@@ -350,7 +350,7 @@ public Charset getCharset() {
    * @return the parameter value, or {@code null} if not present
    */
   @Nullable
-  public String getParameter(String name) {
+  public final String getParameter(String name) {
     return this.parameters.get(name);
   }
 
@@ -611,4 +611,12 @@ private static Map<String, String> addCharsetParameter(Charset charset, Map<Stri
     return map;
   }
 
+  /**
+   * This has been added to protect against a Finalizer attack (because MimeType constructor can throw an exception)
+   * See https://wiki.sei.cmu.edu/confluence/display/java/OBJ11-J.+Be+wary+of+letting+constructors+throw+exceptions for more details
+   */
+  @Override
+  protected final void finalize() {
+    // Do nothing
+  }
 }

common/src/main/java/com/mx/path/core/common/model/ModelList.java

@@ -9,8 +9,6 @@
 import java.util.ListIterator;
 import java.util.Map;
 
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
-
 import com.google.gson.reflect.TypeToken;
 
 /**
@@ -22,7 +20,6 @@ public class ModelList<T extends ModelBase<?>> implements List<T>, ModelWrappabl
   private static final Map<Class<?>, Class<?>> CACHED_TYPE_TO_LIST_TYPE = new LinkedHashMap<>();
   private static final Map<Class<?>, Type> CACHED_TYPE_TO_LIST_TYPETOKEN = new LinkedHashMap<>();
 
-  @SuppressFBWarnings("DM_NEW_FOR_GETCLASS")
   public static <T extends ModelBase<?>> Class<?> ofClass(Class<T> klass) {
     if (!CACHED_TYPE_TO_LIST_TYPE.containsKey(klass)) {
       CACHED_TYPE_TO_LIST_TYPE.put(klass, ModelList.class);

common/src/main/java/com/mx/path/core/common/serialization/ThrowableTypeAdapter.java

@@ -98,7 +98,7 @@ public final void write(JsonWriter out, Throwable value) throws IOException {
   }
 
   @Data
-  private static class ErrorInfo {
+  private static final class ErrorInfo {
     private String throwableType = null;
     private String payloadFallbackType = null;
     private Throwable cause = null;