CORE-18813 - enable Dependabot (#1375)
- Use a Gradle version catalogue (a versions TOML file) to define library versions.
- Enable Dependabot so it can raise PRs to update dependencies
driessamyn authored Dec 11, 2023
1 parent ccf9d8b commit 1f25021
Showing 23 changed files with 140 additions and 180 deletions.
4 changes: 1 addition & 3 deletions .github/dependabot.yml
Expand Up @@ -4,6 +4,4 @@ updates:
directory: "/"
schedule:
interval: "daily"
rebase-strategy: "disabled"
# for testing only:
target-branch: "driessamyn/poc/version-catalogue"
rebase-strategy: "disabled"
1 change: 0 additions & 1 deletion application/build.gradle
Expand Up @@ -21,5 +21,4 @@ dependencies {
compileOnly 'org.osgi:osgi.core'

testApi 'org.jetbrains.kotlin:kotlin-osgi-bundle'
testImplementation "org.assertj:assertj-core:$assertjVersion"
}
1 change: 0 additions & 1 deletion base/build.gradle
Expand Up @@ -16,5 +16,4 @@ dependencies {
compileOnly 'org.osgi:osgi.annotation'

testApi 'org.jetbrains.kotlin:kotlin-osgi-bundle'
testImplementation "org.assertj:assertj-core:$assertjVersion"
}
56 changes: 12 additions & 44 deletions build.gradle
Expand Up @@ -9,31 +9,22 @@ buildscript {
ext {
vcsUrl = System.getenv('GIT_URL') ?: 'https://github.com/corda/corda-api.git'
}

dependencies {
classpath "org.jetbrains.dokka:dokka-core:$dokkaVersion"
constraints {
classpath("org.jsoup:jsoup:1.15.3") {
because "required until dokka plugin updates it's internal version of jsoup, not fixed as of dokka 1.7.10"
}
}
}
}

plugins {
id 'net.corda.cordapp.cordapp-configuration'
id 'org.jetbrains.kotlin.jvm' apply false
id 'org.jetbrains.kotlin.plugin.allopen' apply false
id 'org.jetbrains.kotlin.plugin.jpa' apply false
id 'io.gitlab.arturbosch.detekt' apply false
id 'io.snyk.gradle.plugin.snykplugin'
id 'org.ajoberstar.grgit' // used for GIT interaction (e.g. extract commit hash)
alias libs.plugins.detekt apply false
alias libs.plugins.snyk
alias libs.plugins.grgit // used for GIT interaction (e.g. extract commit hash)
id 'corda.root-publish'
id 'jacoco' // test coverage
id 'com.dorongold.task-tree' // utility to visualise Gradle task DAG
id 'org.jetbrains.dokka'
id 'com.github.ben-manes.versions' // discover possible dependency version upgrades
id 'org.cyclonedx.bom' apply false
alias libs.plugins.task.tree // utility to visualise Gradle task DAG
alias libs.plugins.dokka
alias libs.plugins.dependency.check.versions // discover possible dependency version upgrades
alias libs.plugins.cyclonedx.bom apply false
}

snyk {
Expand Down Expand Up @@ -108,7 +99,9 @@ subprojects {
releasable = true // all corda-api jars are externally consumable
}

apply plugin: 'org.cyclonedx.bom'
// NOTE: according to this we shouldn't be using subprojects:
// https://discuss.gradle.org/t/apply-plugin-with-version-catalog/43029
apply plugin: libs.plugins.cyclonedx.bom.get().pluginId
cyclonedxBom {
includeConfigs = ["runtimeClasspath"]
skipProjects = [rootProject.name]
Expand Down Expand Up @@ -162,21 +155,7 @@ subprojects {
// thinking is that for the test dependencies it's ok as it'll keep things consistent.
// we can add exclusions, or review this if necessary.
dependencies {
// Test libraries -> keep consistent across modules
testImplementation "org.jetbrains.kotlin:kotlin-test:$kotlinVersion"
testImplementation "org.mockito:mockito-core:$mockitoVersion"
testImplementation("org.mockito.kotlin:mockito-kotlin:$mockitoKotlinVersion") {
// Excluding mockito-core and adding it implicitly above. This is done to allow the use of the latest version of mockito.
exclude group: 'mockito-core'
}

testImplementation "org.junit.jupiter:junit-jupiter:$junitVersion"

// Test runtime libraries -> also keep consistent
testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'

detektPlugins "io.gitlab.arturbosch.detekt:detekt-formatting:$detektPluginVersion"
detektPlugins libs.detekt.formatting
}

// Making all persistence entity open and with an empty constructor to allow Hibernate to work.
Expand Down Expand Up @@ -259,17 +238,6 @@ subprojects {
}
}

pluginManager.withPlugin('io.gitlab.arturbosch.detekt'){
dependencies {
detekt "io.gitlab.arturbosch.detekt:detekt-cli:$detektPluginVersion"
constraints {
detekt("org.yaml:snakeyaml:$snakeyamlVersion") {
because "required until detekt plugin updates it's internal version of snakeYaml, not fixed as of detekt version 1.21"
}
}
}
}

// we do this to allow for Gradle task caching. OSGI attribute Bnd-LastModified breaks gradle caching as it is a timestamp
// below block tells Gradle to ignore specifically the Bnd-LastModified attribute of the manifest when checking if
// a task is up-to-date, this has no impact on publishing or production of jar.
Expand Down Expand Up @@ -407,4 +375,4 @@ if (project.hasProperty('generateSBOM')) {
artifactoryPublish {
publications('sbom')
}
}
}
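Review bot: The `pluginManager.withPlugin('io.gitlab.arturbosch.detekt')` block removed in the `@@ -259,17 +238,6 @@` hunk carried a `constraints { detekt("org.yaml:snakeyaml:$snakeyamlVersion") }` pin whose comment says it existed only until detekt stopped bundling an outdated SnakeYAML, and the `buildscript` hunk at the top likewise drops the `org.jsoup:jsoup:1.15.3` constraint kept for Dokka; neither pin reappears in the catalog-based lines, and the gradle.properties section further down appears to remove `snakeyamlVersion=2.0` as well. Whether that is safe depends on the detekt and dokka versions now in gradle/libs.versions.toml, which is not on this page. If those versions ship patched SnakeYAML and jsoup, record that where the pins used to be, e.g. `// snakeyaml/jsoup constraints removed: detekt <catalog version> and dokka <catalog version> bundle current versions`; otherwise carry the constraints over against the catalog aliases so the workaround survives the migration. Both enclosing blocks (`buildscript` and `subprojects`) extend beyond the hunks shown here.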
22 changes: 4 additions & 18 deletions buildSrc/build.gradle
Expand Up @@ -10,8 +10,6 @@ repositories {
// So we'll load it into our own object to grab what we need.
def constants = new Properties()
file("$rootDir/../gradle.properties").withInputStream { InputStream input -> constants.load(input) }
def bndVersion = constants.getProperty('bndVersion')
def bndlibVersion = constants.getProperty('bndlibVersion')
def internalPluginVersion = constants.getProperty('internalPluginVersion')
def artifactoryContextUrl = constants.getProperty('artifactoryContextUrl')

Expand Down Expand Up @@ -51,23 +49,11 @@ repositories {

dependencies {
constraints {
implementation('biz.aQute.bnd:biz.aQute.bndlib') {
version {
require bndlibVersion
}
}
implementation('biz.aQute.bnd:biz.aQute.bnd.embedded-repo') {
version {
require bndlibVersion
}
}
implementation('biz.aQute.bnd:biz.aQute.resolve') {
version {
require bndlibVersion
}
}
implementation libs.bnd.lib
implementation libs.bnd.embedded.repo
implementation libs.bnd.resolve
}
implementation "biz.aQute.bnd:biz.aQute.bnd.gradle:$bndVersion"
implementation libs.bnd.gradle

if (System.getenv('CORDA_ARTIFACTORY_USERNAME') != null || project.hasProperty('cordaArtifactoryUsername')) {
implementation "com.r3.internal.gradle.plugins:publish:$internalPluginVersion"
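--- /dev/null
+++ b/buildSrc/settings.gradle
@@ -0,0 +1,7 @@
+dependencyResolutionManagement {
+versionCatalogs {
+create('libs', { from(files("../gradle/libs.versions.toml")) })
+}
+}
+
+rootProject.name = 'buildSrc'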
6 changes: 3 additions & 3 deletions buildSrc/src/main/groovy/corda-api.common-library.gradle
Expand Up @@ -2,6 +2,7 @@

plugins {
id 'java-library'
id 'org.jetbrains.kotlin.jvm'
id 'biz.aQute.bnd.builder'
}

Expand All @@ -26,9 +27,8 @@ configurations {

dependencies {
compileOnly "org.jetbrains:annotations:$jetbrainsAnnotationsVersion"
testImplementation "org.junit.jupiter:junit-jupiter:$junitVersion"
testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
testImplementation libs.bundles.test
testRuntimeOnly libs.bundles.test.runtime
}

tasks.named('jar', Jar) {
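Review bot: `compileOnly "org.jetbrains:annotations:$jetbrainsAnnotationsVersion"`, the unchanged line directly above the new `libs.bundles.test` lines, still takes its version from a `gradle.properties` property while every other coordinate in this `dependencies` block now comes from the catalog, so it is maintained through a different mechanism from its siblings, and if `jetbrainsAnnotationsVersion` was among the properties removed from gradle.properties (that region of the file is collapsed on this page) the script fails with a missing-property error. Move it to a catalog alias alongside the bundles, e.g. `compileOnly libs.jetbrains.annotations` (constructed alias; use whatever name the catalog defines). The new `id 'org.jetbrains.kotlin.jvm'` plugin line also deserves a comment, because applying the Kotlin plugin from this shared convention plugin is what makes the `withPlugin` guard in corda.java-only.gradle necessary: `// applied for every module; Java-only modules reject Kotlin sources via corda.java-only`. The `plugins` and `dependencies` blocks are each shown in full within their hunks, but the `configurations` block between them is collapsed.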
17 changes: 10 additions & 7 deletions buildSrc/src/main/groovy/corda.java-only.gradle
@@ -1,9 +1,12 @@
plugins {
id 'org.jetbrains.kotlin.jvm'
}

tasks.named('compileKotlin') {
doFirst {
throw new InvalidUserCodeException("Module '${project.path}' should only contain Java classes")
/**
* Apply this plugin to projects that must be implemented in pure Java.
* We cannot prevent such projects from applying the Kotlin Gradle plugin,
* but we can throw an exception if they try to compile any Kotlin classes.
*/
pluginManager.withPlugin('org.jetbrains.kotlin.jvm') {
tasks.named('compileKotlin') {
doFirst {
throw new InvalidUserCodeException("Module '${project.path}' should only contain Java classes")
}
}
}
29 changes: 4 additions & 25 deletions corda-api/build.gradle
Expand Up @@ -26,41 +26,20 @@ dependencies {
api project(':membership')
api project(':serialization')

api('javax.persistence:javax.persistence-api') {
version {
require javaxPersistenceApiVersion
}
}
api(libs.javax.persistence.api)
api('org.jetbrains.kotlin:kotlin-osgi-bundle') {
version {
require kotlinVersion
require kotlinVersion
}
}
api('org.jetbrains:annotations') {
version {
require jetbrainsAnnotationsVersion
}
}
api('org.osgi:osgi.annotation') {
version {
require osgiAnnotationVersion
}
}
api('org.osgi:osgi.core') {
version {
require osgiVersion
}
}
api('org.osgi:org.osgi.service.component.annotations') {
version {
require osgiScrAnnotationVersion
}
}
api('org.slf4j:slf4j-api') {
api(libs.bundles.osgi)
api(libs.slf4j) {
because 'Corda 5.1 only supports SLF4J 1.x'
version {
strictly slf4jVersion
}
}
}
}
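Review bot: `api(libs.slf4j)` now resolves its coordinates from the catalog, but the unchanged `version { strictly slf4jVersion }` two lines below overrides that version with the `slf4jVersion` property from gradle.properties, so the catalog entry is effectively inert for this module and a Dependabot bump of the catalog would be silently pinned back; worse, the gradle.properties section on this page appears to delete the `# Logging` / `slf4jVersion = 1.7.36` lines, in which case this block fails with a missing-property error. Since the 1.x ceiling is deliberate (`because 'Corda 5.1 only supports SLF4J 1.x'`), express it in the catalog instead: a `[versions]` entry declared as a rich version with `strictly = "<slf4j 1.x version>"` (constructed) keeps one source of truth, and the `version { }` block here can then be dropped, or reference the catalog with `strictly libs.versions.slf4j.get()` if the catalog defines that version alias. The `dependencies` block continues past the end of the hunk.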
5 changes: 2 additions & 3 deletions cordapp-configuration/build.gradle
Expand Up @@ -31,9 +31,8 @@ java {
}

dependencies {
testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion"
testImplementation "org.junit.jupiter:junit-jupiter-params:$junitVersion"
testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
testImplementation libs.bundles.test
testRuntimeOnly libs.bundles.test.runtime
}

tasks.named('jar', Jar) {
4 changes: 1 addition & 3 deletions cordapp-configuration/gradle.properties
@@ -1,5 +1,3 @@
org.gradle.java.installations.auto-download=false
org.gradle.jvmargs=-XX:+UseG1GC -Xmx1g
org.gradle.caching=false

junitVersion=5.7.2
org.gradle.caching=false
3 changes: 3 additions & 0 deletions cordapp-configuration/settings.gradle
Expand Up @@ -2,4 +2,7 @@ dependencyResolutionManagement {
repositories {
mavenCentral()
}
versionCatalogs {
create('libs', { from(files("../gradle/libs.versions.toml")) })
}
}
5 changes: 1 addition & 4 deletions crypto/build.gradle
Expand Up @@ -15,9 +15,6 @@ dependencies {
api platform(project(':corda-api'))
api project(':base')

testImplementation "org.bouncycastle:bcprov-jdk18on:$bouncycastleVersion"
testImplementation "org.bouncycastle:bcpkix-jdk18on:$bouncycastleVersion"
testImplementation "org.assertj:assertj-core:$assertjVersion"
testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion"
testImplementation libs.bundles.bouncycastle
}

10 changes: 5 additions & 5 deletions data/avro-schema/build.gradle
Expand Up @@ -6,17 +6,17 @@ plugins {
id 'corda-api.common-library'
id 'corda.common-publishing'
id 'corda.java-only'
id "com.github.davidmc24.gradle.plugin.avro-base"
alias libs.plugins.avro.gradle
}

dependencies {
api "org.apache.avro:avro:$avroVersion"
api libs.avro
constraints {
implementation("com.fasterxml.jackson.core:jackson-databind:$jacksonVersion") {
implementation(libs.jackson.databind) {
because "required until new version of Avro available which updates Jackson"
}

implementation("org.apache.commons:commons-compress:$commonsCompressVersion") {
implementation(libs.commons.compress) {
because "CVE-2023-42503, current version of Avro uses an outdated version"
}
}
Expand All @@ -30,7 +30,7 @@ dependencies {
configurations.all {
resolutionStrategy {
// CVE-2023-42503, current version of Avro uses an outdated version
force "org.apache.commons:commons-compress:$commonsCompressVersion"
force libs.commons.compress
}
}

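Review bot: `force libs.commons.compress` inside `configurations.all { resolutionStrategy { ... } }` pins commons-compress to exactly the catalog version even when a later Avro or Jackson upgrade wants a newer one, so the CVE-2023-42503 mitigation can itself become the thing that holds the library back; the `constraints { implementation(libs.commons.compress) }` block above already raises the floor, which is all the fix needs, and Gradle's own guidance prefers strict or required versions over `force`. Consider dropping the `force`, and if an exact pin is still wanted, put `strictly` on the catalog's version entry so both declarations read the one place Dependabot updates. The reason is also recorded twice (the `because` string and the comment above `force`); keep it once and name the threshold, e.g. `because "CVE-2023-42503: commons-compress >= <fixed version> required; Avro <catalog version> still pulls an older one"`. The `dependencies` block continues past the first hunk, so any constraint added there should go next to the existing one.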
5 changes: 2 additions & 3 deletions data/topic-schema/build.gradle
Expand Up @@ -9,9 +9,8 @@ description 'Definition of Topics'
dependencies {
implementation platform(project(':corda-api'))

testImplementation "org.assertj:assertj-core:$assertjVersion"
testImplementation "com.fasterxml.jackson.module:jackson-module-kotlin:$jacksonVersion"
testImplementation "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:$jacksonVersion"
testImplementation libs.jackson.kotlin
testImplementation libs.jackson.yaml

compileOnly 'org.osgi:osgi.annotation'
}
42 changes: 1 addition & 41 deletions gradle.properties
@@ -1,7 +1,3 @@
# This file is parsed from Python in the docs/source/conf.py file
# because some versions here need to be matched by app authors in
# their own projects. So don't get fancy with syntax!

org.gradle.java.installations.auto-download=false

# Versioning
Expand Down Expand Up @@ -30,48 +26,12 @@ publicArtifactURL = https://download.corda.net/maven
# dokka need more metaspace - https://github.com/Kotlin/dokka/issues/1405
org.gradle.jvmargs=-Dfile.encoding=UTF-8 -XX:MaxMetaspaceSize=2g
internalPluginVersion = 1.+
dokkaVersion = 1.8.+
detektPluginVersion = 1.22.+
dependencyCheckVersion=0.46.+
artifactoryPluginVersion = 4.28.2
snakeyamlVersion=2.0

# Logging
slf4jVersion = 1.7.36

# Main implementation dependencies
avroGradlePluginVersion=1.3.0
avroVersion = 1.11.3
commonsCompressVersion = 1.24.0
bouncycastleVersion = 1.73
grgitPluginVersion = 5.2.0
taskTreePluginVersion = 2.1.1
javaxPersistenceApiVersion = 2.2
jacksonVersion = 2.15.2

# Testing
assertjVersion = 3.24.+
junitVersion = 5.10.0
mockitoVersion = 5.3.+
mockitoKotlinVersion = 4.1.+

# OSGi
bndVersion = 6.4.0
bndlibVersion = 6.4.1
osgiVersion = 8.0.0
osgiAnnotationVersion = 8.1.0
osgiScrAnnotationVersion = 1.5.1

gradleEnterpriseVersion = 3.14.1
gradleDataPlugin = 1.8.2
org.gradle.caching = true
gradleEnterpriseUrl = https://gradle.dev.r3.com

#snyk version
snykVersion = 0.4

# Kotlin build
kotlin.build.report.output=file,build_scan

# Cyclonedx Bom generation version
cyclonedxVersion = 1.7.4
kotlin.build.report.output=file,build_scan
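Review bot: The first hunk deletes the header `# This file is parsed from Python in the docs/source/conf.py file ... So don't get fancy with syntax!`, which documented that an external docs build scrapes the version properties this commit moves into the catalog; none of the file sections visible on this page touches docs/source/conf.py (the sections after the page's truncation point are not shown), so that parser may now look up keys that no longer exist. Either update conf.py to read gradle/libs.versions.toml in this change, or leave a pointer here so the next reader knows where the versions went, e.g. `# Library versions live in gradle/libs.versions.toml (Gradle version catalogue, updated by Dependabot)`. The second hunk also keeps `internalPluginVersion = 1.+` and `artifactoryPluginVersion = 4.28.2` as properties while the other plugin versions moved out; if that is deliberate because they are internal-only and not for Dependabot, a one-line comment saying so would stop them being migrated by mistake.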
