Skip to content

Gradle migration follow-ups (post-#326) #337

Description

@pacmano1

PR #326 migrated the build from Ant to Gradle with output verified byte-identical. To keep that PR reviewable and parity-checkable, several improvements were deliberately deferred. This issue tracks them. Parent: #52.

Build tooling

Dependencies

  • Enable transitive dependency resolution. The migration intentionally pins a non-transitive, audited set matching the historical vendored jars. Move to normal transitive resolution one coordinate at a time, re-verifying each with the parity harness.
  • CVE burn-down. An initial dependency-check baseline flagged ~54 distinct CVEs across ~46 jars. Start with the one-line, parity-checkable bumps (netty, jackson-databind, pdfbox), then the harder ones: Jetty 9.4.57 (EOL line), MyBatis ([SECURITY] Update MyBatis library #320), Derby, iText -> OpenPDF (Determine if itext is still used and remove it if it is not #289), commons-httpclient -> httpclient5. See also [SECURITY] 4.6.0 release notes should list fixed CVEs #304.
  • Adopt byte-identical repackaged jars from Maven Central. 13 vendored jars are content-identical to Central artifacts (the HAPI 2.3 set, jtds, sqlite-jdbc, rsyntaxtextarea, autocomplete) and can be sourced from Central. The 3 genuine forks (javaparser 1.0.8, zip4j 1.3.3, not-going-to-be-commons-ssl) stay vendored.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions