Force newer version of Eclipse core transitive dependency (resolves C…

…VE-2023-4218) (#3737) ### Description The Spotless Gradle Plugin brings in a transitive dependency on Eclipse Core Runtime 3.26.100. That version is impacted by a CVE. This forces the newest version, currently 3.29.0. Note that newer versions than 3.26 require JDK17+ to run spotless. Signed-off-by: Daniel Widdis <[email protected]>
opensearch-project · Nov 17, 2023 · b72a9cf · b72a9cf
1 parent ca8aafe
commit b72a9cf
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/.github/workflows/code-hygiene.yml b/.github/workflows/code-hygiene.yml
@@ -22,7 +22,7 @@ jobs:
       - uses: actions/setup-java@v3
         with:
           distribution: temurin # Temurin is a distribution of adoptium
-          java-version: 11
+          java-version: 17
 
       - uses: gradle/gradle-build-action@v2
         with:

diff --git a/build.gradle b/build.gradle
@@ -488,6 +488,9 @@ configurations {
             // for spotbugs dependency conflict
             force "org.apache.commons:commons-lang3:${versions.commonslang}"
 
+            // for spotless transitive dependency CVE
+            force "org.eclipse.platform:org.eclipse.core.runtime:3.29.0"
+
             // For integrationTest
             force "org.apache.httpcomponents:httpclient:4.5.14"
             force "org.apache.httpcomponents:httpcore:4.4.16"