From b72a9cf96a77caefb4a0cd9ba816168408efeb1b Mon Sep 17 00:00:00 2001
From: Daniel Widdis
Date: Fri, 17 Nov 2023 13:16:41 -0800
Subject: [PATCH] Force newer version of Eclipse core transitive dependency (resolves CVE-2023-4218) (#3737)

### Description

The Spotless Gradle Plugin brings in a transitive dependency on Eclipse Core Runtime 3.26.100. That version is impacted by a CVE. This forces the newest version, currently 3.29.0.

Note that newer versions than 3.26 require JDK17+ to run spotless.

Signed-off-by: Daniel Widdis
---
 .github/workflows/code-hygiene.yml | 2 +-
 build.gradle                       | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/code-hygiene.yml b/.github/workflows/code-hygiene.yml
index 1b46c65a63..6ed51248e9 100644
--- a/.github/workflows/code-hygiene.yml
+++ b/.github/workflows/code-hygiene.yml
@@ -22,7 +22,7 @@ jobs:
       - uses: actions/setup-java@v3
         with:
           distribution: temurin # Temurin is a distribution of adoptium
-          java-version: 11
+          java-version: 17
 
       - uses: gradle/gradle-build-action@v2
         with:
diff --git a/build.gradle b/build.gradle
index 2f933c8886..ea5df5419e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -488,6 +488,9 @@ configurations {
     // for spotbugs dependency conflict
     force "org.apache.commons:commons-lang3:${versions.commonslang}"
 
+    // for spotless transitive dependency CVE
+    force "org.eclipse.platform:org.eclipse.core.runtime:3.29.0"
+
     // For integrationTest
     force "org.apache.httpcomponents:httpclient:4.5.14"
     force "org.apache.httpcomponents:httpcore:4.4.16"
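Review bot: The new `force` line in build.gradle is justified only by the bare comment "for spotless transitive dependency CVE", so nothing tells a later maintainer which advisory it addresses or when the pin can be retired once Spotless itself moves past Eclipse Core Runtime 3.26; name both in the comment, e.g. `// for spotless transitive dependency CVE-2023-4218; drop once spotless's own org.eclipse.core.runtime is >= 3.29.0`. The commit description says the forced version needs JDK 17 to run spotless, and the workflow is bumped accordingly, but build.gradle itself has no guard, so a developer running on JDK 11 will presumably get an opaque spotless failure rather than a clear message — consider a check in the spotless task configuration along the lines of `if (!JavaVersion.current().isCompatibleWith(JavaVersion.VERSION_17)) throw new GradleException("spotless requires JDK 17+ (forced org.eclipse.core.runtime 3.29.0)")`, or at least a comment next to the force stating the JDK requirement. A `force` also applies to every configuration it is declared on, not just the spotless one; that is harmless if org.eclipse.core.runtime only arrives via the Spotless plugin, but this is worth confirming with `gradle dependencyInsight --dependency org.eclipse.core.runtime` before merging. The enclosing `configurations { … }` block (and whatever resolutionStrategy closure holds these `force` calls) starts and ends outside the hunk.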