build(deps): bump org.apache.maven.plugins:maven-site-plugin from 3.12.1 to 3.20.0

[dependabot]

Bumps org.apache.maven.plugins:maven-site-plugin from 3.12.1 to 3.20.0.

Release notes

Sourced from org.apache.maven.plugins:maven-site-plugin's releases.

maven-site-plugin-3.20.0

Full Changelog: apache/maven-site-plugin@maven-site-plugin-3.12.1...maven-site-plugin-3.20.0

Commits

• fd65715 [maven-release-plugin] prepare release maven-site-plugin-3.20.0
• be35f64 [MSITE-945] Remove dependency on Commons IO
• 6fc5d17 [MSITE-945] More modern temporary file handling (#203)
• eb0b0f6 Remove debugging strings from test output (#204)
• 54faaa8 Earlier detection of mkdirs failure (#201)
• 73b57d3 Replace deprecated methods (#198)
• cf5c504 Add version to mrm-maven-plugin
• 688714c Use charset in test (#199)
• adc67e1 Use try with resources to avoid deprecated class (#200)
• 2e867c6 Update history
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[aikebah]

Needs a detailed look. We might want to stay at 3.12.x for a while, 3.20.0 requires the fluido skin to be upgraded to 2.x

https://lists.apache.org/list.html?announce@maven.apache.org

Note: This is a Doxia 2.0.0 compatible version for Maven 3.x. Using this version requires you also to upgrade the Maven Fluido Skin to 2.0.0.

From https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=235836144#TowardsDoxia2.0.0Stack-MavenSitePlugin3.20.0/4.0.0

Note that 3.20.0 is a Doxia 2.0.0 compatible version for Maven 3.x while 4.0.0 is reserved for Maven 4. The jump to 3.20.0 is on purpose leaving a gap between 3.12.x.

[aikebah]

@jeremylong Integrating this would require users that have DependencyCheck configured as a reporting plugin to also upgrade to maven-site-plugin 3.20.0 or later (Doxia 2.x reporting stack)

Leave the final call on integrating it in ODC 11 or waiting for a later release to you. If integrated it deserves a notion on the release notes, as on older maven-site-plugin versions it will break with

[WARNING] An issue has occurred with dependency-check-maven:11.0.0-SNAPSHOT:check report, skipping LinkageError
 Receiver class org.owasp.dependencycheck.maven.CheckMojo does not define or inherit an implementation of the resolved 
method 'abstract void generate(org.codehaus.doxia.sink.Sink, java.util.Locale)' of interface 
org.apache.maven.reporting.MavenReport., please report an issue to Maven dev team.

java.lang.AbstractMethodError: Receiver class org.owasp.dependencycheck.maven.CheckMojo does not define or inherit an 
implementation of the resolved method 'abstract void generate(org.codehaus.doxia.sink.Sink, java.util.Locale)' of interface 
org.apache.maven.reporting.MavenReport.

(the deprecated generate(org.codehaus.doxia.sink.Sink, java.util.Locale) method was removed as upgrading to Fluido 2.x skin also required upgrading the maven-reporting-api to Doxia 2.x (4.0.0-M12) thereby removing the deprecated org.codehaus.doxia.sink.Sink class from the classpath)

Maven-users that use it as a build plugin can still use any version of the maven site plugin. Only in case ODC is used as reporting plugin the error is triggered.

[jeremylong]

@aikebah given that this is a breaking change - I think we should include the upgrade in 11.0. I'll work on the upgrade this week and hopefully release 11.0 the weekend of the 12th.

[aikebah]

Might be good to closely watch the various maven plugins for futher reporting related minor releases. Doxia 2.0.0 was released on 1 Oct, so I can imagine several plugins releasing in near future to also bump their dependency to the 2.0 non-milestone version of the Doxia framework.

Nevertheless agree that 11.0 seems to be the best moment to jump to Doxia 2.x series (otherwise we would have to wait for another new major to make the jump).

On the part of H2 there is still the current flaky test-behaviour during initial database upgrades (the series of sql upgrades run in the DbTestCase on initial start after unzipping the test-resource CVE DB from the zip-file when not yet available in the testcase data folder) with H2 breaking on a datafile assertion issue during its housekeeping, which appears to be a hard-to-diagnose issue: h2database/h2database#4048

Have not seen any symptoms of it locally, but it is a testfailure I've seen happening on more than one occurrence in our CI pipeline.