Upgraded dependencies and Gradle wrapper

.github/workflows/integration.yml

@@ -34,4 +34,4 @@ jobs:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         run: |
           chmod +x gradlew
-          ./gradlew --continue build sonar
+          ./gradlew build sonar

.github/workflows/publish.yml

@@ -0,0 +1,35 @@
+# Publish to Maven Central
+
+name: publish
+
+on:
+  repository_dispatch:
+    types: manual-publish
+  release:
+    types: [ created ]
+
+jobs:
+  publish:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'adopt'
+          java-version: '17'
+          cache: 'gradle'
+
+      - name: Publish
+        run: |
+          chmod +x gradlew
+          ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
+        env:
+          ORG_GRADLE_PROJECT_nexusUsername: ${{ secrets.NEXUS_USERNAME }}
+          ORG_GRADLE_PROJECT_nexusPassword: ${{ secrets.NEXUS_PASSWORD }}
+          ORG_GRADLE_PROJECT_signingKey: ${{ secrets.SEER_GPG_SECRET_KEY }}
+          ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.SEER_GPG_PASSWORD }}

build.gradle

@@ -1,13 +1,15 @@
+import java.time.Duration
+
 plugins {
     id 'java-library'
     id 'jacoco'
-    id 'com.github.spotbugs' version '5.0.14'
+    id 'com.github.spotbugs' version '5.2.1'
     id 'maven-publish'
     id 'signing'
-    id 'io.github.gradle-nexus.publish-plugin' version '1.3.0'
-    id 'org.sonatype.gradle.plugins.scan' version '2.6.0'
-    id "com.github.ben-manes.versions" version '0.47.0'
-    id "org.sonarqube" version "4.2.1.3168"
+    id 'io.github.gradle-nexus.publish-plugin' version '1.3.0' // publish to Maven Central
+    id 'com.github.ben-manes.versions' version '0.49.0' // check for out-of-date dependencies (run 'dependencyUpdates' manually)
+    id 'org.sonatype.gradle.plugins.scan' version '2.6.1' // scan for vulnerabilities
+    id 'org.sonarqube' version '4.4.1.3373' // sonarQube analysis
 }
 
 group = 'com.imsweb'
@@ -21,21 +23,21 @@ repositories {
 }
 
 dependencies {
-    implementation 'org.apache.commons:commons-lang3:3.12.0'
-    implementation 'org.apache.commons:commons-compress:1.22'
-    implementation 'commons-io:commons-io:2.13.0'
+    implementation 'org.apache.commons:commons-lang3:3.13.0'
+    implementation 'org.apache.commons:commons-compress:1.24.0'
+    implementation 'commons-io:commons-io:2.14.0'
 
     testImplementation 'junit:junit:4.13.2'
 }
 
 // enforce UTF-8, display the compilation warnings
-tasks.withType(JavaCompile) {
+tasks.withType(JavaCompile).configureEach {
     options.encoding = 'UTF-8'
     options.compilerArgs << '-Xlint:unchecked' << '-Xlint:deprecation'
 }
 
 // the Javadoc was made way too strict in Java 8 and it's not worth the time fixing everything!
-tasks.withType(Javadoc) {
+tasks.withType(Javadoc).configureEach {
     options.addStringOption('Xdoclint:none', '-quiet')
 }
 
@@ -65,7 +67,7 @@ jar {
 
 // spotbugs plugin settings
 spotbugs {
-    excludeFilter = file('config/spotbugs/spotbugs-exclude.xml')
+    excludeFilter.set(file('config/spotbugs/spotbugs-exclude.xml'))
 }
 
 jacocoTestReport {
@@ -77,9 +79,10 @@ test.finalizedBy jacocoTestReport
 
 sonarqube {
     properties {
-        property "sonar.projectKey", "imsweb_seerutils"
-        property "sonar.organization", "imsweb"
-        property "sonar.host.url", "https://sonarcloud.io"
+        property 'sonar.projectKey', 'imsweb_seerutils'
+        property 'sonar.organization', 'imsweb'
+        property 'sonar.host.url', 'https://sonarcloud.io'
+        //property 'sonar.gradle.skipCompile', 'true' // this is supposed to remove the warning about the compilation timing, but it doesn't :-(
     }
 }
 
@@ -88,6 +91,7 @@ ossIndexAudit {
     outputFormat = 'DEPENDENCY_GRAPH'
     printBanner = false
 }
+check.dependsOn 'ossIndexAudit'
 
 def isNonStable = { String version ->
     def stableKeyword = ['RELEASE', 'FINAL', 'GA'].any { it -> version.toUpperCase().contains(it) }
@@ -150,8 +154,10 @@ publishing {
 
 // setup JAR signing
 signing {
-    def signingKey = project.findProperty('signing.armored.key') ?: ''
-    def signingPassword = project.findProperty('signing.armored.password') ?: ''
+    required { !project.version.endsWith('-SNAPSHOT') }
+
+    String signingKey = project.findProperty('signing.armored.key') ?: ''
+    String signingPassword = project.findProperty('signing.armored.password') ?: ''
 
     useInMemoryPgpKeys(signingKey, signingPassword)
 
@@ -169,23 +175,17 @@ nexusPublishing {
         }
     }
 
-    clientTimeout = java.time.Duration.ofSeconds(300)
-    connectTimeout = java.time.Duration.ofSeconds(60)
+    clientTimeout = Duration.ofSeconds(300)
+    connectTimeout = Duration.ofSeconds(60)
 
     transitionCheckOptions {
         maxRetries.set(50)
-        delayBetween.set(java.time.Duration.ofMillis(5000))
+        delayBetween.set(Duration.ofMillis(5000))
     }
 }
 
-// don't try to release a snapshot to a non-snapshot repository, that won't work anyway
-if (version.endsWith('-SNAPSHOT')) {
-    gradle.startParameter.excludedTaskNames += 'signMavenJavaPublication'
-    gradle.startParameter.excludedTaskNames += 'closeAndReleaseSonatypeStagingRepository'
-}
-
 // Gradle wrapper, this allows to build the project without having to install Gradle!
 wrapper {
-    gradleVersion = '8.2.1'
+    gradleVersion = '8.4'
     distributionType = Wrapper.DistributionType.ALL
 }

config/spotbugs/spotbugs-exclude.xml

@@ -8,4 +8,8 @@
         <Class name="com.imsweb.seerutils.zip.ZipArchiveThresholdInputStream"/>
         <Bug code="DCN"/>
     </Match>
+    <Match>
+        <Class name="com.imsweb.seerutils.zip.ZipSecureFile"/>
+        <Bug code="CT"/>
+    </Match>
 </FindBugsFilter>

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-all.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

settings.gradle

@@ -1 +1,4 @@
-rootProject.name = 'seerutils'
+rootProject.name = 'seerutils'
+
+// following can be removed when sonarQube plugin is upgraded to 5.x
+System.setProperty('sonar.gradle.skipCompile', 'true')

src/main/java/com/imsweb/seerutils/zip/ZipArchiveThresholdInputStream.java

@@ -31,11 +31,6 @@ public class ZipArchiveThresholdInputStream extends FilterInputStream {
 
     public ZipArchiveThresholdInputStream(InputStream is) {
         super(is);
-
-        if (!(is instanceof InputStreamStatistics))
-            throw new IllegalArgumentException("InputStream of class " + is.getClass() + " is not implementing InputStreamStatistics.");
-
-        // set defaults but they will always be set by ZipSecureFile.getInputStream
         _minInflateRatio = 0.01d;
         _maxEntrySize = 0xFFFFFFFFL;
     }
@@ -93,6 +88,9 @@ private void checkThreshold() throws IOException {
         if (!_guardState)
             return;
 
+        if (!(in instanceof InputStreamStatistics))
+            throw new IllegalArgumentException("InputStream of class " + in.getClass() + " is not implementing InputStreamStatistics.");
+
         final InputStreamStatistics stats = (InputStreamStatistics)in;
         final long payloadSize = stats.getUncompressedCount();