deps: Upgrade JGit to address CVE-2025-4949 and build system modernizations

sschuberth · web-flow · commit 34f7c0012027 · 2025-06-28T17:11:13.000+02:00
* test: Do not rely on the current working directory in functional tests Create a clean temporary directory instead. * build: Migrate dependency versions to a version catalog A central version catalog is easier to maintain and has become the de-facto standard. * build: Remove the Kotlin stdlib as an explicit dependency The Kotlin Gradle Plugin add this automatically. * deps: Upgrade JGit to address CVE-2025-4949
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -3,9 +3,9 @@ plugins {
     `java-gradle-plugin`
 
     // Apply the Kotlin JVM plugin to add support for Kotlin.
-    kotlin("jvm") version "1.9.10"
-    id("com.gradle.plugin-publish") version "1.2.1"
-    id("com.github.jmongard.git-semver-plugin") version "0.13.0"
+    alias(libs.plugins.kotlin.jvm)
+    alias(libs.plugins.plugin.publish)
+    alias(libs.plugins.git.semver)
     id("jacoco")
 }
 
@@ -22,14 +22,13 @@ repositories {
 }
 
 dependencies {
-    implementation(kotlin("stdlib"))
-    implementation("org.eclipse.jgit:org.eclipse.jgit:7.1.0.202411261347-r")
-    implementation("org.eclipse.jgit:org.eclipse.jgit.gpg.bc:7.1.0.202411261347-r")
-    implementation("org.slf4j:slf4j-api:1.7.36")
+    implementation(libs.jgit.core)
+    implementation(libs.jgit.gpg)
+    implementation(libs.slf4j.api)
 
-    testImplementation(kotlin("test-junit5"))
-    testImplementation("org.junit.jupiter:junit-jupiter-params")
-    testImplementation("org.assertj:assertj-core:3.27.2")
+    testImplementation(libs.kotlin.test.junit5)
+    testImplementation(libs.junit.jupiter.params)
+    testImplementation(libs.assertj.core)
 }
 
 gradlePlugin {
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -0,0 +1,20 @@
+[versions]
+assertj = "3.27.2"
+git-semver-plugin = "0.13.0"
+jgit = "7.3.0.202506031305-r"
+kotlin = "1.9.10"
+plugin-publish = "1.2.1"
+slf4j = "1.7.36"
+
+[plugins]
+git-semver = { id = "com.github.jmongard.git-semver-plugin", version.ref = "git-semver-plugin" }
+kotlin-jvm = { id = "org.jetbrains.kotlin.jvm", version.ref = "kotlin" }
+plugin-publish = { id = "com.gradle.plugin-publish", version.ref = "plugin-publish" }
+
+[libraries]
+assertj-core = { module = "org.assertj:assertj-core", version.ref = "assertj" }
+jgit-core = { module = "org.eclipse.jgit:org.eclipse.jgit", version.ref = "jgit" }
+jgit-gpg = { module = "org.eclipse.jgit:org.eclipse.jgit.gpg.bc", version.ref = "jgit" }
+junit-jupiter-params = { module = "org.junit.jupiter:junit-jupiter-params" }
+kotlin-test-junit5 = { module = "org.jetbrains.kotlin:kotlin-test-junit5" }
+slf4j-api = { module = "org.slf4j:slf4j-api", version.ref = "slf4j" }
diff --git a/src/functionalTest/kotlin/git/semver/plugin/gradle/GitSemverPluginFunctionalTest.kt b/src/functionalTest/kotlin/git/semver/plugin/gradle/GitSemverPluginFunctionalTest.kt
@@ -5,6 +5,7 @@ import org.eclipse.jgit.api.Git
 import org.gradle.testkit.runner.BuildResult
 import org.gradle.testkit.runner.GradleRunner
 import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.io.TempDir
 import org.junit.jupiter.params.ParameterizedTest
 import org.junit.jupiter.params.provider.Arguments
 import org.junit.jupiter.params.provider.CsvSource
@@ -18,6 +19,9 @@ import java.io.File
 class GitSemverPluginFunctionalTest {
 
     companion object {
+        @TempDir
+        lateinit var tempDir: File
+
         @JvmStatic
         fun gradleVersions(): List<Arguments> {
             return listOf(
@@ -125,7 +129,7 @@ class GitSemverPluginFunctionalTest {
         """.trimIndent();
 
         // Setup the test build
-        val projectDir = File("build/functionalTest")
+        val projectDir = tempDir.resolve("build/functionalTest")
         projectDir.mkdirs()
         projectDir.resolve(".gitignore").writeText(".gradle")
         projectDir.resolve("settings.gradle").writeText("include ':sub1'")
