helidon-labs: Use Java 25

.github/workflows/validate.yml

@@ -4,8 +4,8 @@ name: "Validate"
 on: [pull_request, push]
 
 env:
-  JAVA_VERSION: '24'
-  JAVA_DISTRO: 'jdk.java.net'
+  JAVA_VERSION: '25'
+  JAVA_DISTRO: 'oracle.com'
   MAVEN_HTTP_ARGS: '-Dmaven.wagon.httpconnectionManager.ttlSeconds=60 -Dmaven.wagon.http.retryHandler.count=3'
 
 concurrency:
@@ -21,7 +21,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Set up JDK ${{ env.JAVA_VERSION }}
-        uses: oracle-actions/setup-java@v1.4.0
+        uses: oracle-actions/setup-java@v1.5.0
         with:
           website: ${{ env.JAVA_DISTRO }}
           release: ${{ env.JAVA_VERSION }}
@@ -34,7 +34,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Set up JDK ${{ env.JAVA_VERSION }}
-        uses: oracle-actions/setup-java@v1.4.0
+        uses: oracle-actions/setup-java@v1.5.0
         with:
           website: ${{ env.JAVA_DISTRO }}
           release: ${{ env.JAVA_VERSION }}
@@ -50,7 +50,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Set up JDK ${{ env.JAVA_VERSION }}
-        uses: oracle-actions/setup-java@v1.4.0
+        uses: oracle-actions/setup-java@v1.5.0
         with:
           website: ${{ env.JAVA_DISTRO }}
           release: ${{ env.JAVA_VERSION }}
@@ -64,7 +64,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Set up JDK ${{ env.JAVA_VERSION }}
-        uses: oracle-actions/setup-java@v1.4.0
+        uses: oracle-actions/setup-java@v1.5.0
         with:
           website: ${{ env.JAVA_DISTRO }}
           release: ${{ env.JAVA_VERSION }}
@@ -77,7 +77,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Set up JDK ${{ env.JAVA_VERSION }}
-        uses: oracle-actions/setup-java@v1.4.0
+        uses: oracle-actions/setup-java@v1.5.0
         with:
           website: ${{ env.JAVA_DISTRO }}
           release: ${{ env.JAVA_VERSION }}

etc/scripts/owasp-dependency-check.sh

@@ -1,6 +1,6 @@
 #!/bin/bash -e
 #
-# Copyright (c) 2020, 2024 Oracle and/or its affiliates.
+# Copyright (c) 2020, 2025 Oracle and/or its affiliates.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,14 +19,6 @@ set -o pipefail || true  # trace ERR through pipes
 set -o errtrace || true # trace ERR through commands and functions
 set -o errexit || true  # exit the script if any statement returns a non-true return value
 
-on_error(){
-    CODE="${?}" && \
-    set +x && \
-    printf "[ERROR] Error(code=%s) occurred at %s:%s command: %s\n" \
-        "${CODE}" "${BASH_SOURCE[0]}" "${LINENO}" "${BASH_COMMAND}"
-}
-trap on_error ERR
-
 # Path to this script
 if [ -h "${0}" ] ; then
     SCRIPT_PATH="$(readlink "${0}")"
@@ -39,10 +31,17 @@ readonly SCRIPT_PATH
 # Path to the root of the workspace
 # shellcheck disable=SC2046
 WS_DIR=$(cd $(dirname -- "${SCRIPT_PATH}") ; cd ../.. ; pwd -P)
-readonly WS_DIR
 
-# shellcheck disable=SC2155
-readonly RESULT_FILE=$(mktemp -t XXXdependency-check-result)
+on_error(){
+    CODE="${?}" && \
+    set +x && \
+    printf "[ERROR] Error(code=%s) occurred at %s:%s command: %s\n" \
+        "${CODE}" "${BASH_SOURCE[0]}" "${LINENO}" "${BASH_COMMAND}"
+}
+trap on_error ERR
+
+RESULT_FILE=$(mktemp -t XXXdependency-check-result)
+readonly  RESULT_FILE
 
 die() { cat "${RESULT_FILE}" ; echo "Dependency report in ${WS_DIR}/target" ; echo "${1}" ; exit 1 ;}
 
@@ -52,13 +51,24 @@ if [ "${PIPELINE}" = "true" ] ; then
     mvn ${MAVEN_ARGS} -f "${WS_DIR}"/pom.xml clean install -DskipTests
 fi
 
+# The Sonatype OSS Index analyzer requires authentication
+# See https://ossindex.sonatype.org/doc/auth-required
+# Set OSS_INDEX_USERNAME and OSS_INDEX_PASSWORD to authenticate.
+# Otherwise OSS Index analyzer will be disabled
+# And yes, this option uses a lower case i while Username and Password has an upper case I
+OSS_INDEX_OPTIONS="-DossindexAnalyzerEnabled=false"
+if [ -n "${OSS_INDEX_PASSWORD}" ] && [ -n "${OSS_INDEX_USERNAME}" ]; then
+    OSS_INDEX_OPTIONS="-DossindexAnalyzerEnabled=true -DossIndexUsername=${OSS_INDEX_USERNAME} -DossIndexPassword=${OSS_INDEX_PASSWORD}"
+fi
+
 # Setting NVD_API_KEY is not required but improves behavior of NVD API throttling
 
 # shellcheck disable=SC2086
 mvn ${MAVEN_ARGS} -Dorg.slf4j.simpleLogger.defaultLogLevel=WARN org.owasp:dependency-check-maven:aggregate \
         -f "${WS_DIR}"/pom.xml \
         -Dtop.parent.basedir="${WS_DIR}" \
-        -Dnvd-api-key="${NVD_API_KEY}" \
+        -DnvdApiKey="${NVD_API_KEY}" \
+        ${OSS_INDEX_OPTIONS} \
         > "${RESULT_FILE}" || die "Error running the Maven command"
 
 grep -i "One or more dependencies were identified with known vulnerabilities" "${RESULT_FILE}" \

incubator/virtual-threads-metrics/pom.xml

@@ -32,8 +32,8 @@
     <name>Helidon Labs Incubator - Virtual Threads Metrics</name>
 
     <properties>
-        <version.java>24</version.java>
-        <version.lib.asm>9.7.1</version.lib.asm>
+        <version.java>25</version.java>
+        <version.lib.asm>9.8</version.lib.asm>
     </properties>
 
     <dependencies>

pom.xml

@@ -39,10 +39,10 @@
 
         <version.lib.checkstyle>10.13.0</version.lib.checkstyle>
         <version.plugin.checkstyle>3.3.1</version.plugin.checkstyle>
-        <version.plugin.dependency-check>12.1.0</version.plugin.dependency-check>
+        <version.plugin.dependency-check>12.1.5</version.plugin.dependency-check>
         <version.plugin.directory>1.0</version.plugin.directory>
         <version.plugin.failsafe>3.2.5</version.plugin.failsafe>
-        <version.plugin.spotbugs>4.8.5.0</version.plugin.spotbugs>
+        <version.plugin.spotbugs>4.9.6.0</version.plugin.spotbugs>
         <version.plugin.findsecbugs>1.13.0</version.plugin.findsecbugs>
         <version.plugin.helidon-build-tools>4.0.14</version.plugin.helidon-build-tools>
     </properties>