Add Graal SDK 25.0.2 bundle #1323

Merged
madurangasiriwardena merged 4 commits into wso2:master from madurangasiriwardena:graal-upgrade2
Mar 3, 2026

Conversation

@madurangasiriwardena madurangasiriwardena commented Feb 26, 2026

Summary by CodeRabbit

  • Chores
    • Added build and publishing configuration for a GraalVM SDK OSGi bundle (v25.0.2.wso2v1), including dependency management for required GraalVM components.
    • Configured repository and distribution settings to enable publication to the project’s artifact repository and snapshots location.

coderabbitai bot commented Feb 26, 2026

Walkthrough

Adds a new Maven POM at graal-sdk/25.0.2.wso2v1/pom.xml that builds an OSGi bundle for GraalVM SDK, pins GraalVM dependency versions to 25.0.2, configures maven-bundle-plugin (exports, embeds, imports, DynamicImport-Package), and adds WSO2 Nexus repository and distributionManagement entries.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GraalVM SDK Bundle Configuration: `graal-sdk/25.0.2.wso2v1/pom.xml` | New Maven POM defining an OSGi bundle (packaging: bundle) for graal-sdk (version 25.0.2.wso2v1). Declares properties graalvm.version and graalvm.export.version, dependencies on graal-sdk, collections, nativeimage, word, polyglot, js-language, truffle-api, regex, icu4j (pinned to ${graalvm.version}), configures maven-bundle-plugin (5.1.8) to export `org.graalvm.polyglot.*` and `org.graalvm.*` at the export version, embeds core dependencies, sets Import-Package resolution to optional and enables `DynamicImport-Package: *`, and adds WSO2 Nexus repository and distributionManagement entries for releases and snapshots. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰
A pom hops in with tidy cheer,
Bundles bundled, versions clear,
Exported paths and embeds snug,
Nexus waits — give it a hug! 🎀

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | No pull request description was provided by the author, missing all required sections from the template including Purpose, Goals, Approach, and other critical information. | Add a comprehensive pull request description following the repository template, including Purpose, Goals, Approach, User stories, Release notes, Documentation, and other required sections. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: adding a new Graal SDK 25.0.2 OSGi bundle with version 25.0.2.wso2v1. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@graal-sdk/25.0.5.wso2v1/pom.xml`:
- Around line 63-66: Update the version values so they are consistent with the
module directory/version; set the pom properties graalvm.version and
graalvm.export.version to match the module version (e.g., 25.0.5 and
25.0.5.wso2v1 if the module is 25.0.5.wso2v1 or to 25.0.4/25.0.4.wso2v1 if
you're targeting 25.0.4) ensuring both graalvm.version and
graalvm.export.version are changed together to the same target version as the
package directory name.
- Around line 117-121: The <snapshotRepository> entry contains a mismatched
<name> ("Apache Snapshot Repository") for the WSO2 URL; update the <name> value
inside the snapshotRepository block (the <name> element associated with
snapshotRepository) to accurately reflect the WSO2 repository (e.g., "WSO2
Snapshot Repository" or similar) so the repository name matches the <url> and
<id>.
- Around line 95-107: Update the repository declaration for the "wso2-nexus"
repository: change the <url> value from http://maven.wso2.org/... to the HTTPS
equivalent (https://maven.wso2.org/...) and remove or change the
<checksumPolicy> from "ignore" to a stricter policy such as "fail" (or remove
the tag to use the default) so artifact integrity is enforced; modify the
<repository> block containing <id>wso2-nexus</id>, <url> and <checksumPolicy>
accordingly.
- Around line 68-93: The pom.xml uses an outdated maven-bundle-plugin version
(5.1.8); update the plugin declaration for org.apache.felix:maven-bundle-plugin
in the build->plugins block to use version 6.0.0 by changing the <version>
element for the maven-bundle-plugin entry so the plugin declaration (groupId
org.apache.felix, artifactId maven-bundle-plugin) uses 6.0.0 instead of 5.1.8.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dd9ab3a and 9d73a8b.

📒 Files selected for processing (1)
  • graal-sdk/25.0.5.wso2v1/pom.xml

Comment on lines +63 to +66
<properties>
<graalvm.version>25.0.2</graalvm.version>
<graalvm.export.version>25.0.2.wso2v1</graalvm.export.version>
</properties>

⚠️ Potential issue | 🟠 Major

Version mismatch between file path, PR title, and properties.

The file is located at graal-sdk/25.0.5.wso2v1/pom.xml and the PR title mentions "Graal SDK 25.0.4", but the properties define graalvm.version as 25.0.2. This inconsistency will cause confusion and the bundle version won't match the directory structure.

Please align the version across:

  • Directory name
  • graalvm.version property
  • graalvm.export.version property
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@graal-sdk/25.0.5.wso2v1/pom.xml` around lines 63 - 66, Update the version
values so they are consistent with the module directory/version; set the pom
properties graalvm.version and graalvm.export.version to match the module
version (e.g., 25.0.5 and 25.0.5.wso2v1 if the module is 25.0.5.wso2v1 or to
25.0.4/25.0.4.wso2v1 if you're targeting 25.0.4) ensuring both graalvm.version
and graalvm.export.version are changed together to the same target version as
the package directory name.

Comment on lines +68 to +93
<build>
<plugins>
<plugin>
<groupId>org.apache.felix</groupId>
<artifactId>maven-bundle-plugin</artifactId>
<version>5.1.8</version>
<extensions>true</extensions>
<configuration>
<instructions>
<Bundle-SymbolicName>${project.artifactId}</Bundle-SymbolicName>
<Bundle-Name>${project.artifactId}</Bundle-Name>
<Export-Package>
org.graalvm.polyglot.*;version="${graalvm.export.version}"
</Export-Package>
<Embed-Dependency>
graal-sdk|js|truffle-api|regex|icu4j;
</Embed-Dependency>
<Import-Package>
*;resolution:=optional
</Import-Package>
<DynamicImport-Package>*</DynamicImport-Package>
</instructions>
</configuration>
</plugin>
</plugins>
</build>

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

latest version maven-bundle-plugin 2024 2025

💡 Result:

Apache Felix maven-bundle-plugin latest release in 2024/2025 is 6.0.0 (released Nov 28, 2024). [1] It was published to Maven Central on Nov 25, 2024. [2][3] The Apache Felix downloads page still lists 6.0.0 as the current version (i.e., no newer 2025 release listed). [4]

Maven coordinates: org.apache.felix:maven-bundle-plugin:6.0.0 [4]


Update maven-bundle-plugin to the latest version.

The maven-bundle-plugin version 5.1.8 is outdated. Version 6.0.0 was released in November 2024 and is the current stable release. Update from 5.1.8 to 6.0.0 to receive the latest bug fixes, security updates, and improvements.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@graal-sdk/25.0.5.wso2v1/pom.xml` around lines 68 - 93, The pom.xml uses an
outdated maven-bundle-plugin version (5.1.8); update the plugin declaration for
org.apache.felix:maven-bundle-plugin in the build->plugins block to use version
6.0.0 by changing the <version> element for the maven-bundle-plugin entry so the
plugin declaration (groupId org.apache.felix, artifactId maven-bundle-plugin)
uses 6.0.0 instead of 5.1.8.

Comment on lines +95 to +107
<repositories>
<repository>
<id>wso2-nexus</id>
<name>WSO2 internal Repository</name>
<url>
http://maven.wso2.org/nexus/content/groups/wso2-public/
</url>
<releases>
<enabled>true</enabled>
<updatePolicy>daily</updatePolicy>
<checksumPolicy>ignore</checksumPolicy>
</releases>
</repository>

⚠️ Potential issue | 🟠 Major

Use HTTPS for repository URL and avoid ignoring checksums.

Two security concerns:

  1. Line 100 uses HTTP (http://maven.wso2.org/...) while distributionManagement correctly uses HTTPS. HTTP repositories are vulnerable to man-in-the-middle attacks.

  2. Line 105 sets checksumPolicy to ignore, which bypasses integrity verification of downloaded artifacts.

🔒 Proposed fix
         <repository>
             <id>wso2-nexus</id>
             <name>WSO2 internal Repository</name>
             <url>
-                http://maven.wso2.org/nexus/content/groups/wso2-public/
+                https://maven.wso2.org/nexus/content/groups/wso2-public/
             </url>
             <releases>
                 <enabled>true</enabled>
                 <updatePolicy>daily</updatePolicy>
-                <checksumPolicy>ignore</checksumPolicy>
+                <checksumPolicy>fail</checksumPolicy>
             </releases>
         </repository>
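Review bot: The `<checksumPolicy>fail</checksumPolicy>` line sits only under `<releases>`, and the policy is set separately for each `<releases>` and `<snapshots>` element, so if snapshots are ever enabled for `wso2-nexus` they need the same setting. Keep both changes together: checksums are fetched from the same repository and catch corrupted downloads, while the HTTPS URL is what protects the artifact and its checksum from being altered in transit.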
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
<repositories>
<repository>
<id>wso2-nexus</id>
<name>WSO2 internal Repository</name>
<url>
http://maven.wso2.org/nexus/content/groups/wso2-public/
</url>
<releases>
<enabled>true</enabled>
<updatePolicy>daily</updatePolicy>
<checksumPolicy>ignore</checksumPolicy>
</releases>
</repository>
<repositories>
<repository>
<id>wso2-nexus</id>
<name>WSO2 internal Repository</name>
<url>
https://maven.wso2.org/nexus/content/groups/wso2-public/
</url>
<releases>
<enabled>true</enabled>
<updatePolicy>daily</updatePolicy>
<checksumPolicy>fail</checksumPolicy>
</releases>
</repository>
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@graal-sdk/25.0.5.wso2v1/pom.xml` around lines 95 - 107, Update the repository
declaration for the "wso2-nexus" repository: change the <url> value from
http://maven.wso2.org/... to the HTTPS equivalent (https://maven.wso2.org/...)
and remove or change the <checksumPolicy> from "ignore" to a stricter policy
such as "fail" (or remove the tag to use the default) so artifact integrity is
enforced; modify the <repository> block containing <id>wso2-nexus</id>, <url>
and <checksumPolicy> accordingly.

Comment on lines +117 to +121
<snapshotRepository>
<id>wso2.snapshots</id>
<name>Apache Snapshot Repository</name>
<url>https://maven.wso2.org/nexus/content/repositories/snapshots/</url>
</snapshotRepository>

⚠️ Potential issue | 🟡 Minor

Incorrect repository name.

The snapshotRepository name says "Apache Snapshot Repository" but it points to a WSO2 repository URL.

📝 Proposed fix
         <snapshotRepository>
             <id>wso2.snapshots</id>
-            <name>Apache Snapshot Repository</name>
+            <name>WSO2 Snapshot Repository</name>
             <url>https://maven.wso2.org/nexus/content/repositories/snapshots/</url>
         </snapshotRepository>
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
<snapshotRepository>
<id>wso2.snapshots</id>
<name>Apache Snapshot Repository</name>
<url>https://maven.wso2.org/nexus/content/repositories/snapshots/</url>
</snapshotRepository>
<snapshotRepository>
<id>wso2.snapshots</id>
<name>WSO2 Snapshot Repository</name>
<url>https://maven.wso2.org/nexus/content/repositories/snapshots/</url>
</snapshotRepository>
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@graal-sdk/25.0.5.wso2v1/pom.xml` around lines 117 - 121, The
<snapshotRepository> entry contains a mismatched <name> ("Apache Snapshot
Repository") for the WSO2 URL; update the <name> value inside the
snapshotRepository block (the <name> element associated with snapshotRepository)
to accurately reflect the WSO2 repository (e.g., "WSO2 Snapshot Repository" or
similar) so the repository name matches the <url> and <id>.

@madurangasiriwardena madurangasiriwardena changed the title from "Add Graal SDK 25.0.4 bundle" to "Add Graal SDK 25.0.2 bundle" on Feb 26, 2026

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
graal-sdk/25.0.2.wso2v1/pom.xml (1)

85-88: Overly permissive import configuration may mask dependency issues.

Setting Import-Package to *;resolution:=optional combined with DynamicImport-Package:* makes all imports optional and dynamic. This can hide missing dependencies at build time, causing ClassNotFoundException or NoClassDefFoundError at runtime.

Consider explicitly listing required packages without optional resolution, and only marking truly optional packages as such.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@graal-sdk/25.0.2.wso2v1/pom.xml` around lines 85 - 88, The OSGi bundle
manifest in the pom uses overly permissive Import-Package and
DynamicImport-Package entries; replace the blanket
Import-Package="*;resolution:=optional" and DynamicImport-Package="*" by
enumerating the actual package names your module needs in the Import-Package
element (omit ;resolution:=optional for required packages) and only add
;resolution:=optional for truly optional packages, removing or narrowing
DynamicImport-Package to specific packages if dynamic loading is required;
inspect code references to determine required packages and list them explicitly
in the Import-Package element instead of using wildcards.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@graal-sdk/25.0.2.wso2v1/pom.xml`:
- Around line 85-88: The OSGi bundle manifest in the pom uses overly permissive
Import-Package and DynamicImport-Package entries; replace the blanket
Import-Package="*;resolution:=optional" and DynamicImport-Package="*" by
enumerating the actual package names your module needs in the Import-Package
element (omit ;resolution:=optional for required packages) and only add
;resolution:=optional for truly optional packages, removing or narrowing
DynamicImport-Package to specific packages if dynamic loading is required;
inspect code references to determine required packages and list them explicitly
in the Import-Package element instead of using wildcards.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9d73a8b and 4a9dc1e.

📒 Files selected for processing (1)
  • graal-sdk/25.0.2.wso2v1/pom.xml

@coderabbitai coderabbitai bot left a comment

♻️ Duplicate comments (3)
graal-sdk/25.0.2.wso2v1/pom.xml (3)

124-124: ⚠️ Potential issue | 🟡 Minor

Repository name is misleading for the configured snapshot URL.

Line 124 says Apache Snapshot Repository while the ID/URL clearly point to WSO2 snapshots.

Suggested fix
-            <name>Apache Snapshot Repository</name>
+            <name>WSO2 Snapshot Repository</name>
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@graal-sdk/25.0.2.wso2v1/pom.xml` at line 124, The repository <name> element
is misleading: change the <name>Apache Snapshot Repository</name> entry in the
POM to match the configured repository ID/URL for WSO2 (e.g., "WSO2 Snapshot
Repository" or another name reflecting the WSO2 snapshot URL) so the <name>
value aligns with the repository ID/URL used in the pom.xml.

78-78: ⚠️ Potential issue | 🟠 Major

Verify and bump maven-bundle-plugin from 5.1.8.

Line 78 is pinned to an older plugin release; please verify the latest stable release on Maven Central and upgrade accordingly.

#!/bin/bash
set -euo pipefail
curl -fsSL "https://repo1.maven.org/maven2/org/apache/felix/maven-bundle-plugin/maven-metadata.xml" \
  | sed -n '1,220p' \
  | rg -n "<latest>|<release>|<version>"
Suggested change (after verification)
-                <version>5.1.8</version>
+                <version>6.0.0</version>
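Review bot: The `<version>` change from 5.1.8 to 6.0.0 is a major-version jump for the plugin that generates the bundle manifest, so it should not be merged as a blind bump. Build the bundle with both versions and diff the generated MANIFEST.MF (Export-Package, Import-Package, embedded jars), and confirm the build's JDK and Maven versions satisfy the newer plugin before switching.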
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@graal-sdk/25.0.2.wso2v1/pom.xml` at line 78, The pom.xml pins the
maven-bundle-plugin to version 5.1.8; verify the latest stable release on Maven
Central and update the <version> element for
org.apache.felix:maven-bundle-plugin from 5.1.8 to that verified latest version.
Use the Maven metadata (org.apache.felix:maven-bundle-plugin:maven-metadata.xml)
or Maven Central search to confirm the correct release, then replace the
existing <version> value in the pom.xml so the plugin declaration
(maven-bundle-plugin) references the newer verified version.

104-110: ⚠️ Potential issue | 🟠 Major

Use HTTPS and enforce checksum validation for repository downloads.

Line 105 uses HTTP and Line 110 sets checksum policy to ignore, which weakens artifact integrity guarantees.

Suggested fix
             <url>
-                http://maven.wso2.org/nexus/content/groups/wso2-public/
+                https://maven.wso2.org/nexus/content/groups/wso2-public/
             </url>
@@
-                <checksumPolicy>ignore</checksumPolicy>
+                <checksumPolicy>fail</checksumPolicy>
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@graal-sdk/25.0.2.wso2v1/pom.xml` around lines 104 - 110, Update the
repository declaration to use HTTPS and enforce checksum validation: change the
<url> value from "http://maven.wso2.org/nexus/content/groups/wso2-public/" to
use "https://", and replace the <checksumPolicy> value "ignore" with a stricter
policy such as "fail" (inside the same repository element that contains the
<url> and <releases> blocks) so downloads use HTTPS and invalid checksums will
fail.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@graal-sdk/25.0.2.wso2v1/pom.xml`:
- Line 124: The repository <name> element is misleading: change the <name>Apache
Snapshot Repository</name> entry in the POM to match the configured repository
ID/URL for WSO2 (e.g., "WSO2 Snapshot Repository" or another name reflecting the
WSO2 snapshot URL) so the <name> value aligns with the repository ID/URL used in
the pom.xml.
- Line 78: The pom.xml pins the maven-bundle-plugin to version 5.1.8; verify the
latest stable release on Maven Central and update the <version> element for
org.apache.felix:maven-bundle-plugin from 5.1.8 to that verified latest version.
Use the Maven metadata (org.apache.felix:maven-bundle-plugin:maven-metadata.xml)
or Maven Central search to confirm the correct release, then replace the
existing <version> value in the pom.xml so the plugin declaration
(maven-bundle-plugin) references the newer verified version.
- Around line 104-110: Update the repository declaration to use HTTPS and
enforce checksum validation: change the <url> value from
"http://maven.wso2.org/nexus/content/groups/wso2-public/" to use "https://", and
replace the <checksumPolicy> value "ignore" with a stricter policy such as
"fail" (inside the same repository element that contains the <url> and
<releases> blocks) so downloads use HTTPS and invalid checksums will fail.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4a9dc1e and 2647260.

📒 Files selected for processing (1)
  • graal-sdk/25.0.2.wso2v1/pom.xml

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@graal-sdk/25.0.2.wso2v1/pom.xml`:
- Around line 105-108: The Import-Package manifest header in the POM is
malformed because entries are not comma-separated; update the Import-Package
value so the two entries are separated by a comma (i.e., between
"!org.graalvm.*" and "*;resolution:=optional") to produce a valid OSGi header;
edit the Import-Package element where "!org.graalvm.*" and
"*;resolution:=optional" appear to insert the missing comma.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2647260 and 7e45354.

📒 Files selected for processing (1)
  • graal-sdk/25.0.2.wso2v1/pom.xml

Comment on lines +105 to +108
<Import-Package>
!org.graalvm.*
*;resolution:=optional
</Import-Package>

⚠️ Potential issue | 🔴 Critical

Missing comma separator in Import-Package header - will cause bundle resolution issues.

The OSGi Import-Package header requires comma-separated entries. The current configuration is missing a comma between !org.graalvm.* and *;resolution:=optional, which will cause the bundle manifest to be malformed.

🐛 Proposed fix
                         <Import-Package>
-                            !org.graalvm.*
+                            !org.graalvm.*,
                             *;resolution:=optional
                         </Import-Package>
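Review bot: With the comma added, the second clause `*;resolution:=optional` still marks every remaining import as optional, so a package the embedded jars genuinely require can be absent and the bundle will still resolve, failing only when the class is first loaded. Consider listing the required packages as mandatory imports and keeping `resolution:=optional` for the ones that are truly optional.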
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
<Import-Package>
!org.graalvm.*
*;resolution:=optional
</Import-Package>
<Import-Package>
!org.graalvm.*,
*;resolution:=optional
</Import-Package>
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@graal-sdk/25.0.2.wso2v1/pom.xml` around lines 105 - 108, The Import-Package
manifest header in the POM is malformed because entries are not comma-separated;
update the Import-Package value so the two entries are separated by a comma
(i.e., between "!org.graalvm.*" and "*;resolution:=optional") to produce a valid
OSGi header; edit the Import-Package element where "!org.graalvm.*" and
"*;resolution:=optional" appear to insert the missing comma.

@madurangasiriwardena madurangasiriwardena merged commit 58cdebb into wso2:master Mar 3, 2026
2 checks passed
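
Added example, not part of the PR or the project's code: a small Python audit that flags the POM settings raised in the review comments above (HTTP repository URL, `checksumPolicy` set to `ignore`, an `Import-Package` value with a missing comma, and `DynamicImport-Package: *`). The sample POM is constructed from the fragments quoted in the thread; the function names and finding labels are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample assembled from the POM fragments quoted in this review.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins><plugin>
    <artifactId>maven-bundle-plugin</artifactId>
    <configuration><instructions>
      <Import-Package>
        !org.graalvm.*
        *;resolution:=optional
      </Import-Package>
      <DynamicImport-Package>*</DynamicImport-Package>
    </instructions></configuration>
  </plugin></plugins></build>
  <repositories><repository>
    <id>wso2-nexus</id>
    <url>
      http://maven.wso2.org/nexus/content/groups/wso2-public/
    </url>
    <releases><checksumPolicy>ignore</checksumPolicy></releases>
  </repository></repositories>
</project>"""


def _local(tag):
    """Strip the XML namespace so POMs with or without xmlns both work."""
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "").strip()


def split_clauses(header):
    """Split an OSGi header on commas that are outside double quotes."""
    clauses, buf, quoted = [], [], False
    for ch in header:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            clauses.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    clauses.append("".join(buf).strip())
    return [c for c in clauses if c]


def audit_pom(pom_xml):
    """Return (rule, detail) findings in document order."""
    findings = []
    for elem in ET.fromstring(pom_xml).iter():
        name = _local(elem.tag)
        if name in ("repository", "pluginRepository", "snapshotRepository"):
            rid = next((_text(c) for c in elem if _local(c.tag) == "id"), "?")
            for sub in elem.iter():
                sname = _local(sub.tag)
                if sname == "url" and _text(sub).lower().startswith("http://"):
                    findings.append(("cleartext-repo-url", rid))
                if sname == "checksumPolicy" and _text(sub) == "ignore":
                    findings.append(("checksum-ignored", rid))
        elif name == "Import-Package":
            for clause in split_clauses(_text(elem)):
                # Blank out quoted values, then look for two package patterns
                # separated only by whitespace: the missing-comma case.
                bare = re.sub(r'"[^"]*"', '""', clause)
                if re.search(r"[^;\s]\s+[!\w*]", bare):
                    findings.append(("import-clause-missing-comma",
                                     " ".join(clause.split())))
        elif name == "DynamicImport-Package" and "*" in split_clauses(_text(elem)):
            findings.append(("dynamic-import-wildcard", "*"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit_pom(SAMPLE_POM):
        print(f"{rule}: {detail}")
```
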