CORE-18813 - enable Dependabot (#1375)

- Use gradle catalogue using a versions toml file to define library versions.
- Enable Dependabot so it can raise PRs to update dependencies

Author: Dries Samyn

.github/dependabot.yml

@@ -4,6 +4,4 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
-    rebase-strategy: "disabled"
-    # for testing only:
-    target-branch: "driessamyn/poc/version-catalogue"
+    rebase-strategy: "disabled"

application/build.gradle

@@ -21,5 +21,4 @@ dependencies {
     compileOnly 'org.osgi:osgi.core'
 
     testApi 'org.jetbrains.kotlin:kotlin-osgi-bundle'
-    testImplementation "org.assertj:assertj-core:$assertjVersion"
 }

base/build.gradle

@@ -16,5 +16,4 @@ dependencies {
     compileOnly 'org.osgi:osgi.annotation'
 
     testApi 'org.jetbrains.kotlin:kotlin-osgi-bundle'
-    testImplementation "org.assertj:assertj-core:$assertjVersion"
 }

build.gradle

@@ -9,31 +9,22 @@ buildscript {
     ext {
         vcsUrl = System.getenv('GIT_URL') ?: 'https://github.com/corda/corda-api.git'
     }
-    
-    dependencies {
-        classpath "org.jetbrains.dokka:dokka-core:$dokkaVersion"
-        constraints {
-            classpath("org.jsoup:jsoup:1.15.3") {
-                because "required until dokka plugin updates it's internal version of jsoup, not fixed as of dokka 1.7.10"
-            }
-        }
-    }
 }
 
 plugins {
     id 'net.corda.cordapp.cordapp-configuration'
     id 'org.jetbrains.kotlin.jvm' apply false
     id 'org.jetbrains.kotlin.plugin.allopen' apply false
     id 'org.jetbrains.kotlin.plugin.jpa' apply false
-    id 'io.gitlab.arturbosch.detekt' apply false
-    id 'io.snyk.gradle.plugin.snykplugin'
-    id 'org.ajoberstar.grgit' // used for GIT interaction (e.g. extract commit hash)
+    alias libs.plugins.detekt apply false
+    alias libs.plugins.snyk
+    alias libs.plugins.grgit // used for GIT interaction (e.g. extract commit hash)
     id 'corda.root-publish'
     id 'jacoco' // test coverage
-    id 'com.dorongold.task-tree' // utility to visualise Gradle task DAG
-    id 'org.jetbrains.dokka'
-    id 'com.github.ben-manes.versions' // discover possible dependency version upgrades
-    id 'org.cyclonedx.bom' apply false
+    alias libs.plugins.task.tree // utility to visualise Gradle task DAG
+    alias libs.plugins.dokka
+    alias libs.plugins.dependency.check.versions // discover possible dependency version upgrades
+    alias libs.plugins.cyclonedx.bom  apply false
 }
 
 snyk {
@@ -108,7 +99,9 @@ subprojects {
         releasable = true // all corda-api jars are externally consumable
     }
 
-    apply plugin: 'org.cyclonedx.bom'
+    // NOTE: according to this we shouldn't be using subprojects:
+    //   https://discuss.gradle.org/t/apply-plugin-with-version-catalog/43029
+    apply plugin: libs.plugins.cyclonedx.bom.get().pluginId
     cyclonedxBom {
         includeConfigs = ["runtimeClasspath"]
         skipProjects = [rootProject.name]
@@ -162,21 +155,7 @@ subprojects {
         //  thinking is that for the test dependencies it's ok as it'll keep things consistent.
         //  we can add exclusions, or review this if necessary.
         dependencies {
-            // Test libraries -> keep consistent across modules
-            testImplementation "org.jetbrains.kotlin:kotlin-test:$kotlinVersion"
-            testImplementation "org.mockito:mockito-core:$mockitoVersion"
-            testImplementation("org.mockito.kotlin:mockito-kotlin:$mockitoKotlinVersion") {
-                // Excluding mockito-core and adding it implicitly above. This is done to allow the use of the latest version of mockito.
-                exclude group: 'mockito-core'
-            }
-
-            testImplementation "org.junit.jupiter:junit-jupiter:$junitVersion"
-
-            // Test runtime libraries -> also keep consistent
-            testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
-            testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
-
-            detektPlugins "io.gitlab.arturbosch.detekt:detekt-formatting:$detektPluginVersion"
+            detektPlugins libs.detekt.formatting
         }
 
         // Making all persistence entity open and with an empty constructor to allow Hibernate to work.
@@ -259,17 +238,6 @@ subprojects {
         }
     }
 
-    pluginManager.withPlugin('io.gitlab.arturbosch.detekt'){
-        dependencies {
-        detekt "io.gitlab.arturbosch.detekt:detekt-cli:$detektPluginVersion"
-            constraints {
-                detekt("org.yaml:snakeyaml:$snakeyamlVersion") {
-                    because "required until detekt plugin updates it's internal version of snakeYaml, not fixed as of detekt version 1.21"
-                }
-            }
-        }
-    }
-
     // we do this to allow for Gradle task caching. OSGI attribute Bnd-LastModified breaks gradle caching as it is a timestamp
     // below block tells Gradle to ignore specifically the Bnd-LastModified attribute of the manifest when checking if
     // a task is up-to-date, this has no impact on publishing or production of jar.
@@ -407,4 +375,4 @@ if (project.hasProperty('generateSBOM')) {
     artifactoryPublish {
         publications('sbom')
     }
-}
+}

buildSrc/build.gradle

@@ -10,8 +10,6 @@ repositories {
 // So we'll load it into our own object to grab what we need.
 def constants = new Properties()
 file("$rootDir/../gradle.properties").withInputStream { InputStream input -> constants.load(input) }
-def bndVersion = constants.getProperty('bndVersion')
-def bndlibVersion = constants.getProperty('bndlibVersion')
 def internalPluginVersion = constants.getProperty('internalPluginVersion')
 def artifactoryContextUrl = constants.getProperty('artifactoryContextUrl')
 
@@ -51,23 +49,11 @@ repositories {
 
 dependencies {
     constraints {
-        implementation('biz.aQute.bnd:biz.aQute.bndlib') {
-            version {
-                require bndlibVersion
-            }
-        }
-        implementation('biz.aQute.bnd:biz.aQute.bnd.embedded-repo') {
-            version {
-                require bndlibVersion
-            }
-        }
-        implementation('biz.aQute.bnd:biz.aQute.resolve') {
-            version {
-                require bndlibVersion
-            }
-        }
+        implementation libs.bnd.lib
+        implementation libs.bnd.embedded.repo
+        implementation libs.bnd.resolve
     }
-    implementation "biz.aQute.bnd:biz.aQute.bnd.gradle:$bndVersion"
+    implementation libs.bnd.gradle
 
     if (System.getenv('CORDA_ARTIFACTORY_USERNAME') != null || project.hasProperty('cordaArtifactoryUsername')) {
         implementation "com.r3.internal.gradle.plugins:publish:$internalPluginVersion"

buildSrc/settings.gradle

@@ -0,0 +1,7 @@
+dependencyResolutionManagement {
+    versionCatalogs {
+        create('libs', { from(files("../gradle/libs.versions.toml")) })
+    }
+}
+
+rootProject.name = 'buildSrc'

buildSrc/src/main/groovy/corda-api.common-library.gradle

@@ -2,6 +2,7 @@
 
 plugins {
     id 'java-library'
+    id 'org.jetbrains.kotlin.jvm'
     id 'biz.aQute.bnd.builder'
 }
 
@@ -26,9 +27,8 @@ configurations {
 
 dependencies {
     compileOnly "org.jetbrains:annotations:$jetbrainsAnnotationsVersion"
-    testImplementation "org.junit.jupiter:junit-jupiter:$junitVersion"
-    testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
-    testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
+    testImplementation libs.bundles.test
+    testRuntimeOnly libs.bundles.test.runtime
 }
 
 tasks.named('jar', Jar) {

buildSrc/src/main/groovy/corda.java-only.gradle

@@ -1,9 +1,12 @@
-plugins {
-    id 'org.jetbrains.kotlin.jvm'
-}
-
-tasks.named('compileKotlin') {
-    doFirst {
-        throw new InvalidUserCodeException("Module '${project.path}' should only contain Java classes")
+/**
+ * Apply this plugin to projects that must be implemented in pure Java.
+ * We cannot prevent such projects from applying the Kotlin Gradle plugin,
+ * but we can throw an exception if they try to compile any Kotlin classes.
+ */
+pluginManager.withPlugin('org.jetbrains.kotlin.jvm') {
+    tasks.named('compileKotlin') {
+        doFirst {
+            throw new InvalidUserCodeException("Module '${project.path}' should only contain Java classes")
+        }
     }
 }

corda-api/build.gradle

@@ -26,41 +26,20 @@ dependencies {
         api project(':membership')
         api project(':serialization')
 
-        api('javax.persistence:javax.persistence-api') {
-            version {
-                require javaxPersistenceApiVersion
-            }
-        }
+        api(libs.javax.persistence.api)
         api('org.jetbrains.kotlin:kotlin-osgi-bundle') {
             version {
-                require kotlinVersion
+                    require kotlinVersion
             }
         }
         api('org.jetbrains:annotations') {
             version {
                 require jetbrainsAnnotationsVersion
             }
         }
-        api('org.osgi:osgi.annotation') {
-            version {
-                require osgiAnnotationVersion
-            }
-        }
-        api('org.osgi:osgi.core') {
-            version {
-                require osgiVersion
-            }
-        }
-        api('org.osgi:org.osgi.service.component.annotations') {
-            version {
-                require osgiScrAnnotationVersion
-            }
-        }
-        api('org.slf4j:slf4j-api') {
+        api(libs.bundles.osgi)
+        api(libs.slf4j) {
             because 'Corda 5.1 only supports SLF4J 1.x'
-            version {
-                strictly slf4jVersion
-            }
         }
     }
 }

cordapp-configuration/build.gradle

@@ -31,9 +31,8 @@ java {
 }
 
 dependencies {
-    testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion"
-    testImplementation "org.junit.jupiter:junit-jupiter-params:$junitVersion"
-    testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
+    testImplementation libs.bundles.test
+    testRuntimeOnly libs.bundles.test.runtime
 }
 
 tasks.named('jar', Jar) {

cordapp-configuration/gradle.properties

@@ -1,5 +1,3 @@
 org.gradle.java.installations.auto-download=false
 org.gradle.jvmargs=-XX:+UseG1GC -Xmx1g
-org.gradle.caching=false
-
-junitVersion=5.7.2
+org.gradle.caching=false

cordapp-configuration/settings.gradle

@@ -2,4 +2,7 @@ dependencyResolutionManagement {
     repositories {
         mavenCentral()
     }
+    versionCatalogs {
+        create('libs', { from(files("../gradle/libs.versions.toml")) })
+    }
 }

crypto/build.gradle

@@ -15,9 +15,6 @@ dependencies {
     api platform(project(':corda-api'))
     api project(':base')
 
-    testImplementation "org.bouncycastle:bcprov-jdk18on:$bouncycastleVersion"
-    testImplementation "org.bouncycastle:bcpkix-jdk18on:$bouncycastleVersion"
-    testImplementation "org.assertj:assertj-core:$assertjVersion"
-    testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion"
+    testImplementation libs.bundles.bouncycastle
 }
 

data/avro-schema/build.gradle

@@ -6,17 +6,17 @@ plugins {
     id 'corda-api.common-library'
     id 'corda.common-publishing'
     id 'corda.java-only'
-    id "com.github.davidmc24.gradle.plugin.avro-base"
+    alias libs.plugins.avro.gradle
 }
 
 dependencies {
-    api "org.apache.avro:avro:$avroVersion"
+    api libs.avro
     constraints {
-        implementation("com.fasterxml.jackson.core:jackson-databind:$jacksonVersion") {
+        implementation(libs.jackson.databind) {
             because "required until new version of Avro available which updates Jackson"
         }
 
-        implementation("org.apache.commons:commons-compress:$commonsCompressVersion") {
+        implementation(libs.commons.compress) {
             because "CVE-2023-42503, current version of Avro uses an outdated version"
         }
     }
@@ -30,7 +30,7 @@ dependencies {
 configurations.all {
     resolutionStrategy {
         // CVE-2023-42503, current version of Avro uses an outdated version
-        force "org.apache.commons:commons-compress:$commonsCompressVersion"
+        force libs.commons.compress
     }
 }
 

data/topic-schema/build.gradle

@@ -9,9 +9,8 @@ description 'Definition of Topics'
 dependencies {
     implementation platform(project(':corda-api'))
 
-    testImplementation "org.assertj:assertj-core:$assertjVersion"
-    testImplementation "com.fasterxml.jackson.module:jackson-module-kotlin:$jacksonVersion"
-    testImplementation "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:$jacksonVersion"
+    testImplementation libs.jackson.kotlin
+    testImplementation libs.jackson.yaml
 
     compileOnly 'org.osgi:osgi.annotation'
 }

gradle.properties

@@ -1,7 +1,3 @@
-# This file is parsed from Python in the docs/source/conf.py file
-# because some versions here need to be matched by app authors in
-# their own projects. So don't get fancy with syntax!
-
 org.gradle.java.installations.auto-download=false
 
 # Versioning
@@ -30,48 +26,12 @@ publicArtifactURL = https://download.corda.net/maven
 # dokka need more metaspace - https://github.com/Kotlin/dokka/issues/1405
 org.gradle.jvmargs=-Dfile.encoding=UTF-8 -XX:MaxMetaspaceSize=2g
 internalPluginVersion = 1.+
-dokkaVersion = 1.8.+
-detektPluginVersion = 1.22.+
-dependencyCheckVersion=0.46.+
 artifactoryPluginVersion = 4.28.2
-snakeyamlVersion=2.0
-
-# Logging
-slf4jVersion = 1.7.36
-
-# Main implementation dependencies
-avroGradlePluginVersion=1.3.0
-avroVersion = 1.11.3
-commonsCompressVersion = 1.24.0
-bouncycastleVersion = 1.73
-grgitPluginVersion = 5.2.0
-taskTreePluginVersion = 2.1.1
-javaxPersistenceApiVersion = 2.2
-jacksonVersion = 2.15.2
-
-# Testing
-assertjVersion = 3.24.+
-junitVersion = 5.10.0
-mockitoVersion = 5.3.+
-mockitoKotlinVersion = 4.1.+
-
-# OSGi
-bndVersion = 6.4.0
-bndlibVersion = 6.4.1
-osgiVersion = 8.0.0
-osgiAnnotationVersion = 8.1.0
-osgiScrAnnotationVersion = 1.5.1
 
 gradleEnterpriseVersion = 3.14.1
 gradleDataPlugin = 1.8.2
 org.gradle.caching = true
 gradleEnterpriseUrl = https://gradle.dev.r3.com
 
-#snyk version
-snykVersion = 0.4
-
 # Kotlin build
-kotlin.build.report.output=file,build_scan
-
-# Cyclonedx Bom generation version
-cyclonedxVersion = 1.7.4
+kotlin.build.report.output=file,build_scan