Release 26.0.1 FR merge

build.gradle

@@ -288,7 +288,7 @@ subprojects {
       dependency 'org.sonarsource.java:sonar-java-plugin:8.7.0.37452'
       dependency 'org.sonarsource.java:sonar-java-symbolic-execution-plugin:8.7.0.37452'
       dependency 'org.sonarsource.javascript:sonar-javascript-plugin:10.18.0.28572'
-      dependency 'org.sonarsource.php:sonar-php-plugin:3.40-CODESCAN'
+      dependency 'org.sonarsource.php:sonar-php-plugin:3.53.0.15220'
       dependency 'org.sonarsource.plugins.cayc:sonar-cayc-plugin:2.4.0.2018'
       dependency 'org.sonarsource.python:sonar-python-plugin:5.7.0.24163'
       dependency 'org.sonarsource.kotlin:sonar-kotlin-plugin:2.21.0.5736'
@@ -377,7 +377,8 @@ subprojects {
         entry 'jjwt-jackson'
       }
       dependency 'com.auth0:java-jwt:4.4.0'
-      dependency 'io.netty:netty-all:4.2.6.Final'
+      dependency 'io.netty:netty-all:4.2.9.Final'
+      imports { mavenBom 'io.netty:netty-bom:4.2.9.Final' }
       dependency 'com.sun.mail:jakarta.mail:1.6.7'
       dependency 'javax.annotation:javax.annotation-api:1.3.2'
       dependency 'javax.inject:javax.inject:1'
@@ -386,13 +387,13 @@ subprojects {
       dependency 'junit:junit:4.13.2'
       dependency 'org.xmlunit:xmlunit-core:2.10.0'
       dependency 'org.xmlunit:xmlunit-matchers:2.10.0'
-      dependency 'org.lz4:lz4-java:1.8.0'
+      dependency 'at.yawk.lz4:lz4-java:1.10.1'
       dependency 'org.littleshoot:littleproxy:1.1.2'
       dependency 'net.sf.trove4j:core:3.1.0'
       dependency 'org.awaitility:awaitility:4.2.2'
       dependency 'org.apache.commons:commons-collections4:4.4'
       dependency 'org.apache.commons:commons-csv:1.12.0'
-      dependency 'org.apache.commons:commons-lang3:3.18.0'
+      dependency 'org.apache.commons:commons-lang3:3.20.0'
       dependency 'org.apache.commons:commons-email:1.6.0'
       dependency 'org.apache.commons:commons-text:1.12.0'
       dependency 'org.apache.mina:mina-core:2.2.3'
@@ -410,7 +411,7 @@ subprojects {
         entry 'log4j-api'
         entry 'log4j-to-slf4j'
       }
-      dependencySet(group: 'org.apache.tomcat.embed', version: '9.0.90') {
+      dependencySet(group: 'org.apache.tomcat.embed', version: '9.0.111') {
         entry 'tomcat-embed-core'
         entry('tomcat-embed-jasper') {
           exclude 'org.eclipse.jdt.core.compiler:ecj'
@@ -435,6 +436,7 @@ subprojects {
         exclude 'org.apache.logging.log4j:log4j-core'
         exclude 'org.elasticsearch:jna'
         exclude 'com.fasterxml.jackson.core:jackson-core'
+        exclude 'org.lz4:lz4-java'
       }
       dependency 'com.fasterxml.jackson.core:jackson-core:2.20.0'
       dependency "org.elasticsearch.plugin:transport-netty4-client:${elasticSearchClientVersion}"
@@ -477,14 +479,14 @@ subprojects {
       dependency 'org.reflections:reflections:0.10.2'
       dependency 'org.simpleframework:simple:5.1.6'
       dependency 'org.sonarsource.git.blame:git-files-blame:1.1.0.1835'
-      dependency('org.sonarsource.orchestrator:sonar-orchestrator-junit4:4.9.0.1920') {
+      dependency('org.sonarsource.orchestrator:sonar-orchestrator-junit4:6.0.3.3907') {
         exclude 'com.fasterxml.jackson.dataformat:jackson-dataformat-xml'
       }
-      dependency('org.sonarsource.orchestrator:sonar-orchestrator-junit5:4.9.0.1920') {
+      dependency('org.sonarsource.orchestrator:sonar-orchestrator-junit5:6.0.3.3907') {
         exclude 'com.fasterxml.jackson.dataformat:jackson-dataformat-xml'
       }
       dependency 'com.sonarsource.pdfreport:security-report-pdf-generation:2.0.0.165'
-      dependency 'org.sonarsource.update-center:sonar-update-center-common:1.34.0.2766'
+      dependency 'org.sonarsource.update-center:sonar-update-center-common:1.36.0.4317'
       dependency("org.springframework:spring-context:${springVersion}") {
         exclude 'commons-logging:commons-logging'
       }
@@ -524,6 +526,13 @@ subprojects {
     resolutionStrategy {
       force 'com.fasterxml.jackson.core:jackson-core:2.20.0'
       force 'org.eclipse.jgit:org.eclipse.jgit:7.3.0.202506031305-r'
+      force 'at.yawk.lz4:lz4-java:1.10.1'
+    }
+
+    resolutionStrategy.capabilitiesResolution {
+        withCapability('org.lz4:lz4-java') {
+            select('at.yawk.lz4:lz4-java:1.10.1')
+        }
     }
   }
 

server/sonar-ce-common/src/it/java/org/sonar/ce/queue/CeQueueImplIT.java

@@ -19,6 +19,20 @@
  */
 package org.sonar.ce.queue;
 
+import static com.google.common.collect.ImmutableList.of;
+import static java.util.Arrays.asList;
+import static java.util.Collections.emptyMap;
+import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
+import static org.apache.commons.lang3.RandomStringUtils.secure;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.assertj.core.api.Assertions.catchThrowable;
+import static org.assertj.core.api.Assertions.tuple;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.sonar.ce.queue.CeQueue.SubmitOption.UNIQUE_QUEUE_PER_ENTITY;
+import static org.sonar.ce.queue.CeQueue.SubmitOption.UNIQUE_QUEUE_PER_TASK_TYPE;
+
 import java.util.List;
 import java.util.Optional;
 import java.util.Random;
@@ -47,19 +61,6 @@
 import org.sonar.db.user.UserTesting;
 import org.sonar.server.platform.NodeInformation;
 
-import static com.google.common.collect.ImmutableList.of;
-import static java.util.Arrays.asList;
-import static java.util.Collections.emptyMap;
-import static org.apache.commons.lang3.RandomStringUtils.secure;
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.assertj.core.api.Assertions.assertThatThrownBy;
-import static org.assertj.core.api.Assertions.catchThrowable;
-import static org.assertj.core.api.Assertions.tuple;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-import static org.sonar.ce.queue.CeQueue.SubmitOption.UNIQUE_QUEUE_PER_ENTITY;
-import static org.sonar.ce.queue.CeQueue.SubmitOption.UNIQUE_QUEUE_PER_TASK_TYPE;
-
 public class CeQueueImplIT {
 
   private static final String WORKER_UUID = "workerUuid";

server/sonar-ce-task-projectanalysis/src/main/java/ce/CodeScanBranch.java

@@ -20,7 +20,7 @@
 package ce;
 
 import javax.annotation.Nullable;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.api.utils.MessageException;
 import org.sonar.ce.task.projectanalysis.analysis.Branch;
 import org.sonar.db.component.BranchType;

server/sonar-ce-task-projectanalysis/src/main/java/ce/CodeScanBranchLoaderDelegate.java

@@ -21,7 +21,7 @@
 
 import java.util.Optional;
 import javax.annotation.Nonnull;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.ce.task.projectanalysis.analysis.Branch;
 import org.sonar.ce.task.projectanalysis.analysis.MutableAnalysisMetadataHolder;
 import org.sonar.ce.task.projectanalysis.component.BranchLoaderDelegate;

server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/period/NewCodePeriodResolver.java

@@ -28,7 +28,7 @@
 import java.util.function.Supplier;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nullable;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.api.utils.DateUtils;
 import org.sonar.api.utils.MessageException;
 import org.slf4j.Logger;

server/sonar-ce/src/main/java/org/sonar/ce/app/CeServer.java

@@ -31,7 +31,6 @@
 import org.sonar.ce.logging.CeProcessLogging;
 import org.sonar.process.MinimumViableSystem;
 import org.sonar.process.Monitored;
-import org.sonar.process.PluginSecurityManager;
 import org.sonar.process.ProcessEntryPoint;
 import org.sonar.process.Props;
 
@@ -56,8 +55,7 @@ public class CeServer implements Monitored {
   private CeMainThread ceMainThread = null;
 
   @VisibleForTesting
-  protected CeServer(ComputeEngine computeEngine, MinimumViableSystem mvs, CeSecurityManager securityManager) {
-    securityManager.apply();
+  protected CeServer(ComputeEngine computeEngine, MinimumViableSystem mvs) {
     this.computeEngine = computeEngine;
     mvs
       .checkWritableTempDir()
@@ -121,8 +119,7 @@ public static void main(String[] args) {
 
     CeServer server = new CeServer(
       new ComputeEngineImpl(props, new ComputeEngineContainerImpl()),
-      new MinimumViableSystem(),
-      new CeSecurityManager(new PluginSecurityManager(), props));
+      new MinimumViableSystem());
     entryPoint.launch(server);
   }
 

server/sonar-ce/src/test/java/org/sonar/ce/app/CeServerTest.java

@@ -55,7 +55,6 @@ public class CeServerTest {
   private CeServer underTest = null;
   private Thread waitingThread = null;
   private final MinimumViableSystem minimumViableSystem = mock(MinimumViableSystem.class, Mockito.RETURNS_MOCKS);
-  private final CeSecurityManager ceSecurityManager = mock(CeSecurityManager.class);
 
   @After
   public void tearDown() throws Exception {
@@ -76,12 +75,6 @@ public void constructor_does_not_start_a_new_Thread() {
     assertThat(ceThreadExists()).isFalse();
   }
 
-  @Test
-  public void constructor_calls_ceSecurityManager() {
-    newCeServer();
-    verify(ceSecurityManager).apply();
-  }
-
   @Test
   public void awaitStop_throws_ISE_if_called_before_start() {
     CeServer ceServer = newCeServer();
@@ -269,7 +262,7 @@ private CeServer newCeServer() {
 
   private CeServer newCeServer(ComputeEngine computeEngine) {
     checkState(this.underTest == null, "Only one CeServer can be created per test method");
-    this.underTest = new CeServer(computeEngine, minimumViableSystem, ceSecurityManager);
+    this.underTest = new CeServer(computeEngine, minimumViableSystem);
     return underTest;
   }
 

server/sonar-db-dao/build.gradle

@@ -11,7 +11,7 @@ dependencies {
   api 'com.google.protobuf:protobuf-java'
   api 'commons-io:commons-io'
   api 'org.apache.commons:commons-lang3'
-  api 'org.lz4:lz4-java'
+  api 'at.yawk.lz4:lz4-java'
   api 'org.mybatis:mybatis'
   api 'org.sonarsource.api.plugin:sonar-plugin-api'