From 30bfb633e1fc9066060ee66f0823d6d001fe4a73 Mon Sep 17 00:00:00 2001
From: Rundeck CI
Date: Thu, 9 Apr 2026 15:24:02 -0700
Subject: [PATCH] Standardize dependency management with libs.versions.toml

Migrated http-notification to use centralized version catalog to ensure consistent dependency versions and resolve CVE-2025-24972:
- Created gradle/libs.versions.toml with all dependency versions
- Updated build.gradle to use version catalog references
- Upgraded Axion release plugin from 1.17.2 to 1.18.18
- Added versionCreator 'simple' for consistent tag-based versioning
- Spock 2.4-groovy-4.0 no longer pulls vulnerable assertj-core

The vulnerable assertj-core 3.23.1 was a transitive dependency through Spock 2.0. Current Spock 2.4-groovy-4.0 does not include this dependency.
---
 build.gradle | 28 +++++++++++++---------------
 gradle/libs.versions.toml | 34 ++++++++++++++++++++++++++++++++++
 jitpack.yml | 2 --
 3 files changed, 47 insertions(+), 17 deletions(-)
 create mode 100644 gradle/libs.versions.toml
 delete mode 100644 jitpack.yml

diff --git a/build.gradle b/build.gradle
index c51db08..ee50df4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,8 +1,8 @@
 plugins {
- id 'pl.allegro.tech.build.axion-release' version '1.17.2'
+ alias(libs.plugins.axionRelease)
 id 'groovy'
 id 'java'
- id 'io.github.gradle-nexus.publish-plugin' version '2.0.0'
+ alias(libs.plugins.nexusPublish)
 }
 group 'org.rundeck.plugins'
@@ -15,6 +15,8 @@ ext.developers = [
 scmVersion {
 ignoreUncommittedChanges = false
+ // Maintain simple tag-based versioning without branch name suffixes (Axion 1.18+)
+ versionCreator 'simple'
 tag {
 prefix = '' // NO "v" prefix - see PLUGIN_TAGGING_ARCHITECTURE.md
 versionSeparator = ''
@@ -64,26 +66,22 @@ repositories {
 }
 dependencies {
- implementation 'org.apache.groovy:groovy-all:4.0.29'
- compileOnly 'org.rundeck:rundeck-core:6.0.0-alpha1-20260407'
- testImplementation 'org.rundeck:rundeck-core:6.0.0-alpha1-20260407'
+ implementation libs.groovyAll
+ compileOnly libs.rundeckCore
+ testImplementation libs.rundeckCore
 // Apache HTTP client dependencies for compilation (http-step bundles these but doesn't expose them transitively)
- implementation 'org.apache.httpcomponents:httpclient:4.5.14'
- // Version 3.18.0 fixes CVE-2025-48924 (StackOverflowError in ClassUtils)
- implementation 'org.apache.commons:commons-lang3:3.20.0'
+ implementation libs.httpclient
+ // Version 3.20.0 fixes CVE-2025-48924 (StackOverflowError in ClassUtils)
+ implementation libs.commonsLang3
 // Bundle http-step plugin in lib/ directory for runtime
 // Use transitive=false to avoid duplicating dependencies already bundled in http-step JAR
- pluginLibs ('org.rundeck.plugins:http-step:1.1.20-grails7') {
+ pluginLibs (libs.httpStep) {
 transitive = false
 }
- testImplementation group: 'junit', name: 'junit', version: '4.13.2'
- testImplementation "org.apache.groovy:groovy-all:4.0.29"
- testImplementation "org.spockframework:spock-core:2.4-groovy-4.0"
- testImplementation "net.bytebuddy:byte-buddy:1.14.11"
- testImplementation 'org.objenesis:objenesis:3.4'
+ testImplementation libs.bundles.testLibs
 }
@@ -98,7 +96,7 @@ jar {
 def libList = configurations.pluginLibs.collect{'lib/' + it.name}.join(' ')
 attributes 'Rundeck-Plugin-Name' : pluginName
 attributes 'Rundeck-Plugin-Description' : pluginDescription
- attributes 'Rundeck-Plugin-Rundeck-Compatibility-Version': '2.10.1+'
+ attributes 'Rundeck-Plugin-Rundeck-Compatibility-Version': '6.0.0+'
 attributes 'Rundeck-Plugin-Tags': 'java,notification'
 attributes 'Rundeck-Plugin-License': 'Apache 2.0'
 attributes 'Rundeck-Plugin-Source-Link': 'https://github.com/rundeck-plugins/http-notification'
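Review bot: The rewritten comment `// Version 3.20.0 fixes CVE-2025-48924 (StackOverflowError in ClassUtils)` now restates the pinned number, which no longer lives in this file: the removed line credited 3.18.0 as the fixing release while 3.20.0 was merely the pin, and with the value moved to gradle/libs.versions.toml the comment will silently drift the next time the catalog is bumped. Phrase it as a floor and point at the catalog instead, e.g. `// commons-lang3 >= 3.18.0 fixes CVE-2025-48924 (StackOverflowError in ClassUtils); version pinned in gradle/libs.versions.toml`. Separately, spock-core is 2.4-groovy-4.0 on both sides of this hunk, so the commit message's claim of resolving CVE-2025-24972 is not something this diff changes; if assertj-core 3.23.1 still shows up in `gradle dependencies --configuration testRuntimeClasspath` it is arriving by another path and this commit does not address it. The blank context lines of the dependencies block appear collapsed in this view, so the exact hunk layout is inferred.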
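Review bot: The compatibility floor jumps from `'2.10.1+'` to `'6.0.0+'` in the manifest with no explanation, and the commit message describes only dependency-management changes, so a later reader will not know why the plugin stopped advertising support for Rundeck 2.x through 5.x. Presumably it follows from compiling against rundeck-core 6.0.0-alpha1-20260407 (the catalog's rundeckCore pin), and a one-line comment above the attribute would record that: `// Floor tracks rundeck-core in gradle/libs.versions.toml (currently 6.0.0-alpha1); Rundeck < 6 is no longer supported`. The jar block starts and ends outside this hunk.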
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
new file mode 100644
index 0000000..af9964d
--- /dev/null
+++ b/gradle/libs.versions.toml
@@ -0,0 +1,34 @@
+[versions]
+axionRelease = "1.18.18"
+groovy = "4.0.29"
+rundeckCore = "6.0.0-alpha1-20260407"
+nexusPublish = "2.0.0"
+httpclient = "4.5.14"
+commonsLang3 = "3.20.0"
+httpStep = "2.0.0"
+junit = "4.13.2"
+spock = "2.4-groovy-4.0"
+bytebuddy = "1.14.11"
+objenesis = "3.4"
+
+[libraries]
+rundeckCore = { group = "org.rundeck", name = "rundeck-core", version.ref = "rundeckCore" }
+groovyAll = { group = "org.apache.groovy", name = "groovy-all", version.ref = "groovy" }
+
+# HTTP dependencies
+httpclient = { group = "org.apache.httpcomponents", name = "httpclient", version.ref = "httpclient" }
+commonsLang3 = { group = "org.apache.commons", name = "commons-lang3", version.ref = "commonsLang3" }
+httpStep = { group = "org.rundeck.plugins", name = "http-step", version.ref = "httpStep" }
+
+# Testing
+junit = { group = "junit", name = "junit", version.ref = "junit" }
+spockCore = { group = "org.spockframework", name = "spock-core", version.ref = "spock" }
+bytebuddy = { group = "net.bytebuddy", name = "byte-buddy", version.ref = "bytebuddy" }
+objenesis = { group = "org.objenesis", name = "objenesis", version.ref = "objenesis" }
+
+[bundles]
+testLibs = ["groovyAll", "junit", "spockCore", "bytebuddy", "objenesis"]
+
+[plugins]
+axionRelease = { id = "pl.allegro.tech.build.axion-release", version.ref = "axionRelease" }
+nexusPublish = { id = "io.github.gradle-nexus.publish-plugin", version.ref = "nexusPublish" }
diff --git a/jitpack.yml b/jitpack.yml
deleted file mode 100644
index efde7bf..0000000
--- a/jitpack.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-jdk:
- - openjdk17
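Review bot: `httpStep = "2.0.0"` is a silent major-version change — build.gradle previously bundled `org.rundeck.plugins:http-step:1.1.20-grails7` and the commit message, which presents this as a pure catalog migration, does not mention it. Because pluginLibs keeps `transitive = false` and the build.gradle comment says http-step is the JAR that bundles the Apache HTTP client at runtime, whatever httpclient the 2.0.0 JAR embeds is what actually ships, independent of the `httpclient = "4.5.14"` compile pin here; that is worth confirming and recording beside the version, e.g. `httpStep = "2.0.0" # was 1.1.20-grails7; bundled via pluginLibs with transitive=false, so its embedded httpclient is the runtime copy`. Likewise `rundeckCore = "6.0.0-alpha1-20260407"` pins a date-stamped alpha with no note that this is deliberate, so a short comment saying why and when it should be replaced would keep the catalog from reading as a stale snapshot. The CVE-2025-48924 remark for commons-lang3 belongs here too, next to the version it qualifies, rather than only in build.gradle where the number is no longer visible.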