
build(deps): bump com.h2database:h2 from 2.1.214 to 2.2.224 #6132

Open: wants to merge 7 commits into base branch main

Conversation

jeremylong (Owner)

Pending a resolution to gradle/gradle#27156

mbecca commented Jan 12, 2024

> Pending a resolution to gradle/gradle#27156

Hi, the issue was resolved! gradle/gradle#27156

mbecca commented Mar 5, 2024

Hello @jeremylong, is there any possibility to re-activate this PR?

jeremylong (Owner, Author)

Upgrading is a breaking change. I'd rather hold off a bit. If the concern is the CVE, see https://github.com/jeremylong/DependencyCheck/security/dependabot/833

The CLI is not used in the dependency-check project.

leaqui commented Mar 6, 2024

> Upgrading is a breaking change. I'd rather hold off a bit. If the concern is the CVE; see https://github.com/jeremylong/DependencyCheck/security/dependabot/833
>
> The CLI is not used in the dependency-check project.

link broken?

jeremylong (Owner, Author)

Ah sorry - I forgot that link is only available to maintainers.

> The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console.

We don't use the CLI. Dependency-check is not affected by the CVE.

mbecca commented Mar 14, 2024

Hi @jeremylong, I've a problem with the quarkus gradle plugin, because it has com.h2database:h2:2.2.224 on its classpath.
I posted a question on StackOverflow; do you have any ideas about it?

https://stackoverflow.com/questions/78162642/quarkus-gradle-plugin-classpath-exclude-problem

I need to strictly force com.h2database:h2:2.1.214 because I have a central NVD database built with com.h2database:h2:2.1.214.

Thanks.

jeremylong (Owner, Author)

Aren't breaking changes on minor versions great fun? You could try constraints: https://stackoverflow.com/a/57636110

Also, is this a multi-project build and/or have a buildSrc? You might need to do the configuration in buildSrc... Been a while since I fought with gradle on this though.

mbecca commented Mar 15, 2024

> Aren't breaking changes on minor versions great fun? You could try constraints: https://stackoverflow.com/a/57636110
>
> Also, is this a multi-project build and/or have a buildSrc? You might need to do the configuration in buildSrc... Been a while since I fought with gradle on this though.

It isn't a multi-project build. I added a buildscript block for testing, but its configuration doesn't work.

new build.gradle:

```groovy
buildscript {
  repositories {
    maven {
      url = uri("https://plugins.gradle.org/m2/")
    }
  }
  dependencies {
    constraints {
      classpath('com.h2database:h2:2.1.214') {
        because 'testing force upgrade'
      }
    }
  }
}

plugins {
  id 'java'
  id 'org.owasp.dependencycheck' version '9.0.9'
  id 'io.quarkus'
}

version = '0.1.0'

configurations {
  all {
    resolutionStrategy {
      force 'com.h2database:h2:2.1.214'
      forcedModules = ['com.h2database:h2:2.1.214']
    }
  }
}

wrapper {
  gradleVersion = '8.6'
}
```

mbecca commented Mar 15, 2024

I found a solution! Thanks @jeremylong

build.gradle:

```groovy
buildscript {
  configurations.classpath {
    resolutionStrategy {
      force 'com.h2database:h2:2.1.214'
    }
  }
}

plugins {
  id 'java'
  id 'org.owasp.dependencycheck' version '9.0.9'
  id 'io.quarkus'
}
```
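A way to confirm that the force actually took effect on the plugin classpath (an added example, not part of this PR or of dependency-check): a Gradle task that inspects the resolved buildscript classpath and fails the build if any com.h2database:h2 version other than 2.1.214 was resolved. It assumes the buildscript block above is present in the same build.gradle; the task name and the forcedH2Version variable are hypothetical.

```groovy
// Added verification task (not from the PR). It fails the build when the
// buildscript classpath resolved a different h2 version than the one forced
// above, which is the case where the shared NVD database would not be readable.
def forcedH2Version = '2.1.214'

tasks.register('verifyBuildscriptH2') {
    description = 'Checks which com.h2database:h2 version the plugin classpath resolved to'
    doLast {
        // buildscript.configurations.classpath is the plugin classpath, the one the
        // quarkus and dependency-check plugins load h2 from.
        def h2Artifacts = buildscript.configurations.classpath
            .resolvedConfiguration.resolvedArtifacts
            .findAll { it.moduleVersion.id.group == 'com.h2database' && it.moduleVersion.id.name == 'h2' }
        if (h2Artifacts.isEmpty()) {
            throw new GradleException('com.h2database:h2 is not on the buildscript classpath')
        }
        h2Artifacts.each { artifact ->
            def version = artifact.moduleVersion.id.version
            logger.lifecycle("buildscript classpath resolved com.h2database:h2:${version}")
            if (version != forcedH2Version) {
                throw new GradleException("Expected h2 ${forcedH2Version} but resolved ${version}; " +
                    'the central NVD database built with the forced version would not be readable')
            }
        }
    }
}
```

Run it with `./gradlew verifyBuildscriptH2` before `dependencyCheckAnalyze`; a non-zero exit means the force in the buildscript block was not applied.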

@jeremylong jeremylong added this to the 10.0 milestone Apr 16, 2024
jeremylong (Owner, Author)

Planning on including this in the 10.0 release.

jeremylong (Owner, Author)

TODO - document minimum gradle versions. See gradle/gradle#27156

@jeremylong jeremylong marked this pull request as ready for review June 30, 2024 10:13
jeremylong (Owner, Author)

@chadjvw and @aikebah - I'm working on the last of the updates for 10. I really would like to include this one - but it will require all users to rebuild their database. Given the current issue with the NVD and CVSSv4, and since we are not actually affected by the CVE, I think it would be better to skip this and hold off on this one for 11.0 (the next breaking change). Any opinion?

@jeremylong jeremylong modified the milestones: 10.0, 11.0 Jun 30, 2024
aikebah (Collaborator) commented Jun 30, 2024

@jeremylong agree that it's better to leave it out for a more friction-less upgrade for existing users.

Think that I might have even postponed the upgrade of the DotNet version to 8.x (in case some pipelines have 6 but not 8 runtime installed) which you already included

aikebah (Collaborator) commented Jun 30, 2024

My take on it would be to release 10 with the NVD API fix and shortly after release 11.0 with the h2 database upgrade

chadlwilson (Contributor)

@jeremylong were you meaning to tag me? 😅

Yeah, personally I'd leave it out too, since there is no working version of ODC right now at all. Assuming dotnet 8 is a reason for the major version bump to 10.0 I'd probably have left that out too. No harm in reverting and doing 9.3.0 instead?

Don't see the reason to batch all this together.
