As a developer, I want dependency updates #368

Closed
8 tasks done
james-d-brown opened this issue Nov 22, 2024 · 73 comments

@james-d-brown
Collaborator

james-d-brown commented Nov 22, 2024

  • Libraries having update available
  • Libraries marked vulnerable by scan
  • Jetty
  • Artemis
  • Redis
  • RabbitMQ
  • Java Runtime Environment
  • Anything else

Known Issues:
#68
#100

CVEs flagged by the GitHub bot, which we can use alongside the Gradle task, dependencyCheckAnalyze

https://github.com/NOAA-OWP/wres/security/dependabot

@james-d-brown james-d-brown added this to the v6.28 milestone Nov 22, 2024
@james-d-brown james-d-brown added the dependencies Dependency updates or issues label Nov 22, 2024
@james-d-brown
Collaborator Author

Feel free to edit the OP to replace Anything Else with actual things. For example, we might consider upgrading to a new major version, which will require a quick scan of the release notes w/r to breaking changes and, potentially, additional checking/testing.

@HankHerr-NOAA
Contributor

I'm going to start on this today, but given this is a short day for me, I don't anticipate finishing it. In fact, if we start bumping to major versions, I may not even come close to finishing it today.

To begin, my plan is to do a minor version bump. I'll then take a look at what major versions there are to consider and decide which if any to tackle with this update.

Hank

@HankHerr-NOAA HankHerr-NOAA self-assigned this Nov 27, 2024
@HankHerr-NOAA
Contributor

I've pulled the latest and am running unit tests on owpal-d-ised01. Once that's done, I'll create the branch and start following the process described in the VLab Wiki, "COWRES Deployment Process Instructions (Github)".

Hank

@HankHerr-NOAA
Contributor

I looked at the past dependency update to 6.27, #340, and searching a few libraries, it appears that, if a major version update is indicated by ./gradlew dependencyUpdates, then we just skip that update altogether when limiting ourselves to minor updates. But, again, I only looked at a few. Should I make an attempt to identify minor updates that may be between the current version and the major version upgrade? Again, my goal with this first pass is minor update only, noting #68 which prevents bumping Jersey.

The results of ./gradlew dependencyUpdates are provided below.

Hank

==========


> Configure project :
Set wres-writing version: 20241126-2da40a3
20241126-2da40a3-dev
Set wres-vis version: 20241126-2da40a3
20241126-2da40a3-dev
Path for java installation '/usr/lib/jvm/java-11-openjdk-11.0.16.0.8-1.el7_9.x86_64' (Common Linux Locations) does not contain a java executable
Path for java installation '/usr/lib/jvm/java-11-openjdk-11.0.14.1.1-1.el7_9.x86_64' (Common Linux Locations) does not contain a java executable
Path for java installation '/usr/lib/jvm/java-11-openjdk-11.0.14.0.9-1.el7_9.x86_64' (Common Linux Locations) does not contain a java executable
Path for java installation '/usr/lib/jvm/java-1.8.0-ibm-1.8.0.8.0-1jpp.1.el7.x86_64' (Common Linux Locations) does not contain a java executable
Path for java installation '/usr/lib/jvm/java-1.8.0-ibm-1.8.0.8.20-1jpp.1.el7.x86_64' (Common Linux Locations) does not contain a java executable
Path for java installation '/usr/lib/jvm/java-1.8.0-ibm-1.8.0.8.5-1jpp.1.el7.x86_64' (Common Linux Locations) does not contain a java executable
Path for java installation '/usr/lib/jvm/java-11-openjdk-11.0.21.0.9-2.el8.x86_64' (Common Linux Locations) does not contain a java executable
Path for java installation '/usr/lib/jvm/java-11-openjdk-11.0.15.0.9-2.el7_9.x86_64' (Common Linux Locations) does not contain a java executable
Path for java installation '/usr/lib/jvm/java-1.8.0-ibm-1.8.0.8.25-1jpp.1.el7.x86_64' (Common Linux Locations) does not contain a java executable
Path for java installation '/usr/lib/jvm/java-1.8.0-ibm-1.8.0.8.15-1jpp.1.el7.x86_64' (Common Linux Locations) does not contain a java executable
Path for java installation '/usr/lib/jvm/java-1.8.0-ibm-1.8.0.8.15-1jpp.3.el7.x86_64' (Common Linux Locations) does not contain a java executable
Path for java installation '/usr/lib/jvm/java-1.8.0-ibm-1.8.0.8.10-1jpp.1.el7.x86_64' (Common Linux Locations) does not contain a java executable

> Task :dependencyUpdates

------------------------------------------------------------
: Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - com.adarshr.test-logger:com.adarshr.test-logger.gradle.plugin:4.0.0
 - com.atlassian.commonmark:commonmark:0.17.0
 - com.github.ben-manes.caffeine:caffeine:3.1.8
 - com.github.ben-manes.versions:com.github.ben-manes.versions.gradle.plugin:0.51.0
 - com.github.marschall:jfr-jdbc:0.4.0
 - com.github.seanrl.jaxb:com.github.seanrl.jaxb.gradle.plugin:2.5.4
 - com.google.guava:guava:33.3.1-jre
 - com.google.guava:guava-testlib:33.3.1-jre
 - com.google.jimfs:jimfs:1.3.0
 - com.h2database:h2:2.3.232
 - com.netflix.nebula:gradle-aggregate-javadocs-plugin:3.0.1
 - com.opencsv:opencsv:5.9
 - com.sun.xml.fastinfoset:FastInfoset:2.1.1
 - commons-beanutils:commons-beanutils:1.9.4
 - commons-codec:commons-codec:1.17.1
 - de.undercouch.download:de.undercouch.download.gradle.plugin:5.6.0
 - io.swagger.core.v3:swagger-jaxrs2:2.2.25
 - jakarta.jms:jakarta.jms-api:3.1.0
 - javax.measure:unit-api:2.2
 - javax.servlet:javax.servlet-api:3.1.0
 - javax.ws.rs:javax.ws.rs-api:2.1
 - junit:junit:4.13.2
 - org.ajoberstar.grgit:org.ajoberstar.grgit.gradle.plugin:5.3.0
 - org.apache.activemq:artemis-amqp-protocol:2.38.0
 - org.apache.activemq:artemis-server:2.38.0
 - org.apache.commons:commons-compress:1.27.1
 - org.apache.commons:commons-configuration2:2.11.0
 - org.apache.commons:commons-lang3:3.17.0
 - org.apache.commons:commons-math3:3.6.1
 - org.apache.qpid:qpid-broker-core:9.2.0
 - org.apache.qpid:qpid-broker-plugins-amqp-0-8-protocol:9.2.0
 - org.apache.qpid:qpid-broker-plugins-memory-store:9.2.0
 - org.apache.qpid:qpid-jms-client:2.6.1
 - org.eclipse.jetty:jetty-webapp:11.0.24
 - org.eclipse.jetty.http2:http2-server:11.0.24
 - org.glassfish:javax.json:1.1.4
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8
 - org.jfree:jfreechart:1.5.5
 - org.jvnet.jaxb2_commons:jaxb2-basics-annotate:1.1.0
 - org.kordamp.gradle.markdown:org.kordamp.gradle.markdown.gradle.plugin:2.2.0
 - org.locationtech.jts:jts-core:1.20.0
 - org.locationtech.jts:jts-io:1.20.0
 - org.mock-server:mockserver-netty:5.15.0
 - org.mockito:mockito-core:5.14.2
 - org.mockito:mockito-inline:5.2.0
 - org.postgresql:postgresql:42.7.4
 - org.slf4j:jcl-over-slf4j:2.1.0-alpha1
 - org.slf4j:jul-to-slf4j:2.1.0-alpha1
 - org.slf4j:log4j-over-slf4j:2.1.0-alpha1
 - si.uom:si-units:2.1
 - systems.uom:systems-quantity:2.1
 - systems.uom:systems-ucum:2.1

The following dependencies have later milestone versions:
 - ch.qos.logback:logback-classic [1.5.11 -> 1.5.12]
     http://logback.qos.ch
 - com.fasterxml.jackson:jackson-bom [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson-bom
 - com.fasterxml.jackson.core:jackson-annotations [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson
 - com.fasterxml.jackson.core:jackson-core [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson-core
 - com.fasterxml.jackson.core:jackson-databind [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson
 - com.fasterxml.jackson.dataformat:jackson-dataformat-yaml [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson-dataformats-text
 - com.fasterxml.jackson.datatype:jackson-datatype-jsr310 [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson-modules-java8
 - com.github.sabomichal:immutable-xjc-plugin [1.7.1 -> 2.0.3]
     https://github.com/sabomichal/immutable-xjc
 - com.google.protobuf:com.google.protobuf.gradle.plugin [0.9.1 -> 0.9.4]
 - com.google.protobuf:protobuf-java [3.25.5 -> 4.29.0-RC3]
     https://developers.google.com/protocol-buffers/
 - com.google.protobuf:protobuf-java-util [3.25.5 -> 4.29.0-RC3]
     https://developers.google.com/protocol-buffers/
 - com.google.protobuf:protoc [3.25.5 -> 21.0-rc-1]
     https://developers.google.com/protocol-buffers/
 - com.hubspot.jackson:jackson-datatype-protobuf [0.9.15 -> 0.9.17]
 - com.mattbertolini:liquibase-slf4j [5.0.0 -> 5.1.0]
     https://github.com/mattbertolini/liquibase-slf4j
 - com.networknt:json-schema-validator [1.5.2 -> 1.5.4]
     https://github.com/networknt/json-schema-validator
 - com.rabbitmq:amqp-client [5.22.0 -> 5.23.0]
     https://www.rabbitmq.com
 - com.squareup.okhttp3:okhttp [4.12.0 -> 5.0.0-alpha.14]
     https://square.github.io/okhttp/
 - com.zaxxer:HikariCP [5.1.0 -> 6.2.1]
     https://github.com/brettwooldridge/HikariCP
 - commons-io:commons-io [2.17.0 -> 2.18.0]
     https://commons.apache.org/proper/commons-io/
 - edu.ucar:cdm-core [5.4.2 -> 6.0.0-beta1]
 - io.netty:netty-all [4.1.111.Final -> 5.0.0.Alpha2]
     http://netty.io/
 - io.soabase.record-builder:record-builder-core [41 -> 43]
     https://github.com/randgalt/record-builder
 - io.soabase.record-builder:record-builder-processor [41 -> 43]
     https://github.com/randgalt/record-builder
 - io.swagger.core.v3:swagger-jaxrs2-jakarta [2.2.25 -> 2.2.26]
     https://github.com/swagger-api/swagger-core
 - io.swagger.core.v3.swagger-gradle-plugin:io.swagger.core.v3.swagger-gradle-plugin.gradle.plugin [2.2.25 -> 2.2.26]
 - jakarta.activation:jakarta.activation-api [1.2.2 -> 2.1.3]
     https://github.com/jakartaee/jaf-api
 - jakarta.annotation:jakarta.annotation-api [2.1.1 -> 3.0.0]
     https://projects.eclipse.org/projects/ee4j.ca
 - jakarta.ws.rs:jakarta.ws.rs-api [3.1.0 -> 4.0.0]
     https://github.com/jakartaee/rest
 - jakarta.xml.bind:jakarta.xml.bind-api [2.3.3 -> 4.0.2]
     https://github.com/jakartaee/jaxb-api
 - jakarta.xml.bind:jakarta.xml.bind-api [3.0.1 -> 4.0.2]
     https://github.com/jakartaee/jaxb-api
 - org.apache.commons:commons-collections4 [4.4 -> 4.5.0-M2]
     https://commons.apache.org/proper/commons-collections/
 - org.apache.commons:commons-lang3 [3.12.0 -> 3.17.0]
     https://commons.apache.org/proper/commons-lang/
 - org.apache.tika:tika-core [2.9.2 -> 3.0.0]
     https://tika.apache.org/
 - org.beryx.jlink:org.beryx.jlink.gradle.plugin [2.26.0 -> 3.1.1]
 - org.bouncycastle:bcpkix-jdk18on [1.78.1 -> 1.79]
     https://www.bouncycastle.org/java.html
 - org.bouncycastle:bcprov-jdk18on [1.78.1 -> 1.79]
     https://www.bouncycastle.org/java.html
 - org.eclipse.collections:eclipse-collections [11.1.0 -> 12.0.0.M3]
     https://github.com/eclipse/eclipse-collections
 - org.eclipse.jetty:jetty-alpn-java-server [11.0.24 -> 12.1.0.alpha0]
     https://jetty.org
 - org.eclipse.jetty:jetty-server [11.0.24 -> 12.1.0.alpha0]
     https://jetty.org
 - org.eclipse.persistence:org.eclipse.persistence.moxy [2.7.12 -> 5.0.0-B04]
     http://www.eclipse.org/eclipselink
 - org.glassfish.jaxb:jaxb-core [2.3.0.1 -> 4.0.5]
     https://eclipse-ee4j.github.io/jaxb-ri/
 - org.glassfish.jaxb:jaxb-runtime [2.3.8 -> 4.0.5]
     https://eclipse-ee4j.github.io/jaxb-ri/
 - org.glassfish.jaxb:jaxb-xjc [2.3.8 -> 4.0.5]
     https://eclipse-ee4j.github.io/jaxb-ri/
 - org.glassfish.jersey.containers:jersey-container-jetty-http [3.1.3 -> 4.0.0-M1]
     https://projects.eclipse.org/projects/ee4j.jersey
 - org.glassfish.jersey.containers:jersey-container-servlet [3.1.8 -> 4.0.0-M1]
     https://projects.eclipse.org/projects/ee4j.jersey
 - org.glassfish.jersey.containers:jersey-container-servlet-core [3.1.8 -> 4.0.0-M1]
     https://projects.eclipse.org/projects/ee4j.jersey
 - org.glassfish.jersey.core:jersey-server [3.1.8 -> 4.0.0-M1]
     https://projects.eclipse.org/projects/ee4j.jersey
 - org.glassfish.jersey.inject:jersey-hk2 [3.1.8 -> 4.0.0-M1]
     https://projects.eclipse.org/projects/ee4j.jersey
 - org.glassfish.jersey.media:jersey-media-multipart [3.1.8 -> 4.0.0-M1]
     https://projects.eclipse.org/projects/ee4j.jersey
 - org.jetbrains.kotlin:kotlin-stdlib [1.9.23 -> 2.1.0]
     https://kotlinlang.org/
 - org.jetbrains.kotlin:kotlin-stdlib-jdk7 [1.9.23 -> 2.1.0]
     https://kotlinlang.org/
 - org.jetbrains.kotlin:kotlin-stdlib-jdk8 [1.9.23 -> 2.1.0]
     https://kotlinlang.org/
 - org.jfree:org.jfree.svg [4.1 -> 5.0.6]
     http://www.jfree.org/jfreesvg
 - org.junit.jupiter:junit-jupiter-api [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-params [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.vintage:junit-vintage-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.jvnet.jaxb2_commons:jaxb2-basics [0.13.1 -> 1.11.1]
     https://github.com/highsource/jaxb2-basics
 - org.jvnet.jaxb2_commons:jaxb2-basics-ant [0.13.1 -> 1.11.1]
     https://github.com/highsource/jaxb2-basics
 - org.jvnet.jaxb2_commons:jaxb2-basics-runtime [0.13.1 -> 2.0.12]
     https://github.com/highsource/jaxb-tools
 - org.liquibase:liquibase-core [4.29.2 -> 4.30.0]
     http://www.liquibase.com
 - org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin [10.0.2 -> 11.1.0]
 - org.projectlombok:lombok [1.18.34 -> 1.18.36]
     https://projectlombok.org
 - org.redisson:redisson [3.18.0 -> 3.39.0]
     https://redisson.pro
 - org.slf4j:slf4j-api [2.0.13 -> 2.1.0-alpha1]
     http://www.slf4j.org
 - org.sonarqube:org.sonarqube.gradle.plugin [5.1.0.4882 -> 6.0.0.5145]
 - tech.units:indriya [2.2 -> 2.2.1]
     http://units.tech

Failed to determine the latest version for the following dependencies (use --info for details):
 - net.jcip:jcip-annotations

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-config:dependencyUpdates

------------------------------------------------------------
:wres-config Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - com.google.guava:guava:33.3.1-jre
 - com.google.jimfs:jimfs:1.3.0
 - com.opencsv:opencsv:5.9
 - commons-beanutils:commons-beanutils:1.9.4
 - org.apache.commons:commons-lang3:3.17.0
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8
 - org.jvnet.jaxb2_commons:jaxb2-basics-annotate:1.1.0
 - org.locationtech.jts:jts-core:1.20.0
 - org.locationtech.jts:jts-io:1.20.0
 - org.mockito:mockito-core:5.14.2

The following dependencies have later milestone versions:
 - ch.qos.logback:logback-classic [1.5.11 -> 1.5.12]
     http://logback.qos.ch
 - com.fasterxml.jackson:jackson-bom [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson-bom
 - com.fasterxml.jackson.core:jackson-annotations [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson
 - com.fasterxml.jackson.core:jackson-core [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson-core
 - com.fasterxml.jackson.core:jackson-databind [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson
 - com.fasterxml.jackson.dataformat:jackson-dataformat-yaml [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson-dataformats-text
 - com.fasterxml.jackson.datatype:jackson-datatype-jsr310 [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson-modules-java8
 - com.github.sabomichal:immutable-xjc-plugin [1.7.1 -> 2.0.3]
     https://github.com/sabomichal/immutable-xjc
 - com.google.protobuf:protobuf-java [3.25.5 -> 4.29.0-RC3]
     https://developers.google.com/protocol-buffers/
 - com.google.protobuf:protobuf-java-util [3.25.5 -> 4.29.0-RC3]
     https://developers.google.com/protocol-buffers/
 - com.hubspot.jackson:jackson-datatype-protobuf [0.9.15 -> 0.9.17]
 - com.networknt:json-schema-validator [1.5.2 -> 1.5.4]
     https://github.com/networknt/json-schema-validator
 - commons-io:commons-io [2.17.0 -> 2.18.0]
     https://commons.apache.org/proper/commons-io/
 - io.soabase.record-builder:record-builder-core [41 -> 43]
     https://github.com/randgalt/record-builder
 - io.soabase.record-builder:record-builder-processor [41 -> 43]
     https://github.com/randgalt/record-builder
 - jakarta.activation:jakarta.activation-api [1.2.2 -> 2.1.3]
     https://github.com/jakartaee/jaf-api
 - jakarta.xml.bind:jakarta.xml.bind-api [2.3.3 -> 4.0.2]
     https://github.com/jakartaee/jaxb-api
 - org.apache.tika:tika-core [2.9.2 -> 3.0.0]
     https://tika.apache.org/
 - org.eclipse.persistence:org.eclipse.persistence.moxy [2.7.12 -> 5.0.0-B04]
     http://www.eclipse.org/eclipselink
 - org.glassfish.jaxb:jaxb-core [2.3.0.1 -> 4.0.5]
     https://eclipse-ee4j.github.io/jaxb-ri/
 - org.glassfish.jaxb:jaxb-runtime [2.3.8 -> 4.0.5]
     https://eclipse-ee4j.github.io/jaxb-ri/
 - org.glassfish.jaxb:jaxb-xjc [2.3.8 -> 4.0.5]
     https://eclipse-ee4j.github.io/jaxb-ri/
 - org.junit.jupiter:junit-jupiter-api [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-params [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.jvnet.jaxb2_commons:jaxb2-basics [0.13.1 -> 1.11.1]
     https://github.com/highsource/jaxb2-basics
 - org.jvnet.jaxb2_commons:jaxb2-basics-ant [0.13.1 -> 1.11.1]
     https://github.com/highsource/jaxb2-basics
 - org.jvnet.jaxb2_commons:jaxb2-basics-runtime [0.13.1 -> 2.0.12]
     https://github.com/highsource/jaxb-tools
 - org.slf4j:slf4j-api [2.0.13 -> 2.1.0-alpha1]
     http://www.slf4j.org

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-datamodel:dependencyUpdates

------------------------------------------------------------
:wres-datamodel Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - com.github.ben-manes.caffeine:caffeine:3.1.8
 - javax.measure:unit-api:2.2
 - junit:junit:4.13.2
 - org.apache.commons:commons-lang3:3.17.0
 - org.apache.commons:commons-math3:3.6.1
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8
 - org.locationtech.jts:jts-core:1.20.0
 - org.mockito:mockito-core:5.14.2
 - si.uom:si-units:2.1
 - systems.uom:systems-quantity:2.1
 - systems.uom:systems-ucum:2.1

The following dependencies have later milestone versions:
 - ch.qos.logback:logback-classic [1.5.11 -> 1.5.12]
     http://logback.qos.ch
 - org.junit.jupiter:junit-jupiter-api [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.vintage:junit-vintage-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.slf4j:slf4j-api [2.0.13 -> 2.1.0-alpha1]
     http://www.slf4j.org
 - tech.units:indriya [2.2 -> 2.2.1]
     http://units.tech

Failed to determine the latest version for the following dependencies (use --info for details):
 - net.jcip:jcip-annotations

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-events:dependencyUpdates

------------------------------------------------------------
:wres-events Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - com.github.ben-manes.caffeine:caffeine:3.1.8
 - jakarta.jms:jakarta.jms-api:3.1.0
 - org.apache.commons:commons-lang3:3.17.0
 - org.apache.qpid:qpid-jms-client:2.6.1
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8
 - org.mockito:mockito-core:5.14.2
 - org.mockito:mockito-inline:5.2.0

The following dependencies have later milestone versions:
 - ch.qos.logback:logback-classic [1.5.11 -> 1.5.12]
     http://logback.qos.ch
 - io.netty:netty-all [4.1.111.Final -> 5.0.0.Alpha2]
     http://netty.io/
 - org.junit.jupiter:junit-jupiter-api [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.slf4j:slf4j-api [2.0.13 -> 2.1.0-alpha1]
     http://www.slf4j.org

Failed to determine the latest version for the following dependencies (use --info for details):
 - net.jcip:jcip-annotations

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-eventsbroker:dependencyUpdates

------------------------------------------------------------
:wres-eventsbroker Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - com.google.guava:guava:33.3.1-jre
 - jakarta.jms:jakarta.jms-api:3.1.0
 - org.apache.activemq:artemis-amqp-protocol:2.38.0
 - org.apache.activemq:artemis-server:2.38.0
 - org.apache.commons:commons-configuration2:2.11.0
 - org.apache.commons:commons-lang3:3.17.0
 - org.apache.qpid:qpid-jms-client:2.6.1
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8
 - org.slf4j:jcl-over-slf4j:2.1.0-alpha1

The following dependencies have later milestone versions:
 - ch.qos.logback:logback-classic [1.5.11 -> 1.5.12]
     http://logback.qos.ch
 - org.bouncycastle:bcprov-jdk18on [1.78.1 -> 1.79]
     https://www.bouncycastle.org/java.html
 - org.junit.jupiter:junit-jupiter-api [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.slf4j:slf4j-api [2.0.13 -> 2.1.0-alpha1]
     http://www.slf4j.org

Failed to determine the latest version for the following dependencies (use --info for details):
 - net.jcip:jcip-annotations

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-external-services-tests:dependencyUpdates

------------------------------------------------------------
:wres-external-services-tests Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-http:dependencyUpdates

------------------------------------------------------------
:wres-http Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - org.apache.commons:commons-lang3:3.17.0
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8
 - org.mockito:mockito-inline:5.2.0

The following dependencies have later milestone versions:
 - com.squareup.okhttp3:okhttp [4.12.0 -> 5.0.0-alpha.14]
     https://square.github.io/okhttp/
 - org.jetbrains.kotlin:kotlin-stdlib [1.9.23 -> 2.1.0]
     https://kotlinlang.org/
 - org.jetbrains.kotlin:kotlin-stdlib-jdk7 [1.9.23 -> 2.1.0]
     https://kotlinlang.org/
 - org.jetbrains.kotlin:kotlin-stdlib-jdk8 [1.9.23 -> 2.1.0]
     https://kotlinlang.org/
 - org.junit.jupiter:junit-jupiter-api [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.slf4j:slf4j-api [2.0.13 -> 2.1.0-alpha1]
     http://www.slf4j.org

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-io:dependencyUpdates

------------------------------------------------------------
:wres-io Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - com.github.ben-manes.caffeine:caffeine:3.1.8
 - com.github.marschall:jfr-jdbc:0.4.0
 - com.google.guava:guava:33.3.1-jre
 - com.google.guava:guava-testlib:33.3.1-jre
 - com.google.jimfs:jimfs:1.3.0
 - com.h2database:h2:2.3.232
 - junit:junit:4.13.2
 - org.glassfish:javax.json:1.1.4
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8
 - org.locationtech.jts:jts-core:1.20.0
 - org.locationtech.jts:jts-io:1.20.0
 - org.mockito:mockito-inline:5.2.0
 - org.postgresql:postgresql:42.7.4
 - org.slf4j:jcl-over-slf4j:2.1.0-alpha1
 - org.slf4j:jul-to-slf4j:2.1.0-alpha1

The following dependencies have later milestone versions:
 - com.mattbertolini:liquibase-slf4j [5.0.0 -> 5.1.0]
     https://github.com/mattbertolini/liquibase-slf4j
 - com.squareup.okhttp3:okhttp [4.12.0 -> 5.0.0-alpha.14]
     https://square.github.io/okhttp/
 - com.zaxxer:HikariCP [5.1.0 -> 6.2.1]
     https://github.com/brettwooldridge/HikariCP
 - edu.ucar:cdm-core [5.4.2 -> 6.0.0-beta1]
 - org.junit.jupiter:junit-jupiter-api [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.vintage:junit-vintage-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.liquibase:liquibase-core [4.29.2 -> 4.30.0]
     http://www.liquibase.com

Failed to determine the latest version for the following dependencies (use --info for details):
 - net.jcip:jcip-annotations

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-messages:dependencyUpdates

------------------------------------------------------------
:wres-messages Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - junit:junit:4.13.2
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8

The following dependencies have later milestone versions:
 - com.google.protobuf:protobuf-java [3.25.5 -> 4.29.0-RC3]
     https://developers.google.com/protocol-buffers/
 - com.google.protobuf:protoc [3.25.5 -> 21.0-rc-1]
     https://developers.google.com/protocol-buffers/
 - org.slf4j:slf4j-api [2.0.13 -> 2.1.0-alpha1]
     http://www.slf4j.org

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-metrics:dependencyUpdates

------------------------------------------------------------
:wres-metrics Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - junit:junit:4.13.2
 - org.apache.commons:commons-math3:3.6.1
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8
 - org.mockito:mockito-core:5.14.2

The following dependencies have later milestone versions:
 - ch.qos.logback:logback-classic [1.5.11 -> 1.5.12]
     http://logback.qos.ch
 - org.eclipse.collections:eclipse-collections [11.1.0 -> 12.0.0.M3]
     https://github.com/eclipse/eclipse-collections
 - org.junit.jupiter:junit-jupiter-api [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.vintage:junit-vintage-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.slf4j:slf4j-api [2.0.13 -> 2.1.0-alpha1]
     http://www.slf4j.org

Failed to determine the latest version for the following dependencies (use --info for details):
 - net.jcip:jcip-annotations

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-reading:dependencyUpdates

------------------------------------------------------------
:wres-reading Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - com.google.guava:guava:33.3.1-jre
 - com.google.guava:guava-testlib:33.3.1-jre
 - com.google.jimfs:jimfs:1.3.0
 - com.sun.xml.fastinfoset:FastInfoset:2.1.1
 - junit:junit:4.13.2
 - org.apache.commons:commons-compress:1.27.1
 - org.apache.commons:commons-math3:3.6.1
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8
 - org.locationtech.jts:jts-core:1.20.0
 - org.locationtech.jts:jts-io:1.20.0
 - org.mock-server:mockserver-netty:5.15.0
 - org.mockito:mockito-inline:5.2.0

The following dependencies have later milestone versions:
 - com.fasterxml.jackson.datatype:jackson-datatype-jsr310 [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson-modules-java8
 - com.mattbertolini:liquibase-slf4j [5.0.0 -> 5.1.0]
     https://github.com/mattbertolini/liquibase-slf4j
 - com.squareup.okhttp3:okhttp [4.12.0 -> 5.0.0-alpha.14]
     https://square.github.io/okhttp/
 - edu.ucar:cdm-core [5.4.2 -> 6.0.0-beta1]
 - org.apache.commons:commons-collections4 [4.4 -> 4.5.0-M2]
     https://commons.apache.org/proper/commons-collections/
 - org.apache.tika:tika-core [2.9.2 -> 3.0.0]
     https://tika.apache.org/
 - org.junit.jupiter:junit-jupiter-api [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.vintage:junit-vintage-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.liquibase:liquibase-core [4.29.2 -> 4.30.0]
     http://www.liquibase.com
 - org.projectlombok:lombok [1.18.34 -> 1.18.36]
     https://projectlombok.org

Failed to determine the latest version for the following dependencies (use --info for details):
 - net.jcip:jcip-annotations

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-statistics:dependencyUpdates

------------------------------------------------------------
:wres-statistics Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8

The following dependencies have later milestone versions:
 - ch.qos.logback:logback-classic [1.5.11 -> 1.5.12]
     http://logback.qos.ch
 - com.google.protobuf:protobuf-java [3.25.5 -> 4.29.0-RC3]
     https://developers.google.com/protocol-buffers/
 - com.google.protobuf:protoc [3.25.5 -> 21.0-rc-1]
     https://developers.google.com/protocol-buffers/
 - org.junit.jupiter:junit-jupiter-api [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.slf4j:slf4j-api [2.0.13 -> 2.1.0-alpha1]
     http://www.slf4j.org

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-system:dependencyUpdates

------------------------------------------------------------
:wres-system Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - com.github.marschall:jfr-jdbc:0.4.0
 - com.h2database:h2:2.3.232
 - com.sun.xml.fastinfoset:FastInfoset:2.1.1
 - junit:junit:4.13.2
 - org.apache.commons:commons-lang3:3.17.0
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8
 - org.mock-server:mockserver-netty:5.15.0
 - org.postgresql:postgresql:42.7.4
 - org.slf4j:jul-to-slf4j:2.1.0-alpha1

The following dependencies have later milestone versions:
 - com.zaxxer:HikariCP [5.1.0 -> 6.2.1]
     https://github.com/brettwooldridge/HikariCP
 - jakarta.xml.bind:jakarta.xml.bind-api [2.3.3 -> 4.0.2]
     https://github.com/jakartaee/jaxb-api
 - org.jvnet.jaxb2_commons:jaxb2-basics-runtime [0.13.1 -> 2.0.12]
     https://github.com/highsource/jaxb-tools
 - org.projectlombok:lombok [1.18.34 -> 1.18.36]
     https://projectlombok.org
 - org.slf4j:slf4j-api [2.0.13 -> 2.1.0-alpha1]
     http://www.slf4j.org

Failed to determine the latest version for the following dependencies (use --info for details):
 - net.jcip:jcip-annotations

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-tasker:dependencyUpdates

------------------------------------------------------------
:wres-tasker Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - com.github.ben-manes.caffeine:caffeine:3.1.8
 - com.google.jimfs:jimfs:1.3.0
 - commons-codec:commons-codec:1.17.1
 - io.swagger.core.v3:swagger-jaxrs2:2.2.25
 - javax.servlet:javax.servlet-api:3.1.0
 - javax.ws.rs:javax.ws.rs-api:2.1
 - junit:junit:4.13.2
 - org.apache.commons:commons-lang3:3.17.0
 - org.apache.qpid:qpid-broker-core:9.2.0
 - org.apache.qpid:qpid-broker-plugins-amqp-0-8-protocol:9.2.0
 - org.apache.qpid:qpid-broker-plugins-memory-store:9.2.0
 - org.eclipse.jetty:jetty-webapp:11.0.24
 - org.eclipse.jetty.http2:http2-server:11.0.24
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8

The following dependencies have later milestone versions:
 - ch.qos.logback:logback-classic [1.5.11 -> 1.5.12]
     http://logback.qos.ch
 - com.fasterxml.jackson:jackson-bom [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson-bom
 - com.fasterxml.jackson.core:jackson-annotations [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson
 - com.fasterxml.jackson.core:jackson-core [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson-core
 - com.fasterxml.jackson.core:jackson-databind [2.18.0 -> 2.18.1]
     https://github.com/FasterXML/jackson
 - com.google.protobuf:protobuf-java [3.25.5 -> 4.29.0-RC3]
     https://developers.google.com/protocol-buffers/
 - com.rabbitmq:amqp-client [5.22.0 -> 5.23.0]
     https://www.rabbitmq.com
 - com.squareup.okhttp3:okhttp [4.12.0 -> 5.0.0-alpha.14]
     https://square.github.io/okhttp/
 - io.netty:netty-all [4.1.111.Final -> 5.0.0.Alpha2]
     http://netty.io/
 - io.swagger.core.v3:swagger-jaxrs2-jakarta [2.2.25 -> 2.2.26]
     https://github.com/swagger-api/swagger-core
 - jakarta.annotation:jakarta.annotation-api [2.1.1 -> 3.0.0]
     https://projects.eclipse.org/projects/ee4j.ca
 - jakarta.ws.rs:jakarta.ws.rs-api [3.1.0 -> 4.0.0]
     https://github.com/jakartaee/rest
 - org.apache.commons:commons-lang3 [3.12.0 -> 3.17.0]
     https://commons.apache.org/proper/commons-lang/
 - org.apache.tika:tika-core [2.9.2 -> 3.0.0]
     https://tika.apache.org/
 - org.bouncycastle:bcpkix-jdk18on [1.78.1 -> 1.79]
     https://www.bouncycastle.org/java.html
 - org.bouncycastle:bcprov-jdk18on [1.78.1 -> 1.79]
     https://www.bouncycastle.org/java.html
 - org.eclipse.jetty:jetty-alpn-java-server [11.0.24 -> 12.1.0.alpha0]
     https://jetty.org
 - org.eclipse.jetty:jetty-server [11.0.24 -> 12.1.0.alpha0]
     https://jetty.org
 - org.glassfish.jersey.containers:jersey-container-servlet-core [3.1.8 -> 4.0.0-M1]
     https://projects.eclipse.org/projects/ee4j.jersey
 - org.glassfish.jersey.core:jersey-server [3.1.8 -> 4.0.0-M1]
     https://projects.eclipse.org/projects/ee4j.jersey
 - org.glassfish.jersey.inject:jersey-hk2 [3.1.8 -> 4.0.0-M1]
     https://projects.eclipse.org/projects/ee4j.jersey
 - org.glassfish.jersey.media:jersey-media-multipart [3.1.8 -> 4.0.0-M1]
     https://projects.eclipse.org/projects/ee4j.jersey
 - org.jetbrains.kotlin:kotlin-stdlib [1.9.23 -> 2.1.0]
     https://kotlinlang.org/
 - org.jetbrains.kotlin:kotlin-stdlib-jdk7 [1.9.23 -> 2.1.0]
     https://kotlinlang.org/
 - org.jetbrains.kotlin:kotlin-stdlib-jdk8 [1.9.23 -> 2.1.0]
     https://kotlinlang.org/
 - org.junit.jupiter:junit-jupiter-api [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.vintage:junit-vintage-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.redisson:redisson [3.18.0 -> 3.39.0]
     https://redisson.pro
 - org.slf4j:slf4j-api [2.0.13 -> 2.1.0-alpha1]
     http://www.slf4j.org

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-vis:dependencyUpdates

------------------------------------------------------------
:wres-vis Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - com.google.jimfs:jimfs:1.3.0
 - com.sun.xml.fastinfoset:FastInfoset:2.1.1
 - junit:junit:4.13.2
 - org.apache.commons:commons-lang3:3.17.0
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8
 - org.jfree:jfreechart:1.5.5
 - org.mockito:mockito-core:5.14.2
 - org.slf4j:log4j-over-slf4j:2.1.0-alpha1

The following dependencies have later milestone versions:
 - ch.qos.logback:logback-classic [1.5.11 -> 1.5.12]
     http://logback.qos.ch
 - org.jfree:org.jfree.svg [4.1 -> 5.0.6]
     http://www.jfree.org/jfreesvg
 - org.junit.jupiter:junit-jupiter-api [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.vintage:junit-vintage-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.slf4j:slf4j-api [2.0.13 -> 2.1.0-alpha1]
     http://www.slf4j.org

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-worker:dependencyUpdates

------------------------------------------------------------
:wres-worker Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - junit:junit:4.13.2
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8
 - org.mock-server:mockserver-netty:5.15.0
 - org.mockito:mockito-inline:5.2.0

The following dependencies have later milestone versions:
 - ch.qos.logback:logback-classic [1.5.11 -> 1.5.12]
     http://logback.qos.ch
 - com.rabbitmq:amqp-client [5.22.0 -> 5.23.0]
     https://www.rabbitmq.com
 - com.squareup.okhttp3:okhttp [4.12.0 -> 5.0.0-alpha.14]
     https://square.github.io/okhttp/
 - jakarta.ws.rs:jakarta.ws.rs-api [3.1.0 -> 4.0.0]
     https://github.com/jakartaee/rest
 - org.junit.jupiter:junit-jupiter-api [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.slf4j:slf4j-api [2.0.13 -> 2.1.0-alpha1]
     http://www.slf4j.org

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

> Task :wres-writing:dependencyUpdates

------------------------------------------------------------
:wres-writing Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - com.google.guava:guava:33.3.1-jre
 - com.google.jimfs:jimfs:1.3.0
 - junit:junit:4.13.2
 - org.apache.commons:commons-math3:3.6.1
 - org.jacoco:org.jacoco.agent:0.8.8
 - org.jacoco:org.jacoco.ant:0.8.8
 - org.locationtech.jts:jts-core:1.20.0
 - org.locationtech.jts:jts-io:1.20.0
 - org.mockito:mockito-inline:5.2.0

The following dependencies have later milestone versions:
 - com.squareup.okhttp3:okhttp [4.12.0 -> 5.0.0-alpha.14]
     https://square.github.io/okhttp/
 - edu.ucar:cdm-core [5.4.2 -> 6.0.0-beta1]
 - org.apache.tika:tika-core [2.9.2 -> 3.0.0]
     https://tika.apache.org/
 - org.jetbrains.kotlin:kotlin-stdlib [1.9.23 -> 2.1.0]
     https://kotlinlang.org/
 - org.jetbrains.kotlin:kotlin-stdlib-jdk7 [1.9.23 -> 2.1.0]
     https://kotlinlang.org/
 - org.jetbrains.kotlin:kotlin-stdlib-jdk8 [1.9.23 -> 2.1.0]
     https://kotlinlang.org/
 - org.junit.jupiter:junit-jupiter-api [5.11.2 -> 5.11.3]
     https://junit.org/junit5/
 - org.junit.jupiter:junit-jupiter-engine [5.11.2 -> 5.11.3]
     https://junit.org/junit5/

Failed to determine the latest version for the following dependencies (use --info for details):
 - net.jcip:jcip-annotations

Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]

Generated report file build/dependencyUpdates/report.txt

Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

See https://docs.gradle.org/7.6.4/userguide/command_line_interface.html#sec:command_line_warnings

BUILD SUCCESSFUL in 46s
17 actionable tasks: 17 executed

@james-d-brown
Collaborator Author

Yeah, that is unfortunately a weakness of our dependency checker, it doesn't provide both the minor and major version options, so you do need to check for minor updates that are hidden by major ones, unfortunately.

@james-d-brown
Collaborator Author

Or just do the major update, but I would take major updates carefully, one at a time. Our automated tests are probably good enough to catch most issues, once it is compiling (and major upgrades mean it may not compile, of course), but there is an extra risk, especially when working in the cowres components, tasker/worker/broker, as these are generally not very well covered by unit/integration tests.
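
One way to triage the report for the situation described in the two comments above, where a major or pre-release candidate can hide a newer release on the current line (an added example, not code from the WRES project or from the versions plugin). The line format is taken from the `dependencyUpdates` output quoted earlier in the thread; the pre-release qualifier list and the names `triage`, `classify` and `split_version` are assumptions of this example.

```python
import re
from collections import namedtuple

Update = namedtuple("Update", "coordinate current candidate change prerelease")

# " - group:artifact [current -> candidate]", as printed under
# "The following dependencies have later milestone versions:".
UPDATE_LINE = re.compile(
    r"^[ \t]*-[ \t]+(?P<coord>[\w.\-]+:[\w.\-]+)[ \t]+"
    r"\[(?P<cur>[^\s\]]+)[ \t]+->[ \t]+(?P<new>[^\s\]]+)\]",
    re.MULTILINE,
)
# Assumption: qualifiers that mark a candidate as not yet a stable release.
PRERELEASE = re.compile(r"(?<![a-z])(?:alpha|beta|rc|snapshot|preview|m\d)", re.IGNORECASE)

# Lines excerpted from the report quoted in this thread.
SAMPLE_REPORT = """
> Task :wres-system:dependencyUpdates
The following dependencies are using the latest milestone version:
 - org.postgresql:postgresql:42.7.4
The following dependencies have later milestone versions:
 - com.zaxxer:HikariCP [5.1.0 -> 6.2.1]
     https://github.com/brettwooldridge/HikariCP
 - org.slf4j:slf4j-api [2.0.13 -> 2.1.0-alpha1]
     http://www.slf4j.org
Gradle release-candidate updates:
 - Gradle: [7.6.4 -> 8.11.1]
> Task :wres-tasker:dependencyUpdates
The following dependencies have later milestone versions:
 - ch.qos.logback:logback-classic [1.5.11 -> 1.5.12]
 - io.netty:netty-all [4.1.111.Final -> 5.0.0.Alpha2]
 - org.eclipse.jetty:jetty-server [11.0.24 -> 12.1.0.alpha0]
 - org.redisson:redisson [3.18.0 -> 3.39.0]
 - org.slf4j:slf4j-api [2.0.13 -> 2.1.0-alpha1]
"""


def split_version(version):
    """Split '5.0.0.Alpha2' into ((5, 0, 0), '.Alpha2')."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    numeric = match.group(0) if match else ""
    numbers = tuple(int(part) for part in numeric.split(".") if part)
    numbers += (0,) * (3 - len(numbers))  # pad '21.0' to (21, 0, 0)
    return numbers[:3], version[len(numeric):]


def classify(current, candidate):
    """Return (change, prerelease) for a current -> candidate pair."""
    cur_numbers, _ = split_version(current)
    new_numbers, qualifier = split_version(candidate)
    if cur_numbers[0] != new_numbers[0]:
        change = "major"
    elif cur_numbers[1] != new_numbers[1]:
        change = "minor"
    else:
        change = "patch"
    return change, bool(PRERELEASE.search(qualifier))


def triage(report):
    """Split a dependencyUpdates report into (direct, lookup) lists.

    direct: stable patch/minor candidates that can be applied as reported.
    lookup: major or pre-release candidates; a newer release on the current
            line may exist, but the report does not show it.
    """
    seen = {}
    for m in UPDATE_LINE.finditer(report):
        key = (m["coord"], m["cur"], m["new"])
        if key not in seen:  # the same dependency repeats per subproject
            change, prerelease = classify(m["cur"], m["new"])
            seen[key] = Update(*key, change, prerelease)
    updates = sorted(seen.values())
    lookup = [u for u in updates if u.change == "major" or u.prerelease]
    direct = [u for u in updates if u not in lookup]
    return direct, lookup


if __name__ == "__main__":
    direct, lookup = triage(SAMPLE_REPORT)
    print("Apply as reported:")
    for u in direct:
        print(f"  {u.coordinate} {u.current} -> {u.candidate} ({u.change})")
    print("Check the repository for a hidden minor/patch release:")
    for u in lookup:
        tag = u.change + (", pre-release" if u.prerelease else "")
        print(f"  {u.coordinate} {u.current} -> {u.candidate} ({tag})")
```
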

@HankHerr-NOAA
Contributor

Adding #100 to the notable tickets in the description.

Hank

@HankHerr-NOAA
Contributor

Thanks, James. I'll look into minor updates that are between the reported current and major.

Hank

@HankHerr-NOAA
Contributor

I completed the (what I hope are) low-hanging-fruit minor upgrades. I'm unit testing now. If that completes successfully, I'll attempt to deploy to the -dev COWRES. I just need to see what the current process is to deploy from the development area.

Hank

@HankHerr-NOAA
Contributor

I've tackled all of the low-hanging fruit, minor version upgrades. That is, those identified by the dependency check. All pass unit tests except for this one:

com.google.protobuf:com.google.protobuf.gradle.plugin [0.9.1 -> 0.9.4]

I took the above to mean that I need to update the line,

    // To generate de/serialization classes for message bodies
    id 'com.google.protobuf' version '0.9.1'

to reference 0.9.4. I made that change. When I did so, the build failed:

    > Task :wres-statistics:compileJava
    /home/hank.herr/wres_repos/wres/wres-statistics/src/main/java/module-info.java:4: error: module not found: com.google.protobuf
        requires com.google.protobuf;
                           ^
    /home/hank.herr/wres_repos/wres/wres-statistics/src/main/java/module-info.java:5: error: module not found: org.slf4j
        requires org.slf4j;
                    ^
    2 errors

When I backed that one up to 0.9.1, I was able to build the code and the unit tests passed.

So, referring to the dependency check shared in my previous comment, I've handled all of the minor updates directly reported by dependency check, except for com.google.protobuf:com.google.protobuf.gradle.plugin [0.9.1 -> 0.9.4]. I'm going to deploy what I have to -dev to see if the COWRES comes up successfully.

Hank

P.S. Note to self so I don't lose it by the time I return to this ticket next week... When deploying the locally built .zips, the following command should work:

./scripts/dockerize.sh 20241126-b735d54-dev 20241113-6f1b17d-dev 20241113-6f1b17d-dev 20241126-b735d54-dev 20241126-b735d54-dev 20241126-b735d54-dev 20241126-2da40a3-dev 20241126-2da40a3-dev

@james-d-brown
Collaborator Author

See #103. I had thought Evan addressed this recently, but I guess that was the protobuf dependencies themselves, not the gradle plugin.

@HankHerr-NOAA
Contributor

Thanks, James. I'll take a look.

I was able to deploy what I have to -dev COWRES and get a smoke test to pass. Step 1 of many steps. :)

Hank

@HankHerr-NOAA
Contributor

I read through #103. I also note #70. They appear to be related.

I think what I'm seeing is that to update @com.google.protobuf@ to 0.9.4, we need the general protobuf dependencies to go to 4.26.1 or later. Is that right?

If so, I can try that as my first major update when I get started on them.

Thanks,

Hank

@HankHerr-NOAA
Contributor

With the build.gradle updated, the next step in the minor version updates is the Dockerfile changes, I think. I need to check to be sure, but I believe the process there is to try to build each image with the revisions removed so that Docker pulls the latest, and with it not in quiet mode so that we can see what it pulls. Let me check the wiki and see what I've done in the past.

I do this so rarely that every time I update dependencies, I spend a lot of time reminding myself of the process.

Hank

@epag
Collaborator

epag commented Nov 27, 2024

I believe #70 was resolved in #341

@james-d-brown
Collaborator Author

> I read through #103. I also note #70. They appear to be related.
>
> I think what I'm seeing is that to update @com.google.protobuf@ to 0.9.4, we need the general protobuf dependencies to go to 4.26.1 or later. Is that right?
>
> If so, I can try that as my first major update when I get started on them.
>
> Thanks,
>
> Hank

Probably, but we'll see. According to the ticket by the people that maintain the gradle dep, it is fixed, so I would browse that ticket w/r to versions. I do recall that they hadn't backported the fix.

@HankHerr-NOAA
Contributor

Final update for today...

I've updated the Dockerfiles; the Redhat UBI version changed to registry.access.redhat.com/ubi8/ubi:8.10-1132 and Redis changed to redis:7.4.1-alpine3.20. Otherwise, no changes were needed. Specifically, the JDK and related libraries included in the Dockerfile are unchanged (based on removing the version and letting docker build find the one to use). On Tuesday, I'll look at the CVEs.

Once the minor changes are made, the next step will be to step through the major version updates one at a time and identify the ones that will cause problems for us. We'll then determine whether to work on each change soon/now, or push them off until later and find an interim minor version update (that is hidden by the major one pointed to by the dependency check).

After a discussion with Josh Walston during "office hours", we decided that we should deploy next week. He's waiting on a couple of features that we will be deploying in 6.28. We'll have to decide if any of these dependency updates should go out in that deployment. If so, then I'll have to push what I can on Tuesday when I return to work.

My day is done. Happy Thanksgiving!

Hank

@HankHerr-NOAA
Contributor

I've been on sick leave a couple of days, so I wasn't able to look at the CVEs. My hope is to work on that tomorrow. Today is likely going to be a partial day and I won't have the time available to look at this.

Hank

@HankHerr-NOAA
Contributor

Running dependencyCheckAnalyze now and looking at the dependabot items. Note that it's been a few months, so I need to remind myself, once again, how to process what I see.

I need to take my kid to school. Back in a bit,

Hank

@HankHerr-NOAA
Contributor

I'm having NVD request failures so I bailed on the run:

    NVD API request failures are occurring; retrying request for the 5 time
    Retrying request /rest/json/cves/2.0?lastModStartDate=2024-09-13T13%3A52%3A07Z&lastModEndDate=2025-01-11T13%3A52%3A07Z&resultsPerPage=2000&startIndex=216000 : 3 time
    Retrying request /rest/json/cves/2.0?lastModStartDate=2024-09-13T13%3A52%3A07Z&lastModEndDate=2025-01-11T13%3A52%3A07Z&resultsPerPage=2000&startIndex=206000 : 3 time
    NVD API request failures are occurring; retrying request for the 5 time
    Retrying request /rest/json/cves/2.0?lastModStartDate=2024-09-13T13%3A52%3A07Z&lastModEndDate=2025-01-11T13%3A52%3A07Z&resultsPerPage=2000&startIndex=224000 : 3 time

I have the dependencyCheck key at the bottom of my build.gradle, so I'm not sure what is going wrong:

    dependencyCheck {
        nvd {
            apiKey='omitted'
        }
    }

Hank

@james-d-brown
Collaborator Author

Seems like the issue is with NIST service, not the tool - has been a consistent issue. Will probably 503 eventually:

jeremylong/DependencyCheck#7178

@HankHerr-NOAA
Contributor

I got a fresh NVD key just in case mine expired or something. I'm running it again.

Without that service, I can only use the dependabot, right?

Hank

@james-d-brown
Collaborator Author

I'm not currently aware of another good tool. There may be one. But, ultimately, it sounds like it isn't the tool, it's the underlying service (cannot say for sure in this instance, but that has been the case, and the above ticket points to it too).

@HankHerr-NOAA
Contributor

Thanks. Well, I scanned the dependabot stuff, at least, through the "high" CVEs:

https://github.com/NOAA-OWP/wres/security/dependabot

I already noted the Redisson critical CVE is waiting on #100 with a comment in that ticket.

However, the rest are either false alarms it appears (we are already using a new enough version that the CVE should not be an issue) or do not apply (they are libraries we are not referencing in build.gradle).

Anyway, I'm not sure there is much more I can do for the CVEs unless someone has a better idea.

Hank

@james-d-brown
Collaborator Author

Be careful, because transitive deps are still deps. That is why we override a bunch to remove CVEs in the build.gradle. I doubt the bot randomly identifies deps that are not part of our software, because that would be a bug. You can use gradle to list out all deps, including transitive ones, or you can search for a named one.

@james-d-brown
Collaborator Author

I would also keep trying dependencyCheckAnalyze, as the service may resume. Regardless, we are not bound to these updates for a release anymore, although it is a good idea to address critical ones before releasing.

@HankHerr-NOAA
Contributor

Updated the checkboxes. Beyond the build.gradle library changes, I had to update Dockerfile, wres-eventsbroker/Dockerfile, wres-vis/Dockerfile, wres-writing/Dockerfile for this one:

-FROM registry.access.redhat.com/ubi8/ubi:8.10-1088
+FROM registry.access.redhat.com/ubi8/ubi:8.10-1132
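
Review bot: The new `FROM` line still identifies the UBI base image by tag alone (`ubi:8.10-1132`), and a registry can re-point a tag after the fact. Consider adding the digest, in the form `registry.access.redhat.com/ubi8/ubi:8.10-1132@sha256:<digest>`, in all four Dockerfiles so that a later rebuild resolves to the same bytes and any base-image change shows up as a diff.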

I also updated wres-redis/Dockerfile with this change:

-FROM redis:7.4-alpine3.20
+FROM redis:7.4.1-alpine3.20
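
Review bot: The removed line used the floating `7.4` tag, which tracks the newest 7.4.x release, so earlier builds may already have pulled 7.4.1 or an older patch depending on when they ran. The added line fixes the Redis patch level, but `alpine3.20` is still a moving base; it would help to record the Redis version the deployed image actually reports so the real delta of this change is known, and to pin by digest if reproducible rebuilds matter.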

Oh, and, look at that, the dependencyCheckAnalyze just completed. And there are actually results to examine. Submitting this comment and then I'll take a look at that,

Hank

@HankHerr-NOAA
Contributor

No, I've made no changes to the wres-broker. The only change since 6.27 is the removal of the colon by Evan, but that does not appear to impact things. Although, I am using the dockerize script to build the image, so perhaps a flag or something has changed in that script that could impact the image? Taking a look,

Hank

@HankHerr-NOAA
Contributor

I need to get Arvin some feedback on his GUI changes, so I'm taking a short break from this ticket. Should be back in a bit,

Hank

@HankHerr-NOAA
Contributor

I'm back. No closer to a solution. I double checked that nothing else was changed in the broker. I see no reason for an image built today to fail when brought up in a container when an image built two months ago comes up just fine.

Hank

@HankHerr-NOAA
Contributor

I pushed my changes to branch 368_dependency_updates. I've asked Evan to pull down that branch and see if he encounters the same problem I'm encountering with building and deploying the broker image, in particular. I can build and deploy the other images just fine, and can confirm they work successfully when I use the 6.27 broker image, but, as soon as I use a broker image built today (with no changes in wres-broker), the broker container fails to come up.

Thanks,

Hank

(NOTE to self: The link to create a pull request later is https://github.com/NOAA-OWP/wres/pull/new/368_dependency_updates. So I don't have to fumble around for it later.)

@HankHerr-NOAA
Contributor

Evan recommended trying to build the broker image on the -dev03 machine. I did that, and the problem persisted. He also recommended rebuilding a clean version of the 6.27 images to see what happens. I might try that tomorrow.

Hank

@epag
Collaborator

epag commented Dec 9, 2024

ok, so looking through this and some stuff I have noticed.

First off, I have no clue why using an older version of just the broker seems to fix things other than maybe the fact to do with docker's cache

Looking at the containers, it seems like the broker actually starts successfully


9a27b15b2892   wres/wres-broker:test368    "docker-entrypoint.s…"   2 hours ago   Up 2 hours (healthy)             deployment_broker_1

It seems like this is an issue with the worker and tasker talking to the broker and not an isolated issue with the broker starting up or something like that. I think that means that changes made to the tasker/worker should also be scrutinized as well.

Once again, unsure why using an older broker version only would change this

@epag
Collaborator

epag commented Dec 9, 2024

Okay, I was able to reproduce what Hank was able to. Deploying the old version of the broker has everything working fine and using the new version leads to the above-posted error.

Something that is a potential thread to pull on, but if this is the case then this is really bad practice, but a thought.

With the above being true, then that means that SOMETHING must have changed in the broker image from last deploy to current deploy. Out of interest, I decided to do some digging and I saw that the image we use was "Last pushed" 3 days ago:

image

Out of interest, I decided to look into why this may have been and it looks like there is some automated version bumping happening on official docker images:

image

What was bumped was something related to ERLANG in rabbitmq
image

Which is where the error message for SSL we are getting originates from.

https://www.erlang.org/doc/apps/ssl/ssl.html

Now this is my theory. This automated dependency check saw that it was a patch (I think, never seen a 4 decimal version haha) change and therefore just raw pushed the changes, and same with whoever updated the docker registry.

@epag
Collaborator

epag commented Dec 9, 2024

If I am correct, then it seems like there was a small change to the underlying erlang logic of the rabbitmq version we use. The bump got pushed all the way up to the official docker registry without triggering any flags for a version change when in reality that contains changes that interact poorly with how we have things set up.

That at least is my best (and really only) thought on what is causing things.

If this is true, then re-creating the broker image with the old code we have will be breaking.

@james-d-brown
Collaborator Author

Sounds right, this is exactly what I speculated above:

#368 (comment)

If you read the message, it just sounds like an additional check related to the key usage extensions, which suggests our cert is missing something related to this.

That said, this sounds like very dodgy practice indeed, updating existing images in place, if I understood correctly. Anyway, we'll need to decipher the message in full and then update our cert.

@HankHerr-NOAA
Contributor

The OTP version went from 26.2.5.5 to 26.2.5.6. Information on that patch is here, including release notes which can be downloaded:

https://www.erlang.org/patches/otp-26.2.5.6

I'm scanning the release notes now,

Hank

@HankHerr-NOAA
Contributor

Probably one of these two, likely the latter:

  OTP-19240    Application(s): public_key
               Related Id(s): PR-8840, OTP-19532

               If both ext-key-usage and key-usage are defined for a
               certificate it should be checked that these usages are
               consistent with each other. This will have the affect
               that such certificates where the ext-key-usages is
               marked as critical and the usages is consistent with
               the key-use it can be considered valid without
               mandatory application specific checks for the
               ext-key-useage extension.

...

  OTP-19352    Application(s): ssl
               Related Id(s): PR-9130, CVE-2024-53846, OTP-19240

               If present, extended key-usage TLS (SSL) role check
               (pk-clientAuth, pk-serverAuth) should always be
               performed for peer-cert. An intermediate CA cert may
               relax the requirement if AnyExtendedKeyUsage purpose is
               present.

               In OTP-25.3.2.8, OTP-26.2 and OTP-27.0 these
               requirements became too relaxed. There where two
               problems, firstly the peer cert extension was only
               checked if it was marked critical, and secondly the CA
               cert check did not assert the relaxed
               AnyExtendedKeyUsage purpose.

               This could result in that certificates might be misused
               for purposes not intended by the certificate authority.

Hank

@james-d-brown
Collaborator Author

What has probably happened here is that you have created a server cert without any constraints on extended key usage. As far as I recall, the instructions were to constrain these uses. For example, for the eventsbroker, I use this:

    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = localhost
    DNS.2 = eventsbroker

Note the keyUsage, which constrains the key.

@HankHerr-NOAA
Contributor

I posted this comment earlier to the wrong ticket, https://github.com/NOAA-OWP/wres-gui/issues/25. I'm going to repost it here...

Oh, and I was able to deploy a version of the broker with SSL logging jacked up, but it didn't help a whole lot with understanding why the certificate is unsupported. Restating the complete message here:

    2024-12-10 12:20:55.591511+00:00 [notice] <0.900.0> TLS server: In state certify at ssl_handshake.erl:2153 generated SERVER ALERT: Fatal - Unsupported Certificate
    2024-12-10 12:20:55.591511+00:00 [notice] <0.900.0> - {invalid_ext_keyusage,["id-kp-serverAuth"]}

Now for the new content... These are the key usages for the tasker client cert:

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication

So that "TLS Web Server Authentication" key usage would appear to be invalid. What makes it invalid? Looking,

Hank

@HankHerr-NOAA
Contributor

Here are the key usages that are supposed to be used when the cert is created:

    [ req_ext ]
    basicConstraints = critical, CA:false
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = critical, clientAuth
    subjectKeyIdentifier = hash

Where is "TLS Web Server Authentication" coming from based on that list? Note that this comes from the Updating Certificates wiki in VLab. Is this certificate consistent with how other certificates have been defined? Let me check that real quick,

Hank

@epag
Collaborator

epag commented Dec 10, 2024

When the CA signs a cert they can change anything they want about it, so this may be an IT issue and not us.

@HankHerr-NOAA
Contributor

Yes, that is consistent with how the certs are defined in staging.

However, it's not consistent with how we used to define the certs many moons ago. I found some certs in -dev from a long time ago (2021?). For the tasker client cert, I see this:

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication

The extended key usage is client authentication.

So the question is, where is the server authentication extended key usage coming from given we ask for client authentication in the CSR?

Hank

@james-d-brown
Collaborator Author

Server authentication doesn't sound like a valid use for a client cert. What happened here is that either the CA overrode, incorrectly, or the wrong source file was used for extended key usage, which should be client auth for a client cert.
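
A simplified model of the extended key usage role check discussed above, run over the two `openssl` extension dumps quoted in the thread (an added example, not Erlang/OTP code and not from the thread participants). It covers the leaf certificate only; the `only_if_critical` flag is a hypothetical switch that imitates the relaxed behaviour described in the OTP-19352 release note, and the function names are this example's own.

```python
import re

# Purpose names as printed by `openssl x509 -text` for each TLS role.
ROLE_PURPOSE = {
    "client": "TLS Web Client Authentication",
    "server": "TLS Web Server Authentication",
}
EXT_HEADER = re.compile(r"^\s*X509v3 (?P<name>[^:]+):\s*(?P<crit>critical)?\s*$")

# Extension dumps copied from the comments above.
CURRENT_TASKER_CERT = """
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""
TASKER_CERT_FROM_2021 = """
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
"""


def parse_extensions(dump):
    """Return {extension name: {"critical": bool, "values": [str, ...]}}."""
    extensions, current, current_indent = {}, None, 0
    for line in dump.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        header = EXT_HEADER.match(line)
        if header:
            if header.group("name") == "extensions":  # the section title
                current = None
                continue
            current, current_indent = header.group("name"), indent
            extensions[current] = {"critical": bool(header.group("crit")), "values": []}
        elif current is not None and indent > current_indent:
            # Value lines are indented below their extension header.
            extensions[current]["values"] += [
                value.strip() for value in line.split(",") if value.strip()
            ]
        else:
            current = None  # something other than an X509v3 extension
    return extensions


def check_role(dump, role, only_if_critical=False):
    """Return (accepted, reason) for presenting this certificate in a TLS role.

    role is "client" or "server". With only_if_critical=True the extension is
    ignored unless marked critical (the relaxed behaviour in the release note).
    """
    purpose = ROLE_PURPOSE[role]
    eku = parse_extensions(dump).get("Extended Key Usage")
    if eku is None:
        return True, "no extended key usage extension, role not restricted"
    if only_if_critical and not eku["critical"]:
        return True, "extended key usage not critical, check skipped"
    if purpose in eku["values"]:
        return True, f"extended key usage permits {purpose}"
    return False, f"extended key usage {eku['values']} lacks {purpose}"


if __name__ == "__main__":
    cases = [
        ("current cert, strict check", CURRENT_TASKER_CERT, False),
        ("current cert, relaxed check", CURRENT_TASKER_CERT, True),
        ("2021 cert, strict check", TASKER_CERT_FROM_2021, False),
    ]
    for label, dump, relaxed in cases:
        accepted, reason = check_role(dump, "client", only_if_critical=relaxed)
        print(f"{label}: {'accepted' if accepted else 'REJECTED'} ({reason})")
```

The current certificate passes only in the relaxed mode because its extended key usage is not marked critical, which is consistent with the same certificate working against the older broker image and failing against the rebuilt one.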

@HankHerr-NOAA
Contributor

> When the CA signs a cert they can change anything they want about it, so this may be an IT issue and not us

Oh.

When we sign the cert using the web interface, we select "Web Server". What are the other options?

Hank

@james-d-brown
Collaborator Author

> When we sign the cert using the web interface, we select "Web Server". What are the other options?

Or that. Client and server certs are obvs not the same thing, and I think you are saying that the web interface for generating the CSR only supports server certs...

@HankHerr-NOAA
Contributor

cert_signing_options

Evan: Did ITSG explicitly tell us to select "Web Server"?

Regardless, we could try those other options to see if one of them yields the "client auth" extended key usage that I believe we need.

Hank

@epag
Collaborator

epag commented Dec 10, 2024

Yes, they specifically told me to select web server. They also added web client and server for us for our 2 way auth certs

@HankHerr-NOAA
Contributor

Sounds like we may need to ask for a client, only, option. Regardless, 6.28 cannot be deployed until we have a fix in place for this, because our certs are invalid (if that's the right word) and RabbitMQ is now calling us out on it.

I'll create a Jira ticket,

Hank

@HankHerr-NOAA
Contributor

ITSG-4052 has been reported.

Evan: Please feel free to add or correct any of the details I provided in the ticket. Also, thank you for spotting the update to the image, which was done in place and which added the checks that exposed our invalid certificates.

All:

My minor dependency updates are still sitting in the branch. I don't think I can merge the changes, because I cannot fully check that they work in -dev. They appear to work when using the 6.27 broker image, but nothing is running when I use a freshly built broker image.

I'm hoping one of you tells me to not worry about it and just merge, because I hate having that branch sitting off to the side for potentially multiple days (I'm out tomorrow because of window replacements).

Hank

@james-d-brown
Collaborator Author

james-d-brown commented Dec 10, 2024

We don't normally deploy to check dependency updates, FWIW. I mean, any problem is ultimately exposed during an official deployment cycle, and that has always been the case. There is no special requirement to deploy in order to verify a software change, although it can certainly make sense sometimes. This is definitely a case of personal prerogative. Feel free to merge, if you want. For major updates to cluster dependencies, it probably does make sense to deploy to -dev before merging in, preempting the deployment to -ti for an official deploy UAT.

@HankHerr-NOAA
Contributor

Sounds good to me. :)

Before I merge the branch, I need to back out changes to compose-entry.yml and compose-workers.yml that I accidentally pushed to the branch. If there is an easy way to do this via GitHub, I'm all ears. Otherwise, I'll manually do it from the command line (whatever that requires; it's been a while).

I need to step away for a few minutes, but will handle that when I return. Thanks,

Hank

@HankHerr-NOAA
Contributor

I backed out changes to dockerize.sh, as well, which I made to allow for deploying using locally built .zip files. The changes were only made for testing purposes.

Pull request has been made and I'm waiting for the build checks to complete before merging,

Hank

@HankHerr-NOAA
Contributor

Pull request handled and the changes were merged:

#371

Hank

@HankHerr-NOAA
Contributor

Next up is deploying 6.28... Which unfortunately needs to wait until we can get the certs fixed.

Hank

@HankHerr-NOAA
Contributor

An update... ITSG pointed to the web client and server option as one to use. I used it, and, yes, I was able to deploy to -dev and post a smoke test. However, I'm not comfortable with our client authentication only certs having an extended key usage indicating that they can be used for server authentication, as well. So I asked that they still provide a client authentication only option.

We are going to have to redo the tasker and worker client certs in all environments. I'd rather only do that once. Hence, I'm going to wait to see if they will provide the client-only option before deploying 6.28, which now looks like it will happen Thursday or Friday.

Hank
