Vulnerability scanning

[jdaugherty]

Adds a vulnerability scanning workflow for grails-core

[jdaugherty]

@jamesfredley @matrei We'll have to manage exceptions here.

[jdaugherty]

Looks like the find main task is failing with these changes for some reason. It's likely due to the plexus update.

[jdaugherty]

Root cause: Adding the Sonatype scan plugin to build-logic/plugins/build.gradle changed the build-logic's content hash, which invalidated the Gradle build cache for all subproject tasks. When findMainClass runs fresh (not from
cache), MainClassFinder tries to read compiled Java 17 class files (major version 61) using groovyjarjarasm.asm.ClassReader — the ASM bundled with Groovy 3.x — which doesn't support class file version 61. This is a pre-existing bug
that was hidden by the build cache.

The fix is to switch MainClassFinder from groovyjarjarasm.asm (Groovy's bundled, potentially old ASM) to org.objectweb.asm (the explicit ASM library, version-managed by Spring Framework BOM at 9.7+, which supports Java 17+).

[jdaugherty]

Converting this to draft, the dependency bumps have caused gradle issues

[jdaugherty]

Alright, the problem is that the ASM classes are shaded inside scan-gradle-plugin-3.1.5.jar itself. They're not a separate transitive dependency. Gradle exclusions only work on transitive dependencies, not on classes bundled inside a fat/shaded jar. So we can't exclude them with a standard exclude rule.

The find main class is picking the shaded version, which is frustrating.

[jdaugherty]

I've opened sonatype-nexus-community/scan-gradle-plugin#206

[jdaugherty]

sonatype-nexus-community/scan-gradle-plugin#207 is the fix for this. We can't adopt due to the classpath conflict. I'm hopeful Sonatype will accept the change.

[testlens-app]

🚨 TestLens detected 1 failed test 🚨

Here is what you can do:

1. Inspect the test failures carefully.
2. If you are convinced that some of the tests are flaky, you can mute them below.
3. Finally, trigger a rerun by checking the rerun checkbox.

Test Summary

CI / Functional Tests (17) > :grails-test-examples-scaffolding:integrationTest

Test	Runs
UserControllerSpec > User list	❌

🏷️ Commit: f5a9fba
▶️ Tests: 40523 executed
⚪️ Checks: 33/33 completed

Test Failures

UserControllerSpec > User list (:grails-test-examples-scaffolding:integrationTest in CI / Functional Tests (17))

geb.waiting.WaitTimeoutException: condition did not pass in 10 seconds (failed with exception)
	at geb.waiting.Wait.waitFor(Wait.groovy:128)
	at geb.waiting.PotentiallyWaitingExecutor.execute(PotentiallyWaitingExecutor.groovy:31)
	at geb.Page.verifyThisPageAtOnly(Page.groovy:424)
	at geb.Page.getAtVerificationResult(Page.groovy:217)
	at geb.Page.verifyAt(Page.groovy:188)
	at geb.Browser.doAt(Browser.groovy:1208)
	at geb.Browser.at(Browser.groovy:410)
	at geb.Browser.to(Browser.groovy:566)
	at geb.Browser.to(Browser.groovy:543)
	at geb.Browser.to(Browser.groovy:532)
	at grails.plugin.geb.support.delegate.BrowserDelegate$Trait$Helper.to(BrowserDelegate.groovy:160)
	at com.example.UserControllerSpec.User list(UserControllerSpec.groovy:46)
Caused by: Assertion failed: 

title == pageTitle
|     |  |
|     |  'User List'
|     false
'Please sign in'

	at com.example.pages.UserListPage._clinit__closure1(UserListPage.groovy:28)
	at com.example.pages.UserListPage._clinit__closure1(UserListPage.groovy)
	at geb.waiting.Wait.waitFor(Wait.groovy:117)
	... 11 more

Muted Tests

Select tests to mute in this pull request:

• UserControllerSpec > User list

Reuse successful test results:

• ♻️ Only rerun the tests that failed or were muted before

Click the checkbox to trigger a rerun:

• Rerun jobs

---

Learn more about TestLens at testlens.app.

[jdaugherty]

Sonatype fixed the classpath issue so this is ready for review.