Open-Vulnerability-Project

Project not compatible with Java (Open)JDK 21

Open volkert-fastned opened this issue 1 year ago • 4 comments

Reproduced this by git-cloning the project and running ./gradlew build in a Docker container based on base image eclipse-temurin:21.0.1_12-jdk.

The result was the following:

#9 0.187 Downloading https://services.gradle.org/distributions/gradle-8.0.2-all.zip
#9 1.172 ...............10%................20%................30%................40%................50%................60%................70%................80%................90%................100%
#9 17.70 
#9 17.70 Welcome to Gradle 8.0.2!
#9 17.70 
#9 17.70 Here are the highlights of this release:
#9 17.70  - Improvements to the Kotlin DSL
#9 17.70  - Fine-grained parallelism from the first build with configuration cache
#9 17.70  - Configurable Gradle user home cache cleanup
#9 17.70 
#9 17.70 For more details see https://docs.gradle.org/8.0.2/release-notes.html
#9 17.70 
#9 17.70 Starting a Gradle Daemon (subsequent builds will be faster)
#9 18.80 
#9 18.87 FAILURE: Build failed with an exception.
#9 18.87 
#9 18.87 * What went wrong:
#9 18.87 Could not open cp_settings generic class cache for settings file '/code/Open-Vulnerability-Project/settings.gradle' (/root/.gradle/caches/8.0.2/scripts/dtzqbsuayf35ind7d77nx1ikb).
#9 18.87 > BUG! exception in phase 'semantic analysis' in source unit '_BuildScript_' Unsupported class file major version 65
#9 18.87 
#9 18.87 * Try:
#9 18.87 > Run with --stacktrace option to get the stack trace.
#9 18.87 > Run with --info or --debug option to get more log output.
#9 18.87 > Run with --scan to get full insights.
#9 18.87 
#9 18.87 * Get more help at https://help.gradle.org
#9 18.87 
#9 18.87 BUILD FAILED in 18s

In a Docker container based on base image eclipse-temurin:17.0.9_9-jdk, ./gradle build builds fine.

volkert-fastned, Jan 03 '24 12:01

Which is why the project ships with a gradle wrapper.

jeremylong, Jan 03 '24 13:01

Again, you're mixing up these two issues. 😅

This one is about the Java 21 incompatibility, which a build on Java 17 is already warning about (although it still passes on that version, despite the warnings):

#10 45.55 > Task :open-vulnerability-clients:spotbugsMain
#10 45.55 WARNING: A terminally deprecated method in java.lang.System has been called
#10 45.55 WARNING: System::setSecurityManager has been called by edu.umd.cs.findbugs.ba.jsr305.TypeQualifierValue (file:/root/.gradle/caches/modules-2/files-2.1/com.github.spotbugs/spotbugs/4.5.3/dad48e1bcec3f7925850421cf5bf5f7f7ba62e1/spotbugs-4.5.3.jar)
#10 45.55 WARNING: Please consider reporting this to the maintainers of edu.umd.cs.findbugs.ba.jsr305.TypeQualifierValue
#10 45.55 WARNING: System::setSecurityManager will be removed in a future release

It looks like the culprit is the SpotBugs plugin in Gradle.

Please reopen this issue, since it's not resolved.

Also, having a Gradle Wrapper is very good, but issue #119 will still have to be resolved whenever you update the Gradle Wrapper version, right? At some point you'll have to do that anyway.

volkert-fastned, Jan 03 '24 14:01

When we upgrade the build to use 21 this will get fixed. There is not an issue with using the library under JRE 21 as spotbugs is not a runtime dependency.

jeremylong, Jan 03 '24 15:01

> When we upgrade the build to use 21 this will get fixed. There is not an issue with using the library under JRE 21 as spotbugs is not a runtime dependency.

I can confirm this. Sorry if I caused any confusion. Indeed, it's a problem with building on a JDK 21 toolchain, not when running the build on JRE 21. Thanks for clarifying.

volkert-fastned, Jan 04 '24 12:01