During a recent dependency upgrade (#2269), the WhiteSource security check failed because it identified outdated dependencies in the zip output of ./gradlew assemble for the security plugin. The problem with the check is that it relies on an outdated 1.4.0-SNAPSHOT dependency of core, which was bringing in the outdated dependency; the dependency has since been upgraded in the corresponding branch of core.
When running everything locally and publishing core's SNAPSHOT build to Maven (m2) local, the dependencies are upgraded and would not get flagged.
Stale snapshots have been an issue with previous builds and require a successful distribution build to get new snapshots published to the remote Maven repository (Maven Central or something else?).
At build time we could add a step in the GitHub workflow to check out the same branch of core and perform ./gradlew publishToMavenLocal to avoid the issue with stale SNAPSHOTs.
PR on 1.3 with up-to-date artifacts for core that passes WhiteSource security check:
PR on 1.x with up-to-date stale artifacts for core that fails WhiteSource security check:
WhiteSource report flagging outdated netty:
When run locally this is what is contained in the security plugin zip. The resolved version of netty is 4.1.84.Final:
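The workflow step proposed above, as an added example that is neither the issue author's code nor the security plugin's own CI: a shell helper that publishes the same branch of core to Maven local and then checks the assembled plugin zip for the netty version that WhiteSource flagged. The core repository URL, the branch name, the zip layout and the minimum version are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the plugin's CI). A helper a workflow
# `run:` step could call:
#   1. publish the same branch of core to the local Maven repository (~/.m2),
#      so the plugin build resolves a fresh SNAPSHOT instead of a stale remote one;
#   2. check the assembled plugin zip for the version of the jar WhiteSource flagged.
# Repository URL, branch, zip layout and minimum version are assumptions.
set -eu

CORE_REPO="${CORE_REPO:-https://github.com/opensearch-project/OpenSearch.git}"  # assumed
CORE_BRANCH="${CORE_BRANCH:-1.x}"        # in a workflow: the plugin PR's base branch
MIN_NETTY="${MIN_NETTY:-4.1.84.Final}"   # version the issue reports resolving locally

# Step 1: clone core at the same branch and publish its SNAPSHOT to Maven local.
publish_core_snapshot_locally() {
  git clone --depth 1 --branch "$CORE_BRANCH" "$CORE_REPO" core-src
  (cd core-src && ./gradlew publishToMavenLocal)
}

# Step 2a: from an `unzip -l plugin.zip` listing on stdin, print the version of
# the named artifact's jar (e.g. "4.1.84.Final"); prints nothing if absent.
jar_version_in_listing() {
  sed -n "s|.*[ /]$1-\([0-9][0-9A-Za-z.]*\)\.jar$|\1|p" | head -n 1
}

# Step 2b: true when $1 >= $2 as dotted versions ("4.1.84.Final" vs "4.1.77.Final").
version_ge() {
  [ -n "$1" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Constructed stand-in for `unzip -l build/distributions/opensearch-security-*.zip`.
SAMPLE_LISTING='   123456  2022-11-23 10:00   opensearch-security/netty-common-4.1.84.Final.jar
   654321  2022-11-23 10:00   opensearch-security/netty-handler-4.1.84.Final.jar'

# Non-zero exit when the bundled netty-handler is older than MIN_NETTY, i.e. the
# condition that made the WhiteSource check fail on the stale SNAPSHOT.
check_listing() {
  v=$(printf '%s\n' "$SAMPLE_LISTING" | jar_version_in_listing netty-handler)
  version_ge "$v" "$MIN_NETTY"
}

# Real run (needs network and Gradle): publish_core_snapshot_locally, then
#   unzip -l build/distributions/*.zip | jar_version_in_listing netty-handler
```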
cwperks added the labels bug (Something isn't working) and untriaged (Require the attention of the repository maintainers and may need to be prioritized) on Nov 23, 2022
Excellent. This was a really good idea you had and helps make the suggestions you and @DarshitChanpura had actionable. What do we want to do moving forward for making sure we do not run into stuff like this?
Should we reach out to the build repository or do we want to write an action that can be called to create updated artifacts?
RyanL1997 added the label triaged (Issues labeled as 'Triaged' have been reviewed and are deemed actionable.) and removed the label untriaged (Require the attention of the repository maintainers and may need to be prioritized) on Nov 28, 2022