Merge pull request #56 from spdx/releasepom

Update POM file for release

Author: goneall

RELEASE-CHECKLIST.md

@@ -0,0 +1,11 @@
+# Release Checklist for the SPDX RDF Store
+
+- [ ] Check for any warnings from the compiler and findbugs
+- [ ] Run unit tests for all packages that depend on the library
+- [ ] Run dependency check to find any potential vulnerabilities `mvn dependency-check:check`
+- [ ] Test the release `mvn release:prepare -DdryRun`
+- [ ] Run `mvn release:prepare` - you will be prompted for the release - typically take the defaults
+- [ ] Run `mvn release:perform`
+- [ ] Release artifacts to Maven Central
+- [ ] Create a Git release including release notes
+- [ ] Zip up the files from the Maven archive and add them to the release

dependency-check-supress.xml

@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+<suppress>
+   <notes><![CDATA[
+   file name: jackson-core-2.15.3.jar
+   Since the JSON input files are generated, this vulnerability can not occur
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
+   <cve>CVE-2023-5072</cve>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: jackson-core-2.15.3.jar
+   Since the JSON input files are generated, this vulnerability can not occur
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
+   <cve>CVE-2023-5072</cve>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: jackson-databind-2.15.3.jar
+   he vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+   <cve>CVE-2023-35116</cve>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: jakarta.json-2.0.1.jar
+   Since the JSON input files are generated, this vulnerability can not occur
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/org\.glassfish/jakarta\.json@.*$</packageUrl>
+   <cve>CVE-2022-45688</cve>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: jakarta.json-2.0.1.jar
+    Since the JSON input files are generated, this vulnerability can not occur
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/org\.glassfish/jakarta\.json@.*$</packageUrl>
+   <cve>CVE-2023-5072</cve>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: jsonld-java-0.13.4.jar
+   Since the JSON input files are generated, this vulnerability can not occur
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/com\.github\.jsonld\-java/jsonld\-java@.*$</packageUrl>
+   <cve>CVE-2022-45688</cve>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: jackson-core-2.15.3.jar
+   Since the JSON input files are generated, this vulnerability can not occur
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
+   <cve>CVE-2022-45688</cve>
+</suppress>
+<suppress>
+   <notes><![CDATA[
+   file name: jsonld-java-0.13.4.jar
+   Since the JSON input files are generated, this vulnerability can not occur
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/com\.github\.jsonld\-java/jsonld\-java@.*$</packageUrl>
+   <cve>CVE-2023-5072</cve>
+</suppress>
+</suppressions>

pom.xml

@@ -49,7 +49,7 @@
 
 	<profiles>
 		<profile>
-			<id>gpg-signing</id>
+			<id>release</id>
 			<build>
 				<plugins>
 					<plugin>
@@ -70,6 +70,42 @@
 		        			</execution>
 		      			</executions>
 	    			</plugin>
+	                <plugin>
+						<groupId>org.apache.maven.plugins</groupId>
+						<artifactId>maven-javadoc-plugin</artifactId>
+						<version>2.9</version>
+						<configuration>
+							<quiet>true</quiet>
+							<source>8</source>
+							<javadocExecutable>${env.JAVA_HOME}/bin/javadoc</javadocExecutable>
+							<additionalparam>-Xdoclint:none</additionalparam>
+						</configuration>
+						<executions>
+							<execution>
+								<id>attach-javadocs</id>
+								<configuration>
+									<additionalparam>${javadoc.opts}</additionalparam>
+								</configuration>
+								<goals>
+									<goal>jar</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
+				   	<plugin>
+				      <groupId>org.apache.maven.plugins</groupId>
+				      <artifactId>maven-source-plugin</artifactId>
+				      <version>3.2.1</version>
+				      <executions>
+				        <execution>
+				          <id>attach-sources</id>
+				          <phase>verify</phase>
+				          <goals>
+				            <goal>jar-no-fork</goal>
+				          </goals>
+				        </execution>
+				      </executions>
+				    </plugin>	    			
 				</plugins>
 			</build>
 		</profile>
@@ -89,17 +125,17 @@
     <dependency>
     	<groupId>org.apache.jena</groupId>
     	<artifactId>jena-core</artifactId>
-    	<version>4.8.0</version>
+    	<version>4.10.0</version>
     </dependency>
     <dependency>
     	<groupId>org.apache.jena</groupId>
     	<artifactId>jena-arq</artifactId>
-    	<version>4.8.0</version>
+    	<version>4.10.0</version>
     </dependency>
     <dependency>
     	<groupId>org.apache.jena</groupId>
     	<artifactId>jena-base</artifactId>
-    	<version>4.8.0</version>
+    	<version>4.10.0</version>
     </dependency>
   </dependencies>
     <build>
@@ -143,15 +179,28 @@
 			</testResource>
 		</testResources>
 		<plugins>
+		   <plugin>
+		      <groupId>org.apache.maven.plugins</groupId>
+		      <artifactId>maven-release-plugin</artifactId>
+		      <version>3.0.1</version>
+		      <configuration>
+		        <tagNameFormat>v@{project.version}</tagNameFormat>
+		        <releaseProfiles>release</releaseProfiles>
+		        <goals>deploy</goals>
+		      </configuration>
+		    </plugin>
 			<plugin>
    				<groupId>org.owasp</groupId>
    				<artifactId>dependency-check-maven</artifactId>
    				<version>${dependency-check-maven.version}</version>
+   				<configuration>
+   					<suppressionFiles>dependency-check-supress.xml</suppressionFiles>
+   				</configuration>
 			</plugin>
 		    <plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-compiler-plugin</artifactId>
-				<version>3.6.1</version>
+				<version>3.11.0</version>
 				<configuration>
 					<release>11</release>
 					<encoding>${project.build.sourceEncoding}</encoding>
@@ -160,42 +209,6 @@
 					<optimize>true</optimize>
 				</configuration>
 			</plugin>
-			<plugin>
-				<groupId>org.apache.maven.plugins</groupId>
-				<artifactId>maven-javadoc-plugin</artifactId>
-				<version>2.9</version>
-				<configuration>
-					<quiet>true</quiet>
-					<source>8</source>
-					<javadocExecutable>${env.JAVA_HOME}/bin/javadoc</javadocExecutable>
-					<additionalparam>-Xdoclint:none</additionalparam>
-				</configuration>
-				<executions>
-					<execution>
-						<id>attach-javadocs</id>
-						<configuration>
-							<additionalparam>${javadoc.opts}</additionalparam>
-						</configuration>
-						<goals>
-							<goal>jar</goal>
-						</goals>
-					</execution>
-				</executions>
-			</plugin>
-		   	<plugin>
-		      <groupId>org.apache.maven.plugins</groupId>
-		      <artifactId>maven-source-plugin</artifactId>
-		      <version>3.2.1</version>
-		      <executions>
-		        <execution>
-		          <id>attach-sources</id>
-		          <phase>verify</phase>
-		          <goals>
-		            <goal>jar-no-fork</goal>
-		          </goals>
-		        </execution>
-		      </executions>
-		    </plugin>
 			<plugin>
 				<groupId>org.spdx</groupId>
 					<artifactId>spdx-maven-plugin</artifactId>
@@ -253,6 +266,7 @@
     	<url>https://github.com/spdx/spdx-java-rdf-store</url>
     	<connection>scm:git:git://github.com/spdx/spdx-java-rdf-store</connection>
     	<developerConnection>scm:git:[email protected]:/spdx/spdx-java-rdf-store</developerConnection>
+    	<tag>master</tag>
     </scm>
     <issueManagement>
     	<system>Github</system>