Update jgit from 7.2.0 to 7.6.0

[mbien]

This updates jgit to latest (7.6) and its dependencies to the resolved version.

• https://projects.eclipse.org/projects/technology.jgit/releases/7.3.0
• https://projects.eclipse.org/projects/technology.jgit/releases/7.4.0
• https://projects.eclipse.org/projects/technology.jgit/releases/7.5.0
• https://projects.eclipse.org/projects/technology.jgit/releases/7.6.0
• https://commons.apache.org/proper/commons-codec/changes.html#a1.21.0
• https://www.cve.org/CVERecord?id=CVE-2025-4949 via Update jgit from 7.2.0 to 7.2.1 #9114

current jgit releases are not on maven central yet but the jgit team is working on it (eclipse-jgit/jgit#210). This adds the eclipse repo temporarily. done

classpath diffs

$ mvn eu.maveniverse.maven.plugins:toolbox:gav-classpath-diff -Dunified\
 -Dgav1=org.eclipse.jgit:org.eclipse.jgit:7.2.0.202503040940-r -Dgav2=org.eclipse.jgit:org.eclipse.jgit:7.4.0.202509020913-r 

*** org.eclipse.jgit:org.eclipse.jgit:jar 7.2.0.202503040940-r -> 7.4.0.202509020913-r
    com.googlecode.javaewah:JavaEWAH:jar:1.2.3
    org.slf4j:slf4j-api:jar:1.7.36
*** commons-codec:commons-codec:jar 1.18.0 -> 1.19.0

$ mvn eu.maveniverse.maven.plugins:toolbox:gav-classpath-diff -Dunified\
 -Dgav1=org.eclipse.jgit:org.eclipse.jgit.gpg.bc:7.2.0.202503040940-r -Dgav2=org.eclipse.jgit:org.eclipse.jgit.gpg.bc:7.4.0.202509020913-r

*** org.eclipse.jgit:org.eclipse.jgit.gpg.bc:jar 7.2.0.202503040940-r -> 7.4.0.202509020913-r
*** org.eclipse.jgit:org.eclipse.jgit:jar 7.2.0.202503040940-r -> 7.4.0.202509020913-r
    com.googlecode.javaewah:JavaEWAH:jar:1.2.3
*** commons-codec:commons-codec:jar 1.18.0 -> 1.19.0
*** org.bouncycastle:bcpg-jdk18on:jar 1.80 -> 1.81
*** org.bouncycastle:bcprov-jdk18on:jar 1.80 -> 1.81
*** org.bouncycastle:bcutil-jdk18on:jar 1.80 -> 1.81
*** org.bouncycastle:bcpkix-jdk18on:jar 1.80 -> 1.81
    org.slf4j:slf4j-api:jar:1.7.36

$ mvn eu.maveniverse.maven.plugins:toolbox:gav-classpath-diff -Dunified\
 -Dgav1=org.eclipse.jgit:org.eclipse.jgit.ssh.jsch:7.2.0.202503040940-r -Dgav2=org.eclipse.jgit:org.eclipse.jgit.ssh.jsch:7.4.0.202509020913-r

*** org.eclipse.jgit:org.eclipse.jgit.ssh.jsch:jar 7.2.0.202503040940-r -> 7.4.0.202509020913-r
*** org.eclipse.jgit:org.eclipse.jgit:jar 7.2.0.202503040940-r -> 7.4.0.202509020913-r
    com.googlecode.javaewah:JavaEWAH:jar:1.2.3
*** commons-codec:commons-codec:jar 1.18.0 -> 1.19.0
    com.jcraft:jsch:jar:0.1.55
    com.jcraft:jzlib:jar:1.1.3
    org.slf4j:slf4j-api:jar:1.7.36

$ mvn eu.maveniverse.maven.plugins:toolbox:gav-classpath-diff -Dunified\
 -Dgav1=org.eclipse.jgit:org.eclipse.jgit.lfs:7.2.0.202503040940-r -Dgav2=org.eclipse.jgit:org.eclipse.jgit.lfs:7.4.0.202509020913-r

*** org.eclipse.jgit:org.eclipse.jgit.lfs:jar 7.2.0.202503040940-r -> 7.4.0.202509020913-r
*** org.eclipse.jgit:org.eclipse.jgit:jar 7.2.0.202503040940-r -> 7.4.0.202509020913-r
    com.googlecode.javaewah:JavaEWAH:jar:1.2.3
    org.slf4j:slf4j-api:jar:1.7.36
*** commons-codec:commons-codec:jar 1.18.0 -> 1.19.0
*** com.google.code.gson:gson:jar 2.12.1 -> 2.13.1
*** com.google.errorprone:error_prone_annotations:jar 2.36.0 -> 2.38.0

thanks to @cstamas for the awesome classpath diff tool. This made this much easier than in past.

last update for reference #8383

[mbien]

oh right I forgot about that (#7569). bouncycaste can't be updated still

    [junit] WARNING [org.netbeans.core.netigso.Netigso]: Cannot fake bcprov
    [junit] org.osgi.framework.BundleException: Invalid manifest header Import-Package: "java.io;resolution:="optional"" : Cannot specify java.* packages in Import/Export headers "java.io"
    [junit] 	at org.eclipse.osgi.internal.resolver.StateBuilder.checkImportExportSyntax(StateBuilder.java:824)
    [junit] 	at org.eclipse.osgi.internal.resolver.StateBuilder.validateHeaders(StateBuilder.java:212)

edit: reverted it here and parked the bouncycastle commit in a branch https://github.com/mbien/netbeans/commits/bc182/
edit2: opened issue #8894

[mbien]

jgit update is likely not possible with the bouncycastle dependency locked to 1.77.

I ran jgit tests locally with downgraded dependency:

diff --git a/pom.xml b/pom.xml
index 14cfa2405..f1a8b742c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -137,7 +137,7 @@
     <slf4j-version>1.7.36</slf4j-version>
     <maven-javadoc-plugin-version>3.11.2</maven-javadoc-plugin-version>
     <gson-version>2.13.1</gson-version>
-    <bouncycastle-version>1.81</bouncycastle-version>
+    <bouncycastle-version>1.77</bouncycastle-version>
     <spotbugs-maven-plugin-version>4.9.3.0</spotbugs-maven-plugin-version>
     <maven-project-info-reports-plugin-version>3.9.0</maven-project-info-reports-plugin-version>
     <maven-jxr-plugin-version>3.6.0</maven-jxr-plugin-version>

git checkout v7.4.0.202509020913-r
mvn clean verify

failed with

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.14.0:compile (default-compile) on project org.eclipse.jgit.gpg.bc: Compilation failure: Compilation failure:
[ERROR] /home/mbien/NetBeansProjects/jgit/org.eclipse.jgit.gpg.bc/src/org/eclipse/jgit/gpg/bc/internal/BouncyCastleGpgSigner.java:[105,47] The constructor org.bouncycastle.openpgp.PGPSignatureGenerator(org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder, org.bouncycastle.openpgp.PGPPublicKey) is undefined
[ERROR] /home/mbien/NetBeansProjects/jgit/org.eclipse.jgit.gpg.bc/src/org/eclipse/jgit/gpg/bc/internal/keys/SecretKeys.java:[149,22] ProtectionFormatTypeTags cannot be resolved or is not a field
[ERROR] /home/mbien/NetBeansProjects/jgit/org.eclipse.jgit.gpg.bc/src/org/eclipse/jgit/gpg/bc/internal/keys/SecretKeys.java:[150,6] The method getProtectionType(java.lang.String) is undefined for the type org.bouncycastle.gpg.SExprParser

converting to draft, dropping milestone

[mbien]

• dropped gson commit since it got already updated
• rabased
• temporarily added Enable loading of bundles importing java.-packages and update Bouncy Castle to fix jgit signing #9329 for a test build

edit: smoke test worked, modules loaded + tested basic git workflow

[matthiasblaesing]

Just built this together with #9329 merged and signing seems to work and both lfs and gpg.bc are reported as being resolved.

[mbien]

dependency tree is now:

+- org.eclipse.jgit:org.eclipse.jgit.gpg.bc:jar:7.6.0.202603022253-r [compile] (origin: central)
|  +- org.bouncycastle:bcpg-jdk18on:jar:1.83 [compile] (origin: central,jgit-repository)
|  +- org.bouncycastle:bcprov-jdk18on:jar:1.83 [compile] (origin: central,jgit-repository)
|  +- org.bouncycastle:bcutil-jdk18on:jar:1.83 [compile] (origin: central,jgit-repository)
|  +- org.bouncycastle:bcpkix-jdk18on:jar:1.83 [compile] (origin: central,jgit-repository)
|  \- org.slf4j:slf4j-api:jar:2.0.17 [compile] (origin: central,jgit-repository)
+- org.eclipse.jgit:org.eclipse.jgit.lfs:jar:7.6.0.202603022253-r [compile] (origin: central)
|  \- com.google.code.gson:gson:jar:2.13.2 [compile] (origin: central,jgit-repository)
|     \- com.google.errorprone:error_prone_annotations:jar:2.41.0 [compile] (origin: central,jgit-repository)
+- org.eclipse.jgit:org.eclipse.jgit.ssh.jsch:jar:7.6.0.202603022253-r [compile] (origin: central)
|  +- com.jcraft:jsch:jar:0.1.55 [compile] (origin: central,jgit-repository)
|  \- com.jcraft:jzlib:jar:1.1.3 [compile] (origin: central,jgit-repository)
\- org.eclipse.jgit:org.eclipse.jgit:jar:7.6.0.202603022253-r [compile] (origin: central)
   +- com.googlecode.javaewah:JavaEWAH:jar:1.2.3 [compile] (origin: central,jgit-repository)
   \- commons-codec:commons-codec:jar:1.21.0 [compile] (origin: central,jgit-repository)

will bump commons-codec to the stated version. But other than that we are good i believe.

slf4j-api we ship is at 1.7.36, but it seems to work fine with it. Bumping the major version there might be risky - lets keep it a while longer.

[mbien]

opening history for some repos, e.g the netbeans repo doesn't work

Details

SEVERE [org.openide.util.RequestProcessor]: Error in RequestProcessor org.netbeans.modules.git.ui.history.SearchExecutor
java.lang.IllegalArgumentException: 23 flags already created.
	at org.eclipse.jgit.revwalk.RevWalk.allocFlag(RevWalk.java:1418)
	at org.eclipse.jgit.revwalk.RevWalk.newFlag(RevWalk.java:1412)
	at org.netbeans.libs.git.jgit.commands.LogCommand.run(LogCommand.java:124)
	at org.netbeans.libs.git.jgit.commands.GitCommand.execute(GitCommand.java:49)
	at org.netbeans.libs.git.GitClient.log(GitClient.java:982)
	at org.netbeans.modules.git.client.GitClient$39.call(GitClient.java:614)
	at org.netbeans.modules.git.client.GitClient$39.call(GitClient.java:610)
	at org.netbeans.modules.git.client.GitClient$CommandInvoker$1$1.call(GitClient.java:945)
	at org.netbeans.modules.git.client.GitClient$CommandInvoker$1.call(GitClient.java:968)
	at org.netbeans.modules.git.client.GitClient$CommandInvoker.runMethodIntern(GitClient.java:980)
	at org.netbeans.modules.git.client.GitClient$CommandInvoker.runMethod(GitClient.java:909)
	at org.netbeans.modules.git.client.GitClient$CommandInvoker.runMethod(GitClient.java:887)
	at org.netbeans.modules.git.client.GitClient.log(GitClient.java:610)
	at org.netbeans.modules.git.ui.history.SearchExecutor.search(SearchExecutor.java:185)
	at org.netbeans.modules.git.ui.history.SearchExecutor.perform(SearchExecutor.java:166)
	at org.netbeans.modules.git.client.GitProgressSupport.performIntern(GitProgressSupport.java:92)
	at org.netbeans.modules.git.client.GitProgressSupport.run(GitProgressSupport.java:85)
	at org.openide.util.RequestProcessor$Task.run(RequestProcessor.java:1403)
	at org.netbeans.modules.openide.util.GlobalLookup.execute(GlobalLookup.java:45)
	at org.openide.util.lookup.Lookups.executeWith(Lookups.java:287)
	at org.openide.util.RequestProcessor$Processor.run(RequestProcessor.java:2012)
Caused: org.openide.util.RequestProcessor$SlowItem
	at org.openide.util.RequestProcessor.post(RequestProcessor.java:395)
	at org.netbeans.modules.git.client.GitProgressSupport.start(GitProgressSupport.java:78)
	at org.netbeans.modules.git.ui.history.SearchHistoryPanel.executeSearch(SearchHistoryPanel.java:375)
	at org.netbeans.modules.git.ui.history.SearchHistoryTopComponent.search(SearchHistoryTopComponent.java:55)
	at org.netbeans.modules.git.ui.history.SearchHistoryAction.lambda$openSearch$0(SearchHistoryAction.java:79)
	at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:323)
	at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:714)
	at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:693)
	at org.netbeans.core.TimableEventQueue.dispatchEvent(TimableEventQueue.java:136)
	at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
[catch] at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

dejavu #6594

eclipse-jgit/jgit@a5a1c87 seems to have reduced the available flags by one without updating the doc at https://github.com/eclipse-jgit/jgit/blame/9bcb91c0106bf96e1d9bdd04eb0ff4b8be612b13/org.eclipse.jgit/src/org/eclipse/jgit/revwalk/RevWalk.java#L1401?

edit: can confirm that reducing the flag limit by one in LogCommand does fix it again.
edi2: adjusted value + added tripwire test