Improved: Update build.gradle to the latest dependencies (OFBIZ-13194)

Thanks to previous precious Danny Trunk's work at OFBIZ-13123, this time the
effort was not too hard.

There are 2 aspects:
1) In build.gradle:
  Uses <<version "latest.release">> for plugins following
  https://docs.gradle.org/7.0/release-notes.html#using-dynamic-versions-in-the-plugins-block

  Updates junitReport to 'org.apache.ant:ant-junit:1.10.15'
          checkstyle to toolVersion = '10.20.2'

  Adds a commented out "useLatestVersions" section. Commented out because
  I tried to use the recommended useLatestVersions and useLatestVersionsCheck
  ie gradlew -PenableDependencyUpdates useLatestVersions
         && gradlew -PenableDependencyUpdates useLatestVersionsCheck
  and got an issue:
  Execution failed for task ':useLatestVersionsCheck'
  Maybe because of:
  Failed to determine the latest version for the following dependencies
   - org.apereo.cas:cas-server-support-ldap-core
   - org.safehaus.jug:jug
  This said it was useful, could be more if we complete the "useLatestVersions"
  section

2) In Dependencies the "standard" updates with new comments when needed
   ie removing or commenting issues in code with the help of useLatestVersions
   feature

Author: JacquesLeRoux

build.gradle

@@ -23,20 +23,21 @@ import org.asciidoctor.gradle.jvm.AsciidoctorTask
  * Project setup
  * ======================================================== */
 plugins {
-    id 'application'
+    id 'application' // plugins that are versioned as part of Gradle are using simple quotes to differentiate them
     id 'groovy'
     id 'eclipse'
     id 'checkstyle'
     id 'codenarc'
     id 'maven-publish'
-    id 'org.asciidoctor.jvm.convert' version '4.0.2'
-    id 'org.asciidoctor.jvm.pdf' version '4.0.2'
-    id 'org.owasp.dependencycheck' version '10.0.2' apply false
-    id 'se.patrikerdes.use-latest-versions' version '0.2.18' apply false
-    id 'com.github.ben-manes.versions' version '0.51.0' apply false
-    id "com.github.ManifestClasspath" version "0.1.0-RELEASE"
-    id "com.github.jakemarsden.git-hooks" version "0.0.2"
-    id "com.github.node-gradle.node" version '7.0.2' apply false
+    id "org.asciidoctor.jvm.convert" version "latest.release"
+    id "org.asciidoctor.jvm.pdf" version "latest.release"
+    id "org.owasp.dependencycheck" version "latest.release" apply false
+    //id 'se.patrikerdes.use-latest-versions' version '0.2.18' apply false
+    id "se.patrikerdes.use-latest-versions"  version "latest.release" apply false
+    id "com.github.ben-manes.versions" version "latest.release" apply false
+    id "com.github.ManifestClasspath" version "latest.release"
+    id "com.github.jakemarsden.git-hooks" version "latest.release"
+    id "com.github.node-gradle.node" version "latest.release" apply false
 }
 
 /* OWASP plugin
@@ -71,6 +72,43 @@ if (project.hasProperty('enableDependencyUpdates')) {
     apply plugin: 'se.patrikerdes.use-latest-versions'
 }
 
+/* Configuration and default values. By default not available as it breacks Gradle build even when useLatestVersionsCheck (see above) is used.
+useLatestVersions {
+   // A whitelist of dependencies to update, in the format of group:name
+   // Equal to command line: --update-dependency=[values]
+   updateWhitelist = []
+   // A blacklist of dependencies to update, in the format of group:name
+   // Equal to command line: --ignore-dependency=[values]
+   updateBlacklist = []
+   // When enabled, root project gradle.properties will also be populated with
+   // versions from subprojects in multi-project build
+   // Equal to command line: --update-root-properties
+   updateRootProperties = false
+   // By default plugin tries to find all relevant gradle files (e.g. *.gradle, gradle.properties etc).
+   // This can be slow in some cases when project has a lot of gradle files. For example when using conventions
+   // in buildSrc. With this option you can specify what files should plugin search and check. Plugin will ignore
+   // files that don't exist. Empty list means use default strategy. File paths are relative to project dir.
+   //
+   // Example:
+   // versionFiles = ["gradle.build", "gradle.properties"]
+   // Will check just $projectDir/gradle.build and $projectDir/gradle.properties
+   //
+   // Note:
+   // You always have to specify file that has dependencies in some common dependency format with artifact coordinates,
+   // e.g. compileOnly "group:module:version" or compileOnly("group:module:version") or val dependency = "group:module:version" etc.
+   // For example if you set just versionFiles = ["gradle.properties"] this won't work, since plugin
+   // won't be able to correlate variable with artifact coordinates.
+   //
+   // Equal to command line: --version-files=[values]
+   versionFiles = []
+   // List of root project files to update when updateRootProperties is enabled.
+   // `build.gradle` is not an acceptable entry here as it breaks other expected
+   // functionality. Version variables in `build.gradle` need to be moved into
+   // a separate file which can be listed here.
+   // Equal to command line: --root-version-files=[values]
+   //rootVersionFiles = ['gradle.properties']
+}*/
+
 apply from: 'common.gradle'
 apply from: 'dependencies.gradle'
 
@@ -218,7 +256,7 @@ dependencies {
     }
 
     junitReport 'junit:junit:4.13.2'
-    junitReport 'org.apache.ant:ant-junit:1.10.14'
+    junitReport 'org.apache.ant:ant-junit:1.10.15'
 
     // Libraries downloaded manually
     implementation fileTree(dir: file("${rootDir}/lib"), include: '**/*.jar')
@@ -295,7 +333,7 @@ checkstyle {
     // Currently there are no errors so we can show new one when they appear
     showViolations = true
     // Specify tool version so we can keep it up-to-date
-    toolVersion = '10.17.0'
+    toolVersion = '10.20.2'
 }
 gitHooks {
     hooks = ['pre-push': 'checkstyleMain codenarcMain codenarcTest']

dependencies.gradle

@@ -18,64 +18,64 @@
  */
 dependencies {
     implementation 'com.github.ben-manes.caffeine:caffeine:3.1.8'
-    implementation 'com.google.guava:guava:33.2.1-jre'
+    implementation 'com.google.guava:guava:33.3.1-jre'
     implementation 'com.google.zxing:core:3.5.3'
     implementation 'com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru:1.4.2'
     implementation 'com.googlecode.ez-vcard:ez-vcard:0.12.1'
-    implementation 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20220608.1'
-    implementation 'com.googlecode.libphonenumber:libphonenumber:8.13.31'
-    implementation 'com.ibm.icu:icu4j:74.2'
+    implementation 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20240325.1'
+    implementation 'com.googlecode.libphonenumber:libphonenumber:8.13.52'
+    implementation 'com.ibm.icu:icu4j:76.1'
     implementation ('com.lowagie:itext:2.1.7') { // Don't update due to license change in newer versions, see OFBIZ-10455
         exclude  group: 'bouncycastle', module: 'bcmail-jdk14'
         exclude  group: 'bouncycastle', module: 'bcprov-jdk14'
         exclude  group: 'bouncycastle', module: 'bctsp-jdk14'
     }
     implementation 'com.sun.mail:javax.mail:1.6.2'
     implementation 'com.rometools:rome:2.1.0'
-    implementation 'com.thoughtworks.xstream:xstream:1.4.20'
+    implementation 'com.thoughtworks.xstream:xstream:1.4.21'
     implementation 'commons-cli:commons-cli:1.5.0' // with 1.6.0, 2 tests of OfbizStartupUnitTests don't pass
     implementation 'commons-fileupload:commons-fileupload:1.5'
-    implementation 'commons-net:commons-net:3.10.0'
-    implementation 'commons-validator:commons-validator:1.8.0'
+    implementation 'commons-net:commons-net:3.11.1'
+    implementation 'commons-validator:commons-validator:1.9.0'
     implementation 'de.odysseus.juel:juel-impl:2.2.7'
     implementation 'javax.transaction:javax.transaction-api:1.3'
     implementation 'net.fortuna.ical4j:ical4j:1.0-rc4-atlassian-12'
     implementation 'net.lingala.zip4j:zip4j:2.11.5'
-    implementation 'org.apache.ant:ant-junit:1.10.14'
+    implementation 'org.apache.ant:ant-junit:1.10.15'
     implementation 'org.apache.commons:commons-collections4:4.4'
-    implementation 'org.apache.commons:commons-csv:1.10.0'
+    implementation 'org.apache.commons:commons-csv:1.12.0'
     implementation 'org.apache.commons:commons-dbcp2:2.13.0'
     implementation 'org.apache.commons:commons-imaging:1.0-alpha3' // Alpha but OK, "Imaging was working and was used by a number of projects in production even before reaching its initial release as an Apache Commons component." Since 1.0.0-alpha4 (note the use of semver) the API has changed. Better wait an "official release" to rewrite OFBiz code...
-    implementation 'org.apache.commons:commons-text:1.11.0'
+    implementation 'org.apache.commons:commons-text:1.12.0'
     implementation 'org.apache.geronimo.components:geronimo-transaction:3.1.5' // 4.0.0 does not compile
     implementation 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1'
     implementation 'org.apache.httpcomponents:httpclient-cache:4.5.14'
     implementation 'org.apache.logging.log4j:log4j-api:2.24.2' // the API of log4j 2
     implementation 'org.apache.logging.log4j:log4j-core:2.24.2' // Somehow needed by Buildbot to compile OFBizDynamicThresholdFilter.java
     implementation 'org.apache.poi:poi:5.3.0'
     implementation 'org.apache.pdfbox:pdfbox:2.0.32' // 3.0.1 does not compile
-    implementation 'org.apache.shiro:shiro-core:1.13.0'
-    implementation 'org.apache.shiro:shiro-crypto-cipher:2.0.0'
-    implementation 'org.apache.sshd:sshd-core:2.13.1'
-    implementation 'org.apache.sshd:sshd-sftp:2.13.1'
-    implementation 'org.apache.tika:tika-core:2.9.2'
-    implementation 'org.apache.tika:tika-parsers:2.9.2'
-    implementation 'org.apache.tika:tika-parser-pdf-module:2.9.2'
+    implementation 'org.apache.shiro:shiro-core:1.13.0' // Got "Exception in thread "main" java.lang.UnsupportedOperationException: Cannot create a hash with the given algorithm: argon2" with 2.0.2 in integration tests
+    implementation 'org.apache.shiro:shiro-crypto-cipher:2.0.2'
+    implementation 'org.apache.sshd:sshd-core:2.14.0'
+    implementation 'org.apache.sshd:sshd-sftp:2.14.0'
+    implementation 'org.apache.tika:tika-core:2.9.2'     // To be compatible with tika-parser-pdf-module below
+    implementation 'org.apache.tika:tika-parsers:2.9.2' // To be compatible with tika-parser-pdf-module below
+    implementation 'org.apache.tika:tika-parser-pdf-module:2.9.2' // > 2.9.2 does not compile, see OFBIZ-13155
     implementation 'org.apache.cxf:cxf-rt-frontend-jaxrs:3.6.4' // 4.x+ requires javax.xml.bind -> jakarta.xml.bind namespace change
     implementation 'org.apache.tomcat:tomcat-catalina-ha:9.0.97' // Remember to change the version number (9 now) in javadoc block if needed.
     implementation 'org.apache.tomcat:tomcat-jasper:9.0.97'
     implementation 'org.apache.axis2:axis2-kernel:1.8.2'
-    implementation 'org.apache.xmlgraphics:batik-anim:1.17'
-    implementation 'org.apache.xmlgraphics:batik-util:1.17'
-    implementation 'org.apache.xmlgraphics:batik-bridge:1.17'
+    implementation 'org.apache.xmlgraphics:batik-anim:1.18'
+    implementation 'org.apache.xmlgraphics:batik-util:1.18'
+    implementation 'org.apache.xmlgraphics:batik-bridge:1.18'
     implementation 'org.apache.xmlgraphics:fop:2.3' // NOTE: since 2.4 dependencies are messed up. See https://github.com/moqui/moqui-fop/blob/master/build.gradle
-    implementation 'org.clojure:clojure:1.11.3'
-    implementation 'org.apache.groovy:groovy-all:4.0.22'
+    implementation 'org.clojure:clojure:1.12.0'
+    implementation 'org.apache.groovy:groovy-all:5.0.0-alpha-11'
     implementation 'org.freemarker:freemarker:2.3.34-SNAPSHOT' // Remember to change the version number in FreeMarkerWorker class when upgrading. See OFBIZ-10019 if >= 2.4
-    implementation 'org.owasp.esapi:esapi:2.5.4.0'
+    implementation 'org.owasp.esapi:esapi:2.6.0.0'
     implementation 'org.cyberneko:html:1.9.8'
     implementation 'org.springframework:spring-test:5.3.29' //  6.1.4 does not compile
-    implementation 'com.fasterxml.jackson.core:jackson-databind:2.17.1'
+    implementation 'com.fasterxml.jackson.core:jackson-databind:2.18.2'
     implementation 'oro:oro:2.0.8'
     implementation 'wsdl4j:wsdl4j:1.6.3'
     implementation 'com.auth0:java-jwt:4.4.0'
@@ -88,7 +88,7 @@ dependencies {
     }
 
     testImplementation 'org.hamcrest:hamcrest-library:2.2' // Enable junit4 to not depend on hamcrest-1.3
-    testImplementation 'org.mockito:mockito-core:5.10.0'
+    testImplementation 'org.mockito:mockito-core:5.14.2'
     testImplementation 'org.jmockit:jmockit:1.49'
     testImplementation 'com.pholser:junit-quickcheck-generators:1.0'
 
@@ -108,7 +108,7 @@ dependencies {
     runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.24.2' // need to constrain to version to avoid classpath conflict (ReflectionUtil)
 
     // specify last codenarc version for java 17 compliance
-    codenarc('org.codenarc:CodeNarc:3.4.0')
+    codenarc('org.codenarc:CodeNarc:3.5.0')
 
     // use constraints to update transitive dependencies
     constraints {