From 48b226c0e7b2ac60c52541f4802f1c2274c2847d Mon Sep 17 00:00:00 2001
From: Karl Tarbet
Date: Fri, 29 May 2026 11:59:12 -0700
Subject: [PATCH] Update kotlin (javalin dependency) and checkstyle
---
 README.md | 11 +++++++++++
 buildSrc/src/main/groovy/cda.deps-conventions.gradle | 9 +++++++++
 buildSrc/src/main/groovy/cda.java-conventions.gradle | 2 +-
 3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index ef02e510d5..1e42cd27e0 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,17 @@ To build the war:
 This will compile the jar and run the basic unit tests.
+To run the OWASP dependency vulnerability scan:
+
+ ./gradlew dependencyCheckAggregate
+
+For faster scans, add a free [NVD API key](https://nvd.nist.gov/developers/request-an-api-key) to your
+user gradle properties file (`~/.gradle/gradle.properties`):
+
+ nvdApiKey=
+
+The report is written to `build/reports/dependency-check-report.html`.
+
 ## Development stack
 See the docker-compose.README.md for instructions using the docker-compose environment
diff --git a/buildSrc/src/main/groovy/cda.deps-conventions.gradle b/buildSrc/src/main/groovy/cda.deps-conventions.gradle
index 5000be0534..0543e6692d 100644
--- a/buildSrc/src/main/groovy/cda.deps-conventions.gradle
+++ b/buildSrc/src/main/groovy/cda.deps-conventions.gradle
@@ -19,4 +19,13 @@ repositories {
 configurations.all {
 exclude group: "org.python", module: "jython-standalone"
+
+ resolutionStrategy {
+ // javalin 4.6.8 pulls in the vulnerable kotlin-stdlib 1.5.32
+ // Force a patched version; javalin can't be bumped past 4.x while we target Java 11.
+ force "org.jetbrains.kotlin:kotlin-stdlib:1.9.25"
+ force "org.jetbrains.kotlin:kotlin-stdlib-common:1.9.25"
+ force "org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.9.25"
+ force "org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.25"
+ }
 }
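Review bot: `force` in the added `resolutionStrategy` block pins all four kotlin-stdlib artifacts to 1.9.25 in every configuration, and it overrides higher requested versions as well as lower ones, so a later dependency that needs a newer stdlib would be held back without any build output saying so. The comment calls 1.5.32 vulnerable but names no advisory, which leaves a future maintainer unable to tell when the pin can be dropped; I would add `// Advisory: <ADVISORY-ID>; remove this block once javalin is upgraded past 4.x` and hoist the version into one variable, `def kotlinStdlibVersion = "1.9.25"`, used by the four `force` lines. The jump from 1.5 to 1.9 underneath a javalin built against 1.5 is presumably binary compatible, but that is worth confirming with the integration tests rather than assuming.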
diff --git a/buildSrc/src/main/groovy/cda.java-conventions.gradle b/buildSrc/src/main/groovy/cda.java-conventions.gradle
index a0be9732c2..8fe281bb10 100644
--- a/buildSrc/src/main/groovy/cda.java-conventions.gradle
+++ b/buildSrc/src/main/groovy/cda.java-conventions.gradle
@@ -26,7 +26,7 @@ test {
 }
 checkstyle {
- toolVersion = '9.3'
+ toolVersion = '10.26.1'
 }
 dependencyCheck {