From 63a09484a038f959ebe48b3b0cbda4850180f3ad Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 19 May 2026 11:44:18 +0000
Subject: [PATCH 1/6] Initial plan


From b1615312b8f9cb5a7ed00fbb4b926e34d035558c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 19 May 2026 11:52:46 +0000
Subject: [PATCH 2/6] Bump jackson-core to 2.18.6 in
 ferstl-depgraph-dependencies (CVE-2025-52999)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Update 3 maven-fetches.expected files: jackson 2.14.1→2.18.6,
  jackson-parent 2.14→2.18.4, oss-parent 48→69,
  plugin version 4.0.3-CodeQL→4.0.3-CodeQL-2
- Update 2 diagnostics.expected files: plugin version reference
  4.0.3-CodeQL→4.0.3-CodeQL-2
- Add update-ferstl-depgraph-dependencies.sh auto-update script
---
 .../maven-fetches.expected                    |  24 +-
 .../maven-fetches.expected                    |  24 +-
 .../diagnostics.expected                      |   2 +-
 .../diagnostics.expected                      |   2 +-
 .../buildless-maven/maven-fetches.expected    |  24 +-
 .../update-ferstl-depgraph-dependencies.sh    | 230 ++++++++++++++++++
 6 files changed, 268 insertions(+), 38 deletions(-)
 create mode 100755 java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh

diff --git a/java/ql/integration-tests/java/buildless-maven-existing-settings-xml/maven-fetches.expected b/java/ql/integration-tests/java/buildless-maven-existing-settings-xml/maven-fetches.expected
index f4c4dab94565..208ca501487a 100644
--- a/java/ql/integration-tests/java/buildless-maven-existing-settings-xml/maven-fetches.expected
+++ b/java/ql/integration-tests/java/buildless-maven-existing-settings-xml/maven-fetches.expected
@@ -1,18 +1,18 @@
 Downloaded from central: https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.pom
 Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
 Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.14.1/jackson-annotations-2.14.1.jar
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.14.1/jackson-annotations-2.14.1.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.jar
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.14.1/jackson-databind-2.14.1.jar
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.14.1/jackson-databind-2.14.1.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-base/2.14.1/jackson-base-2.14.1.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-bom/2.14.1/jackson-bom-2.14.1.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-parent/2.14/jackson-parent-2.14.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/oss-parent/48/oss-parent-48.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL/depgraph-maven-plugin-4.0.3-CodeQL.jar
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL/depgraph-maven-plugin-4.0.3-CodeQL.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.18.6/jackson-databind-2.18.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.18.6/jackson-databind-2.18.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-base/2.18.6/jackson-base-2.18.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-bom/2.18.6/jackson-bom-2.18.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-parent/2.18.4/jackson-parent-2.18.4.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/oss-parent/69/oss-parent-69.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL-2/depgraph-maven-plugin-4.0.3-CodeQL-2.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL-2/depgraph-maven-plugin-4.0.3-CodeQL-2.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.36.0/error_prone_annotations-2.36.0.jar
diff --git a/java/ql/integration-tests/java/buildless-maven-mirrorof/maven-fetches.expected b/java/ql/integration-tests/java/buildless-maven-mirrorof/maven-fetches.expected
index de38626f4d84..cffdda2891e3 100644
--- a/java/ql/integration-tests/java/buildless-maven-mirrorof/maven-fetches.expected
+++ b/java/ql/integration-tests/java/buildless-maven-mirrorof/maven-fetches.expected
@@ -1,15 +1,15 @@
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.14.1/jackson-annotations-2.14.1.jar
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.14.1/jackson-annotations-2.14.1.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.jar
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.14.1/jackson-databind-2.14.1.jar
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.14.1/jackson-databind-2.14.1.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-base/2.14.1/jackson-base-2.14.1.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-bom/2.14.1/jackson-bom-2.14.1.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-parent/2.14/jackson-parent-2.14.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/oss-parent/48/oss-parent-48.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL/depgraph-maven-plugin-4.0.3-CodeQL.jar
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL/depgraph-maven-plugin-4.0.3-CodeQL.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.18.6/jackson-databind-2.18.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.18.6/jackson-databind-2.18.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-base/2.18.6/jackson-base-2.18.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-bom/2.18.6/jackson-bom-2.18.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-parent/2.18.4/jackson-parent-2.18.4.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/oss-parent/69/oss-parent-69.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL-2/depgraph-maven-plugin-4.0.3-CodeQL-2.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL-2/depgraph-maven-plugin-4.0.3-CodeQL-2.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.36.0/error_prone_annotations-2.36.0.jar
diff --git a/java/ql/integration-tests/java/buildless-maven-timeout/diagnostics.expected b/java/ql/integration-tests/java/buildless-maven-timeout/diagnostics.expected
index 94b25c68a00d..5a30189b5e30 100644
--- a/java/ql/integration-tests/java/buildless-maven-timeout/diagnostics.expected
+++ b/java/ql/integration-tests/java/buildless-maven-timeout/diagnostics.expected
@@ -83,7 +83,7 @@
   }
 }
 {
-  "markdownMessage": "Running the Maven plugin `com.github.ferstl:depgraph-maven-plugin:4.0.3-CodeQL:graph` failed. This means precise dependency information will be unavailable, and so dependencies will be guessed based on Java package names. Consider investigating why this plugin fails to run.",
+  "markdownMessage": "Running the Maven plugin `com.github.ferstl:depgraph-maven-plugin:4.0.3-CodeQL-2:graph` failed. This means precise dependency information will be unavailable, and so dependencies will be guessed based on Java package names. Consider investigating why this plugin fails to run.",
   "severity": "note",
   "source": {
     "extractorName": "java",
diff --git a/java/ql/integration-tests/java/buildless-maven-tolerate-unavailable-dependency/diagnostics.expected b/java/ql/integration-tests/java/buildless-maven-tolerate-unavailable-dependency/diagnostics.expected
index c65231eccd00..0ef924eb7c11 100644
--- a/java/ql/integration-tests/java/buildless-maven-tolerate-unavailable-dependency/diagnostics.expected
+++ b/java/ql/integration-tests/java/buildless-maven-tolerate-unavailable-dependency/diagnostics.expected
@@ -97,7 +97,7 @@
   }
 }
 {
-  "markdownMessage": "Running the Maven plugin `com.github.ferstl:depgraph-maven-plugin:4.0.3-CodeQL:graph` yielded an artifact transfer exception. This means some dependency information will be unavailable, and so some dependencies will be guessed based on Java package names. Consider investigating why this plugin encountered errors retrieving dependencies.",
+  "markdownMessage": "Running the Maven plugin `com.github.ferstl:depgraph-maven-plugin:4.0.3-CodeQL-2:graph` yielded an artifact transfer exception. This means some dependency information will be unavailable, and so some dependencies will be guessed based on Java package names. Consider investigating why this plugin encountered errors retrieving dependencies.",
   "severity": "note",
   "source": {
     "extractorName": "java",
diff --git a/java/ql/integration-tests/java/buildless-maven/maven-fetches.expected b/java/ql/integration-tests/java/buildless-maven/maven-fetches.expected
index f4c4dab94565..208ca501487a 100644
--- a/java/ql/integration-tests/java/buildless-maven/maven-fetches.expected
+++ b/java/ql/integration-tests/java/buildless-maven/maven-fetches.expected
@@ -1,18 +1,18 @@
 Downloaded from central: https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.pom
 Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
 Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.14.1/jackson-annotations-2.14.1.jar
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.14.1/jackson-annotations-2.14.1.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.jar
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.14.1/jackson-databind-2.14.1.jar
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.14.1/jackson-databind-2.14.1.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-base/2.14.1/jackson-base-2.14.1.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-bom/2.14.1/jackson-bom-2.14.1.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-parent/2.14/jackson-parent-2.14.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/oss-parent/48/oss-parent-48.pom
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL/depgraph-maven-plugin-4.0.3-CodeQL.jar
-Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL/depgraph-maven-plugin-4.0.3-CodeQL.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.18.6/jackson-databind-2.18.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.18.6/jackson-databind-2.18.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-base/2.18.6/jackson-base-2.18.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-bom/2.18.6/jackson-bom-2.18.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-parent/2.18.4/jackson-parent-2.18.4.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/oss-parent/69/oss-parent-69.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL-2/depgraph-maven-plugin-4.0.3-CodeQL-2.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL-2/depgraph-maven-plugin-4.0.3-CodeQL-2.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.36.0/error_prone_annotations-2.36.0.jar
diff --git a/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh b/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh
new file mode 100755
index 000000000000..3af20eaca076
--- /dev/null
+++ b/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh
@@ -0,0 +1,230 @@
+#!/usr/bin/env bash
+# Upgrades the ferstl-depgraph-dependencies bundle used by the buildless Java extractor.
+#
+# This script:
+#   1. Clones ferstl/depgraph-maven-plugin at the upstream 4.0.3 tag.
+#   2. Applies the CodeQL patches: version suffix, Guava bump, Jackson bump.
+#   3. Builds the plugin (skipping tests).
+#   4. Collects all runtime artifacts into a Maven local-repo layout and zips them.
+#   5. Updates the *.expected integration-test files in this directory.
+#
+# The generated zip file must be placed (in the companion semmle-code PR) at:
+#   resources/lib/ferstl-depgraph-dependencies/ferstl-depgraph-dependencies.zip
+#
+# Usage:
+#   ./update-ferstl-depgraph-dependencies.sh [JACKSON_VERSION [GUAVA_VERSION]]
+#
+# Defaults:
+#   JACKSON_VERSION = 2.18.6
+#   GUAVA_VERSION   = 33.4.0-jre
+#
+# Requirements:
+#   - JDK 17 (or JDK 11+; the plugin targets Java 8+)
+#   - Maven 3.9.x  (do NOT use Maven 4.x)
+#   - git, python3, zip, sha1sum (or shasum on macOS)
+
+set -euo pipefail
+
+# ---------------------------------------------------------------------------
+# Configuration
+# ---------------------------------------------------------------------------
+JACKSON_VERSION="${1:-2.18.6}"
+GUAVA_VERSION="${2:-33.4.0-jre}"
+
+PLUGIN_UPSTREAM_VERSION="4.0.3"
+PLUGIN_CODEQL_VERSION="${PLUGIN_UPSTREAM_VERSION}-CodeQL-2"
+UPSTREAM_TAG="depgraph-maven-plugin-${PLUGIN_UPSTREAM_VERSION}"
+UPSTREAM_REPO="https://github.com/ferstl/depgraph-maven-plugin.git"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+WORK_DIR="$(mktemp -d)"
+trap 'rm -rf "${WORK_DIR}"' EXIT
+
+echo "=== ferstl-depgraph-dependencies update ==="
+echo "  Jackson:        ${JACKSON_VERSION}"
+echo "  Guava:          ${GUAVA_VERSION}"
+echo "  Plugin version: ${PLUGIN_CODEQL_VERSION}"
+echo "  Work dir:       ${WORK_DIR}"
+echo ""
+
+# ---------------------------------------------------------------------------
+# Step 1 — Clone plugin source
+# ---------------------------------------------------------------------------
+echo "[1/5] Cloning ${UPSTREAM_REPO} at tag ${UPSTREAM_TAG} ..."
+git clone --depth=1 --branch "${UPSTREAM_TAG}" "${UPSTREAM_REPO}" "${WORK_DIR}/plugin-src"
+
+# ---------------------------------------------------------------------------
+# Step 2 — Patch pom.xml
+# ---------------------------------------------------------------------------
+echo "[2/5] Patching pom.xml ..."
+python3 - \
+    "${WORK_DIR}/plugin-src/pom.xml" \
+    "${PLUGIN_UPSTREAM_VERSION}" \
+    "${PLUGIN_CODEQL_VERSION}" \
+    "${GUAVA_VERSION}" \
+    "${JACKSON_VERSION}" << 'PYEOF'
+import sys
+
+pom_path, old_version, new_version, new_guava, new_jackson = sys.argv[1:]
+
+with open(pom_path) as f:
+    content = f.read()
+
+# 1. Version suffix: 4.0.3 -> 4.0.3-CodeQL-2  (first occurrence only — the <version> element)
+content = content.replace(f'<version>{old_version}</version>', f'<version>{new_version}</version>', 1)
+
+# 2. Guava
+content = content.replace('<version>31.1-jre</version>', f'<version>{new_guava}</version>')
+
+# 3. Jackson (jackson-databind drives the transitive jackson-core / jackson-annotations versions)
+content = content.replace('<version>2.14.1</version>', f'<version>{new_jackson}</version>')
+
+with open(pom_path, 'w') as f:
+    f.write(content)
+
+print(f'  pom.xml patched: version={new_version}, guava={new_guava}, jackson={new_jackson}')
+PYEOF
+
+# ---------------------------------------------------------------------------
+# Step 3 — Build
+# ---------------------------------------------------------------------------
+LOCAL_REPO="${WORK_DIR}/local-repo"
+echo "[3/5] Building plugin (mvn package + install, skipping tests) ..."
+cd "${WORK_DIR}/plugin-src"
+mvn package install -DskipTests -q -Dmaven.repo.local="${LOCAL_REPO}"
+
+# ---------------------------------------------------------------------------
+# Step 4 — Package local-repo zip
+# ---------------------------------------------------------------------------
+echo "[4/5] Packaging local Maven repo into zip ..."
+
+# Remove build-time-only noise (but keep _remote.repositories for Maven
+# cache-validation compatibility).
+find "${LOCAL_REPO}" \( \
+    -name "resolver-status.properties" \
+    -o -name "*.lastUpdated" \
+    -o -name "m2e-lastUpdated.properties" \
+    \) -delete
+
+# Add missing SHA-1 files (mvn install doesn't always write them for locally
+# built artifacts; they are needed to suppress Maven checksum warnings).
+if command -v sha1sum &>/dev/null; then
+    SHA1_CMD="sha1sum"
+elif command -v shasum &>/dev/null; then
+    SHA1_CMD="shasum -a 1"
+else
+    echo "WARNING: Neither sha1sum nor shasum found; .sha1 files will not be generated." >&2
+    SHA1_CMD=""
+fi
+
+if [[ -n "${SHA1_CMD}" ]]; then
+    while IFS= read -r -d '' f; do
+        if [[ ! -f "${f}.sha1" ]]; then
+            ${SHA1_CMD} "${f}" | awk '{print $1}' > "${f}.sha1"
+        fi
+    done < <(find "${LOCAL_REPO}" \( -name "*.jar" -o -name "*.pom" \) -print0)
+fi
+
+ZIP_OUT="${WORK_DIR}/ferstl-depgraph-dependencies.zip"
+(cd "${LOCAL_REPO}" && zip -r -q "${ZIP_OUT}" .)
+
+echo ""
+echo "  Zip created: ${ZIP_OUT}"
+echo ""
+echo "  *** Place this file in semmle-code at:"
+echo "      resources/lib/ferstl-depgraph-dependencies/ferstl-depgraph-dependencies.zip"
+echo ""
+
+# ---------------------------------------------------------------------------
+# Step 5 — Update integration-test *.expected files
+# ---------------------------------------------------------------------------
+echo "[5/5] Updating integration-test expected files ..."
+
+# Discover versions currently recorded in the expected files so the script
+# is idempotent and can be re-run after a partial update.
+EXPECTED_FILE="${SCRIPT_DIR}/java/buildless-maven/maven-fetches.expected"
+
+OLD_JACKSON="$(grep -oP 'jackson-core/\K[^/]+(?=/)' "${EXPECTED_FILE}" | head -1)"
+OLD_PLUGIN="$(grep -oP 'depgraph-maven-plugin/\K[^/]+(?=/)' "${EXPECTED_FILE}" | head -1)"
+OLD_OSS_PARENT="$(grep -oP 'fasterxml/oss-parent/\K[^/]+(?=/)' "${EXPECTED_FILE}" | head -1)"
+OLD_JACKSON_PARENT="$(grep -oP 'jackson-parent/\K[^/]+(?=/)' "${EXPECTED_FILE}" | head -1)"
+
+# Resolve new parent versions from the artifacts Maven just resolved.
+NEW_JACKSON_PARENT="$(find "${LOCAL_REPO}/com/fasterxml/jackson/jackson-parent" \
+    -name "jackson-parent-*.pom" | sort | tail -1 | grep -oP '[\d.]+(?=\.pom)')"
+NEW_OSS_PARENT="$(find "${LOCAL_REPO}/com/fasterxml/oss-parent" \
+    -name "oss-parent-*.pom" | sort | tail -1 | grep -oP '[0-9]+(?=\.pom)')"
+
+echo "  Jackson:        ${OLD_JACKSON} -> ${JACKSON_VERSION}"
+echo "  jackson-parent: ${OLD_JACKSON_PARENT} -> ${NEW_JACKSON_PARENT}"
+echo "  oss-parent:     ${OLD_OSS_PARENT} -> ${NEW_OSS_PARENT}"
+echo "  Plugin:         ${OLD_PLUGIN} -> ${PLUGIN_CODEQL_VERSION}"
+
+python3 - \
+    "${SCRIPT_DIR}" \
+    "${OLD_JACKSON}" "${JACKSON_VERSION}" \
+    "${OLD_JACKSON_PARENT}" "${NEW_JACKSON_PARENT}" \
+    "${OLD_OSS_PARENT}" "${NEW_OSS_PARENT}" \
+    "${OLD_PLUGIN}" "${PLUGIN_CODEQL_VERSION}" << 'PYEOF'
+import os, sys, glob
+
+(script_dir,
+ old_jackson, new_jackson,
+ old_jackson_parent, new_jackson_parent,
+ old_oss_parent, new_oss_parent,
+ old_plugin, new_plugin) = sys.argv[1:]
+
+# Substitutions applied to maven-fetches.expected files
+fetch_substitutions = [
+    (f"jackson-annotations/{old_jackson}/jackson-annotations-{old_jackson}",
+     f"jackson-annotations/{new_jackson}/jackson-annotations-{new_jackson}"),
+    (f"jackson-core/{old_jackson}/jackson-core-{old_jackson}",
+     f"jackson-core/{new_jackson}/jackson-core-{new_jackson}"),
+    (f"jackson-databind/{old_jackson}/jackson-databind-{old_jackson}",
+     f"jackson-databind/{new_jackson}/jackson-databind-{new_jackson}"),
+    (f"jackson-base/{old_jackson}/jackson-base-{old_jackson}",
+     f"jackson-base/{new_jackson}/jackson-base-{new_jackson}"),
+    (f"jackson-bom/{old_jackson}/jackson-bom-{old_jackson}",
+     f"jackson-bom/{new_jackson}/jackson-bom-{new_jackson}"),
+    (f"jackson-parent/{old_jackson_parent}/jackson-parent-{old_jackson_parent}.pom",
+     f"jackson-parent/{new_jackson_parent}/jackson-parent-{new_jackson_parent}.pom"),
+    (f"com/fasterxml/oss-parent/{old_oss_parent}/oss-parent-{old_oss_parent}.pom",
+     f"com/fasterxml/oss-parent/{new_oss_parent}/oss-parent-{new_oss_parent}.pom"),
+    (f"depgraph-maven-plugin/{old_plugin}/depgraph-maven-plugin-{old_plugin}.",
+     f"depgraph-maven-plugin/{new_plugin}/depgraph-maven-plugin-{new_plugin}."),
+]
+
+# Substitutions applied to diagnostics.expected files
+diagnostics_substitutions = [
+    (f"depgraph-maven-plugin:{old_plugin}:graph",
+     f"depgraph-maven-plugin:{new_plugin}:graph"),
+]
+
+def update(filepath, substitutions):
+    with open(filepath) as f:
+        content = f.read()
+    updated = content
+    for old, new in substitutions:
+        updated = updated.replace(old, new)
+    if updated != content:
+        with open(filepath, 'w') as f:
+            f.write(updated)
+        print(f"  Updated: {os.path.relpath(filepath, script_dir)}")
+
+for fp in glob.glob(os.path.join(script_dir, "java", "**", "maven-fetches.expected"), recursive=True):
+    update(fp, fetch_substitutions)
+
+for fp in glob.glob(os.path.join(script_dir, "java", "**", "diagnostics.expected"), recursive=True):
+    update(fp, diagnostics_substitutions)
+
+print("  Expected files updated.")
+PYEOF
+
+echo ""
+echo "=== Update complete ==="
+echo ""
+echo "Next steps:"
+echo "  1. Copy ${ZIP_OUT} -> semmle-code resources/lib/ferstl-depgraph-dependencies/ferstl-depgraph-dependencies.zip"
+echo "  2. In semmle-code, update autobuild/src/com/semmle/util/build/Maven.java:"
+echo "     bump the plugin version constant to '${PLUGIN_CODEQL_VERSION}'"
+echo "  3. Commit and raise PRs in both repositories."

From 8b799f84edde7a1dd31be61cdb35398ab0bb9327 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= <oscarsj@github.com>
Date: Tue, 19 May 2026 14:30:50 +0200
Subject: [PATCH 3/6] Do not remove zip file if the process succeeds

---
 java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh b/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh
index 3af20eaca076..9fb034f5c17b 100755
--- a/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh
+++ b/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh
@@ -228,3 +228,4 @@ echo "  1. Copy ${ZIP_OUT} -> semmle-code resources/lib/ferstl-depgraph-dependen
 echo "  2. In semmle-code, update autobuild/src/com/semmle/util/build/Maven.java:"
 echo "     bump the plugin version constant to '${PLUGIN_CODEQL_VERSION}'"
 echo "  3. Commit and raise PRs in both repositories."
+trap - EXIT

From 38a2101e11d460d34af9a201cea7bf76430aa427 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 21 May 2026 09:41:57 +0000
Subject: [PATCH 4/6] update-ferstl-depgraph-dependencies.sh: address review
 feedback

- Use BUILD_REPO/DIST_REPO split so zip contains only runtime deps
  (build-lifecycle plugins, test jars, etc. stay in throwaway BUILD_REPO)
- Minimal inline stub pom.xml (no deps) instead of archetype:generate
  to avoid polluting DIST_REPO with stub project's own dependencies
- Replace grep -oP (PCRE, unavailable on macOS BSD grep) with Python re
- Use version-aware Python version_key() for max POM version selection
  (lexicographic sort fails for e.g. 2.18.10 vs 2.18.6; release > snapshot)
- Write zip to caller's working directory; keep cleanup trap active;
  remove `trap - EXIT` which was leaving WORK_DIR behind
---
 .../update-ferstl-depgraph-dependencies.sh    | 133 +++++++++++++++---
 1 file changed, 114 insertions(+), 19 deletions(-)

diff --git a/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh b/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh
index 9fb034f5c17b..a2a78bbac08d 100755
--- a/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh
+++ b/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh
@@ -4,8 +4,8 @@
 # This script:
 #   1. Clones ferstl/depgraph-maven-plugin at the upstream 4.0.3 tag.
 #   2. Applies the CodeQL patches: version suffix, Guava bump, Jackson bump.
-#   3. Builds the plugin (skipping tests).
-#   4. Collects all runtime artifacts into a Maven local-repo layout and zips them.
+#   3. Builds the plugin (skipping tests) into a throwaway build repo.
+#   4. Resolves only the plugin's runtime deps into a clean dist repo and zips it.
 #   5. Updates the *.expected integration-test files in this directory.
 #
 # The generated zip file must be placed (in the companion semmle-code PR) at:
@@ -14,6 +14,9 @@
 # Usage:
 #   ./update-ferstl-depgraph-dependencies.sh [JACKSON_VERSION [GUAVA_VERSION]]
 #
+# Output:
+#   ferstl-depgraph-dependencies.zip  (written to the current working directory)
+#
 # Defaults:
 #   JACKSON_VERSION = 2.18.6
 #   GUAVA_VERSION   = 33.4.0-jre
@@ -38,6 +41,9 @@ UPSTREAM_REPO="https://github.com/ferstl/depgraph-maven-plugin.git"
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 WORK_DIR="$(mktemp -d)"
+# The zip is written to the caller's working directory so the cleanup trap can
+# safely remove the entire temporary work tree.
+ZIP_OUT="$(pwd)/ferstl-depgraph-dependencies.zip"
 trap 'rm -rf "${WORK_DIR}"' EXIT
 
 echo "=== ferstl-depgraph-dependencies update ==="
@@ -86,12 +92,56 @@ print(f'  pom.xml patched: version={new_version}, guava={new_guava}, jackson={ne
 PYEOF
 
 # ---------------------------------------------------------------------------
-# Step 3 — Build
+# Step 3 — Build the plugin, then resolve its runtime deps into a clean repo
 # ---------------------------------------------------------------------------
-LOCAL_REPO="${WORK_DIR}/local-repo"
+#
+# Two separate local repos:
+#
+#   BUILD_REPO  Throwaway cache for the plugin's own `mvn package install` —
+#               accumulates build-lifecycle plugins (compiler, surefire, jar,
+#               plugin-plugin, etc.) that the extractor never invokes at
+#               runtime.  Discarded after this step.
+#
+#   DIST_REPO   Clean repo seeded with the freshly built plugin, then
+#               populated only with the plugin's runtime transitive deps by
+#               invoking the :graph goal against a minimal stub project.
+#               This is what gets zipped.
+#
+BUILD_REPO="${WORK_DIR}/build-repo"
+DIST_REPO="${WORK_DIR}/dist-repo"
+
 echo "[3/5] Building plugin (mvn package + install, skipping tests) ..."
 cd "${WORK_DIR}/plugin-src"
-mvn package install -DskipTests -q -Dmaven.repo.local="${LOCAL_REPO}"
+mvn package install -DskipTests -q -Dmaven.repo.local="${BUILD_REPO}"
+
+echo "      Resolving runtime dependencies into clean dist repo ..."
+
+# Seed DIST_REPO with the freshly built plugin jar+pom so the :graph
+# invocation below can resolve its transitive runtime deps without hitting
+# Central for the plugin artifact itself.
+PLUGIN_REL="com/github/ferstl/depgraph-maven-plugin/${PLUGIN_CODEQL_VERSION}"
+mkdir -p "${DIST_REPO}/${PLUGIN_REL}"
+cp "${BUILD_REPO}/${PLUGIN_REL}/depgraph-maven-plugin-${PLUGIN_CODEQL_VERSION}.jar" \
+   "${BUILD_REPO}/${PLUGIN_REL}/depgraph-maven-plugin-${PLUGIN_CODEQL_VERSION}.pom" \
+   "${DIST_REPO}/${PLUGIN_REL}/"
+
+# Create a minimal stub project with no dependencies.  Using an empty project
+# avoids polluting DIST_REPO with the stub's own deps (e.g. junit from the
+# quickstart archetype).  The sole purpose of this project is to give Maven a
+# valid reactor context in which to load and execute the plugin.
+mkdir -p "${WORK_DIR}/stub-project"
+cat > "${WORK_DIR}/stub-project/pom.xml" << 'STUBPOM'
+<project>
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>com.example</groupId>
+  <artifactId>stub</artifactId>
+  <version>1.0-SNAPSHOT</version>
+</project>
+STUBPOM
+
+cd "${WORK_DIR}/stub-project"
+mvn -q "com.github.ferstl:depgraph-maven-plugin:${PLUGIN_CODEQL_VERSION}:graph" \
+    -Dmaven.repo.local="${DIST_REPO}"
 
 # ---------------------------------------------------------------------------
 # Step 4 — Package local-repo zip
@@ -100,7 +150,7 @@ echo "[4/5] Packaging local Maven repo into zip ..."
 
 # Remove build-time-only noise (but keep _remote.repositories for Maven
 # cache-validation compatibility).
-find "${LOCAL_REPO}" \( \
+find "${DIST_REPO}" \( \
     -name "resolver-status.properties" \
     -o -name "*.lastUpdated" \
     -o -name "m2e-lastUpdated.properties" \
@@ -122,11 +172,10 @@ if [[ -n "${SHA1_CMD}" ]]; then
         if [[ ! -f "${f}.sha1" ]]; then
             ${SHA1_CMD} "${f}" | awk '{print $1}' > "${f}.sha1"
         fi
-    done < <(find "${LOCAL_REPO}" \( -name "*.jar" -o -name "*.pom" \) -print0)
+    done < <(find "${DIST_REPO}" \( -name "*.jar" -o -name "*.pom" \) -print0)
 fi
 
-ZIP_OUT="${WORK_DIR}/ferstl-depgraph-dependencies.zip"
-(cd "${LOCAL_REPO}" && zip -r -q "${ZIP_OUT}" .)
+(cd "${DIST_REPO}" && zip -r -q "${ZIP_OUT}" .)
 
 echo ""
 echo "  Zip created: ${ZIP_OUT}"
@@ -142,18 +191,65 @@ echo "[5/5] Updating integration-test expected files ..."
 
 # Discover versions currently recorded in the expected files so the script
 # is idempotent and can be re-run after a partial update.
+# Python is used for portability: grep -oP requires PCRE which is absent on
+# macOS's BSD grep.
 EXPECTED_FILE="${SCRIPT_DIR}/java/buildless-maven/maven-fetches.expected"
 
-OLD_JACKSON="$(grep -oP 'jackson-core/\K[^/]+(?=/)' "${EXPECTED_FILE}" | head -1)"
-OLD_PLUGIN="$(grep -oP 'depgraph-maven-plugin/\K[^/]+(?=/)' "${EXPECTED_FILE}" | head -1)"
-OLD_OSS_PARENT="$(grep -oP 'fasterxml/oss-parent/\K[^/]+(?=/)' "${EXPECTED_FILE}" | head -1)"
-OLD_JACKSON_PARENT="$(grep -oP 'jackson-parent/\K[^/]+(?=/)' "${EXPECTED_FILE}" | head -1)"
+read -r OLD_JACKSON OLD_PLUGIN OLD_OSS_PARENT OLD_JACKSON_PARENT <<< "$(python3 - "${EXPECTED_FILE}" << 'PYEOF'
+import sys, re
 
-# Resolve new parent versions from the artifacts Maven just resolved.
-NEW_JACKSON_PARENT="$(find "${LOCAL_REPO}/com/fasterxml/jackson/jackson-parent" \
-    -name "jackson-parent-*.pom" | sort | tail -1 | grep -oP '[\d.]+(?=\.pom)')"
-NEW_OSS_PARENT="$(find "${LOCAL_REPO}/com/fasterxml/oss-parent" \
-    -name "oss-parent-*.pom" | sort | tail -1 | grep -oP '[0-9]+(?=\.pom)')"
+with open(sys.argv[1]) as f:
+    content = f.read()
+
+def extract(pattern):
+    m = re.search(pattern, content)
+    return m.group(1) if m else ''
+
+print(
+    extract(r'jackson-core/([^/]+)/'),
+    extract(r'depgraph-maven-plugin/([^/]+)/'),
+    extract(r'fasterxml/oss-parent/([^/]+)/'),
+    extract(r'jackson-parent/([^/]+)/'),
+)
+PYEOF
+)"
+
+# Resolve new parent-pom versions from the artifacts Maven just resolved.
+# Python is used for version-aware max() so that e.g. 2.18.10 sorts after
+# 2.18.6 (lexicographic sort would get this wrong).
+read -r NEW_JACKSON_PARENT NEW_OSS_PARENT <<< "$(python3 - \
+    "${DIST_REPO}/com/fasterxml/jackson/jackson-parent" \
+    "${DIST_REPO}/com/fasterxml/oss-parent" << 'PYEOF'
+import sys, os, re
+
+def max_version(directory, name_prefix, name_suffix):
+    try:
+        entries = os.listdir(directory)
+    except FileNotFoundError:
+        return ''
+    versions = []
+    for e in entries:
+        pom = os.path.join(directory, e, f'{name_prefix}{e}{name_suffix}')
+        if os.path.isfile(pom):
+            versions.append(e)
+    if not versions:
+        return ''
+    def version_key(v):
+        parts = re.split(r'[.\-]', v)
+        numeric = tuple(int(p) for p in parts if p.isdigit())
+        # A release version (all-numeric parts) beats a snapshot/qualifier with
+        # the same numeric prefix; append 1 for pure-release, 0 otherwise.
+        is_release = int(all(p.isdigit() for p in parts if p))
+        return (numeric, is_release)
+    return max(versions, key=version_key)
+
+jackson_parent_dir, oss_parent_dir = sys.argv[1], sys.argv[2]
+print(
+    max_version(jackson_parent_dir, 'jackson-parent-', '.pom'),
+    max_version(oss_parent_dir,     'oss-parent-',     '.pom'),
+)
+PYEOF
+)"
 
 echo "  Jackson:        ${OLD_JACKSON} -> ${JACKSON_VERSION}"
 echo "  jackson-parent: ${OLD_JACKSON_PARENT} -> ${NEW_JACKSON_PARENT}"
@@ -228,4 +324,3 @@ echo "  1. Copy ${ZIP_OUT} -> semmle-code resources/lib/ferstl-depgraph-dependen
 echo "  2. In semmle-code, update autobuild/src/com/semmle/util/build/Maven.java:"
 echo "     bump the plugin version constant to '${PLUGIN_CODEQL_VERSION}'"
 echo "  3. Commit and raise PRs in both repositories."
-trap - EXIT

From 8170c207bd3bee795058f4f884d6ce1efe6adaae Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 21 May 2026 09:57:10 +0000
Subject: [PATCH 5/6] Fix macOS bash 3.2 heredoc-in-$() portability issue in
 update script

---
 .../update-ferstl-depgraph-dependencies.sh    | 29 ++++++++++---------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh b/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh
index a2a78bbac08d..088f7bdd380b 100755
--- a/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh
+++ b/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh
@@ -189,13 +189,12 @@ echo ""
 # ---------------------------------------------------------------------------
 echo "[5/5] Updating integration-test expected files ..."
 
-# Discover versions currently recorded in the expected files so the script
-# is idempotent and can be re-run after a partial update.
-# Python is used for portability: grep -oP requires PCRE which is absent on
-# macOS's BSD grep.
+# Python helpers are written to files to avoid heredocs inside $(...), which
+# are not reliably parsed by macOS bash 3.2.
 EXPECTED_FILE="${SCRIPT_DIR}/java/buildless-maven/maven-fetches.expected"
 
-read -r OLD_JACKSON OLD_PLUGIN OLD_OSS_PARENT OLD_JACKSON_PARENT <<< "$(python3 - "${EXPECTED_FILE}" << 'PYEOF'
+# Script: extract current versions from the expected file
+cat > "${WORK_DIR}/extract_versions.py" << 'PYEOF'
 import sys, re
 
 with open(sys.argv[1]) as f:
@@ -212,14 +211,12 @@ print(
     extract(r'jackson-parent/([^/]+)/'),
 )
 PYEOF
-)"
-
-# Resolve new parent-pom versions from the artifacts Maven just resolved.
-# Python is used for version-aware max() so that e.g. 2.18.10 sorts after
-# 2.18.6 (lexicographic sort would get this wrong).
-read -r NEW_JACKSON_PARENT NEW_OSS_PARENT <<< "$(python3 - \
-    "${DIST_REPO}/com/fasterxml/jackson/jackson-parent" \
-    "${DIST_REPO}/com/fasterxml/oss-parent" << 'PYEOF'
+
+read -r OLD_JACKSON OLD_PLUGIN OLD_OSS_PARENT OLD_JACKSON_PARENT \
+    <<< "$(python3 "${WORK_DIR}/extract_versions.py" "${EXPECTED_FILE}")"
+
+# Script: find the highest-version POM in each parent directory
+cat > "${WORK_DIR}/max_versions.py" << 'PYEOF'
 import sys, os, re
 
 def max_version(directory, name_prefix, name_suffix):
@@ -249,7 +246,11 @@ print(
     max_version(oss_parent_dir,     'oss-parent-',     '.pom'),
 )
 PYEOF
-)"
+
+read -r NEW_JACKSON_PARENT NEW_OSS_PARENT \
+    <<< "$(python3 "${WORK_DIR}/max_versions.py" \
+        "${DIST_REPO}/com/fasterxml/jackson/jackson-parent" \
+        "${DIST_REPO}/com/fasterxml/oss-parent")"
 
 echo "  Jackson:        ${OLD_JACKSON} -> ${JACKSON_VERSION}"
 echo "  jackson-parent: ${OLD_JACKSON_PARENT} -> ${NEW_JACKSON_PARENT}"

From 0f3c9ab483ac58f437a7329544d8a06d9ca346ba Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 21 May 2026 12:07:45 +0000
Subject: [PATCH 6/6] Fix remaining macOS bash 3.2 portability issues in update
 script (step 5)

---
 .../update-ferstl-depgraph-dependencies.sh    | 23 +++++++++++--------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh b/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh
index 088f7bdd380b..19d8167be740 100755
--- a/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh
+++ b/java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh
@@ -247,22 +247,18 @@ print(
 )
 PYEOF
 
-read -r NEW_JACKSON_PARENT NEW_OSS_PARENT \
-    <<< "$(python3 "${WORK_DIR}/max_versions.py" \
-        "${DIST_REPO}/com/fasterxml/jackson/jackson-parent" \
-        "${DIST_REPO}/com/fasterxml/oss-parent")"
+# Capture python output into a variable first to avoid backslash continuation
+# inside $(...), which is not reliably handled by macOS bash 3.2.
+_max_versions_out="$(python3 "${WORK_DIR}/max_versions.py" "${DIST_REPO}/com/fasterxml/jackson/jackson-parent" "${DIST_REPO}/com/fasterxml/oss-parent")"
+read -r NEW_JACKSON_PARENT NEW_OSS_PARENT <<< "${_max_versions_out}"
 
 echo "  Jackson:        ${OLD_JACKSON} -> ${JACKSON_VERSION}"
 echo "  jackson-parent: ${OLD_JACKSON_PARENT} -> ${NEW_JACKSON_PARENT}"
 echo "  oss-parent:     ${OLD_OSS_PARENT} -> ${NEW_OSS_PARENT}"
 echo "  Plugin:         ${OLD_PLUGIN} -> ${PLUGIN_CODEQL_VERSION}"
 
-python3 - \
-    "${SCRIPT_DIR}" \
-    "${OLD_JACKSON}" "${JACKSON_VERSION}" \
-    "${OLD_JACKSON_PARENT}" "${NEW_JACKSON_PARENT}" \
-    "${OLD_OSS_PARENT}" "${NEW_OSS_PARENT}" \
-    "${OLD_PLUGIN}" "${PLUGIN_CODEQL_VERSION}" << 'PYEOF'
+# Script: update all *.expected files in-place
+cat > "${WORK_DIR}/update_expected.py" << 'PYEOF'
 import os, sys, glob
 
 (script_dir,
@@ -317,6 +313,13 @@ for fp in glob.glob(os.path.join(script_dir, "java", "**", "diagnostics.expected
 print("  Expected files updated.")
 PYEOF
 
+python3 "${WORK_DIR}/update_expected.py" \
+    "${SCRIPT_DIR}" \
+    "${OLD_JACKSON}" "${JACKSON_VERSION}" \
+    "${OLD_JACKSON_PARENT}" "${NEW_JACKSON_PARENT}" \
+    "${OLD_OSS_PARENT}" "${NEW_OSS_PARENT}" \
+    "${OLD_PLUGIN}" "${PLUGIN_CODEQL_VERSION}"
+
 echo ""
 echo "=== Update complete ==="
 echo ""