Raising an issue for a discussing dedicated to the mess that is blocking
FINERACT-700 from proceeding:
The TL;DR is that the Apache Fineract project is stuck on very ancient versions of a number of 3rd party tools and libraries, including the Gradle Build tools, JDBC driver, automated code quality tools like FindBugs (which has security related impacts; more recent versions would permit switching to SpotBugs and add automated SQL injection vulnerability scanning and the like).
It's a long tail of depencies, but ultimately it boils down to having to talk to a MariaDB server using the bygone obsolete Drizzle JDBC driver which is can be seen on https://github.com/krummas/DrizzleJDBC is simply dead - unmaintained. The obvious solution is to switch to using the current MariaDB.org (but not Oracle.com...) Connector/J JDBC driver, see https://downloads.mariadb.org/connector-java/. But there are hesitations to do this due to legal concerns, see
FINCN-26 (which is for Fineract CN not for Fineract "Classic", but same story).
Not entirely sure how to proceed here. In theory, I guess the options are:
1. Asking the Fineract project to somehow step up to maintain Drizzle? Seems unreasonable.
2. See if there is any way that the impasse on the legal side could be resolved? Perhaps at least for a build time tool which is not shipped there could be an exception? I've opened
LEGAL-462 to get an official viewpoint from the Apache.org Legal Affairs Committee...