Update vulnerable dependencies in verification test fixtures #1670

Merged
JamieMagee merged 1 commit into main from fix/update-vulnerable-test-fixture-deps
Feb 18, 2026

Conversation

@JamieMagee (Member)

An osv-scanner run flagged 91 vulnerabilities across packages in the verification test fixtures. None of these are runtime dependencies of component-detection itself -- they're all in the lockfiles and manifests under test/.../VerificationTests/resources/ that exercise the various detectors.

Still, having known-vulnerable versions in the repo isn't great, so this PR bumps them.

What changed

Gradle test fixture

Updated build.gradle from AGP 7.1.0 + Kotlin 1.5.31 to AGP 9.0.0 + Kotlin 2.3.10, then regenerated the lockfile. The new transitive tree drops a bunch of old dependencies entirely (jackson, netty, grpc, json-simple, jsoup, woodstox, antlr4, etc.) and bumps everything else:

  • gson 2.8.6 -> 2.11.0
  • guava 30.1-jre -> 33.3.1-jre
  • protobuf-java 3.10.0 -> 3.25.5
  • commons-io 2.4 -> 2.16.1
  • commons-compress 1.20 -> 1.27.1
  • bouncycastle 1.56 -> 1.79 (migrated from jdk15on to jdk18on)
  • jose4j 0.7.0 -> 0.9.5
  • httpclient 4.5.6 -> 4.5.14
  • tink 1.3.0-rc2 -> 1.7.0

pip test fixtures

Bumped pinned versions across 8 fixture files:

  • requests 2.32.3 -> 2.32.4 (GHSA-9hjg-9r4m-mvj7)
  • keras 3.9.2 -> 3.12.0
  • urllib3 2.3.0 -> 2.6.0
  • werkzeug 3.1.3 -> 3.1.5
  • wheel 0.45.1 -> 0.46.2
  • certifi 2024.6.2 -> 2025.1.31 (in pre-generated/multiple)

Go test fixture

  • go directive 1.22 -> 1.24.4 (GO-2025-3750)

Remaining findings

The re-scan still shows 27 findings. Most of these fall into two buckets:

  1. No fix available yet -- e.g. keras GHSA-gfmx-qqqh-f38q, some bouncycastle advisories with no patched version
  2. Transitive deps pulled by AGP that would need a newer AGP -- e.g. some netty and commons-compress advisories where the fix version is very recent (4.1.125+, 1.26+) but AGP 9.0.0's dependency tree pins slightly older versions
  3. Maven pom.xml fixture -- commons-lang3 3.14.0 needs 3.18.0, tracked separately since that's a different fixture file

These could be addressed in follow-ups, potentially with version forcing in the Gradle resolutionStrategy or by waiting for the next AGP release.

Update dependency versions in test fixture files to resolve 91 known
vulnerabilities (2 Critical, 39 High, 45 Medium) found by osv-scanner.

Gradle (Maven ecosystem):
- Bump AGP 7.1.0 -> 9.0.0 and Kotlin plugin 1.5.31 -> 2.3.10
- Regenerate lockfile, which pulls in patched transitives:
  jackson 2.11.1 (removed), netty 4.1.34 (removed),
  gson 2.8.6 -> 2.11.0, guava 30.1 -> 33.3.1,
  protobuf-java 3.10.0 -> 3.25.5, commons-io 2.4 -> 2.16.1,
  commons-compress 1.20 -> 1.27.1, bouncycastle 1.56 -> 1.79,
  jose4j 0.7.0 -> 0.9.5, httpclient 4.5.6 -> 4.5.14,
  tink 1.3.0-rc2 -> 1.7.0

pip (PyPI ecosystem):
- requests 2.32.3 -> 2.32.4 (across 8 fixture files)
- keras 3.9.2 -> 3.12.0
- urllib3 2.3.0 -> 2.6.0
- werkzeug 3.1.3 -> 3.1.5
- wheel 0.45.1 -> 0.46.2
- certifi 2024.6.2 -> 2025.1.31 (pre-generated/multiple)

Go:
- go directive 1.22 -> 1.24.4 (stdlib vuln GO-2025-3750)
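As an added example (not code from the PR or from the component-detection repository), this is one way to apply the "version forcing in the Gradle resolutionStrategy" follow-up mentioned in the description to the Gradle fixture's build.gradle. The AGP and Kotlin plugin coordinates come from the description; the netty and commons-compress module coordinates, the exact forced versions, and the presence of the dependencyLocking block are assumptions.

```groovy
// Added example, not the fixture's actual build.gradle.
// The fixture's lockfile is buildscript-gradle.lockfile, so the transitives that
// AGP pulls in live on the buildscript classpath; that is the configuration to constrain.
buildscript {
    repositories {
        google()
        mavenCentral()
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:9.0.0'
        classpath 'org.jetbrains.kotlin:kotlin-gradle-plugin:2.3.10'
    }
    // Assumed to already be present: locking is what produces buildscript-gradle.lockfile.
    dependencyLocking {
        lockAllConfigurations()
    }
    configurations.classpath {
        resolutionStrategy {
            // Exact versions are assumptions; the PR only states the fix thresholds
            // as "4.1.125+" (netty) and "1.26+" (commons-compress).
            // netty is split across many modules, so pin the whole group rather than
            // a single artifact, otherwise the other modules keep the version AGP requested.
            eachDependency { details ->
                if (details.requested.group == 'io.netty') {
                    details.useVersion('4.1.125.Final')
                    details.because('osv-scanner finding in the fixture; AGP 9.0.0 requests an older netty')
                }
            }
            // Single-module library: a plain force is enough.
            force 'org.apache.commons:commons-compress:1.27.1'
        }
    }
}
// After editing, regenerate the buildscript lockfile so the forced versions are recorded:
//   ./gradlew buildEnvironment --write-locks
```

Because the fixture exists to exercise the Gradle detector, the forced versions change the lockfile the detector reads, so the verification tests need to be re-run against the regenerated lockfile.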

Copilot AI left a comment


Pull request overview

This PR updates dependency versions used only in verification test fixtures (under test/.../VerificationTests/resources/) to reduce vulnerability findings from osv-scanner without impacting Component Detection runtime dependencies.

Changes:

  • Bump pinned versions in multiple pip requirements.txt fixtures (e.g., requests, keras, urllib3, Werkzeug, wheel, certifi).
  • Upgrade the Gradle fixture to Android Gradle Plugin 9.0.0 + Kotlin 2.3.10 and regenerate the Gradle dependency lockfile.
  • Update the Go fixture go.mod go directive to a newer version.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.

Summary per file:

File | Description
test/Microsoft.ComponentDetection.VerificationTests/resources/pip/simple-extras/requirements.txt | Bumps requests patch version in an extras/marker fixture.
test/Microsoft.ComponentDetection.VerificationTests/resources/pip/requirements.txt | Updates several pinned pip dependencies to newer versions.
test/Microsoft.ComponentDetection.VerificationTests/resources/pip/pre-generated/multiple/requirements.txt | Updates pinned certifi and requests for the pre-generated fixture.
test/Microsoft.ComponentDetection.VerificationTests/resources/pip/parallel/parallel-test-1/requirements.txt | Updates pinned requests for parallel fixture set.
test/Microsoft.ComponentDetection.VerificationTests/resources/pip/parallel/parallel-test-2/requirements.txt | Updates pinned requests for parallel fixture set.
test/Microsoft.ComponentDetection.VerificationTests/resources/pip/parallel/parallel-test-3/requirements.txt | Updates pinned requests for parallel fixture set.
test/Microsoft.ComponentDetection.VerificationTests/resources/pip/parallel/parallel-test-4/requirements.txt | Updates pinned requests for parallel fixture set.
test/Microsoft.ComponentDetection.VerificationTests/resources/pip/parallel/parallel-test-5/requirements.txt | Updates pinned requests for parallel fixture set.
test/Microsoft.ComponentDetection.VerificationTests/resources/gradle/buildscript-gradle.lockfile | Regenerated lockfile reflecting AGP/Kotlin upgrade and updated transitive graph.
test/Microsoft.ComponentDetection.VerificationTests/resources/gradle/build.gradle | Updates AGP and Kotlin plugin versions used by the Gradle fixture.
test/Microsoft.ComponentDetection.VerificationTests/resources/go/go.mod | Updates the go directive version in the Go fixture.

@JamieMagee JamieMagee merged commit 647bd1f into main Feb 18, 2026
27 of 30 checks passed
@JamieMagee JamieMagee deleted the fix/update-vulnerable-test-fixture-deps branch February 18, 2026 22:14
codecov bot commented Feb 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.8%. Comparing base (c857e69) to head (bb2696b).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##            main   #1670     +/-   ##
=======================================
- Coverage   90.8%   90.8%   -0.1%     
=======================================
  Files        451     451             
  Lines      40148   40148             
  Branches    2443    2443             
=======================================
- Hits       36461   36460      -1     
  Misses      3188    3188             
- Partials     499     500      +1     

