kaleido-io · matthew1001 · Jan 6, 2026 · Jan 5, 2026
diff --git a/build.gradle b/build.gradle
@@ -33,6 +33,14 @@ plugins {
   id 'org.sonarqube' version '6.2.0.5505'
 }
 
+// Enable dependency locking for SBOM generation (Trivy scans gradle.lockfile)
+// Run `./gradlew dependencies --write-locks` to generate/update lockfiles
+allprojects {
+  dependencyLocking {
+    lockAllConfigurations()
+  }
+}
+
 sonarqube {
   properties {
     property "sonar.projectKey", "$System.env.SONAR_PROJECT_KEY"

diff --git a/gradle.lockfile b/gradle.lockfile
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
diff --git a/platform/build.gradle b/platform/build.gradle
@@ -28,11 +28,11 @@ javaPlatform {
 dependencies {
   api platform('com.fasterxml.jackson:jackson-bom:2.18.2')
   api platform('io.grpc:grpc-bom:1.70.0')
-  api platform('io.netty:netty-bom:4.2.7.Final')
+  api platform('io.netty:netty-bom:4.2.8.Final')
   api platform('io.opentelemetry:opentelemetry-bom:1.47.0')
   api platform('io.prometheus:prometheus-metrics-bom:1.3.5')
-  api platform('io.vertx:vertx-stack-depchain:4.5.13')
-  api platform('org.apache.logging.log4j:log4j-bom:2.24.3')
+  api platform('io.vertx:vertx-stack-depchain:4.5.22')
+  api platform('org.apache.logging.log4j:log4j-bom:2.25.3')
   api platform('org.assertj:assertj-bom:3.27.3')
   api platform('org.immutables:bom:2.10.1')
   api platform('org.junit:junit-bom:5.11.4')

diff --git a/testfuzz/gradle.lockfile b/testfuzz/gradle.lockfile
@@ -0,0 +1,5 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+org.jacoco:org.jacoco.agent:0.8.11=jacocoAgent
+empty=
diff --git a/util/build.gradle b/util/build.gradle
@@ -29,6 +29,13 @@ jar {
   }
 }
 
+tasks.withType(JavaCompile).configureEach {
+  options.compilerArgs += [
+    '-Alog4j.graalvm.groupId=org.hyperledger.besu',
+    '-Alog4j.graalvm.artifactId=besu-util'
+  ]
+}
+
 dependencies {
   api 'org.slf4j:slf4j-api'
 

diff --git a/util/src/main/java/org/hyperledger/besu/util/log4j/plugin/StackTraceMatchFilter.java b/util/src/main/java/org/hyperledger/besu/util/log4j/plugin/StackTraceMatchFilter.java
@@ -102,12 +102,23 @@ public Builder() {
     }
 
     /**
-     * Set the string to match in the stack trace
+     * Set the string to match in the stack trace.
      *
      * @param text the match string
      * @return this builder
      */
     public StackTraceMatchFilter.Builder setMatchString(final String text) {
+      return setText(text);
+    }
+
+    /**
+     * Set the text to match in the stack trace. A public setter is required by newer versions of
+     * Log4j.
+     *
+     * @param text the match string
+     * @return this builder
+     */
+    public StackTraceMatchFilter.Builder setText(final String text) {
       this.text = text;
       return this;
     }