
[REBASEME] Backport infra changes to branch-8.16#80

Merged
tomasz-tylenda-sonarsource merged 3 commits into branch-8.16 from db/backport-ci-changes-to-8.16
Apr 9, 2026

@dorian-burihabwa-sonarsource dorian-burihabwa-sonarsource commented Apr 8, 2026

This part is meant to backport fixes to the CI that have been done on the master branch and enable the release of java-se for SQCB and SQIDE.

@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod Bot changed the title Backport infra changes to branch-8.16 JAVASE-194 Backport infra changes to branch-8.16 Apr 8, 2026

hashicorp-vault-sonar-prod Bot commented Apr 8, 2026

JAVASE-194

@dorian-burihabwa-sonarsource dorian-burihabwa-sonarsource changed the title JAVASE-194 Backport infra changes to branch-8.16 [REBASEME] Backport infra changes to branch-8.16 Apr 8, 2026
@dorian-burihabwa-sonarsource dorian-burihabwa-sonarsource marked this pull request as ready for review April 8, 2026 15:15

sonar-review-alpha Bot commented Apr 8, 2026

Summary

This PR backports infrastructure changes from master to branch-8.16, primarily implementing a license packaging standard (JAVASE-179) and simplifying CI workflows.

Main changes:

  1. License packaging: Adds LicenseValidator tool and commits all third-party license files for reproducible packaging. The build now validates that generated licenses match tracked files using a Maven plugin.
  2. CI simplification: Removes the custom plugin version resolution script and reduces QA test matrix from 3 to 2 configurations (drops the separate "Prod SonarJava Plugin" test variant).
  3. Dependency updates: Git submodule updates (its/sources), removal of one submodule reference, and mise.toml version changes.
  4. Test resources: Adds guava test case (java-S3824.json).

These changes enable java-se releases for SQCB and SQIDE while cleaning up the build infrastructure on the maintenance branch.

What reviewers should know

Where to focus:

  • Start with java-symbolic-execution/java-symbolic-execution-plugin/pom.xml: the new license-maven-plugin configuration and exec-maven-plugin for validation
  • Check .github/workflows/build.yml: compare the QA matrix changes (removed java_plugin_version parameter and one test variant) and the deleted plugin version resolution step
  • Review the added license files in java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/licenses/ to verify completeness
  • Examine LicenseValidator.java to understand the build-time validation logic

Key decision points:

  • QA matrix was intentionally simplified: removing the separate "LATEST_MASTER" plugin test variant consolidates CI complexity while keeping the POM_PROPERTY (release) and Latest plugin variants
  • All dependencies' licenses are now committed to the repo, making builds deterministic and packaging reproducible
  • The deleted shell script is no longer needed after QA matrix simplification

Test implications:

  • License validation now runs as part of the Maven verify phase—review that the validator correctly compares temp vs. committed license files
  • Reduced QA test variants mean fewer plugin compatibility checks, but the two remaining variants cover the key scenarios (latest plugin and POM-specified version)


sonar-review-alpha[bot]

This comment was marked as outdated.


Let's discuss it offline when you have some time.

Comment thread .github/workflows/automated-release.yml Outdated

As discussed offline, I think this may be unnecessary, but I don't see any harm in including it.


Are we planning to run it on a branch?

@dorian-burihabwa-sonarsource dorian-burihabwa-sonarsource force-pushed the db/backport-ci-changes-to-8.16 branch from 78c475c to 1c55bad Compare April 9, 2026 09:26

sonarqube-next Bot commented Apr 9, 2026


@sonar-review-alpha sonar-review-alpha Bot left a comment


LGTM! ✅

Clean backport. The license packaging implementation (LicenseValidator.java, the Maven plugin configuration, and committed license files) is well-structured and correct. The CI simplifications — dropping the LATEST_MASTER plugin version test variant, removing the custom version-resolution script, and centralising the mise.toml — are coherent and self-consistent. No bugs found.


@tomasz-tylenda-sonarsource tomasz-tylenda-sonarsource merged commit 42ca8d3 into branch-8.16 Apr 9, 2026
8 checks passed
@tomasz-tylenda-sonarsource tomasz-tylenda-sonarsource deleted the db/backport-ci-changes-to-8.16 branch April 9, 2026 10:07

4 participants