2.x dep upgrades (helidon-io#7861)
* Suppress jgit false positive
* Upgrade kafka clients, okhttp3, and oci sdk
* Fix dependency convergence issue
barchetta authored Oct 24, 2023
1 parent d82d24a commit ce50ca2
Showing 5 changed files with 90 additions and 45 deletions.
55 changes: 22 additions & 33 deletions dependencies/pom.xml
Expand Up @@ -93,10 +93,7 @@
<version.lib.jsonp-api>1.1.6</version.lib.jsonp-api>
<version.lib.jsonp-impl>1.1.6</version.lib.jsonp-impl>
<version.lib.junit>5.7.0</version.lib.junit>
<version.lib.kafka>3.4.0</version.lib.kafka>
<!-- Force upgrade of snappy. This should be removed once kafka-clients is upgraded -->
<!-- to 3.4.2 or newer. See https://issues.apache.org/jira/browse/KAFKA-15096 -->
<version.lib.snappy>1.1.10.1</version.lib.snappy>
<version.lib.kafka>3.6.0</version.lib.kafka>
<version.lib.log4j>2.17.1</version.lib.log4j>
<version.lib.logback>1.2.10</version.lib.logback>
<version.lib.mariadb-java-client>2.6.2</version.lib.mariadb-java-client>
Expand Down Expand Up @@ -127,13 +124,14 @@
<version.lib.narayana>5.12.0.Final</version.lib.narayana>
<version.lib.netty>4.1.100.Final</version.lib.netty>
<version.lib.netty-io_uring>0.0.19.Final</version.lib.netty-io_uring>
<version.lib.oci>2.60.1</version.lib.oci>
<version.lib.oci>2.66.0</version.lib.oci>
<version.lib.oci-java-sdk-objectstorage>${version.lib.oci}</version.lib.oci-java-sdk-objectstorage>
<version.lib.ojdbc8>21.3.0.0</version.lib.ojdbc8>
<version.lib.database.messaging>19.3.0.0</version.lib.database.messaging>
<version.lib.okhttp3>3.14.9</version.lib.okhttp3>
<!-- Force upgrade to more current version -->
<version.lib.okio>3.4.0</version.lib.okio>
<!-- Manage okio version for dependency convergence -->
<version.lib.okio>3.6.0</version.lib.okio>
<!-- Force upgrade okhttp3 transitive dependency -->
<version.lib.okhttp3>4.12.0</version.lib.okhttp3>
<version.lib.opentracing>0.33.0</version.lib.opentracing>
<version.lib.opentracing.grpc>0.2.1</version.lib.opentracing.grpc>
<version.lib.opentracing.tracerresolver>0.1.8</version.lib.opentracing.tracerresolver>
Expand Down Expand Up @@ -919,13 +917,6 @@
<artifactId>kafka-clients</artifactId>
<version>${version.lib.kafka}</version>
</dependency>
<!-- Force upgrade of snappy. This should be removed once kafka-clients is upgraded -->
<!-- to 3.4.2 or newer. See https://issues.apache.org/jira/browse/KAFKA-15096 -->
<dependency>
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
<version>${version.lib.snappy}</version>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.media</groupId>
<artifactId>jersey-media-json-binding</artifactId>
Expand Down Expand Up @@ -1266,24 +1257,6 @@
</exclusion>
</exclusions>
</dependency>
<!-- 4.x versions cause problems with native-image This is used by jaeger-client -->
<dependency>
<groupId>com.squareup.okhttp3</groupId>
<artifactId>okhttp</artifactId>
<version>${version.lib.okhttp3}</version>
</dependency>
<dependency>
<!-- required for dependency convergence
used from both
com.squareup.okhttp3:mockwebserver:3.13.1
com.squareup.moshi:moshi:1.8.0
both referenced by
io.zipkin.zipkin2:zipkin-junit:2.12.5
-->
<groupId>com.squareup.okio</groupId>
<artifactId>okio</artifactId>
<version>${version.lib.okio}</version>
</dependency>
<!-- END OF Section 3: transitive dependencies we manage the version of for convergence/upgrade -->

<!-- Section 4: Testing -->
Expand Down Expand Up @@ -1393,6 +1366,22 @@
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<!-- Force upgrade and for dependency convergence. -->
<groupId>com.squareup.okhttp3</groupId>
<artifactId>okhttp-bom</artifactId>
<version>${version.lib.okhttp3}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<!-- For dependency convergence. Used by okhttp -->
<groupId>com.squareup.okio</groupId>
<artifactId>okio-bom</artifactId>
<version>${version.lib.okio}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-bom</artifactId>
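Review bot: The new `okhttp-bom` import pins the whole build to okhttp 4.12.0, but the pom no longer records the native-image concern for jaeger-client that the old 3.x pin documented, so a later reader cannot tell whether that limitation was verified fixed or simply dropped. If 4.x was checked against the native-image build of tracing/jaeger, say so on the import, e.g. `<!-- Force upgrade and for dependency convergence. okhttp 4.x verified with native-image (tracing/jaeger). -->`; if it was not checked, that module needs a follow-up. The comment `Force upgrade okhttp3 transitive dependency` above `version.lib.okhttp3` also reads as if okhttp3 were itself the transitive dependency; `<!-- Force upgrade okhttp3 and its transitive dependencies -->` states the intent more clearly.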
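--- a/etc/dependency-check-suppression.xml
+++ b/etc/dependency-check-suppression.xml
@@ -121,4 +121,17 @@
 <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
 </suppress>
 
+<!--
+This is a FP. We have upgrade jgit to a fixed version, but it is still getting flagged.
+Probably due to the funky version string used by jgit. See
+https://github.com/jeremylong/DependencyCheck/issues/5943
+-->
+<suppress>
+<notes><![CDATA[
+file name: org.eclipse.jgit-6.7.0.202309050840-r.jar
+]]></notes>
+<packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
+<cve>CVE-2023-4759</cve>
+</suppress>
+
 </suppressions>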
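Review bot: The `packageUrl` regex ending in `@.*$` suppresses CVE-2023-4759 for every jgit version, not only the fixed 6.7.0.202309050840-r build the note names, so a later downgrade or a regression in a newer jgit release would stay hidden by this entry. Anchor the suppression to the version that was actually verified, e.g. `<packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@6\.7\.0\..*$</packageUrl>`, or give the `<suppress>` element an `until` date so the false positive is re-examined once the linked DependencyCheck issue is resolved. The note's "We have upgrade jgit" should read "We have upgraded jgit".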
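--- a/grpc/server/pom.xml
+++ b/grpc/server/pom.xml
@@ -88,6 +88,40 @@
 <artifactId>mockito-core</artifactId>
 <scope>test</scope>
 </dependency>
+<dependency>
+<groupId>com.squareup.okhttp3</groupId>
+<artifactId>mockwebserver</artifactId>
+<scope>test</scope>
+<exclusions>
+<!-- For dependency convergence. This excludes the transitive dep
+on kotlin from okhttp. We defer to the transitive dep from okio -->
+<exclusion>
+<groupId>org.jetbrains.kotlin</groupId>
+<artifactId>kotlin-stdlib-jdk8</artifactId>
+</exclusion>
+<exclusion>
+<groupId>org.jetbrains.kotlin</groupId>
+<artifactId>kotlin-stdlib</artifactId>
+</exclusion>
+</exclusions>
+</dependency>
+<dependency>
+<groupId>io.zipkin.zipkin2</groupId>
+<artifactId>zipkin-junit</artifactId>
+<scope>test</scope>
+<exclusions>
+<exclusion>
+<groupId>junit</groupId>
+<artifactId>junit</artifactId>
+</exclusion>
+</exclusions>
+</dependency>
+<!-- For dependency convergence of kotlin-stdlib -->
+<dependency>
+<groupId>com.squareup.okio</groupId>
+<artifactId>okio</artifactId>
+<scope>test</scope>
+</dependency>
 <dependency>
 <groupId>io.reactivex.rxjava2</groupId>
 <artifactId>rxjava</artifactId>
@@ -113,11 +147,6 @@
 <artifactId>helidon-config-yaml</artifactId>
 <scope>test</scope>
 </dependency>
-<dependency>
-<groupId>io.zipkin.zipkin2</groupId>
-<artifactId>zipkin-junit</artifactId>
-<scope>test</scope>
-</dependency>
 <dependency>
 <groupId>com.oracle.bedrock</groupId>
 <artifactId>bedrock-testing-support</artifactId>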
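Review bot: The kotlin-stdlib exclusion block on the `mockwebserver` dependency is repeated verbatim on the dependency whose exclusions are extended in tracing/jaeger/pom.xml (presumably jaeger-client; that element starts outside its hunk), so the two copies can drift apart the next time okhttp or okio changes what it pulls in. Since dependencies/pom.xml already manages these artifacts, declaring the exclusions once on the managed entry in its `dependencyManagement` would let both modules inherit them; if that is not wanted, a comment pointing at the sibling copy would at least keep them in sync. The two exclusions cover `kotlin-stdlib-jdk8` and `kotlin-stdlib` only; if the mockwebserver chain also brings in `kotlin-stdlib-jdk7` or `kotlin-stdlib-common`, those remain unmanaged, which is worth confirming with `mvn dependency:tree` before merging.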
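--- a/tests/integration/kafka/pom.xml
+++ b/tests/integration/kafka/pom.xml
@@ -93,6 +93,12 @@
 <groupId>org.apache.kafka</groupId>
 <artifactId>kafka_2.12</artifactId>
 <scope>test</scope>
+<exclusions>
+<exclusion>
+<groupId>org.checkerframework</groupId>
+<artifactId>checker-qual</artifactId>
+</exclusion>
+</exclusions>
 </dependency>
 <dependency>
 <groupId>org.apache.zookeeper</groupId>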
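Review bot: The new `checker-qual` exclusion on `kafka_2.12` carries no comment, unlike every other exclusion added in this commit, so the reason it is needed is not recorded; presumably it is the convergence issue the commit message mentions, but that cannot be confirmed from the hunk. A one-line note such as `<!-- For dependency convergence -->` directly above `<exclusions>` would keep it consistent with grpc/server/pom.xml and tracing/jaeger/pom.xml and tell the next maintainer when it can be removed.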
22 changes: 15 additions & 7 deletions tracing/jaeger/pom.xml
Expand Up @@ -45,8 +45,23 @@
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-core</artifactId>
</exclusion>
<!-- For dependency convergence. This excludes the transitive dep
on kotlin from okhttp. We defer to the transitive dep from okio -->
<exclusion>
<groupId>org.jetbrains.kotlin</groupId>
<artifactId>kotlin-stdlib-jdk8</artifactId>
</exclusion>
<exclusion>
<groupId>org.jetbrains.kotlin</groupId>
<artifactId>kotlin-stdlib</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- For dependency convergence of kotlin-stdlib -->
<dependency>
<groupId>com.squareup.okio</groupId>
<artifactId>okio</artifactId>
</dependency>
<dependency>
<groupId>io.helidon.common</groupId>
<artifactId>helidon-common</artifactId>
Expand Down Expand Up @@ -84,13 +99,6 @@
<scope>provided</scope>
<optional>true</optional>
</dependency>
<!-- Hack to get around module issue in okio. See module-info.java -->
<dependency>
<groupId>org.jetbrains.kotlin</groupId>
<artifactId>kotlin-stdlib</artifactId>
<version>1.8.0</version>
<scope>provided</scope>
</dependency>
<!--
- Test dependencies
-->
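Review bot: The `okio` dependency added after the extended `<exclusions>` has no `<scope>`, so it becomes a compile-scope dependency of this module even though the kotlin-stdlib entry it effectively replaces in the second hunk was `provided`; if okio is only there to supply kotlin-stdlib for convergence, `<scope>runtime</scope>` or a comment stating why compile scope is required would make the intent explicit. The removed entry also pointed at `module-info.java` for an okio module workaround, and that file is not part of this diff, so confirm nothing there still depends on the kotlin-stdlib artifact being present. The dependency element whose exclusions are extended in the first hunk starts outside the hunk.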