DDF-5324 Upgrades Guava to 25.1 and forces OpenSAML to use the same version

[Lambeaux]

What does this PR do?

Upgrades the Guava version used by DDF code and OpenSAML code to 25.1-jre.

Who is reviewing it?

@ryeats
@mojogitoverhere
@brianfelix

Select relevant component teams:

@codice/security

Ask 2 committers to review/merge the PR and tag them here.

@bdeining
@stustison

How should this be tested?

• Full build. ✅
• SAML Conformance (https://github.com/codice/saml-conformance). ✅
• Container starts up, Intrigue is usable logged in. ✅
• Features that depend on older Guava versions can be installed (i.e. camel-protobuf). ✅

Any background context you want to provide?

There are several areas of the code where impls are leaking through APIs and, in an OSGi context, are causing unrelated components to inherit problems from their transitive dependencies. This means that the version of Guava that we use and the version of Guava that OpenSAML uses needs to be upgraded in lockstep. The immediate follow-on to this PR will be the following:

• Cleaning up the security APIs (Refactor security APIs to not leak dependencies or other implementation details #5327)
• Possibly getting off JSR 305 (Migrate off javax annotations and JSR305 #5343)
• Looking into catalog features files so component tests use the same building blocks as production (the work to get this upgrade done revealed a lot of discrepancies).

What are the relevant tickets?

Fixes: #5324

Checklist:

• Documentation Updated
• Update / Add Threat Dragon models
• Update / Add Unit Tests
• Update / Add Integration Tests

Notes on Review Process

Please see Notes on Review Process for further guidance on requirements for merging and abbreviated reviews.

Review Comment Legend:

• ✏️ (Pencil) This comment is a nitpick or style suggestion, no action required for approval. This comment should provide a suggestion either as an in line code snippet or a gist.
• ❓ (Question Mark) This comment is to gain a clearer understanding of design or code choices, clarification is required but action may not be necessary for approval.
• ❗ (Exclamation Mark) This comment is critical and requires clarification or action before approval.

[Lambeaux]

Build now.

[cxbot]

Internal build has been scheduled, your results will be available at build completion.

[ryeats]

should we have a version here?

[Lambeaux]

Next chance I get, I'll spin up a container and see what version is being wired up here.

[Lambeaux]

Strange. It's getting wired up correctly without the range.

Import-Package =
	org.opensaml.xmlsec.signature.support.provider,
	org.opensaml.core.config;version=3.3.0,
...

Probably because this is the only consumer. I think this will be fine. We're trying to get rid of opensaml anyway.

[cxbot]

Refer to this link for build results (access rights to CI server needed):
https://jenkins.codice.org/job/DDF-Jobs/job/pr/job/Linux/7418/

Failed Tests: 0

❌ JOB FAILURE

[Lambeaux]

Build now.

[cxbot]

Internal build has been scheduled, your results will be available at build completion.

[cxbot]

Refer to this link for build results (access rights to CI server needed):
https://jenkins.codice.org/job/DDF-Jobs/job/pr/job/Linux/7449/

Failed Tests: 1

DDF-Jobs/pr/Linux/ddf.catalog.core:catalog-core-directorymonitor: 1

• org.codice.ddf.catalog.content.monitor.AsyncFileAlterationObserverTest.testRemovalOfListenerDuringExecution

❌ JOB FAILURE

[Lambeaux]

Build now.

[cxbot]

Internal build has been scheduled, your results will be available at build completion.

[cxbot]

Refer to this link for build results (access rights to CI server needed):
https://jenkins.codice.org/job/DDF-Jobs/job/pr/job/Linux/7460/
❌ JOB FAILURE

[mojogitoverhere]

🎉 Hero build was successful! 🎉

1. Regression tested Intrigue
2. Passed SAML conformance
3. camel-protobuf installed without any issues

[mojogitoverhere]

build now

[cxbot]

Internal build has been scheduled, your results will be available at build completion.

[cxbot]

Refer to this link for build results (access rights to CI server needed):
https://jenkins.codice.org/job/DDF-Jobs/job/pr/job/Linux/7466/
❌ JOB FAILURE

[Lambeaux]

Build now.

[cxbot]

Internal build has been scheduled, your results will be available at build completion.

[cxbot]

Refer to this link for build results (access rights to CI server needed):
https://jenkins.codice.org/job/DDF-Jobs/job/pr/job/Linux/7469/
❌ JOB FAILURE

[Lambeaux]

Failed to execute goal org.codice.acdebugger:acdebugger-maven-plugin:1.7:start (default) on project test-itests-ddf: Execution default of goal org.codice.acdebugger:acdebugger-maven-plugin:1.7:start failed: Plugin org.codice.acdebugger:acdebugger-maven-plugin:1.7 or one of its dependencies could not be resolved: Could not transfer artifact com.google.errorprone:error_prone_annotations:jar:2.2.0 from/to office (http://nexus.phx.connexta.com:8081/nexus/content/groups/public/): Connect to nexus.phx.connexta.com:8081 [nexus.phx.connexta.com/10.101.1.253] failed: Connection refused (Connection refused) -> [Help 1]
15:21:45 org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.codice.acdebugger:acdebugger-maven-plugin:1.7:start (default) on project test-itests-ddf: Execution default of goal org.codice.acdebugger:acdebugger-maven-plugin:1.7:start failed: Plugin org.codice.acdebugger:acdebugger-maven-plugin:1.7 or one of its dependencies could not be resolved: Could not transfer artifact com.google.errorprone:error_prone_annotations:jar:2.2.0 from/to office (http://nexus.phx.connexta.com:8081/nexus/content/groups/public/): Connect to nexus.phx.connexta.com:8081 [nexus.phx.connexta.com/10.101.1.253] failed: Connection refused (Connection refused)

[Lambeaux]

Build now.

[cxbot]

Internal build has been scheduled, your results will be available at build completion.

[cxbot]

Refer to this link for build results (access rights to CI server needed):
https://jenkins.codice.org/job/DDF-Jobs/job/pr/job/Linux/7472/
❌ JOB FAILURE

[Lambeaux]

I'm not sure how the poms can be invalid. They are fine locally.

19:49:00 [ERROR] The build could not read 1 project -> [Help 1]
19:49:00 [ERROR]   
19:49:00 [ERROR]   The project ddf.lib.bundles:bundles:[unknown-version] (/jenkins/workspace/DDF-Jobs/pr/Linux/libs/bundles/pom.xml) has 1 error
19:49:00 [ERROR]     Non-resolvable parent POM for ddf.lib.bundles:bundles:[unknown-version]: Could not find artifact ddf.lib:lib:pom:2.19.0-SNAPSHOT and 'parent.relativePath' points at wrong local POM @ line 18, column 13 -> [Help 2]

[bdeining]

I'm not sure how the poms can be invalid. They are fine locally.

19:49:00 [ERROR] The build could not read 1 project -> [Help 1]
19:49:00 [ERROR]   
19:49:00 [ERROR]   The project ddf.lib.bundles:bundles:[unknown-version] (/jenkins/workspace/DDF-Jobs/pr/Linux/libs/bundles/pom.xml) has 1 error
19:49:00 [ERROR]     Non-resolvable parent POM for ddf.lib.bundles:bundles:[unknown-version]: Could not find artifact ddf.lib:lib:pom:2.19.0-SNAPSHOT and 'parent.relativePath' points at wrong local POM @ line 18, column 13 -> [Help 2]

https://github.com/codice/ddf/pull/5379/files#r331216610

[Lambeaux]

Build now.

[Lambeaux]

Build now.

[cxbot]

Internal build has been scheduled, your results will be available at build completion.

[cxbot]

Refer to this link for build results (access rights to CI server needed):
https://jenkins.codice.org/job/DDF-Jobs/job/pr/job/Linux/7480/

Build result: FAILURE

[...truncated 14.70 MB...][INFO] BUILD FAILURE[INFO] ------------------------------------------------------------------------[INFO] Total time: 10:24 min[INFO] Finished at: 2019-10-04T07:00:55+00:00[INFO] Final Memory: 427M/2121M[INFO] ------------------------------------------------------------------------[ERROR] Failed to execute goal org.owasp:dependency-check-maven:3.1.1:check (default) on project ddf: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during dependency-check analysis[ERROR] The download was interrupted; unable to complete the update[ERROR] -> [Help 1][ERROR] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.[ERROR] Re-run Maven using the -X switch to enable full debug logging.[ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles:[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionExceptionBuild step 'Invoke top-level Maven targets' marked build as failureNew run name is 'PR 5379'Taking single-use slave mesos-jenkins-e12506a4-linux-large offline.+ echo ERROR: dockerd exited, or diedArchiving artifactsAdding one-line test results to commit status...Setting status of df2e45a to FAILURE with url https://jenkins.codice.org/job/DDF-Jobs/job/pr/job/Linux/7480/ and message: 'JOB FAILURE: https://jenkins.codice.org/job/DDF-Jobs/job/pr/job/Linux/7480/ 15538 tests run, 86 skipped, 0 failed.'Using context: Internal CI Pipeline
❌ JOB FAILURE

[Lambeaux]

Build now.

[cxbot]

Internal build has been scheduled, your results will be available at build completion.

[cxbot]

Refer to this link for build results (access rights to CI server needed):
https://jenkins.codice.org/job/DDF-Jobs/job/pr/job/Linux/7496/

Build result: FAILURE

[...truncated 5.84 MB...][INFO] --- jacoco-maven-plugin:0.8.2:prepare-agent (default-prepare-agent) @ test ---[INFO] Skipping JaCoCo execution because property jacoco.skip is set.[INFO] jacoco.argline set to empty[INFO] [INFO] --- gmavenplus-plugin:1.5:compile (default) @ test ---[INFO] No sources specified for compilation. Skipping.[INFO] [INFO] --- gmavenplus-plugin:1.5:testCompile (default) @ test ---[INFO] No sources specified for compilation. Skipping.[INFO] [INFO] --- jacoco-maven-plugin:0.8.2:report (default-report) @ test ---[INFO] Skipping JaCoCo execution because property jacoco.skip is set.[INFO] [INFO] --- maven-site-plugin:3.4:attach-descriptor (attach-descriptor) @ test ---[INFO] [INFO] --- maven-enforcer-plugin:1.4.1:enforce (check-artifact-size) @ test ---[INFO] Unsupported package type pom. Skipping artifact size enforcement.[INFO] [INFO] --- jacoco-maven-plugin:0.8.2:check (default-check) @ test ---[INFO] Skipping JaCoCo execution because property jacoco.skip is set.[INFO] [INFO] --- maven-install-plugin:2.5.2:install (default-install) @ test ---[INFO] Installing /jenkins/workspace/DDF-Jobs/pr/Linux/distribution/test/pom.xml to /root/.m2/repository/ddf/test/test/2.20.0-SNAPSHOT/test-2.20.0-SNAPSHOT.pom[JENKINS] Archiving disabled
❌ JOB FAILURE

[Lambeaux]

Build now.

[cxbot]

Internal build has been scheduled, your results will be available at build completion.

[cxbot]

Refer to this link for build results (access rights to CI server needed):
https://jenkins.codice.org/job/DDF-Jobs/job/pr/job/Linux/7498/
✅ JOB SUCCESS