OAK-12093 Add maven-enforcer dependency convergence check

[thomasmueller]

Update: right now the build fails. I will try to resolve the failures first, and then we can discuss about the changes. It might not make sense to discuss changes right now.

Adds the maven-enforcer-plugin to oak-parent with the dependencyConvergence rule, which fails the build if any dependency appears at more than one version in a module's resolved dependency tree. This catches transitive version conflicts at build time rather than at runtime.

Running the enforcer across all modules revealed 20 existing version conflicts. These are fixed by adding explicit version pins to dependencyManagement in oak-parent, with comments on each pin identifying the two conflicting sources so they can be removed when the underlying dependencies are upgraded.

A few modules had direct dependencies with stale explicit versions that were the root cause of their conflict; those versions are updated in place:

• oak-run: jline, commons-csv, commons-logging
• oak-segment-azure: guava
• oak-blob-cloud-azure: guava
• oak-examples/webapp: json-simple

A comment is also added to the existing tika-core exclusion in oak-run-commons explaining why the exclusion is necessary alongside the pin.

The Guava pin points to a bigger issue with different modules requiring different version of Guava. It should be resolved. The root cause is that azure-keyvault-core:1.2.6 is quite old and brings in a significantly outdated Guava (30.1.1-jre vs 33.5.0-jre). The pin papers over that mismatch. The real fix would be to upgrade azure-keyvault-core or replace it, since that library has been deprecated in favour of the modern com.azure:azure-keyvault-keys / azure-keyvault-secrets SDK. Once that dependency is gone, the Guava pin would likely become unnecessary.

[github-actions]

Commit-Check ✔️

[reschke]

There are a few good things here that should get their own tickets.

Some other suggestions are based on a misunderstanding why we embed different versions.

Some "fix" things that will auto-resolve anyway once we upgrade dependencies.

Most of the remaining changes just add noise to the parent pom.

[reschke]

This depencency is embedded intentionally. It matches the version used by the Azure SDK. Updating it could be possible, but Azure support doesn't have adequate test coverage over here, so I would leave that to someone more knowledgeable of the SDK.

For that matter, this dependency will go away when the SDK 8 use is gone.

[thomasmueller]

It looks like embedded deps don't cause OSGi conflicts at runtime, yes, but dependencyConvergence runs at Maven dependency resolution time. Maven still needs to pick a single version for compilation and test.

It looks like we still need to pin the version, because the tests don't use OSGi. Oak-run also doesn't use OSGi, and some of the jobs we need (eg. for indexing) do not use OSGi, so I think it's important that we test this as well. If tests with OSGi (using a different version) are needed, then we could do that e.g. in oak-it-osgi.

And for OSGi, not every bundle embeds Guava; some import it via Import-Package.

Pinning is also a way to document things; otherwise Maven would chose silently (and somewhat arbitrarily) some version and we don't know which one.

[reschke]

It seems there is a misunderstanding here.

Embedded dependencies which are not exported are not visible from the POV of OSGi, and thus will not conflict. That's one of the reasons why this is used here.

We need that Guava version right now. There's zero reason to pin the version. It's set to the version the Azure SDK wants (and the SDK will go away anyway).

[reschke]

Yes, but should be a separate ticket; I can do that.

[reschke]

That said: that library has been unmaintained for 12 years now; so it would be better to look for a replacement.

[reschke]

-> https://issues.apache.org/jira/browse/OAK-12265

[reschke]

1. Guava will go anyway.

2. It would be good to understand why that shows up as a dependency; given it's nature as a code checking tool. It might be better to suppress it in the place where we use Caffeine.

In any case, if it ever disappears as a Caffeine dependeny, this will leave noise over here.

[thomasmueller]

if it ever disappears as a Caffeine dependeny, this will leave noise over here.

We could document this.

[reschke]

Where?

ChatGPT points out that these are annotations and that they are used in the Caffeine API; so they are only relevant at Oak compile time. It might be possbile to just exclude them, and that's what we should try first.

[reschke]

It doesn't conflict, because these are embeds. One reason for being embeds is to avoid conflicts.

[thomasmueller]

See my first comments about embeds

[reschke]

we are removing Guava.

[thomasmueller]

we are removing Guava.

Yes, but it is not yet removed. The following might be interesting:
"making guava optional in oak-shaded-guava would eliminate that false positive"

[reschke]

Was that an AI? In any case it's completely ignorant of what this module is.

[reschke]

we are updating Tika

[thomasmueller]

But we didn't do it yet.

[reschke]

Actually, the problem was that there was embedding, and that was caused by a plugin version change (probably fixing a bug).

[thomasmueller]

Not sure what you mean.

[reschke]

The issue was caused by the change of a maven bundle. Before the change it did not include Tika. That's what changed (and that's why the aforementioned issue did not come up ages ago).

[reschke]

why did it increase? (just trying to understand)

[thomasmueller]

Because with the pinned version (newer versions) it was too large.

[reschke]

No. Embedded for good reasons.

[thomasmueller]

See the first comment about embeds.

[thomasmueller]

Most of the remaining changes just add noise to the parent pom.

Remember the idea of this PR is to avoid issues like the problem that occured with Tika, by adding enforce-dependency-convergence. It turns out, dependencies are very complicated, and I'm trying to make the smallest possible PR that can add dependency-convergence. I do not think anything in this PR is not needed to make that happen.

[rishabhdaim]

Both of them would go away once we update the org.apache.directory.api/api-all in oak-auth-ldap.

[reschke]

FWIW, this is another case of intended embedding.

@rishabhdaim - can you open a ticket for the directory update?

[rishabhdaim]

Created : https://issues.apache.org/jira/browse/OAK-12271

[rishabhdaim]

AFAIK, embedded dependencies shouldn't cause conflicts. Shouldn't we avoid them here.

[rishabhdaim]

IIUC, since it is embedded in oak-segment-aws, it shouldn't cause any conflict.

[thomasmueller]

I'll first try to make the build work, and then let me try removing it, and then we will see what happens :-)

[thomasmueller]

See my very first comment about embeds.

[rishabhdaim]

dynamodb-lock-client is also embedded in oak-segment-aws.

[thomasmueller]

See my very first comment about embeds.

[rishabhdaim]

both of them are embedded, can't understand how they can cause conflicts.

[thomasmueller]

See my very first comment about embeds.

[reschke]

Observation: there is a lot back and forth about embedding. It doesn't seem to be constructive in this context.

Embedding can be problematic, in particular as it makes components harder to update, and sometimes APIs of embedded code leaks into the exports.

Thus they should be reviewed; optimally by those who added them. We there's a reason to think an embed is problematic, we should open a ticket.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[rishabhdaim]

@thomasmueller one key observation, now we have version fixed in oak-parent/pom.xml, but they are still added with a version field.

Would we be opening new tickets to remove versions from individual poms OR we need to do it here?

For e.g :

Now Netty's are included in oak-parent/pom.xml, but are still referenced in 4 separate poms with the version field.
Now they should refer to the version defined in oak-parent's pom.

[reschke]

Some of the findings here are useful and we should address them separately.

Overall this would be a very bad change that is hard to maintain and really does not fix any problem.

The ticket says "add dependency check"; what's completely missing is a discussion what the benefits and drackbacks would be. In particular we apparently have different views about (1) what embeds are for and (2) how they actually work. I have tried to explain it here, but obviously failed to. We need to have a common understandig first before it even makes sense to dicuss the details of the ticket.

EDIT: in particular: what's completely missing is an explanation why diverging versions in test dependencies are actually a technical problem, and why adding more information to the POMs is useful here.

Consider: test dependencies A and B with transitive dependency on C. If we "pin" C's version to something that is "good" for the current versions of A and B, who's going to review/update it when we update to newer versions of A or B?

[reschke]

That said: that library has been unmaintained for 12 years now; so it would be better to look for a replacement.

[reschke]

-> https://issues.apache.org/jira/browse/OAK-12265

[reschke]

It seems there is a misunderstanding here.

Embedded dependencies which are not exported are not visible from the POV of OSGi, and thus will not conflict. That's one of the reasons why this is used here.

We need that Guava version right now. There's zero reason to pin the version. It's set to the version the Azure SDK wants (and the SDK will go away anyway).

[reschke]

Where?

ChatGPT points out that these are annotations and that they are used in the Caffeine API; so they are only relevant at Oak compile time. It might be possbile to just exclude them, and that's what we should try first.

[reschke]

Was that an AI? In any case it's completely ignorant of what this module is.

[reschke]

The issue was caused by the change of a maven bundle. Before the change it did not include Tika. That's what changed (and that's why the aforementioned issue did not come up ages ago).

[reschke]

We need to discuss this somewhere else, apparently.

[reschke]

FWIW, this is another case of intended embedding.

@rishabhdaim - can you open a ticket for the directory update?

[reschke]

Embeds: see, for instance: https://gemini.google.com/share/577ed3522d94

[reschke]

FWIW:

https://maven.apache.org/enforcer/enforcer-rules/dependencyConvergence.html#filtering-dependency-errors

It would be useful to exclude test dependencies for now, and see how this affects the outcome.

[mbaedke]

I agree that it is unfortunate that we can't have OSGi's classloader separation in oak-run and other standalone tooling.
But the main concern should be to test each module with the dependency version it actually uses in an OSGi deployment.
If that version is embedded, we can't just blindly change it.
That would be the task of the maintainer of the module who actually knows what they are doing.
That specific version may have been embedded for a reason, changing it is not low risk.

If we have a different version in e.g. oak-run and that is considered an issue, we should have tests for that issue in oak-run.

If a dependency is not embedded and used in multiple modules, then it makes sense to centralize it.
If it's just used in a single module, we should not centralize it, because the responsibility for it should be kept with the maintainer of that module.

[reschke]

Suggested change

<version>3.5.0</version>

[reschke]

Not needed.

If we really care, the simpler way would be to exclude the dependency oak-core-spi's caffeine dependency.

And yes, I could create a ticket and a PR if desired.