Feature/dependency check (apache#13587)
chrisdutz authored Sep 25, 2024
1 parent 734786f commit 574bbd1
Showing 5 changed files with 412 additions and 0 deletions.
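--- a/.github/workflows/dependency-check.yml
+++ b/.github/workflows/dependency-check.yml
@@ -0,0 +1,59 @@
+# This workflow will check if dependencies have changed (adding new dependencies or removing existing ones)
+
+name: Dependency Check
+
+on:
+push:
+branches:
+- master
+- 'rel/*'
+- "rc/*"
+paths-ignore:
+- 'docs/**'
+- 'site/**'
+pull_request:
+branches:
+- master
+- 'rel/*'
+- "rc/*"
+paths-ignore:
+- 'docs/**'
+- 'site/**'
+# allow manually run the action:
+workflow_dispatch:
+
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref }}
+cancel-in-progress: true
+
+env:
+MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3
+MAVEN_ARGS: --batch-mode --no-transfer-progress
+DEVELOCITY_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}
+
+jobs:
+dependency-check:
+strategy:
+fail-fast: false
+max-parallel: 15
+matrix:
+java: [ 17 ]
+os: [ ubuntu-latest ]
+runs-on: ${{ matrix.os }}
+
+steps:
+- uses: actions/checkout@v4
+- name: Set up JDK ${{ matrix.java }}
+uses: actions/setup-java@v4
+with:
+distribution: corretto
+java-version: ${{ matrix.java }}
+- name: Cache Maven packages
+uses: actions/cache@v4
+with:
+path: ~/.m2
+key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+restore-keys: ${{ runner.os }}-m2-
+- name: Do the dependency check
+shell: bash
+run: mvn verify -Dmaven.test.skip=true -DdependencyCheck.skip=false -Dmdep.analyze.skip=true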
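Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN gets the repository's default scope although the `mvn verify` step only needs to read the checkout; add `permissions:` / `  contents: read` at the top level next to `concurrency:`. The three actions are pinned by floating major tag (`actions/checkout@v4`, `actions/setup-java@v4`, `actions/cache@v4`) rather than by commit SHA, which is the usual hardening for a workflow triggered on every pull request. `DEVELOCITY_ACCESS_KEY` sits in the workflow-level `env:` and is therefore exported to every step, including the build step that executes `src/main/groovy/checkDependencies.groovy` from the checked-out tree; moving it into the `env:` of the one step that needs it (presumably the Maven run) limits that exposure.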
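--- a/dependencies.json
+++ b/dependencies.json
@@ -0,0 +1,167 @@
+{
+"dependencies": [
+"cglib:cglib",
+"ch.qos.logback:logback-classic",
+"ch.qos.logback:logback-core",
+"ch.qos.reload4j:reload4j",
+"com.bugsnag:bugsnag",
+"com.digitalpetri.fsm:strict-machine",
+"com.digitalpetri.netty:netty-channel-fsm",
+"com.fasterxml.jackson.core:jackson-annotations",
+"com.fasterxml.jackson.core:jackson-core",
+"com.fasterxml.jackson.core:jackson-databind",
+"com.fasterxml.jackson.dataformat:jackson-dataformat-yaml",
+"com.fasterxml.jackson.datatype:jackson-datatype-jsr310",
+"com.fasterxml.jackson.jaxrs:jackson-jaxrs-base",
+"com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider",
+"com.fasterxml.jackson.module:jackson-module-jaxb-annotations",
+"com.github.ben-manes.caffeine:caffeine",
+"com.github.luben:zstd-jni",
+"com.github.stephenc.jcip:jcip-annotations",
+"com.github.wendykierp:JTransforms",
+"com.google.code.findbugs:jsr305",
+"com.google.code.gson:gson",
+"com.google.errorprone:error_prone_annotations",
+"com.google.guava:failureaccess",
+"com.google.guava:guava",
+"com.google.guava:listenablefuture",
+"com.google.j2objc:j2objc-annotations",
+"com.h2database:h2-mvstore",
+"com.librato.metrics:librato-java",
+"com.librato.metrics:metrics-librato",
+"com.lmax:disruptor",
+"com.nimbusds:content-type",
+"com.nimbusds:lang-tag",
+"com.nimbusds:nimbus-jose-jwt",
+"com.nimbusds:oauth2-oidc-sdk",
+"com.sun.istack:istack-commons-runtime",
+"com.zaxxer:HikariCP",
+"commons-cli:commons-cli",
+"commons-codec:commons-codec",
+"commons-io:commons-io",
+"commons-logging:commons-logging",
+"io.airlift:airline",
+"io.airlift:concurrent",
+"io.airlift:log",
+"io.airlift:units",
+"io.dropwizard.metrics:metrics-core",
+"io.dropwizard.metrics:metrics-jvm",
+"io.jsonwebtoken:jjwt-api",
+"io.micrometer:micrometer-commons",
+"io.micrometer:micrometer-core",
+"io.micrometer:micrometer-observation",
+"io.moquette:moquette-broker",
+"io.netty:netty-buffer",
+"io.netty:netty-codec",
+"io.netty:netty-codec-dns",
+"io.netty:netty-codec-http",
+"io.netty:netty-codec-http2",
+"io.netty:netty-codec-mqtt",
+"io.netty:netty-codec-socks",
+"io.netty:netty-common",
+"io.netty:netty-handler",
+"io.netty:netty-handler-proxy",
+"io.netty:netty-resolver",
+"io.netty:netty-resolver-dns",
+"io.netty:netty-resolver-dns-classes-macos",
+"io.netty:netty-resolver-dns-native-macos",
+"io.netty:netty-transport",
+"io.netty:netty-transport-classes-epoll",
+"io.netty:netty-transport-native-epoll",
+"io.netty:netty-transport-native-unix-common",
+"io.projectreactor:reactor-core",
+"io.projectreactor.netty:reactor-netty-core",
+"io.projectreactor.netty:reactor-netty-http",
+"io.swagger:swagger-annotations",
+"io.swagger:swagger-core",
+"io.swagger:swagger-jaxrs",
+"io.swagger:swagger-models",
+"jakarta.activation:jakarta.activation-api",
+"jakarta.annotation:jakarta.annotation-api",
+"jakarta.servlet:jakarta.servlet-api",
+"jakarta.validation:jakarta.validation-api",
+"jakarta.ws.rs:jakarta.ws.rs-api",
+"jakarta.xml.bind:jakarta.xml.bind-api",
+"net.java.dev.jna:jna",
+"net.minidev:accessors-smart",
+"net.minidev:json-smart",
+"org.antlr:antlr4-runtime",
+"org.apache.commons:commons-collections4",
+"org.apache.commons:commons-csv",
+"org.apache.commons:commons-jexl3",
+"org.apache.commons:commons-lang3",
+"org.apache.commons:commons-math3",
+"org.apache.commons:commons-pool2",
+"org.apache.httpcomponents:httpclient",
+"org.apache.httpcomponents:httpcore",
+"org.apache.ratis:ratis-client",
+"org.apache.ratis:ratis-common",
+"org.apache.ratis:ratis-grpc",
+"org.apache.ratis:ratis-metrics-api",
+"org.apache.ratis:ratis-proto",
+"org.apache.ratis:ratis-server",
+"org.apache.ratis:ratis-server-api",
+"org.apache.ratis:ratis-thirdparty-misc",
+"org.apache.thrift:libthrift",
+"org.apache.tsfile:common",
+"org.apache.tsfile:tsfile",
+"org.bouncycastle:bcpkix-jdk18on",
+"org.bouncycastle:bcprov-jdk18on",
+"org.bouncycastle:bcutil-jdk18on",
+"org.checkerframework:checker-qual",
+"org.eclipse.collections:eclipse-collections",
+"org.eclipse.collections:eclipse-collections-api",
+"org.eclipse.jetty:jetty-http",
+"org.eclipse.jetty:jetty-io",
+"org.eclipse.jetty:jetty-security",
+"org.eclipse.jetty:jetty-server",
+"org.eclipse.jetty:jetty-servlet",
+"org.eclipse.jetty:jetty-util",
+"org.eclipse.jetty:jetty-util-ajax",
+"org.eclipse.milo:bsd-core",
+"org.eclipse.milo:bsd-generator",
+"org.eclipse.milo:sdk-client",
+"org.eclipse.milo:sdk-core",
+"org.eclipse.milo:sdk-server",
+"org.eclipse.milo:stack-client",
+"org.eclipse.milo:stack-core",
+"org.eclipse.milo:stack-server",
+"org.fusesource.hawtbuf:hawtbuf",
+"org.fusesource.hawtdispatch:hawtdispatch",
+"org.fusesource.hawtdispatch:hawtdispatch-transport",
+"org.fusesource.mqtt-client:mqtt-client",
+"org.glassfish.hk2:hk2-api",
+"org.glassfish.hk2:hk2-locator",
+"org.glassfish.hk2:hk2-utils",
+"org.glassfish.hk2:osgi-resource-locator",
+"org.glassfish.hk2.external:aopalliance-repackaged",
+"org.glassfish.hk2.external:jakarta.inject",
+"org.glassfish.jaxb:jaxb-runtime",
+"org.glassfish.jaxb:txw2",
+"org.glassfish.jersey.containers:jersey-container-servlet-core",
+"org.glassfish.jersey.core:jersey-client",
+"org.glassfish.jersey.core:jersey-common",
+"org.glassfish.jersey.core:jersey-server",
+"org.glassfish.jersey.inject:jersey-hk2",
+"org.glassfish.jersey.media:jersey-media-multipart",
+"org.hdrhistogram:HdrHistogram",
+"org.java-websocket:Java-WebSocket",
+"org.javassist:javassist",
+"org.jline:jline",
+"org.jvnet.mimepull:mimepull",
+"org.latencyutils:LatencyUtils",
+"org.lz4:lz4-java",
+"org.ops4j.pax.jdbc:pax-jdbc-common",
+"org.osgi:osgi.cmpn",
+"org.osgi:osgi.core",
+"org.ow2.asm:asm",
+"org.reactivestreams:reactive-streams",
+"org.reflections:reflections",
+"org.slf4j:slf4j-api",
+"org.slf4j:slf4j-reload4j",
+"org.tukaani:xz",
+"org.xerial.snappy:snappy-java",
+"org.yaml:snakeyaml",
+"pl.edu.icm:JLargeArrays"
+]
+}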
85 changes: 85 additions & 0 deletions pom.xml
Expand Up @@ -68,6 +68,7 @@
<commons-pool2.version>2.11.1</commons-pool2.version>
<commons.collections4.version>4.4</commons.collections4.version>
<ctest.skip.tests>false</ctest.skip.tests>
<dependencyCheck.skip>true</dependencyCheck.skip>
<disruptor.version>3.4.4</disruptor.version>
<drill.freemarker.maven.plugin.version>1.21.1</drill.freemarker.maven.plugin.version>
<dropwizard.metrics.version>4.2.19</dropwizard.metrics.version>
Expand Down Expand Up @@ -1360,6 +1361,90 @@
</execution>
</executions>
</plugin>
<!-- Check if we've changed any dependencies being included -->
<plugin>
<groupId>org.cyclonedx</groupId>
<artifactId>cyclonedx-maven-plugin</artifactId>
<!-- Only run this in the root module of the project -->
<inherited>false</inherited>
<configuration>
<outputName>apache-${project.artifactId}-${project.version}-sbom</outputName>
</configuration>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>makeAggregateBom</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>xml-maven-plugin</artifactId>
<version>1.1.0</version>
<!-- Only run this in the root module of the project -->
<inherited>false</inherited>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>transform</goal>
</goals>
<configuration>
<transformationSets>
<transformationSet>
<dir>${project.basedir}/target/</dir>
<includes>apache-${project.artifactId}-${project.version}-sbom.xml</includes>
<stylesheet>src/main/xslt/sbom-filter.xsl</stylesheet>
<outputDir>${project.basedir}/target/</outputDir>
<fileMappers>
<fileMapper implementation="org.codehaus.plexus.components.io.filemappers.FileExtensionMapper">
<targetExtension>transformed.json</targetExtension>
</fileMapper>
</fileMappers>
</transformationSet>
</transformationSets>
</configuration>
</execution>
</executions>
<dependencies>
<dependency>
<groupId>net.sf.saxon</groupId>
<artifactId>Saxon-HE</artifactId>
<version>12.5</version>
</dependency>
</dependencies>
</plugin>
<plugin>
<groupId>org.codehaus.gmaven</groupId>
<artifactId>groovy-maven-plugin</artifactId>
<version>2.1.1</version>
<!-- Only run this in the root module of the project -->
<inherited>false</inherited>
<executions>
<execution>
<id>compare-with-reference-list</id>
<phase>verify</phase>
<goals>
<goal>execute</goal>
</goals>
<configuration>
<properties>
<skipDependencyCheck>${dependencyCheck.skip}</skipDependencyCheck>
</properties>
<source>src/main/groovy/checkDependencies.groovy</source>
</configuration>
</execution>
</executions>
<dependencies>
<dependency>
<groupId>org.apache.groovy</groupId>
<artifactId>groovy</artifactId>
<version>4.0.22</version>
</dependency>
</dependencies>
</plugin>
</plugins>
</build>
<licenses>
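Review bot: The cyclonedx and xml-maven-plugin executions in the second hunk run on every `package` regardless of `dependencyCheck.skip`; only the groovy execution receives the flag through `<skipDependencyCheck>`, so a normal build still produces the aggregate SBOM and runs the Saxon transform even though the property defaults to `true` in the first hunk. If the check is meant to be opt-in, gate those two executions as well with `<skip>${dependencyCheck.skip}</skip>` in their `<configuration>`, provided the `skip` parameter is available in the plugin versions used here. The inline `1.1.0`, `12.5` and `4.0.22` versions break the convention of the surrounding pom, which manages versions through `*.version` properties as the first hunk shows, and the `cyclonedx-maven-plugin` entry carries no `<version>` at all, which is only safe if it is managed in `<pluginManagement>` elsewhere in the file. The enclosing `<build>`/`<plugins>` element opens before the hunk.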
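--- a/src/main/groovy/checkDependencies.groovy
+++ b/src/main/groovy/checkDependencies.groovy
@@ -0,0 +1,60 @@
+package src.main.groovy
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+
+import groovy.json.JsonSlurper
+
+if(Boolean.parseBoolean(properties['skipDependencyCheck']).booleanValue()) {
+println "Skipping dependency check"
+return
+}
+
+def jsonSlurper = new JsonSlurper()
+
+var referenceFile = new File(basedir, "dependencies.json")
+if(!referenceFile.exists()) {
+throw new RuntimeException("Missing Reference: dependencies.json")
+}
+def referenceJson = jsonSlurper.parse(referenceFile)
+
+var curBuildFile = new File(project.build.directory, "apache-${project.artifactId}-${project.version}-sbom.transformed.json")
+if(!curBuildFile.exists()) {
+throw new RuntimeException("Missing Build: apache-${project.artifactId}-${project.version}-sbom.transformed.json")
+}
+def curBuildJson = jsonSlurper.parse(curBuildFile)
+
+def differencesFound = false
+referenceJson.dependencies.each {
+if(!curBuildJson.dependencies.contains(it)) {
+println "current build has removed a dependency: " + it
+differencesFound = true
+}
+}
+curBuildJson.dependencies.each {
+if(!referenceJson.dependencies.contains(it)) {
+println "current build has added a dependency: " + it
+differencesFound = true
+}
+}
+
+if(differencesFound) {
+println "Differences were found between the information in ${referenceFile.getPath()} and ${curBuildFile.toPath()}"
+println "The simplest fix for this, is to replace the content of ${referenceFile.getPath()} with that of ${curBuildFile.toPath()} and to inspect the diff of the resulting file in your IDE of choice."
+throw new RuntimeException("Differences found.")
+}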
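Review bot: The two `each` loops compare plain `groupId:artifactId` strings — the entries in dependencies.json carry no version — so the gate reports an artifact being added or removed but not an existing one changing version; whether that is intended depends on `src/main/xslt/sbom-filter.xsl`, which is not in this view, and deserves a comment at the top of the script such as `// Compares groupId:artifactId only; versions are deliberately not part of the reference list.`. `Boolean.parseBoolean(...)` already returns a primitive, so the `.booleanValue()` call in the skip check is redundant, and the leading `package src.main.groovy` looks like the directory path rather than a real package and is unusual for a script run through groovy-maven-plugin. `contains` on a list inside `each` is quadratic; `def refSet = referenceJson.dependencies as Set` and `def curSet = curBuildJson.dependencies as Set` make the lookups linear and read better. The final messages mix `referenceFile.getPath()` with `curBuildFile.toPath()`; using `getPath()` for both prints the two paths the same way.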
