
Dashboard Proposal

Elliotte Rusty Harold edited this page Sep 28, 2018 · 9 revisions

The Google Cloud Java Code Hygiene dashboard reports on the status of the dependencies managed by the Google Cloud BOM (com.google.cloud:cloud-oss-bom). The exact contents of the BOM are still being worked out, but currently that's about 130 separate artifacts, all available from Maven Central. Most, though not all, of these artifacts have source code published on GitHub.

Reports and Checks

The list of checks performed on each artifact is open-ended but initially includes:

  • Upper Bounds
  • Dependency convergence

Other checks may include:

  • Approved License
  • pom.xml includes relevant metadata
  • Google code style

etc.

In addition, we can perform an upper bounds check across all the targeted libraries. For instance, com.google.api:gax:1.32.0 may only need version 20.0 of Guava to satisfy the upper bounds check within its own tree. However, if io.grpc:grpc-netty:1.15.0 requires Guava 23.0 we can suggest that com.google.api:gax:1.32.0 optionally upgrade to 23.0.

This is only a suggestion because a library's minimum supported Java version may limit which dependency versions it can accept. It is not always possible to upgrade every library to the latest version of each dependency.

Upper Bounds

Check that, for each transitive dependency the library pulls in, the version Maven selects is the highest version found anywhere in the tree. "Highest" follows the same comparison rules as [org.apache.maven.artifact.versioning.ComparableVersion](https://maven.apache.org/ref/3.5.4/maven-artifact/apidocs/org/apache/maven/artifact/versioning/ComparableVersion.html).

Where a lower version is selected, suggest a direct dependency on the highest version that can be added to the project's pom.xml to satisfy the check.

Dependency Convergence

Check whether there is exactly one version of each dependency in the library's transitive dependency tree. That is, two different artifacts with the same group ID, artifact ID, extension, and classifier do not appear in the tree. Another way of saying it: artifacts whose Maven coordinates differ only in version do not appear in the tree.

Any library that passes dependency convergence automatically passes upper bounds.

Unlike upper bounds, it is usually not possible to bring a library into compliance just by adding dependencies to its own pom.xml. More often than not, the dependencies themselves have to change as well.

Suggest, as best we can, the minimum set of upgrades, made in the dependencies nearest the top of the tree, that brings the tree into convergence, listed in the order in which they should be performed.
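Both checks described above, as an added example that is not the dashboard's own code: the version ordering reproduces the item rules of Maven's ComparableVersion ('.' separates items, '-' or a digit/letter change nests a sub-list, trailing zeros and release qualifiers are trimmed, qualifiers rank alpha < beta < milestone < rc < snapshot < release < sp, unknown qualifiers sort after the known ones; the single-letter a/b/m shorthands are left out), the tree is walked breadth-first in declaration order to model Maven's nearest-wins mediation, and the dependency tree in sample_tree() is constructed for illustration rather than being the real graph of those artifacts.

```python
"""Upper-bounds and convergence checks over a Maven-style dependency tree; versions are ordered
as ComparableVersion does: alpha < beta < milestone < rc < snapshot < release < sp.  Added example."""
import re
from dataclasses import dataclass, field
from functools import cmp_to_key
from itertools import zip_longest

QUALIFIERS = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"]
ALIASES = {"ga": "", "final": "", "release": "", "cr": "rc"}  # the a/b/m shorthands are not handled
RELEASE = (QUALIFIERS.index(""), "")  # a plain release carries the empty qualifier

def _item(tok: str):
    if tok == "" or tok.isdigit():
        return int(tok or 0)
    q = ALIASES.get(tok, tok)
    return (QUALIFIERS.index(q), "") if q in QUALIFIERS else (len(QUALIFIERS), q)  # unknown sorts last

def parse_version(version: str) -> list:
    # '.' separates items; '-' or a digit/letter change opens a nested sub-list
    v = re.sub(r"(?<=\d)(?=[a-z])|(?<=[a-z])(?=\d)", "-", version.lower())
    parsed = []
    for seg in reversed(v.split("-")):  # innermost sub-list is built first
        items = [_item(t) for t in seg.split(".")] + ([parsed] if parsed else [])
        i = len(items) - 1
        while i >= 0:  # normalize: drop trailing 0 / release / empty items, looking past sub-lists
            if items[i] in (0, RELEASE, []):
                del items[i]
            elif not isinstance(items[i], list):
                break
            i -= 1
        parsed = items
    return parsed

def _cmp(a, b) -> int:
    """ComparableVersion item ordering (string < list < int); None stands for a missing item."""
    if isinstance(a, list):
        if b is None:
            return _cmp(a[0], None) if a else 0
        if not isinstance(b, list):
            return -1 if isinstance(b, int) else 1
        for x, y in zip_longest(a, b):
            r = _cmp(x, y) if x is not None else -_cmp(y, None)
            if r:
                return r
        return 0
    if isinstance(a, int):
        if b is None:
            return 1 if a else 0
        return (a > b) - (a < b) if isinstance(b, int) else 1
    b = RELEASE if b is None else b  # a missing qualifier compares as a release
    return (a > b) - (a < b) if isinstance(b, tuple) else -1

def compare_versions(a: str, b: str) -> int: return _cmp(parse_version(a), parse_version(b))

@dataclass
class Node:
    group: str
    artifact: str
    version: str
    deps: list = field(default_factory=list)
    def key(self) -> str:  # coordinates without the version
        return f"{self.group}:{self.artifact}"

def walk(root: Node):
    """(depth, parent, node) breadth-first in declaration order: how nearest-wins mediation sees the tree."""
    queue = [(1, root, d) for d in root.deps]
    while queue:
        depth, parent, node = queue.pop(0)
        yield depth, parent, node
        queue.extend((depth + 1, node, d) for d in node.deps)

def upper_bounds_check(root: Node) -> list:
    """Coordinates to add to the pom.xml: artifacts whose mediated version is below the tree's highest."""
    selected, highest = {}, {}
    for _, _, n in walk(root):
        selected.setdefault(n.key(), n.version)  # first occurrence is the nearest-wins winner
        if n.key() not in highest or compare_versions(n.version, highest[n.key()]) > 0:
            highest[n.key()] = n.version
    return [f"{k}:{highest[k]}" for k, v in selected.items() if compare_versions(v, highest[k]) < 0]

def convergence_check(root: Node) -> list:
    """Suggested upgrades, deepest first, for every artifact present in more than one version."""
    seen = {}  # key -> version -> [(depth of declaring parent, parent)]
    for depth, parent, n in walk(root):
        seen.setdefault(n.key(), {}).setdefault(n.version, []).append((depth - 1, parent))
    fixes = []
    for key, by_version in seen.items():
        top = max(by_version, key=cmp_to_key(compare_versions))
        for version, parents in by_version.items():
            for depth, parent in parents if version != top else []:
                who = f"{parent.key()}:{parent.version}"
                fixes.append((-depth, who, f"{who} needs to upgrade {key}:{version} to {top}"))
    return [text for _, _, text in sorted(fixes)]

def sample_tree() -> Node:
    """Constructed tree: guava 20.0 is declared first, so nearest-wins keeps its jsr305 1.3.9
    (first at depth 2) even though api-common brings jsr305 3.0.2 at the same depth."""
    jsr = ("com.google.code.findbugs", "jsr305")
    guava20 = Node("com.google.guava", "guava", "20.0", [Node(*jsr, "1.3.9")])
    api_common = Node("com.google.api", "api-common", "1.7.0",
                      [Node("com.google.guava", "guava", "19.0"), Node(*jsr, "3.0.2")])
    return Node("com.google.api", "gax", "1.32.0", [guava20, api_common])
```

Running `upper_bounds_check(sample_tree())` reports a single fix, a direct dependency on com.google.code.findbugs:jsr305:3.0.2, because the tie at depth 2 is broken in favour of the first declaration; `convergence_check` on the same tree asks api-common to move to guava 20.0 and guava 20.0 to move to jsr305 3.0.2, which matches the note above that convergence usually needs changes inside the dependencies. Two simplifications to keep in mind against a real resolver: the walk covers the full declared tree rather than the pruned one Maven actually builds, and the artifact key here is group:artifact only, whereas the definition in the Dependency Convergence section also distinguishes extension and classifier.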

Dangerous Dependencies

List any dependency found in the dependency tree that is known to have security vulnerabilities, for example Jackson 1.x.

Link to the corresponding CVE and suggest an appropriate replacement or upgrade to the dependency.

Overlapping Classes

No class, as identified by its fully qualified name, appears in artifacts with different group IDs and/or artifact IDs. This tends to come up when third parties have forked and republished a library without repackaging its classes.
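One way to implement this check, as an added example that is not the dashboard's code: read only the zip directory of each jar, skip the entries that never put the same class on the classpath twice (multi-release overlays under META-INF/versions, module descriptors, package-info), and group the remaining class names by the group:artifact that ships them. The jars are built in memory, and the forking artifact org.example:guava-fork is a constructed placeholder.

```python
"""Overlapping-classes check: report every class (by fully qualified name) that ships in two
artifacts with different group:artifact coordinates.  Added example; the jars are built in memory."""
import io
import zipfile

def class_names(jar_bytes: bytes) -> set:
    """Fully qualified class names in a jar, read from the zip directory only (no bytecode is
    loaded).  Multi-release overlays under META-INF/versions, module descriptors and
    package-info are skipped: they do not put the same class on the classpath twice."""
    names = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class") or entry.startswith("META-INF/"):
                continue
            if entry.endswith(("module-info.class", "package-info.class")):
                continue
            names.add(entry[:-len(".class")].replace("/", "."))
    return names

def overlapping_classes(jars: dict) -> dict:
    """jars maps 'group:artifact:version' to jar bytes.  Returns class name -> sorted coordinates
    for every class present under more than one group:artifact (two versions of the same
    artifact are a convergence problem, not an overlap, so the version is ignored here)."""
    owners = {}
    for coord, data in jars.items():
        for name in class_names(data):
            owners.setdefault(name, set()).add(coord)
    return {name: sorted(coords) for name, coords in owners.items()
            if len({c.rsplit(":", 1)[0] for c in coords}) > 1}

def _jar(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in entries:
            z.writestr(name, b"")  # contents are irrelevant: only entry names are inspected
    return buf.getvalue()

def sample_jars() -> dict:
    """Constructed jars: a hypothetical fork (org.example:guava-fork) republishes a Guava class
    without repackaging it."""
    return {
        "com.google.guava:guava:20.0": _jar(["com/google/common/base/Preconditions.class",
                                              "com/google/common/base/package-info.class",
                                              "META-INF/versions/9/module-info.class"]),
        "org.example:guava-fork:1.0": _jar(["com/google/common/base/Preconditions.class",
                                            "org/example/Util.class"]),
        "com.google.code.findbugs:jsr305:3.0.2": _jar(["javax/annotation/Nullable.class"]),
    }
```

`overlapping_classes(sample_jars())` flags only com.google.common.base.Preconditions, naming both artifacts that ship it; feeding it two versions of the same artifact returns nothing, which keeps this report separate from the convergence report.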

Dashboard Appearance and Organization

The dashboard will be a one-level-deep hierarchy of static HTML pages, generated by a Java program built on the Apache Maven Artifact Resolver (formerly Eclipse Aether). The program runs daily as a periodic Kokoro job; Kokoro stores the output HTML in Google Cloud Storage, from which it is served.

The top page lists the artifacts and status of each:

| Artifact | Upper Bounds | Convergence |
|---|---|---|
| io.grpc:grpc-auth:1.15.0 | Green | Red |
| com.google.protobuf:protobuf-java:3.6.1 | Green | Green |
| com.google.api:gax:1.32.0 | Green | Red |

...

In addition the main page will either provide or link to a prioritized list of suggested dependency updates for the various projects.

Individual Report Pages

You can drill down on each project to see the specific problems and recommendations. For example, the com.google.api:gax page might look like this:

Upper Bounds Check

com.google.api:gax:1.32.0 selects the highest version of all dependencies.

Dependency Convergence

Suggested Dependency Updates

  • com.google.guava:guava:20.0 needs to upgrade com.google.code.findbugs:jsr305:1.3.9 to 3.0.2
  • com.google.api:api-common:1.7.0 needs to upgrade com.google.guava:guava:19.0 to 20.0

Code Format

Format is up to date with google-java-format 1.6

Metadata

  • License ✓
  • Code of Conduct ✓
  • Readme ✓
  • .gitignore X