Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make dependency updates more efficient #2781

Closed
16 tasks done
ThorbenLindhauer opened this issue Sep 19, 2022 · 11 comments
Closed
16 tasks done

Make dependency updates more efficient #2781

ThorbenLindhauer opened this issue Sep 19, 2022 · 11 comments
Assignees
Labels
type:task Issues that are a change to the project that is neither a feature nor a bug fix. version:7.18.12 version:7.19.8 version:7.20.1 version:7.21.0-alpha1 version:7.21.0

Comments

@ThorbenLindhauer
Copy link
Member

ThorbenLindhauer commented Sep 19, 2022

This issue was imported from JIRA:

Field Value
JIRA Link CAM-14890
Reporter @toco-cam
Has restricted visibility comments false

Acceptance Criteria (Required on creation):

  • Assess where we spend time to perform dependency updates
  • The time is reduced as much as possible within reasonable effort

Hints (optional):

  • E.g. evaluate dependency check tools (that other teams use) to (semi-)automate the license checks. Find a good tradeoff between time saved and probability of mistakes

Links:

PRs

Preview Give feedback
  1. ThorbenLindhauer

Rollout PRs

Preview Give feedback
  1. ci:no-build
    ThorbenLindhauer
  2. bot:java-dependency-check ci:no-build
    ThorbenLindhauer
  3. ThorbenLindhauer
  4. ThorbenLindhauer
  5. ThorbenLindhauer
  6. ThorbenLindhauer
@ThorbenLindhauer
Copy link
Member Author

ThorbenLindhauer commented Mar 1, 2023

Experiment for automatically detecting licenses:

  1. Run mvn org.codehaus.mojo:license-maven-plugin:2.0.0:aggregate-download-licenses in the root directory of the repo.
  2. Compare license book to generated report

Findings:

  • Most licenses are detected correctly
  • Lists both licenses for dual-licensed libraries (e.g. logback-classic, h2) => needs education
  • Deps not included in report:
    • jackson-dataformat-csv
  • Deps with mismatching license:
    • jcip-annotations (reported: Apache; license book: Creative commons) => this is very likely a mistake in the license book
    • jakarta.activation-api (reported: EDL 1.0; license book: BSD-3-Clause)
    • jersey-* dependencies (reported: ten licenses, cannot be accurate)
    • javassist (reported: three licenses, not sure if accurate)
    • asm-* (reported: BSD, license book: BSD-3-Clause)

@ThorbenLindhauer
Copy link
Member Author

https://www.mojohaus.org/license-maven-plugin/aggregate-add-third-party-mojo.html and its configuration are quite powerful, e.g. the parameter templateFile can be used to create a JSON document (or any other text format).

@ThorbenLindhauer
Copy link
Member Author

ThorbenLindhauer commented Jun 1, 2023

Same experiment as above using https://github.com/CycloneDX/cyclonedx-maven-plugin/:

Dependencies not detected:

  • jackson-dataformat-csv
    • is only used in EE repo which I didn't scan
  • juel-api, juel-impl, juel-spi
    • was removed recently and replaced with jakarta.el-api, which is detected correctly
  • jakarta.ws.rs-api@3.1.0 (only 2.3.6 is found)
    • wasn't part of the Maven Reactor because I built with Java 8

Incorrect licenses:

The plugin gets the license information from Maven (I assume that this means it retrieves whatever is declared in the pom.xml of the Maven artifact). See https://github.com/CycloneDX/cyclonedx-maven-plugin/blob/cyclonedx-maven-plugin-2.7.9/src/main/java/org/cyclonedx/maven/DefaultModelConverter.java#L297 and calling code.

@ThorbenLindhauer
Copy link
Member Author

ThorbenLindhauer commented Jun 12, 2023

Idea for the tool chain:

  • Generate an aggregate SBOM for the base and head commit using mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom
  • Parse the SBOM. Perform a diff, starting with every Camunda module in the reactor, compute and diff the transitive hull of (third-party) dependencies (using the dependency graph; note that we use the same dependencies with different versions in various modules, so simply detecting that two third-party dependencies have different versions before and after doesn't quite cut it)
  • For every module with changes, render the changed versions along with their licenses and instructions (based on FOSS policy) what to do

Side notes:

@ThorbenLindhauer
Copy link
Member Author

ThorbenLindhauer commented Aug 24, 2023

Test PRs:

Breakdown of remaining tasks:

  • Use proper Maven settings so that there are no more artifact transfer failures
  • Make sure the workflow works in a private/internal repo (e.g. EE)
    • In the EE repo, I see warnings as in this comment
    • This is because newer Maven versions use a mirror declaration (maven-default-http-blocker) in the global settings XML that redirects any http repository requests to the non-existent 0.0.0.0. Nevertheless, the artifacts can be resolved by other declared repositories, so that is not a problem.
    • Note that http repositories are not declared in our code but in some third-party POMs, e.g. javax.enterprise:cdi-api:1.0-SP4
    • The problem could be solved in the following ways:
      • Use the internal Artifactory group as a mirror for everything => Maven Central is atm much faster and significantly reduces the time of the build (see above)
      • Override the mirror declaration in the build's settings => Could work, but not sure about precedence. Also, it may not be obvious which repository we would use as the mirror
      • Update the third-party dependencies => a lot of effort
    • Accordingly, we are accepting the warnings for the time being
  • Analyze oddities and decide if they need a fix (e.g. same dependency versions may be reported as a change)
  • Resolve all open TODOs in the code
    • Unresolved code issue: The reusable workflow cannot checkout its own repository in the current github ref. The corresponding property github.job_workflow_sha that is documented to provide this does not work.
  • Review tests and test coverage
  • Resolve warnings in test output
  • Review and if necessary improve file structure of the shared workflow
  • Let the workflow be triggered by a label
  • Improve performance if reasonable
    • Build time is roughly 12 minutes in the platform mono repo, which should be the one that takes longest. Downloading Maven dependencies has the largest performance impact (e.g. the build runs much faster locally with a populated local Maven repo)
    • Maven build parallelization via -T parameter is not useful, becasue the makeAggregateBom goal does all of its work in the root module (the remaining modules are skipped) and -T only parallelizes by module
    • Doubling the number of threads for artifact download (via -Dmaven.artifact.threads=10) only has a slight positive effect (10:30 minutes vs 12:00 minutes build time)
    • Breadth-first resolution of POM files (which in turn would parallelize POM downloads; via https://stackoverflow.com/questions/32299902/parallel-downloads-of-maven-artifacts) is not available by default, because Maven is currently still on version 3.8.8 in the ubuntu-latest runner (https://github.com/actions/runner-images/blob/main/images/linux/Ubuntu2204-Readme.md#project-management)
    • Using dependency caching has two drawbacks:
      1. By default, the cache key is based on the hashes of the POM files, i.e. any POM change invalidates the cache. However, the nature of this workflow is to apply when the POM has changed. This problem is solvable one way or the other.
      2. PR builds can only access the caches of the main branch, the base branch, and its own branch. They cannot access caches from other PRs. In consequence, we would have to keep caches for the master branch (e.g. by introducing an additional workflow that creates the cache periodically on the master branch). This would add quite some extra complexity to our github workflows
    • In consequence, I am not implementing any of the suggestions. It is ok to wait for ~15 minutes for this analysis. Changing depdendencies doesn't happen too often.
  • Add CI that runs the unit tests on merge and PRs
  • Enable Vault access for all repositories
  • Prepare PRs for all repositories
  • Add the bot label to all repositories
  • Communicate changes to the team (will happen on team meeting 10.10.2023)
  • Document how to debug unexpected behavior (and potentially write code that allows to easily run the diff for two given SBOM files)
  • Document known limitations
    • Cases
      • When a dependency is declared in multiple versions and pinned to one by Maven, the SBOM plugin may report the declared (and overridden), not the actual version of the dependency
  • Make a follow-up for retiring the current workflow (won't do; there is a bit of value to still have the other workflow and the team can make this decision further down the road)

@ThorbenLindhauer
Copy link
Member Author

ThorbenLindhauer commented Aug 25, 2023

Blocked HTTP repository example output:

Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/org/camunda/bpm/webapp/camunda-webapp-root/7.20.0-SNAPSHOT/maven-metadata.xml
Downloading from camunda-public-repository: https://artifacts.camunda.com/artifactory/public/org/camunda/bpm/webapp/camunda-webapp-root/7.20.0-SNAPSHOT/maven-metadata.xml
Downloading from maven-default-http-blocker: http://0.0.0.0/org/camunda/bpm/webapp/camunda-webapp-root/7.20.0-SNAPSHOT/maven-metadata.xml
Downloading from apache.snapshots: https://repository.apache.org/snapshots/org/camunda/bpm/webapp/camunda-webapp-root/7.20.0-SNAPSHOT/maven-metadata.xml
Progress (1): 622 B
                   
Downloaded from camunda-public-repository: https://artifacts.camunda.com/artifactory/public/org/camunda/bpm/webapp/camunda-webapp-root/7.20.0-SNAPSHOT/maven-metadata.xml (622 B at 6.1 kB/s)
Downloading from JBoss public: https://repository.jboss.org/nexus/content/groups/public/org/camunda/bpm/webapp/camunda-webapp-root/7.20.0-SNAPSHOT/maven-metadata.xml
Progress (1): 622 B
                   
Downloading from sonatype-oss-snapshots: https://oss.sonatype.org/content/repositories/snapshots/org/camunda/bpm/webapp/camunda-webapp-root/7.20.0-SNAPSHOT/maven-metadata.xml
Downloaded from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/org/camunda/bpm/webapp/camunda-webapp-root/7.20.0-SNAPSHOT/maven-metadata.xml (622 B at 2.3 kB/s)
Progress (1): 622 B
                   
Downloaded from sonatype-oss-snapshots: https://oss.sonatype.org/content/repositories/snapshots/org/camunda/bpm/webapp/camunda-webapp-root/7.20.0-SNAPSHOT/maven-metadata.xml (622 B at 1.3 kB/s)
[WARNING] Could not transfer metadata org.camunda.bpm.webapp:camunda-webapp-root:7.20.0-SNAPSHOT/maven-metadata.xml from/to maven-default-http-blocker (http://0.0.0.0/): transfer failed for http://0.0.0.0/org/camunda/bpm/webapp/camunda-webapp-root/7.20.0-SNAPSHOT/maven-metadata.xml
Downloading from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/org/camunda/bpm/webapp/camunda-webapp-root/7.20.0-SNAPSHOT/camunda-webapp-root-7.20.0-20230818.070330-58.pom
Progress (1): 4.1/10 kB
Progress (1): 7.8/10 kB
Progress (1): 10 kB    
                   
Downloaded from sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots/org/camunda/bpm/webapp/camunda-webapp-root/7.20.0-SNAPSHOT/camunda-webapp-root-7.20.0-20230818.070330-58.pom (10 kB at 42 kB/s)
[WARNING] org.camunda.bpm.webapp:camunda-webapp-root:7.20.0-SNAPSHOT/maven-metadata.xmlfailed to transfer from http://0.0.0.0/ during a previous attempt. This failure was cached in the local repository and resolution will not be reattempted until the update interval of maven-default-http-blocker has elapsed or updates are forced. Original error: Could not transfer metadata org.camunda.bpm.webapp:camunda-webapp-root:7.20.0-SNAPSHOT/maven-metadata.xml from/to maven-default-http-blocker (http://0.0.0.0/): transfer failed for http://0.0.0.0/org/camunda/bpm/webapp/camunda-webapp-root/7.20.0-SNAPSHOT/maven-metadata.xml

@ThorbenLindhauer
Copy link
Member Author

ThorbenLindhauer commented Sep 28, 2023

Repos that we will roll out the workflow to:

camunda/camunda-bpm-platform
camunda/camunda-bpm-platform-maintenance
camunda/camunda-bpm-platform-ee
camunda/camunda-bpm-platform-ee-maintenance
camunda/camunda-connect
camunda/camunda-spin
camunda/camunda-commons
camunda/camunda-template-engines-jsr223
camunda/camunda-bpm-rpa-bridge-ee

ThorbenLindhauer added a commit to camunda/camunda-connect that referenced this issue Sep 28, 2023
ThorbenLindhauer added a commit to camunda/camunda-spin that referenced this issue Sep 28, 2023
ThorbenLindhauer added a commit to camunda/camunda-commons that referenced this issue Sep 28, 2023
ThorbenLindhauer added a commit to camunda/camunda-template-engines-jsr223 that referenced this issue Sep 28, 2023
ThorbenLindhauer added a commit to camunda/automation-platform-github-actions that referenced this issue Sep 29, 2023
- contains some changes of the following commits in accumulating files
  (e.g. dist/index.js, package.json)

related to camunda/camunda-bpm-platform#2781
ThorbenLindhauer added a commit to camunda/automation-platform-github-actions that referenced this issue Sep 29, 2023
ThorbenLindhauer added a commit to camunda/automation-platform-github-actions that referenced this issue Sep 29, 2023
ThorbenLindhauer added a commit to camunda/automation-platform-github-actions that referenced this issue Sep 29, 2023
ThorbenLindhauer added a commit to camunda/automation-platform-github-actions that referenced this issue Sep 29, 2023
ThorbenLindhauer added a commit that referenced this issue Oct 2, 2023
- also removes legacy CI labels that we have already deleted

related to #2781
ThorbenLindhauer added a commit to camunda/camunda-connect that referenced this issue Oct 9, 2023
ThorbenLindhauer added a commit to camunda/camunda-spin that referenced this issue Oct 9, 2023
ThorbenLindhauer added a commit to camunda/camunda-commons that referenced this issue Oct 9, 2023
ThorbenLindhauer added a commit to camunda/camunda-template-engines-jsr223 that referenced this issue Oct 9, 2023
@ThorbenLindhauer
Copy link
Member Author

@danielkelemen I have added the 7.20 PRs and corrected the workflow references. Please re-review.

@ThorbenLindhauer
Copy link
Member Author

❓Should we also include the older but still active branches for spin, commons and connect? Or it's unnecessary.

Forgot to respond here. I decided to not do backports there to save some effort. Anyone who needs it can still do it when they work with such a branch.

venetrius pushed a commit to camunda/camunda-template-engines-jsr223 that referenced this issue Mar 13, 2024
venetrius pushed a commit that referenced this issue Mar 20, 2024
venetrius pushed a commit that referenced this issue Mar 21, 2024
venetrius pushed a commit that referenced this issue Apr 23, 2024
venetrius pushed a commit that referenced this issue Apr 23, 2024
venetrius pushed a commit that referenced this issue Apr 30, 2024
venetrius pushed a commit that referenced this issue May 2, 2024
venetrius pushed a commit that referenced this issue May 6, 2024
venetrius pushed a commit that referenced this issue May 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type:task Issues that are a change to the project that is neither a feature nor a bug fix. version:7.18.12 version:7.19.8 version:7.20.1 version:7.21.0-alpha1 version:7.21.0
Projects
None yet
Development

No branches or pull requests

2 participants