Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replace JSR-305 annotations with spotbugs annotations #71

Merged
merged 20 commits into from
Sep 5, 2024

Conversation

MarkEWaite
Copy link
Contributor

@MarkEWaite MarkEWaite commented May 8, 2024

Replace JSR-305 annotations with spotbugs annotations

Annotations for Nonnull, CheckForNull, and several others were proposed for Java as part of dormant Java specification request JSR-305. The proposal never became a part of standard Java.

Jenkins plugins should switch from using JSR-305 annotations to use Spotbugs annotations that provide the same semantics.

The mailing list discussion from James Nord describes the affected annotations and why they should be replaced with annotations that are actively maintained.

The "Improve a plugin" tutorial provides instructions to perform this change.

An OpenRewrite recipe is also available and is even better than the tutorial.

Include another pull request to allow ci.jenkins.io tests to pass:

Also includes changes to significantly reduce the size of the plugin hpi file. The previous release included many unnecessary dependencies.

Previously the plugin included multiple jar files:

  -rw-r--r--     15203   2-Aug-2023  19:53:40  WEB-INF/lib/spotbugs-annotations-4.6.0.jar
  -rw-r--r--     41125  19-Jul-2023  14:33:24  WEB-INF/lib/slf4j-api-1.7.36.jar
  -rw-r--r--     17712   2-Aug-2023  19:53:40  WEB-INF/lib/annotation-indexer-1.16.jar
  -rw-r--r--     34276   2-Aug-2023  19:53:40  WEB-INF/lib/asm-analysis-9.3.jar
  -rw-r--r--     52669   2-Aug-2023  19:53:40  WEB-INF/lib/asm-tree-9.3.jar
  -rw-r--r--     16555  19-Jul-2023  14:36:52  WEB-INF/lib/jcl-over-slf4j-1.7.36.jar
  -rw-r--r--    122176   2-Aug-2023  19:53:40  WEB-INF/lib/asm-9.3.jar
  -rw-r--r--     23715   2-Aug-2023  19:53:40  WEB-INF/lib/log4j-over-slf4j-1.7.36.jar
  -rw-r--r--    138491  23-Feb-2024  13:02:38  WEB-INF/lib/robot.jar
  -rw-r--r--     85682   2-Aug-2023  19:53:40  WEB-INF/lib/asm-util-9.3.jar
  -rw-r--r--      2322   2-Aug-2023  19:53:40  WEB-INF/lib/symbol-annotation-1.1.jar
  -rw-r--r--    587402  19-Jul-2023  14:24:00  WEB-INF/lib/commons-lang3-3.12.0.jar
  -rw-r--r--     19943  19-Jul-2023  14:26:56  WEB-INF/lib/jsr305-3.0.1.jar

Now the plugin includes a single jar file:

  -rw-rw-r--    141117  10-May-2024  20:33:04  WEB-INF/lib/robot.jar

Testing done

Confirmed that automated tests pass on Linux with Java 21.

Submitter checklist

Preview Give feedback

StefanSpieker and others added 3 commits May 3, 2024 16:49
Annotations for Nonnull, CheckForNull, and several others were proposed
for Java as part of dormant Java specification request JSR-305. The
proposal never became a part of standard Java.

Jenkins plugins should switch from using JSR-305 annotations to use
Spotbugs annotations that provide the same semantics.

The [mailing list discussion](https://groups.google.com/g/jenkinsci-dev/c/uE1wwtVi1W0/m/gLxdEJmlBQAJ)
from James Nord describes the affected annotations and why they should
be replaced with annotations that are actively maintained.

The ["Improve a plugin" tutorial](https://www.jenkins.io/doc/developer/tutorial-improve/replace-jsr-305-annotations/)
provides instructions to perform this change.

An [OpenRewrite recipe](https://docs.openrewrite.org/recipes/jenkins/javaxannotationstospotbugs)
is also available and is even better than the tutorial.

Confirmed that automated tests pass on Linux with Java 21.
pom.xml Outdated Show resolved Hide resolved
Blue Ocean enhancements have stopped.  In the future, Blue Ocean will
be removed from ci.jenkins.io.  Better to prepare for that removal now.

https://www.jenkins.io/doc/book/blueocean/ says:

Blue Ocean status

Blue Ocean will not receive further functionality updates. Blue Ocean
will continue to provide easy-to-use Pipeline visualization, but it
will not be enhanced further. It will only receive selective updates
for significant security issues or functional defects.

Alternative options for Pipeline visualization, such as the Pipeline:
Stage View and Pipeline Graph View plugins, are available and offer some
of the same functionality. While not complete replacements for Blue Ocean,
contributions are encouraged from the community for continued development
of these plugins.

The Pipeline syntax snippet generator assists users as they define
Pipeline steps with their arguments. It is the preferred tool for Jenkins
Pipeline creation, as it provides online help for the Pipeline steps
available in your Jenkins controller. It uses the plugins installed
on your Jenkins controller to generate the Pipeline syntax. Refer to
the Pipeline steps reference page for information on all available
Pipeline steps.
Copy link
Contributor

@asimell asimell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@MarkEWaite
Copy link
Contributor Author

MarkEWaite commented May 25, 2024

@asimell is there more that needs to be done in order to merge this pull request?

For example, if you'd prefer that I rebase it to remove my mistakes from the history, I'm happy to do that.

@asimell
Copy link
Contributor

asimell commented May 26, 2024

@MarkEWaite no, but since this introduces quite a big backwards compatibility issue with Java and Jenkins version requirements we're going to release this as a major release after our holidays. Before that we'll focus on potential bug fixes and keep this PR sitting here. Don't worry, we have a schedule to merge and release this, but for now it shall wait a moment.

Sorry for not communicating this earlier and I hope you understand our decision.

@MarkEWaite
Copy link
Contributor Author

MarkEWaite commented May 26, 2024

Thanks @asimell. I appreciate very much the care that you provide for users of the plugin.

The installation statistics page shows that 95% of installations of the 3.5.1 release are already running Jenkins 2.414.3 or newer. 3.5.1 is the most installed of any of the releases and was released 3 months ago.

It also shows that 89% of installations of the 3.5.0 release are already running Jenkins 2.414.3 or newer. 3.5.0 is installed on about 10% of all installations and was released 4 months ago.

Most of the users of robot plugin that are upgrading the plugin have already upgraded their Jenkins controller to require Java 11 and to use at least Jenkins 2.414.3. SECURITY-3314 is a very good reason to upgrade to Jenkins 2.426.3 or newer and it appears that robot plugin users who upgrade the plugin are already upgrading their controller.

I think that users who are not willing to upgrade robot plugin will not be affected and users who are willing to upgrade robot plugin are already running Java 11 and Jenkins 2.414.3 or newer.

I fully support that you as a maintainer are exactly the right person to decide when or if you merge a change. I share the data in case that helps your decision. Thanks again for maintaining the plugin!

@asimell asimell merged commit eae62fe into jenkinsci:master Sep 5, 2024
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants