[bazel] Update java rules to latest releases

Open shs96c opened this issue 2 months ago • 2 comments

PR Type

Enhancement

Description

Update Bazel Java rules to latest versions
Upgrade contrib_rules_jvm from 0.27.0 to 0.30.0
Upgrade rules_jvm_external from 6.8 to 6.9
Add known_contributing_modules configuration for grpc-java and selenium
Regenerate maven_install.json with updated dependencies and new transitive dependencies

Diagram Walkthrough

flowchart LR
  A["Bazel Rules<br/>Versions"] -->|"contrib_rules_jvm<br/>0.27.0 → 0.30.0"| B["Updated<br/>Configuration"]
  A -->|"rules_jvm_external<br/>6.8 → 6.9"| B
  B -->|"Add known_contributing_modules"| C["Maven Install<br/>Regenerated"]
  C -->|"Resolve new<br/>dependencies"| D["Updated<br/>maven_install.json"]

File Walkthrough

Relevant files

Configuration changes

MODULE.bazel

Update Java Bazel rules versions and add contributing modules

MODULE.bazel

Updated contrib_rules_jvm dependency from version 0.27.0 to 0.30.0
Updated rules_jvm_external dependency from version 6.8 to 6.9
Added known_contributing_modules configuration listing grpc-java and
selenium

+6/-2

Dependencies

maven_install.json

Regenerate maven dependencies with updated transitive dependencies

java/maven_install.json

Regenerated artifact hashes reflecting dependency updates
Added new dependencies: google-auth-library-oauth2-http,
google-http-client, google-http-client-gson,
proto-google-common-protos, google-android-annotations, auto-value,
auto-value-annotations, google-truth, re2j, okhttp, okio,
commons-codec, httpclient, httpcore, netty-tcnative-boringssl-static,
netty-tcnative-classes, netty-transport-classes-epoll,
netty-transport-native-epoll, opencensus libraries, perfmark-api,
junit, kotlin-stdlib, animal-sniffer-annotations, annotations-api
Removed netty codec modules: netty-codec-compression,
netty-codec-marshalling, netty-codec-protobuf
Updated netty versions from 4.2.7.Final to 4.1.110.Final for multiple
modules
Updated error_prone_annotations from 2.41.0 to 2.30.0
Updated guava failureaccess from 1.0.3 to 1.0.1
Updated conflict resolution entries for j2objc-annotations and asm

+739/-112

Nov 10 '25 22:11 shs96c

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided [ ] Create ticket/issue <!-- /create_ticket --create_ticket=true -->
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: No runtime logs: The PR only updates dependency metadata and Bazel module settings; no application logic was added to log critical actions, so audit trail coverage cannot be assessed from this diff. Referred Code { "__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY": "THERE_IS_NO_DATA_ONLY_ZUUL", "__INPUT_ARTIFACTS_HASH": -245838302, "__RESOLVED_ARTIFACTS_HASH": -970209915, "artifacts": { "com.beust:jcommander": { "shasums": { "jar": "deeac157c8de6822878d85d0c7bc8467a19cc8484d37788f7804f039dde280b1", "sources": "cc39d22f3cf29c2033fb526e5600ae8fec36e316274b0c07fa14c1a4a38eca3b" }, "version": "1.82" }, "com.esotericsoftware:kryo": { "shasums": { "jar": "4e8b1d2f4977187af8a51a957329722dc1cdc56a7c94fbb5a791e82897629cff", "sources": "acd9090539befa5421466ea1001dd808927af3f7d0ff12340ff518c15a9c5f4e" }, "version": "5.6.2" }, "com.esotericsoftware:minlog": { "shasums": { ... (clipped 3934 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Metadata only: The changes add or bump Bazel module versions and maven install configuration without introducing source identifiers, so naming conventions cannot be evaluated here. Referred Code bazel_dep(name = "bazel_features", version = "1.23.0") bazel_dep(name = "bazel_skylib", version = "1.7.1") bazel_dep(name = "buildifier_prebuilt", version = "6.4.0") bazel_dep(name = "contrib_rules_jvm", version = "0.30.0") bazel_dep(name = "platforms", version = "0.0.11") # Required for the closure rules bazel_dep(name = "protobuf", version = "29.2", dev_dependency = True, repo_name = "com_google_protobuf") # Required for rules_rust to import the crates properly bazel_dep(name = "rules_cc", version = "0.2.0", dev_dependency = True) bazel_dep(name = "rules_dotnet", version = "0.17.5") bazel_dep(name = "rules_java", version = "8.7.1") bazel_dep(name = "rules_jvm_external", version = "6.9") bazel_dep(name = "rules_multitool", version = "1.3.0") bazel_dep(name = "rules_nodejs", version = "6.3.2") bazel_dep(name = "rules_oci", version = "1.8.0") bazel_dep(name = "rules_pkg", version = "1.0.1") bazel_dep(name = "rules_python", version = "1.6.3") bazel_dep(name = "rules_proto", version = "7.0.2") ... (clipped 227 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: No error paths: The diff updates dependency versions and maven configuration and does not introduce executable code paths or error handling, so robustness cannot be assessed. Referred Code bazel_dep(name = "bazel_features", version = "1.23.0") bazel_dep(name = "bazel_skylib", version = "1.7.1") bazel_dep(name = "buildifier_prebuilt", version = "6.4.0") bazel_dep(name = "contrib_rules_jvm", version = "0.30.0") bazel_dep(name = "platforms", version = "0.0.11") # Required for the closure rules bazel_dep(name = "protobuf", version = "29.2", dev_dependency = True, repo_name = "com_google_protobuf") # Required for rules_rust to import the crates properly bazel_dep(name = "rules_cc", version = "0.2.0", dev_dependency = True) bazel_dep(name = "rules_dotnet", version = "0.17.5") bazel_dep(name = "rules_java", version = "8.7.1") bazel_dep(name = "rules_jvm_external", version = "6.9") bazel_dep(name = "rules_multitool", version = "1.3.0") bazel_dep(name = "rules_nodejs", version = "6.3.2") bazel_dep(name = "rules_oci", version = "1.8.0") bazel_dep(name = "rules_pkg", version = "1.0.1") bazel_dep(name = "rules_python", version = "1.6.3") bazel_dep(name = "rules_proto", version = "7.0.2") ... (clipped 227 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: No user errors: The PR modifies dependency lock data and does not add user-facing error messages, so secure error handling cannot be evaluated from this change. Referred Code { "__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY": "THERE_IS_NO_DATA_ONLY_ZUUL", "__INPUT_ARTIFACTS_HASH": -245838302, "__RESOLVED_ARTIFACTS_HASH": -970209915, "artifacts": { "com.beust:jcommander": { "shasums": { "jar": "deeac157c8de6822878d85d0c7bc8467a19cc8484d37788f7804f039dde280b1", "sources": "cc39d22f3cf29c2033fb526e5600ae8fec36e316274b0c07fa14c1a4a38eca3b" }, "version": "1.82" }, "com.esotericsoftware:kryo": { "shasums": { "jar": "4e8b1d2f4977187af8a51a957329722dc1cdc56a7c94fbb5a791e82897629cff", "sources": "acd9090539befa5421466ea1001dd808927af3f7d0ff12340ff518c15a9c5f4e" }, "version": "5.6.2" }, "com.esotericsoftware:minlog": { "shasums": { ... (clipped 3934 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: No logging added: No logging statements were added or modified in this PR; only dependency and Bazel configuration changed, so secure logging practices cannot be assessed. Referred Code { "__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY": "THERE_IS_NO_DATA_ONLY_ZUUL", "__INPUT_ARTIFACTS_HASH": -245838302, "__RESOLVED_ARTIFACTS_HASH": -970209915, "artifacts": { "com.beust:jcommander": { "shasums": { "jar": "deeac157c8de6822878d85d0c7bc8467a19cc8484d37788f7804f039dde280b1", "sources": "cc39d22f3cf29c2033fb526e5600ae8fec36e316274b0c07fa14c1a4a38eca3b" }, "version": "1.82" }, "com.esotericsoftware:kryo": { "shasums": { "jar": "4e8b1d2f4977187af8a51a957329722dc1cdc56a7c94fbb5a791e82897629cff", "sources": "acd9090539befa5421466ea1001dd808927af3f7d0ff12340ff518c15a9c5f4e" }, "version": "5.6.2" }, "com.esotericsoftware:minlog": { "shasums": { ... (clipped 3934 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: No input handling: The PR does not introduce input processing code; it updates dependencies and build configuration, so input validation and data handling cannot be evaluated from this diff. Referred Code bazel_dep(name = "bazel_features", version = "1.23.0") bazel_dep(name = "bazel_skylib", version = "1.7.1") bazel_dep(name = "buildifier_prebuilt", version = "6.4.0") bazel_dep(name = "contrib_rules_jvm", version = "0.30.0") bazel_dep(name = "platforms", version = "0.0.11") # Required for the closure rules bazel_dep(name = "protobuf", version = "29.2", dev_dependency = True, repo_name = "com_google_protobuf") # Required for rules_rust to import the crates properly bazel_dep(name = "rules_cc", version = "0.2.0", dev_dependency = True) bazel_dep(name = "rules_dotnet", version = "0.17.5") bazel_dep(name = "rules_java", version = "8.7.1") bazel_dep(name = "rules_jvm_external", version = "6.9") bazel_dep(name = "rules_multitool", version = "1.3.0") bazel_dep(name = "rules_nodejs", version = "6.3.2") bazel_dep(name = "rules_oci", version = "1.8.0") bazel_dep(name = "rules_pkg", version = "1.0.1") bazel_dep(name = "rules_python", version = "1.6.3") bazel_dep(name = "rules_proto", version = "7.0.2") ... (clipped 227 lines) Learn more about managing compliance generic rules or creating your own custom rules
[ ] Update <!-- /compliance --update_compliance=true -->

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Nov 10 '25 22:11 qodo-code-review[bot]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	Large dependency update lacks justification The PR involves a large-scale update of Java dependencies without any justification. It is recommended to add a detailed description explaining the reason for the update, its potential impact, and the validation tests performed. Examples: java/maven_install.json [1-4104] `{ "__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY": "THERE_IS_NO_DATA_ONLY_ZUUL", "__INPUT_ARTIFACTS_HASH": -245838302, "__RESOLVED_ARTIFACTS_HASH": -970209915, "artifacts": { "com.beust:jcommander": { "shasums": { "jar": "deeac157c8de6822878d85d0c7bc8467a19cc8484d37788f7804f039dde280b1", "sources": "cc39d22f3cf29c2033fb526e5600ae8fec36e316274b0c07fa14c1a4a38eca3b" }, ... (clipped 4094 lines)` MODULE.bazel [11-22] `bazel_dep(name = "contrib_rules_jvm", version = "0.30.0") bazel_dep(name = "platforms", version = "0.0.11") # Required for the closure rules bazel_dep(name = "protobuf", version = "29.2", dev_dependency = True, repo_name = "com_google_protobuf") # Required for rules_rust to import the crates properly bazel_dep(name = "rules_cc", version = "0.2.0", dev_dependency = True) bazel_dep(name = "rules_dotnet", version = "0.17.5") ... (clipped 2 lines)` Solution Walkthrough: Before: `// MODULE.bazel bazel_dep(name = "contrib_rules_jvm", version = "0.27.0") bazel_dep(name = "rules_jvm_external", version = "6.8") // java/maven_install.json { "__RESOLVED_ARTIFACTS_HASH": 121511744, "artifacts": { "io.netty:netty-buffer": { "version": "4.2.7.Final" }, "io.netty:netty-codec": { "version": "4.2.7.Final" }, // ... many other dependencies at older versions } }` After: `// MODULE.bazel bazel_dep(name = "contrib_rules_jvm", version = "0.30.0") bazel_dep(name = "rules_jvm_external", version = "6.9") ... known_contributing_modules = ["grpc-java", "selenium"], // java/maven_install.json { "__RESOLVED_ARTIFACTS_HASH": -970209915, "artifacts": { "io.netty:netty-buffer": { "version": "4.1.110.Final" }, "io.netty:netty-codec": { "version": "4.1.110.Final" }, // ... many new and updated dependencies } }` Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies the most critical issue: a massive, unexplained dependency update that introduces significant risk of regressions and complicates future debugging.	High
Possible issue	Fix circular platform-specific dependencies Remove the circular dependencies for the platform-specific JARs of `io.netty:netty-tcnative-boringssl-static` by clearing their dependency arrays. java/maven_install.json [1273-1302] -"io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64": [ - "io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64", - "io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64", - "io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64", - "io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64" -], -"io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64": [ - "io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64", - "io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64", - "io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64", - "io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64" -], -"io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64": [ - "io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64", - "io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64", - "io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64", - "io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64" -], -"io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64": [ - "io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64", - "io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64", - "io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64", - "io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64" -], -"io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64": [ - "io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64", - "io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64", - "io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64", - "io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64" -] +"io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64": [], +"io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64": [], +"io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64": [], +"io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64": [], +"io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64": [] `[To ensure code accuracy, apply this suggestion manually]` Suggestion importance[1-10]: 8 __ Why: The suggestion correctly identifies circular dependencies for platform-specific JARs of `io.netty:netty-tcnative-boringssl-static`, which can cause build and resolution issues.	Medium
[ ] Update <!-- /improve_multi --more_suggestions=true -->

Nov 10 '25 22:11 qodo-code-review[bot]

[bazel] Update java rules to latest releases

PR Type

Description

Diagram Walkthrough

File Walkthrough

PR Compliance Guide 🔍

PR Code Suggestions ✨

Examples:

Solution Walkthrough:

Before:

After: