mockserver
Removed useless/Minimize dependencies of ``mockserver-client-java``
Describe the feature request
While using the mockserver-client-java I noticed that it introduces a lot of (transitive) dependencies into our projects.
List of dependencies
[INFO] \- org.mock-server:mockserver-client-java:jar:5.14.0:compile
[INFO] +- org.mock-server:mockserver-core:jar:5.14.0:compile
[INFO] | +- com.lmax:disruptor:jar:3.4.4:compile
[INFO] | +- javax.servlet:javax.servlet-api:jar:4.0.1:compile
[INFO] | +- io.netty:netty-buffer:jar:4.1.79.Final:compile
[INFO] | | \- io.netty:netty-common:jar:4.1.79.Final:compile
[INFO] | +- io.netty:netty-codec:jar:4.1.79.Final:compile
[INFO] | +- io.netty:netty-codec-http:jar:4.1.79.Final:compile
[INFO] | +- io.netty:netty-codec-socks:jar:4.1.79.Final:compile
[INFO] | +- io.netty:netty-handler:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-resolver:jar:4.1.79.Final:compile
[INFO] | | \- io.netty:netty-transport-native-unix-common:jar:4.1.79.Final:compile
[INFO] | +- io.netty:netty-handler-proxy:jar:4.1.79.Final:compile
[INFO] | +- io.netty:netty-transport:jar:4.1.79.Final:compile
[INFO] | +- io.netty:netty-tcnative-boringssl-static:jar:2.0.54.Final:compile
[INFO] | | +- io.netty:netty-tcnative-classes:jar:2.0.54.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.54.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.54.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.54.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.54.Final:compile
[INFO] | | \- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.54.Final:compile
[INFO] | +- com.jcraft:jzlib:jar:1.1.3:compile
[INFO] | +- com.fasterxml.uuid:java-uuid-generator:jar:4.0.1:compile
[INFO] | +- org.bouncycastle:bcprov-jdk18on:jar:1.71:compile
[INFO] | +- org.bouncycastle:bcpkix-jdk18on:jar:1.71:compile
[INFO] | | \- org.bouncycastle:bcutil-jdk18on:jar:1.71:compile
[INFO] | +- com.nimbusds:nimbus-jose-jwt:jar:9.24.2:compile
[INFO] | | \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] | +- org.apache.velocity:velocity-engine-scripting:jar:2.3:compile
[INFO] | +- org.apache.velocity:velocity-engine-core:jar:2.3:compile
[INFO] | +- org.apache.velocity.tools:velocity-tools-generic:jar:3.1:compile
[INFO] | | +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] | | | +- commons-logging:commons-logging:jar:1.2:compile
[INFO] | | | \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] | | +- org.apache.commons:commons-digester3:jar:3.2:compile
[INFO] | | \- com.github.cliftonlabs:json-simple:jar:3.0.2:compile
[INFO] | +- com.samskivert:jmustache:jar:1.15:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
[INFO] | +- net.javacrumbs.json-unit:json-unit-core:jar:2.35.0:compile
[INFO] | | \- org.hamcrest:hamcrest-core:jar:2.2:compile
[INFO] | | \- org.hamcrest:hamcrest:jar:2.2:compile
[INFO] | +- com.networknt:json-schema-validator:jar:1.0.72:compile
[INFO] | | \- com.ethlo.time:itu:jar:1.7.0:compile
[INFO] | +- com.jayway.jsonpath:json-path:jar:2.7.0:compile
[INFO] | | \- net.minidev:json-smart:jar:2.4.7:compile
[INFO] | | \- net.minidev:accessors-smart:jar:2.4.7:compile
[INFO] | | \- org.ow2.asm:asm:jar:9.1:compile
[INFO] | +- io.swagger.parser.v3:swagger-parser:jar:2.1.2:compile
[INFO] | | +- io.swagger.parser.v3:swagger-parser-v2-converter:jar:2.1.2:compile
[INFO] | | | +- io.swagger:swagger-core:jar:1.6.6:compile
[INFO] | | | | \- io.swagger:swagger-models:jar:1.6.6:compile
[INFO] | | | | \- io.swagger:swagger-annotations:jar:1.6.6:compile
[INFO] | | | +- io.swagger:swagger-parser:jar:1.0.61:compile
[INFO] | | | +- io.swagger:swagger-compat-spec-parser:jar:1.0.61:compile
[INFO] | | | | +- com.github.java-json-tools:json-schema-validator:jar:2.2.14:compile
[INFO] | | | | | +- com.github.java-json-tools:jackson-coreutils-equivalence:jar:1.0:compile
[INFO] | | | | | +- com.github.java-json-tools:json-schema-core:jar:1.2.14:compile
[INFO] | | | | | | +- com.github.java-json-tools:uri-template:jar:0.10:compile
[INFO] | | | | | | \- org.mozilla:rhino:jar:1.7.7.2:compile
[INFO] | | | | | +- com.sun.mail:mailapi:jar:1.6.2:compile
[INFO] | | | | | +- joda-time:joda-time:jar:2.10.5:compile
[INFO] | | | | | +- com.googlecode.libphonenumber:libphonenumber:jar:8.11.1:compile
[INFO] | | | | | \- net.sf.jopt-simple:jopt-simple:jar:5.0.4:compile
[INFO] | | | | +- com.github.java-json-tools:json-patch:jar:1.13:compile
[INFO] | | | | | +- com.github.java-json-tools:msg-simple:jar:1.2:compile
[INFO] | | | | | | \- com.github.java-json-tools:btf:jar:1.3:compile
[INFO] | | | | | \- com.github.java-json-tools:jackson-coreutils:jar:2.0:compile
[INFO] | | | | \- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] | | | | \- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] | | | +- io.swagger.core.v3:swagger-models:jar:2.2.2:compile
[INFO] | | | \- io.swagger.parser.v3:swagger-parser-core:jar:2.1.2:compile
[INFO] | | \- io.swagger.parser.v3:swagger-parser-v3:jar:2.1.2:compile
[INFO] | | +- io.swagger.core.v3:swagger-core:jar:2.2.2:compile
[INFO] | | | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.3:compile
[INFO] | | | +- io.swagger.core.v3:swagger-annotations:jar:2.2.2:compile
[INFO] | | | \- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] | | \- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.13.2:compile
[INFO] | | \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] | +- jakarta.xml.bind:jakarta.xml.bind-api:jar:3.0.1:compile
[INFO] | | \- com.sun.activation:jakarta.activation:jar:2.0.1:compile
[INFO] | +- com.sun.xml.bind:jaxb-impl:jar:4.0.0:runtime
[INFO] | | \- com.sun.xml.bind:jaxb-core:jar:4.0.0:runtime
[INFO] | | \- org.eclipse.angus:angus-activation:jar:1.0.0:runtime
[INFO] | | \- jakarta.activation:jakarta.activation-api:jar:2.1.0:runtime
[INFO] | +- org.xmlunit:xmlunit-core:jar:2.9.0:compile
[INFO] | +- org.xmlunit:xmlunit-placeholders:jar:2.9.0:compile
[INFO] | +- commons-io:commons-io:jar:2.11.0:compile
[INFO] | +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] | +- commons-codec:commons-codec:jar:1.15:compile
[INFO] | \- io.github.classgraph:classgraph:jar:4.8.149:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] +- com.google.guava:guava:jar:31.1-jre:compile
[INFO] | +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] | +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] | +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] | +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO] | +- com.google.errorprone:error_prone_annotations:jar:2.11.0:compile
[INFO] | \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.36:compile
Most of them seem to be introduced through the core module and are useless for the client.
What you are trying to do
Trying to use the client as mentioned above. And only the client part because the server part is running inside a Docker container.
We are running a code scanner regularly and I'm not in the mood to fix security vulnerabilities for unused dependencies (Example: snakeyaml:1.30 - CVE-2022-25857).
The solution you'd like
Remove the dependencies that are not required from the client. Maybe remove the core module completely and generate the client based on the OpenAPI specification or create a model module that just contains the needed models.
Describe alternatives you've considered
For now I ignored a lot of dependencies that are delivered:
```xml
<dependency>
    <groupId>org.mock-server</groupId>
    <artifactId>mockserver-client-java</artifactId>
    <version>5.14.0</version>
    <!-- Excluded not required dependencies -->
    <exclusions>
        <!-- We don't do anything with OpenAPI - ignore as much as possible -->
        <exclusion>
            <groupId>io.swagger.core.v3</groupId>
            <artifactId>swagger-core</artifactId>
        </exclusion>
        <exclusion>
            <groupId>io.swagger.parser.v3</groupId>
            <artifactId>swagger-parser-v2-converter</artifactId>
        </exclusion>
        <exclusion>
            <groupId>io.swagger.parser.v3</groupId>
            <artifactId>swagger-parser-core</artifactId>
        </exclusion>
        <!-- Brings a vulnerable version of SnakeYAML; Also unused -->
        <exclusion>
            <groupId>com.fasterxml.jackson.dataformat</groupId>
            <artifactId>jackson-dataformat-yaml</artifactId>
        </exclusion>
        <!-- Why is templating needed in a Rest API? -->
        <exclusion>
            <groupId>org.apache.velocity</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.velocity.tools</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <exclusion>
            <groupId>com.samskivert</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <!-- Completely unused, seems to be only required for server component -->
        <exclusion>
            <groupId>com.jcraft</groupId>
            <artifactId>jzlib</artifactId>
        </exclusion>
        <!-- Jakarta bind api is only used in unit tests -->
        <exclusion>
            <groupId>com.sun.xml.bind</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <exclusion>
            <groupId>jakarta.xml.bind</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <!-- Unittests? -->
        <exclusion>
            <groupId>org.xmlunit</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <exclusion>
            <groupId>io.github.classgraph</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <exclusion>
            <groupId>net.javacrumbs.json-unit</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <!-- Unused Json -->
        <exclusion>
            <groupId>com.jayway.jsonpath</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <!-- Unused JWT -->
        <exclusion>
            <groupId>com.nimbusds</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <!-- Servlet API in a Client? -->
        <exclusion>
            <groupId>javax.servlet</groupId>
            <artifactId>*</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<!-- Undeclared used dependency for above; Was transitively excluded above but is needed -->
<dependency>
    <groupId>com.github.java-json-tools</groupId>
    <artifactId>jackson-coreutils</artifactId>
    <version>2.0</version>
</dependency>
```
List of dependencies
[INFO] +- org.mock-server:mockserver-client-java:jar:5.14.0:compile
[INFO] | +- org.mock-server:mockserver-core:jar:5.14.0:compile
[INFO] | | +- com.lmax:disruptor:jar:3.4.4:compile
[INFO] | | +- io.netty:netty-buffer:jar:4.1.79.Final:compile
[INFO] | | | \- io.netty:netty-common:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-codec:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-codec-http:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-codec-socks:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-handler:jar:4.1.79.Final:compile
[INFO] | | | +- io.netty:netty-resolver:jar:4.1.79.Final:compile
[INFO] | | | \- io.netty:netty-transport-native-unix-common:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-handler-proxy:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-transport:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:2.0.54.Final:compile
[INFO] | | | +- io.netty:netty-tcnative-classes:jar:2.0.54.Final:compile
[INFO] | | | +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.54.Final:compile
[INFO] | | | +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.54.Final:compile
[INFO] | | | +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.54.Final:compile
[INFO] | | | +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.54.Final:compile
[INFO] | | | \- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.54.Final:compile
[INFO] | | +- com.fasterxml.uuid:java-uuid-generator:jar:4.0.1:compile
[INFO] | | +- org.bouncycastle:bcprov-jdk18on:jar:1.71:compile
[INFO] | | +- org.bouncycastle:bcpkix-jdk18on:jar:1.71:compile
[INFO] | | | \- org.bouncycastle:bcutil-jdk18on:jar:1.71:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO] | | +- com.networknt:json-schema-validator:jar:1.0.72:compile
[INFO] | | | \- com.ethlo.time:itu:jar:1.7.0:compile
[INFO] | | +- io.swagger.parser.v3:swagger-parser:jar:2.1.2:compile
[INFO] | | | \- io.swagger.parser.v3:swagger-parser-v3:jar:2.1.2:compile
[INFO] | | | \- io.swagger.core.v3:swagger-models:jar:2.2.2:compile
[INFO] | | +- commons-io:commons-io:jar:2.11.0:compile
[INFO] | | +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] | | \- commons-codec:commons-codec:jar:1.15:compile
[INFO] | +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] | +- com.google.guava:guava:jar:31.1-jre:compile
[INFO] | | +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] | | +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] | | +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO] | | +- com.google.errorprone:error_prone_annotations:jar:2.11.0:compile
[INFO] | | \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \- com.github.java-json-tools:jackson-coreutils:jar:2.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.0:compile
[INFO] +- com.github.java-json-tools:msg-simple:jar:1.2:runtime
[INFO] | \- com.github.java-json-tools:btf:jar:1.3:runtime
[INFO] \- com.google.code.findbugs:jsr305:jar:3.0.2:compile
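Added example, not part of the original issue or of the MockServer project: a small parser for `mvn dependency:tree` output that reports the chain pulling in a flagged artifact, names the direct dependency that has to carry the `<exclusion>`, and checks whether artifacts meant to be excluded are still resolved. The sample tree is constructed from coordinates in the listings above with the standard three-column indentation; the root project `com.example:demo` and all function names are hypothetical.

```python
import re

# Constructed sample in `mvn dependency:tree` layout. Coordinates are taken from
# the issue's listing; the root project com.example:demo is hypothetical.
SAMPLE_TREE = r"""
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.mock-server:mockserver-client-java:jar:5.14.0:compile
[INFO] |  +- org.mock-server:mockserver-core:jar:5.14.0:compile
[INFO] |  |  +- io.swagger.parser.v3:swagger-parser:jar:2.1.2:compile
[INFO] |  |  |  \- io.swagger.parser.v3:swagger-parser-v3:jar:2.1.2:compile
[INFO] |  |  |     \- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.13.2:compile
[INFO] |  |  |        \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  |  \- commons-io:commons-io:jar:2.11.0:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \- com.github.java-json-tools:jackson-coreutils:jar:2.0:compile
"""

# "[INFO] ", then 3 columns of "|  " or "   " per level, then "+- " or "\- ".
NODE = re.compile(r"^\[INFO\] ([ |]*)([+\\]- )?(\S+:\S+:\S+)$")

def parse_tree(text):
    """Yield (depth, coordinate) per node; non-tree log lines are skipped."""
    for line in text.splitlines():
        m = NODE.match(line.rstrip())
        if m:
            indent, marker, gav = m.groups()
            yield len(indent) // 3 + (1 if marker else 0), gav

def paths_to(text, artifact):
    """Return every root-to-node chain that ends at 'groupId:artifactId'."""
    stack, found = [], []
    for depth, gav in parse_tree(text):
        del stack[depth:]              # leave only the ancestors of this node
        stack.append(gav)
        if gav.startswith(artifact + ":"):
            found.append(list(stack))
    return found

def exclusion_hint(path):
    """Direct dependency that must carry the exclusion, and what to exclude."""
    if len(path) < 3:
        return None                    # declared directly: nothing to exclude
    group, art = path[-1].split(":")[:2]
    return {"declare_on": ":".join(path[1].split(":")[:2]),
            "groupId": group, "artifactId": art}

def still_present(text, banned):
    """Banned 'groupId:artifactId' entries the resolved tree still contains."""
    return sorted(b for b in banned if paths_to(text, b))
```

Running `still_present` over the tree output in CI, with the excluded coordinates as the banned list, shows when a version bump of the client brings an excluded artifact back through a new path.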
After we monitored the situation here for a while now and after determining that this project was likely abandoned, we decided to fork the project and fix the problems ourselves: https://github.com/xdev-software/mockserver-neolight
Disclaimer: The fork focuses on simplicity and maintainability - some functionality was removed to bring the code into a maintainable state.