oci-java-sdk
`oci-java-sdk-bom` extends `oci-java-sdk` resulting in dependency conflicts
See https://github.com/jdbi/jdbi/issues/1656 and replace jdbi with oci-java-sdk
We do not see the findbugs issue as we did with jdbi, but we do see other anomalies. Specifically, oci-java-sdk influences test dependencies like mockito. We pull in mockito from a different team-owned dependency, and the OCI SDK bom was overwriting it with 1.10.19, which is quite old. There were a number of similar issues where the SDK overwrites dependencies because it defines so many dependencies.
A bom is generally separate from your project's dependencies and dictates only the versions of your project's artifacts, not the versions of dependencies used to build the artifacts. The dependencies used by your project's artifacts are baked into your project's artifacts themselves and become transitive.
I understand I can fix this in my own pom by explicitly setting mockito or fiddling with dependency ordering and have already fixed this issue by duplicating the bom and breaking the inheritance so I get dependency management for only OCI jars. But, the point is that this is not always possible/apparent when the dependency is pulled in transitively. Plus, there are dozens of such dependencies that would then need to be controlled in such a way.
FYI This was recently discussed at the Maven user list https://lists.apache.org/thread.html/r7c8b6e6b219cd3fb144b990f1b88d95d7d53ea54c7b9cec8944e5a0a%40%3Cusers.maven.apache.org%3E
This was fixed in 3.7.0
3.6.0 has a parent: https://repo1.maven.org/maven2/com/oracle/oci/sdk/oci-java-sdk-bom/3.6.0/oci-java-sdk-bom-3.6.0.pom
3.7.0 does NOT have a parent: https://repo1.maven.org/maven2/com/oracle/oci/sdk/oci-java-sdk-bom/3.7.0/oci-java-sdk-bom-3.7.0.pom
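The parent/no-parent difference noted above can be checked before a BOM is imported. The following is an added example, not part of the issue thread or the SDK's code: it parses a BOM POM, reports whether it declares a `<parent>`, and lists managed dependencies outside the BOM's own groupId. The POMs and the `com.example.sdk` coordinates are constructed placeholders, and `audit_bom` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def _gav(el):
    """Return groupId:artifactId:version for a <parent> or <dependency> element."""
    return ":".join(el.findtext(f"m:{t}", "?", NS) for t in ("groupId", "artifactId", "version"))

def audit_bom(pom_xml, own_group):
    """Report what a BOM would impose on importers beyond its own artifacts."""
    root = ET.fromstring(pom_xml)
    parent = root.find("m:parent", NS)
    managed = root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS)
    foreign = [_gav(d) for d in managed
               if not d.findtext("m:groupId", "", NS).startswith(own_group)]
    return {
        # A parent means the effective dependencyManagement also includes
        # whatever the parent chain manages, which this file alone does not show.
        "parent": _gav(parent) if parent is not None else None,
        "foreign_managed": foreign,
    }

# Constructed sample POMs; com.example.sdk is a placeholder, not the OCI SDK.
def _pom(parent_block, extra_dep=""):
    return f"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>{parent_block}
  <groupId>com.example.sdk</groupId>
  <artifactId>example-sdk-bom</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.example.sdk</groupId><artifactId>example-sdk-core</artifactId><version>1.0.0</version></dependency>{extra_dep}
  </dependencies></dependencyManagement>
</project>"""

INHERITING_BOM = _pom(
    "<parent><groupId>com.example.sdk</groupId><artifactId>example-sdk</artifactId><version>1.0.0</version></parent>",
    "<dependency><groupId>org.mockito</groupId><artifactId>mockito-core</artifactId><version>1.10.19</version></dependency>")
STANDALONE_BOM = _pom("")

if __name__ == "__main__":
    for name, pom in (("inheriting", INHERITING_BOM), ("standalone", STANDALONE_BOM)):
        print(name, audit_bom(pom, "com.example.sdk"))
```

A non-null `parent` is the signal to inspect the parent POM as well, since its managed versions are inherited by the BOM and applied to every project that imports it.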