oci-java-sdk icon indicating copy to clipboard operation
oci-java-sdk copied to clipboard

Published 20 hours ago verified publisher icon oracle

Issues with dependencies in oci-java-sdk-2.37.0.pom

Open ljnelson opened this issue 2 years ago • 1 comments

Thank you for releasing the shaded jar.

I have noticed that the dependency tree information for it is slightly weird.

The entire point, I assume, of the shaded jar, is that various dependencies that it might have are, in fact, shaded. But because its parent is oci-java-sdk-shaded, and its parent is oci-java-sdk, and because it has a <dependencies> section that includes many things that aren't shaded, the net result is a shaded jar all of whose dependencies are not, in fact, shaded.

For example, the output of mvn dependency:tree run on a project that uses the shaded jar includes:

[INFO] +- com.oracle.oci.sdk:oci-java-sdk-shaded-full:jar:2.37.0:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.33:compile
[INFO] |  +- org.bouncycastle:bcpkix-jdk15on:jar:1.70:compile
[INFO] |  |  \- org.bouncycastle:bcutil-jdk15on:jar:1.70:compile
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.70:compile
[INFO] |  +- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] |  \- jakarta.ws.rs:jakarta.ws.rs-api:jar:2.1.6:compile

As it happens, I personally and selfishly have no problem with any of the following non-shaded dependencies of oci-java-sdk-shaded-full:

  • org.slf4j:slf4j-api:jar
  • org.bouncycastle:bcpkix-jdk15on:jar
  • org.bouncycastle:bcutil-jdk15on:jar
  • org.bouncycastle:bcprov-jdk15on:jar

Technically this is still weird. I would expect references internal to the shaded jar to refer to the shaded versions of these artifacts' packages, and hence that the full shaded jar would not need to name these artifacts as dependencies, transitive or otherwise.

Personally and selfishly again, I do have a problem with the following non-shaded dependencies being included:

  • javax.annotation:javax.annotation-api:jar
  • jakarta.ws.rs:jakarta.ws.rs-api:jar

In the case of javax.annotation.*, the shaded jar already includes shaded versions of these, so it would appear that there is no reason to include the "real" javax.annotation:javax.annotation-api:jar among its dependencies.

The same would appear to be true of the javax.ws.* hierarchy of packages.

The root issue, it seems to me, is that there are too many top-level <dependency> elements in oci-java-sdk.

Specifically, it would be nice if the spurious top-level dependencies of oci-java-sdk could be properly "pushed down" into the modules that actually use them, rather than hosted at the "top level", since in fact they do not universally apply across the project.

ljnelson avatar Jul 29 '22 04:07 ljnelson

The following are intentionally left out of the shaded jar:

  • org.slf4j:slf4j-api
  • org.bouncycastle:bcpkix-jdk15on (which brings in org.bouncycastle:bcutil-jdk15on)
  • org.bouncycastle:bcprov-jdk15on

https://github.com/oracle/oci-java-sdk/blob/master/bmc-shaded/bmc-shaded-full/pom.xml

I'll have to look at the other ones.

  • jakarta.ws.rs:jakarta.ws.rs-api - It looks like we are relocating and shading this. I think not removing this as a dependency from the shaded jar may have been an oversight from a time when we didn't also shade Jersey.
  • javax.annotation:javax.annotation-api:jar - I'm not sure that it makes sense to shade this (it probably shouldn't be included in the shaded full jar). These are annotations, and if we relocate them, they essentially lose their meaning.
    • For example, relocating javax.annotation.Priority to shaded.com.oracle.oci.javasdk.javax.annotation.Priority, it may not be possible to understand the priority of filters, for example. We'll have to make sure that this would still work with JAX-RS.
    • On the other hand, it looks like we are relocating and shading JAX-RS. That means it should mean we should also be able to relocate the annotations.

So it looks like we should be able to address all the issues you have accurately and generously brought to our attention. Thanks!

mricken avatar Aug 01 '22 17:08 mricken

@ljnelson - The issue is fixed now with the lates 3.x Java SDK.

[INFO] \- com.oracle.oci.sdk:oci-java-sdk-shaded-full:jar:3.2.2:compile
[INFO]    +- org.slf4j:slf4j-api:jar:1.7.33:compile
[INFO]    +- org.bouncycastle:bcpkix-jdk15on:jar:1.70:compile
[INFO]    |  \- org.bouncycastle:bcutil-jdk15on:jar:1.70:compile
[INFO]    \- org.bouncycastle:bcprov-jdk15on:jar:1.70:compile

Please check the latest 3.x OCI SDK version and let us know if it's okay to close the ticket.

rkumarpa avatar Jan 26 '23 23:01 rkumarpa

Closing the ticket. Please reopen it if you still see this issue in the latest 3.x version.

rkumarpa avatar Feb 06 '23 15:02 rkumarpa