From 1fdb5b2000a2f94e761367e32e901b9156f1d310 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 18 Apr 2024 08:27:11 +0200 Subject: [PATCH] [ISSUE #4700] Remove logging backends from runtime deps (#4719) * [ISSUE #4700] Remove logging backends from runtime deps This PR removes all the logging backends from the Maven artifacts. As explained in #4700 libraries should only depend on logging APIs, not logging implementations the same way web applications depend on the Servlet API, not its implementations. The logging backends are added to the `dist` folder to be included in the TAR binary distribution. * Fix licenses * Fix Logback exclusions * Fix license check * Fix `printProjects` according to the review * Add logging backend to `eventmesh-starter` * Remove task description * Fix task dependencies of task `installPlugin` * Fix `installPlugin` task * Add comment about exclusions * Minimize changes to current configuration This commit minimizes the changes to EventMesh dependencies. Since a global exclusion is not an effective way to stop propagating logging backends as **transitive** dependencies we: * explictly remove logging backends from third-party dependencies that include them: RocketMQ, Pulsar, Spring Boot and Zookeeper, * restore Log4j Core as dependency of `eventmesh-common`, * exclude Log4j Core as dependency of `eventmesh-sdk-java`. * Add comments to remove exclusions after upgrade * Make `installPlugin` independent from `dist` * Make `copy` tasks easier to understand * Add `eventmesh-common` to EventMesh OpenConnect deps * Refactor RocketMQ deps * Delete `output.dirs` * Fix typo * Remove last `outputs.dir` * Remove dependencies from `installPlugin` * Add `eventmesh-common` to OpenConnect artifacts --- .gitignore | 4 +- build.gradle | 198 ++++++++---------- eventmesh-common/build.gradle | 5 +- .../eventmesh-connector-pravega/build.gradle | 5 - .../eventmesh-connector-pulsar/build.gradle | 23 +- .../eventmesh-connector-rabbitmq/build.gradle | 5 - .../eventmesh-connector-rocketmq/build.gradle | 11 +- .../eventmesh-connector-slack/build.gradle | 6 - .../eventmesh-connector-spring/build.gradle | 21 +- .../eventmesh-connector-wechat/build.gradle | 6 - .../eventmesh-connector-wecom/build.gradle | 6 - eventmesh-examples/build.gradle | 7 +- .../eventmesh-meta-zookeeper/build.gradle | 10 +- .../eventmesh-openconnect-java/build.gradle | 4 +- .../build.gradle | 6 +- .../build.gradle | 4 +- .../eventmesh-retry-rocketmq/build.gradle | 10 +- .../eventmesh-sdk-java/build.gradle | 6 +- .../eventmesh-storage-kafka/build.gradle | 4 - .../eventmesh-storage-pulsar/build.gradle | 25 ++- .../eventmesh-storage-rabbitmq/build.gradle | 5 - .../eventmesh-storage-redis/build.gradle | 4 - .../eventmesh-storage-rocketmq/build.gradle | 17 +- tools/dependency-check/check-dependencies.sh | 8 +- tools/dependency-check/known-dependencies.txt | 5 - .../licenses/java/LICENSE-logback-core.txt | 14 -- .../licenses/java/LICENSE-slf4j-simple.txt | 21 -- 27 files changed, 189 insertions(+), 251 deletions(-) mode change 100644 => 100755 tools/dependency-check/check-dependencies.sh delete mode 100644 tools/third-party-licenses/licenses/java/LICENSE-logback-core.txt delete mode 100644 tools/third-party-licenses/licenses/java/LICENSE-slf4j-simple.txt diff --git a/.gitignore b/.gitignore index a22c82f795..2379b9f175 100644 --- a/.gitignore +++ b/.gitignore @@ -27,7 +27,7 @@ node_modules h2/db.mv.db # license check tmp file -all-dependencies.txt +/tools/dependency-check/all-dependencies.txt self-modules.txt third-party-dependencies.txt @@ -50,4 +50,4 @@ bld/ **/org/apache/eventmesh/connector/jdbc/antlr4/autogeneration/* #rust -Cargo.lock \ No newline at end of file +Cargo.lock diff --git a/build.gradle b/build.gradle index 3cd8460b9a..fbaaa92640 100644 --- a/build.gradle +++ b/build.gradle @@ -139,7 +139,58 @@ allprojects { } } -task tar(type: Tar) { +tasks.register('dist') { + subprojects.forEach { subProject -> + dependsOn("${subProject.path}:jar") + } + def includedProjects = + ["eventmesh-common", + "eventmesh-meta:eventmesh-meta-api", + "eventmesh-metrics-plugin:eventmesh-metrics-api", + "eventmesh-protocol-plugin:eventmesh-protocol-api", + "eventmesh-retry:eventmesh-retry-api", + "eventmesh-runtime", + "eventmesh-security-plugin:eventmesh-security-api", + "eventmesh-spi", + "eventmesh-starter", + "eventmesh-storage-plugin:eventmesh-storage-api", + "eventmesh-trace-plugin:eventmesh-trace-api", + "eventmesh-webhook:eventmesh-webhook-api", + "eventmesh-webhook:eventmesh-webhook-admin", + "eventmesh-webhook:eventmesh-webhook-receive"] + doLast { + includedProjects.each { + def subProject = findProject(it) + logger.lifecycle('Install module: module: {}', subProject.name) + copy { + from subProject.jar.archivePath + into rootProject.file('dist/apps') + } + copy { + from subProject.file('bin') + into rootProject.file('dist/bin') + } + copy { + from subProject.file('conf') + from subProject.sourceSets.main.resources.srcDirs + into rootProject.file('dist/conf') + duplicatesStrategy = DuplicatesStrategy.EXCLUDE + exclude 'META-INF' + } + copy { + from subProject.configurations.runtimeClasspath + into rootProject.file('dist/lib') + exclude 'eventmesh-*' + } + } + copy { + from 'tools/third-party-licenses' + into rootProject.file('dist') + } + } +} + +tasks.register('tar', Tar) { archiveBaseName.set(project.name) archiveVersion.set(project.version.toString()) archiveExtension.set('tar.gz') @@ -150,7 +201,7 @@ task tar(type: Tar) { } } -task zip(type: Zip) { +tasks.register('zip', Zip) { archiveBaseName.set(project.name) archiveVersion.set(project.version.toString()) archiveExtension.set('zip') @@ -160,50 +211,39 @@ task zip(type: Zip) { } } -task installPlugin() { - if (!new File("${rootDir}/dist").exists()) { - return +tasks.register('installPlugin') { + var pluginProjects = subprojects.findAll { + it.file('gradle.properties').exists() + && it.properties.containsKey('pluginType') + && it.properties.containsKey('pluginName') + } + doLast { + String[] libJars = java.util.Optional.ofNullable(file('dist/lib').list()).orElse(new String[0]) + pluginProjects.forEach(subProject -> { + var pluginType = subProject.properties.get('pluginType') + var pluginName = subProject.properties.get('pluginName') + logger.lifecycle('Install plugin: pluginType: {}, pluginInstanceName: {}, module: {}', pluginType, + pluginName, subProject.name) + copy { + from subProject.jar.archivePath + into rootProject.file("dist/plugin/${pluginType}/${pluginName}") + } + copy { + from subProject.configurations.runtimeClasspath + into rootProject.file("dist/plugin/${pluginType}/${pluginName}") + exclude(libJars) + } + copy { + from subProject.file('conf') + from subProject.sourceSets.main.resources.srcDirs + into rootProject.file("dist/conf") + exclude 'META-INF' + } + }) } - String[] libJars = java.util.Optional.ofNullable(new File("${rootDir}/dist/lib").list()).orElseGet(() -> new String[0]) - getAllprojects().forEach(subProject -> { - var file = new File("${subProject.projectDir}/gradle.properties") - if (!file.exists()) { - return - } - var properties = new Properties() - properties.load(new FileInputStream(file)) - var pluginType = properties.getProperty("pluginType") - var pluginName = properties.getProperty("pluginName") - if (pluginType == null || pluginName == null) { - return - } - var pluginFile = new File("${rootDir}/dist/plugin/${pluginType}/${pluginName}") - if (pluginFile.exists()) { - return - } - pluginFile.mkdirs() - println String.format( - "install plugin, pluginType: %s, pluginInstanceName: %s, module: %s", pluginType, pluginName, subProject.getName() - ) - - copy { - into "${rootDir}/dist/plugin/${pluginType}/${pluginName}" - from "${subProject.getProjectDir()}/dist/apps" - } - copy { - into "${rootDir}/dist/plugin/${pluginType}/${pluginName}" - from "${subProject.getProjectDir()}/dist/lib/" - exclude(libJars) - } - copy { - into "${rootDir}/dist/conf" - from "${subProject.getProjectDir()}/dist/conf" - exclude 'META-INF' - } - }) } -task printProjects() { +tasks.register('printProjects') { getAllprojects().forEach(subProject -> { if ("EventMesh".equals(subProject.getName())) { return @@ -303,77 +343,6 @@ subprojects { } } - task dist(dependsOn: ['jar']) { - doFirst { - new File("${projectDir}/dist/bin").mkdirs() - new File("${projectDir}/dist/apps").mkdirs() - new File("${projectDir}/dist/conf").mkdirs() - new File("${projectDir}/dist/lib").mkdirs() - new File("${projectDir}/dist/licenses").mkdirs() - } - Set rootProject = ["eventmesh-common", - "eventmesh-storage-api", - "eventmesh-metrics-api", - "eventmesh-meta-api", - "eventmesh-trace-api", - "eventmesh-retry-api", - "eventmesh-runtime", - "eventmesh-security-api", - "eventmesh-protocol-api", - "eventmesh-starter", - "eventmesh-spi", - "eventmesh-webhook-api", - "eventmesh-webhook-admin", - "eventmesh-webhook-receive"] - doLast { - copy { - into("${projectDir}/dist/apps") - from project.jar.getArchivePath() - } - copy { - into("${projectDir}/dist/lib") - from project.configurations.runtimeClasspath - } - copy { - into("${projectDir}/dist/bin") - from 'bin' - } - copy { - into("${projectDir}/dist/conf") - from 'conf', sourceSets.main.resources.srcDirs - setDuplicatesStrategy(DuplicatesStrategy.EXCLUDE) - exclude 'META-INF' - } - if (rootProject.contains(project.name)) { - new File("${rootDir}/dist/apps").mkdirs() - new File("${rootDir}/dist/lib").mkdirs() - new File("${rootDir}/dist/bin").mkdirs() - new File("${rootDir}/dist/conf").mkdirs() - copy { - into("${rootDir}/dist/apps") - from "${projectDir}/dist/apps" - } - copy { - into "${rootDir}/dist/lib" - from "${projectDir}/dist/lib" - exclude "eventmesh-*" - } - copy { - into "${rootDir}/dist/bin" - from "${projectDir}/dist/bin" - } - copy { - into "${rootDir}/dist/conf" - from "${projectDir}/dist/conf" - } - } - copy { - into "${rootDir}/dist" - from "${rootDir}/tools/third-party-licenses" - } - } - } - javadoc { source = sourceSets.main.java destinationDir = reporting.file("javadoc") @@ -491,7 +460,6 @@ subprojects { dependency "org.apache.logging.log4j:log4j-api:${log4jVersion}" dependency "org.apache.logging.log4j:log4j-core:${log4jVersion}" dependency "org.apache.logging.log4j:log4j-slf4j2-impl:${log4jVersion}" - dependency "org.apache.logging.log4j:log4j-slf4j-impl:${log4jVersion}" // used with SLF4J 1.7.x or older for third-party dependencies dependency "com.lmax:disruptor:3.4.2" diff --git a/eventmesh-common/build.gradle b/eventmesh-common/build.gradle index a6dc2cd269..23f9455e1a 100644 --- a/eventmesh-common/build.gradle +++ b/eventmesh-common/build.gradle @@ -32,9 +32,8 @@ dependencies { api "com.alibaba.fastjson2:fastjson2" - implementation "org.apache.logging.log4j:log4j-api" - implementation "org.apache.logging.log4j:log4j-core" - implementation "org.apache.logging.log4j:log4j-slf4j2-impl" + runtimeOnly "org.apache.logging.log4j:log4j-core" + runtimeOnly "org.apache.logging.log4j:log4j-slf4j2-impl" implementation 'com.github.seancfoley:ipaddress' diff --git a/eventmesh-connectors/eventmesh-connector-pravega/build.gradle b/eventmesh-connectors/eventmesh-connector-pravega/build.gradle index 0365334311..24876409f1 100644 --- a/eventmesh-connectors/eventmesh-connector-pravega/build.gradle +++ b/eventmesh-connectors/eventmesh-connector-pravega/build.gradle @@ -15,11 +15,6 @@ * limitations under the License. */ -configurations { - implementation.exclude group: 'ch.qos.logback', module: 'logback-classic' - implementation.exclude group: 'log4j', module: 'log4j' -} - dependencies { api project(":eventmesh-openconnect:eventmesh-openconnect-java") implementation project(":eventmesh-common") diff --git a/eventmesh-connectors/eventmesh-connector-pulsar/build.gradle b/eventmesh-connectors/eventmesh-connector-pulsar/build.gradle index 4a532ec2b8..f087842ea8 100644 --- a/eventmesh-connectors/eventmesh-connector-pulsar/build.gradle +++ b/eventmesh-connectors/eventmesh-connector-pulsar/build.gradle @@ -15,12 +15,27 @@ * limitations under the License. */ -List pulsar = [ - "org.apache.pulsar:pulsar-client:$pulsar_version" -] dependencies { implementation project(":eventmesh-openconnect:eventmesh-openconnect-java") - implementation pulsar + + /* + * TODO: This is a shaded artifact that contains 20 MiB of external libraries. It could probably be replaced by: + * + * implementation "org.apache.pulsar:pulsar-client-api:$pulsar_version" + * runtimeOnly "org.apache.pulsar:pulsar-client-original:$pulsar_version" + * + * The exclusions can be removed after an upgrade of the transitive: + * + * "org.apache.bookkeeper:bookkeeper" + * + * dependency to 4.15.4 or higher (used by Pulsar 2.11.2 or higher). + */ + implementation("org.apache.pulsar:pulsar-client:$pulsar_version") { + // Remove logging backend implementations + exclude group: 'org.apache.logging.log4j', module: 'log4j-core' + exclude group: 'org.apache.logging.log4j', module: 'log4j-slf4j-impl' + } + compileOnly 'org.projectlombok:lombok' annotationProcessor 'org.projectlombok:lombok' } \ No newline at end of file diff --git a/eventmesh-connectors/eventmesh-connector-rabbitmq/build.gradle b/eventmesh-connectors/eventmesh-connector-rabbitmq/build.gradle index b4edbe1f8a..f96d81bf6d 100644 --- a/eventmesh-connectors/eventmesh-connector-rabbitmq/build.gradle +++ b/eventmesh-connectors/eventmesh-connector-rabbitmq/build.gradle @@ -16,11 +16,6 @@ */ -configurations { - implementation.exclude group: 'ch.qos.logback', module: 'logback-classic' - implementation.exclude group: 'log4j', module: 'log4j' -} - dependencies { api project(":eventmesh-openconnect:eventmesh-openconnect-java") implementation project(":eventmesh-common") diff --git a/eventmesh-connectors/eventmesh-connector-rocketmq/build.gradle b/eventmesh-connectors/eventmesh-connector-rocketmq/build.gradle index 769e9c6cf8..64c43e29d5 100644 --- a/eventmesh-connectors/eventmesh-connector-rocketmq/build.gradle +++ b/eventmesh-connectors/eventmesh-connector-rocketmq/build.gradle @@ -34,7 +34,16 @@ List rocketmq = [ dependencies { api project(":eventmesh-openconnect:eventmesh-openconnect-java") implementation project(":eventmesh-common") - implementation rocketmq + /* + * The exclusions can be removed after this issue is fixed: + * https://github.com/apache/rocketmq/issues/5347 + */ + rocketmq.each { + implementation(it) { + exclude group: 'ch.qos.logback', module: 'logback-classic' + } + } + compileOnly 'org.projectlombok:lombok' annotationProcessor 'org.projectlombok:lombok' testImplementation "org.mockito:mockito-core" diff --git a/eventmesh-connectors/eventmesh-connector-slack/build.gradle b/eventmesh-connectors/eventmesh-connector-slack/build.gradle index ad66b78b96..851887e3c3 100644 --- a/eventmesh-connectors/eventmesh-connector-slack/build.gradle +++ b/eventmesh-connectors/eventmesh-connector-slack/build.gradle @@ -15,12 +15,6 @@ * limitations under the License. */ -configurations { - implementation.exclude group: 'ch.qos.logback', module: 'logback-classic' - implementation.exclude group: 'log4j', module: 'log4j' - testImplementation.exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j' -} - dependencies { implementation project(":eventmesh-common") implementation project(":eventmesh-sdks:eventmesh-sdk-java") diff --git a/eventmesh-connectors/eventmesh-connector-spring/build.gradle b/eventmesh-connectors/eventmesh-connector-spring/build.gradle index 48459b9004..e0680d2bf2 100644 --- a/eventmesh-connectors/eventmesh-connector-spring/build.gradle +++ b/eventmesh-connectors/eventmesh-connector-spring/build.gradle @@ -15,20 +15,23 @@ * limitations under the License. */ -configurations { - implementation.exclude group: 'ch.qos.logback', module: 'logback-classic' - implementation.exclude group: 'log4j', module: 'log4j' - implementation.exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j' - testImplementation.exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j' -} - dependencies { api project(":eventmesh-openconnect:eventmesh-openconnect-java") implementation project(":eventmesh-common") implementation project(":eventmesh-sdks:eventmesh-sdk-java") - implementation "org.springframework.boot:spring-boot-starter:$spring_boot_version" - implementation "org.springframework.boot:spring-boot-starter-validation:$spring_boot_version" + + /* + * TODO: Are these dependencies necessary? The source code only requires these two dependencies + * that do not propagate logging backends: + * + * api "org.springframework:spring-context:$spring_version" + * implementation "org.springframework.boot:spring-boot-autoconfigure:$spring_boot_version" + */ + implementation("org.springframework.boot:spring-boot-starter-validation:$spring_boot_version") { + exclude group: 'org.springframework.boot', module: 'spring-boot-starter-logging' + } implementation "org.springframework:spring-messaging:$spring_version" + compileOnly 'org.projectlombok:lombok' annotationProcessor 'org.projectlombok:lombok' diff --git a/eventmesh-connectors/eventmesh-connector-wechat/build.gradle b/eventmesh-connectors/eventmesh-connector-wechat/build.gradle index 9a73345d1d..afd4e115c0 100644 --- a/eventmesh-connectors/eventmesh-connector-wechat/build.gradle +++ b/eventmesh-connectors/eventmesh-connector-wechat/build.gradle @@ -15,12 +15,6 @@ * limitations under the License. */ -configurations { - implementation.exclude group: 'ch.qos.logback', module: 'logback-classic' - implementation.exclude group: 'log4j', module: 'log4j' - testImplementation.exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j' -} - dependencies { implementation project(":eventmesh-common") implementation project(":eventmesh-sdks:eventmesh-sdk-java") diff --git a/eventmesh-connectors/eventmesh-connector-wecom/build.gradle b/eventmesh-connectors/eventmesh-connector-wecom/build.gradle index 746a4f3722..e89567c6f9 100644 --- a/eventmesh-connectors/eventmesh-connector-wecom/build.gradle +++ b/eventmesh-connectors/eventmesh-connector-wecom/build.gradle @@ -15,12 +15,6 @@ * limitations under the License. */ -configurations { - implementation.exclude group: 'ch.qos.logback', module: 'logback-classic' - implementation.exclude group: 'log4j', module: 'log4j' - testImplementation.exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j' -} - dependencies { implementation project(":eventmesh-common") implementation project(":eventmesh-sdks:eventmesh-sdk-java") diff --git a/eventmesh-examples/build.gradle b/eventmesh-examples/build.gradle index 9ef70836bd..212b567799 100644 --- a/eventmesh-examples/build.gradle +++ b/eventmesh-examples/build.gradle @@ -17,15 +17,14 @@ def grpcVersion = '1.43.2' -configurations { - implementation.exclude group: 'org.springframework.boot', module: 'spring-boot-starter-logging' -} - dependencies { implementation project(":eventmesh-sdks:eventmesh-sdk-java") implementation project(":eventmesh-common") implementation project(":eventmesh-storage-plugin:eventmesh-storage-api") implementation project(":eventmesh-connectors:eventmesh-connector-spring") + implementation('org.springframework.boot:spring-boot-starter') { + exclude module: 'spring-boot-starter-logging' + } implementation 'org.springframework.boot:spring-boot-starter-web' implementation 'io.netty:netty-all' implementation "io.cloudevents:cloudevents-core" diff --git a/eventmesh-meta/eventmesh-meta-zookeeper/build.gradle b/eventmesh-meta/eventmesh-meta-zookeeper/build.gradle index 1d8c871e2b..149f78e99d 100644 --- a/eventmesh-meta/eventmesh-meta-zookeeper/build.gradle +++ b/eventmesh-meta/eventmesh-meta-zookeeper/build.gradle @@ -20,7 +20,15 @@ dependencies { compileOnly 'org.projectlombok:lombok' annotationProcessor 'org.projectlombok:lombok' - implementation 'org.apache.zookeeper:zookeeper' + /* + * The exclusion can be removed once ZOOKEEPER-4820 has been fixed. + * + * See https://github.com/apache/zookeeper/pull/2155 + */ + implementation('org.apache.zookeeper:zookeeper') { + exclude group: 'ch.qos.logback', module: 'logback-core' + exclude group: 'ch.qos.logback', module: 'logback-classic' + } implementation 'org.apache.curator:curator-client' implementation 'org.apache.curator:curator-framework' implementation 'org.apache.curator:curator-recipes' diff --git a/eventmesh-openconnect/eventmesh-openconnect-java/build.gradle b/eventmesh-openconnect/eventmesh-openconnect-java/build.gradle index d47a81a4ff..b41f7fbfae 100644 --- a/eventmesh-openconnect/eventmesh-openconnect-java/build.gradle +++ b/eventmesh-openconnect/eventmesh-openconnect-java/build.gradle @@ -17,9 +17,6 @@ dependencies { api "org.slf4j:slf4j-api" - implementation "org.apache.logging.log4j:log4j-api" - implementation "org.apache.logging.log4j:log4j-core" - implementation "org.apache.logging.log4j:log4j-slf4j2-impl" implementation "com.fasterxml.jackson.core:jackson-databind" implementation "com.fasterxml.jackson.core:jackson-core" @@ -29,6 +26,7 @@ dependencies { api project (":eventmesh-openconnect:eventmesh-openconnect-offsetmgmt-plugin:eventmesh-openconnect-offsetmgmt-api") implementation project (":eventmesh-openconnect:eventmesh-openconnect-offsetmgmt-plugin:eventmesh-openconnect-offsetmgmt-nacos") implementation project(":eventmesh-sdks:eventmesh-sdk-java") + implementation project(":eventmesh-common") compileOnly 'org.projectlombok:lombok' annotationProcessor 'org.projectlombok:lombok' diff --git a/eventmesh-openconnect/eventmesh-openconnect-offsetmgmt-plugin/build.gradle b/eventmesh-openconnect/eventmesh-openconnect-offsetmgmt-plugin/build.gradle index 3f5f0a240b..537c74fafc 100644 --- a/eventmesh-openconnect/eventmesh-openconnect-offsetmgmt-plugin/build.gradle +++ b/eventmesh-openconnect/eventmesh-openconnect-offsetmgmt-plugin/build.gradle @@ -17,17 +17,15 @@ dependencies { api "org.slf4j:slf4j-api" - implementation "org.apache.logging.log4j:log4j-api" - implementation "org.apache.logging.log4j:log4j-core" - implementation "org.apache.logging.log4j:log4j-slf4j2-impl" implementation "com.fasterxml.jackson.core:jackson-databind" implementation "com.fasterxml.jackson.core:jackson-core" implementation "com.fasterxml.jackson.core:jackson-annotations" implementation "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml" + implementation project(":eventmesh-common") implementation project(":eventmesh-sdks:eventmesh-sdk-java") compileOnly 'org.projectlombok:lombok' annotationProcessor 'org.projectlombok:lombok' -} \ No newline at end of file +} diff --git a/eventmesh-openconnect/eventmesh-openconnect-offsetmgmt-plugin/eventmesh-openconnect-offsetmgmt-api/build.gradle b/eventmesh-openconnect/eventmesh-openconnect-offsetmgmt-plugin/eventmesh-openconnect-offsetmgmt-api/build.gradle index c5ac62b00f..97c3b8c33c 100644 --- a/eventmesh-openconnect/eventmesh-openconnect-offsetmgmt-plugin/eventmesh-openconnect-offsetmgmt-api/build.gradle +++ b/eventmesh-openconnect/eventmesh-openconnect-offsetmgmt-plugin/eventmesh-openconnect-offsetmgmt-api/build.gradle @@ -18,12 +18,10 @@ dependencies { api project(":eventmesh-spi") api "org.slf4j:slf4j-api" - implementation "org.apache.logging.log4j:log4j-api" - implementation "org.apache.logging.log4j:log4j-core" - implementation "org.apache.logging.log4j:log4j-slf4j2-impl" compileOnly 'org.projectlombok:lombok' annotationProcessor 'org.projectlombok:lombok' + implementation project(":eventmesh-common") testCompileOnly 'org.projectlombok:lombok' testAnnotationProcessor 'org.projectlombok:lombok' diff --git a/eventmesh-retry/eventmesh-retry-rocketmq/build.gradle b/eventmesh-retry/eventmesh-retry-rocketmq/build.gradle index 3d33929b44..883081271c 100644 --- a/eventmesh-retry/eventmesh-retry-rocketmq/build.gradle +++ b/eventmesh-retry/eventmesh-retry-rocketmq/build.gradle @@ -33,7 +33,15 @@ List rocketmq = [ dependencies { implementation project(":eventmesh-storage-plugin:eventmesh-storage-api") implementation project(":eventmesh-storage-plugin:eventmesh-storage-rocketmq") - implementation rocketmq + /* + * The exclusions can be removed after this issue is fixed: + * https://github.com/apache/rocketmq/issues/5347 + */ + rocketmq.each { + implementation(it) { + exclude group: 'ch.qos.logback', module: 'logback-classic' + } + } implementation project(":eventmesh-retry:eventmesh-retry-api") implementation project(":eventmesh-common") diff --git a/eventmesh-sdks/eventmesh-sdk-java/build.gradle b/eventmesh-sdks/eventmesh-sdk-java/build.gradle index db15554031..c83b77d26b 100644 --- a/eventmesh-sdks/eventmesh-sdk-java/build.gradle +++ b/eventmesh-sdks/eventmesh-sdk-java/build.gradle @@ -18,7 +18,11 @@ def grpcVersion = '1.43.2' dependencies { - api project(":eventmesh-common") + api(project(":eventmesh-common")) { + // Remove logging backend implementations to allow users to choose their own + exclude group: 'org.apache.logging.log4j', module: 'log4j-core' + exclude group: 'org.apache.logging.log4j', module: 'log4j-slf4j2-impl' + } implementation "com.fasterxml.jackson.core:jackson-databind" implementation "com.fasterxml.jackson.core:jackson-core" diff --git a/eventmesh-storage-plugin/eventmesh-storage-kafka/build.gradle b/eventmesh-storage-plugin/eventmesh-storage-kafka/build.gradle index d776cc46a7..1a467ed8c3 100644 --- a/eventmesh-storage-plugin/eventmesh-storage-kafka/build.gradle +++ b/eventmesh-storage-plugin/eventmesh-storage-kafka/build.gradle @@ -14,10 +14,6 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -configurations { - implementation.exclude group: 'ch.qos.logback', module: 'logback-classic' - implementation.exclude group: 'log4j', module: 'log4j' -} dependencies { implementation project(":eventmesh-storage-plugin:eventmesh-storage-api") diff --git a/eventmesh-storage-plugin/eventmesh-storage-pulsar/build.gradle b/eventmesh-storage-plugin/eventmesh-storage-pulsar/build.gradle index 77922e241a..d439016bea 100644 --- a/eventmesh-storage-plugin/eventmesh-storage-pulsar/build.gradle +++ b/eventmesh-storage-plugin/eventmesh-storage-pulsar/build.gradle @@ -15,19 +15,30 @@ * limitations under the License. */ -configurations { - implementation.exclude group: 'ch.qos.logback', module: 'logback-classic' - implementation.exclude group: 'log4j', module: 'log4j' -} - dependencies { implementation project(":eventmesh-common") implementation project(":eventmesh-storage-plugin:eventmesh-storage-api") - implementation 'org.apache.pulsar:pulsar-client:2.10.1' + + /* + * TODO: This is a shaded artifact that contains 20 MiB of external libraries. It could probably be replaced by: + * + * implementation "org.apache.pulsar:pulsar-client-api:$pulsar_version" + * runtimeOnly "org.apache.pulsar:pulsar-client-original:$pulsar_version" + * + * The exclusions can be removed after an upgrade of the transitive: + * + * "org.apache.bookkeeper:bookkeeper" + * + * dependency to 4.15.4 or higher (used by Pulsar 2.11.2 or higher). + */ + implementation('org.apache.pulsar:pulsar-client:2.10.1') { + // Remove logging backend implementations + exclude group: 'org.apache.logging.log4j', module: 'log4j-core' + exclude group: 'org.apache.logging.log4j', module: 'log4j-slf4j-impl' + } testImplementation project(":eventmesh-storage-plugin:eventmesh-storage-api") testImplementation project(":eventmesh-common") - testImplementation 'org.apache.pulsar:pulsar-client:2.10.1' implementation 'io.cloudevents:cloudevents-json-jackson' diff --git a/eventmesh-storage-plugin/eventmesh-storage-rabbitmq/build.gradle b/eventmesh-storage-plugin/eventmesh-storage-rabbitmq/build.gradle index 69b4f75bac..2e8ddac448 100644 --- a/eventmesh-storage-plugin/eventmesh-storage-rabbitmq/build.gradle +++ b/eventmesh-storage-plugin/eventmesh-storage-rabbitmq/build.gradle @@ -15,11 +15,6 @@ * limitations under the License. */ -configurations { - implementation.exclude group: 'ch.qos.logback', module: 'logback-classic' - implementation.exclude group: 'log4j', module: 'log4j' -} - dependencies { implementation project(":eventmesh-storage-plugin:eventmesh-storage-api") implementation project(":eventmesh-common") diff --git a/eventmesh-storage-plugin/eventmesh-storage-redis/build.gradle b/eventmesh-storage-plugin/eventmesh-storage-redis/build.gradle index 5a103cb8e3..bec0767638 100644 --- a/eventmesh-storage-plugin/eventmesh-storage-redis/build.gradle +++ b/eventmesh-storage-plugin/eventmesh-storage-redis/build.gradle @@ -15,10 +15,6 @@ * limitations under the License. */ -configurations { - implementation.exclude group: 'org.slf4j', module: 'slf4j-simple' -} - dependencies { implementation project(":eventmesh-common") implementation project(":eventmesh-storage-plugin:eventmesh-storage-api") diff --git a/eventmesh-storage-plugin/eventmesh-storage-rocketmq/build.gradle b/eventmesh-storage-plugin/eventmesh-storage-rocketmq/build.gradle index be30240097..fd14357fb9 100644 --- a/eventmesh-storage-plugin/eventmesh-storage-rocketmq/build.gradle +++ b/eventmesh-storage-plugin/eventmesh-storage-rocketmq/build.gradle @@ -15,11 +15,6 @@ * limitations under the License. */ -configurations { - implementation.exclude group: 'ch.qos.logback', module: 'logback-classic' - implementation.exclude group: 'log4j', module: 'log4j' -} - List rocketmq = [ "org.apache.rocketmq:rocketmq-client:$rocketmq_version", "org.apache.rocketmq:rocketmq-broker:$rocketmq_version", @@ -39,7 +34,15 @@ List rocketmq = [ dependencies { implementation project(":eventmesh-common") implementation project(":eventmesh-storage-plugin:eventmesh-storage-api") - implementation rocketmq + /* + * The exclusions can be removed after this issue is fixed: + * https://github.com/apache/rocketmq/issues/5347 + */ + rocketmq.each { + implementation(it) { + exclude group: 'ch.qos.logback', module: 'logback-classic' + } + } testImplementation project(":eventmesh-storage-plugin:eventmesh-storage-api") testImplementation project(":eventmesh-common") @@ -47,8 +50,6 @@ dependencies { testImplementation "org.mockito:mockito-core" testImplementation "org.mockito:mockito-junit-jupiter" - testImplementation rocketmq - compileOnly 'org.projectlombok:lombok' annotationProcessor 'org.projectlombok:lombok' diff --git a/tools/dependency-check/check-dependencies.sh b/tools/dependency-check/check-dependencies.sh old mode 100644 new mode 100755 index 5353df817e..3842323c1f --- a/tools/dependency-check/check-dependencies.sh +++ b/tools/dependency-check/check-dependencies.sh @@ -1,4 +1,4 @@ -#!/usr/bin bash +#!/bin/bash # # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with @@ -34,14 +34,14 @@ self_modules_txt='tools/dependency-check/self-modules.txt' # store all third part dependencies third_party_dependencies_txt='tools/dependency-check/third-party-dependencies.txt' -mkdir $decompress_conf || true +mkdir -p $decompress_conf tar -zxf build/eventmesh*.tar.gz -C $decompress_conf ./gradlew printProjects | grep '.jar' > "$self_modules_txt" -find "$decompress_conf" -name "*.jar" -exec basename {} \; | uniq | sort > "$all_dependencies_txt" +find "$decompress_conf" -name "*.jar" -exec basename {} \; | sort | uniq > "$all_dependencies_txt" -grep -wvf "$self_modules_txt" "$all_dependencies_txt" | uniq | sort > "$third_party_dependencies_txt" +grep -wvf "$self_modules_txt" "$all_dependencies_txt" | sort | uniq > "$third_party_dependencies_txt" # If the check is success it will return 0 sort "$known_third_party_dependencies_txt" | diff - "$third_party_dependencies_txt" diff --git a/tools/dependency-check/known-dependencies.txt b/tools/dependency-check/known-dependencies.txt index b30ca5d5ed..f6627a693e 100644 --- a/tools/dependency-check/known-dependencies.txt +++ b/tools/dependency-check/known-dependencies.txt @@ -154,15 +154,11 @@ json-path-2.7.0.jar json-smart-2.4.7.jar json-utils-2.20.29.jar jsr305-3.0.2.jar -jul-to-slf4j-1.7.33.jar kafka-clients-3.0.0.jar listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar log4j-api-2.22.1.jar log4j-core-2.22.1.jar -log4j-slf4j-impl-2.22.1.jar log4j-slf4j2-impl-2.22.1.jar -logback-classic-1.2.10.jar -logback-core-1.2.10.jar lz4-java-1.7.1.jar lz4-java-1.8.0.jar metrics-annotation-4.1.0.jar @@ -325,7 +321,6 @@ spring-beans-5.3.20.jar spring-boot-2.5.9.jar spring-boot-autoconfigure-2.5.9.jar spring-boot-starter-2.5.9.jar -spring-boot-starter-logging-2.5.9.jar spring-boot-starter-validation-2.5.9.jar spring-context-5.3.15.jar spring-core-5.3.20.jar diff --git a/tools/third-party-licenses/licenses/java/LICENSE-logback-core.txt b/tools/third-party-licenses/licenses/java/LICENSE-logback-core.txt deleted file mode 100644 index 8953762a3c..0000000000 --- a/tools/third-party-licenses/licenses/java/LICENSE-logback-core.txt +++ /dev/null @@ -1,14 +0,0 @@ -Logback LICENSE ---------------- - -Logback: the reliable, generic, fast and flexible logging framework. -Copyright (C) 1999-2015, QOS.ch. All rights reserved. - -This program and the accompanying materials are dual-licensed under -either the terms of the Eclipse Public License v1.0 as published by -the Eclipse Foundation - - or (per the licensee's choosing) - -under the terms of the GNU Lesser General Public License version 2.1 -as published by the Free Software Foundation. \ No newline at end of file diff --git a/tools/third-party-licenses/licenses/java/LICENSE-slf4j-simple.txt b/tools/third-party-licenses/licenses/java/LICENSE-slf4j-simple.txt deleted file mode 100644 index 744377c437..0000000000 --- a/tools/third-party-licenses/licenses/java/LICENSE-slf4j-simple.txt +++ /dev/null @@ -1,21 +0,0 @@ -Copyright (c) 2004-2017 QOS.ch -All rights reserved. - -Permission is hereby granted, free of charge, to any person obtaining -a copy of this software and associated documentation files (the -"Software"), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: - -The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.