Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tomcat10 support latest master #4342

Merged
merged 12 commits into from
Jul 4, 2024
Merged

Tomcat10 support latest master #4342

merged 12 commits into from
Jul 4, 2024

Conversation

psavidis
Copy link
Contributor

@psavidis psavidis commented May 14, 2024
edited
Loading

Related-to: #4387
Parent-issue: #2471

@psavidis psavidis added the ci:tomcat Runs the builds for the Tomcat application server. label May 14, 2024
@psavidis psavidis self-assigned this May 14, 2024
@yanavasileva yanavasileva added ci:all-as Runs the builds for all application servers. ci:spring-boot Runs the integration tests for the Spring Boot starter. ci:webapp-integration Runs the webapp integration builds. labels May 14, 2024
@psavidis psavidis added ci:skipTests Skips tests execution in Assembly and Distro-ee stages. labels May 15, 2024
@yanavasileva yanavasileva removed ci:all-as Runs the builds for all application servers. ci:spring-boot Runs the integration tests for the Spring Boot starter. ci:skipTests Skips tests execution in Assembly and Distro-ee stages. labels May 17, 2024
@psavidis psavidis added the ci:skipTests Skips tests execution in Assembly and Distro-ee stages. label May 21, 2024
@psavidis psavidis force-pushed the tomcat10_support_latest_master branch 4 times, most recently from 52127f5 to e64463e Compare May 23, 2024 15:09
@psavidis psavidis removed ci:skipTests Skips tests execution in Assembly and Distro-ee stages. ci:webapp-integration Runs the webapp integration builds. labels May 24, 2024
@psavidis psavidis force-pushed the tomcat10_support_latest_master branch from 487eddf to b7b7328 Compare May 29, 2024 06:20
This was referenced May 29, 2024
Closed
Closed
@psavidis psavidis force-pushed the tomcat10_support_latest_master branch from b7b7328 to 75af30a Compare May 29, 2024 10:40
@psavidis psavidis force-pushed the tomcat10_support_latest_master branch 2 times, most recently from c42c696 to fd7a58b Compare June 17, 2024 13:48
@psavidis psavidis added ci:all-as Runs the builds for all application servers. bot:java-dependency-check When assigned to a PR, generates SBOMs for the PR and base branch and compares them. labels Jun 17, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 18, 2024
edited by psavidis
Loading

Java dependency diff

Omitted due to character limit. See workflow artifacts for full diff file.

Module details

Omitted due to character limit. See workflow artifacts for full diff file.

Checklist

Unique changes

Unique additions

Developer comments

Glossary

Limitations

  • The reported transitive dependencies may not always be accurate in a multi-module project.
    The SBOM file format represents a unique dependency (coordinates + type) only once. In a multi-module
    project a dependency can be declared in multiple locations with different exclusions of transitive dependencies
    or different version overrides for transitive dependencies.

Emojies

  • ✔: All licenses are on the Go list
  • ⚠: (At least one) license is on the Caution list
  • ❌: (At least one) license is on the Stop list
  • ❓: (At least one) license cannot be determined or is unknown
  • ‼: Dependency has multiple licenses declared
  • ⬆: New dependency version is higher than previous
  • ⬇: New dependency version is lower than previous
  • 🔄: Dependency version is equal and the dependencies of this component changed (e.g. when comparing snapshots)
  • 🤷: The change of the dependency version can not be determined further (e.g. because the version does not follow semantic versioning)

@psavidis
Copy link
Contributor Author

psavidis commented Jun 18, 2024
edited
Loading

Dependencies license check

Upgrades

Dependency Old version New version License change License Action required
slf4j-api 1.7.36 1.7.29 No MIT No
tomcat 9.0.85 10.1.18 No Apache 2.0 License No

Additions

Dependency New version License Status Action required
jna 5.8.0 LGPL 2.1, Apache 2.0 from 4.0+ Go No, Using Apache 2.0
jboss-jstl-api_1.2_spec 1.0.3.Final Apache 2.0, CDDL, GPLv2 with Exceptions Go No, using Apache 2.0
jboss-vfs 3.1.0.Final Apache 2.0 Go No
icu4j 68.2 Unicode License v3 Go No
ant 1.7.1 Apache 2.0 License Go No
jboss-logging 3.0.0.CR1 Apache 2.0 Go No
tomcat 1.10.18 Apache 2.0 Go No
jakarta.enterprise.cdi-api 4.0.1 Apache 2.0 License Go No
jakarta.servlet-api 6.0.0 EPL 2.0 Caution Yes
jakarta.annotation-api 2.1.1 EPL 2.0 Caution Yes
jakarta.ws.rs-api 3.1.0 EPL 2.0 Caution Yes
h2 2.1.214 Mozilla Public License 2.0 Caution Yes
junit 4.13.1 EPL 1.0 Caution Yes
jakarta.el-api 4.0.0 EPL 2.0 Caution Yes
javax.activation 1.2.0 CDDL 1.1 Caution Yes
javax.activation 1.1 CDDL-1.0 Caution Yes
jboss-javaee-web 6.0: 3.0.2.Final GNU LGPL 2.1 Caution Yes
hibernate-jpa-2.0-api 1.0.1.Final EPL 1.0 Caution Yes
jboss-annotations-api_1.1_spec 1.0.1.Final CDDL or GPLv2 with exceptions Caution Yes, chosing CDDL
jboss-ejb-api_3.1_spec 1.0.2.Final CDDL 1.0, GNU General Public License, Version 2 with the Classpath Exception Caution Yes, chosing CDDL
jboss-el-api_2.2_spec 1.0.2.Final CDDL or GPLv2 with exceptions Caution Yes, chosing CDDL
jboss-jsf-api_2.1_spec 2.0.9.Final CCDL or GPLv2 with exceptions Caution Yes, chosing CDDL
jboss-interceptors-api_1.1_spec 1.0.1.Final CDDL, GPL 2.0 with Classpath Exceptions Caution Yes, chosing CDDL
jboss-connector-api_1.6_spec 1.0.1.Final CDDL or GPLv2 with exceptions Caution Yes, choosing CDDL
jboss-jaspi-api_1.0_spec 1.0.1.Final LGPL 2.1 Caution Yes
jboss-servlet-api_3.0_spec 1.0.2.Final CDDL or GPLv2 with exceptions Caution Yes, choosing CDDL
jboss-jsp-api_2.2_spec 1.0.1.Final GPLv2 Caution Yes
jboss-jstl-api_1.2_spec 1.0.3.Final CDDL or GPLv2 Caution Yes
jboss-transaction-api_1.1_spec 1.0.1.Final CDDL or GPLv2 Caution Yes
jboss-jaxb-api_2.2_spec 1.0.4.Final GPLv2 Caution Yes
jakarta.transaction-api 2.0.1 EPL 2.0 Caution Yes
jakarta.ejb-api 4.0.1 EPL 2.0 Caution Yes
javax.mail 1.5.6 GPLv2 or CDDL Caution Yes
activation 1.1 CDDL 1.0 Caution Yes
jakarta.interceptor-api 2.1.0 EPL 2.0 or GPL2 with Classpath Exceptions Caution Yes
jakarta.enterprise.concurrent-api 3.0.1 EPL 2.0 Caution Yes
jakarta.faces-api 4.0.1 EPL 2.0 Caution Yes
jakarta.el-api 5.0.1 EPL 2.0 Caution Yes

@psavidis
Copy link
Contributor Author

Notes for the Reviewer

The ee pipeline build failure looks unrelated to the changes.

Assigning for the review.

@psavidis psavidis force-pushed the tomcat10_support_latest_master branch from fd7a58b to fcc6c0c Compare June 18, 2024 11:11
@psavidis psavidis marked this pull request as ready for review June 18, 2024 11:11
psavidis
psavidis commented Jun 28, 2024
View reviewed changes
engine-rest/assembly-jakarta/assembly-war-tomcat.xml Outdated
<include>jakarta.xml.bind:jakarta.xml.bind-api:jar</include>

<!-- Resteasy -->
<include>org.jboss.resteasy:resteasy-*</include>
Copy link
Contributor Author

@psavidis psavidis Jun 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line could potentially include more artifacts than neccessary

Copy link
Contributor Author

@psavidis psavidis Jul 1, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After keeping only reasteasy-core from all the resteasy artifacts, no issue could be identified at the moment.

References:

@psavidis
Copy link
Contributor Author

psavidis commented Jul 1, 2024
edited
Loading

Update

Context: Removed all resteasy depencencies except resteasy-core
Reference: commit
Notes:

  • The above also removes the following dependencies:

    • jakarta.activation-1.2.2
    • jakarta.validation-api-2.0.2
    • jboss-annotations-api_1.3_spec-2.0.1.Final
    • jboss-jaxb-api_2.3_spec-2.0.1.Final
    • jboss-jaxrs-api_2.1_spec-2.0.1.Final
    • jboss-logging-3.4.1.Final
    • jcip-annotations-1.0-1
    • reactive-streams-1.0.3
    • resteasy-jaxrs-3.15.6.Final

  • Tested the distro manually and couldn't find any problems after the removal of the aforementioned dependencies.

  • Build passed ✔

@psavidis psavidis mentioned this pull request Jul 1, 2024
Merged
@psavidis
chore(assembly-jakarta): Include resteasy-core directly
1b05b6e 
The inclusion contains also the transitive dependencies
@psavidis
Copy link
Contributor Author

psavidis commented Jul 1, 2024

Assigning for a second review round

danielkelemen
danielkelemen approved these changes Jul 1, 2024
View reviewed changes
Copy link
Member

@danielkelemen danielkelemen left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Looks good. Nice work!
❓Is the CI error related?

@psavidis
Copy link
Contributor Author

psavidis commented Jul 1, 2024

👍 Looks good. Nice work! ❓Is the CI error related?

I believe we can ignore it since the respective EE-PR build passed which used the No. 48 build (latest) as a basis

@psavidis
Copy link
Contributor Author

psavidis commented Jul 1, 2024

Next steps

Redo License check after the updated artifacts, collect them and send the list for license approval.

@psavidis psavidis added bot:java-dependency-check When assigned to a PR, generates SBOMs for the PR and base branch and compares them. and removed bot:java-dependency-check When assigned to a PR, generates SBOMs for the PR and base branch and compares them. labels Jul 2, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 2, 2024
edited by psavidis
Loading

Java dependency diff

Omitted due to character limit. See workflow artifacts for full diff file.

Module details

cockroachdb:1.16.0

Declared licenses:

  • MIT ✔

Links:

junit:4.13.1

Declared licenses:

  • EPL-1.0 ⚠

Links:

hamcrest-core:1.3

Declared licenses:

  • BSD-3-Clause ✔

Links:

slf4j-api:1.7.26

Declared licenses:

  • MIT ✔

Links:

testcontainers:1.16.0

Declared licenses:

  • MIT ✔

Links:

commons-compress:1.20

Declared licenses:

  • Apache-2.0 ✔

Links:

duct-tape:1.0.8

Declared licenses:

  • MIT ✔

Links:

docker-java-api:3.2.11

Declared licenses:

  • Apache-2.0 ✔

Links:

jackson-annotations:2.10.3

Declared licenses:

  • Apache-2.0 ✔

Links:

docker-java-transport-zerodep:3.2.11

Declared licenses:

  • Apache-2.0 ✔

Links:

docker-java-transport:3.2.11

Declared licenses:

  • Apache-2.0 ✔

Links:

jna:5.8.0

Declared licenses:

Links:

jdbc:1.16.0

Declared licenses:

  • MIT ✔

Links:

database-commons:1.16.0

Declared licenses:

  • MIT ✔

Links:

jakarta.servlet-api:6.0.0

Declared licenses:

  • EPL-2.0 ⚠
  • GPL-2.0-with-classpath-exception ⚠

Links:

resteasy-core:6.2.3.Final

Declared licenses:

  • Apache-2.0 ✔

Links:

jakarta.activation-api:2.1.0

Declared licenses:

  • BSD-3-Clause ✔

Links:

jakarta.xml.bind-api:4.0.0

Declared licenses:

  • BSD-3-Clause ✔

Links:

jakarta.annotation-api:2.1.1

Declared licenses:

  • EPL-2.0 ⚠
  • GPL-2.0-with-classpath-exception ⚠

Links:

jakarta.ws.rs-api:3.1.0

Declared licenses:

  • EPL-2.0 ⚠
  • GPL-2.0-with-classpath-exception ⚠

Links:

jakarta.validation-api:3.0.2

Declared licenses:

  • Apache-2.0 ✔

Links:

jboss-logging:3.5.0.Final

Declared licenses:

  • Apache-2.0 ✔

Links:

jandex:2.4.3.Final

Declared licenses:

  • Apache-2.0 ✔

Links:

resteasy-core-spi:6.2.3.Final

Declared licenses:

  • Apache-2.0 ✔

Links:

reactive-streams:1.0.4

Declared licenses:

  • MIT-0 ✔

Links:

angus-activation:1.0.0

Declared licenses:

  • BSD-3-Clause ✔

Links:

asyncutil:0.1.0

Declared licenses:

  • Apache-2.0 ✔

Links:

javax.servlet-api:4.0.0

Declared licenses:

  • (CDDL-1.0 OR GPL-2.0-with-classpath-exception) ❓

Links:

tomcat:9.0.89

Declared licenses: None

Links: None

tomcat:10.1.18

Declared licenses: None

Links: None

assertj-core:2.9.1

Declared licenses:

  • Apache-2.0 ✔

Links:

jakarta.el-api:4.0.0

Declared licenses:

Links:

javax.activation:1.2.0

Declared licenses:

  • (CDDL-1.0 OR GPL-2.0-with-classpath-exception) ❓

Links:

scala-library:2.13.12

Declared licenses:

  • Apache-2.0 ✔

Links:

fastparse_2.13:3.0.2

Declared licenses:

  • MIT ✔

Links:

sourcecode_2.13:0.3.0

Declared licenses:

  • MIT ✔

Links:

geny_2.13:1.0.0

Declared licenses:

  • MIT ✔

Links:

slf4j-api:1.7.25

Declared licenses:

  • MIT ✔

Links:

joda-time:2.12.5

Declared licenses:

  • Apache-2.0 ✔

Links:

httpclient:4.5.14

Declared licenses:

  • Apache-2.0 ✔

Links:

httpcore:4.4.16

Declared licenses:

  • Apache-2.0 ✔

Links:

commons-logging:1.2

Declared licenses:

  • Apache-2.0 ✔

Links:

commons-codec:1.15

Declared licenses:

  • Apache-2.0 ✔

Links:

mybatis:3.5.15

Declared licenses:

  • Apache-2.0 ✔

Links:

spring-beans:5.3.36

Declared licenses:

  • Apache-2.0 ✔

Links:

spring-core:5.3.36

Declared licenses:

  • Apache-2.0 ✔

Links:

spring-jcl:5.3.36

Declared licenses:

  • Apache-2.0 ✔

Links:

gson:2.8.9

Declared licenses:

  • Apache-2.0 ✔

Links:

ant:1.7.1

Declared licenses: None

Links:

ant-launcher:1.7.1

Declared licenses: None

Links:

geronimo-jta_1.1_spec:1.1.1

Declared licenses:

  • Apache-2.0 ✔

Links:

java-uuid-generator:4.3.0

Declared licenses:

  • Apache-2.0 ✔

Links:

jboss-javaee-web-6.0:3.0.2.Final

Declared licenses: None

Links: None

cdi-api:1.0-SP4

Declared licenses:

  • Apache-2.0 ✔

Links:

javax.inject:1

Declared licenses:

  • Apache-2.0 ✔

Links:

validation-api:1.0.0.GA

Declared licenses:

  • Apache-2.0 ✔

Links:

hibernate-jpa-2.0-api:1.0.1.Final

Declared licenses: None

Links:

jboss-annotations-api_1.1_spec:1.0.1.Final

Declared licenses:

Links:

jboss-ejb-api_3.1_spec:1.0.2.Final

Declared licenses:

Links:

jboss-el-api_2.2_spec:1.0.2.Final

Declared licenses:

Links:

jboss-jsf-api_2.1_spec:2.0.9.Final

Declared licenses:

Links:

jboss-interceptors-api_1.1_spec:1.0.1.Final

Declared licenses:

Links:

jboss-connector-api_1.6_spec:1.0.1.Final

Declared licenses:

Links:

jboss-jaspi-api_1.0_spec:1.0.1.Final

Declared licenses:

Links:

jboss-servlet-api_3.0_spec:1.0.2.Final

Declared licenses:

Links:

jboss-jsp-api_2.2_spec:1.0.1.Final

Declared licenses:

Links:

jboss-jstl-api_1.2_spec:1.0.3.Final

Declared licenses:

Links:

xalan:2.7.1.jbossorg-2

Declared licenses:

  • Apache-2.0 ✔

Links:

serializer:2.7.1.jbossorg-2

Declared licenses:

  • Apache-2.0 ✔

Links:

jboss-transaction-api_1.1_spec:1.0.1.Final

Declared licenses:

Links:

jboss-jaxrs-api_1.1_spec:1.0.1.Final

Declared licenses:

Links:

jboss-jaxb-api_2.2_spec:1.0.4.Final

Declared licenses:

Links:

jakarta.transaction-api:2.0.1

Declared licenses:

  • EPL-2.0 ⚠
  • GPL-2.0-with-classpath-exception ⚠

Links:

jakarta.ejb-api:4.0.1

Declared licenses:

  • EPL-2.0 ⚠
  • GPL-2.0-with-classpath-exception ⚠

Links:

catalina:6.0.37

Declared licenses:

  • Apache-2.0 ✔

Links:

servlet-api:6.0.37

Declared licenses:

  • Apache-2.0 ✔

Links:

juli:6.0.37

Declared licenses:

  • Apache-2.0 ✔

Links:

annotations-api:6.0.37

Declared licenses:

  • Apache-2.0 ✔

Links:

jboss-vfs:3.1.0.Final

Declared licenses:

Links:

jboss-logging:3.0.0.CR1

Declared licenses:

Links:

commons-email:1.5

Declared licenses:

  • Apache-2.0 ✔

Links:

javax.mail:1.5.6

Declared licenses:

  • (CDDL-1.0 OR GPL-2.0-with-classpath-exception) ❓

Links:

activation:1.1

Declared licenses:

  • CDDL-1.0 ⚠

Links:

jakarta.inject-api:2.0.1

Declared licenses:

  • Apache-2.0 ✔

Links:

jakarta.interceptor-api:2.1.0

Declared licenses:

  • EPL-2.0 ⚠
  • GPL-2.0-with-classpath-exception ⚠

Links:

jakarta.enterprise.concurrent-api:3.0.1

Declared licenses:

  • EPL-2.0 ⚠
  • GPL-2.0-with-classpath-exception ⚠

Links:

jakarta.enterprise.cdi-api:4.0.1

Declared licenses:

  • Apache-2.0 ✔

Links:

jakarta.faces-api:4.0.1

Declared licenses:

  • EPL-2.0 ⚠
  • GPL-2.0-with-classpath-exception ⚠

Links:

jakarta.el-api:5.0.1

Declared licenses:

Links:

commons-io:2.8.0

Declared licenses:

  • Apache-2.0 ✔

Links:

commons-fileupload:1.5

Declared licenses:

  • Apache-2.0 ✔

Links:

jackson-databind:2.15.2

Declared licenses:

  • Apache-2.0 ✔

Links:

jackson-annotations:2.15.2

Declared licenses:

  • Apache-2.0 ✔

Links:

jackson-core:2.15.2

Declared licenses:

  • Apache-2.0 ✔

Links:

jackson-jakarta-rs-json-provider:2.15.2

Declared licenses:

  • Apache-2.0 ✔

Links:

jackson-jakarta-rs-base:2.15.2

Declared licenses:

  • Apache-2.0 ✔

Links:

jackson-module-jakarta-xmlbind-annotations:2.15.2

Declared licenses:

  • Apache-2.0 ✔

Links:

jackson-datatype-jsr310:2.15.2

Declared licenses:

  • Apache-2.0 ✔

Links:

Checklist

Unique changes

Unique additions

Developer comments

Glossary

Limitations

  • The reported transitive dependencies may not always be accurate in a multi-module project.
    The SBOM file format represents a unique dependency (coordinates + type) only once. In a multi-module
    project a dependency can be declared in multiple locations with different exclusions of transitive dependencies
    or different version overrides for transitive dependencies.

Emojies

  • ✔: All licenses are on the Go list
  • ⚠: (At least one) license is on the Caution list
  • ❌: (At least one) license is on the Stop list
  • ❓: (At least one) license cannot be determined or is unknown
  • ‼: Dependency has multiple licenses declared
  • ⬆: New dependency version is higher than previous
  • ⬇: New dependency version is lower than previous
  • 🔄: Dependency version is equal and the dependencies of this component changed (e.g. when comparing snapshots)
  • 🤷: The change of the dependency version can not be determined further (e.g. because the version does not follow semantic versioning)

@psavidis
Copy link
Contributor Author

psavidis commented Jul 2, 2024
edited
Loading

License Check

Here is the final table with the dependencies that need approval

Dependencies used for Testing

Dependency New version License Status Action required
junit 4.13.1 EPL 1.0 Caution Yes
h2 2.1.214 Mozilla Public License 2.0 Caution Yes

APIs

Dependency New version License Status Action required
jakarta.servlet-api 6.0.0 EPL 2.0 Caution Yes
jakarta.annotation-api 2.1.1 EPL 2.0 Caution Yes
jakarta.ws.rs-api 3.1.0 EPL 2.0 Caution Yes
jakarta.el-api 5.0.1 EPL 2.0 Caution Yes
javax.activation 1.2.0 CDDL 1.1 Caution Yes
jboss-javaee-web 6.0: 3.0.2.Final GNU LGPL 2.1 Caution Yes
jboss-annotations-api_1.1_spec 1.0.1.Final CDDL or GPLv2 with exceptions Caution Yes, chosing CDDL
jboss-ejb-api_3.1_spec 1.0.2.Final CDDL 1.0, GNU General Public License, Version 2 with the Classpath Exception Caution Yes, chosing CDDL
jboss-el-api_2.2_spec 1.0.2.Final CDDL or GPLv2 with exceptions Caution Yes, chosing CDDL
jboss-jsf-api_2.1_spec 2.0.9.Final CCDL or GPLv2 with exceptions Caution Yes, chosing CDDL
jboss-interceptors-api_1.1_spec 1.0.1.Final CDDL, GPL 2.0 with Classpath Exceptions Caution Yes, chosing CDDL
jboss-connector-api_1.6_spec 1.0.1.Final CDDL or GPLv2 with exceptions Caution Yes, choosing CDDL
jboss-jaspi-api_1.0_spec 1.0.1.Final LGPL 2.1 Caution Yes
jboss-servlet-api_3.0_spec 1.0.2.Final CDDL or GPLv2 with exceptions Caution Yes, choosing CDDL
jboss-jsp-api_2.2_spec 1.0.1.Final GPLv2 Caution Yes
jboss-jstl-api_1.2_spec 1.0.3.Final CDDL or GPLv2 Caution Yes, choosing CDDL
jboss-transaction-api_1.1_spec 1.0.1.Final CDDL or GPLv2 Caution Yes, choosing CDDL
jboss-jaxrs-api_1.1_spec 1.0.1.Final CDDL Caution Yes
jboss-jaxb-api_2.2_spec 1.0.4.Final GPLv2 Caution Yes
jakarta.transaction-api 2.0.1 EPL 2.0 Caution Yes
jakarta.ejb-api 4.0.1 EPL 2.0 Caution Yes
javax.mail 1.5.6 GPLv2 or CDDL Caution Yes, choosing CDDL
jakarta.interceptor-api 2.1.0 EPL 2.0 or GPL2 with Classpath Exceptions Caution Yes, choosing EPL 2.0
jakarta.enterprise.concurrent-api 3.0.1 EPL 2.0 Caution Yes
jakarta.faces-api 4.0.1 EPL 2.0 Caution Yes
jakarta.el-api 4.0.0 EPL 2.0 Caution Yes

@psavidis psavidis added bot:java-dependency-tree When assigned to a PR, scans the code for Maven dependency changes and prints a diff. and removed bot:java-dependency-check When assigned to a PR, generates SBOMs for the PR and base branch and compares them. labels Jul 2, 2024
@psavidis
Copy link
Contributor Author

psavidis commented Jul 2, 2024

License Check Update

Opened a License check ticket to request approval

@psavidis
Copy link
Contributor Author

psavidis commented Jul 2, 2024
edited
Loading

License Check Update

There are two dependencies that use GPL and are not allowed:

  • jboss-jsp-api_2.2_spec
  • jboss-jaxb-api_2.2_spec

Reference: Approval Request Thread

Update
The bot:java-dependency-tree has detected:

Both dependencies above in their respective github repositories use GPL. It's questionable why.

Verdict: These licenses are not added by the Tomcat 10 PR but for some reason the plugin reported them as new.

Next Steps: Find out more about the licenses of the two dependencies, figure out when they were introduced and see if they can be excluded.

References: Root-cause Analysis of the Dependency Diff

@psavidis
Copy link
Contributor Author

psavidis commented Jul 3, 2024
edited
Loading

jboss-jsp-api_2.2_spec & jboss-jaxb-api_2.2_spec

Module: engine
Dependency Parent: jboss-javaee-web-6.0
Reference: last commit

@psavidis
Copy link
Contributor Author

psavidis commented Jul 3, 2024
edited
Loading

License Check

  • Opened a new ticket for investigating the correctness or necessity of the jboss dependencies.
  • Since the dependencies are not added by this Pull Request, the merge can proceed.

@psavidis
Copy link
Contributor Author

psavidis commented Jul 3, 2024

Next Step

Proceed with Merging.

@psavidis
Copy link
Contributor Author

psavidis commented Jul 3, 2024
edited
Loading

Root Cause Analysis of the Java Dependency Diff

Problem: jboss-jsp-api_2.2_spec, jboss-jaxb-api_2.2_spec are reported by the bot:java-dependency-tree.

Root-cause

  • camunda-engine-cdi was replaced with camunda-engine-cdi-jakarta in the camunda-tomcat-assembly.
  • The plugin that diffs the changes displays the its transitive artifact tree as new additions
  • The following tree branch appears as new:

camunda-engine-cdi-jakarta
|
camunda-engine
|
jboss-javaee-web-6.0 ------ jboss-jsp-api_2.2
|
jboss-jsp-api_2.2_spec

  • The jboss artifacts appear as new

Solution: Ignore the false additions.

danielkelemen
danielkelemen reviewed Jul 3, 2024
View reviewed changes
parent/pom.xml Outdated Show resolved Hide resolved
@psavidis
Copy link
Contributor Author

psavidis commented Jul 3, 2024

Next Step

Proceed with Merging.

Temporarily postponing the merge until all review points are covered and clarity for the version diff is restored.

@psavidis psavidis requested a review from tasso94 July 3, 2024 14:55
@psavidis
Copy link
Contributor Author

psavidis commented Jul 4, 2024

Update

License check has been completed. Proceeding to merging.

@psavidis psavidis merged commit bc173fc into master Jul 4, 2024
2 of 3 checks passed
@psavidis psavidis deleted the tomcat10_support_latest_master branch July 4, 2024 12:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danielkelemen danielkelemen danielkelemen approved these changes

@tasso94 tasso94 Awaiting requested review from tasso94

Assignees

@psavidis psavidis

Labels
bot:java-dependency-tree When assigned to a PR, scans the code for Maven dependency changes and prints a diff. ci:all-as Runs the builds for all application servers. ci:tomcat Runs the builds for the Tomcat application server. ci:webapp-integration Runs the webapp integration builds.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@psavidis @danielkelemen @tasso94 @yanavasileva