Feature/dependency check (#13587)

Author: chrisdutz

.github/workflows/dependency-check.yml

@@ -0,0 +1,59 @@
+# This workflow will check if dependencies have changed (adding new dependencies or removing existing ones)
+
+name: Dependency Check
+
+on:
+  push:
+    branches:
+      - master
+      - 'rel/*'
+      - "rc/*"
+    paths-ignore:
+      - 'docs/**'
+      - 'site/**'
+  pull_request:
+    branches:
+      - master
+      - 'rel/*'
+      - "rc/*"
+    paths-ignore:
+      - 'docs/**'
+      - 'site/**'
+  # allow manually run the action:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3
+  MAVEN_ARGS: --batch-mode --no-transfer-progress
+  DEVELOCITY_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}
+
+jobs:
+  dependency-check:
+    strategy:
+      fail-fast: false
+      max-parallel: 15
+      matrix:
+        java: [ 17 ]
+        os: [ ubuntu-latest ]
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK ${{ matrix.java }}
+        uses: actions/setup-java@v4
+        with:
+          distribution: corretto
+          java-version: ${{ matrix.java }}
+      - name: Cache Maven packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-
+      - name: Do the dependency check
+        shell: bash
+        run: mvn verify -Dmaven.test.skip=true -DdependencyCheck.skip=false -Dmdep.analyze.skip=true

dependencies.json

@@ -0,0 +1,167 @@
+{
+    "dependencies": [
+        "cglib:cglib",
+        "ch.qos.logback:logback-classic",
+        "ch.qos.logback:logback-core",
+        "ch.qos.reload4j:reload4j",
+        "com.bugsnag:bugsnag",
+        "com.digitalpetri.fsm:strict-machine",
+        "com.digitalpetri.netty:netty-channel-fsm",
+        "com.fasterxml.jackson.core:jackson-annotations",
+        "com.fasterxml.jackson.core:jackson-core",
+        "com.fasterxml.jackson.core:jackson-databind",
+        "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml",
+        "com.fasterxml.jackson.datatype:jackson-datatype-jsr310",
+        "com.fasterxml.jackson.jaxrs:jackson-jaxrs-base",
+        "com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider",
+        "com.fasterxml.jackson.module:jackson-module-jaxb-annotations",
+        "com.github.ben-manes.caffeine:caffeine",
+        "com.github.luben:zstd-jni",
+        "com.github.stephenc.jcip:jcip-annotations",
+        "com.github.wendykierp:JTransforms",
+        "com.google.code.findbugs:jsr305",
+        "com.google.code.gson:gson",
+        "com.google.errorprone:error_prone_annotations",
+        "com.google.guava:failureaccess",
+        "com.google.guava:guava",
+        "com.google.guava:listenablefuture",
+        "com.google.j2objc:j2objc-annotations",
+        "com.h2database:h2-mvstore",
+        "com.librato.metrics:librato-java",
+        "com.librato.metrics:metrics-librato",
+        "com.lmax:disruptor",
+        "com.nimbusds:content-type",
+        "com.nimbusds:lang-tag",
+        "com.nimbusds:nimbus-jose-jwt",
+        "com.nimbusds:oauth2-oidc-sdk",
+        "com.sun.istack:istack-commons-runtime",
+        "com.zaxxer:HikariCP",
+        "commons-cli:commons-cli",
+        "commons-codec:commons-codec",
+        "commons-io:commons-io",
+        "commons-logging:commons-logging",
+        "io.airlift:airline",
+        "io.airlift:concurrent",
+        "io.airlift:log",
+        "io.airlift:units",
+        "io.dropwizard.metrics:metrics-core",
+        "io.dropwizard.metrics:metrics-jvm",
+        "io.jsonwebtoken:jjwt-api",
+        "io.micrometer:micrometer-commons",
+        "io.micrometer:micrometer-core",
+        "io.micrometer:micrometer-observation",
+        "io.moquette:moquette-broker",
+        "io.netty:netty-buffer",
+        "io.netty:netty-codec",
+        "io.netty:netty-codec-dns",
+        "io.netty:netty-codec-http",
+        "io.netty:netty-codec-http2",
+        "io.netty:netty-codec-mqtt",
+        "io.netty:netty-codec-socks",
+        "io.netty:netty-common",
+        "io.netty:netty-handler",
+        "io.netty:netty-handler-proxy",
+        "io.netty:netty-resolver",
+        "io.netty:netty-resolver-dns",
+        "io.netty:netty-resolver-dns-classes-macos",
+        "io.netty:netty-resolver-dns-native-macos",
+        "io.netty:netty-transport",
+        "io.netty:netty-transport-classes-epoll",
+        "io.netty:netty-transport-native-epoll",
+        "io.netty:netty-transport-native-unix-common",
+        "io.projectreactor:reactor-core",
+        "io.projectreactor.netty:reactor-netty-core",
+        "io.projectreactor.netty:reactor-netty-http",
+        "io.swagger:swagger-annotations",
+        "io.swagger:swagger-core",
+        "io.swagger:swagger-jaxrs",
+        "io.swagger:swagger-models",
+        "jakarta.activation:jakarta.activation-api",
+        "jakarta.annotation:jakarta.annotation-api",
+        "jakarta.servlet:jakarta.servlet-api",
+        "jakarta.validation:jakarta.validation-api",
+        "jakarta.ws.rs:jakarta.ws.rs-api",
+        "jakarta.xml.bind:jakarta.xml.bind-api",
+        "net.java.dev.jna:jna",
+        "net.minidev:accessors-smart",
+        "net.minidev:json-smart",
+        "org.antlr:antlr4-runtime",
+        "org.apache.commons:commons-collections4",
+        "org.apache.commons:commons-csv",
+        "org.apache.commons:commons-jexl3",
+        "org.apache.commons:commons-lang3",
+        "org.apache.commons:commons-math3",
+        "org.apache.commons:commons-pool2",
+        "org.apache.httpcomponents:httpclient",
+        "org.apache.httpcomponents:httpcore",
+        "org.apache.ratis:ratis-client",
+        "org.apache.ratis:ratis-common",
+        "org.apache.ratis:ratis-grpc",
+        "org.apache.ratis:ratis-metrics-api",
+        "org.apache.ratis:ratis-proto",
+        "org.apache.ratis:ratis-server",
+        "org.apache.ratis:ratis-server-api",
+        "org.apache.ratis:ratis-thirdparty-misc",
+        "org.apache.thrift:libthrift",
+        "org.apache.tsfile:common",
+        "org.apache.tsfile:tsfile",
+        "org.bouncycastle:bcpkix-jdk18on",
+        "org.bouncycastle:bcprov-jdk18on",
+        "org.bouncycastle:bcutil-jdk18on",
+        "org.checkerframework:checker-qual",
+        "org.eclipse.collections:eclipse-collections",
+        "org.eclipse.collections:eclipse-collections-api",
+        "org.eclipse.jetty:jetty-http",
+        "org.eclipse.jetty:jetty-io",
+        "org.eclipse.jetty:jetty-security",
+        "org.eclipse.jetty:jetty-server",
+        "org.eclipse.jetty:jetty-servlet",
+        "org.eclipse.jetty:jetty-util",
+        "org.eclipse.jetty:jetty-util-ajax",
+        "org.eclipse.milo:bsd-core",
+        "org.eclipse.milo:bsd-generator",
+        "org.eclipse.milo:sdk-client",
+        "org.eclipse.milo:sdk-core",
+        "org.eclipse.milo:sdk-server",
+        "org.eclipse.milo:stack-client",
+        "org.eclipse.milo:stack-core",
+        "org.eclipse.milo:stack-server",
+        "org.fusesource.hawtbuf:hawtbuf",
+        "org.fusesource.hawtdispatch:hawtdispatch",
+        "org.fusesource.hawtdispatch:hawtdispatch-transport",
+        "org.fusesource.mqtt-client:mqtt-client",
+        "org.glassfish.hk2:hk2-api",
+        "org.glassfish.hk2:hk2-locator",
+        "org.glassfish.hk2:hk2-utils",
+        "org.glassfish.hk2:osgi-resource-locator",
+        "org.glassfish.hk2.external:aopalliance-repackaged",
+        "org.glassfish.hk2.external:jakarta.inject",
+        "org.glassfish.jaxb:jaxb-runtime",
+        "org.glassfish.jaxb:txw2",
+        "org.glassfish.jersey.containers:jersey-container-servlet-core",
+        "org.glassfish.jersey.core:jersey-client",
+        "org.glassfish.jersey.core:jersey-common",
+        "org.glassfish.jersey.core:jersey-server",
+        "org.glassfish.jersey.inject:jersey-hk2",
+        "org.glassfish.jersey.media:jersey-media-multipart",
+        "org.hdrhistogram:HdrHistogram",
+        "org.java-websocket:Java-WebSocket",
+        "org.javassist:javassist",
+        "org.jline:jline",
+        "org.jvnet.mimepull:mimepull",
+        "org.latencyutils:LatencyUtils",
+        "org.lz4:lz4-java",
+        "org.ops4j.pax.jdbc:pax-jdbc-common",
+        "org.osgi:osgi.cmpn",
+        "org.osgi:osgi.core",
+        "org.ow2.asm:asm",
+        "org.reactivestreams:reactive-streams",
+        "org.reflections:reflections",
+        "org.slf4j:slf4j-api",
+        "org.slf4j:slf4j-reload4j",
+        "org.tukaani:xz",
+        "org.xerial.snappy:snappy-java",
+        "org.yaml:snakeyaml",
+        "pl.edu.icm:JLargeArrays"
+    ]
+}

pom.xml

@@ -68,6 +68,7 @@
         <commons-pool2.version>2.11.1</commons-pool2.version>
         <commons.collections4.version>4.4</commons.collections4.version>
         <ctest.skip.tests>false</ctest.skip.tests>
+        <dependencyCheck.skip>true</dependencyCheck.skip>
         <disruptor.version>3.4.4</disruptor.version>
         <drill.freemarker.maven.plugin.version>1.21.1</drill.freemarker.maven.plugin.version>
         <dropwizard.metrics.version>4.2.19</dropwizard.metrics.version>
@@ -1360,6 +1361,90 @@
                     </execution>
                 </executions>
             </plugin>
+            <!-- Check if we've changed any dependencies being included -->
+            <plugin>
+                <groupId>org.cyclonedx</groupId>
+                <artifactId>cyclonedx-maven-plugin</artifactId>
+                <!-- Only run this in the root module of the project -->
+                <inherited>false</inherited>
+                <configuration>
+                    <outputName>apache-${project.artifactId}-${project.version}-sbom</outputName>
+                </configuration>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>makeAggregateBom</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>xml-maven-plugin</artifactId>
+                <version>1.1.0</version>
+                <!-- Only run this in the root module of the project -->
+                <inherited>false</inherited>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>transform</goal>
+                        </goals>
+                        <configuration>
+                            <transformationSets>
+                                <transformationSet>
+                                    <dir>${project.basedir}/target/</dir>
+                                    <includes>apache-${project.artifactId}-${project.version}-sbom.xml</includes>
+                                    <stylesheet>src/main/xslt/sbom-filter.xsl</stylesheet>
+                                    <outputDir>${project.basedir}/target/</outputDir>
+                                    <fileMappers>
+                                        <fileMapper implementation="org.codehaus.plexus.components.io.filemappers.FileExtensionMapper">
+                                            <targetExtension>transformed.json</targetExtension>
+                                        </fileMapper>
+                                    </fileMappers>
+                                </transformationSet>
+                            </transformationSets>
+                        </configuration>
+                    </execution>
+                </executions>
+                <dependencies>
+                    <dependency>
+                        <groupId>net.sf.saxon</groupId>
+                        <artifactId>Saxon-HE</artifactId>
+                        <version>12.5</version>
+                    </dependency>
+                </dependencies>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.gmaven</groupId>
+                <artifactId>groovy-maven-plugin</artifactId>
+                <version>2.1.1</version>
+                <!-- Only run this in the root module of the project -->
+                <inherited>false</inherited>
+                <executions>
+                    <execution>
+                        <id>compare-with-reference-list</id>
+                        <phase>verify</phase>
+                        <goals>
+                            <goal>execute</goal>
+                        </goals>
+                        <configuration>
+                            <properties>
+                                <skipDependencyCheck>${dependencyCheck.skip}</skipDependencyCheck>
+                            </properties>
+                            <source>src/main/groovy/checkDependencies.groovy</source>
+                        </configuration>
+                    </execution>
+                </executions>
+                <dependencies>
+                    <dependency>
+                        <groupId>org.apache.groovy</groupId>
+                        <artifactId>groovy</artifactId>
+                        <version>4.0.22</version>
+                    </dependency>
+                </dependencies>
+            </plugin>
         </plugins>
     </build>
     <licenses>

src/main/groovy/checkDependencies.groovy

@@ -0,0 +1,60 @@
+package src.main.groovy
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import groovy.json.JsonSlurper
+
+if(Boolean.parseBoolean(properties['skipDependencyCheck']).booleanValue()) {
+    println "Skipping dependency check"
+    return
+}
+
+def jsonSlurper = new JsonSlurper()
+
+var referenceFile = new File(basedir, "dependencies.json")
+if(!referenceFile.exists()) {
+    throw new RuntimeException("Missing Reference: dependencies.json")
+}
+def referenceJson = jsonSlurper.parse(referenceFile)
+
+var curBuildFile = new File(project.build.directory, "apache-${project.artifactId}-${project.version}-sbom.transformed.json")
+if(!curBuildFile.exists()) {
+    throw new RuntimeException("Missing Build: apache-${project.artifactId}-${project.version}-sbom.transformed.json")
+}
+def curBuildJson = jsonSlurper.parse(curBuildFile)
+
+def differencesFound = false
+referenceJson.dependencies.each {
+    if(!curBuildJson.dependencies.contains(it)) {
+        println "current build has removed a dependency: " + it
+        differencesFound = true
+    }
+}
+curBuildJson.dependencies.each {
+    if(!referenceJson.dependencies.contains(it)) {
+        println "current build has added a dependency: " + it
+        differencesFound = true
+    }
+}
+
+if(differencesFound) {
+    println "Differences were found between the information in ${referenceFile.getPath()} and ${curBuildFile.toPath()}"
+    println "The simplest fix for this, is to replace the content of ${referenceFile.getPath()} with that of ${curBuildFile.toPath()} and to inspect the diff of the resulting file in your IDE of choice."
+    throw new RuntimeException("Differences found.")
+}