GEODE-8496: dependency updates (apache#5822)

onichols-pivotal · web-flow · commit 424cd7282e91 · 2020-12-08T18:14:32.000-08:00
* Bump spring-security from 5.4.1 to 5.4.2
* Bump archunit from 0.12.0 to 0.14.1
* Bump fastutil from 8.4.3 to 8.4.4
* Bump httpcore from 4.4.13 to 4.4.14
* Bump istack-commons from 3.0.11 to 4.0.0
* Bump lettuce from 5.3.5.RELEASE to 6.0.1.RELEASE
* Bump dependencyUpdates from 0.28.0 to 0.36.0
* Bump nebula-lint from 16.4.0 to 16.15.9
* Bump dependency-management from 1.0.9.RELEASE to 1.0.10.RELEASE
* Bump grgit from 4.0.1 to 4.1.0
* Bump sonarqube from "2.8" to "3.0"
* Bump nebula.facet from 6.0.2 to 6.2.0
* Bump spotless from 3.28.0 to 5.8.2
* remove unused dependency jackson-module-scala_2.10
* update bump exclusions and readme
diff --git a/boms/geode-all-bom/src/test/resources/expected-pom.xml b/boms/geode-all-bom/src/test/resources/expected-pom.xml
@@ -73,12 +73,6 @@
         <version>2.11.3</version>
         <scope>compile</scope>
       </dependency>
-      <dependency>
-        <groupId>com.fasterxml.jackson.module</groupId>
-        <artifactId>jackson-module-scala_2.10</artifactId>
-        <version>2.11.3</version>
-        <scope>compile</scope>
-      </dependency>
       <dependency>
         <groupId>com.github.davidmoten</groupId>
         <artifactId>geo</artifactId>
@@ -148,7 +142,7 @@
       <dependency>
         <groupId>com.sun.istack</groupId>
         <artifactId>istack-commons-runtime</artifactId>
-        <version>3.0.11</version>
+        <version>4.0.0</version>
         <scope>compile</scope>
       </dependency>
       <dependency>
@@ -166,7 +160,7 @@
       <dependency>
         <groupId>com.tngtech.archunit</groupId>
         <artifactId>archunit-junit4</artifactId>
-        <version>0.12.0</version>
+        <version>0.14.1</version>
         <scope>compile</scope>
       </dependency>
       <dependency>
@@ -262,7 +256,7 @@
       <dependency>
         <groupId>it.unimi.dsi</groupId>
         <artifactId>fastutil</artifactId>
-        <version>8.4.3</version>
+        <version>8.4.4</version>
         <scope>compile</scope>
       </dependency>
       <dependency>
@@ -406,7 +400,7 @@
       <dependency>
         <groupId>org.apache.httpcomponents</groupId>
         <artifactId>httpcore</artifactId>
-        <version>4.4.13</version>
+        <version>4.4.14</version>
         <scope>compile</scope>
       </dependency>
       <dependency>
@@ -550,7 +544,7 @@
       <dependency>
         <groupId>io.lettuce</groupId>
         <artifactId>lettuce-core</artifactId>
-        <version>5.3.5.RELEASE</version>
+        <version>6.0.1.RELEASE</version>
         <scope>compile</scope>
       </dependency>
       <dependency>
@@ -748,49 +742,49 @@
       <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-config</artifactId>
-        <version>5.4.1</version>
+        <version>5.4.2</version>
         <scope>compile</scope>
       </dependency>
       <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-core</artifactId>
-        <version>5.4.1</version>
+        <version>5.4.2</version>
         <scope>compile</scope>
       </dependency>
       <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-ldap</artifactId>
-        <version>5.4.1</version>
+        <version>5.4.2</version>
         <scope>compile</scope>
       </dependency>
       <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-test</artifactId>
-        <version>5.4.1</version>
+        <version>5.4.2</version>
         <scope>compile</scope>
       </dependency>
       <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-web</artifactId>
-        <version>5.4.1</version>
+        <version>5.4.2</version>
         <scope>compile</scope>
       </dependency>
       <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-oauth2-core</artifactId>
-        <version>5.4.1</version>
+        <version>5.4.2</version>
         <scope>compile</scope>
       </dependency>
       <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-oauth2-client</artifactId>
-        <version>5.4.1</version>
+        <version>5.4.2</version>
         <scope>compile</scope>
       </dependency>
       <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-oauth2-jose</artifactId>
-        <version>5.4.1</version>
+        <version>5.4.2</version>
         <scope>compile</scope>
       </dependency>
       <dependency>
diff --git a/build.gradle b/build.gradle
@@ -17,18 +17,18 @@
 
 plugins {
   id "wrapper"
-  id "nebula.facet" version "6.0.2" apply false
+  id "nebula.facet" version "6.2.0" apply false
   id "base"
   id "idea"
   id "eclipse"
-  id "com.diffplug.gradle.spotless" version "3.28.0" apply false
-  id "com.github.ben-manes.versions" version "0.28.0" apply false
-  id "nebula.lint" version "16.4.0" apply false
+  id "com.diffplug.spotless" version "5.8.2" apply false
+  id "com.github.ben-manes.versions" version "0.36.0" apply false
+  id "nebula.lint" version "16.15.9" apply false
   id "com.palantir.docker" version "0.22.1" apply false
-  id "io.spring.dependency-management" version "1.0.9.RELEASE" apply false
-  id "org.ajoberstar.grgit" version "4.0.1" apply false
+  id "io.spring.dependency-management" version "1.0.10.RELEASE" apply false
+  id "org.ajoberstar.grgit" version "4.1.0" apply false
   id "org.nosphere.apache.rat" version "0.6.0" apply false
-  id "org.sonarqube" version "2.8" apply false
+  id "org.sonarqube" version "3.0" apply false
   id "me.champeau.gradle.japicmp" apply false // Version defined in buildSrc/build.gradle
   id 'me.champeau.gradle.jmh' version '0.5.2' apply false
 }
diff --git a/buildSrc/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy b/buildSrc/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
@@ -37,7 +37,7 @@ class DependencyConstraints implements Plugin<Project> {
     deps.put("commons-io.version", "2.8.0")
     deps.put("commons-lang3.version", "3.11")
     deps.put("commons-validator.version", "1.7")
-    deps.put("fastutil.version", "8.4.3")
+    deps.put("fastutil.version", "8.4.4")
     deps.put("javax.transaction-api.version", "1.3")
     deps.put("jgroups.version", "3.6.14.Final")
     deps.put("log4j.version", "2.14.0")
@@ -89,7 +89,6 @@ class DependencyConstraints implements Plugin<Project> {
         api(group: 'com.carrotsearch.randomizedtesting', name: 'randomizedtesting-runner', version: '2.7.8')
         api(group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-joda', version: '2.9.8')
         api(group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jsr310', version: '2.11.3')
-        api(group: 'com.fasterxml.jackson.module', name: 'jackson-module-scala_2.10', version: '2.11.3')
         api(group: 'com.github.davidmoten', name: 'geo', version: '0.7.7')
         api(group: 'com.github.stefanbirkner', name: 'system-rules', version: '1.19.0')
         api(group: 'com.github.stephenc.findbugs', name: 'findbugs-annotations', version: '1.3.9-1')
@@ -102,10 +101,10 @@ class DependencyConstraints implements Plugin<Project> {
         api(group: 'com.nimbusds', name:'nimbus-jose-jwt', version:'8.11')
         // Pinning transitive dependency from spring-security-oauth2 to clean up our licenses.
         api(group: 'com.nimbusds', name: 'oauth2-oidc-sdk', version: '8.9')
-        api(group: 'com.sun.istack', name: 'istack-commons-runtime', version: '3.0.11')
+        api(group: 'com.sun.istack', name: 'istack-commons-runtime', version: '4.0.0')
         api(group: 'com.sun.mail', name: 'javax.mail', version: '1.6.2')
         api(group: 'com.sun.xml.bind', name: 'jaxb-impl', version: '2.3.2')
-        api(group: 'com.tngtech.archunit', name:'archunit-junit4', version: '0.12.0')
+        api(group: 'com.tngtech.archunit', name:'archunit-junit4', version: '0.14.1')
         api(group: 'com.zaxxer', name: 'HikariCP', version: '3.4.5')
         api(group: 'commons-beanutils', name: 'commons-beanutils', version: '1.9.4')
         api(group: 'commons-codec', name: 'commons-codec', version: '1.15')
@@ -146,7 +145,7 @@ class DependencyConstraints implements Plugin<Project> {
         api(group: 'org.apache.commons', name: 'commons-text', version: 1.9)
         api(group: 'org.apache.derby', name: 'derby', version: '10.14.2.0')
         api(group: 'org.apache.httpcomponents', name: 'httpclient', version: '4.5.13')
-        api(group: 'org.apache.httpcomponents', name: 'httpcore', version: '4.4.13')
+        api(group: 'org.apache.httpcomponents', name: 'httpcore', version: '4.4.14')
         api(group: 'org.apache.shiro', name: 'shiro-core', version: get('shiro.version'))
         api(group: 'org.assertj', name: 'assertj-core', version: '3.18.1')
         api(group: 'org.awaitility', name: 'awaitility', version: '4.0.3')
@@ -170,7 +169,7 @@ class DependencyConstraints implements Plugin<Project> {
         api(group: 'org.testcontainers', name: 'testcontainers', version: '1.14.3')
         api(group: 'pl.pragmatists', name: 'JUnitParams', version: '1.1.0')
         api(group: 'redis.clients', name: 'jedis', version: '3.3.0')
-        api(group: 'io.lettuce', name: 'lettuce-core', version: '5.3.5.RELEASE')
+        api(group: 'io.lettuce', name: 'lettuce-core', version: '6.0.1.RELEASE')
         api(group: 'xerces', name: 'xercesImpl', version: '2.12.0')
       }
     }
@@ -239,7 +238,7 @@ class DependencyConstraints implements Plugin<Project> {
       entry('selenium-support')
     }
 
-    dependencySet(group: 'org.springframework.security', version: '5.4.1') {
+    dependencySet(group: 'org.springframework.security', version: '5.4.2') {
       entry('spring-security-config')
       entry('spring-security-core')
       entry('spring-security-ldap')
diff --git a/dev-tools/dependencies/README.md b/dev-tools/dependencies/README.md
@@ -9,28 +9,15 @@ Step 0: Create a JIRA ticket for this work.
 Step 1: List bump commands for all dependencies for which maven offers a newer version:
 
 cd geode
-dev-tools/dependencies/bump.sh -l <jira you will be committing this work under>
-
-Step 2: Filter out certain dependencies that we cannot change, such as:
-- jgroups
-- classgraph
-- gradle-tooling-api
-- JUnitParams
-- docker-compose-rule
-- javax.servlet-api
-- protobuf
-- lucene
-- tomcat 6
-- archunit (13.0 and later get OOM on JDK8)
-
-Step 3: In some cases, maven suggests new majors, beta releases, or just wrong releases.
+dev-tools/dependencies/bump.sh <jira you will be committing this work under> -l
+
+Step 2: In some cases, maven suggests beta releases, which Geode should not use.
 Manually search for those dependencies on mavencentral to see if there is a better choice.
-Examples include:
-- commons-collections (versioning back in 2004 predated semver)
-- springfox-swagger (stay on 2.9, as 2.10 and later is completely re-architected)
-- selenium-api (these tests are very old, so stay on version pi)
+Special cases:
+- tomcat6 (do not upgrade)
+- tomcat (upgrade to latest patch only for each of 7, 8.5, and 9)
 
-Step 4: Create a PR and start bumping dependencies.  Push to the PR every few to run PR
+Step 3: Create a PR and start bumping dependencies.  Push to the PR every few to run PR
 checks.  Later, review the PR checks and try to narrow down which bump introduced problems
 and revert it.  At the end, create separate PRs for each one that was problematic and ask
 for help from someone in the community who knows that area better.
diff --git a/dev-tools/dependencies/bump.sh b/dev-tools/dependencies/bump.sh
@@ -22,25 +22,21 @@ if ! [ -d dev-tools ] ; then
   exit 1
 fi
 
-if [ "$1" = "-l" ] ; then
-	if [ "$2" = "" ] ; then
-		echo "Usage: $0 -l <jira>"
-		exit 1
-	fi
-  ./gradlew dependencyUpdates; find . | grep build/dependencyUpdates/report.txt | xargs cat \
-   | grep ' -> ' | egrep -v '(Gradle|antlr|protobuf|lucene|JUnitParams|docker-compose-rule|javax.servlet-api|gradle-tooling-api|springfox|archunit)' \
-   | sort -u | tr -d '][' | sed -e 's/ -> / /' -e 's#.*:#'"$0 $2"' #'
+if [ "$2" = "-l" ] ; then
+  ./gradlew dependencyUpdates -Drevision=release ; find . | grep build/dependencyUpdates/report.txt | xargs cat \
+   | grep ' -> ' | egrep -v '(Gradle|antlr|protobuf|lucene|JUnitParams|docker-compose-rule|javax.servlet-api|gradle-tooling-api|springfox|derby|classgraph|selenium|jgroups|jmh| 6.0.37|commons-collections|jaxb|testcontainers.*1.15.0)' \
+   | sort -u | tr -d '][' | sed -e 's/ -> / /' -e 's#.*:#'"$0 $1"' #'
   exit 0
 fi
 
 if [ "$4" = "" ] ; then
   echo "Usage: $0 <jira> <library-name> <old-ver> <new-ver>"
-  echo "   or: $0 -l <jira>"
+  echo "   or: $0 <jira> -l"
   exit 1
 fi
 
 if [ $(git diff | wc -l) -gt 0 ] ; then
-  echo "Your workspace has uncommitted changes, please stash them."
+  echo "Your workspace has uncommitted changes, please stash or commit them."
   exit 1
 fi
 
diff --git a/geode-assembly/src/integrationTest/resources/assembly_content.txt b/geode-assembly/src/integrationTest/resources/assembly_content.txt
@@ -987,7 +987,7 @@ lib/commons-lang3-3.11.jar
 lib/commons-logging-1.2.jar
 lib/commons-modeler-2.0.1.jar
 lib/commons-validator-1.7.jar
-lib/fastutil-8.4.3.jar
+lib/fastutil-8.4.4.jar
 lib/findbugs-annotations-1.3.9-1.jar
 lib/geo-0.7.7.jar
 lib/geode-common-0.0.0.jar
@@ -1015,8 +1015,8 @@ lib/geode-unsafe-0.0.0.jar
 lib/geode-wan-0.0.0.jar
 lib/gfsh-dependencies.jar
 lib/httpclient-4.5.13.jar
-lib/httpcore-4.4.13.jar
-lib/istack-commons-runtime-3.0.11.jar
+lib/httpcore-4.4.14.jar
+lib/istack-commons-runtime-4.0.0.jar
 lib/jackson-annotations-2.11.3.jar
 lib/jackson-core-2.11.3.jar
 lib/jackson-databind-2.11.3.jar
diff --git a/geode-assembly/src/integrationTest/resources/dependency_classpath.txt b/geode-assembly/src/integrationTest/resources/dependency_classpath.txt
@@ -23,7 +23,7 @@ geode-membership-0.0.0.jar
 geode-http-service-0.0.0.jar
 geode-unsafe-0.0.0.jar
 httpclient-4.5.13.jar
-httpcore-4.4.13.jar
+httpcore-4.4.14.jar
 HikariCP-3.4.5.jar
 commons-lang3-3.11.jar
 jaxb-api-2.3.1.jar
@@ -32,7 +32,7 @@ log4j-api-2.14.0.jar
 spring-shell-1.2.0.RELEASE.jar
 rmiio-2.1.2.jar
 antlr-2.7.7.jar
-istack-commons-runtime-3.0.11.jar
+istack-commons-runtime-4.0.0.jar
 jaxb-impl-2.3.2.jar
 commons-validator-1.7.jar
 shiro-core-1.7.0.jar
@@ -45,7 +45,7 @@ commons-logging-1.2.jar
 classgraph-4.8.52.jar
 micrometer-core-1.6.1.jar
 swagger-annotations-1.6.2.jar
-fastutil-8.4.3.jar
+fastutil-8.4.4.jar
 javax.resource-api-1.7.1.jar
 jetty-webapp-9.4.35.v20201120.jar
 jetty-servlet-9.4.35.v20201120.jar
diff --git a/geode-assembly/src/main/dist/LICENSE b/geode-assembly/src/main/dist/LICENSE
@@ -1024,7 +1024,7 @@ The EDL 1.0 License (http://www.eclipse.org/org/documents/edl-v10.php)
 
 Apache Geode bundles the following file under the EDL 1.0 License:
 
-  - istack-commons-runtime v3.0.11
+  - istack-commons-runtime v4.0.0
 
 Eclipse Distribution License - v 1.0
 
diff --git a/geode-docs/managing/logging/how_logging_works.html.md.erb b/geode-docs/managing/logging/how_logging_works.html.md.erb
@@ -21,9 +21,9 @@ limitations under the License.
 
 <%=vars.product_name%> uses [Apache Log4j 2](http://logging.apache.org/log4j/2.x/) API and Core libraries as the basis for its logging system. Log4j 2 API is a popular and powerful front-end logging API used by all the <%=vars.product_name%> classes to generate log statements. Log4j 2 Core is a backend implementation for logging; you can route any of the front-end logging API libraries to log to this backend. <%=vars.product_name%> uses the Core backend to run three custom Log4j 2 Appenders: **GeodeConsole**, **GeodeLogWriter**, and **GeodeAlert**.
 
-<%=vars.product_name%> has been tested with Log4j 2.12.
+<%=vars.product_name%> has been tested with Log4j 2.14.
 <%=vars.product_name%> requires the 
-`log4j-api-2.11.0.jar` and `log4j-core-2.11.0.jar`
+`log4j-api-2.14.0.jar` and `log4j-core-2.14.0.jar`
 JAR files to be in the classpath.
 Both of these JARs are distributed in the `<path-to-product>/lib` directory and included in the appropriate `*-dependencies.jar` convenience libraries.
 
diff --git a/geode-web-api/build.gradle b/geode-web-api/build.gradle
@@ -51,7 +51,6 @@ dependencies {
     exclude module: 'jackson-annotations'
   }
 
-  compileOnly('com.fasterxml.jackson.module:jackson-module-scala_2.10')
   compileOnly('io.swagger:swagger-annotations')
 
   implementation('io.springfox:springfox-swagger2') {
diff --git a/geode-web-management/build.gradle b/geode-web-management/build.gradle
@@ -68,7 +68,6 @@ dependencies {
     exclude module: 'jackson-annotations'
   }
 
-  compileOnly('com.fasterxml.jackson.module:jackson-module-scala_2.10')
   compileOnly('io.swagger:swagger-annotations')
 
   implementation('io.springfox:springfox-swagger2') {
diff --git a/gradle/spotless.gradle b/gradle/spotless.gradle
@@ -29,7 +29,7 @@ logger.debug("Using partial md5 (${thisFileIntegerHash}) of file ${thisFile} as
 project.ext.set("spotless-file-hash", thisFileIntegerHash)
 
 
-apply plugin: "com.diffplug.gradle.spotless"
+apply plugin: "com.diffplug.spotless"
 spotless {
   lineEndings = 'unix'
   java {

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,6 @@ dependencies {`
`51`	`51`	`exclude module: 'jackson-annotations'`
`52`	`52`	`}`
`53`	`53`
`54`		`- compileOnly('com.fasterxml.jackson.module:jackson-module-scala_2.10')`
`55`	`54`	`compileOnly('io.swagger:swagger-annotations')`
`56`	`55`
`57`	`56`	`implementation('io.springfox:springfox-swagger2') {`
Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,6 @@ dependencies {`
`68`	`68`	`exclude module: 'jackson-annotations'`
`69`	`69`	`}`
`70`	`70`
`71`		`- compileOnly('com.fasterxml.jackson.module:jackson-module-scala_2.10')`
`72`	`71`	`compileOnly('io.swagger:swagger-annotations')`
`73`	`72`
`74`	`73`	`implementation('io.springfox:springfox-swagger2') {`