-
Notifications
You must be signed in to change notification settings - Fork 4.6k
Substitute org.lz4:lz4-java with at.yawk.lz4:lz4-java in all subprojects #39297
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -1056,3 +1056,22 @@ if (project.hasProperty("testJavaVersion")) { | |
| } | ||
| } | ||
| } | ||
|
|
||
| subprojects { | ||
| configurations { | ||
| configureEach { | ||
| resolutionStrategy { | ||
| dependencySubstitution { | ||
| // Substitute dependencies (including transitive) on org.lz4:lz4-java regardless of capability conflicts. | ||
| // All published versions of org.lz4:lz4-java have known vulnerabilities. | ||
| // At present, all versions of at.yawk.lz4:lz4-java <1.10.1 have known vulnerabilities. | ||
| // Substituting org.lz4:lz4-java ensures that at.yawk.lz4:lz4-java is always selected. | ||
| // Gradle resolves version conflicts by selecting the highest version by default. | ||
| // Gradle only resolves capability conflicts when multiple modules provide the same capability. | ||
| // This would allow org.lz4:lz4-java to still be selected, which is undesirable because of vulnerabilities. | ||
| substitute(module("org.lz4:lz4-java")).using(module("at.yawk.lz4:lz4-java:1.10.1")) | ||
| } | ||
| } | ||
| } | ||
|
Comment on lines
+1062
to
+1075
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There are two improvement opportunities in this block:
configureEach {
if (isCanBeResolved) {
val lz4Version = project.findProperty("lz4.version") ?: "1.10.1"
resolutionStrategy {
dependencySubstitution {
// Substitute dependencies (including transitive) on org.lz4:lz4-java regardless of capability conflicts.
// All published versions of org.lz4:lz4-java have known vulnerabilities.
// At present, all versions of at.yawk.lz4:lz4-java <1.10.1 have known vulnerabilities.
// Substituting org.lz4:lz4-java ensures that at.yawk.lz4:lz4-java is always selected.
// Gradle resolves version conflicts by selecting the highest version by default.
// Gradle only resolves capability conflicts when multiple modules provide the same capability.
// This would allow org.lz4:lz4-java to still be selected, which is undesirable because of vulnerabilities.
substitute(module("org.lz4:lz4-java")).using(module("at.yawk.lz4:lz4-java:$lz4Version"))
}
}
}
}
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Suggestion 1 is not commonly applied as far as I can tell from other Gradle projects. var lz4Java = (project.ext.get("library") as Map<String, Map<String, *>>).get("java")!!.get("lz4_java").toString()
subprojects {
configurations {
configureEach {
resolutionStrategy {
dependencySubstitution {
// Substitute dependencies (including transitive) on org.lz4:lz4-java regardless of capability conflicts.
// All published versions of org.lz4:lz4-java have known vulnerabilities.
// At present, all versions of at.yawk.lz4:lz4-java <1.10.1 have known vulnerabilities.
// Substituting org.lz4:lz4-java ensures that at.yawk.lz4:lz4-java is always selected.
// Gradle resolves version conflicts by selecting the highest version by default.
// Gradle only resolves capability conflicts when multiple modules provide the same capability.
// This would allow org.lz4:lz4-java to still be selected, which is undesirable because of vulnerabilities.
substitute(module("org.lz4:lz4-java")).using(module(lz4Java))
}
}
} |
||
| } | ||
| } | ||
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The consideration I made capability resolution opt-in, instead of the default, in #39061 was to make sure we don't introduce new capability conflict in other Beam modules unintentionally. Because Gradle's
resolutionStrategy.capabilitiesResolution.withCapabilityclosure isn't transitive. i.e., downstream module compilation still need the same override. This was exactly what happens to beam-runners-flink-2.1 (after Flink 2.1 override "org.lz4:lz4-java" -> "at.yawk.lz4:lz4-java") and beam-examples-java (after Beam Flink runner override "org.lz4:lz4-java" -> "at.yawk.lz4:lz4-java")Flink runner related components currently have this conflict due to Flink 2.1+ and Kafka 2.4 each have transitive dependency on 'org.lz4:lz4-java' capability from different packages
The bottom line is we don't propagate this conflict to user if they use a critical setup (Beam core + GCP dependencies + Dataflow runner)
I recommend we remain the opt-in mechism (use resolveCapabilitiesConflict in individual module), and if ever it propagates to (Beam core + GCP dependencies + Dataflow runner), we then need to bump their transitive dependency version to make sure there isn't capability conflict in the first place
It's fine to bump Beam's Kafka version requirement to 3.9.2, if it eliminates the capability conflict
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Bumping Kafka to 3.9.2 shifts the conflict around. The reverse pops up for the Spark Runner and Flink Runner subprojects, with versions 1.x of Flink and iirc both versions 3.x and 4.x of Spark still depending on
org.lz4:lz4-java.After setting up capabilities resolution for the Flink Runner, Flink Job Server, Spark Runner and Spark Job Server I saw an additional conflict pop up for Java Examples since capabilities resolution only applies to the project for the current task. I wasn't aware of that, so I only saw it when the PR actions for Java Examples on the Spark Runner failed.
Conditionally applying capability resolution and manually propagating capability resolution (and conditions?) to dependent subprojects seemed like a lot more friction for contributors than applying a prescriptive configuration for it from the root project down to all subprojects. Looks like that's the case for the Java conventions configuration used by subprojects of Deephaven and Pulsar.
Enforcing dependency substitution would prevent any unnoticed direct dependencies on
org.lz4:lz4-javafrom landing in a release. As mentioned, I realize that's a tad paranoid perhaps compared to enforcing capability resolution which would only alter a Beam POM when a direct dependency onorg.lz4:lz4-javaclashes with a transitive dependency onat.yawk.lz4:lz4-java.Regardless, I'll unstack this change from #39284 and #39285 for now.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For reference, b191394 shows the ripple of capability conflicts after upgrading Kafka to 3.9.2.
Running the
dependenciestask on all subprojects doesn't catch all new capability conflicts since the conflicts in Nexmark and TPC-DS don't show up until you specify-Pnexmark.runneror-Ptpcds.runnerand go through:runners:flink:1.19,:runners:flink:1.20,:runners:flink:2.0,:runners:flink:2.1,:runners:flink:2.2,:runners:spark:3and:runners:spark:4.If I'm not mistaken, the Nexmark and TPC-DS failures would not have been caught by the Github actions running against #39284.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ack, is it safe to say neither 'org.lz4:lz4-java' nor 'at.yawk.lz4' is Beam's dependency (direct or transitive) based on b191394 ? If so I'm fine with the current approach, as it would be a no-op for this dependency set
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not a direct dependency in any subproject and only a transitive dependency outside of core (Flink, Kafka and Spark afaik).
To my understanding, the proposed changes would alter release artifacts when:
org.lz4:lz4-javaand is compiled as a regular JAR, altering the POM to includeat.yawk.lz4:lz4-java.org.lz4:lz4-javaand is compiled as a fat JAR, altering the bundled classes to includeat.yawk.lz4:lz4-java.Under ideal circumstances the former would be flagged and corrected during review.
The latter is slightly more difficult to reason about, but as far as I can tell by grepping for
configuration:\s+['"]shadowthere are no subprojects with shadowed dependencies that include a transitive dependency onorg.lz4:lz4-java.