[BUILD-291] Remove unused com.google.code.findbugs:annotations Created: 23/Nov/17  Updated: 27/Oct/22

Status: Accepted
Project: Build
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Neutral
Reporter: Maxime Michel Assignee: Mikaël Geljić
Resolution: Unresolved Votes: 0
Labels: foundation_team
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates: is related to BUILD-285 Further define the effort for clean d... (Closed)
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Date of First Response:
Team: Foundation

 Description   

While I was working on MGNLCE-103 this artifact showed up as being used in resources and main. We made the decision to not add com.google.code.findbugs:annotations to the BOM but to add it to the POM files where Maven suggested it. As this shows up as a 'used undeclared' dependency, it was a warning we needed to take care of; it is more critical than the 'unused declared' ones, which we ignore.

However, as far as I can see, we actually don't use this dependency at all. It is brought in the following way in resource-loader, and somehow Maven's analyzer thinks we are using it:

[INFO] +- org.reflections:reflections:jar:0.9.9:compile
[INFO] |  +- org.javassist:javassist:jar:3.18.2-GA:compile
[INFO] |  \- com.google.code.findbugs:annotations:jar:2.0.1:compile

I don't think we should care because this project is dead. I would therefore suggest the following:

  1. bump reflections to 0.9.11, which no longer uses this dependency
  2. remove the mention of it from main's resource-loader and resource-app
  3. remove it also from the supplemental models?


 Comments   
Comment by Mikaël Geljić [ 06/Jun/18 ]

For the record, greater versions than 0.9.9 had critical regressions for the specific usage we have (resource scanning on the classpath).

  • We might as well check if annotations jar is critical at runtime (otherwise exclude it)
  • Or check if my statement above still stands in whatever version reflections is nowadays
  • Alternatively replace reflections with plain Java 8 usage or any more modern library
Comment by Mikaël Geljić [ 12/Nov/18 ]

"check if annotations jar is critical at runtime"

—certainly shouldn't be, JSR-305 was intended for defect-detection tools, and is now abandoned/dormant since 2012. Most of our usages are remnants of pre-JDK8 functional idioms (generated from Guava Predicate/Function impls), and are thus trivial to remove.
I will log my QA commits as related (~ BUILD-291) and report back over here.
However, reflections will keep dragging the annotations jar over.

"greater versions than 0.9.9 had critical regressions for the specific usage we have (resource scanning on the classpath)"

—afaict, as of 0.9.12-SNAPSHOT, ResourceScanner still suffers the same (#102), although since our ClasspathService was refactored circa 2016, we don't rely on this anymore; but only on Reflections' FilterBuilder and Vfs functionality.

Consequently:

  • We can try out the "hard" maven-exclusion; I'd even recommend we ban both c.g.c.findbugs:annotations and c.g.c.findbugs:jsr305 with the mighty enforcer.
  • We can attempt the upgrade to 0.9.11 (findbugs-annotations has been demoted to "provided" iirc)
  • We can/should ditch WTF-licensed (sic) reflections, in favor of the more modern/maintained/recognized ClassGraph (formerly fast-cp-scanner). cc apchelintcev
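
The first option in the comment above (the "hard" exclusion plus an enforcer ban), sketched as a minimal module POM. This is an added example, not taken from the project's build: the com.example coordinates, the execution id and the enforcer plugin version are assumptions.

```xml
<!-- Added example: com.example:resource-loader-example is a placeholder coordinate -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>resource-loader-example</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencies>
    <dependency>
      <groupId>org.reflections</groupId>
      <artifactId>reflections</artifactId>
      <version>0.9.9</version>
      <exclusions>
        <!-- Drop the transitive jar shown in the dependency tree in the description -->
        <exclusion>
          <groupId>com.google.code.findbugs</groupId>
          <artifactId>annotations</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version> <!-- assumed version; normally pinned in pluginManagement -->
        <executions>
          <execution>
            <id>ban-findbugs-annotations</id> <!-- hypothetical execution id -->
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <!-- Checks transitive dependencies too, so any other path that
                     resolves either artifact fails the build -->
                <bannedDependencies>
                  <excludes>
                    <exclude>com.google.code.findbugs:annotations</exclude>
                    <exclude>com.google.code.findbugs:jsr305</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The exclusion only removes the jar on the reflections path; the enforcer rule is what stops another dependency from bringing either artifact back unnoticed.
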
Comment by Maxime Michel [ 20/Nov/18 ]

I totally vote for at least trying out the alternative library (timebox?), and evaluating the next steps from there.

Comment by Maxime Michel [ 20/Jun/22 ]

TODO:

  • double check that annotations has no runtime impact
  • If so, define it as provided. Do that for all 3 flavors:
    • com.google.code.findbugs:jsr305:jar:3.0.2:compile
    • com.google.code.findbugs:annotations:jar:2.0.1:compile
    • org.jetbrains:annotations:jar:13.0:compile
Generated at Sun Feb 11 23:40:33 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.