Conversation

@titusfortner titusfortner (Member) commented Jan 7, 2026

User description

🔗 Related Issues

Fixes #16863

💥 What does this PR do?

  • Removed dependency
  • updated lockfile

🔄 Types of changes

  • Cleanup (formatting, renaming)

PR Type

Enhancement


Description

  • Remove Apache Commons Exec dependency from Java module

  • Update Maven lockfile with new dependency hashes

  • Simplify build configuration by removing unused imports


Diagram Walkthrough

flowchart LR
  A["MODULE.bazel<br/>Remove commons-exec"] --> B["Build Configuration<br/>Simplified"]
  C["java/maven_install.json<br/>Update hashes"] --> B
  D["BUILD.bazel<br/>Remove artifact import"] --> B

File Walkthrough

Relevant files

Dependencies
  MODULE.bazel (+0/-1): Remove commons-exec Maven dependency
    • Removed org.apache.commons:commons-exec:1.6.0 dependency declaration
    • Cleaned up Maven dependency list
  java/src/org/openqa/selenium/os/BUILD.bazel (+0/-2): Remove commons-exec dependency from build
    • Removed load("@rules_jvm_external//:defs.bzl", "artifact") import statement
    • Removed artifact("org.apache.commons:commons-exec") from deps list

Configuration changes
  java/maven_install.json (+5/-5): Update Maven lockfile with new dependency hashes
    • Updated __INPUT_ARTIFACTS_HASH from -1443520336 to -1221745853
    • Updated __RESOLVED_ARTIFACTS_HASH from 870861529 to -267267215
    • Downgraded org.apache.commons:commons-exec from version 1.6.0 to 1.4.0
    • Updated corresponding jar and sources checksums

@selenium-ci selenium-ci added C-java Java Bindings B-build Includes scripting, bazel and CI integrations labels Jan 7, 2026
@qodo-code-review qodo-code-review bot (Contributor) commented Jan 7, 2026

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Vulnerable dependency

Description: The PR downgrades the pinned dependency org.apache.commons:commons-exec to version 1.4.0,
which may reintroduce known vulnerabilities fixed in later releases and should be
validated against current dependency-security policies/CVEs.
maven_install.json [627-633]

Referred Code
"org.apache.commons:commons-exec": {
  "shasums": {
    "jar": "f51cf8bee467efe2be76e46fc08078d96afa280a794283364291beda892a67ef",
    "sources": "52dd9db2e64649143631680ca6dabcd75e4457761dddf5e72406086cd19eee88"
  },
  "version": "1.4.0"
},
Ticket Compliance
🟡
🎫 #5678
🔴 Investigate and fix repeated ChromeDriver instantiation failures showing Error:
ConnectFailure (Connection refused) after the first instance.
Provide a solution or mitigation for the reported Linux/Chrome/ChromeDriver/Selenium
version combination.
🟡
🎫 #1234
🔴 Restore/ensure that click() triggers JavaScript in a link's href as it did in Selenium
2.47.1 (regression in 2.48.x) for the provided Firefox scenario.
Validate behavior against the provided reproduction artifacts/videos.
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend:
  🟢 - Fully Compliant
  🟡 - Partially Compliant
  🔴 - Not Compliant
  ⚪ - Requires Further Human Verification
  🏷️ - Compliance label

@qodo-code-review qodo-code-review bot (Contributor) commented Jan 7, 2026

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue
Avoid unintended dependency version downgrade

The commons-exec dependency has been unintentionally downgraded to version
1.4.0. To avoid potential security risks, either restore the direct dependency
in MODULE.bazel to pin it to a newer version like 1.6.0, or investigate and
manage the transitive dependency that is pulling it in.

java/maven_install.json [627-633]

 "org.apache.commons:commons-exec": {
   "shasums": {
-    "jar": "f51cf8bee467efe2be76e46fc08078d96afa280a794283364291beda892a67ef",
-    "sources": "52dd9db2e64649143631680ca6dabcd75e4457761dddf5e72406086cd19eee88"
+    "jar": "13dcf3850478ef8de5d24d298a60eed5e8305eb20538fe632c82ea1dff6b5ea0",
+    "sources": "30be24e81829579865f0c020dcaa70a5c5972a8175effe67748589eebba1af90"
   },
-  "version": "1.4.0"
+  "version": "1.6.0"
 },
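Review bot: the hunk hand-edits java/maven_install.json, which is a generated lockfile, so the restored `"version": "1.6.0"` and its checksums would be overwritten the next time the lockfile is repinned from MODULE.bazel; the suggestion's own text says to restore the pin in MODULE.bazel, and that is where the change belongs, with the lockfile regenerated from it rather than patched. The replacement `jar` and `sources` checksums on the `+` lines are also not derived from anything visible in this PR and would need to be confirmed against the artifact actually published for 1.6.0 before they are trusted.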
Suggestion importance [1-10]: 8

Why: The suggestion correctly identifies an unintended dependency downgrade from version 1.6.0 to 1.4.0, which could reintroduce bugs or security vulnerabilities. Managing dependency versions explicitly is crucial for stability and security.

Impact: Medium
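Both bot comments above turn on the same point: removing a direct pin from MODULE.bazel let the resolver fall back to whatever version a transitive dependency requests, and the only evidence of that was a version going backwards in the generated lockfile. The following is an added example, not Selenium project code or the bot's code, of the check a CI step could run over two lockfiles to catch exactly that. It assumes the maven_install.json layout visible in the PR excerpt, a map keyed by "group:artifact" with "version" and "shasums" per entry, wrapped in a top-level "artifacts" object (that wrapper is an assumption; the excerpt shows only one entry). The sample lockfiles are constructed; only the commons-exec versions (1.6.0 before, 1.4.0 after) come from the PR description.

```python
"""Added example (not Selenium project code): flag dependency version downgrades
between two rules_jvm_external lockfiles and list artifacts that lost their
direct pin but are still resolved.

Assumed layout: a top-level "artifacts" map keyed by "group:artifact", each
entry carrying "version" and "shasums". All lockfile content below is
constructed sample data except the commons-exec versions reported in the PR.
"""
import json
import re

# Constructed "before" lockfile: commons-exec is still pinned directly at 1.6.0.
OLD_LOCKFILE = json.dumps({
    "artifacts": {
        "org.apache.commons:commons-exec": {
            "shasums": {"jar": "<constructed-sha256-old>"},
            "version": "1.6.0",
        },
        "com.google.guava:guava": {"shasums": {"jar": "<constructed>"}, "version": "33.0.0-jre"},
        "junit:junit": {"shasums": {"jar": "<constructed>"}, "version": "4.13.2"},
    }
})

# Constructed "after" lockfile: the direct pin is gone, so the resolver kept the
# version a transitive dependency asks for (1.4.0); guava moved up and junit
# dropped out entirely. Neither of those two should be reported.
NEW_LOCKFILE = json.dumps({
    "artifacts": {
        "org.apache.commons:commons-exec": {
            "shasums": {"jar": "<constructed-sha256-new>"},
            "version": "1.4.0",
        },
        "com.google.guava:guava": {"shasums": {"jar": "<constructed>"}, "version": "33.1.0-jre"},
    }
})

_VERSION_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version):
    """Sort key approximating Maven version ordering: numeric components compare
    as integers (so 1.10.0 > 1.9.0) and a qualifier such as -rc1 sorts below the
    plain release with the same numeric prefix (1.6.0-rc1 < 1.6.0). Each part is
    tagged with a rank so integers and strings are never compared directly."""
    parts = []
    for tok in _VERSION_TOKEN.findall(version):
        parts.append((1, int(tok)) if tok.isdigit() else (0, tok.lower()))
    # Terminal marker ranks above any qualifier, so "1.6.0" beats "1.6.0-rc1".
    parts.append((2, ""))
    return tuple(parts)


def load_artifacts(lockfile_text):
    """Map 'group:artifact' -> resolved version (assumes the 'artifacts' layout)."""
    data = json.loads(lockfile_text)
    return {coord: entry["version"] for coord, entry in data["artifacts"].items()}


def find_downgrades(old_text, new_text):
    """Return (coord, old_version, new_version) for every artifact whose resolved
    version went backwards. Upgrades and removed artifacts are not downgrades."""
    old = load_artifacts(old_text)
    new = load_artifacts(new_text)
    downgrades = []
    for coord, new_version in sorted(new.items()):
        old_version = old.get(coord)
        if old_version is not None and version_key(new_version) < version_key(old_version):
            downgrades.append((coord, old_version, new_version))
    return downgrades


def now_transitive(removed_direct, new_text):
    """Artifacts whose direct declaration was removed (e.g. from MODULE.bazel) but
    that are still resolved, i.e. now versioned only by whatever pulls them in."""
    new = load_artifacts(new_text)
    return sorted(coord for coord in removed_direct if coord in new)


def report(old_text, new_text, removed_direct):
    """Summary lines; a CI step can fail the build when any are returned."""
    lines = []
    for coord, old_v, new_v in find_downgrades(old_text, new_text):
        lines.append(f"DOWNGRADE {coord}: {old_v} -> {new_v}")
    for coord in now_transitive(removed_direct, new_text):
        lines.append(f"NOW TRANSITIVE {coord}: version chosen by a dependency, not by MODULE.bazel")
    return lines


if __name__ == "__main__":
    for line in report(OLD_LOCKFILE, NEW_LOCKFILE, {"org.apache.commons:commons-exec"}):
        print(line)
```

Run against the real before/after lockfiles, the downgrade line is what a reviewer wants surfaced automatically, and the "now transitive" line records the decision the author makes in the thread: once the project no longer uses the artifact itself, the version is deliberately left to whichever dependency requires it, and the check only exists to make that choice explicit rather than accidental.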

@asolntsev asolntsev added this to the 4.40.0 milestone Jan 7, 2026

Review comment on java/maven_install.json (the lockfile lines under discussion):
  "sources": "52dd9db2e64649143631680ca6dabcd75e4457761dddf5e72406086cd19eee88"
  },
  "version": "1.6.0"
  "version": "1.4.0"
Contributor

What exactly does this line mean?
Looks like instead of removing the "commons-exec" dependency, you downgraded its version from "1.6.0" to "1.4.0"? @titusfortner

Member Author

Makes sense, it is a transitive dependency.
If we don't need it for our code, we should let whatever does need it set the version, unless there's a security issue or bug, or a potential concern. I don't think any of those apply to this.

Labels

B-build Includes scripting, bazel and CI integrations C-java Java Bindings Review effort 2/5

Development

Successfully merging this pull request may close these issues.

[🚀 Feature]: [java] Remove dependency on Apache Commons Exec?

4 participants