Ban javax.* dependencies (#3866)

The `javax.*` group ID artifacts are often GPL+CE licensed, which is often concerning, even if it is not a real issue. Technically, we do not need those dependencies in production code. This means that we can savely remove those dependencies from the Quarkus production runtime.

Due to the Spark integration tests, as Spark needs the old Servlet API in the `javax.*` namespace, we cannot globally ban the old servlet API, which causes some special handling.

Author: snazy

build-logic/src/main/kotlin/polaris-java.gradle.kts

@@ -17,13 +17,13 @@
  * under the License.
  */
 
+import asf.AsfProject.Companion.unsafeCast
 import java.util.Properties
 import kotlin.jvm.java
 import net.ltgt.gradle.errorprone.CheckSeverity
 import net.ltgt.gradle.errorprone.errorprone
 import org.gradle.api.tasks.compile.JavaCompile
 import org.gradle.api.tasks.testing.Test
-import org.gradle.kotlin.dsl.assign
 import org.gradle.kotlin.dsl.named
 import org.kordamp.gradle.plugin.jandex.JandexExtension
 import org.kordamp.gradle.plugin.jandex.JandexPlugin
@@ -238,26 +238,62 @@ tasks.register("printRuntimeClasspath").configure {
   }
 }
 
-configurations.all {
-  rootProject
-    .file("gradle/banned-dependencies.txt")
-    .readText(Charsets.UTF_8)
-    .trim()
-    .lines()
-    .map { it.trim() }
-    .filterNot { it.isBlank() || it.startsWith("#") }
-    .forEach { line ->
-      val idx = line.indexOf(':')
-      if (idx == -1) {
-        exclude(group = line)
-      } else {
-        val group = line.substring(0, idx)
-        val module = line.substring(idx + 1)
-        exclude(group = group, module = module)
-      }
+class BannedDependency(val group: String, val module: String?) {
+  fun exclude(configuration: Configuration) = configuration.exclude(group = group, module = module)
+
+  companion object {
+    fun parseList(file: File): List<BannedDependency> =
+      file
+        .readText(Charsets.UTF_8)
+        .trim()
+        .lines()
+        .map { it.trim() }
+        .filterNot { it.isBlank() || it.startsWith("#") }
+        .map { line ->
+          val idx = line.indexOf(':')
+          if (idx == -1) {
+            BannedDependency(line, null)
+          } else {
+            val group = line.substring(0, idx)
+            val module = line.substring(idx + 1)
+            BannedDependency(group, module)
+          }
+        }
+  }
+}
+
+class BannedDependencies(
+  val globallyBanned: List<BannedDependency>,
+  val quarkusProdBanned: List<BannedDependency>,
+) {
+  fun applyTo(configuration: Configuration) {
+    globallyBanned.forEach { it.exclude(configuration) }
+    if (configuration.name.startsWith("quarkusProd")) {
+      quarkusProdBanned.forEach { it.exclude(configuration) }
     }
+  }
+
+  fun applyTo(configurations: ConfigurationContainer) {
+    configurations.all { applyTo(this) }
+  }
+}
+
+fun bannedDependencies(): BannedDependencies {
+  return if (rootProject.extra.has("bannedDependencies")) {
+    unsafeCast(rootProject.extra["bannedDependencies"]) as BannedDependencies
+  } else {
+    val bannedDependencies =
+      BannedDependencies(
+        BannedDependency.parseList(rootProject.file("gradle/banned-dependencies.txt")),
+        BannedDependency.parseList(rootProject.file("gradle/banned-quarkus-prod-dependencies.txt")),
+      )
+    rootProject.extra["bannedDependencies"] = bannedDependencies
+    bannedDependencies
+  }
 }
 
+bannedDependencies().applyTo(configurations)
+
 gradle.sharedServices.registerIfAbsent(
   "intTestParallelismConstraint",
   TestingParallelismHelper::class.java,

gradle/banned-dependencies.txt

@@ -18,6 +18,7 @@
 #
 
 # This file contains the globally banned dependencies.
+
 # Each banned dependency must be in the form
 #   <group-id> ':' <module>
 # or
@@ -26,6 +27,12 @@
 
 # Contains old javax.* annotations that we do not want
 com.google.code.findbugs:jsr305
+javax.annotation:javax.annotation-api
+javax.servlet.jsp:jsp-api
+# Cannot globally ban javax.servlet:javax.servlet-api, because it is needed by Spark 3.5 integration tests
+javax.validation:validation-api
+javax.ws.rs:jsr311-api
+
 
 # See https://github.com/RoaringBitmap/RoaringBitmap/issues/749, should only use org.roaringbitmap:RoaringBitmap
 com.github.RoaringBitmap.RoaringBitmap

gradle/banned-quarkus-prod-dependencies.txt

@@ -0,0 +1,29 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# This file contains the dependencies banned from Quarkus production runtime.
+
+# Each banned dependency must be in the form
+#   <group-id> ':' <module>
+# or
+#   <group-id>
+
+
+# Contains old javax.* annotations that we do not want
+javax.servlet:javax.servlet-api

integration-tests/build.gradle.kts

@@ -58,6 +58,8 @@ dependencies {
     exclude("org.slf4j", "jul-to-slf4j")
   }
 
+  implementation(libs.jakarta.ws.rs.api)
+
   implementation(platform(libs.junit.bom))
   implementation("org.junit.jupiter:junit-jupiter")
   implementation("org.junit.jupiter:junit-jupiter-api")

integration-tests/src/main/java/org/apache/polaris/service/it/test/PolarisManagementServiceIntegrationTest.java

@@ -18,8 +18,8 @@
  */
 package org.apache.polaris.service.it.test;
 
-import static javax.ws.rs.core.Response.Status.CREATED;
-import static javax.ws.rs.core.Response.Status.FORBIDDEN;
+import static jakarta.ws.rs.core.Response.Status.CREATED;
+import static jakarta.ws.rs.core.Response.Status.FORBIDDEN;
 import static org.apache.polaris.service.it.env.PolarisClient.polarisClient;
 import static org.apache.polaris.service.it.test.PolarisApplicationIntegrationTest.PRINCIPAL_ROLE_ALL;
 import static org.assertj.core.api.Assertions.assertThat;
@@ -188,7 +188,7 @@ public void testListCatalogsUnauthorized() {
         managementApi.createPrincipal(client.newEntityName("a_new_user"));
     String authToken = client.obtainToken(principal);
     try (Response response = client.managementApi(authToken).request("v1/catalogs").get()) {
-      assertThat(response).returns(Response.Status.FORBIDDEN.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(FORBIDDEN.getStatusCode(), Response::getStatus);
     }
   }
 
@@ -200,7 +200,7 @@ public void testCreateCatalog() {
             .post(
                 Entity.json(
                     "{\"catalog\":{\"type\":\"INTERNAL\",\"name\":\"my-catalog\",\"properties\":{\"default-base-location\":\"s3://my-bucket/path/to/data\"},\"storageConfigInfo\":{\"storageType\":\"S3\",\"roleArn\":\"arn:aws:iam::123456789012:role/my-role\",\"externalId\":\"externalId\",\"userArn\":\"userArn\",\"allowedLocations\":[\"s3://my-old-bucket/path/to/data\"]}}}"))) {
-      assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(CREATED.getStatusCode(), Response::getStatus);
     }
 
     // 204 Successful delete
@@ -230,7 +230,7 @@ public void testCreateCatalogWithInvalidName() {
             .setStorageConfigInfo(awsConfigModel)
             .build();
     try (Response response = managementApi.request("v1/catalogs").post(Entity.json(catalog))) {
-      assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(CREATED.getStatusCode(), Response::getStatus);
     }
 
     String longInvalidName = newRandomString(MAX_IDENTIFIER_LENGTH + 1);
@@ -282,7 +282,7 @@ public void testCreateCatalogWithAzureStorageConfig() {
             .build();
     try (Response response =
         managementApi.request("v1/catalogs").post(Entity.json(new CreateCatalogRequest(catalog)))) {
-      assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(CREATED.getStatusCode(), Response::getStatus);
     }
     try (Response response = managementApi.request("v1/catalogs/my-catalog").get()) {
       assertThat(response).returns(Response.Status.OK.getStatusCode(), Response::getStatus);
@@ -431,7 +431,7 @@ public void testUpdateCatalogWithoutDefaultBaseLocationInUpdate() {
             .build();
     try (Response response =
         managementApi.request("v1/catalogs").post(Entity.json(new CreateCatalogRequest(catalog)))) {
-      assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(CREATED.getStatusCode(), Response::getStatus);
     }
 
     // 200 successful GET after creation
@@ -819,7 +819,7 @@ public void testListPrincipalsUnauthorized() {
         managementApi.createPrincipal(client.newEntityName("new_admin"));
     String authToken = client.obtainToken(principal);
     try (Response response = client.managementApi(authToken).request("v1/principals").get()) {
-      assertThat(response).returns(Response.Status.FORBIDDEN.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(FORBIDDEN.getStatusCode(), Response::getStatus);
     }
   }
 
@@ -842,7 +842,7 @@ public void testCreatePrincipalAndRotateCredentials() {
         managementApi
             .request("v1/principals/{p}/rotate", Map.of("p", principal.getName()))
             .post(Entity.json(""))) {
-      assertThat(response).returns(Response.Status.FORBIDDEN.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(FORBIDDEN.getStatusCode(), Response::getStatus);
     }
 
     String oldUserToken = client.obtainToken(creds);
@@ -853,7 +853,7 @@ public void testCreatePrincipalAndRotateCredentials() {
             .managementApi(oldUserToken)
             .request("v1/principals/{p}", Map.of("p", principal.getName()))
             .get()) {
-      assertThat(response).returns(Response.Status.FORBIDDEN.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(FORBIDDEN.getStatusCode(), Response::getStatus);
       ErrorResponse error = response.readEntity(ErrorResponse.class);
       assertThat(error)
           .isNotNull()
@@ -932,7 +932,7 @@ public void testCreatePrincipalAndResetCredentialsWithCustomValues() {
             .request("v1/principals/{p}/reset", Map.of("p", principal.getName()))
             .post(Entity.json(customBody))) {
 
-      assertThat(response).returns(Response.Status.FORBIDDEN.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(FORBIDDEN.getStatusCode(), Response::getStatus);
     }
   }
 
@@ -1288,7 +1288,7 @@ public void testCreateListUpdateAndDeleteCatalogRole() {
             .request("v1/catalogs/{cat}/catalog-roles", Map.of("cat", catalogName))
             .post(Entity.json(new CreateCatalogRoleRequest(catalogRole)))) {
 
-      assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(CREATED.getStatusCode(), Response::getStatus);
     }
 
     // Second attempt to create the same entity should fail with CONFLICT.
@@ -1428,7 +1428,7 @@ public void testAssignListAndRevokePrincipalRoles() {
             .request("v1/principals")
             .post(Entity.json(new CreatePrincipalRequest(principal1, false)))) {
 
-      assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(CREATED.getStatusCode(), Response::getStatus);
     }
 
     Principal principal2 = new Principal(client.newEntityName("myprincipal2"));
@@ -1437,7 +1437,7 @@ public void testAssignListAndRevokePrincipalRoles() {
             .request("v1/principals")
             .post(Entity.json(new CreatePrincipalRequest(principal2, false)))) {
 
-      assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(CREATED.getStatusCode(), Response::getStatus);
     }
 
     // One PrincipalRole
@@ -1450,7 +1450,7 @@ public void testAssignListAndRevokePrincipalRoles() {
             .request(
                 "v1/principals/{prince}/principal-roles", Map.of("prince", principal1.getName()))
             .put(Entity.json(principalRole))) {
-      assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(CREATED.getStatusCode(), Response::getStatus);
     }
 
     // Should list myprincipalrole
@@ -1582,7 +1582,7 @@ public void testAssignListAndRevokeCatalogRoles() {
             .request("v1/catalogs/{cat}/catalog-roles", Map.of("cat", catalog.getName()))
             .post(Entity.json(new CreateCatalogRoleRequest(catalogRole)))) {
 
-      assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(CREATED.getStatusCode(), Response::getStatus);
     }
 
     // Create another one in a different catalog.
@@ -1601,7 +1601,7 @@ public void testAssignListAndRevokeCatalogRoles() {
             .request("v1/catalogs/{cat}/catalog-roles", Map.of("cat", otherCatalog.getName()))
             .post(Entity.json(new CreateCatalogRoleRequest(otherCatalogRole)))) {
 
-      assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(CREATED.getStatusCode(), Response::getStatus);
     }
 
     // Assign both the roles to mypr1
@@ -1612,7 +1612,7 @@ public void testAssignListAndRevokeCatalogRoles() {
                 Map.of("pr", principalRole1.getName(), "cat", catalog.getName()))
             .put(Entity.json(new GrantCatalogRoleRequest(catalogRole)))) {
 
-      assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(CREATED.getStatusCode(), Response::getStatus);
     }
     try (Response response =
         managementApi
@@ -1621,7 +1621,7 @@ public void testAssignListAndRevokeCatalogRoles() {
                 Map.of("pr", principalRole1.getName(), "cat", otherCatalog.getName()))
             .put(Entity.json(new GrantCatalogRoleRequest(otherCatalogRole)))) {
 
-      assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(CREATED.getStatusCode(), Response::getStatus);
     }
 
     // Should list only mycr
@@ -1787,7 +1787,7 @@ public void testCatalogAdminGrantAndRevokeCatalogRoles() {
                     + "/"
                     + catalogRoleName)
             .delete()) {
-      assertThat(response).returns(Response.Status.FORBIDDEN.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(FORBIDDEN.getStatusCode(), Response::getStatus);
     }
 
     // The service admin can revoke the role because it has the
@@ -1879,8 +1879,7 @@ public void testServiceAdminCanTransferCatalogAdmin() {
                       + catalogName
                       + "/catalog_admin")
               .delete()) {
-        assertThat(response)
-            .returns(Response.Status.FORBIDDEN.getStatusCode(), Response::getStatus);
+        assertThat(response).returns(FORBIDDEN.getStatusCode(), Response::getStatus);
       }
     } finally {
       // grant the admin role back to service_admin so that cleanup can happen
@@ -1953,7 +1952,7 @@ public void testCatalogAdminGrantAndRevokeCatalogRolesFromWrongCatalog() {
             .managementApi(catalogAdminToken)
             .request("v1/principal-roles/" + principalRoleName + "/catalog-roles/" + catalogName2)
             .put(Entity.json(new GrantCatalogRoleRequest(new CatalogRole(catalogRoleName))))) {
-      assertThat(response).returns(Response.Status.FORBIDDEN.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(FORBIDDEN.getStatusCode(), Response::getStatus);
     }
   }
 
@@ -2046,7 +2045,7 @@ public void testTableManageAccessCanGrantAndRevokeFromCatalogRoles() {
             .request("v1/principal-roles/" + principalRoleName + "/catalog-roles/" + catalogName)
             .put(
                 Entity.json(new GrantCatalogRoleRequest(new CatalogRole("target_catalog_role"))))) {
-      assertThat(response).returns(Response.Status.FORBIDDEN.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(FORBIDDEN.getStatusCode(), Response::getStatus);
     }
 
     // The user cannot grant catalog-level privileges to the catalog role
@@ -2223,7 +2222,7 @@ public void testCreateAndUpdateCatalogRoleWithReservedProperties() {
         managementApi
             .request("v1/catalogs/{cat}/catalog-roles", Map.of("cat", catalogName))
             .post(Entity.json(new CreateCatalogRoleRequest(okCatalogRole)))) {
-      assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(CREATED.getStatusCode(), Response::getStatus);
     }
 
     UpdateCatalogRoleRequest updateRequest =
@@ -2271,7 +2270,7 @@ public void testCreateAndUpdatePrincipalRoleWithReservedProperties() {
         managementApi
             .request("v1/principal-roles")
             .post(Entity.json(new CreatePrincipalRoleRequest(goodPrincipalRole)))) {
-      assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(CREATED.getStatusCode(), Response::getStatus);
     }
 
     UpdatePrincipalRoleRequest badUpdate =
@@ -2310,7 +2309,7 @@ public void testCreateAndUpdatePrincipalWithReservedProperties() {
         managementApi
             .request("v1/principals")
             .post(Entity.json(new CreatePrincipalRequest(goodPrincipal, false)))) {
-      assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus);
+      assertThat(response).returns(CREATED.getStatusCode(), Response::getStatus);
     }
 
     UpdatePrincipalRequest badUpdate =