diff --git a/.fossa.yml b/.fossa.yml
new file mode 100644
index 000000000..f13f5fe60
--- /dev/null
+++ b/.fossa.yml
@@ -0,0 +1,11 @@
+version: 3
+
+targets:
+ only:
+ - type: gradle
+
+experimental:
+ gradle:
+ configurations-only:
+ # consumer will only be exposed to these dependencies
+ - runtimeClasspath
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
new file mode 100644
index 000000000..23cabfc68
--- /dev/null
+++ b/.github/workflows/fossa.yml
@@ -0,0 +1,19 @@
+name: FOSSA
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ fossa:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
+ with:
+ api-key: ${{secrets.FOSSA_API_KEY}}
diff --git a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
index e65c69538..f39ae5c5e 100644
--- a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
+++ b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
@@ -135,6 +135,11 @@ testing {
 dependencies {
 implementation(project(project.path))
 
+ implementation(enforcedPlatform("org.junit:junit-bom:5.11.4"))
+ implementation(enforcedPlatform("org.testcontainers:testcontainers-bom:1.20.4"))
+ implementation(enforcedPlatform("com.google.guava:guava-bom:33.4.0-jre"))
+ implementation(enforcedPlatform("com.linecorp.armeria:armeria-bom:1.31.3"))
+
 compileOnly("com.google.auto.value:auto-value-annotations")
 compileOnly("com.google.errorprone:error_prone_annotations")
 compileOnly("com.google.code.findbugs:jsr305")
diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
index b2c6902f6..ce40f320d 100644
--- a/dependencyManagement/build.gradle.kts
+++ b/dependencyManagement/build.gradle.kts
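Review bot: The FOSSA workflow runs only on pushes to `main`, so a dependency whose vulnerability is disclosed after its last push is never re-examined until some unrelated commit lands. A cron trigger next to `push` keeps the report current, for example `schedule:` with `- cron: '0 6 * * 1'` (constructed example), and a `workflow_dispatch:` trigger allows a manual rerun after a FOSSA-side fix. The `permissions: contents: read` scope and the full-SHA pins with version comments on both actions are the right shape; keep the SHA-plus-comment form when bumping. Note that repository secrets are not exposed to pull_request runs from forks, so extending this to PR scanning later would need a different trigger or a token-less mode.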
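Review bot: The four `enforcedPlatform` lines added to the test-suite dependencies are now the only place these BOM versions are pinned, and nothing at this location explains why they no longer live in `dependencyManagement`; the rationale is written only on the other side of the move. A short comment above the added lines would stop the next maintainer from moving them back, e.g. `// test-only BOMs are declared here rather than in dependencyManagement so they are not reported as runtime dependencies by license/vulnerability scans`. The `1.20.4` literal also appears in `dependencyManagement/build.gradle.kts` as `org.testcontainers:kafka:1.20.4`, so the two now have to be bumped together. The enclosing `testing { ... }` block starts and ends outside the hunk.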
@@ -2,96 +2,60 @@ plugins {
 `java-platform`
 }
 
-data class DependencySet(val group: String, val version: String, val modules: List)
-
-val dependencyVersions = hashMapOf()
-rootProject.extra["versions"] = dependencyVersions
-
 val otelInstrumentationVersion = "2.12.0-alpha"
-
-val DEPENDENCY_BOMS = listOf(
- "com.fasterxml.jackson:jackson-bom:2.18.2",
- "com.google.guava:guava-bom:33.4.0-jre",
- "com.linecorp.armeria:armeria-bom:1.31.3",
- "org.junit:junit-bom:5.11.4",
- "io.grpc:grpc-bom:1.70.0",
- "io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:${otelInstrumentationVersion}",
- "org.testcontainers:testcontainers-bom:1.20.4"
-)
-
-val autoServiceVersion = "1.1.1"
-val autoValueVersion = "1.11.0"
-val errorProneVersion = "2.36.0"
-val prometheusVersion = "0.16.0"
-val mockitoVersion = "4.11.0"
-val slf4jVersion = "2.0.16"
-val semConvVersion = "1.30.0-rc.1"
-
-val CORE_DEPENDENCIES = listOf(
- "com.google.auto.service:auto-service:${autoServiceVersion}",
- "com.google.auto.service:auto-service-annotations:${autoServiceVersion}",
- "com.google.auto.value:auto-value:${autoValueVersion}",
- "com.google.auto.value:auto-value-annotations:${autoValueVersion}",
- "com.google.errorprone:error_prone_annotations:${errorProneVersion}",
- "com.google.errorprone:error_prone_core:${errorProneVersion}",
- "io.github.netmikey.logunit:logunit-jul:2.0.0",
- "io.opentelemetry.proto:opentelemetry-proto:1.5.0-alpha",
- // these two constraints can be removed once the opentelemetry-instrumentation-bom-alpha
- // is updated to contain the latest version of opentelemetry-semconv
- "io.opentelemetry.semconv:opentelemetry-semconv:${semConvVersion}",
- "io.opentelemetry.semconv:opentelemetry-semconv-incubating:${semConvVersion}",
- "io.prometheus:simpleclient:${prometheusVersion}",
- "io.prometheus:simpleclient_common:${prometheusVersion}",
- "io.prometheus:simpleclient_httpserver:${prometheusVersion}",
- "org.mockito:mockito-core:${mockitoVersion}",
- "org.mockito:mockito-inline:${mockitoVersion}",
- "org.mockito:mockito-junit-jupiter:${mockitoVersion}",
- "org.slf4j:slf4j-api:${slf4jVersion}",
- "org.slf4j:slf4j-simple:${slf4jVersion}",
- "org.slf4j:log4j-over-slf4j:${slf4jVersion}",
- "org.slf4j:jcl-over-slf4j:${slf4jVersion}",
- "org.slf4j:jul-to-slf4j:${slf4jVersion}"
-)
-
-val DEPENDENCIES = listOf(
- "com.google.code.findbugs:annotations:3.0.1u2",
- "com.google.code.findbugs:jsr305:3.0.2",
- "com.squareup.okhttp3:okhttp:4.12.0",
- "com.uber.nullaway:nullaway:0.12.3",
- "org.assertj:assertj-core:3.27.3",
- "org.awaitility:awaitility:4.2.2",
- "org.bouncycastle:bcpkix-jdk15on:1.70",
- "org.junit-pioneer:junit-pioneer:1.9.1",
- "org.skyscreamer:jsonassert:1.5.3",
- "org.apache.kafka:kafka-clients:3.9.0",
- "org.testcontainers:kafka:1.20.4",
- "com.lmax:disruptor:3.4.4",
- "org.jctools:jctools-core:4.0.5",
- "tools.profiler:async-profiler:3.0",
- "com.blogspot.mydailyjava:weak-lock-free:0.18",
- "org.agrona:agrona:1.22.0"
-)
+val semconvVersion = "1.30.0-rc.1"
 
 javaPlatform {
 allowDependencies()
 }
 
 dependencies {
- for (bom in DEPENDENCY_BOMS) {
- api(enforcedPlatform(bom))
- val split = bom.split(':')
- dependencyVersions[split[0]] = split[2]
- }
+ // boms that are only used by tests should be added in otel.java-conventions.gradle.kts
+ // under JvmTestSuite so they don't show up as runtime dependencies in license and vulnerability scans
+ // (the constraints section below doesn't have this issue, and will only show up
+ // as runtime dependencies if they are actually used as runtime dependencies)
+ api(enforcedPlatform("io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:${otelInstrumentationVersion}"))
+ api(enforcedPlatform("com.fasterxml.jackson:jackson-bom:2.18.2"))
+
 constraints {
- for (dependency in CORE_DEPENDENCIES) {
- api(dependency)
- val split = dependency.split(':')
- dependencyVersions[split[0]] = split[2]
- }
- for (dependency in DEPENDENCIES) {
- api(dependency)
- val split = dependency.split(':')
- dependencyVersions[split[0]] = split[2]
- }
+ api("io.opentelemetry.semconv:opentelemetry-semconv:${semconvVersion}")
+ api("io.opentelemetry.semconv:opentelemetry-semconv-incubating:${semconvVersion}")
+
+ api("com.google.auto.service:auto-service:1.1.1")
+ api("com.google.auto.service:auto-service-annotations:1.1.1")
+ api("com.google.auto.value:auto-value:1.11.0")
+ api("com.google.auto.value:auto-value-annotations:1.11.0")
+ api("com.google.errorprone:error_prone_annotations:2.36.0")
+ api("com.google.errorprone:error_prone_core:2.36.0")
+ api("io.github.netmikey.logunit:logunit-jul:2.0.0")
+ api("io.opentelemetry.proto:opentelemetry-proto:1.5.0-alpha")
+ api("io.prometheus:simpleclient:0.16.0")
+ api("io.prometheus:simpleclient_common:0.16.0")
+ api("io.prometheus:simpleclient_httpserver:0.16.0")
+ api("org.mockito:mockito-core:4.11.0")
+ api("org.mockito:mockito-inline:4.11.0")
+ api("org.mockito:mockito-junit-jupiter:4.11.0")
+ api("org.slf4j:slf4j-api:2.0.16")
+ api("org.slf4j:slf4j-simple:2.0.16")
+ api("org.slf4j:log4j-over-slf4j:2.0.16")
+ api("org.slf4j:jcl-over-slf4j:2.0.16")
+ api("org.slf4j:jul-to-slf4j:2.0.16")
+
+ api("com.google.code.findbugs:annotations:3.0.1u2")
+ api("com.google.code.findbugs:jsr305:3.0.2")
+ api("com.squareup.okhttp3:okhttp:4.12.0")
+ api("com.uber.nullaway:nullaway:0.12.3")
+ api("org.assertj:assertj-core:3.27.3")
+ api("org.awaitility:awaitility:4.2.2")
+ api("org.bouncycastle:bcpkix-jdk15on:1.70")
+ api("org.junit-pioneer:junit-pioneer:1.9.1")
+ api("org.skyscreamer:jsonassert:1.5.3")
+ api("org.apache.kafka:kafka-clients:3.9.0")
+ api("org.testcontainers:kafka:1.20.4")
+ api("com.lmax:disruptor:3.4.4")
+ api("org.jctools:jctools-core:4.0.5")
+ api("tools.profiler:async-profiler:3.0")
+ api("com.blogspot.mydailyjava:weak-lock-free:0.18")
+ api("org.agrona:agrona:1.22.0")
 }
 }
diff --git a/jmx-metrics/build.gradle.kts b/jmx-metrics/build.gradle.kts
index 4a72b54a9..0088a6988 100644
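Review bot: Removing `rootProject.extra["versions"]` together with the `dependencyVersions` map deletes a project-wide build property, and the diff does not show whether any other build script still reads `versions` from `rootProject.extra`; if one does it fails at configuration time for every task, so it is worth a repository-wide search before merge. Dropping `io.grpc:grpc-bom`, `guava-bom` and `armeria-bom` from the platform also means a main-source dependency on those groups declared without a version will presumably no longer resolve unless the consuming module pins it itself, which is what the jmx-metrics hunk does for `grpc-netty-shaded:1.70.0`; that version now lives outside dependencyManagement and will not be caught by a single-place bump. A comment above the constraints block, e.g. `// grpc, guava and armeria are not managed here; modules that need them on the main classpath pin the version locally`, would keep those pins discoverable. The two closing braces are context and nothing beyond them is visible.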
--- a/jmx-metrics/build.gradle.kts
+++ b/jmx-metrics/build.gradle.kts
@@ -27,7 +27,7 @@ val groovyVersion = "3.0.23"
 
 dependencies {
 api(platform("org.codehaus.groovy:groovy-bom:$groovyVersion"))
- implementation("io.grpc:grpc-netty-shaded")
+ implementation("io.grpc:grpc-netty-shaded:1.70.0")
 implementation("org.codehaus.groovy:groovy-jmx")
 implementation("org.codehaus.groovy:groovy")
 implementation("io.prometheus:simpleclient")
diff --git a/jmx-scraper/test-webapp/build.gradle.kts b/jmx-scraper/test-webapp/build.gradle.kts
index 4b4191d56..f8d324088 100644
--- a/jmx-scraper/test-webapp/build.gradle.kts
+++ b/jmx-scraper/test-webapp/build.gradle.kts
@@ -7,5 +7,5 @@ plugins {
 description = "JMX metrics scraper - test web application"
 
 dependencies {
- providedCompile("jakarta.servlet:jakarta.servlet-api:5.0.0")
+ compileOnly("jakarta.servlet:jakarta.servlet-api:5.0.0")
 }
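Review bot: Switching the servlet API from `providedCompile` to `compileOnly` changes more than the WAR contents: the war plugin's `providedCompile` also feeds the runtime and test classpaths, whereas `compileOnly` is visible to main compilation only, so any test in this module that references `jakarta.servlet` types will presumably stop compiling. If such tests exist, add `testImplementation("jakarta.servlet:jakarta.servlet-api:5.0.0")` beside the changed line; if not, a one-line comment such as `// compileOnly rather than providedCompile so the container-provided servlet API is not reported as a runtime dependency` would record why the war-plugin configuration is avoided here. The version literal is duplicated between the removed and added lines, which is fine for a single artifact but worth keeping in one place if more servlet-related pins appear.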