Posted to commits@maven.apache.org by sl...@apache.org on 2021/01/22 22:35:58 UTC

[maven-indexer] 01/01: [MINDEXER-126] Remove guava dependency from indexer-core

This is an automated email from the ASF dual-hosted git repository.

slachiewicz pushed a commit to branch MINDEXER-126
in repository https://gitbox.apache.org/repos/asf/maven-indexer.git

commit 7651b9bf3b7162aa83fa0de5a06864c78a495a38
Author: Alexander Kurtakov <ak...@redhat.com>
AuthorDate: Fri Jan 22 23:51:52 2021 +0200

    [MINDEXER-126] Remove guava dependency from indexer-core
    
    It suffers from multiple CVEs:
    * guava < 24.1.1 is vulnerable to CVE-2018-10237.
    * guava < 30.0 is vulnerable to CVE-2020-8908.
    
    Moving to guava 30.1 will require moving to Java 8 so it's actually
    simpler to just remove the dependency altogether.
    
    Signed-off-by: Alexander Kurtakov <ak...@redhat.com>
---
 indexer-core/pom.xml                                         |  5 -----
 .../src/main/java/org/apache/maven/index/ArtifactInfo.java   |  5 ++---
 .../org/apache/maven/index/context/TrackingLockFactory.java  | 12 +++++++-----
 .../org/apache/maven/index/packer/IndexPackingRequest.java   | 10 +++++-----
 .../java/org/apache/maven/index/updater/IndexDataReader.java |  7 +++----
 5 files changed, 17 insertions(+), 22 deletions(-)

diff --git a/indexer-core/pom.xml b/indexer-core/pom.xml
index d6f6fdc..c36de84 100644
--- a/indexer-core/pom.xml
+++ b/indexer-core/pom.xml
@@ -40,11 +40,6 @@ under the License.
       <artifactId>slf4j-api</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>com.google.guava</groupId>
-      <artifactId>guava</artifactId>
-    </dependency>
-
     <!-- DI -->
     <dependency>
       <groupId>javax.inject</groupId>
diff --git a/indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java b/indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java
index 7f75838..ca95342 100644
--- a/indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java
+++ b/indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java
@@ -37,8 +37,6 @@ import org.eclipse.aether.version.InvalidVersionSpecificationException;
 import org.eclipse.aether.version.Version;
 import org.eclipse.aether.version.VersionScheme;
 
-import com.google.common.base.Strings;
-
 /**
  * ArtifactInfo holds the values known about an repository artifact. This is a simple Value Object kind of stuff.
  * Phasing out.
@@ -431,7 +429,8 @@ public class ArtifactInfo
     public String toString()
     {
         final StringBuilder result = new StringBuilder( getUinfo() );
-        if ( !Strings.isNullOrEmpty( getPackaging() ) )
+        String packaging = getPackaging();
+        if (packaging != null && !getPackaging().isEmpty())
         {
             result.append( "[" ).append( getPackaging() ).append( "]" );
         }
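Review bot: The new local `packaging` is used only for the null test; the emptiness test and the append inside the block each call `getPackaging()` again, so the null check and the dereference happen on separate reads. If `getPackaging()` is a plain getter this is harmless in practice, but the value could in principle change between the calls, and the local then serves no purpose. Use the local throughout: `if ( packaging != null && !packaging.isEmpty() )` and `result.append( "[" ).append( packaging ).append( "]" );`, which also restores the spacing inside parentheses used by the surrounding lines. The body of toString() continues outside the hunk.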
diff --git a/indexer-core/src/main/java/org/apache/maven/index/context/TrackingLockFactory.java b/indexer-core/src/main/java/org/apache/maven/index/context/TrackingLockFactory.java
index 9bc6a02..fc85f9c 100644
--- a/indexer-core/src/main/java/org/apache/maven/index/context/TrackingLockFactory.java
+++ b/indexer-core/src/main/java/org/apache/maven/index/context/TrackingLockFactory.java
@@ -1,5 +1,7 @@
 package org.apache.maven.index.context;
 
+import static java.util.Objects.requireNonNull;
+
 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
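Review bot: The added `import static java.util.Objects.requireNonNull;` sits between the package statement and the license header, apart from the import block that follows the header. Moving it into that import block, as a static group of its own, keeps every import in one place and leaves the header directly under the package line as it was before this change. The same placement occurs in the first hunk of IndexPackingRequest.java.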
@@ -21,13 +23,13 @@ package org.apache.maven.index.context;
 
 import java.io.IOException;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
+
 import org.apache.lucene.store.Directory;
 import org.apache.lucene.store.Lock;
 import org.apache.lucene.store.LockFactory;
-import static com.google.common.base.Preconditions.checkNotNull;
-import java.util.HashSet;
 
 /**
  *
@@ -43,7 +45,7 @@ final class TrackingLockFactory
 
     TrackingLockFactory( final LockFactory delegate )
     {
-        this.delegate = checkNotNull( delegate );
+        this.delegate = requireNonNull( delegate );
         this.emittedLocks = Collections.newSetFromMap( new ConcurrentHashMap<TrackingLock, Boolean>() );
     }
 
@@ -78,8 +80,8 @@ final class TrackingLockFactory
 
         TrackingLock( final Lock delegate, final String name )
         {
-            this.delegate = checkNotNull( delegate );
-            this.name = checkNotNull( name );
+            this.delegate = requireNonNull( delegate );
+            this.name = requireNonNull( name );
         }
 
         String getName()
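Review bot: Both null checks in the TrackingLock constructor use the one-argument `requireNonNull`, so a failure raises a NullPointerException with no message and the offending argument can only be found from the line number. This matches the one-argument Guava call it replaces, so it is not a regression, but since the lines are being touched the parameter name could be passed: `this.delegate = requireNonNull( delegate, "delegate" );` and `this.name = requireNonNull( name, "name" );`. The same applies to the TrackingLockFactory constructor in the previous hunk and to the three checks in the public IndexPackingRequest constructor, where callers outside the module benefit most. The TrackingLock class continues outside the hunk.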
diff --git a/indexer-core/src/main/java/org/apache/maven/index/packer/IndexPackingRequest.java b/indexer-core/src/main/java/org/apache/maven/index/packer/IndexPackingRequest.java
index 850d9d8..98809d2 100644
--- a/indexer-core/src/main/java/org/apache/maven/index/packer/IndexPackingRequest.java
+++ b/indexer-core/src/main/java/org/apache/maven/index/packer/IndexPackingRequest.java
@@ -1,5 +1,7 @@
 package org.apache.maven.index.packer;
 
+import static java.util.Objects.requireNonNull;
+
 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
@@ -26,8 +28,6 @@ import java.util.Collection;
 import org.apache.lucene.index.IndexReader;
 import org.apache.maven.index.context.IndexingContext;
 
-import static com.google.common.base.Preconditions.checkNotNull;
-
 /**
  * An index packing request.
  */
@@ -53,11 +53,11 @@ public class IndexPackingRequest
 
     public IndexPackingRequest( final IndexingContext context, final IndexReader indexReader, final File targetDir )
     {
-        this.context = checkNotNull( context );
+        this.context = requireNonNull( context );
 
-        this.indexReader = checkNotNull( indexReader );
+        this.indexReader = requireNonNull( indexReader );
 
-        this.targetDir = checkNotNull( targetDir );
+        this.targetDir = requireNonNull( targetDir );
 
         this.createIncrementalChunks = true;
 
diff --git a/indexer-core/src/main/java/org/apache/maven/index/updater/IndexDataReader.java b/indexer-core/src/main/java/org/apache/maven/index/updater/IndexDataReader.java
index c5f1d71..3e80c13 100644
--- a/indexer-core/src/main/java/org/apache/maven/index/updater/IndexDataReader.java
+++ b/indexer-core/src/main/java/org/apache/maven/index/updater/IndexDataReader.java
@@ -27,11 +27,10 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.UTFDataFormatException;
 import java.util.Date;
-import java.util.zip.GZIPInputStream;
-
-import com.google.common.base.Strings;
 import java.util.LinkedHashSet;
 import java.util.Set;
+import java.util.zip.GZIPInputStream;
+
 import org.apache.lucene.document.Document;
 import org.apache.lucene.document.Field;
 import org.apache.lucene.document.FieldType;
@@ -159,7 +158,7 @@ public class IndexDataReader
         // Fix up UINFO field wrt MINDEXER-41
         final Field uinfoField = (Field) doc.getField( ArtifactInfo.UINFO );
         final String info =  doc.get( ArtifactInfo.INFO );
-        if ( uinfoField != null && !Strings.isNullOrEmpty( info ) )
+        if ( uinfoField != null && info != null && !info.isEmpty() )
         {
             final String[] splitInfo = ArtifactInfo.FS_PATTERN.split( info );
             if ( splitInfo.length > 6 )