Posted to user@karaf.apache.org by Steinar Bang <sb...@dod.no> on 2021/08/24 15:58:55 UTC

jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Platform: java 11, karaf 4.3.2

I got a security alert from github, telling me to upgrade jsoup to 1.14.2.

However, jsoup 1.14.2 is an OSGi bundle that requires the
javax.annotation package, with versions between 3.0 and 4.0, from the
jsoup 1.14.2 MANIFEST.MF:

 Import-Package: javax.annotation;version="[3.0,4)",javax.annotation.meta
  ;version="[3.0,4)",javax.net.ssl,javax.xml.parsers,javax.xml.transform,
  javax.xml.transform.dom,javax.xml.transform.stream,org.jsoup;version="[
  1.14,2)",org.jsoup.helper;version="[1.14,2)",org.jsoup.internal;version
  ="[1.14,2)",org.jsoup.nodes;version="[1.14,2)",org.jsoup.parser;version
  ="[1.14,2)",org.jsoup.safety;version="[1.14,2)",org.jsoup.select;versio
  n="[1.14,2)",org.w3c.dom

Problem: javax.annotation in karaf is provided by the felix framework,
and is version 1.3:

 karaf@root()> package:exports | grep annotation
 java.lang.annotation                x 0.0.0       x 0  x org.apache.felix.framework
 javax.annotation.processing         x 1.0.0       x 0  x org.apache.felix.framework
 javax.annotation                    x 1.3.0       x 0  x org.apache.felix.framework
 javax.xml.bind.annotation.adapters  x 2.3.0       x 0  x org.apache.felix.framework
 javax.xml.bind.annotation           x 2.3.0       x 0  x org.apache.felix.framework
 karaf@root()>

(Is javax.annotation 3.0 even a real thing...?
 I found this when googling https://mvnrepository.com/artifact/org.glassfish/javax.annotation
 The version numbers are weird and the dates are old (2011), and AFAIK
 this isn't a package that has had any actual changes for, like, ever...)

Is there a workaround, other than re-bundling jsoup?

Thanks!


- Steinar
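As an added example (not code from this thread, from jsoup or from Karaf), a small Python script that reproduces the check Karaf's resolver makes: it unfolds the Import-Package header quoted above, parses each version range, and compares it with the versions that `package:exports` lists. The manifest and export lines inside it are constructed samples trimmed from the ones quoted in the post.

```python
"""Added example: check an OSGi Import-Package header against a framework's exports."""
import re

# Constructed: the jsoup 1.14.2 Import-Package header as written in MANIFEST.MF,
# where a line starting with one space continues the previous line.
MANIFEST = ('Import-Package: javax.annotation;version="[3.0,4)",javax.annotation.meta\n'
            ' ;version="[3.0,4)",javax.net.ssl,org.w3c.dom\n')
# Constructed: lines in the layout of Karaf's `package:exports` output.
EXPORTS = ("javax.annotation   x 1.3.0  x 0  x org.apache.felix.framework\n"
           "javax.net.ssl      x 0.0.0  x 0  x org.apache.felix.framework\n"
           "org.w3c.dom        x 0.0.0  x 0  x org.apache.felix.framework\n")

def manifest_header(text, name):
    """Unfold continuation lines and return the value of one manifest header."""
    for line in text.replace("\n ", "").splitlines():
        key, _, value = line.partition(":")
        if key.strip() == name:
            return value.strip()
    return ""

def version(s):
    """OSGi 'major[.minor[.micro[.qualifier]]]' -> comparable 3-tuple."""
    parts = [int(p) for p in s.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def in_range(ver, spec):
    """True if ver satisfies a '[3.0,4)'-style range; a bare '1.2' means [1.2,inf)."""
    m = re.fullmatch(r"([\[(])([\d.]+),([\d.]+)([\])])", spec)
    if not m:
        return ver >= version(spec)
    low, high = version(m.group(2)), version(m.group(3))
    return ((ver > low or (ver == low and m.group(1) == "[")) and
            (ver < high or (ver == high and m.group(4) == "]")))

def import_clauses(header):
    """Split on commas outside quotes -> [(package, version range string)]."""
    clauses = []
    for clause in filter(None, re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', header)):
        pkg, *attrs = clause.split(";")
        versions = [a.partition("=")[2].strip('" ') for a in attrs
                    if a.partition("=")[0].strip() == "version"]
        clauses.append((pkg.strip(), versions[0] if versions else "0.0.0"))
    return clauses

def exported_versions(text):
    """package:exports lines -> {package: [version tuples]}."""
    exports = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) > 2 and fields[1] == "x":
            exports.setdefault(fields[0], []).append(version(fields[2]))
    return exports

def unresolved_imports(manifest_text, exports_text):
    """[(package, range, reason)] for every import no export can satisfy."""
    exports, problems = exported_versions(exports_text), []
    for pkg, spec in import_clauses(manifest_header(manifest_text, "Import-Package")):
        if pkg not in exports:
            problems.append((pkg, spec, "not exported"))
        elif not any(in_range(v, spec) for v in exports[pkg]):
            have = ", ".join(".".join(map(str, v)) for v in exports[pkg])
            problems.append((pkg, spec, "only " + have + " exported"))
    return problems
```

Run against the samples it reports javax.annotation (only 1.3.0 exported) and javax.annotation.meta (not exported), which is exactly the pair the thread ends up discussing.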


Re: jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
It all depends on the import package defined in the jsoup bundle, so possible ;)

Regards
JB

On 25/08/2021 13:30, Eric Lilja wrote:
> Is the findbugs dependency really a runtime requirement for jsoup to 
> function? It has <scope>provided</scope> in the pom file for jsoup
> 
> - Eric L
> 
> On Wed, Aug 25, 2021 at 10:58 AM Jean-Baptiste Onofré <jb@nanthrax.net 
> <ma...@nanthrax.net>> wrote:
> 
>     IMHO, a possible solution is that I create a SMX Spec bundle merging
>     both jakarta annotation and findbugs/jsr305.
> 
>     Thoughts ?
> 
>     Regards
>     JB
> 
>     On 24/08/2021 21:53, Steinar Bang wrote:
>      >>>>>> Steinar Bang <sb@dod.no <ma...@dod.no>>:
>      >
>      >>>>>> Steinar Bang <sb@dod.no <ma...@dod.no>>:
>      >>> (I'll also open a ticket on jsoup and try to have them fix it
>      >>> upstream. Since upstream is an OSGi bundle, it seems a pity to
>     have it
>      >>> be a broken OSGi bundle...)
>      >
>      >> jsoup issue on the problem:
>     https://github.com/jhy/jsoup/issues/1616
>     <https://github.com/jhy/jsoup/issues/1616>
>      >
>      > I've created a PR that fixes the issue, by removing the version
>      > requirements from the javax.annotation imports:
>      > https://github.com/jhy/jsoup/pull/1617
>     <https://github.com/jhy/jsoup/pull/1617>
>      >
>      > But the problem is still not fixed, because jsoup also requires
>      > javax.annotation.meta, which karaf does not provide.
>      >
>      > The "culprit" is a provided dependency to
>     mvn:com.google.code.findbugs/jsr305/3.0.5
>      >
>      > See
>     https://github.com/jhy/jsoup/issues/1616#issuecomment-904906532
>     <https://github.com/jhy/jsoup/issues/1616#issuecomment-904906532>
>     for details.
>      >
> 

Re: jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Eric Lilja <mi...@gmail.com>:

> Is the findbugs dependency really a runtime requirement for jsoup to
> function? It has <scope>provided</scope> in the pom file for jsoup

Good question!

More questions to answer:
 1. Are the annotations fetched from these packages only used in test
    code, or are they used in production code?
 2. Do the annotations have RetentionPolicy.RUNTIME or SOURCE?

The following annotations are used in .java files in src/main/java/ of
jsoup:
 javax.annotation.Nonnull (RetentionPolicy.RUNTIME)
 javax.annotation.Nullable (RetentionPolicy.RUNTIME)
 javax.annotation.ParametersAreNonnullByDefault (RetentionPolicy.RUNTIME)
 javax.annotation.meta.TypeQualifierDefault (RetentionPolicy.RUNTIME)

So, yes, they are all required at runtime.

And they aren't slurped into the jsoup bundle, because of the copyright
of the findbugs jar (is what I'm guessing from the comment on the
dependency in the jsoup pom.xml file...?).


Re: jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Posted by Eric Lilja <mi...@gmail.com>.
Is the findbugs dependency really a runtime requirement for jsoup to
function? It has <scope>provided</scope> in the pom file for jsoup

- Eric L

On Wed, Aug 25, 2021 at 10:58 AM Jean-Baptiste Onofré <jb...@nanthrax.net>
wrote:

> IMHO, a possible solution is that I create a SMX Spec bundle merging
> both jakarta annotation and findbugs/jsr305.
>
> Thoughts ?
>
> Regards
> JB
>
> On 24/08/2021 21:53, Steinar Bang wrote:
> >>>>>> Steinar Bang <sb...@dod.no>:
> >
> >>>>>> Steinar Bang <sb...@dod.no>:
> >>> (I'll also open a ticket on jsoup and try to have them fix it
> >>> upstream. Since upstream is an OSGi bundle, it seems a pity to have it
> >>> be a broken OSGi bundle...)
> >
> >> jsoup issue on the problem: https://github.com/jhy/jsoup/issues/1616
> >
> > I've created a PR that fixes the issue, by removing the version
> > requirements from the javax.annotation imports:
> >   https://github.com/jhy/jsoup/pull/1617
> >
> > But the problem is still not fixed, because jsoup also requires
> > javax.annotation.meta, which karaf does not provide.
> >
> > The "culprit" is a provided dependency to
> mvn:com.google.code.findbugs/jsr305/3.0.5
> >
> > See https://github.com/jhy/jsoup/issues/1616#issuecomment-904906532 for
> details.
> >
>

Re: jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
IMHO, a possible solution is that I create a SMX Spec bundle merging 
both jakarta annotation and findbugs/jsr305.

Thoughts ?

Regards
JB

On 24/08/2021 21:53, Steinar Bang wrote:
>>>>>> Steinar Bang <sb...@dod.no>:
> 
>>>>>> Steinar Bang <sb...@dod.no>:
>>> (I'll also open a ticket on jsoup and try to have them fix it
>>> upstream. Since upstream is an OSGi bundle, it seems a pity to have it
>>> be a broken OSGi bundle...)
> 
>> jsoup issue on the problem: https://github.com/jhy/jsoup/issues/1616
> 
> I've created a PR that fixes the issue, by removing the version
> requirements from the javax.annotation imports:
>   https://github.com/jhy/jsoup/pull/1617
> 
> But the problem is still not fixed, because jsoup also requires
> javax.annotation.meta, which karaf does not provide.
> 
> The "culprit" is a provided dependency to mvn:com.google.code.findbugs/jsr305/3.0.5
> 
> See https://github.com/jhy/jsoup/issues/1616#issuecomment-904906532 for details.
> 

Re: jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Posted by Paul Stanley <Pa...@saaconsultants.com>.
Hi.

I came across this a while ago. As you have spotted below,
javax.activation version 3.0.5 is the findbugs bundle from google.
However this contains different classes to the Jakarta project. As such
it's not just a simple fix of changing or repacking the jsoup bundle.

The findbugs bundle will need to be deployed into karaf. But given the way
that services are resolved in OSGi, you may hit the problem of a
downstream project depending on both Findbugs and Jakarta annotations.

My solution was to produce a bundle that merged both findbugs and
javax.annotation. This then exported the package at both version 1
and 3.

Cheers
Paul


From:   "Steinar Bang" <sb...@dod.no>
To:     user@karaf.apache.org
Date:   24/08/2021 20:53
Subject:        Re: jsoup 1.14.2 requires javax.annotation version between 
3.0 and 4.0



>>>>> Steinar Bang <sb...@dod.no>:

>>>>> Steinar Bang <sb...@dod.no>:
>> (I'll also open a ticket on jsoup and try to have them fix it
>> upstream. Since upstream is an OSGi bundle, it seems a pity to have it
>> be a broken OSGi bundle...)

> jsoup issue on the problem: https://github.com/jhy/jsoup/issues/1616

I've created a PR that fixes the issue, by removing the version
requirements from the javax.annotation imports:
 https://github.com/jhy/jsoup/pull/1617

But the problem is still not fixed, because jsoup also requires
javax.annotation.meta, which karaf does not provide.

The "culprit" is a provided dependency to
mvn:com.google.code.findbugs/jsr305/3.0.5

See https://github.com/jhy/jsoup/issues/1616#issuecomment-904906532 for 
details.


Re: jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Steinar Bang <sb...@dod.no>:

>>>>> Steinar Bang <sb...@dod.no>:
>> (I'll also open a ticket on jsoup and try to have them fix it
>> upstream. Since upstream is an OSGi bundle, it seems a pity to have it
>> be a broken OSGi bundle...)

> jsoup issue on the problem: https://github.com/jhy/jsoup/issues/1616

I've created a PR that fixes the issue, by removing the version
requirements from the javax.annotation imports:
 https://github.com/jhy/jsoup/pull/1617

But the problem is still not fixed, because jsoup also requires
javax.annotation.meta, which karaf does not provide.

The "culprit" is a provided dependency to mvn:com.google.code.findbugs/jsr305/3.0.5

See https://github.com/jhy/jsoup/issues/1616#issuecomment-904906532 for details.


Re: jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Steinar Bang <sb...@dod.no>:

> (I'll also open a ticket on jsoup and try to have them fix it
> upstream. Since upstream is an OSGi bundle, it seems a pity to have it
> be a broken OSGi bundle...)

jsoup issue on the problem: https://github.com/jhy/jsoup/issues/1616


Re: jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Jean-Baptiste Onofré <jb...@nanthrax.net>:

> Another option is to add jsoup bundle at ServiceMix: I can do it and
> include in the august release set.

+1

(I'll also open a ticket on jsoup and try to have them fix it
upstream. Since upstream is an OSGi bundle, it seems a pity to have it
be a broken OSGi bundle...)


Re: jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Another option is to add jsoup bundle at ServiceMix: I can do it and 
include in the august release set.

Regards
JB

On 24/08/2021 18:05, Steinar Bang wrote:
>>>>>> Jean-Baptiste Onofré <jb...@nanthrax.net>:
> 
>> Hi Steinar,
>> IMHO, jsoup bundle is not accurate.
> 
> Yep, that's what I thought.
> 
>> IMHO, we only have two options:
> 
>> 1. Creating a "fixed" jsoup bundle
> 
> Yes, either rebundling it myself or creating a ticket on jsoup.  No idea
> how fast they respond to tickets.
> 
>> 2. Embed jsoup in your bundle where you need it
> 
> Definitely last resort, IMO...!
> 
> Thanks!
> 

Re: jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Jean-Baptiste Onofré <jb...@nanthrax.net>:

> Hi Steinar,
> IMHO, jsoup bundle is not accurate.

Yep, that's what I thought.

> IMHO, we only have two options:

> 1. Creating a "fixed" jsoup bundle

Yes, either rebundling it myself or creating a ticket on jsoup.  No idea
how fast they respond to tickets.

> 2. Embed jsoup in your bundle where you need it

Definitely last resort, IMO...!

Thanks!


Re: jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi Steinar,

IMHO, jsoup bundle is not accurate.

IMHO, we only have two options:

1. Creating a "fixed" jsoup bundle
2. Embed jsoup in your bundle where you need it

Regards
JB

On 24/08/2021 17:58, Steinar Bang wrote:
> Platform: java 11, karaf 4.3.2
> 
> I got a security alert from github, telling me to upgrade jsoup to 1.14.2.
> 
> However, jsoup 1.14.2 is an OSGi bundle that requires the
> javax.annotation package, with versions between 3.0 and 4.0, from the
> jsoup 1.14.2 MANIFEST.MF:
> 
>   Import-Package: javax.annotation;version="[3.0,4)",javax.annotation.meta
>    ;version="[3.0,4)",javax.net.ssl,javax.xml.parsers,javax.xml.transform,
>    javax.xml.transform.dom,javax.xml.transform.stream,org.jsoup;version="[
>    1.14,2)",org.jsoup.helper;version="[1.14,2)",org.jsoup.internal;version
>    ="[1.14,2)",org.jsoup.nodes;version="[1.14,2)",org.jsoup.parser;version
>    ="[1.14,2)",org.jsoup.safety;version="[1.14,2)",org.jsoup.select;versio
>    n="[1.14,2)",org.w3c.dom
> 
> Problem: javax.annotation in karaf is provided by the felix framework,
> and is version 1.3:
> 
>   karaf@root()> package:exports | grep annotation
>   java.lang.annotation                x 0.0.0       x 0  x org.apache.felix.framework
>   javax.annotation.processing         x 1.0.0       x 0  x org.apache.felix.framework
>   javax.annotation                    x 1.3.0       x 0  x org.apache.felix.framework
>   javax.xml.bind.annotation.adapters  x 2.3.0       x 0  x org.apache.felix.framework
>   javax.xml.bind.annotation           x 2.3.0       x 0  x org.apache.felix.framework
>   karaf@root()>
> 
> (Is javax.annotation 3.0 even a real thing...?
>   I found this when googling https://mvnrepository.com/artifact/org.glassfish/javax.annotation
>   The version numbers are weird and the dates are old (2011), and AFAIK
>   this isn't a package that has had any actual changes for, like, ever...)
> 
> Is there a workaround, other than re-bundling jsoup?
> 
> Thanks!
> 
> 
> - Steinar
> 

Re: jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Eric Lilja <mi...@gmail.com>:

> Anyway, I tried embedding the dependency in a service, and I removed
> the problematic import and then I let the service do JSoup.connect()
> and get the title of a webpage. My service was still satisfied and
> JSoup was able to do what I requested. So instead of embedding you can
> simply do a re-pack and remove the unwanted import.

Ok, I thought the retention policy runtime on the annotations meant
that the bundle wouldn't load if the annotations weren't available at
runtime.

But I followed what you said above, and removed the javax.annotation and
javax.annotation.meta imports from the MANIFEST.MF of the bundle, and
the result loaded fine in my applications that use jsoup.

So I have created a PR for jsoup that removes the imports from the MANIFEST.MF:
 https://github.com/jhy/jsoup/pull/1621

FYI I use jsoup to handle form values in HTML forms that don't use
JavaScript:
 https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security/src/main/java/no/priv/bang/authservice/web/security/resources/PasswordsResource.java#L86
 https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security/src/main/java/no/priv/bang/authservice/web/security/resources/PasswordsResource.java#L102
 https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security/src/main/resources/web/password.html#L34
and also to set return messages
 https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security/src/main/java/no/priv/bang/authservice/web/security/resources/PasswordsResource.java#L85
 https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security/src/main/java/no/priv/bang/authservice/web/security/resources/HtmlTemplateResource.java#L50

(sort of a very simple templating engine...)


Re: jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Posted by Eric Lilja <mi...@gmail.com>.
When a dependency has provided scope, it is available at build time, but
not at runtime. It is also not contributed to the runtime classpath when
another module is depending on the module which has a declared provided
dependency. This choice by the Jsoup authors indicates it's build time only.

Also, those annotations (NotNull, Nullable etc.) are meant for an IDE that
can detect certain API misuse at source level (build level), like
explicitly passing a null object (the IDE can figure out the object is always
null at that point) as a parameter, when the API is annotated @NotNull.

Anyway, I tried embedding the dependency in a service, and I removed the
problematic import and then I let the service do JSoup.connect() and get
the title of a webpage. My service was still satisfied and JSoup was able
to do what I requested. So instead of embedding you can simply do a re-pack
and remove the unwanted import.

Guava is another example, it has all these code analysis dependencies that
OSGi often wants to be provisioned, but can be omitted.

- Eric L



On Wed, Aug 25, 2021 at 6:37 PM Steinar Bang <sb...@dod.no> wrote:

> >>>>> Steinar Bang <sb...@dod.no>:
>
> >> Is there a workaround, other than re-bundling jsoup?
>
> > One workaround would be to load version 3.0 (or so) of the glassfish
> > packaged javax.annotation...?
>
> > Since the packages are versioned it shouldn't conflict with the felix
> > version...?
>
> > (but it just feels so hacky...)
>
> FWIW what I've done, for now, is to put a <scope>compile</scope>
> dependency to the findbugs jar in the pom files that have the
> <scope>compile</scope> dependency to jsoup.
>
> Again, FWIW, this seems to work.
>
> The one package that also exists in the felix runtime (javax.annotation)
> has a different version, and a version matching jsoup, so they
> shouldn't conflict...?
>
>
>

Re: jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Steinar Bang <sb...@dod.no>:

>> Is there a workaround, other than re-bundling jsoup?

> One workaround would be to load version 3.0 (or so) of the glassfish
> packaged javax.annotation...?

> Since the packages are versioned it shouldn't conflict with the felix
> version...?

> (but it just feels so hacky...)

FWIW what I've done, for now, is to put a <scope>compile</scope>
dependency to the findbugs jar in the pom files that have the
<scope>compile</scope> dependency to jsoup.

Again, FWIW, this seems to work.

The one package that also exists in the felix runtime (javax.annotation)
has a different version, and a version matching jsoup, so they
shouldn't conflict...?



Re: jsoup 1.14.2 requires javax.annotation version between 3.0 and 4.0

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Steinar Bang <sb...@dod.no>:

> Is there a workaround, other than re-bundling jsoup?

One workaround would be to load version 3.0 (or so) of the glassfish
packaged javax.annotation...?

Since the packages are versioned it shouldn't conflict with the felix
version...?

(but it just feels so hacky...)