Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dependency convergence errors with springwolf-kafka 0.12.1 #259

Closed
maksymgendin opened this issue Jun 28, 2023 · 13 comments
Closed

Dependency convergence errors with springwolf-kafka 0.12.1 #259

maksymgendin opened this issue Jun 28, 2023 · 13 comments
Labels
bug Something isn't working core Involves springwolf-core staged for release

Comments

@maksymgendin
Copy link

Describe the bug

I would like to report some new dependency convergence errors I'm getting with latest version of springwolf-kafka. You're not verifying dependency convergence with Maven enforcer plugin, right? Not sure how to correctly handle this...

Dependency convergence error for com.google.guava:guava:jar:31.0.1-android paths to dependency are:
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-io.swagger.parser.v3:swagger-parser:jar:2.1.12:runtime
          +-io.swagger.parser.v3:swagger-parser-v2-converter:jar:2.1.12:runtime
            +-io.swagger:swagger-core:jar:1.6.9:runtime
              +-com.google.guava:guava:jar:31.0.1-android:runtime
and
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-com.github.java-json-tools:json-schema-validator:jar:2.2.14:runtime
          +-com.google.guava:guava:jar:28.2-android:runtime
and
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-com.github.java-json-tools:json-schema-validator:jar:2.2.14:runtime
          +-com.github.java-json-tools:jackson-coreutils-equivalence:jar:1.0:runtime
            +-com.google.guava:guava:jar:28.2-android:runtime
and
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-com.github.java-json-tools:json-schema-validator:jar:2.2.14:runtime
          +-com.github.java-json-tools:json-schema-core:jar:1.2.14:runtime
            +-com.google.guava:guava:jar:28.2-android:runtime
and
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-com.github.java-json-tools:json-schema-validator:jar:2.2.14:runtime
          +-com.github.java-json-tools:json-schema-core:jar:1.2.14:runtime
            +-com.github.java-json-tools:uri-template:jar:0.10:runtime
              +-com.google.guava:guava:jar:28.1-android:runtime
Dependency convergence error for commons-io:commons-io:jar:2.11.0 paths to dependency are:
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-io.swagger.parser.v3:swagger-parser:jar:2.1.12:runtime
          +-io.swagger.parser.v3:swagger-parser-v2-converter:jar:2.1.12:runtime
            +-io.swagger:swagger-parser:jar:1.0.64:runtime
              +-commons-io:commons-io:jar:2.11.0:runtime
and
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-io.swagger.parser.v3:swagger-parser:jar:2.1.12:runtime
          +-io.swagger.parser.v3:swagger-parser-v3:jar:2.1.12:runtime
            +-commons-io:commons-io:jar:2.11.0:runtime
and
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-io.swagger.parser.v3:swagger-parser:jar:2.1.12:runtime
          +-commons-io:commons-io:jar:2.11.0:runtime
and
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-commons-io:commons-io:jar:2.11.0:runtime
and
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-commons-fileupload:commons-fileupload:jar:1.4:runtime
          +-commons-io:commons-io:jar:2.2:runtime
Dependency convergence error for joda-time:joda-time:jar:2.10.14 paths to dependency are:
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.15.2:runtime
          +-joda-time:joda-time:jar:2.10.14:runtime
and
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-com.github.java-json-tools:json-schema-validator:jar:2.2.14:runtime
          +-joda-time:joda-time:jar:2.10.5:runtime
Dependency convergence error for com.google.code.findbugs:jsr305:jar:3.0.2 paths to dependency are:
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-com.github.java-json-tools:json-schema-validator:jar:2.2.14:runtime
          +-com.github.java-json-tools:jackson-coreutils-equivalence:jar:1.0:runtime
            +-com.github.java-json-tools:jackson-coreutils:jar:2.0:runtime
              +-com.github.java-json-tools:msg-simple:jar:1.2:runtime
                +-com.github.java-json-tools:btf:jar:1.3:runtime
                  +-com.google.code.findbugs:jsr305:jar:2.0.1:runtime
and
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-com.github.java-json-tools:json-schema-validator:jar:2.2.14:runtime
          +-com.github.java-json-tools:jackson-coreutils-equivalence:jar:1.0:runtime
            +-com.github.java-json-tools:jackson-coreutils:jar:2.0:runtime
              +-com.github.java-json-tools:msg-simple:jar:1.2:runtime
                +-com.google.code.findbugs:jsr305:jar:2.0.1:runtime
and
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-com.github.java-json-tools:json-schema-validator:jar:2.2.14:runtime
          +-com.github.java-json-tools:jackson-coreutils-equivalence:jar:1.0:runtime
            +-com.github.java-json-tools:jackson-coreutils:jar:2.0:runtime
              +-com.google.code.findbugs:jsr305:jar:3.0.2:runtime
and
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-com.github.java-json-tools:json-schema-validator:jar:2.2.14:runtime
          +-com.github.java-json-tools:json-schema-core:jar:1.2.14:runtime
            +-com.github.java-json-tools:uri-template:jar:0.10:runtime
              +-com.google.code.findbugs:jsr305:jar:2.0.1:runtime
and
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-com.github.java-json-tools:json-schema-validator:jar:2.2.14:runtime
          +-com.github.java-json-tools:json-schema-core:jar:1.2.14:runtime
            +-com.google.code.findbugs:jsr305:jar:3.0.2:runtime
and
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:compile
    +-io.github.springwolf:springwolf-core:jar:0.11.1:compile
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-com.github.java-json-tools:json-schema-validator:jar:2.2.14:runtime
          +-com.google.code.findbugs:jsr305:jar:3.0.2:runtime

Dependencies and versions used
springwolf-kafka version 0.12.1

@maksymgendin maksymgendin added the bug Something isn't working label Jun 28, 2023
@maksymgendin
Copy link
Author

maksymgendin commented Jun 28, 2023

Additionally I have an absolutely weird exception in my integration tests now with springwolf-kafka version 0.12.1 which breaks the boot and is not happening with version 0.12.0:

Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.springframework.security.oauth2.jwt.ReactiveJwtDecoder' available
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBean(DefaultListableBeanFactory.java:341)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBean(DefaultListableBeanFactory.java:332)
	at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1172)
	at org.springframework.security.config.web.server.ServerHttpSecurity.getBean(ServerHttpSecurity.java:1638)
	at org.springframework.security.config.web.server.ServerHttpSecurity$OAuth2ResourceServerSpec$JwtSpec.getJwtDecoder(ServerHttpSecurity.java:4583)
	at org.springframework.security.config.web.server.ServerHttpSecurity$OAuth2ResourceServerSpec$JwtSpec.getAuthenticationManager(ServerHttpSecurity.java:4603)
	at org.springframework.security.config.web.server.ServerHttpSecurity$OAuth2ResourceServerSpec$JwtSpec.configure(ServerHttpSecurity.java:4575)
	at org.springframework.security.config.web.server.ServerHttpSecurity$OAuth2ResourceServerSpec.configure(ServerHttpSecurity.java:4428)
	at org.springframework.security.config.web.server.ServerHttpSecurity.build(ServerHttpSecurity.java:1536)

I'm using OAuth 2.0 with JWT configured via spring.security.oauth2.resourceserver.jwt.issuer-uri property, this should autodiscover the certificates and build a org.springframework.security.oauth2.jwt.SupplierReactiveJwtDecoder which is an implementation of org.springframework.security.oauth2.jwt.ReactiveJwtDecoder:

image
Source: org.springframework.boot.autoconfigure.security.oauth2.resource.reactive.ReactiveOAuth2ResourceServerJwkConfiguration

Seems like this code is not executed with springwolf-kafka version 0.12.0 🤔 Maybe some spring autoconfigure stuff prevents this? Like Spring MVC jumps in and disables Spring Webflux... But I couldn't find a related change in the changes, single somehow related change which I've found is this:

image


Update: My guess was correct - it is some autoconfiguration thingy which jumps in with springwolf-kafka 0.12.1. Could fix this issue via explicitly specifying the web application type:

spring:
  main:
    web-application-type: reactive

@ctasada
Copy link
Collaborator

ctasada commented Jun 28, 2023

@maksymgendin The project is build with Gradle, so we don't use maven-enforcer, but with #214 we introduced support for ca.cutterslade.analyze which is similar. Maybe there's something misconfigured, I will review.

In any case, the warnings are not related with springworlf libraries, but all of them seem to be coming from io.swagger:swagger-inflector. I have a Maven project and "fixed" the conflicts adding an exclusion block

            <dependency>
                <groupId>io.github.springwolf</groupId>
                <artifactId>springwolf-core</artifactId>
                <version>0.11.1</version>
                <exclusions>
                    <exclusion>
                     .....
                    </exclusion>
                </exclusions>
            </dependency>

adding the bare minimum set of conflicting dependencies. In my project it works fine. Pay attention to ch.qos.logback:logback-classic since I needed to exclude it to avoid an issue with SLF4J.

@maksymgendin
Copy link
Author

I'm afraid I can't fix it with exclusions because this happens internally in springwolf-kafka artifact. I am only able to solve it via specifying all the versions of conflicting dependencies in the dependency management block and I would love to avoid it 😬

@ctasada
Copy link
Collaborator

ctasada commented Jul 3, 2023

@maksymgendin I will take a look to this issue the next days, but to me is unclear the reason you cannot apply a solution like

            <dependency>
                <groupId>io.github.springwolf</groupId>
                <artifactId>springwolf-core</artifactId>
                <version>0.11.1</version>
                <exclusions>
                    <exclusion>
                        <groupId>io.swagger.parser.v3</groupId>
                        <artifactId>swagger-parser-core</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>ch.qos.logback</groupId>
                        <artifactId>logback-classic</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>org.projectlombok</groupId>
                        <artifactId>lombok</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>jakarta.inject</groupId>
                        <artifactId>jakarta.inject-api</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>joda-time</groupId>
                        <artifactId>joda-time</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>com.google.code.findbugs</groupId>
                        <artifactId>jsr305</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>org.javassist</groupId>
                        <artifactId>javassist</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>org.apache.httpcomponents</groupId>
                        <artifactId>httpclient</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>

That's exactly what I'm doing in one of my projects and everything works as expected.

@timonback
Copy link
Member

@maksymgendin Has your question been answered?

@sam0r040 and me are trying resolve some of the swagger-inflector dependency issues with #279

Lets us know you have found a solution. We can document it and refer it, like #259 (comment)

@maksymgendin
Copy link
Author

maksymgendin commented Jul 24, 2023

@timonback Not really. I still have the issue with dependency convergence and I can't use the proposal from @ctasada because the dependency convergence error happens in springwolf-kafka internally.

Here for example for the dependency joda-time:joda-time:

Dependency convergence error for joda-time:joda-time:jar:2.10.14 paths to dependency are:
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:runtime
    +-io.github.springwolf:springwolf-core:jar:0.11.1:runtime
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.15.2:runtime
          +-joda-time:joda-time:jar:2.10.14:runtime
and
+-my_service
  +-io.github.springwolf:springwolf-kafka:jar:0.12.1:runtime
    +-io.github.springwolf:springwolf-core:jar:0.11.1:runtime
      +-io.swagger:swagger-inflector:jar:2.0.9:runtime
        +-com.github.java-json-tools:json-schema-validator:jar:2.2.14:runtime
          +-joda-time:joda-time:jar:2.10.5:runtime

How should I solve this error? In my pom.xml I just include springwolf-kafka like this:

<dependency>
    <groupId>io.github.springwolf</groupId>
    <artifactId>springwolf-kafka</artifactId>
    <scope>runtime</scope>
    <version>${springwolf-kafka.version}</version>
</dependency>

My current workaround is to pin all the conflicting artifact versions via dependencyManagement but this is not a nice solution...

@timonback
Copy link
Member

I am not so familiar with maven. So I guess the exclusion does not work as part of the dependency block that you and @ctasada have posted?

<dependency>
    <groupId>io.github.springwolf</groupId>
    <artifactId>springwolf-kafka</artifactId>
    <scope>runtime</scope>
    <version>${springwolf-kafka.version}</version>
    <exclusions>
         <exclusion>
            <groupId>io.swagger.parser.v3</groupId>
            <artifactId>swagger-parser-core</artifactId>
         </exclusion>
....
</dependency>

Based on your report, I see the following conflict:

  1. com.google.guava:guava:jar:31.0.1-android
  2. commons-io:commons-io:jar:2.11.0
  3. joda-time:joda-time:jar:2.10.14
  4. com.google.code.findbugs:jsr305:jar:3.0.2

Interestingly enough, I see that swagger-inflector is included in all of them. I expect them to get resolved after we move away from swagger-inflector, which is targeted in 2 releases.
First, #279 replaces the logic and keeps the fallback for swagger-inflector. Second, swagger-inflector is removed completly.

@ctasada
Copy link
Collaborator

ctasada commented Jul 24, 2023

The block I posted is copy&paste for a real project and works properly.

@maksymgendin can you provide some extra information? Why that approach is not working? Can you include some minor example on how do you use the library?

@maksymgendin
Copy link
Author

maksymgendin commented Jul 25, 2023

@ctasada I just don't understand how it is supposed to work if I exclude transitive dependencies which are required for springwolf to work and I do not declare them anywhere else.

So, currently in my project I'm including springwolf-kafka like this:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>io.github.springwolf</groupId>
            <artifactId>springwolf-kafka</artifactId>
            <version>${springwolf-kafka.version}</version>
        </dependency>
    </dependencies>
</dependencyManagement>

and like this:

<dependencies>
    <dependency>
        <groupId>io.github.springwolf</groupId>
        <artifactId>springwolf-kafka</artifactId>
    </dependency>
</dependencies>

If I now add your proposal from above, my dependencyManagement block would look like this:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>io.github.springwolf</groupId>
            <artifactId>springwolf-kafka</artifactId>
            <version>${springwolf-kafka.version}</version>
            <exclusions>
                <exclusion>
                    <groupId>io.swagger.parser.v3</groupId>
                    <artifactId>swagger-parser-core</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>ch.qos.logback</groupId>
                    <artifactId>logback-classic</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.projectlombok</groupId>
                    <artifactId>lombok</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>jakarta.inject</groupId>
                    <artifactId>jakarta.inject-api</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>joda-time</groupId>
                    <artifactId>joda-time</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>com.google.code.findbugs</groupId>
                    <artifactId>jsr305</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.javassist</groupId>
                    <artifactId>javassist</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.httpcomponents</groupId>
                    <artifactId>httpclient</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>
</dependencyManagement>

Now my application of course crashes on runtime with several java.lang.ClassNotFoundException's.

As I said - the dependency convergence error is inside the springwolf-kafka artifact and the single way to solve this error (at least which I'm aware of) is to pin the versions for the artifacts which cause the dependency convergence errors manually via Maven's dependencyManagement block like this:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>io.github.springwolf</groupId>
            <artifactId>springwolf-kafka</artifactId>
            <version>${springwolf-kafka.version}</version>
        </dependency>
        <!-- START: Dependency convergence management -->
        <dependency>
            <groupId>io.swagger.core.v3</groupId>
            <artifactId>swagger-annotations-jakarta</artifactId>
            <version>${swagger.version}</version>
        </dependency>
        <dependency>
            <groupId>io.swagger.core.v3</groupId>
            <artifactId>swagger-models-jakarta</artifactId>
            <version>${swagger.version}</version>
        </dependency>
        <dependency>
            <groupId>io.swagger.core.v3</groupId>
            <artifactId>swagger-core-jakarta</artifactId>
            <version>${swagger.version}</version>
        </dependency>
        <dependency>
            <groupId>com.google.code.findbugs</groupId>
            <artifactId>jsr305</artifactId>
            <version>${jsr305.version}</version>
        </dependency>
        <dependency>
            <groupId>joda-time</groupId>
            <artifactId>joda-time</artifactId>
            <version>${joda-time.version}</version>
        </dependency>
        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
            <version>${commons-io.version}</version>
        </dependency>
        <dependency>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
            <version>${guava.version}</version>
        </dependency>
        <!-- END: Dependency convergence management -->
    </dependencies>
</dependencyManagement>

There are several problems with doing it on my own, I would need to care about:

  • Updating the versions of all the transitive dependencies on my own, additionally to updating springwolf-kafka
  • I would need to verify if everything still fits together and works when I change some of the transitive dependency versions (my integration tests would probably cover a lot of this)
  • I'm introducing additional complexity to my application which I would like to avoid

@timonback timonback added the core Involves springwolf-core label Aug 7, 2023
@timonback
Copy link
Member

Heads up, swagger-inflector is removed from main, which seems to be the main cause.
You can try the SNAPSHOT version today, or wait for the upcoming release.

@timonback
Copy link
Member

Thank you for the report. The new version of Springwolf has been released including the removal of swagger-inflector.

In case you still encounter the issue, feel free to re-open the issue.

@maksymgendin
Copy link
Author

@timonback Many thanks, it works!

@timonback
Copy link
Member

timonback commented Oct 3, 2023

Awesome!

May you/we add your company to Springwolfs list of users? -> #342

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working core Involves springwolf-core staged for release
Projects
None yet
Development

No branches or pull requests

3 participants