[BSERV-8228] Plugins built with some Bitbucket Server dependencies unexpectedly bundle commons-lang

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 4.0.7, 4.1.4, 4.2.1, 4.3.0
Affects Version/s: 4.0.0, 4.1.0, 4.2.0
Component/s: Plugin Development
Labels:
None

Bug Fix Policy:
View Atlassian Server bug fix policy

Plugins which use a <scope>import</scope> for the com.atlassian.bitbucket.server:bitbucket-parent POM and have dependencies on certain modules, like bitbucket-spi, end up unexpectedly bundling commons-lang:commons-lang.

In bitbucket-parent, the commons-lang:commons-lang entry in <dependencyManagement/> has an explicit <scope>runtime</scope> applied. When commons-lang is pulled in transitively via a <scope>provided</scope> dependency, that explicit "runtime" ends up overriding the "provided" scope. As a result, commons-lang is bundled in the plugin.

Form Name

Bryan Turner (Inactive) added a comment - 12/Dec/2015 1:03 AM - edited

I built a very simple plugin, which has dependencies on bitbucket-api and bitbucket-spi. I noticed that the resulting plugin jar was significantly larger than I expected, so I looked inside and found all of the commons-lang classes.

A quick glance through mvn dependency:tree quickly showed the culprit:

$ mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Bitbucket Server - Example Hook 1.0.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ example-hook ---
[INFO] com.atlassian.bitbucket.server.example:example-hook:atlassian-plugin:1.0.0-SNAPSHOT
[INFO] +- com.atlassian.bitbucket.server:bitbucket-api:jar:4.2.0:provided
[INFO] |  +- com.atlassian.analytics:analytics-api:jar:4.3.2:provided
[INFO] |  +- com.atlassian.annotations:atlassian-annotations:jar:0.16:provided
[INFO] |  +- com.atlassian.crowd:embedded-crowd-api:jar:2.8.4-m2:provided
[INFO] |  +- com.atlassian.event:atlassian-event:jar:3.0.0:provided
[INFO] |  +- com.atlassian.extras:atlassian-extras-api:jar:3.3.0:provided
[INFO] |  +- com.atlassian.utils:atlassian-processutils:jar:1.7.5:provided
[INFO] |  |  \- org.jvnet.winp:winp:jar:1.17-atlassian1:provided
[INFO] |  +- com.google.guava:guava:jar:18.0:provided
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.4:provided
[INFO] |  \- org.hibernate:hibernate-validator:jar:5.2.1.Final:provided
[INFO] |     +- javax.validation:validation-api:jar:1.1.0.Final:provided
[INFO] |     +- org.jboss.logging:jboss-logging:jar:3.2.0.Final:provided
[INFO] |     \- com.fasterxml:classmate:jar:1.1.0:provided
[INFO] +- com.atlassian.bitbucket.server:bitbucket-spi:jar:4.2.0:provided
[INFO] |  +- com.atlassian.plugins:atlassian-plugins-core:jar:4.0.4:provided
[INFO] |  |  +- com.atlassian.plugins:atlassian-plugins-api:jar:4.0.4:provided
[INFO] |  |  |  \- com.atlassian.util.concurrent:atlassian-util-concurrent:jar:3.0.0:provided
[INFO] |  |  +- commons-lang:commons-lang:jar:2.6:runtime <--- Should not be runtime
[INFO] |  |  +- commons-collections:commons-collections:jar:3.2.2:provided
[INFO] |  |  +- commons-io:commons-io:jar:2.4:provided
[INFO] |  |  +- dom4j:dom4j:jar:1.4:provided
[INFO] |  |  \- com.atlassian.fugue:fugue:jar:2.5.0:provided
[INFO] |  \- com.atlassian.profiling:atlassian-profiling:jar:1.11:provided
[INFO] +- com.google.code.findbugs:jsr305:jar:3.0.0:provided
[INFO] \- org.slf4j:slf4j-api:jar:1.7.12:provided
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.538 s
[INFO] Finished at: 2015-12-11T17:56:47-07:00
[INFO] Final Memory: 23M/437M
[INFO] ------------------------------------------------------------------------

So bitbucket-spi is in <scope>provided</scope>, but commons-lang is <scope>runtime</scope>. A quick glance at bitbucket-parent, which is being imported to leverage its versions, shows:

<dependency>
    <groupId>commons-lang</groupId>
    <artifactId>commons-lang</artifactId>
    <version>${commons.lang.libversion}</version>
    <scope>runtime</scope>
</dependency>

Removing that explicit <scope/> tag results in:

$ mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Bitbucket Server - Example Hook 1.0.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ example-hook ---
[INFO] com.atlassian.bitbucket.server.example:example-hook:atlassian-plugin:1.0.0-SNAPSHOT
[INFO] +- com.atlassian.bitbucket.server:bitbucket-api:jar:4.0.7-SNAPSHOT:provided
[INFO] |  +- com.atlassian.analytics:analytics-api:jar:4.2.6:provided
[INFO] |  +- com.atlassian.annotations:atlassian-annotations:jar:0.16:provided
[INFO] |  +- com.atlassian.crowd:embedded-crowd-api:jar:2.8.4-m2:provided
[INFO] |  +- com.atlassian.event:atlassian-event:jar:3.0.0:provided
[INFO] |  +- com.atlassian.extras:atlassian-extras-api:jar:3.3.0:provided
[INFO] |  +- com.atlassian.utils:atlassian-processutils:jar:1.7.3:provided
[INFO] |  |  \- org.jvnet.winp:winp:jar:1.17-atlassian1:provided
[INFO] |  +- com.google.guava:guava:jar:18.0:provided
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.4:provided
[INFO] |  \- org.hibernate:hibernate-validator:jar:5.2.1.Final:provided
[INFO] |     +- javax.validation:validation-api:jar:1.1.0.Final:provided
[INFO] |     +- org.jboss.logging:jboss-logging:jar:3.2.0.Final:provided
[INFO] |     \- com.fasterxml:classmate:jar:1.1.0:provided
[INFO] +- com.atlassian.bitbucket.server:bitbucket-spi:jar:4.0.7-SNAPSHOT:provided
[INFO] |  +- com.atlassian.plugins:atlassian-plugins-core:jar:4.0.4:provided
[INFO] |  |  +- com.atlassian.plugins:atlassian-plugins-api:jar:4.0.4:provided
[INFO] |  |  |  \- com.atlassian.util.concurrent:atlassian-util-concurrent:jar:3.0.0:provided
[INFO] |  |  +- commons-lang:commons-lang:jar:2.6:provided <--- Now in provided scope, as it should be
[INFO] |  |  +- commons-collections:commons-collections:jar:3.2.2:provided
[INFO] |  |  +- commons-io:commons-io:jar:2.4:provided
[INFO] |  |  +- dom4j:dom4j:jar:1.4:provided
[INFO] |  |  \- com.atlassian.fugue:fugue:jar:2.5.0:provided
[INFO] |  \- com.atlassian.profiling:atlassian-profiling:jar:1.11:provided
[INFO] +- com.google.code.findbugs:jsr305:jar:3.0.0:provided
[INFO] \- org.slf4j:slf4j-api:jar:1.7.12:provided
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.567 s
[INFO] Finished at: 2015-12-11T18:00:14-07:00
[INFO] Final Memory: 23M/437M
[INFO] ------------------------------------------------------------------------

Bryan Turner (Inactive) added a comment - 12/Dec/2015 1:03 AM - edited I built a very simple plugin , which has dependencies on bitbucket-api and bitbucket-spi . I noticed that the resulting plugin jar was significantly larger than I expected, so I looked inside and found all of the commons-lang classes. A quick glance through mvn dependency:tree quickly showed the culprit: $ mvn dependency:tree [INFO] Scanning for projects... [INFO] [INFO] ------------------------------------------------------------------------ [INFO] Building Bitbucket Server - Example Hook 1.0.0-SNAPSHOT [INFO] ------------------------------------------------------------------------ [INFO] [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ example-hook --- [INFO] com.atlassian.bitbucket.server.example:example-hook:atlassian-plugin:1.0.0-SNAPSHOT [INFO] +- com.atlassian.bitbucket.server:bitbucket-api:jar:4.2.0:provided [INFO] | +- com.atlassian.analytics:analytics-api:jar:4.3.2:provided [INFO] | +- com.atlassian.annotations:atlassian-annotations:jar:0.16:provided [INFO] | +- com.atlassian.crowd:embedded-crowd-api:jar:2.8.4-m2:provided [INFO] | +- com.atlassian.event:atlassian-event:jar:3.0.0:provided [INFO] | +- com.atlassian.extras:atlassian-extras-api:jar:3.3.0:provided [INFO] | +- com.atlassian.utils:atlassian-processutils:jar:1.7.5:provided [INFO] | | \- org.jvnet.winp:winp:jar:1.17-atlassian1:provided [INFO] | +- com.google.guava:guava:jar:18.0:provided [INFO] | +- org.apache.commons:commons-lang3:jar:3.4:provided [INFO] | \- org.hibernate:hibernate-validator:jar:5.2.1.Final:provided [INFO] | +- javax.validation:validation-api:jar:1.1.0.Final:provided [INFO] | +- org.jboss.logging:jboss-logging:jar:3.2.0.Final:provided [INFO] | \- com.fasterxml:classmate:jar:1.1.0:provided [INFO] +- com.atlassian.bitbucket.server:bitbucket-spi:jar:4.2.0:provided [INFO] | +- com.atlassian.plugins:atlassian-plugins-core:jar:4.0.4:provided [INFO] | | +- com.atlassian.plugins:atlassian-plugins-api:jar:4.0.4:provided [INFO] | | | \- com.atlassian.util.concurrent:atlassian-util-concurrent:jar:3.0.0:provided [INFO] | | +- commons-lang:commons-lang:jar:2.6:runtime <--- Should not be runtime [INFO] | | +- commons-collections:commons-collections:jar:3.2.2:provided [INFO] | | +- commons-io:commons-io:jar:2.4:provided [INFO] | | +- dom4j:dom4j:jar:1.4:provided [INFO] | | \- com.atlassian.fugue:fugue:jar:2.5.0:provided [INFO] | \- com.atlassian.profiling:atlassian-profiling:jar:1.11:provided [INFO] +- com.google.code.findbugs:jsr305:jar:3.0.0:provided [INFO] \- org.slf4j:slf4j-api:jar:1.7.12:provided [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESS [INFO] ------------------------------------------------------------------------ [INFO] Total time: 1.538 s [INFO] Finished at: 2015-12-11T17:56:47-07:00 [INFO] Final Memory: 23M/437M [INFO] ------------------------------------------------------------------------ So bitbucket-spi is in <scope>provided</scope> , but commons-lang is <scope>runtime</scope> . A quick glance at bitbucket-parent , which is being imported to leverage its versions, shows: <dependency> <groupId>commons-lang</groupId> <artifactId>commons-lang</artifactId> <version>${commons.lang.libversion}</version> <scope>runtime</scope> </dependency> Removing that explicit <scope/> tag results in: $ mvn dependency:tree [INFO] Scanning for projects... [INFO] [INFO] ------------------------------------------------------------------------ [INFO] Building Bitbucket Server - Example Hook 1.0.0-SNAPSHOT [INFO] ------------------------------------------------------------------------ [INFO] [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ example-hook --- [INFO] com.atlassian.bitbucket.server.example:example-hook:atlassian-plugin:1.0.0-SNAPSHOT [INFO] +- com.atlassian.bitbucket.server:bitbucket-api:jar:4.0.7-SNAPSHOT:provided [INFO] | +- com.atlassian.analytics:analytics-api:jar:4.2.6:provided [INFO] | +- com.atlassian.annotations:atlassian-annotations:jar:0.16:provided [INFO] | +- com.atlassian.crowd:embedded-crowd-api:jar:2.8.4-m2:provided [INFO] | +- com.atlassian.event:atlassian-event:jar:3.0.0:provided [INFO] | +- com.atlassian.extras:atlassian-extras-api:jar:3.3.0:provided [INFO] | +- com.atlassian.utils:atlassian-processutils:jar:1.7.3:provided [INFO] | | \- org.jvnet.winp:winp:jar:1.17-atlassian1:provided [INFO] | +- com.google.guava:guava:jar:18.0:provided [INFO] | +- org.apache.commons:commons-lang3:jar:3.4:provided [INFO] | \- org.hibernate:hibernate-validator:jar:5.2.1.Final:provided [INFO] | +- javax.validation:validation-api:jar:1.1.0.Final:provided [INFO] | +- org.jboss.logging:jboss-logging:jar:3.2.0.Final:provided [INFO] | \- com.fasterxml:classmate:jar:1.1.0:provided [INFO] +- com.atlassian.bitbucket.server:bitbucket-spi:jar:4.0.7-SNAPSHOT:provided [INFO] | +- com.atlassian.plugins:atlassian-plugins-core:jar:4.0.4:provided [INFO] | | +- com.atlassian.plugins:atlassian-plugins-api:jar:4.0.4:provided [INFO] | | | \- com.atlassian.util.concurrent:atlassian-util-concurrent:jar:3.0.0:provided [INFO] | | +- commons-lang:commons-lang:jar:2.6:provided <--- Now in provided scope, as it should be [INFO] | | +- commons-collections:commons-collections:jar:3.2.2:provided [INFO] | | +- commons-io:commons-io:jar:2.4:provided [INFO] | | +- dom4j:dom4j:jar:1.4:provided [INFO] | | \- com.atlassian.fugue:fugue:jar:2.5.0:provided [INFO] | \- com.atlassian.profiling:atlassian-profiling:jar:1.11:provided [INFO] +- com.google.code.findbugs:jsr305:jar:3.0.0:provided [INFO] \- org.slf4j:slf4j-api:jar:1.7.12:provided [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESS [INFO] ------------------------------------------------------------------------ [INFO] Total time: 1.567 s [INFO] Finished at: 2015-12-11T18:00:14-07:00 [INFO] Final Memory: 23M/437M [INFO] ------------------------------------------------------------------------

Details

Description

Attachments

Forms

Activity

Collapse comment: Bryan Turner (Inactive) added a comment - 12/Dec/2015 1:03 AM, Edited by Bryan Turner - 12/Dec/2015 1:04 AM

Expand comment: Bryan Turner (Inactive) added a comment - 12/Dec/2015 1:03 AM, Edited by Bryan Turner - 12/Dec/2015 1:04 AM

People

Dates

Backbone Issue Sync