Eliminate outdated 3rd party content from SimRel

[merks]

In order to ensure we can address any problems, e.g., CVEs, that might arise in 3rd party bundles in the future, we need to be prepared to update those dependencies. The following dependencies are not currently part of the restructured Orbit aggregation and need to be investigated to determine where and why these outdated versions are being used:

• bndtools.jareditor/7.0.0.202310060912
• This is a dependency of PDE that is consumed directly from Maven https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/blob/8aa0d1e1d6a471baad29d26f286b1946e89b8f7c/eclipse.platform.releng.prereqs.sdk/eclipse-sdk-prereqs.target#L605-L622.
• It has not been included in Orbit because it has a very-many difficult-to-manage dependencies back to the Eclipse IDE. We can safely assume that PDE will update to newer versions of BND as they become available.
• ca.odell.glazedlists/1.9.0.v201303080712 → ca.odell.glazedlists/1.11.0
• I've opened the following issues:
  • https://gitlab.eclipse.org/eclipse/papyrus/org.eclipse.papyrus-designer/-/issues/14
  • Update NatTable to the latest dependencies eclipse-nattable/nattable#95
• com.google.gerrit.common/2.1.5.v201112241444 🚫
• Update transitive com.google.gerrit dependencies eclipse-mylyn/org.eclipse.mylyn#567
• Disable Mylyn's gerrit features #445
• com.google.gerrit.prettify/2.1.5.v201112241444 🚫
• Update transitive com.google.gerrit dependencies eclipse-mylyn/org.eclipse.mylyn#567
• Disable Mylyn's gerrit features #445
• com.google.gerrit.reviewdb/2.1.5.v201112241444 🚫
• Update transitive com.google.gerrit dependencies eclipse-mylyn/org.eclipse.mylyn#567
• Disable Mylyn's gerrit features #445
• com.google.gwt.servlet/2.1.0.v201111291940 🚫
• Update transitive com.google.gerrit dependencies eclipse-mylyn/org.eclipse.mylyn#567
• Disable Mylyn's gerrit features #445
• com.google.gwtjsonrpc/1.2.5.v201112241444 🚫
• Update transitive com.google.gerrit dependencies eclipse-mylyn/org.eclipse.mylyn#567
• Disable Mylyn's gerrit features #445
• com.google.gwtorm/1.1.4.v201112241444 🚫
• Update transitive com.google.gerrit dependencies eclipse-mylyn/org.eclipse.mylyn#567
• Disable Mylyn's gerrit features #445
• com.google.protobuf/2.4.0.v201105131100 🚫
• Remove the com.google.protobuf bundle from the feature and the category eclipse-jsdt/webtools.jsdt#5
• com.mountainminds.eclemma.core/3.1.9.202405260028 ✔
• This is just p2 metadata from the eclemma project:
  • https://github.com/eclipse-eclemma/eclemma/blob/5c445fe234d36e88eafe31bbd78e829c42ebaedf/org.eclipse.eclemma.feature/p2.inf#L17-L19
• configure.logback.classic/2.6.1.20240411-1743 ✔
• This is just p2 metadata from the m2e project:
  • https://github.com/eclipse-m2e/m2e-core/blob/13c4a91529f9317399bfcb2a84392f1497d71677/org.eclipse.m2e.logback.feature/p2.inf#L8-L9
• jakarta.el/4.0.0.v20210105-0527 → jakarta.el-api/4.0.0 | jakarta.el-api/5.0.1
• [4.0.0.v20210105-0527] - org.eclipse.jst.web_core.feature.feature.group /3.34.0.v202405180419 - Web Tools Platform
• jakarta.servlet/5.0.0.v20210105-0527 → jakarta.servlet-api/5.0.0 → jakarta.servlet-api/6.1.0
• [5.0.0.v20210105-0527] - org.eclipse.jst.web_core.feature.feature.group /3.34.0.v202405180419 - Web Tools Platform
• 5.0.0 - org.eclipse.jst.standard.schemas /1.2.700.v202402030235 - Web Tools Platform
• jakarta.servlet.jsp/3.0.0.v20210105-0527 → jakarta.servlet.jsp-api/3.1.1
• [3.0.0.v20210105-0527] - org.eclipse.jst.web_core.feature.feature.group /3.34.0.v202405180419 - Web Tools Platform
• jakarta.xml.bind/2.3.3.v20201118-1818 → jakarta.xml.bind-api/4.0.2
• [2.3.3.v20201118-1818] - org.eclipse.jst.ws.cxf.feature.feature.group /1.1.1200.v202311232240 - Web Tools Platform
• [2.3.3.v20201118-1818] - org.eclipse.jst.ws.jaxws.feature.feature.group /1.2.1000.v202311280000 - Web Tools Platform
• javax.activation/1.1.0.v201211130549 → jakarta.activation-api/1.2.2
• [1.1.0,1.2.0) - javax.mail /1.4.0.v201005080615 - 3rd Party
• javax.activation/1.2.2.v20221203-1659 → jakarta.activation-api/1.2.2
• 1.0.0 - jakarta.xml.bind /2.3.3.v20201118-1818 - 3rd Party
• javax.annotation/1.3.5.v20200909-1856 → jakarta.annotation-api/1.3.5
• [1.3.5,2.0.0) - org.eclipse.papyrus.infra.ui.fonts /2.0.0.202406051429 - Papyrus
• javax.jws/2.0.0.v201005080400 → jakarta.jws-api/2.1.0
• [2.0.0.v201005080400] - org.eclipse.jst.ws.cxf.feature.feature.group /1.1.1200.v202311232240 - Web Tools Platform
• [2.0.0.v201005080400] - org.eclipse.jst.ws.jaxws.feature.feature.group /1.2.1000.v202311280000 - Web Tools Platform
• [2.0.0,2.1.0) - org.eclipse.jst.ws.cxf.core /1.2.0.v202308010145 - Web Tools Platform
• [2.0.0,2.1.0) - org.eclipse.jst.ws.cxf.creation.core /1.2.0.v202311232240 - Web Tools Platform
• [2.0.0,2.1.0) - org.eclipse.jst.ws.cxf.creation.ui /1.1.0.v202308010145 - Web Tools Platform
• javax.mail/1.4.0.v201005080615 → jakarta.mail-api/1.6.7
• 0.0.0 - org.eclipse.wst.ws_core.feature.feature.group /3.31.0.v202308021509 - Web Tools Platform
• javax.persistence/2.2.1.v201807122140 → jakarta.persistence-api/2.2.3
• [2.2.1.v201807122140] - org.eclipse.jpt.jpa.feature.feature.group /3.8.0.v202405180120 - Web Tools Platform
• javax.wsdl/1.6.2.v201012040545 → javax.wsdl/1.6.3.v20230730-0710
• [1.6.2.v201012040545] - org.eclipse.jst.ws.cxf.feature.feature.group /1.1.1200.v202311232240 - Web Tools Platform
• [1.6.2.v201012040545] - org.eclipse.jst.ws.jaxws.feature.feature.group /1.2.1000.v202311280000 - Web Tools Platform
• javax.xml/1.3.4.v201005080400 🚫 available in the JDK
• javax.xml.rpc/1.1.0.v201209140446 → javax.xml.rpc-api/1.1.4
• 0.0.0 - org.eclipse.wst.ws_core.feature.feature.group /3.31.0.v202308021509 - Web Tools Platform
• [1.1.0,2.0.0) - org.eclipse.wst.ws.explorer /1.1.2.v202308010145 - Web Tools Platform
• javax.xml.soap/1.2.0.v201005080501 → jakarta.xml.soap-api/1.4.2
• [1.2.0,1.3.0) - org.eclipse.wst.ws_core.feature.feature.group /3.31.0.v202308021509 - Web Tools Platform
• javax.xml.stream/1.0.1.v201004272200 🚫 available in the JDK
• [1.0.1.v201004272200] - org.eclipse.jst.ws.cxf.feature.feature.group /1.1.1200.v202311232240 - Web Tools Platform
• [1.0.1.v201004272200] - org.eclipse.jst.ws.jaxws.feature.feature.group /1.2.1000.v202311280000 - Web Tools Platform
• javax.xml.ws/2.1.0.v200902101523 → jakarta.xml.ws-api/2.3.3
• [2.1.0.v200902101523] - org.eclipse.jst.ws.cxf.feature.feature.group /1.1.1200.v202311232240 - Web Tools Platform
• [2.1.0.v200902101523] - org.eclipse.jst.ws.jaxws.feature.feature.group /1.2.1000.v202311280000 - Web Tools Platform
• org.apache.bcel/5.2.0.v201005080400 → org.apache.xalan/2.7.2.v20230928-1302
• 0.0.0 - org.eclipse.wst.xsl.feature.feature.group /1.3.1600.v202405130119 - Web Tools Platform
• org.apache.commons.codec/1.14.0.v20221112-0806 → org.apache.commons.commons-codec/1.17.0
• 0.0.0 - org.eclipse.wst.ws_core.feature.feature.group /3.31.0.v202308021509 - Web Tools Platform
• [1.3.0,2.0.0) - org.eclipse.birt.chart.device.extension /4.12.0.v202211281949 - BIRT
• [1.3.0,2.0.0) - org.eclipse.birt.chart.device.swt /4.12.0.v202211281949 - BIRT
• [1.2.0,2.0.0) - org.eclipse.wst.ws.explorer /1.1.2.v202308010145 - Web Tools Platform
• [1.2.0,2.0.0) - org.eclipse.wst.ws.parser /1.1.0.v202308012257 - Web Tools Platform
• [1.2.0,2.0.0) - org.eclipse.wst.wsi /1.1.501.v202308010145 - Web Tools Platform
• PRs:
  • Use commons-codec and commons-logging eclipse-webservices/webservices#4
  • https://github.com/eclipse-sourceediting/sourceediting/pull/11u
  • Use commons-logging eclipse-servertools/servertools#8
• org.apache.commons.collections/3.2.2.v201511171945 → org.apache.commons.collections/3.2.2
• [3.2.2.v201511171945] - org.eclipse.jpt.jpa.feature.feature.group /3.8.0.v202405180120 - Web Tools Platform
• org.apache.commons.io/2.8.0.v20210415-0900 → org.apache.commons.commons-io/2.16.1
• [2.6.0,3.0.0) - org.eclipse.papyrus.infra.tools /4.2.0.202406051429 - Papyrus
• 0.0.0 - org.eclipse.php.composer.ui /8.2.0.202311292129 - PDT
• 0.0.0 - org.eclipse.php.phpunit /8.2.0.202311292129 - PDT
• PRs:
  • Import the org.apache.commons.logging/io package instead of the bundle  eclipse-pdt/pdt#280
• Appears to come from https://download.eclipse.org/mylyn/updates/release/4.3.0
• org.apache.commons.jxpath/1.3.0.v200911051830 → org.apache.commons.jxpath/1.3.0
• Orbit provides this direct-from-maven version which is used by the Plaform:
  • https://repo1.maven.org/maven2/commons-jxpath/commons-jxpath/1.3/
• Unfortunately Modisco has this feature include from an old Orbit repository
  • [1.3.0.v200911051830] - org.eclipse.modisco.infrastructure.feature.feature.group /1.5.4.v20240304-1105
  • https://git.eclipse.org/r/c/modisco/org.eclipse.modisco/+/207294
• Must explicitly exclude the old version from e(fx)
  • Exclude org.apache.commons.jxpath/1.3.0.v200911051830 from gef.aggrcon #444
• org.apache.commons.lang/2.6.0.v201404270220 → org.apache.commons.lang/2.6.0
• [2.6.0.v201404270220] - org.eclipse.jpt.jpa.feature.feature.group /3.8.0.v202405180120 - Web Tools Platform
• org.apache.commons.logging/1.2.0.v20180409-1502 → org.apache.commons.logging/1.2.0 | org.apache.commons.commons-logging/1.3.3
• [1.2.0,2.0.0) - org.eclipse.ecf.remoteservice.rest.feature.feature.group /1.0.303.v20240405-1603 - ECF
• [1.2.0.v20180409-1502] - org.eclipse.net4j.util.feature.group /4.23.0.v20240605-1049 - EMF CDO
• 1.0.4 - org.eclipse.wst.ws_core.feature.feature.group /3.31.0.v202308021509 - Web Tools Platform
• 1.0.4 - org.eclipse.wst.xsl.feature.feature.group /1.3.1600.v202405130119 - Web Tools Platform
• 1.0.4 - org.eclipse.epp.mpc.core /1.10.3.v20240221-1216 - EPP Marketplace Client
• 0.0.0 - org.eclipse.php.composer.api /8.2.0.202311292129 - PDT
• 0.0.0 - org.eclipse.php.composer.core /8.2.0.202311292129 - PDT
  -[1.0.4,2.0.0) - org.eclipse.wst.server.preview /1.3.0.v202311130434 - Web Tools Platform
• 0.0.0 - org.eclipse.wst.wsi /1.1.501.v202308010145 - Web Tools Platform
  -1.0.4 - org.eclipse.wst.xsl.jaxp.debug /1.1.100.v202202230212 - Web Tools Platform
• PRs:
  • Use commons-codec and commons-logging eclipse-webservices/webservices#4
  • Use commons-logging eclipse-sourceediting/sourceediting#11
  • Use commons-logging eclipse-servertools/servertools#8
• org.apache.commons.net/3.2.0.v201305141515 → org.apache.commons.commons-net/3.11.1
• [3.2.0.v201305141515] - org.eclipse.rse.ftp.feature.group /4.5.600.202401151828 - TM: RSE
• 2.0.0 - org.eclipse.rse.ftp.feature.group /4.5.600.202401151828 - TM: RSE
• [3.2.0.v201305141515] - org.eclipse.rse.telnet.feature.group /4.5.600.202401151828 - TM: RSE
• [1.4.1,4.0.0) - org.eclipse.rse.connectorservice.telnet /4.5.600.202401151652 - TM: RSE
• [1.4.1,4.0.0) - org.eclipse.rse.services.files.ftp /4.5.600.202401151652 - TM: RSE
• [2.0.0,4.0.0) - org.eclipse.rse.services.telnet /4.5.600.202401151652 - TM: RSE
• [1.4.1,4.0.0) - org.eclipse.rse.subsystems.files.ftp /4.5.600.202401151652 - TM: RSE
• PR:
  • https://git.eclipse.org/c/tm/org.eclipse.tm.git/commit/?id=4c983325f3d0b75f9afd32a250ec0946ea79a5ef
• org.apache.httpcomponents.httpcore/4.4.16.v20221207-1049 → org.apache.httpcomponents.httpcore/4.4.16
• Appears to come from https://download.eclipse.org/mylyn/updates/release/4.3.0
• https://github.com/eclipse-simrel/simrel.build/pull/446/files
• org.apache.xml.serializer/2.7.1.v201005080400 → org.apache.xml.serializer/2.7.2.v20230928-1302
• [2.7.1.v201005080400] - org.eclipse.wst.xml_core.feature.feature.group /3.34.0.v202405130132 - Web Tools Platform
• 0.0.0 - org.eclipse.wst.xsl.feature.feature.group /1.3.1600.v202405130119 - Web Tools Platform
• [2.7.0,2.8.0) - org.eclipse.wst.xsl.xalan /1.1.100.v202301080401 - Web Tools Platform
• org.eclipse.m2e.maven.runtime/3.9.700.20240602-2313 ✔
• This is produced and actively maintained by m2e:
  • https://github.com/eclipse-m2e/m2e-core/tree/13c4a91529f9317399bfcb2a84392f1497d71677/org.eclipse.m2e.maven.runtime
• org.glassfish.hk2.osgi-resource-locator/2.5.0.v20161103-1916 → org.glassfish.hk2.osgi-resource-locator/1.0.3
• The 1.0.3 version in Orbit is actually newer than the 2.5.0.x version:
  • Use org.glassfish.hk2.osgi-resource-locator from latest Orbit eclipse-mylyn/org.eclipse.mylyn#569
  • https://repo1.maven.org/maven2/org/glassfish/hk2/osgi-resource-locator/
• org.gradle.toolingapi/8.1.1.v20240115-1636 ✔
• This appears to be based on checked-in jars located here:
  • https://github.com/eclipse/buildship/tree/master/org.gradle.toolingapi
• This is probably fine because buildship can update this, though I've asked about that.
  • Redistributing org.gradle.toolingapi eclipse/buildship#1308
• org.h2/1.3.168.v201212121212
• [1.3.168.v201212121212] - org.eclipse.net4j.db.h2.feature.group /4.5.5.v20240605-1049 - EMF CDO
• Potential replacement available as OSGi bundle:
  • https://repo1.maven.org/maven2/com/h2database/h2/
• org.jboss.tools.maven.jaxrs/1.6.1.20231024-1618 ✔
• This is merely content metadata with no corresponding artifact contributed by m2e-wtp.
• org.jboss.tools.maven.jpa/1.6.1.20231024-1618 ✔
• This is merely content metadata with no corresponding artifact contributed by m2e-wtp.
• org.jboss.tools.maven.jsf/1.6.1.20231024-1618 ✔
• This is merely content metadata with no corresponding artifact contributed by m2e-wtp.
• org.jivesoftware.smack/3.4.0.v20231021-2050 ✔
• This is project content from ECF:
  • https://github.com/eclipse/ecf/tree/master/protocols/bundles/org.jivesoftware.smack
• org.maven.ide.eclipse.wtp/1.6.1.20231024-1618 ✔
• This is merely content metadata with no corresponding artifact contributed by m2e-wtp.
• org.mozilla.javascript/1.7.10.v20190430-1943 → org.mozilla.rhino/1.7.15
• [1.7.10.v20190430-1943] - org.eclipse.wst.jsdt.feature.feature.group /2.4.500.v202307190318 - Web Tools Platform
• 1.7.4 - org.eclipse.birt.core /4.12.0.v202211281949 - BIRT
• 1.7.5 - org.eclipse.wst.jsdt.debug.rhino.debugger /1.1.0.v202307190318 - Web Tools Platform
• Update to org.eclipse.wst.jsdt.debug.rhino.debugger /1.1.0.v202307190318 blocked by this issue:
  • Migrate to newer Closure Compiler version eclipse-jsdt/webtools.jsdt#2
• Update needed for org.eclipse.birt.core /4.12.0.v202211281949 which is contributed by MAT

---

The above list was produced by adding validation repositories to both validation sets in simrel.aggr

and specifying to exclude all IUs available from a validation repository:

With this approach, the analysis editors view shows only the subset of 3rd party libraries that do not come from the restructured Orbit aggregation:

[HannesWell]

• org.eclipse.m2e.maven.runtime/3.9.700.20240602-2313

This is produced and actively maintained by m2e:
https://github.com/eclipse-m2e/m2e-core/tree/13c4a91529f9317399bfcb2a84392f1497d71677/org.eclipse.m2e.maven.runtime

• org.apache.commons.jxpath/1.3.0.v200911051830

In Eclipse-Platform this is used to process XPath expressions in E4 contributions. A while ago I looked into using the XPath supported provided by the JDK but didn't succeed yet. If there are no other users I could try to complete that work so we can get rid of that dependency in platform.

[merks]

In Eclipse-Platform this is used to process XPath expressions in E4 contributions. A while ago I looked into using the XPath supported provided by the JDK but didn't succeed yet. If there are no other users I could try to complete that work so we can get rid of that dependency in platform.

The problem here (and in a small number of cases) is that the version in the Orbit aggregation is smaller than the older version. In this case 1.3.0 versus 1.3.0.v200911051830.

As I hunt down these various cases, it's increasing frustrating the extent to which folks just keep pointing at older Orbit repositories sometimes for no apparent reason. And even if there is a reason, i.e., something is needed but is missing, that issue is never raised so of course never addressed.

[ewillink]

org.apache.commons.jxpath/1.3.0.v200911051830 → org.apache.commons.jxpath/1.3.0
Orbit provides this direct-from-maven version which is used by the Plaform:

https://repo1.maven.org/maven2/commons-jxpath/commons-jxpath/1.3/

Unfortunately Modisco has this feature include from an old Orbit repository

[1.3.0.v200911051830] - org.eclipse.modisco.infrastructure.feature.feature.group /1.5.4.v20240304-1105
https://git.eclipse.org/r/c/modisco/org.eclipse.modisco/+/207294

https://bugs.eclipse.org/bugs/show_bug.cgi?id=583467 raised. It seems that MoDisco should never have redistributed org.apache.commons.jxpath.

I can contribute MoDisco 1.5.5M1 to SimRel and so eliminate the redistributed org.apache.commons.jxpath once Jenkins gets some TLC. So far I have had 3 JustJ jobs fail with read timeout, 2 UI Gateway timeouts and jobs running at half speed.

[merks]

... once Jenkins gets some TLC. So far I have had 3 JustJ jobs fail with read timeout, 2 UI Gateway timeouts and jobs running at half speed.

Thanks. That's great. Yes, the ci instances seem to be very slow to respond today. I had to be quite patient getting the Orbit milestones built.

[bhufmann]

Please note that the Eclipse EASE project is depending on org.mozilla.javascript/1.7.10.v20190430-1943. Right now the dependency is pulled in from an older orbit version. However, the EASE project is not part of the simrel release. I don't know about the plans of the EASE project for this update. I just wanted to mention it.

https://gitlab.eclipse.org/eclipse/ease/ease/-/blob/main/releng/org.eclipse.ease.releng.target/org.eclipse.ease.releng.target.target?ref_type=heads#L28

[merks]

I think it's often tricky to find a replacement/updated version in a newer orbit update site because the bundle name has changed. That's the case for libraries that are available as OSGi bundles in Maven Central which are now consumed as-is rather than being rebundled by Orbit. as was done in the past.

Here is a good technique for that. In the Repository Explorer, switch to Export Mode and choose to view java.package capabilities.

Search for any package:

Double click the package to see the IU details and from that you can see which bundle provides that package:

If folks think something is missing, they should ask about it here:

https://github.com/orgs/eclipse-orbit/discussions

[avandorp]

SimRel 2024-09 M1 and M2 seem to suffer from incompatible versions of apache commons logging. I've filed bug eclipse-orbit/orbit-simrel#40 . Is this an issue that belongs here (I see some MRs regarding apache commons logging)?