Geonetwork on Spring 6 codesprint June 2023

Participants

Jose
Francois
...

Agenda

Java 11 runtime tests
> Metrics is broken
Java 17 runtime tests
Spring 6 and hibernate 6

Java 11 runtime tests

Based on https://github.com/geonetwork/core-geonetwork/pull/6276, the application is starting up with:

mvn jetty:run
from the release build
from Intellij

Issues

Failed to startup in Intellij while using maven 3.8.1. Fixed with maven 3.8.7.

One runtime issue identified:

Metrics are failing http://localhost:8080/geonetwork/monitor/metrics?pretty=true

HTTP ERROR 500 java.lang.reflect.InaccessibleObjectException: Unable to make public long com.sun.management.internal.OperatingSystemImpl.getOpenFileDescriptorCount() accessible: module jdk.management does not "opens com.sun.management.internal" to unnamed module @4f7f59dd

Fixed by

--add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED

or we have to update or migrate to other library.

Conclusion

GeoNetwork on Java 11 looks to be usable.

Java 17 or 20 runtime tests

Issues on startup

Java package access

This type of issue is related to the fact that JDK17 does not provide illegal-access option and the default is like JDK11 --illegal-access=deny

java.lang

module java.base does not "opens java.lang" to unnamed module

fixed by

--add-opens java.base/java.lang=ALL-UNNAMED

javax.annotation

javax.annotation

Error creating bean with name 'translationPackBuilder' defined in file [classes/org/fao/geonet/api/tools/i18n/TranslationPackBuilder.class]: 
Post-processing of merged bean definition failed; nested exception is 
java.lang.NoSuchMethodError: 'java.lang.String javax.annotation.Resource.lookup()'

Moving to jakarta (as done by Spring 6.3+) eg. https://docs.openrewrite.org/recipes/java/migrate/jakarta/javaxannotationmigrationtojakartaannotation ?

Tested (do not update all classes - can be done by search/replace):

mvn -U org.openrewrite.maven:rewrite-maven-plugin:run   -Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-migrate-java:RELEASE   -Drewrite.activeRecipes=org.openrewrite.java.migrate.jakarta.JavaxAnnotationMigrationToJakartaAnnotation

org.codehaus.groovy.vmplugin.v7.Java7

From the release

java.lang.NoClassDefFoundError: Could not initialize class org.codehaus.groovy.vmplugin.v7.Java7

?

Conclusion

In order to run on Java 17+, Spring 6 migration is required (and Spring 6 requires Java 17 and Jakarta EE9).

So it probably means that GeoNetwork will then require (to be confirmed):

maven 3.8.7+
Java 17
Tomcat 10
Jetty 11

Spring 6 migration

Startup or build warning

[WARNING] The POM for com.sun.xml.bind:jaxb-impl:jar:2.2.11 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details

Security vulnerability

One goal is to also update libraries which have CRITICIAL vulnerabilities reported.

Check github security alerts
Trivy

Scan the application with trivy

cd core-geonetwork
docker pull aquasec/trivy:latest
  
docker run -v $PWD:/core-geonetwork aquasec/trivy fs --cache-dir /core-geonetwork/.trivycache/  --download-java-db-only
docker run -v $PWD:/core-geonetwork aquasec/trivy fs --cache-dir /core-geonetwork/.trivycache/  --download-db-only
docker run -v $PWD:/core-geonetwork aquasec/trivy \
  rootfs --cache-dir /core-geonetwork/.trivycache/ \
  --vuln-type library --skip-db-update --scanners vuln --severity CRITICAL \
  /core-geonetwork/web/target/geonetwork


# Scanning docker image
docker run -v $PWD:/core-geonetwork aquasec/trivy image --cache-dir /core-geonetwork/.trivycache/   --vuln-type library --skip-db-update --scanners vuln --severity HIGH,CRITICAL geonetwork:4.2.4