The dependency management tool is back. See the latest report <https://builds.apache.org/job/beam_Dependency_Check/234/artifact/src/build/dependencyUpdates/beam-dependency-check-report.html> .
On Tue, Nov 12, 2019 at 9:51 AM Yifan Zou <[email protected]> wrote: > Thanks Tomo. I'll follow up in JIRA. > > On Tue, Nov 12, 2019 at 9:44 AM Tomo Suzuki <[email protected]> wrote: > >> Yifan, >> I created a ticket to track this finding: >> https://issues.apache.org/jira/browse/BEAM-8621 . >> >> >> On Mon, Nov 11, 2019 at 5:08 PM Tomo Suzuki <[email protected]> wrote: >> >>> Kenn, >>> >>> Thank you for the analysis. Although Guava was randomly picked up, it's >>> great learning for me to learn how you analyzed other modules using Guava. >>> >>> On Mon, Nov 11, 2019 at 4:29 PM Kenneth Knowles <[email protected]> wrote: >>> >>>> BeamModulePlugin just contains lists of versions to ease coordination >>>> across Beam modules, but mostly does not create dependencies. Most of >>>> Beam's modules only depend on a few things there. For example Guava is not >>>> a core dependency, but here is where it is actually depended upon: >>>> >>>> $ find . -name build.gradle | xargs grep library.java.guava >>>> ./sdks/java/core/build.gradle: shadowTest library.java.guava_testlib >>>> ./sdks/java/extensions/sql/jdbc/build.gradle: compile >>>> library.java.guava >>>> ./sdks/java/io/google-cloud-platform/build.gradle: compile >>>> library.java.guava >>>> ./sdks/java/io/kinesis/build.gradle: testCompile >>>> library.java.guava_testlib >>>> >>>> These results appear to be misleading. Grepping for 'import >>>> com.google.common', I see this as the actual state of things: >>>> >>>> - GCP connector does not appear to actually depend on Guava in compile >>>> scope >>>> - The Beam SQL JDBC driver does not appear to actually depend on Guava >>>> in compile scope >>>> - The Dataflow Java worker does depend on Guava at compile scope but >>>> has incorrect dependencies (and it probably shouldn't) >>>> - KinesisIO does depend on Guava at compile scope but has incorrect >>>> dependencies (Kinesis libs have Guava on API surface so it is OK here, but >>>> should be correctly declared) >>>> - ZetaSQL translator does depend on Guava at compile scope but has >>>> incorrect dependencies (ZetaSQL has it on API surface so it is OK here, but >>>> should be correctly declared) >>>> >>>> We used to have an analysis that prevented this class of error. >>>> >>>> Once the errors are fixed, the guava_version is simply a version that >>>> we have discovered that seems to work for both Kinesis and ZetaSQL, >>>> libraries we do not control. Kinesis producer is built against 18.0. >>>> Kinesis client against 26.0-jre. ZetaSQL against 26.0-android. >>>> >>>> (or maybe I messed up in my analysis) >>>> >>>> Kenn >>>> >>>> On Mon, Nov 11, 2019 at 12:07 PM Tomo Suzuki <[email protected]> >>>> wrote: >>>> >>>>> >>>>> Chamikara and Yifan, >>>>> Thank you for the responses! Looking forward to hearing the >>>>> investigation result. >>>>> In the meantime, I'll explore .test-infra/jenkins/dependency_check >>>>> directory. >>>>> >>>>> >>> >>> -- >>> Regards, >>> Tomo >>> >> >> >> -- >> Regards, >> Tomo >> >
