Guillaume Nodet created SLING-13220:
---------------------------------------
Summary: 13 projects have unenforced OSGi aggregate dependency ban due to enforcer 3.1.0 bug
Key: SLING-13220
URL: https://issues.apache.org/jira/browse/SLING-13220
Project: Sling
Issue Type: Bug
Reporter: Guillaume Nodet
The {{sling-bundle-parent}} defines an enforcer rule in the
{{ban-plugins-and-dependencies}} execution that bans OSGi aggregate
dependencies ({{org.osgi:osgi.core}} and {{org.osgi:osgi.cmpn}}):
{code:xml}
<bannedDependencies>
  <excludes>
    <exclude>org.osgi:osgi.core</exclude>
    <exclude>org.osgi:osgi.cmpn</exclude>
  </excludes>
  <message>Use the individual OSGi chapter dependencies instead of the aggregate ones.</message>
</bannedDependencies>
{code}
However, this rule has been *silently unenforced* for projects using
{{sling-bundle-parent:49}} or older, which inherit enforcer 3.1.0 (via
{{apache:27}}).
h3. Root Cause
In enforcer 3.1.0, {{BannedPlugins}} extends {{BannedDependencies}}. When the
{{<rules>}} element mixes {{<bannedPlugins>}} and {{<bannedDependencies>}}
elements (as the Sling parent does), the Plexus configurator cross-wires the
{{excludes}} configuration. The second {{<bannedDependencies>}} element (the
OSGi aggregate ban, Rule 4) silently gets its excludes dropped.
This was fixed in enforcer 3.2.1 where {{BannedPlugins}} was rewritten as an
independent class. The newer {{sling-bundle-parent:66}} inherits {{apache:37}}
which uses enforcer 3.6.2, and *correctly enforces all rules*. The enforcer
upgrade is correct behavior — it fixes a real bug that was silently hiding
violations.
h3. Affected Projects
The following 13 projects (all on {{sling-bundle-parent:49}}) declare
{{org.osgi:osgi.core}} or {{org.osgi:osgi.cmpn}} as direct dependencies in
violation of the Sling parent's own rule. These projects need to be fixed to
follow the rule:
* sling-org-apache-sling-commons-threaddump
* sling-org-apache-sling-distribution-core
* sling-org-apache-sling-distribution-journal
* sling-org-apache-sling-distribution-journal-messages
* sling-org-apache-sling-featureflags
* sling-org-apache-sling-graphql-core
* sling-org-apache-sling-hapi-client
* sling-org-apache-sling-installer-factory-deploymentpackage
* sling-org-apache-sling-installer-factory-feature
* sling-org-apache-sling-installer-factory-model
* sling-org-apache-sling-installer-factory-subsystems-base
* sling-org-apache-sling-karaf-integration-tests
* sling-org-apache-sling-pipes
Upgrading any of these projects to {{sling-bundle-parent:66}} (or any parent
using enforcer >= 3.2.1) will cause their builds to fail. The projects should
be fixed by replacing {{org.osgi:osgi.core}} / {{org.osgi:osgi.cmpn}} with the
individual OSGi chapter dependencies (e.g., {{org.osgi:org.osgi.framework}},
{{org.osgi:org.osgi.util.tracker}}, etc.) as the rule message recommends.
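Because enforcer 3.1.0 drops the excludes without any warning, a project on {{sling-bundle-parent:49}} has no build-time signal that it violates the rule. The script below is an added example (not code from Sling or from maven-enforcer-plugin) that applies the same two excludes from the {{ban-plugins-and-dependencies}} execution directly to a {{pom.xml}}, so the violation can be spotted before upgrading the parent. It only inspects the project's direct {{<dependencies>}} (the real rule also walks the transitive tree), and the two sample POMs and the {{example-bundle}} artifactId are constructed for illustration.

```python
"""Direct check for the OSGi aggregate-dependency ban, independent of the enforcer.

Added example, not code from Sling or the maven-enforcer-plugin. It applies the
same two excludes as the ban-plugins-and-dependencies execution in
sling-bundle-parent (org.osgi:osgi.core, org.osgi:osgi.cmpn) straight to a POM,
so a project on enforcer 3.1.0 can see the violation the plugin silently drops.
Only direct <dependencies> of the project are inspected; the real rule also
walks the transitive tree.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# The excludes and message from the sling-bundle-parent rule.
BANNED = {("org.osgi", "osgi.core"), ("org.osgi", "osgi.cmpn")}
MESSAGE = "Use the individual OSGi chapter dependencies instead of the aggregate ones."


def _namespace(root: ET.Element) -> str:
    """Return the XML namespace of the root element ('' if the POM omits xmlns)."""
    return root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""


def _child_text(el: ET.Element, ns: str, tag: str) -> str:
    child = el.find(f"{{{ns}}}{tag}" if ns else tag)
    return (child.text or "").strip() if child is not None else ""


def find_banned_dependencies(pom_xml: str) -> list[str]:
    """Return 'groupId:artifactId:scope' for every banned direct dependency in the POM text."""
    root = ET.fromstring(pom_xml)
    ns = _namespace(root)
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)
    hits = []
    # project/dependencies/dependency only: plugin or profile dependencies are not walked.
    for dep in root.findall(f"./{q('dependencies')}/{q('dependency')}"):
        group = _child_text(dep, ns, "groupId")
        artifact = _child_text(dep, ns, "artifactId")
        if (group, artifact) in BANNED:
            scope = _child_text(dep, ns, "scope") or "compile"
            hits.append(f"{group}:{artifact}:{scope}")
    return hits


def check_pom_file(path: Path) -> tuple[bool, str]:
    """Return (passed, report) for one pom.xml, phrased like an enforcer failure."""
    hits = find_banned_dependencies(path.read_text(encoding="utf-8"))
    if not hits:
        return True, f"{path}: OK"
    lines = [f"{path}: Found Banned Dependency: {h}" for h in hits]
    lines.append(MESSAGE)
    return False, "\n".join(lines)


# Constructed sample POMs (not taken from any Sling repository); the first mirrors
# the reproduction in this issue, the second uses individual chapter artifacts.
VIOLATING_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.apache.sling</groupId>
    <artifactId>sling-bundle-parent</artifactId>
    <version>49</version>
  </parent>
  <artifactId>example-bundle</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.osgi</groupId>
      <artifactId>osgi.core</artifactId>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>
"""

FIXED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>example-bundle</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.osgi</groupId>
      <artifactId>org.osgi.framework</artifactId>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.osgi</groupId>
      <artifactId>org.osgi.util.tracker</artifactId>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    # Usage: python check_osgi_ban.py path/to/pom.xml [more poms...]; no args runs the samples.
    if len(sys.argv) > 1:
        results = [check_pom_file(Path(p)) for p in sys.argv[1:]]
        for _, report in results:
            print(report)
        sys.exit(0 if all(ok for ok, _ in results) else 1)
    print("violating:", find_banned_dependencies(VIOLATING_POM))
    print("fixed:", find_banned_dependencies(FIXED_POM))
```

Run it against the {{pom.xml}} of each affected module (or over all 13 in one invocation) to get a non-zero exit code for any POM that still declares an aggregate artifact, which is the same result the build would produce once the module moves to a parent with enforcer >= 3.2.1.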
h3. Reproduction
{code:xml}
<!-- Using sling-bundle-parent:49 (enforcer 3.1.0 from apache:27) -->
<parent>
  <groupId>org.apache.sling</groupId>
  <artifactId>sling-bundle-parent</artifactId>
  <version>49</version>
</parent>
<dependencies>
  <dependency>
    <groupId>org.osgi</groupId>
    <artifactId>osgi.core</artifactId>
    <scope>provided</scope>
  </dependency>
</dependencies>
{code}
With {{sling-bundle-parent:49}} → {{BUILD SUCCESS}} (ban silently unenforced
due to enforcer 3.1.0 bug)
With {{sling-bundle-parent:66}} → {{BUILD FAILURE}} (ban correctly enforced
with enforcer 3.6.2)
_Claude Code on behalf of Guillaume Nodet_
--
This message was sent by Atlassian Jira
(v8.20.10#820010)