[
https://issues.apache.org/jira/browse/SLING-13220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18084381#comment-18084381
]
Carsten Ziegeler commented on SLING-13220:
------------------------------------------
I created PRs for all projects to update to the latest parent pom, except for
org-apache-sling-karaf-integration-tests. I am not sure if that one is still
active.
> 13 projects have unenforced OSGi aggregate dependency ban due to enforcer
> 3.1.0 bug
> -----------------------------------------------------------------------------------
>
> Key: SLING-13220
> URL: https://issues.apache.org/jira/browse/SLING-13220
> Project: Sling
> Issue Type: Bug
> Reporter: Guillaume Nodet
> Priority: Major
>
> The {{sling-bundle-parent}} defines an enforcer rule in the
> {{ban-plugins-and-dependencies}} execution that bans OSGi aggregate
> dependencies ({{org.osgi:osgi.core}} and {{org.osgi:osgi.cmpn}}):
> {code:xml}
> <bannedDependencies>
>   <excludes>
>     <exclude>org.osgi:osgi.core</exclude>
>     <exclude>org.osgi:osgi.cmpn</exclude>
>   </excludes>
>   <message>Use the individual OSGi chapter dependencies instead of the
>   aggregate ones.</message>
> </bannedDependencies>
> {code}
> However, this rule has been *silently unenforced* for projects using
> {{sling-bundle-parent:49}} or older versions that inherit enforcer 3.1.0 (via
> {{apache:27}}).
> h3. Root Cause
> In enforcer 3.1.0, {{BannedPlugins}} extends {{BannedDependencies}}. When the
> {{<rules>}} element mixes {{<bannedPlugins>}} and {{<bannedDependencies>}}
> elements (as the Sling parent does), the Plexus configurator cross-wires the
> {{excludes}} configuration. The second {{<bannedDependencies>}} element (the
> OSGi aggregate ban, Rule 4) silently gets its excludes dropped.
> This was fixed in enforcer 3.2.1 where {{BannedPlugins}} was rewritten as an
> independent class. The newer {{sling-bundle-parent:66}} inherits
> {{apache:37}} which uses enforcer 3.6.2, and *correctly enforces all rules*.
> The enforcer upgrade is correct behavior — it fixes a real bug that was
> silently hiding violations.
> h3. Affected Projects
> The following 13 projects (all on {{sling-bundle-parent:49}}) declare
> {{org.osgi:osgi.core}} or {{org.osgi:osgi.cmpn}} as direct dependencies in
> violation of the Sling parent's own rule. These projects need to be fixed to
> follow the rule:
> * sling-org-apache-sling-commons-threaddump
> * sling-org-apache-sling-distribution-core
> * sling-org-apache-sling-distribution-journal
> * sling-org-apache-sling-distribution-journal-messages
> * sling-org-apache-sling-featureflags
> * sling-org-apache-sling-graphql-core
> * sling-org-apache-sling-hapi-client
> * sling-org-apache-sling-installer-factory-deploymentpackage
> * sling-org-apache-sling-installer-factory-feature
> * sling-org-apache-sling-installer-factory-model
> * sling-org-apache-sling-installer-factory-subsystems-base
> * sling-org-apache-sling-karaf-integration-tests
> * sling-org-apache-sling-pipes
> Upgrading any of these projects to {{sling-bundle-parent:66}} (or any parent
> using enforcer >= 3.2.1) will cause their builds to fail. The projects should
> be fixed by replacing {{org.osgi:osgi.core}} / {{org.osgi:osgi.cmpn}} with
> the individual OSGi chapter dependencies (e.g.,
> {{org.osgi:org.osgi.framework}}, {{org.osgi:org.osgi.util.tracker}}, etc.) as
> the rule message recommends.
> h3. Reproduction
> {code:xml}
> <!-- Using sling-bundle-parent:49 (enforcer 3.1.0 from apache:27) -->
> <parent>
>   <groupId>org.apache.sling</groupId>
>   <artifactId>sling-bundle-parent</artifactId>
>   <version>49</version>
> </parent>
> <dependencies>
>   <dependency>
>     <groupId>org.osgi</groupId>
>     <artifactId>osgi.core</artifactId>
>     <scope>provided</scope>
>   </dependency>
> </dependencies>
> {code}
> With {{sling-bundle-parent:49}} → {{BUILD SUCCESS}} (ban silently unenforced
> due to enforcer 3.1.0 bug)
> With {{sling-bundle-parent:66}} → {{BUILD FAILURE}} (ban correctly enforced
> with enforcer 3.6.2)
> _Claude Code on behalf of Guillaume Nodet_
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
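Because the enforcer silently dropped the rule's excludes, a build had no independent signal that the ban was not being applied. The following is an added example, not code from the Sling project or the enforcer plugin: a small standalone checker that mirrors the two banned aggregate coordinates from the `ban-plugins-and-dependencies` rule and scans a pom's direct dependencies for them, so a CI step can catch a violation regardless of which enforcer version the parent pulls in. The sample poms are constructed from the issue's reproduction snippet; `_local`, `_child_text` and `banned_dependencies` are names chosen here.

```python
import xml.etree.ElementTree as ET

# Aggregate coordinates banned by the Sling parent's rule (from the issue).
BANNED = {"org.osgi:osgi.core", "org.osgi:osgi.cmpn"}


def _local(tag: str) -> str:
    """Strip the XML namespace so poms with or without xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> str:
    """Text of the first direct child named `name`, or "" if absent."""
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return ""


def banned_dependencies(pom_xml: str) -> list[str]:
    """groupId:artifactId of each direct <dependency> that hits the ban.
    Only <project>/<dependencies> is inspected (the declaration the issue says
    the affected projects must change); transitives are out of scope here."""
    root = ET.fromstring(pom_xml)
    hits: list[str] = []
    for deps in root:
        if _local(deps.tag) != "dependencies":
            continue
        for dep in deps:
            coord = f"{_child_text(dep, 'groupId')}:{_child_text(dep, 'artifactId')}"
            if _local(dep.tag) == "dependency" and coord in BANNED:
                hits.append(coord)
    return hits


# Constructed sample: the issue's reproduction dependency under a <project> root.
VIOLATING_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.osgi</groupId>
      <artifactId>osgi.core</artifactId>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample: the same pom after swapping in a chapter dependency.
FIXED_POM = VIOLATING_POM.replace("osgi.core", "org.osgi.framework")
```

Running `banned_dependencies` over the violating pom reports `org.osgi:osgi.core`, while the fixed pom reports nothing, which is the outcome the enforcer should have produced under 3.1.0 as well.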