Yifan, I created a ticket to track this finding: https://issues.apache.org/jira/browse/BEAM-8621 .
On Mon, Nov 11, 2019 at 5:08 PM Tomo Suzuki <[email protected]> wrote:

> Kenn,
>
> Thank you for the analysis. Although Guava was randomly picked up, it's
> great learning for me to learn how you analyzed other modules using Guava.
>
> On Mon, Nov 11, 2019 at 4:29 PM Kenneth Knowles <[email protected]> wrote:
>
>> BeamModulePlugin just contains lists of versions to ease coordination
>> across Beam modules, but mostly does not create dependencies. Most of
>> Beam's modules only depend on a few things there. For example Guava is not
>> a core dependency, but here is where it is actually depended upon:
>>
>> $ find . -name build.gradle | xargs grep library.java.guava
>> ./sdks/java/core/build.gradle: shadowTest library.java.guava_testlib
>> ./sdks/java/extensions/sql/jdbc/build.gradle: compile library.java.guava
>> ./sdks/java/io/google-cloud-platform/build.gradle: compile library.java.guava
>> ./sdks/java/io/kinesis/build.gradle: testCompile library.java.guava_testlib
>>
>> These results appear to be misleading. Grepping for 'import
>> com.google.common', I see this as the actual state of things:
>>
>> - GCP connector does not appear to actually depend on Guava in compile
>>   scope
>> - The Beam SQL JDBC driver does not appear to actually depend on Guava
>>   in compile scope
>> - The Dataflow Java worker does depend on Guava at compile scope but has
>>   incorrect dependencies (and it probably shouldn't)
>> - KinesisIO does depend on Guava at compile scope but has incorrect
>>   dependencies (Kinesis libs have Guava on API surface so it is OK here, but
>>   should be correctly declared)
>> - ZetaSQL translator does depend on Guava at compile scope but has
>>   incorrect dependencies (ZetaSQL has it on API surface so it is OK here, but
>>   should be correctly declared)
>>
>> We used to have an analysis that prevented this class of error.
>>
>> Once the errors are fixed, the guava_version is simply a version that we
>> have discovered that seems to work for both Kinesis and ZetaSQL, libraries
>> we do not control. Kinesis producer is built against 18.0. Kinesis client
>> against 26.0-jre. ZetaSQL against 26.0-android.
>>
>> (or maybe I messed up in my analysis)
>>
>> Kenn
>>
>> On Mon, Nov 11, 2019 at 12:07 PM Tomo Suzuki <[email protected]> wrote:
>>
>>> Chamikara and Yifan,
>>> Thank you for the responses! Looking forward to hearing the
>>> investigation result.
>>> In the meantime, I'll explore .test-infra/jenkins/dependency_check
>>> directory.
>
> --
> Regards,
> Tomo

--
Regards,
Tomo
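The declared-versus-imported comparison described in the quoted analysis, as an added example that is not part of the original thread or Beam's own tooling. The function names, the `build.gradle` plus `src/main` module layout and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find modules whose declared Guava dependency and actual
# Guava imports disagree. Layout (build.gradle + src/main) is an assumption.

# True if build.gradle declares library.java.guava in a non-test configuration
# (library.java.guava_testlib and test configurations do not count).
declares_guava() {
  grep -E '^[[:space:]]*[A-Za-z]+[[:space:]]+library\.java\.guava([^_A-Za-z0-9]|$)' \
    "$1/build.gradle" 2>/dev/null | grep -Evq '^[[:space:]]*(test|shadowTest)'
}

# True if any file under src/main imports com.google.common directly.
imports_guava() {
  [ -d "$1/src/main" ] &&
    grep -rqE '^import (static )?com\.google\.common\.' "$1/src/main"
}

# Prints ok | undeclared | unused | none for one module directory.
audit_module() {
  if imports_guava "$1"; then
    if declares_guava "$1"; then echo ok; else echo undeclared; fi
  else
    if declares_guava "$1"; then echo unused; else echo none; fi
  fi
}

# Prints "<verdict> <module>" for every mismatching module under a root.
audit_tree() {
  find "$1" -name build.gradle | sort | while read -r f; do
    m=$(dirname "$f")
    v=$(audit_module "$m")
    case "$v" in undeclared|unused) echo "$v ${m#"$1"/}" ;; esac
  done
}

# Constructed sample tree (not Beam's real files), one module per case.
make_sample_tree() {
  r=$(mktemp -d)
  for m in declared-only import-only consistent; do mkdir -p "$r/$m/src/main/java"; done
  echo '  compile library.java.guava' > "$r/declared-only/build.gradle"
  echo 'class A {}' > "$r/declared-only/src/main/java/A.java"
  echo '  testCompile library.java.guava_testlib' > "$r/import-only/build.gradle"
  echo 'import com.google.common.collect.ImmutableList;' > "$r/import-only/src/main/java/B.java"
  echo '  compile library.java.guava' > "$r/consistent/build.gradle"
  echo 'import com.google.common.base.Preconditions;' > "$r/consistent/src/main/java/C.java"
  echo "$r"
}

root=$(make_sample_tree); audit_tree "$root"; rm -rf "$root"
```

An `undeclared` verdict means the module compiles only because some other dependency happens to bring Guava in transitively, so the version it actually runs against is not the one the build file pins.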
