Hi,

Currently Stratos components do not properly import/export packages to/from OSGi bundles. This might lead to unexpected behaviors in an OSGi runtime. Also dependency versions in pom files are currently hard-coded which is less maintainable. I've done a refactoring of all pom files to fix the above issues.

Following is a summary of changes done;
- Removed hard-coded maven dependency versions and moved everything to parent pom
- Parameterized dependency versions with maven properties
- Added OSGi import ranges for external dependencies which are set from parent pom as a maven property
- Added OSGi import version for Stratos internal dependencies as project.version. This will ensure only intended component will always
- Upgraded commons-collections dependency to version 3.2.2 to mitigate the security vulnerability as reported in [1]

While working on this I found several issues in the code base. I've summarized the issues and fixes done below.

- Incorrect import of Arrays class in [2]
  Changed the import to java.util.Arrays
- CloudController imports a private package of StratosCommon component [3]
  Changed the import to CC's service holder class
- Incorrect dependency to org.wso2.carbon.identity.oauth.stub component at [4,5] resulting in unrunnable code at [6, 7]
  This is because actual identity.oauth.stub bundle version packed into the distribution is 4.2.3 and the dependency version defined in the Stratos component is 4.2.0. Changed the dependency version to 4.2.3 and updated code to be compatible with newer version.
- Metadata service webapp imports a private package of StratosCommon component [8]
- Stratos rest endpoint webapp imports a private package of StratosManager component [9]
  Removed the private package import and used PrivilegedCarbonContext->getOSGiService method in the Carbon kernel to retrieve the ComponentStartUpSynchronizer OSGi service.
- Unnecessary Activator class in Autoscaler component [10].
  Removed the class and reference in maven-bundle-plugin Bundle-Activator directive.
- Embedded dependencies are not added as maven dependencies in the pom for fabric8/kubernetes-api [11]
  Added all relevant maven dependencies to the parent pom (with versions) and sub-module (without versions).

Created a JIRA [12] to track these changes.
Following is a list of jars that were changed/upgraded as part of this effort;

Old version -> New version
commons-collections-3.2.1.jar -> commons-collections-3.2.2.wso2v1.jar
commons-lang-2.6.jar -> commons-lang-2.6.0.wso2v1.jar
cxf-bundle-2.7.6.jar -> cxf-bundle-2.7.7.jar
httpasyncclient-4.0-beta3.jar -> httpasyncclient-4.0.jar
httpclient-4.2.5.jar -> httpclient-4.5.1.jar
httpcore-4.2.4.jar -> httpcore-4.4.4.jar
javax.ws.rs-api-2.0-m10.jar -> javax.ws.rs-api-2.0.1.jar
neethi-3.0.2.jar -> neethi-2.0.4.wso2v4.jar
wsdl4j-1.6.3.jar -> wsdl4j-1.6.2.wso2v4.jar
xmlschema-core-2.0.3.jar -> xmlschema-core-2.2.1.jar
slf4j.api_1.6.4.jar -> slf4j.api_1.7.6.jar
slf4j.log4j12_1.6.4.jar -> slf4j.log4j12_1.7.5.jar

Following jars were added

commons-collections_3.2.2.wso2v1.jar
org.apache.commons.configuration_1.9.0.jar
org.apache.httpcomponents.httpclient_4.5.1.jar
org.apache.httpcomponents.httpcore_4.4.4.jar
org.mvel2_2.1.3.Final.jar

[1] https://issues.apache.org/jira/browse/COLLECTIONS-580
[2] https://github.com/apache/stratos/blob/4.1.4/components/org.apache.stratos.autoscaler/src/main/java/org/apache/stratos/autoscaler/algorithms/networkpartition/AllAtOnceAlgorithm.java#L21
[3] https://github.com/apache/stratos/blob/4.1.4/components/org.apache.stratos.cloud.controller/src/main/java/org/apache/stratos/cloud/controller/registry/RegistryManager.java#L26
[4] https://github.com/apache/stratos/blob/4.1.4/components/org.apache.stratos.metadata.service/pom.xml#L99
[5] https://github.com/apache/stratos/blob/4.1.4/components/org.apache.stratos.rest.endpoint/pom.xml#L101
[6] https://github.com/apache/stratos/blob/4.1.4/components/org.apache.stratos.metadata.service/src/main/java/org/apache/stratos/metadata/service/oauth2/ValidationServiceClient.java#L54
[7] https://github.com/apache/stratos/blob/4.1.4/components/org.apache.stratos.rest.endpoint/src/main/java/org/apache/stratos/rest/endpoint/oauth2/ValidationServiceClient.java#L53
[8] https://github.com/apache/stratos/blob/4.1.4/components/org.apache.stratos.metadata.service/src/main/java/org/apache/stratos/metadata/service/registry/MetadataApiRegistry.java#L253
[9] https://github.com/apache/stratos/blob/4.1.4/components/org.apache.stratos.rest.endpoint/src/main/java/org/apache/stratos/rest/endpoint/handlers/ComponentSynchronizerHandler.java#L28
[10] https://github.com/apache/stratos/blob/4.1.4/components/org.apache.stratos.autoscaler/src/main/java/org/apache/stratos/autoscaler/internal/ASBundleActivater.java
[11] https://github.com/apache/stratos/blob/4.1.4/dependencies/fabric8/kubernetes-api/pom.xml#L153
[12] https://issues.apache.org/jira/browse/STRATOS-1623

Thanks.

--
Akila Ravihansa Perera
WSO2 Inc.; http://wso2.com/
Blog: http://ravihansa3000.blogspot.com
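
An added example, not part of the original message or the Stratos code base: a small Python check for two of the conditions the refactoring above removes from module poms, a dependency with a literal version and an Import-Package clause with no version. The sample pom, its property name and the function name audit_module_pom are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed module pom, not a Stratos file; the property name is hypothetical.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId><version>3.2.1</version></dependency>
    <dependency><groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId></dependency>
  </dependencies>
  <build><plugins><plugin>
    <artifactId>maven-bundle-plugin</artifactId>
    <configuration><instructions><Import-Package>
      org.apache.commons.collections.*,
      org.apache.http.*;version="${httpclient.osgi.import.range}",
      org.apache.stratos.common.*;version="${project.version}",
      org.slf4j.*;version="[1.7,2)",
      *;resolution:=optional
    </Import-Package></instructions></configuration>
  </plugin></plugins></build>
</project>"""


def audit_module_pom(pom_xml):
    """Return (dependencies with literal versions, imports with no version)."""
    root = ET.fromstring(pom_xml)
    hard_coded = []
    # Only the module's own <dependencies>; versions belong in the parent pom.
    for dep in root.findall("m:dependencies/m:dependency", NS):
        version = dep.findtext("m:version", default="", namespaces=NS).strip()
        if version and not version.startswith("${"):
            hard_coded.append((dep.findtext("m:artifactId", namespaces=NS), version))
    unversioned = []
    for node in root.iter("{%s}Import-Package" % NS["m"]):
        # Split on commas outside quotes: a range such as "[1.7,2)" contains one.
        for clause in re.findall(r'(?:[^,"]|"[^"]*")+', node.text or ""):
            clause = clause.strip()
            package = clause.split(";")[0].strip()
            if clause and package != "*" and "version=" not in clause:
                unversioned.append(package)
    return hard_coded, unversioned


if __name__ == "__main__":
    print(audit_module_pom(SAMPLE_POM))
```
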