[
https://issues.apache.org/jira/browse/THRIFT-5375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17391553#comment-17391553
]
Eric Colinet edited comment on THRIFT-5375 at 8/2/21, 12:31 PM:
----------------------------------------------------------------
Thanks for your help.
But we are using Gradle (with the Kotlin DSL) and I didn't find a way to exclude
the dependency.
When I try that on a project built from scratch, it works:
{code:java}
// Kotlin DSL: exclude() takes named group/module arguments; a single
// "group:module" string would be read as the group name and match nothing
implementation("org.apache.thrift:libthrift:0.14.2") {
    exclude(group = "org.apache.tomcat.embed", module = "tomcat-embed-core")
}{code}
But when it is used as a dependency of a dependency I didn't manage to get it
excluded.
Here is the dependency graph:
{noformat}
our-lib
| +--- io.jaegertracing:jaeger-client:1.6.0
| | +--- io.jaegertracing:jaeger-thrift:1.6.0
| | | +--- io.jaegertracing:jaeger-core:1.6.0
| | | | +--- io.opentracing:opentracing-api:0.33.0
| | | | +--- io.opentracing:opentracing-util:0.33.0 (*)
| | | | +--- com.google.code.gson:gson:2.8.6
| | | | \--- org.slf4j:slf4j-api:1.7.28 -> 1.7.32
| | | +--- org.slf4j:slf4j-api:1.7.28 -> 1.7.32
| | | +--- org.apache.thrift:libthrift:0.14.1 -> 0.14.2
| | | | +--- org.slf4j:slf4j-api:1.7.28 -> 1.7.32
| | | | +--- org.apache.tomcat.embed:tomcat-embed-core:8.5.46
| | | | | \--- org.apache.tomcat:tomcat-annotations-api:8.5.46
| | | | \--- javax.annotation:javax.annotation-api:1.3.2
| | | \--- com.squareup.okhttp3:okhttp:4.9.0
| | | +--- com.squareup.okio:okio:2.8.0 -> 2.10.0
| | | | +--- org.jetbrains.kotlin:kotlin-stdlib:1.4.20 -> 1.5.21 (*)
| | | | \--- org.jetbrains.kotlin:kotlin-stdlib-common:1.4.20 -> 1.5.21
| | | \--- org.jetbrains.kotlin:kotlin-stdlib:1.4.10 -> 1.5.21 (*)
| | +--- io.jaegertracing:jaeger-core:1.6.0 (*)
| | \--- io.jaegertracing:jaeger-tracerresolver:1.6.0
| | +--- io.jaegertracing:jaeger-core:1.6.0 (*)
| | \--- io.opentracing.contrib:opentracing-tracerresolver:0.1.8
| | \--- io.opentracing:opentracing-api:0.33.0{noformat}
The fun fact here is that we are able to ask for a newer version of
tomcat-embed (by implementing it directly), but since we are producing a WAR
that we will deploy on ... Tomcat, we are not really confident in the result.
So for now we stick to the vulnerable 0.13.0 version of libthrift.
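Two ways to make the exclusion bite along the transitive path, plus a build-time check that the artifact stays gone, as an added example that is not part of the comment above or of the Thrift project. It assumes a Gradle Kotlin DSL build (Gradle 7.x) using the java-library plugin, with jaeger-client as the direct dependency shown in the graph above; the task name checkNoTomcatEmbed is a name chosen here. An exclude placed on the direct dependency applies to everything reached through that edge, so it removes libthrift's tomcat-embed-core two levels down; the configurations.all form removes it no matter which path brings it in.

```kotlin
// build.gradle.kts (added example, assumes Gradle 7.x Kotlin DSL and the
// dependency graph from the comment above)
plugins {
    `java-library`
}

repositories {
    mavenCentral()
}

dependencies {
    // Exclusion on the direct edge: applies to the whole subtree reached via
    // jaeger-client, including libthrift -> tomcat-embed-core.
    implementation("io.jaegertracing:jaeger-client:1.6.0") {
        exclude(group = "org.apache.tomcat.embed", module = "tomcat-embed-core")
    }
}

// Configuration-wide exclusion: catches every path into tomcat-embed-core,
// including ones added later by other dependencies.
configurations.all {
    exclude(group = "org.apache.tomcat.embed", module = "tomcat-embed-core")
}

// Fail the build if any org.apache.tomcat.embed artifact is resolved on the
// runtime classpath again, e.g. after a future dependency bump.
// (checkNoTomcatEmbed is a hypothetical task name chosen for this example.)
val checkNoTomcatEmbed by tasks.registering {
    doLast {
        val offenders = configurations.runtimeClasspath.get()
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group == "org.apache.tomcat.embed" }
        check(offenders.isEmpty()) {
            "tomcat-embed artifacts found on runtimeClasspath: $offenders"
        }
    }
}

tasks.named("check") {
    dependsOn(checkNoTomcatEmbed)
}
```

To confirm the result by eye, run `./gradlew dependencies --configuration runtimeClasspath` and look for tomcat-embed-core in the tree; `./gradlew check` then enforces it. One caveat for the WAR case: if the application itself uses org.apache.thrift.server.TServlet (which extends javax.servlet.http.HttpServlet), the servlet API still has to be available at runtime; in a WAR deployed to Tomcat that comes from the container, so it belongs in compileOnly rather than being pulled in through tomcat-embed-core.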
> Put org.apache.tomcat.embed:tomcat-embed-core into scope test
> -------------------------------------------------------------
>
> Key: THRIFT-5375
> URL: https://issues.apache.org/jira/browse/THRIFT-5375
> Project: Thrift
> Issue Type: Improvement
> Components: Java - Library
> Affects Versions: 0.14.0, 0.14.1
> Reporter: Andy Seaborne
> Assignee: Andy Seaborne
> Priority: Major
> Fix For: 0.15.0
>
>
> 0.14.0 adds org.apache.tomcat.embed:tomcat-embed-core as a dependency with
> scope=compile. It becomes a dependency of systems using libthrift (Java).
> It includes its own Tomcat-specific javax.servlet, causing a conflict with
> javax.servlet:javax.servlet-api:jar:3.1.0. It gets included in combined jars
> that use Jetty.
> It causes tomcat-embedded to be in downstream systems that produce combined jars
> and Docker images.
> The dependency was added by THRIFT-4949.
> The use of this seems to be specific to
> lib/java/test/org/apache/thrift/test/TestTServletServer.java and is not
> necessary at runtime.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)