KAFKA-13518: Update gson dependency

[dongjinleekr]

Here is the fix. Since spotbugs 4.5.1 was released just 12 hours ago, it would take a little bit to be synched with maven central.

Committer Checklist (excluded from commit message)

• Verify design and implementation
• Verify test coverage and CI build status
• Verify documentation (including upgrade notes)

[showuon]

@dongjinleekr , thanks for the PR. But there's spotBugs 4.5.2. Could you upgrade to the latest one? Also, the PR title/description can't tell what's the relationship between spotBugs and gson, could you add explanation there? Thanks.

[showuon]

Also, there are build errors. Please fix them. Thanks.

[dongjinleekr]

Hi @showuon,

Here it is. I just updated the issue title more clearly and updated the spotbugs dependency into 4.5.2.

[showuon]

LGTM!

[showuon]

Please also help fix the build failure. Thanks.

[dongjinleekr]

@showuon Sorry for bothering you. Here is the update. There were some updates on spotbugs between 4.2.2 and 4.5.2 and some previously-unfound problems are now detected:

• In 4.3.0, spotbugs improved their detection logic for MS_EXPOSE_REP:

  MS_EXPOSE_REP and EI_EXPOSE_REP are now reported for code returning a reference to a mutable object indirectly (e.g. via a local variable)

• In 4.4.2, spotbugs fixed some false positives for DMI_RANDOM_USED_ONLY_ONCE and started to detect some unfound problems:

  DMI_RANDOM_USED_ONLY_ONCE false positive

After the update, it works like a charm:

[showuon]

@dongjinleekr , thanks for the update, but it looks like there are other failed spotBugs.

[dongjinleekr]

@showuon My bad. I found several other false-positives from other modules with spotbugs; They are now fixed. (Please see the comments.) 🙇

[ijuma]

Thanks for the PR. Seems like the new version has more false positives. Do you know if they intend to fix those?

[dongjinleekr]

@ijuma

Do you know if they intend to fix those?

Oh yes, as you can see in the updated PR, I updated spotbugs to 4.5.3 following the gradle plugin 5.0.5, and rebased onto the latest trunk. It seems like there are a bunch of false positives in the recent version of spotbugs (below) but, I verified that none of them are affecting.

+1. They also have not fixed the issues I commented on in spotbugs-exclude.xml yet. I will follow up and apply them as soon as they fix them.

[ijuma]

Should we wait until they fix these issues in spotBugs? It doesn't look like the cost/benefit in upgrading here isn't favorable.

[dongjinleekr]

@ijuma If you don't mind CVE WS-2021-0419 introduced by gson 2.8.6. This PR is to fix it.

[dongjinleekr]

Rebased onto the latest trunk. cc/ @ijuma

[Boojapho]

Gson library has another recent vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2022-25647. Gson library 2.8.9 fixes this, which is included in Spotbugs 4.5.0 and higher.

[dongjinleekr]

@Boojapho Thanks for reporting. Here is the fix - rebased onto the latest trunk and upgraded spotbugs into 4.7.0, which also fixes the gson vulnerability.

[ijuma]

Looks like spotbugs/spotbugs@720af6c would help, but it's not available in a released version yet.

[ijuma]

Disabled by default here spotbugs/spotbugs@7ba0e74 (not released yet).

[ijuma]

Why do we have to disable this one?

[dongjinleekr]

1. Public static org.apache.kafka.server.metrics.KafkaYammerMetrics.defaultRegistry() may expose internal representation by returning KafkaYammerMetrics.metricsRegistry.
2. Public static org.apache.kafka.common.security.auth.SecurityProtocol.names() may expose internal representation by returning SecurityProtocol.NAMES

[ijuma]

Are we disabling this one due to false positives?

[dongjinleekr]

Yes.

1. Random object created and used only once in new kafka.tools.ConsoleConsumer$ConsumerConfig(String[])
2. Random object created and used only once in new kafka.tools.ConsumerPerformance$ConsumerPerfConfig(String[])

[dongjinleekr]

@ijuma Here is the update:

1. Rebased onto the latest trunk.
2. Gather the false positives together and add some TODO comments not to leave the workarounds later.
3. Reduce the scope of DMI_RANDOM_USED_ONLY_ONCE and MS_EXPOSE_REP into scala-only and some specific classes only, respectively.

[ijuma]

Can you please update to spotbugs 4.7.1? It seems like it fixes the false positives.

[omkreddy]

@dongjinleekr I have not seen this PR. I have raised draft PR #12768 to upgrade spotbugs. Can we update to spotbugs 4.7.3?

[omkreddy]

Closing this PR in favour of #12768