[discovery-gce] Upgrade all Google dependencies #85132
arteam merged 12 commits into elastic:master
plugins/discovery-gce/build.gradle
| versions << [ | ||
| 'google': '1.23.0' | ||
| 'google' : '1.41.4', |
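Review bot: the new 'google' : '1.41.4' entry has no comment saying which artifact's release line 1.41.4 belongs to or why that version was chosen. Add a short comment above the key naming the artifact and the reason for the pin, so a later bump can be checked against the dependency tree rather than guessed.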
Sorry for the delay on this, I'm not sure if these versions align with what the library expects?
[INFO] \- com.google.apis:google-api-services-compute:jar:v1-rev235-1.25.0:compile
[INFO]    \- com.google.api-client:google-api-client:jar:1.25.0:compile
[INFO]       +- com.google.oauth-client:google-oauth-client:jar:1.25.0:compile
[INFO]       |  +- com.google.http-client:google-http-client:jar:1.25.0:compile
[INFO]       |  |  +- org.apache.httpcomponents:httpclient:jar:4.5.5:compile
[INFO]       |  |  |  +- org.apache.httpcomponents:httpcore:jar:4.4.9:compile
[INFO]       |  |  |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO]       |  |  |  \- commons-codec:commons-codec:jar:1.10:compile
[INFO]       |  |  \- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO]       |  \- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO]       +- com.google.http-client:google-http-client-jackson2:jar:1.25.0:compile
[INFO]       |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.6:compile
[INFO]       \- com.google.guava:guava:jar:20.0:compile
Am I missing something? @arteam
You're correct! Let me pinpoint the exact versions of the transitive dependencies instead of the latest.
Actually, now I remember why I picked the 1.41.4 version. google-api-services-compute uses an outdated version of google-api/google-oauth-client (1.25.0). The original intention was to upgrade google-oauth-client to 1.33.1+ to avoid it being flagged for CVEs
It seems like they discontinued that library in favor of https://mvnrepository.com/artifact/com.google.cloud/google-cloud-compute/1.8.1?
Interesting! Let me try this dependency
It seems it still gets updated! https://repo1.maven.org/maven2/com/google/apis/google-api-services-compute/v1-rev20220322-1.32.1/ got released a couple of days ago. It seems that the artefacts stopped being indexed by mvnrepository.com at some point. I should have checked https://search.maven.org/search?q=google-api-services-compute at the beginning 🤦
Okay, it's there https://mvnrepository.com/artifact/com.google.apis/google-api-services-compute/v1-rev20220322-1.32.1, just the sorting on https://mvnrepository.com/artifact/com.google.apis/google-api-services-compute is broken
Oh 🤦, I was looking into the google cloud documentation and I didn't manage to find a good release list... thanks for looking into this!
@elasticmachine update branch
plugins/discovery-gce/build.gradle
| 'google' : '1.41.1', | ||
| 'google_api_client' : '1.33.1', | ||
| 'api_services_compute': 'v1-rev20220322-1.32.1', | ||
| 'google_oauth_client' : '1.33.1', |
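Review bot: the 'google' key on the first line of this hunk is now ambiguous beside 'google_api_client', 'api_services_compute' and 'google_oauth_client', since it no longer covers every Google artifact. Rename it for the artifact family it versions, and add a comment on 'google_oauth_client' : '1.33.1' stating whether the pin is meant to override the transitive version, so it is not mistaken for drift later.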
I think this expects 1.33.0
[INFO] \- com.google.apis:google-api-services-compute:jar:v1-rev20220322-1.32.1:compile
[INFO]    \- com.google.api-client:google-api-client:jar:1.33.1:compile
[INFO]       +- com.google.oauth-client:google-oauth-client:jar:1.33.0:compile <---
[INFO]       +- com.google.http-client:google-http-client-gson:jar:1.41.1:compile
[INFO]       |  \- com.google.code.gson:gson:jar:2.8.9:compile
[INFO]       +- com.google.guava:guava:jar:31.0.1-jre:compile
[INFO]       |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO]       |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO]       |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO]       |  +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO]       |  +- com.google.errorprone:error_prone_annotations:jar:2.7.1:compile
[INFO]       |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO]       +- com.google.http-client:google-http-client-apache-v2:jar:1.41.1:compile
[INFO]       +- org.apache.httpcomponents:httpcore:jar:4.4.15:compile
[INFO]       +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO]       |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO]       |  \- commons-codec:commons-codec:jar:1.11:compile
[INFO]       \- com.google.http-client:google-http-client:jar:1.41.1:compile
[INFO]          +- io.opencensus:opencensus-api:jar:0.30.0:compile
[INFO]          |  \- io.grpc:grpc-context:jar:1.27.2:compile
[INFO]          \- io.opencensus:opencensus-contrib-http-util:jar:0.30.0:compile
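The comparison made by eye in this review thread, each pinned version against the version `mvn dependency:tree` resolves, can be scripted so that a deliberate override and a silent downgrade are told apart. This is an added example, not code from the PR or from Elasticsearch; the function names, the mapping of the `google` key to google-http-client and the digit-run version ordering are assumptions.

```python
import re

# Constructed sample: four nodes taken from the dependency:tree output quoted in
# the review comment above, including the reviewer's "<---" marker.
TREE = r"""
[INFO] \- com.google.apis:google-api-services-compute:jar:v1-rev20220322-1.32.1:compile
[INFO]    \- com.google.api-client:google-api-client:jar:1.33.1:compile
[INFO]       +- com.google.oauth-client:google-oauth-client:jar:1.33.0:compile <---
[INFO]       \- com.google.http-client:google-http-client:jar:1.41.1:compile
"""

# Pins from the build.gradle hunk, keyed by group:artifact. Mapping the
# 'google' key to google-http-client is an assumption of this example.
PINS = {
    "com.google.apis:google-api-services-compute": "v1-rev20220322-1.32.1",
    "com.google.api-client:google-api-client": "1.33.1",
    "com.google.oauth-client:google-oauth-client": "1.33.1",
    "com.google.http-client:google-http-client": "1.41.1",
}

NODE = re.compile(r"^\[INFO\][\s|]*[+\\]-\s+(\S+)")  # tree prefix, then coordinate

def parse_tree(text):
    """Return {group:artifact: version} for each node of dependency:tree output."""
    resolved = {}
    for line in text.splitlines():
        m = NODE.match(line)
        fields = m.group(1).split(":") if m else []
        if len(fields) in (5, 6):  # group:artifact:type[:classifier]:version:scope
            resolved[f"{fields[0]}:{fields[1]}"] = fields[-2]
    return resolved

def numeric_key(version):
    """Naive ordering on the digit runs only; not Maven's full version ordering."""
    return [int(n) for n in re.findall(r"\d+", version)]

def audit(pins, resolved):
    """List (coordinate, pinned, resolved, kind) for every pin that differs."""
    findings = []
    for coord, pinned in sorted(pins.items()):
        got = resolved.get(coord)
        if got is None:
            findings.append((coord, pinned, None, "not-in-tree"))
        elif got != pinned:
            above = numeric_key(pinned) > numeric_key(got)
            findings.append((coord, pinned, got, "pin-above-tree" if above else "pin-below-tree"))
    return findings

if __name__ == "__main__":
    for finding in audit(PINS, parse_tree(TREE)):
        print(finding)
```

A `pin-above-tree` finding is an intentional override that should carry a stated reason, such as the CVE motivation given earlier in the thread; a `pin-below-tree` finding means the build forces an older artifact than the library was published against.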
fcofdez left a comment
LGTM, I left a comment about the expected google_oauth_client version but otherwise it looks good. Sorry again for the delay on this!
Thanks Francisco!
This commit syncs the dependencies for discovery GCE plugin with the dependency versions in use in main.
Specifically, this commit upgrades the following for the discovery GCE plugin:
com.google.apis:google-api-services-compute:v1-rev160-1.23.0 -> v1-rev20220322-1.32
com.google.api-client:google-api-client:1.23.0 -> 1.33.1
com.google.oauth-client:google-oauth-client:1.23.0 -> 1.34.1
com.google.code.findbugs:jsr305:1.3.9 -> 3.0.2
and introduces the following for the discovery GCE plugin:
api "com.fasterxml.jackson.core:jackson-core:${versions.jackson}"
api "com.google.http-client:google-http-client-gson:1.41.1"
runtimeOnly 'com.google.guava:guava:32.0.1-jre'
runtimeOnly 'com.google.guava:failureaccess:1.0.1'
api 'io.opencensus:opencensus-api:0.30.0'
api 'io.opencensus:opencensus-contrib-http-util:0.30.0'
api 'io.grpc:grpc-context:1.27.2'
backport of #85132 and #91722
Upgrade the dependencies in order to avoid them being flagged for CVEs.