[JENKINS-68468] Prepare InsightVM Container Image Scanner for removal of JAXB and Java 11 requirement

Type: Improvement
Resolution: Unresolved
Priority: Major
Component/s: rapid7-insightvm-container-assessment-plugin
Labels:
None

Similar Issues:
Powered by SuggestiMate

Show
Epic Link:
Java 11/JAXB compatibility: Long tail

JAXB was removed from Java 9+. In 2.164, JAXB was detached into the JAXB API plugin, which means that any plugin with a Jenkins baseline prior to 2.164 will get JAXB on its classpath via the detached plugin mechanism. Any plugin with a Jenkins baseline greater than or equal to 2.164 will get JAXB on its classpath if and only if it declares a plugin-to-plugin dependency on JAXB (recommended) or embeds JAXB into its own .jpi via a direct or transitive dependency.

A systematic search of the plugin corpus was conducted on May 9, 2022; this search revealed that this plugin has a baseline greater than or equal to 2.164, a direct or transitive usage of JAXB, no plugin-to-plugin dependency on JAXB, and no copy of JAXB in the .jpi. For compatibility with Java 11, this plugin must declare an explicit dependency on the JAXB API plugin as follows:

<dependency>
  <groupId>io.jenkins.plugins</groupId>
  <artifactId>jaxb</artifactId>
  <version>2.3.6-1</version>
</dependency>

This plugin's identified usage of JAXB is as follows:

Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/adapters/XmlAdapter via javax/ws/rs/core/Link$JaxbAdapter.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/adapters/XmlAdapter via org/sonatype/goodies/packageurl/jaxb/PackageUrlXmlAdapter.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/adapters/XmlJavaTypeAdapter via org/sonatype/ossindex/service/api/componentreport/ComponentReport.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/adapters/XmlJavaTypeAdapter via org/sonatype/ossindex/service/api/componentreport/ComponentReportRequest.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/XmlAccessorType via org/sonatype/ossindex/service/api/componentreport/ComponentReport.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/XmlAccessorType via org/sonatype/ossindex/service/api/componentreport/ComponentReportRequest.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/XmlAccessorType via org/sonatype/ossindex/service/api/componentreport/ComponentReportVulnerability.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/XmlAccessType via org/sonatype/ossindex/service/api/componentreport/ComponentReport.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/XmlAccessType via org/sonatype/ossindex/service/api/componentreport/ComponentReportRequest.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/XmlAccessType via org/sonatype/ossindex/service/api/componentreport/ComponentReportVulnerability.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/XmlAnyAttribute via javax/ws/rs/core/Link$JaxbLink.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/XmlAttribute via javax/ws/rs/core/Link$JaxbLink.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/XmlElement via org/sonatype/ossindex/service/api/componentreport/ComponentReport.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/XmlElement via org/sonatype/ossindex/service/api/componentreport/ComponentReportRequest.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/XmlElement via org/sonatype/ossindex/service/api/componentreport/ComponentReportVulnerability.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/XmlElementWrapper via org/sonatype/ossindex/service/api/componentreport/ComponentReport.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/XmlElementWrapper via org/sonatype/ossindex/service/api/componentreport/ComponentReportRequest.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/XmlRootElement via org/sonatype/ossindex/service/api/componentreport/ComponentReport.class
Plugin rapid7-insightvm-container-assessment:1.0.21 using javax/xml/bind/annotation/XmlRootElement via org/sonatype/ossindex/service/api/componentreport/ComponentReportRequest.class

Basil Crow added a comment - 2022-05-20 19:10

Hi gschneider_r7, gentle ping regarding this ticket. As a reminder, Jenkins will begin requiring Java 11 in weekly releases on or after June 21, 2022, and in LTS releases on or after September 2022.

Basil Crow added a comment - 2022-05-20 19:10 Hi gschneider_r7 , gentle ping regarding this ticket. As a reminder, Jenkins will begin requiring Java 11 in weekly releases on or after June 21, 2022, and in LTS releases on or after September 2022.

Gavin Schneider added a comment - 2022-05-20 20:02

Hi basil thanks for the heads up. The team working on this is aware and will follow up.

Gavin Schneider added a comment - 2022-05-20 20:02 Hi basil thanks for the heads up. The team working on this is aware and will follow up.

james hahn added a comment - 2022-06-16 18:16

basil we're trying to add the jaxb dependency, but we are getting this error when trying to build the plugin,

Caused by: java.io.IOException: Failed to load: JAXB plugin (jaxb 2.3.6-1)
 - Update required: JavaBeans Activation Framework (JAF) API (javax-activation-api 1.2.0-2) to be updated to 1.2.0-3 or higher

we get this after adding the correct version of the javax-activation-api as a dependency. we are using a 4.0+ jenkins parent pom.

james hahn added a comment - 2022-06-16 18:16 basil we're trying to add the jaxb dependency, but we are getting this error when trying to build the plugin, Caused by: java.io.IOException: Failed to load: JAXB plugin (jaxb 2.3.6-1) - Update required: JavaBeans Activation Framework (JAF) API (javax-activation-api 1.2.0-2) to be updated to 1.2.0-3 or higher we get this after adding the correct version of the javax-activation-api as a dependency. we are using a 4.0+ jenkins parent pom.

Basil Crow added a comment - 2022-06-17 17:05

Hi jhahn_r7, I cannot debug by telegram without being able to see your code, so why don't you file a draft PR with what you have so far and then I can assist you further.

Basil Crow added a comment - 2022-06-17 17:05 Hi jhahn_r7 , I cannot debug by telegram without being able to see your code, so why don't you file a draft PR with what you have so far and then I can assist you further.

james hahn added a comment - 2022-06-17 20:13

basil

https://github.com/jenkinsci/rapid7-insightvm-container-assessment-plugin/pull/33

james hahn added a comment - 2022-06-17 20:13 basil https://github.com/jenkinsci/rapid7-insightvm-container-assessment-plugin/pull/33

Basil Crow added a comment - 2022-06-17 20:50

jhahn_r7 This should take care of it (untested): https://github.com/basil/rapid7-insightvm-container-assessment-plugin/commit/7d42fb789079972b2f3b593b883552700ce80db4

Basil Crow added a comment - 2022-06-17 20:50 jhahn_r7 This should take care of it (untested): https://github.com/basil/rapid7-insightvm-container-assessment-plugin/commit/7d42fb789079972b2f3b593b883552700ce80db4

james hahn added a comment - 2022-06-17 21:00

thanks i'll check it out basil

james hahn added a comment - 2022-06-17 21:00 thanks i'll check it out basil

Basil Crow added a comment - 2022-06-17 21:10

(Unrelated to Java 11 support, but <pluginFirstClassLoader>true</pluginFirstClassLoader> is not recommended and probably unnecessary as of 2.319.x which upgrades Guava. If you are about to do a round of end-to-end testing, might be worth removing it; if tests pass, I would recommend getting rid of it.)

Basil Crow added a comment - 2022-06-17 21:10 (Unrelated to Java 11 support, but <pluginFirstClassLoader>true</pluginFirstClassLoader> is not recommended and probably unnecessary as of 2.319.x which upgrades Guava. If you are about to do a round of end-to-end testing, might be worth removing it; if tests pass, I would recommend getting rid of it.)

Assignee:: Rapid7 User

Reporter:: Basil Crow

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2022-05-09 21:53

Updated:: 2022-06-17 21:10

Jenkins

Details

Description

Attachments

Activity

Collapse comment: Basil Crow added a comment - 2022-05-20 19:10

Expand comment: Basil Crow added a comment - 2022-05-20 19:10

Collapse comment: Gavin Schneider added a comment - 2022-05-20 20:02

Expand comment: Gavin Schneider added a comment - 2022-05-20 20:02

Collapse comment: james hahn added a comment - 2022-06-16 18:16

Expand comment: james hahn added a comment - 2022-06-16 18:16

Collapse comment: Basil Crow added a comment - 2022-06-17 17:05

Expand comment: Basil Crow added a comment - 2022-06-17 17:05

Collapse comment: james hahn added a comment - 2022-06-17 20:13

Expand comment: james hahn added a comment - 2022-06-17 20:13

Collapse comment: Basil Crow added a comment - 2022-06-17 20:50

Expand comment: Basil Crow added a comment - 2022-06-17 20:50

Collapse comment: james hahn added a comment - 2022-06-17 21:00

Expand comment: james hahn added a comment - 2022-06-17 21:00

Collapse comment: Basil Crow added a comment - 2022-06-17 21:10

Expand comment: Basil Crow added a comment - 2022-06-17 21:10

People

Dates