Jenkins / JENKINS-69640

Transitive dependencies break usage of apache-httpcomponents plugin from shared libraries


    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • analysis-model-api-plugin 10.10.1

      This report is a little light on providing details regarding environment and lacks any attempt to provide a reproducible example (since I'm fairly certain on the cause and solution), but I can expand on both if necessary.

       

      Symptom: for a few months we have been unable to upgrade analysis-model-api-plugin (for the sake of warnings-ng) past 10.10.0 as they all resulted in our shared libraries failing with:

      hudson.remoting.ProxyException: groovy.lang.MissingMethodException: No signature of method: com.my.company.util.HttpUtils$_createConnectionCreator_closure5.doCall() is applicable for argument types: (org.apache.http.impl.client.InternalHttpClient) values: [org.apache.http.impl.client.InternalHttpClient@6811377e]
      Possible solutions: doCall(org.apache.http.impl.client.CloseableHttpClient), findAll(), findAll(), isCase(java.lang.Object), isCase(java.lang.Object)
          at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:256)
          at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1034)
          at groovy.lang.Closure.call(Closure.java:420)
          at org.codehaus.groovy.runtime.ConvertedClosure.invokeCustom(ConvertedClosure.java:54)
          at org.codehaus.groovy.runtime.ConversionHandler.invoke(ConversionHandler.java:124)
          at com.sun.proxy.$Proxy236.connect(Unknown Source)
          at io.jenkins.plugins.httpclient.RobustHTTPClient.lambda$connect$0(RobustHTTPClient.java:167)
          at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:48)
          at jenkins.security.ImpersonatingExecutorService$2.call(ImpersonatingExecutorService.java:82)
          at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
          at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
          at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
          at java.base/java.lang.Thread.run(Thread.java:829) 

      Without fail, every upgrade attempt (across multiple Jenkins versions) resulted in this same stacktrace.  There's no obvious connection, but I believe I've now identified it.

       

      Summary: 10.10.1 (up to current) transitively includes apache-httpcomponent libraries, which seem to conflict with those provided by the actual Jenkins plugin.  There are a few other plugins we use that include those libraries as well; I'm not immediately clear on why only this plugin causes problems (the actual versions in this plugin are the same major/minor version as all the other plugins).  But in the script admin console, manually looking up the classloader for the relevant classes e.g., 

      Class.forName('org.apache.http.impl.client.CloseableHttpClient').classLoader.dump()

      always yields the (desired) wrapper plugin for 10.10.0, but always yields this analysis plugin for 10.10.1 onward.  I assume that holds true in my shared libraries as well.

       

      Fix: Adding a dependency on the wrapper plugin results in the client libraries not being bundled in this plugin, and my shared libraries continue to work.

       


      The sequence of events that resulted in this new (and I assume unintended/unnoticed) behavior:

      1. This downstream bug was fixed (and resulted in their poms having declared dependencies, where none existed before)
      2. Dependabot upgraded spotbugs' dependencies with that change
      3. Dependabot upgraded analysis-model with the spotbugs change
      4. Dependabot upgraded this plugin to use the new analysis-model

      No http libraries are present in the dependency graph for 10.0.0:

      $ git checkout -b v10.10.0
      Switched to a new branch 'v10.10.0'
      HEAD is now at 6f228c3 [maven-release-plugin] prepare release v10.0.0
      
      $ /opt/maven/bin/mvn -V dependency:tree -Dincludes='org.apache.httpcomponents:*'
      Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)
      Maven home: /opt/maven
      Java version: 11.0.16, vendor: Ubuntu, runtime: /usr/lib/jvm/java-11-openjdk-amd64
      Default locale: en_US, platform encoding: UTF-8
      OS name: "linux", version: "5.14.0-1051-oem", arch: "amd64", family: "unix"
      [INFO] Scanning for projects...
      [WARNING] The artifact xml-apis:xml-apis:jar:2.0.2 has been relocated to xml-apis:xml-apis:jar:1.0.b2
      [WARNING] The POM for org.jenkins-ci.tools:maven-hpi-plugin:jar:3.17 is missing, no dependency information available
      [WARNING] Failed to build parent project for org.jvnet.hudson.plugins:analysis-pom:pom:5.4.0
      [WARNING] Failed to build parent project for io.jenkins.plugins:analysis-model-api:hpi:10.0.0
      [INFO]
      [INFO] ---------------< io.jenkins.plugins:analysis-model-api >----------------
      [INFO] Building Analysis Model API Plugin 10.0.0
      [INFO] --------------------------------[ hpi ]---------------------------------
      [WARNING] The artifact xerces:xerces:jar:2.2.1 has been relocated to xerces:xercesImpl:jar:2.2.1
      [INFO]
      [INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ analysis-model-api ---
      [INFO] ------------------------------------------------------------------------
      [INFO] BUILD SUCCESS
      

      But they are present in 10.10.1 (and onwards):

      $ git checkout v10.10.1
      Previous HEAD position was 6f228c3 [maven-release-plugin] prepare release v10.0.0
      HEAD is now at d7e4351 [maven-release-plugin] prepare release v10.10.1
      
      $ /opt/maven/bin/mvn -V dependency:tree -Dincludes='org.apache.httpcomponents:*'
      Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)
      Maven home: /opt/maven
      Java version: 11.0.16, vendor: Ubuntu, runtime: /usr/lib/jvm/java-11-openjdk-amd64
      Default locale: en_US, platform encoding: UTF-8
      OS name: "linux", version: "5.14.0-1051-oem", arch: "amd64", family: "unix"
      [INFO] Scanning for projects...
      [WARNING] The artifact xml-apis:xml-apis:jar:2.0.2 has been relocated to xml-apis:xml-apis:jar:1.0.b2
      [WARNING] The POM for org.jenkins-ci.tools:maven-hpi-plugin:jar:3.27 is missing, no dependency information available
      [WARNING] Failed to build parent project for org.jvnet.hudson.plugins:analysis-pom:pom:5.25.0
      [WARNING] Failed to build parent project for io.jenkins.plugins:analysis-model-api:hpi:10.10.1
      [INFO]
      [INFO] ---------------< io.jenkins.plugins:analysis-model-api >----------------
      [INFO] Building Analysis Model API Plugin 10.10.1
      [INFO] --------------------------------[ hpi ]---------------------------------
      [WARNING] The artifact xerces:xerces:jar:2.2.1 has been relocated to xerces:xercesImpl:jar:2.2.1
      [INFO]
      [INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ analysis-model-api ---
      [INFO] io.jenkins.plugins:analysis-model-api:hpi:10.10.1
      [INFO] \- edu.hm.hafner:analysis-model:jar:10.10.1:compile
      [INFO]    \- com.github.spotbugs:spotbugs:jar:4.7.0:compile
      [INFO]       \- net.sf.saxon:Saxon-HE:jar:11.3:runtime
      [INFO]          \- org.xmlresolver:xmlresolver:jar:4.2.0:runtime
      [INFO]             +- org.apache.httpcomponents:httpclient:jar:4.5.13:runtime
      [INFO]             \- org.apache.httpcomponents:httpcore:jar:4.4.13:runtime
      

      I suspect what I proposed may not be the ideal solution, but it may strike a fair balance between ease and correctness.  That said, I'm just an end-user (of warnings-ng).

            rrjjvv Roberto Villarreal
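The dependency-tree check from the report, as an added example that is not part of the original issue or the plugin's code: it parses `mvn dependency:tree` output and reports which chain pulls `org.apache.httpcomponents` jars into the plugin outside the wrapper plugin. The wrapper coordinates `org.jenkins-ci.plugins:apache-httpcomponents-client-4-api`, the second tree and its `WRAPPER-VERSION` placeholder are assumptions constructed for illustration.

```python
import re

# Tree lines copied from the 10.10.1 output in the report above.
TREE_10_10_1 = r"""
[INFO] io.jenkins.plugins:analysis-model-api:hpi:10.10.1
[INFO] \- edu.hm.hafner:analysis-model:jar:10.10.1:compile
[INFO]    \- com.github.spotbugs:spotbugs:jar:4.7.0:compile
[INFO]       \- net.sf.saxon:Saxon-HE:jar:11.3:runtime
[INFO]          \- org.xmlresolver:xmlresolver:jar:4.2.0:runtime
[INFO]             +- org.apache.httpcomponents:httpclient:jar:4.5.13:runtime
[INFO]             \- org.apache.httpcomponents:httpcore:jar:4.4.13:runtime
"""

# Constructed tree (not from the report): the shape expected once the wrapper
# plugin is a direct dependency. WRAPPER-VERSION is a placeholder.
TREE_WITH_WRAPPER = r"""
[INFO] io.jenkins.plugins:analysis-model-api:hpi:10.10.1
[INFO] +- org.jenkins-ci.plugins:apache-httpcomponents-client-4-api:jar:WRAPPER-VERSION:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  \- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] \- edu.hm.hafner:analysis-model:jar:10.10.1:compile
"""

WRAPPER = "org.jenkins-ci.plugins:apache-httpcomponents-client-4-api"  # assumed coordinates
# One tree level is a 3-character cell: "+- ", "\- ", "|  " or "   ".
NODE = re.compile(r"^\[INFO\] ((?:[|+\\ ][- ] )*)([\w.\-]+(?::[\w.\-]+){3,5})\s*$")

def find_library_paths(tree_text, group="org.apache.httpcomponents"):
    """Return, for each artifact in `group`, its scope and the chain pulling it in."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # banner, warning or summary line
        depth = len(m.group(1)) // 3
        del stack[depth:]  # leave only the ancestors of this node
        stack.append(m.group(2))
        parts = m.group(2).split(":")
        if depth > 0 and parts[0] == group:
            hits.append({"artifact": ":".join(parts[:2]), "version": parts[-2],
                         "scope": parts[-1], "via": stack[1:-1]})
    return hits

def bundled_copies(tree_text):
    """Hits with compile/runtime scope that do not arrive through the wrapper plugin."""
    return [h for h in find_library_paths(tree_text)
            if h["scope"] in ("compile", "runtime")
            and not any(v.startswith(WRAPPER + ":") for v in h["via"])]
```

Run in CI against the full `mvn dependency:tree` output, a non-empty `bundled_copies` result flags a dependency bump that starts shipping a private copy of the HTTP client classes.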