Remove swagger from run distribution #4467

Open
1 task
toco-cam opened this issue Jul 2, 2024 · 4 comments
Labels
type:task Issues that are a change to the project that is neither a feature nor a bug fix. version:7.22.0

Comments

@toco-cam
Member

toco-cam commented Jul 2, 2024

Acceptance Criteria (Required on creation)

  • Swagger is removed from the run distribution
  • Swagger is removed from the docs

Hints

Links

Breakdown

Pull Requests

No tasks being tracked yet.

Dev2QA handover

  • Does this ticket need a QA test and the testing goals are not clear from the description? Add a Dev2QA handover comment
@toco-cam toco-cam added the type:task Issues that are a change to the project that is neither a feature nor a bug fix. label Jul 2, 2024
@amardeep2006
Contributor

May I know what is the reason for removing swagger? This was a good feature.

Please clarify it does not impact the following artifact (OPENAPI specifications) and only impacts camunda run.

<dependency>
  <groupId>org.camunda.bpm</groupId>
  <artifactId>camunda-engine-rest-openapi</artifactId>
  <version>${version.camunda}</version>
</dependency>

@toco-cam
Member Author

toco-cam commented Jul 4, 2024

Hello @amardeep2006

> May I know what is the reason for removing swagger?

SwaggerUI has faced many security problems recently, resulting in high maintenance efforts on our side. The alternative to SwaggerUI is OpenAPI and a REST client like Postman. The REST client with the OpenAPI can, in our opinion, cover the intended use case for SwaggerUI: "Easy testing of API interfaces".

> Please clarify it does not impact following artifact (OPENAPI specifications) and only impacts camunda run.

There was no impact on OpenAPI. And yes, only Camunda Run, as the other distributions never supported SwaggerUI.

Regards Tobias (Product Management)

@amardeep2006
Contributor

Thanks for the clarification. We are using https://springdoc.org/ with camunda provided openapi specs in our project and it has proven to be low maintenance. We scan daily for security.

@psavidis
Contributor

psavidis commented Jul 25, 2024

Kickoff

Context

Swagger is removed from the camunda-run distribution.

Business Value

The removal of swagger will reduce the maintenance effort required for keeping up with all the security updates that swagger requires from time to time.

Customer Requirements

Swagger is removed entirely from camunda-run.

Backwards compatibility

Starting from version 7.22, swagger will not be accessible. Our users can simply use the OpenAPI in combination with a REST client like Postman. That should be sufficient to cover their existing needs.

Technical Solution Proposal

The technical proposal is pretty straightforward for this case, the changes will consist of removing swagger entirely from the camunda-run module.

Changes Required

A. Adjust assembly module

  • 1. Remove SwaggerUI references from README
  • 2. Remove Swagger Parameterization from the run scripts (run.bat, run.sh). That includes:
    • --swaggerui blocks
    • All swagger related parameters (swaggerPath, swaggeruiChosen)
    • Echoes to the STD OUT related to swagger
    • Comments
  • 3. Remove camunda-bpm-run-modules-swaggerui import from run's assembly module `pom.xml`
  • 4. Remove Swagger Entries from assembly.xml
    • The above descriptor is responsible for putting together the swagger files into the zipped camunda run installation camunda-bpm-run-{camunda.version}/internal/swaggerui folder

B. Adjust core module - Remove Comment references

C. Adjust modules module - Delete swaggerui Module

D. Adjust QA Tests

  • 1. Remove Test from ProductionConfigurationIT
  • 2. Remove Test SwaggerUIGetRequestIT
  • 3. Adjust ComponentAvailabilityIT
    • Delete shouldFindSwaggerUI test
    • Remove --swaggerui parameter from commands
    • Remove swaggerUIAvailable parameter from runStartScript

E. Adjust Documentation

  • 1. Installation | Remote Engine Distribution | Installation Procedure - Remove point 7 which references swagger
  • 2. User Guide | Camunda 7 Run
    • 2.1 What is Camunda Run - Remove list element mentioning swagger
    • 2.2 Starting with Camunda Run - Remove swagger reference from the paragraph
    • 2.3. Start Script Arguments - Remove swagger reference from the available arguments
    • 2.4. Optional Components - Remove references a and b
    • 2.5 Example Application - Remove swagger reference
    • 2.6 Choose between default and production configuration - Remove swagger reference, only the example application is disabled on production mode anymore. Also, rephrase that only the example application can be explicitly enabled (not swagger).
  • 3. Content | Update | Minor | 7.21-to-7.22 - Add a Camunda Run and Swagger Update
    • For administrators and developers: State that camunda-run will be discontinued and mention the alternative of using OpenAPI along with a REST client of choice
  • 4. Introduction | Third-Party Libraries | Camunda 7 License Book | Swagger UI Javascript Dependencies - Delete the whole section
  • 5. Reference | REST API | Open API - Delete the section which mentions camunda-run and swagger

Breakdown

All the above changes can be incorporated into a simple task (this ticket can be used for simplicity's sake).
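
A post-change check for the removal steps in the kickoff comment above, as an added example that is not part of the thread or of the Camunda code base: it scans an unpacked Camunda Run directory for the `internal/swaggerui` folder and for swagger references left in `run.sh` / `run.bat`. The function names, the sample layout and the assumption that a leftover module jar has "swaggerui" in its file name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code): audit an unpacked Camunda Run directory for
# Swagger UI leftovers, using only names that appear in the issue.

# audit_swagger_leftovers DIR
# Prints one line per finding; returns 0 when clean, 1 on leftovers, 2 on a bad DIR.
audit_swagger_leftovers() {
    dist_dir=$1
    findings=0
    [ -d "$dist_dir" ] || { echo "not a directory: $dist_dir" >&2; return 2; }

    # Files or folders named after the module, e.g. internal/swaggerui
    # (assumption: a bundled module jar would carry "swaggerui" in its file name).
    paths=$(find "$dist_dir" -iname '*swaggerui*' -print)
    if [ -n "$paths" ]; then
        echo "$paths" | sed 's/^/PATH /'
        findings=$((findings + 1))
    fi

    # Start scripts: --swaggerui blocks, swaggerPath / swaggeruiChosen, echoes, comments.
    for script in run.sh run.bat; do
        [ -f "$dist_dir/$script" ] || continue
        hits=$(grep -i -n -F -e swagger "$dist_dir/$script" || true)
        if [ -n "$hits" ]; then
            echo "$hits" | sed "s/^/SCRIPT $script:/"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# make_sample_dist DIR
# Builds a constructed layout that still has the swagger pieces in place
# (sample data for this example, not the project's real start script).
make_sample_dist() {
    mkdir -p "$1/internal/swaggerui"
    printf '%s\n' '#!/bin/sh' 'swaggeruiChosen=false' \
        'case "$1" in --swaggerui) swaggeruiChosen=true ;; esac' > "$1/run.sh"
}

# Stand-alone use: sh audit.sh /path/to/unpacked/camunda-run
if [ -n "${1:-}" ]; then
    audit_swagger_leftovers "$1"
fi
```
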
