refactor: add kafka bom (#63)

aaron-steinfeld · web-flow · commit e47290b91650 · 2023-06-21T09:18:43.000-07:00
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -5,7 +5,7 @@ plugins {
   id("org.hypertrace.repository-plugin") version "0.4.1"
   id("org.hypertrace.ci-utils-plugin") version "0.3.0"
   id("org.hypertrace.avro-plugin") version "0.4.0" apply false
-  id("org.hypertrace.publish-plugin") version "1.0.4" apply false
+  id("org.hypertrace.publish-plugin") version "1.0.5" apply false
   id("org.hypertrace.jacoco-report-plugin") version "0.2.0" apply false
   id("org.hypertrace.code-style-plugin") version "1.1.2" apply false
   id("org.owasp.dependencycheck") version "8.2.1"
diff --git a/kafka-bom/build.gradle.kts b/kafka-bom/build.gradle.kts
@@ -0,0 +1,24 @@
+plugins {
+  `java-platform`
+  id("org.hypertrace.publish-plugin")
+}
+
+
+var kafkaVersion = "7.2.1"
+var kafkaCcsVersion = "$kafkaVersion-ccs"
+
+dependencies {
+  constraints {
+    api("com.fasterxml.jackson.core:jackson-databind:2.15.2")
+    api("org.xerial.snappy:snappy-java:1.1.10.1") {
+      because("[https://nvd.nist.gov/vuln/detail/CVE-2023-34455] in 'org.apache.kafka:kafka-clients:*'")
+    }
+
+    api("io.confluent:kafka-streams-avro-serde:$kafkaVersion")
+    api("io.confluent:kafka-protobuf-serializer:$kafkaVersion")
+    api("org.apache.kafka:kafka-clients:$kafkaCcsVersion")
+    api("org.apache.kafka:kafka-streams:$kafkaCcsVersion")
+    api("org.apache.kafka:kafka-streams-test-utils:$kafkaCcsVersion")
+    api("org.apache.avro:avro:1.11.1")
+  }
+}
diff --git a/kafka-streams-framework/build.gradle.kts b/kafka-streams-framework/build.gradle.kts
@@ -11,28 +11,24 @@ tasks.test {
 }
 
 dependencies {
-  constraints {
-    implementation("org.xerial.snappy:snappy-java:1.1.10.1") {
-      because("[https://nvd.nist.gov/vuln/detail/CVE-2023-34455] in 'org.apache.kafka:kafka-clients:*' > 'org.xerial.snappy:snappy-java:1.1.8.2'")
-    }
-  }
   annotationProcessor("org.projectlombok:lombok:1.18.26")
   compileOnly("org.projectlombok:lombok:1.18.26")
 
   api(project(":kafka-streams-serdes"))
-  api("org.apache.kafka:kafka-streams:7.2.1-ccs")
-  api("io.confluent:kafka-streams-avro-serde:7.2.1")
+  api(platform(project(":kafka-bom")))
+  api("org.apache.kafka:kafka-streams")
+  api("io.confluent:kafka-streams-avro-serde")
   api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.0")
 
-  implementation("org.apache.avro:avro:1.11.1")
-  implementation("org.apache.kafka:kafka-clients:7.2.1-ccs")
+  implementation("org.apache.avro:avro")
+  implementation("org.apache.kafka:kafka-clients")
   implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.52")
   implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.52")
   implementation("org.apache.commons:commons-lang3:3.12.0")
 
   testCompileOnly("org.projectlombok:lombok:1.18.26")
   testAnnotationProcessor("org.projectlombok:lombok:1.18.26")
-  testImplementation("org.apache.kafka:kafka-streams-test-utils:7.2.1-ccs")
+  testImplementation("org.apache.kafka:kafka-streams-test-utils")
   testImplementation("org.junit.jupiter:junit-jupiter:5.9.2")
   testImplementation("org.junit-pioneer:junit-pioneer:2.0.0")
   testImplementation("org.mockito:mockito-core:5.2.0")
diff --git a/kafka-streams-partitioners/avro-partitioners/build.gradle.kts b/kafka-streams-partitioners/avro-partitioners/build.gradle.kts
@@ -11,22 +11,16 @@ tasks.test {
 }
 
 dependencies {
-  constraints {
-    implementation("com.fasterxml.jackson.core:jackson-databind:2.15.2")
-
-    implementation("org.xerial.snappy:snappy-java:1.1.10.1") {
-      because("[https://nvd.nist.gov/vuln/detail/CVE-2023-34455] in 'org.apache.kafka:kafka-clients:*' > 'org.xerial.snappy:snappy-java:1.1.8.2'")
-    }
-  }
+  api(platform(project(":kafka-bom")))
 
   annotationProcessor("org.projectlombok:lombok:1.18.24")
   compileOnly("org.projectlombok:lombok:1.18.24")
 
   implementation("com.google.guava:guava:32.0.1-jre")
-  implementation("org.apache.avro:avro:1.11.1")
+  implementation("org.apache.avro:avro")
   implementation("com.typesafe:config:1.4.2")
-  implementation("org.apache.kafka:kafka-clients:7.2.1-ccs")
-  implementation("org.apache.kafka:kafka-streams:7.2.1-ccs")
+  implementation("org.apache.kafka:kafka-clients")
+  implementation("org.apache.kafka:kafka-streams")
   implementation("org.slf4j:slf4j-api:1.7.36")
 
   testImplementation("org.junit.jupiter:junit-jupiter:5.8.2")
diff --git a/kafka-streams-partitioners/weighted-group-partitioner/build.gradle.kts b/kafka-streams-partitioners/weighted-group-partitioner/build.gradle.kts
@@ -10,20 +10,13 @@ tasks.test {
 }
 
 dependencies {
-  constraints {
-    implementation("com.fasterxml.jackson.core:jackson-databind:2.15.2")
-
-    implementation("org.xerial.snappy:snappy-java:1.1.10.1") {
-      because("[https://nvd.nist.gov/vuln/detail/CVE-2023-34455] in 'org.apache.kafka:kafka-clients:*' > 'org.xerial.snappy:snappy-java:1.1.8.2'")
-    }
-  }
-
   annotationProcessor("org.projectlombok:lombok:1.18.24")
   compileOnly("org.projectlombok:lombok:1.18.24")
 
-  api("com.typesafe:config:1.4.2")
-  api("org.apache.kafka:kafka-streams:7.2.1-ccs")
+  api(platform(project(":kafka-bom")))
+  api("org.apache.kafka:kafka-streams")
   api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.0")
+  api("com.typesafe:config:1.4.2")
   implementation("com.google.guava:guava:32.0.1-jre")
   implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.0")
   implementation("org.hypertrace.config.service:partitioner-config-service-api:0.1.46")
diff --git a/kafka-streams-serdes/build.gradle.kts b/kafka-streams-serdes/build.gradle.kts
@@ -11,16 +11,10 @@ tasks.test {
 }
 
 dependencies {
-  constraints {
-    implementation("com.fasterxml.jackson.core:jackson-databind:2.15.2")
+  api(platform(project(":kafka-bom")))
 
-    implementation("org.xerial.snappy:snappy-java:1.1.10.1") {
-      because("[https://nvd.nist.gov/vuln/detail/CVE-2023-34455] in 'org.apache.kafka:kafka-clients:*' > 'org.xerial.snappy:snappy-java:1.1.8.2'")
-    }
-  }
-
-  api("org.apache.kafka:kafka-clients:7.2.1-ccs")
-  api("org.apache.avro:avro:1.11.1")
+  api("org.apache.kafka:kafka-clients")
+  api("org.apache.avro:avro")
 
   testImplementation("org.junit.jupiter:junit-jupiter:5.8.2")
 }
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
@@ -2,18 +2,9 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <suppress>
         <notes><![CDATA[
-   This is a false alert.
-   Hypertrace grpc packages are falsely identified as old versions of open source grpc packages.
+   Any hypertrace core dep
    ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.hypertrace\.core\.grpcutils/grpc-client-utils@.*$</packageUrl>
-        <cpe>cpe:/a:grpc:grpc</cpe>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-   This is a false alert.
-   Hypertrace grpc packages are falsely identified as old versions of open source grpc packages.
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.hypertrace\.core\.grpcutils/grpc-context-utils@.*$</packageUrl>
+        <packageUrl regex="true">^pkg:maven/org\.hypertrace\.core\..*@.*$</packageUrl>
         <cpe>cpe:/a:grpc:grpc</cpe>
     </suppress>
     <suppress>
diff --git a/settings.gradle.kts b/settings.gradle.kts
@@ -16,3 +16,4 @@ include(":kafka-streams-framework")
 include(":kafka-streams-serdes")
 include(":kafka-streams-partitioners:avro-partitioners")
 include(":kafka-streams-partitioners:weighted-group-partitioner")
+include(":kafka-bom")
