Eliminate outdated 3rd party content from SimRel

[merks]

In order to ensure we can address any problems, e.g., CVEs, that might arise in 3rd party bundles in the future, we need to be prepared to update those dependencies. The following dependencies are not currently part of the restructured Orbit aggregation and need to be investigated to determine where and why these outdated versions are being used:

• bndtools.jareditor/7.0.0.202310060912
• This is a dependency of PDE that is consumed directly from Maven https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/blob/8aa0d1e1d6a471baad29d26f286b1946e89b8f7c/eclipse.platform.releng.prereqs.sdk/eclipse-sdk-prereqs.target#L605-L622.
• It has not been included in Orbit because it has a very-many difficult-to-manage dependencies back to the Eclipse IDE. We can safely assume that PDE will update to newer versions of BND as they become available.
• ca.odell.glazedlists/1.9.0.v201303080712 → ca.odell.glazedlists/1.11.0
• I've opened the following issues:
  • https://gitlab.eclipse.org/eclipse/papyrus/org.eclipse.papyrus-designer/-/issues/14
  • Update NatTable to the latest dependencies eclipse-nattable/nattable#95
• com.google.gerrit.common/2.1.5.v201112241444 🚫
• Update transitive com.google.gerrit dependencies eclipse-mylyn/org.eclipse.mylyn#567
• Disable Mylyn's gerrit features #445
• com.google.gerrit.prettify/2.1.5.v201112241444 🚫
• Update transitive com.google.gerrit dependencies eclipse-mylyn/org.eclipse.mylyn#567
• Disable Mylyn's gerrit features #445
• com.google.gerrit.reviewdb/2.1.5.v201112241444 🚫
• Update transitive com.google.gerrit dependencies eclipse-mylyn/org.eclipse.mylyn#567
• Disable Mylyn's gerrit features #445
• com.google.gwt.servlet/2.1.0.v201111291940 🚫
• Update transitive com.google.gerrit dependencies eclipse-mylyn/org.eclipse.mylyn#567
• Disable Mylyn's gerrit features #445
• com.google.gwtjsonrpc/1.2.5.v201112241444 🚫
• Update transitive com.google.gerrit dependencies eclipse-mylyn/org.eclipse.mylyn#567
• Disable Mylyn's gerrit features #445
• com.google.gwtorm/1.1.4.v201112241444 🚫
• Update transitive com.google.gerrit dependencies eclipse-mylyn/org.eclipse.mylyn#567
• Disable Mylyn's gerrit features #445
• com.google.protobuf/2.4.0.v201105131100 🚫
• Remove the com.google.protobuf bundle from the feature and the category eclipse-jsdt/webtools.jsdt#5
• com.mountainminds.eclemma.core/3.1.9.202405260028 ✔
• This is just p2 metadata from the eclemma project:
  • https://github.com/eclipse-eclemma/eclemma/blob/5c445fe234d36e88eafe31bbd78e829c42ebaedf/org.eclipse.eclemma.feature/p2.inf#L17-L19
• configure.logback.classic/2.6.1.20240411-1743 ✔
• This is just p2 metadata from the m2e project:
  • https://github.com/eclipse-m2e/m2e-core/blob/13c4a91529f9317399bfcb2a84392f1497d71677/org.eclipse.m2e.logback.feature/p2.inf#L8-L9
• jakarta.el/4.0.0.v20210105-0527 → jakarta.el-api/4.0.0 | jakarta.el-api/5.0.1
• [4.0.0.v20210105-0527] - org.eclipse.jst.web_core.feature.feature.group /3.34.0.v202405180419 - Web Tools Platform
• jakarta.servlet/5.0.0.v20210105-0527 → jakarta.servlet-api/5.0.0 → jakarta.servlet-api/6.1.0
• [5.0.0.v20210105-0527] - org.eclipse.jst.web_core.feature.feature.group /3.34.0.v202405180419 - Web Tools Platform
• 5.0.0 - org.eclipse.jst.standard.schemas /1.2.700.v202402030235 - Web Tools Platform
• jakarta.servlet.jsp/3.0.0.v20210105-0527 → jakarta.servlet.jsp-api/3.1.1
• [3.0.0.v20210105-0527] - org.eclipse.jst.web_core.feature.feature.group /3.34.0.v202405180419 - Web Tools Platform
• jakarta.xml.bind/2.3.3.v20201118-1818 → jakarta.xml.bind-api/4.0.2
• [2.3.3.v20201118-1818] - org.eclipse.jst.ws.cxf.feature.feature.group /1.1.1200.v202311232240 - Web Tools Platform
• [2.3.3.v20201118-1818] - org.eclipse.jst.ws.jaxws.feature.feature.group /1.2.1000.v202311280000 - Web Tools Platform
• javax.activation/1.1.0.v201211130549 → jakarta.activation-api/1.2.2
• [1.1.0,1.2.0) - javax.mail /1.4.0.v201005080615 - 3rd Party
• javax.activation/1.2.2.v20221203-1659 → jakarta.activation-api/1.2.2
• 1.0.0 - jakarta.xml.bind /2.3.3.v20201118-1818 - 3rd Party
• javax.annotation/1.3.5.v20200909-1856 → jakarta.annotation-api/1.3.5
• [1.3.5,2.0.0) - org.eclipse.papyrus.infra.ui.fonts /2.0.0.202406051429 - Papyrus
• javax.jws/2.0.0.v201005080400 → jakarta.jws-api/2.1.0
• [2.0.0.v201005080400] - org.eclipse.jst.ws.cxf.feature.feature.group /1.1.1200.v202311232240 - Web Tools Platform
• [2.0.0.v201005080400] - org.eclipse.jst.ws.jaxws.feature.feature.group /1.2.1000.v202311280000 - Web Tools Platform
• [2.0.0,2.1.0) - org.eclipse.jst.ws.cxf.core /1.2.0.v202308010145 - Web Tools Platform
• [2.0.0,2.1.0) - org.eclipse.jst.ws.cxf.creation.core /1.2.0.v202311232240 - Web Tools Platform
• [2.0.0,2.1.0) - org.eclipse.jst.ws.cxf.creation.ui /1.1.0.v202308010145 - Web Tools Platform
• javax.mail/1.4.0.v201005080615 → jakarta.mail-api/1.6.7
• 0.0.0 - org.eclipse.wst.ws_core.feature.feature.group /3.31.0.v202308021509 - Web Tools Platform
• javax.persistence/2.2.1.v201807122140 → jakarta.persistence-api/2.2.3
• [2.2.1.v201807122140] - org.eclipse.jpt.jpa.feature.feature.group /3.8.0.v202405180120 - Web Tools Platform
• javax.wsdl/1.6.2.v201012040545 → javax.wsdl/1.6.3.v20230730-0710
• [1.6.2.v201012040545] - org.eclipse.jst.ws.cxf.feature.feature.group /1.1.1200.v202311232240 - Web Tools Platform
• [1.6.2.v201012040545] - org.eclipse.jst.ws.jaxws.feature.feature.group /1.2.1000.v202311280000 - Web Tools Platform
• javax.xml/1.3.4.v201005080400 🚫 available in the JDK
• javax.xml.rpc/1.1.0.v201209140446 → javax.xml.rpc-api/1.1.4
• 0.0.0 - org.eclipse.wst.ws_core.feature.feature.group /3.31.0.v202308021509 - Web Tools Platform
• [1.1.0,2.0.0) - org.eclipse.wst.ws.explorer /1.1.2.v202308010145 - Web Tools Platform
• javax.xml.soap/1.2.0.v201005080501 → jakarta.xml.soap-api/1.4.2
• [1.2.0,1.3.0) - org.eclipse.wst.ws_core.feature.feature.group /3.31.0.v202308021509 - Web Tools Platform
• javax.xml.stream/1.0.1.v201004272200 🚫 available in the JDK
• [1.0.1.v201004272200] - org.eclipse.jst.ws.cxf.feature.feature.group /1.1.1200.v202311232240 - Web Tools Platform
• [1.0.1.v201004272200] - org.eclipse.jst.ws.jaxws.feature.feature.group /1.2.1000.v202311280000 - Web Tools Platform
• javax.xml.ws/2.1.0.v200902101523 → jakarta.xml.ws-api/2.3.3
• [2.1.0.v200902101523] - org.eclipse.jst.ws.cxf.feature.feature.group /1.1.1200.v202311232240 - Web Tools Platform
• [2.1.0.v200902101523] - org.eclipse.jst.ws.jaxws.feature.feature.group /1.2.1000.v202311280000 - Web Tools Platform
• org.apache.bcel/5.2.0.v201005080400 → org.apache.xalan/2.7.2.v20230928-1302
• 0.0.0 - org.eclipse.wst.xsl.feature.feature.group /1.3.1600.v202405130119 - Web Tools Platform
• org.apache.commons.codec/1.14.0.v20221112-0806 → org.apache.commons.commons-codec/1.17.0
• 0.0.0 - org.eclipse.wst.ws_core.feature.feature.group /3.31.0.v202308021509 - Web Tools Platform
• [1.3.0,2.0.0) - org.eclipse.birt.chart.device.extension /4.12.0.v202211281949 - BIRT
• [1.3.0,2.0.0) - org.eclipse.birt.chart.device.swt /4.12.0.v202211281949 - BIRT
• [1.2.0,2.0.0) - org.eclipse.wst.ws.explorer /1.1.2.v202308010145 - Web Tools Platform
• [1.2.0,2.0.0) - org.eclipse.wst.ws.parser /1.1.0.v202308012257 - Web Tools Platform
• [1.2.0,2.0.0) - org.eclipse.wst.wsi /1.1.501.v202308010145 - Web Tools Platform
• PRs:
  • Use commons-codec and commons-logging eclipse-webservices/webservices#4
  • https://github.com/eclipse-sourceediting/sourceediting/pull/11u
  • Use commons-logging eclipse-servertools/servertools#8
• org.apache.commons.collections/3.2.2.v201511171945 → org.apache.commons.collections/3.2.2
• [3.2.2.v201511171945] - org.eclipse.jpt.jpa.feature.feature.group /3.8.0.v202405180120 - Web Tools Platform
• org.apache.commons.io/2.8.0.v20210415-0900 → org.apache.commons.commons-io/2.16.1
• [2.6.0,3.0.0) - org.eclipse.papyrus.infra.tools /4.2.0.202406051429 - Papyrus
• 0.0.0 - org.eclipse.php.composer.ui /8.2.0.202311292129 - PDT
• 0.0.0 - org.eclipse.php.phpunit /8.2.0.202311292129 - PDT
• PRs:
  • Import the org.apache.commons.logging/io package instead of the bundle  eclipse-pdt/pdt#280
• Appears to come from https://download.eclipse.org/mylyn/updates/release/4.3.0
• org.apache.commons.jxpath/1.3.0.v200911051830 → org.apache.commons.jxpath/1.3.0
• Orbit provides this direct-from-maven version which is used by the Plaform:
  • https://repo1.maven.org/maven2/commons-jxpath/commons-jxpath/1.3/
• Unfortunately Modisco has this feature include from an old Orbit repository
  • [1.3.0.v200911051830] - org.eclipse.modisco.infrastructure.feature.feature.group /1.5.4.v20240304-1105
  • https://git.eclipse.org/r/c/modisco/org.eclipse.modisco/+/207294
• Must explicitly exclude the old version from e(fx)
  • Exclude org.apache.commons.jxpath/1.3.0.v200911051830 from gef.aggrcon #444
• org.apache.commons.lang/2.6.0.v201404270220 → org.apache.commons.lang/2.6.0
• [2.6.0.v201404270220] - org.eclipse.jpt.jpa.feature.feature.group /3.8.0.v202405180120 - Web Tools Platform
• org.apache.commons.logging/1.2.0.v20180409-1502 → org.apache.commons.logging/1.2.0 | org.apache.commons.commons-logging/1.3.3
• [1.2.0,2.0.0) - org.eclipse.ecf.remoteservice.rest.feature.feature.group /1.0.303.v20240405-1603 - ECF
• [1.2.0.v20180409-1502] - org.eclipse.net4j.util.feature.group /4.23.0.v20240605-1049 - EMF CDO
• 1.0.4 - org.eclipse.wst.ws_core.feature.feature.group /3.31.0.v202308021509 - Web Tools Platform
• 1.0.4 - org.eclipse.wst.xsl.feature.feature.group /1.3.1600.v202405130119 - Web Tools Platform
• 1.0.4 - org.eclipse.epp.mpc.core /1.10.3.v20240221-1216 - EPP Marketplace Client
• 0.0.0 - org.eclipse.php.composer.api /8.2.0.202311292129 - PDT
• 0.0.0 - org.eclipse.php.composer.core /8.2.0.202311292129 - PDT
  -[1.0.4,2.0.0) - org.eclipse.wst.server.preview /1.3.0.v202311130434 - Web Tools Platform
• 0.0.0 - org.eclipse.wst.wsi /1.1.501.v202308010145 - Web Tools Platform
  -1.0.4 - org.eclipse.wst.xsl.jaxp.debug /1.1.100.v202202230212 - Web Tools Platform
• PRs:
  • Use commons-codec and commons-logging eclipse-webservices/webservices#4
  • Use commons-logging eclipse-sourceediting/sourceediting#11
  • Use commons-logging eclipse-servertools/servertools#8
• org.apache.commons.net/3.2.0.v201305141515 → org.apache.commons.commons-net/3.11.1
• [3.2.0.v201305141515] - org.eclipse.rse.ftp.feature.group /4.5.600.202401151828 - TM: RSE
• 2.0.0 - org.eclipse.rse.ftp.feature.group /4.5.600.202401151828 - TM: RSE
• [3.2.0.v201305141515] - org.eclipse.rse.telnet.feature.group /4.5.600.202401151828 - TM: RSE
• [1.4.1,4.0.0) - org.eclipse.rse.connectorservice.telnet /4.5.600.202401151652 - TM: RSE
• [1.4.1,4.0.0) - org.eclipse.rse.services.files.ftp /4.5.600.202401151652 - TM: RSE
• [2.0.0,4.0.0) - org.eclipse.rse.services.telnet /4.5.600.202401151652 - TM: RSE
• [1.4.1,4.0.0) - org.eclipse.rse.subsystems.files.ftp /4.5.600.202401151652 - TM: RSE
• PR:
  • https://git.eclipse.org/c/tm/org.eclipse.tm.git/commit/?id=4c983325f3d0b75f9afd32a250ec0946ea79a5ef
• org.apache.httpcomponents.httpcore/4.4.16.v20221207-1049 → org.apache.httpcomponents.httpcore/4.4.16
• Appears to come from https://download.eclipse.org/mylyn/updates/release/4.3.0
• https://github.com/eclipse-simrel/simrel.build/pull/446/files
• org.apache.xml.serializer/2.7.1.v201005080400 → org.apache.xml.serializer/2.7.2.v20230928-1302
• [2.7.1.v201005080400] - org.eclipse.wst.xml_core.feature.feature.group /3.34.0.v202405130132 - Web Tools Platform
• 0.0.0 - org.eclipse.wst.xsl.feature.feature.group /1.3.1600.v202405130119 - Web Tools Platform
• [2.7.0,2.8.0) - org.eclipse.wst.xsl.xalan /1.1.100.v202301080401 - Web Tools Platform
• org.eclipse.m2e.maven.runtime/3.9.700.20240602-2313 ✔
• This is produced and actively maintained by m2e:
  • https://github.com/eclipse-m2e/m2e-core/tree/13c4a91529f9317399bfcb2a84392f1497d71677/org.eclipse.m2e.maven.runtime
• org.glassfish.hk2.osgi-resource-locator/2.5.0.v20161103-1916 → org.glassfish.hk2.osgi-resource-locator/1.0.3
• The 1.0.3 version in Orbit is actually newer than the 2.5.0.x version:
  • Use org.glassfish.hk2.osgi-resource-locator from latest Orbit eclipse-mylyn/org.eclipse.mylyn#569
  • https://repo1.maven.org/maven2/org/glassfish/hk2/osgi-resource-locator/
• org.gradle.toolingapi/8.1.1.v20240115-1636 ✔
• This appears to be based on checked-in jars located here:
  • https://github.com/eclipse/buildship/tree/master/org.gradle.toolingapi
• This is probably fine because buildship can update this, though I've asked about that.
  • Redistributing org.gradle.toolingapi eclipse-buildship/buildship#1308
• org.h2/1.3.168.v201212121212
• [1.3.168.v201212121212] - org.eclipse.net4j.db.h2.feature.group /4.5.5.v20240605-1049 - EMF CDO
• Potential replacement available as OSGi bundle:
  • https://repo1.maven.org/maven2/com/h2database/h2/
• org.jboss.tools.maven.jaxrs/1.6.1.20231024-1618 ✔
• This is merely content metadata with no corresponding artifact contributed by m2e-wtp.
• org.jboss.tools.maven.jpa/1.6.1.20231024-1618 ✔
• This is merely content metadata with no corresponding artifact contributed by m2e-wtp.
• org.jboss.tools.maven.jsf/1.6.1.20231024-1618 ✔
• This is merely content metadata with no corresponding artifact contributed by m2e-wtp.
• org.jivesoftware.smack/3.4.0.v20231021-2050 ✔
• This is project content from ECF:
  • https://github.com/eclipse/ecf/tree/master/protocols/bundles/org.jivesoftware.smack
• org.maven.ide.eclipse.wtp/1.6.1.20231024-1618 ✔
• This is merely content metadata with no corresponding artifact contributed by m2e-wtp.
• org.mozilla.javascript/1.7.10.v20190430-1943 → org.mozilla.rhino/1.7.15
• [1.7.10.v20190430-1943] - org.eclipse.wst.jsdt.feature.feature.group /2.4.500.v202307190318 - Web Tools Platform
• 1.7.4 - org.eclipse.birt.core /4.12.0.v202211281949 - BIRT
• 1.7.5 - org.eclipse.wst.jsdt.debug.rhino.debugger /1.1.0.v202307190318 - Web Tools Platform
• Update to org.eclipse.wst.jsdt.debug.rhino.debugger /1.1.0.v202307190318 blocked by this issue:
  • Migrate to newer Closure Compiler version eclipse-jsdt/webtools.jsdt#2
• Update needed for org.eclipse.birt.core /4.12.0.v202211281949 which is contributed by MAT

---

The above list was produced by adding validation repositories to both validation sets in simrel.aggr

and specifying to exclude all IUs available from a validation repository:

With this approach, the analysis editors view shows only the subset of 3rd party libraries that do not come from the restructured Orbit aggregation:

[HannesWell]

• org.eclipse.m2e.maven.runtime/3.9.700.20240602-2313

This is produced and actively maintained by m2e:
https://github.com/eclipse-m2e/m2e-core/tree/13c4a91529f9317399bfcb2a84392f1497d71677/org.eclipse.m2e.maven.runtime

• org.apache.commons.jxpath/1.3.0.v200911051830

In Eclipse-Platform this is used to process XPath expressions in E4 contributions. A while ago I looked into using the XPath supported provided by the JDK but didn't succeed yet. If there are no other users I could try to complete that work so we can get rid of that dependency in platform.

[merks]

In Eclipse-Platform this is used to process XPath expressions in E4 contributions. A while ago I looked into using the XPath supported provided by the JDK but didn't succeed yet. If there are no other users I could try to complete that work so we can get rid of that dependency in platform.

The problem here (and in a small number of cases) is that the version in the Orbit aggregation is smaller than the older version. In this case 1.3.0 versus 1.3.0.v200911051830.

As I hunt down these various cases, it's increasing frustrating the extent to which folks just keep pointing at older Orbit repositories sometimes for no apparent reason. And even if there is a reason, i.e., something is needed but is missing, that issue is never raised so of course never addressed.