GoogleCloudPlatform / cloud-opensource-java

Tools for detecting and avoiding linkage errors in GCP open source projects
Apache License 2.0

Linkage Checker incorrectly picks up provided dependency rather than compile dependency #1185

Open suztomo opened 4 years ago

suztomo commented 4 years ago

Linkage Checker reported an error that will never manifest in users' environment.

(gson-2.2.4.jar) com.google.gson.stream.JsonReader's method getPath() is not found;
  referenced by 1 class file
    io.grpc.internal.JsonParser (grpc-core-1.25.0.jar)

In veblush's Linkage Check result https://gist.github.com/veblush/a9470a977ed8dfa2f3e94f4c9f3957c7#file-gistfile1-txt-L83, it shows that Linkage Checker picks up gson:2.2.4 (old) in a provided dependency. However, Maven (or Gradle) will never pick up the old version for users' environments, because it's a provided dependency.

gson:2.2.4 (provided) was picked up

org.apache.beam:beam-runners-google-cloud-dataflow-java:2.20.0-SNAPSHOT (compile)
 / org.apache.beam:beam-sdks-java-extensions-google-cloud-platform-core:2.20.0-SNAPSHOT (compile)
 / com.google.cloud.bigdataoss:gcsio:2.0.0 (compile)
 / com.google.code.gson:gson:2.2.4 (provided)

gson:2.8.5 (compile) was not picked up.

org.apache.beam:beam-runners-google-cloud-dataflow-java:2.20.0-SNAPSHOT (compile)
 / org.apache.beam:beam-sdks-java-io-google-cloud-platform:2.20.0-SNAPSHOT (compile)
 / io.grpc:grpc-core:1.25.0 (compile)
 / com.google.code.gson:gson:2.8.5 (compile)

suztomo commented 4 years ago

This also implies Linkage Checker fails to detect real problems:

project A / gson:2.8.5 (provided)
project A / grpc-core:1.25.0 (compile) /  gson:2.2.4 (compile)

Maven (and Gradle) would pick up gson:2.2.4 but Linkage Checker reads gson:2.8.5.
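
The two dependency trees quoted in this thread, run through a small model of Maven-style nearest-wins mediation with and without the rule that transitive provided-scope dependencies are omitted. This is an added example, not part of the issue thread or of Linkage Checker's code; `parse_path`, `pick_versions` and the two constants are hypothetical names, and the model records only the last artifact of each path.

```python
import re

HOP = re.compile(r"(\S+):(\S+) \((\w+)\)")  # coordinates:version (scope)

# Paths copied from the issue text above.
FALSE_POSITIVE = [
    "org.apache.beam:beam-runners-google-cloud-dataflow-java:2.20.0-SNAPSHOT (compile)"
    " / org.apache.beam:beam-sdks-java-extensions-google-cloud-platform-core:2.20.0-SNAPSHOT (compile)"
    " / com.google.cloud.bigdataoss:gcsio:2.0.0 (compile)"
    " / com.google.code.gson:gson:2.2.4 (provided)",
    "org.apache.beam:beam-runners-google-cloud-dataflow-java:2.20.0-SNAPSHOT (compile)"
    " / org.apache.beam:beam-sdks-java-io-google-cloud-platform:2.20.0-SNAPSHOT (compile)"
    " / io.grpc:grpc-core:1.25.0 (compile)"
    " / com.google.code.gson:gson:2.8.5 (compile)",
]
MISSED_PROBLEM = [
    "project A / gson:2.8.5 (provided)",
    "project A / grpc-core:1.25.0 (compile) / gson:2.2.4 (compile)",
]

def parse_path(line):
    """Split 'a:1 (compile) / b:2 (provided)' into (coords, version, scope) hops."""
    hops = []
    for hop in line.split(" / "):
        m = HOP.fullmatch(hop.strip())
        # A bare name such as 'project A' is the artifact under check.
        hops.append(m.groups() if m else (hop.strip(), None, "compile"))
    return hops

def pick_versions(lines, honor_scope):
    """Nearest-wins: the shortest path wins, ties go to the earlier path."""
    chosen = {}
    for path in sorted(map(parse_path, lines), key=len):  # stable sort keeps order
        # The first hop is the library being checked. For its users every
        # later hop is transitive, and Maven omits transitive provided/test
        # dependencies from the class path.
        if honor_scope and any(s in ("provided", "test") for _, _, s in path[1:]):
            continue
        coords, version, _ = path[-1]
        chosen.setdefault(coords, version)
    return chosen

if __name__ == "__main__":
    for name, tree in (("false positive", FALSE_POSITIVE), ("missed problem", MISSED_PROBLEM)):
        print(name, "| scope ignored:", pick_versions(tree, False),
              "| scope honored:", pick_versions(tree, True))
```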