mock-server / mockserver

MockServer enables easy mocking of any system you integrate with via HTTP or HTTPS with clients written in Java, JavaScript and Ruby. MockServer also includes a proxy that introspects all proxied traffic including encrypted SSL traffic and supports Port Forwarding, Web Proxying (i.e. HTTP proxy), HTTPS Tunneling Proxying (using HTTP CONNECT) and SOCKS Proxying (i.e. dynamic port forwarding).
http://mock-server.com
Apache License 2.0

Removed useless/Minimize dependencies of ``mockserver-client-java`` #1494

Open AB-xdev opened 1 year ago

AB-xdev commented 1 year ago

Describe the feature request

While using the mockserver-client-java I noticed that it introduces a lot of (transitive) dependencies into our projects.

List of dependencies

```
[INFO] \- org.mock-server:mockserver-client-java:jar:5.14.0:compile
[INFO]    +- org.mock-server:mockserver-core:jar:5.14.0:compile
[INFO]    |  +- com.lmax:disruptor:jar:3.4.4:compile
[INFO]    |  +- javax.servlet:javax.servlet-api:jar:4.0.1:compile
[INFO]    |  +- io.netty:netty-buffer:jar:4.1.79.Final:compile
[INFO]    |  |  \- io.netty:netty-common:jar:4.1.79.Final:compile
[INFO]    |  +- io.netty:netty-codec:jar:4.1.79.Final:compile
[INFO]    |  +- io.netty:netty-codec-http:jar:4.1.79.Final:compile
[INFO]    |  +- io.netty:netty-codec-socks:jar:4.1.79.Final:compile
[INFO]    |  +- io.netty:netty-handler:jar:4.1.79.Final:compile
[INFO]    |  |  +- io.netty:netty-resolver:jar:4.1.79.Final:compile
[INFO]    |  |  \- io.netty:netty-transport-native-unix-common:jar:4.1.79.Final:compile
[INFO]    |  +- io.netty:netty-handler-proxy:jar:4.1.79.Final:compile
[INFO]    |  +- io.netty:netty-transport:jar:4.1.79.Final:compile
[INFO]    |  +- io.netty:netty-tcnative-boringssl-static:jar:2.0.54.Final:compile
[INFO]    |  |  +- io.netty:netty-tcnative-classes:jar:2.0.54.Final:compile
[INFO]    |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.54.Final:compile
[INFO]    |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.54.Final:compile
[INFO]    |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.54.Final:compile
[INFO]    |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.54.Final:compile
[INFO]    |  |  \- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.54.Final:compile
[INFO]    |  +- com.jcraft:jzlib:jar:1.1.3:compile
[INFO]    |  +- com.fasterxml.uuid:java-uuid-generator:jar:4.0.1:compile
[INFO]    |  +- org.bouncycastle:bcprov-jdk18on:jar:1.71:compile
[INFO]    |  +- org.bouncycastle:bcpkix-jdk18on:jar:1.71:compile
[INFO]    |  |  \- org.bouncycastle:bcutil-jdk18on:jar:1.71:compile
[INFO]    |  +- com.nimbusds:nimbus-jose-jwt:jar:9.24.2:compile
[INFO]    |  |  \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO]    |  +- org.apache.velocity:velocity-engine-scripting:jar:2.3:compile
[INFO]    |  +- org.apache.velocity:velocity-engine-core:jar:2.3:compile
[INFO]    |  +- org.apache.velocity.tools:velocity-tools-generic:jar:3.1:compile
[INFO]    |  |  +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO]    |  |  |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO]    |  |  |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO]    |  |  +- org.apache.commons:commons-digester3:jar:3.2:compile
[INFO]    |  |  \- com.github.cliftonlabs:json-simple:jar:3.0.2:compile
[INFO]    |  +- com.samskivert:jmustache:jar:1.15:compile
[INFO]    |  +- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO]    |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO]    |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
[INFO]    |  +- net.javacrumbs.json-unit:json-unit-core:jar:2.35.0:compile
[INFO]    |  |  \- org.hamcrest:hamcrest-core:jar:2.2:compile
[INFO]    |  |     \- org.hamcrest:hamcrest:jar:2.2:compile
[INFO]    |  +- com.networknt:json-schema-validator:jar:1.0.72:compile
[INFO]    |  |  \- com.ethlo.time:itu:jar:1.7.0:compile
[INFO]    |  +- com.jayway.jsonpath:json-path:jar:2.7.0:compile
[INFO]    |  |  \- net.minidev:json-smart:jar:2.4.7:compile
[INFO]    |  |     \- net.minidev:accessors-smart:jar:2.4.7:compile
[INFO]    |  |        \- org.ow2.asm:asm:jar:9.1:compile
[INFO]    |  +- io.swagger.parser.v3:swagger-parser:jar:2.1.2:compile
[INFO]    |  |  +- io.swagger.parser.v3:swagger-parser-v2-converter:jar:2.1.2:compile
[INFO]    |  |  |  +- io.swagger:swagger-core:jar:1.6.6:compile
[INFO]    |  |  |  |  \- io.swagger:swagger-models:jar:1.6.6:compile
[INFO]    |  |  |  |     \- io.swagger:swagger-annotations:jar:1.6.6:compile
[INFO]    |  |  |  +- io.swagger:swagger-parser:jar:1.0.61:compile
[INFO]    |  |  |  +- io.swagger:swagger-compat-spec-parser:jar:1.0.61:compile
[INFO]    |  |  |  |  +- com.github.java-json-tools:json-schema-validator:jar:2.2.14:compile
[INFO]    |  |  |  |  |  +- com.github.java-json-tools:jackson-coreutils-equivalence:jar:1.0:compile
[INFO]    |  |  |  |  |  +- com.github.java-json-tools:json-schema-core:jar:1.2.14:compile
[INFO]    |  |  |  |  |  |  +- com.github.java-json-tools:uri-template:jar:0.10:compile
[INFO]    |  |  |  |  |  |  \- org.mozilla:rhino:jar:1.7.7.2:compile
[INFO]    |  |  |  |  |  +- com.sun.mail:mailapi:jar:1.6.2:compile
[INFO]    |  |  |  |  |  +- joda-time:joda-time:jar:2.10.5:compile
[INFO]    |  |  |  |  |  +- com.googlecode.libphonenumber:libphonenumber:jar:8.11.1:compile
[INFO]    |  |  |  |  |  \- net.sf.jopt-simple:jopt-simple:jar:5.0.4:compile
[INFO]    |  |  |  |  +- com.github.java-json-tools:json-patch:jar:1.13:compile
[INFO]    |  |  |  |  |  +- com.github.java-json-tools:msg-simple:jar:1.2:compile
[INFO]    |  |  |  |  |  |  \- com.github.java-json-tools:btf:jar:1.3:compile
[INFO]    |  |  |  |  |  \- com.github.java-json-tools:jackson-coreutils:jar:2.0:compile
[INFO]    |  |  |  |  \- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO]    |  |  |  |     \- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO]    |  |  |  +- io.swagger.core.v3:swagger-models:jar:2.2.2:compile
[INFO]    |  |  |  \- io.swagger.parser.v3:swagger-parser-core:jar:2.1.2:compile
[INFO]    |  |  \- io.swagger.parser.v3:swagger-parser-v3:jar:2.1.2:compile
[INFO]    |  |     +- io.swagger.core.v3:swagger-core:jar:2.2.2:compile
[INFO]    |  |     |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.3:compile
[INFO]    |  |     |  +- io.swagger.core.v3:swagger-annotations:jar:2.2.2:compile
[INFO]    |  |     |  \- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO]    |  |     \- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.13.2:compile
[INFO]    |  |        \- org.yaml:snakeyaml:jar:1.30:compile
[INFO]    |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:3.0.1:compile
[INFO]    |  |  \- com.sun.activation:jakarta.activation:jar:2.0.1:compile
[INFO]    |  +- com.sun.xml.bind:jaxb-impl:jar:4.0.0:runtime
[INFO]    |  |  \- com.sun.xml.bind:jaxb-core:jar:4.0.0:runtime
[INFO]    |  |     \- org.eclipse.angus:angus-activation:jar:1.0.0:runtime
[INFO]    |  |        \- jakarta.activation:jakarta.activation-api:jar:2.1.0:runtime
[INFO]    |  +- org.xmlunit:xmlunit-core:jar:2.9.0:compile
[INFO]    |  +- org.xmlunit:xmlunit-placeholders:jar:2.9.0:compile
[INFO]    |  +- commons-io:commons-io:jar:2.11.0:compile
[INFO]    |  +- org.apache.commons:commons-text:jar:1.9:compile
[INFO]    |  +- commons-codec:commons-codec:jar:1.15:compile
[INFO]    |  \- io.github.classgraph:classgraph:jar:4.8.149:compile
[INFO]    +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    +- com.google.guava:guava:jar:31.1-jre:compile
[INFO]    |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO]    |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO]    |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO]    |  +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO]    |  +- com.google.errorprone:error_prone_annotations:jar:2.11.0:compile
[INFO]    |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO]    \- org.slf4j:slf4j-api:jar:1.7.36:compile
```

Most of them seem to be introduced through the core module and are useless for the client.

What you are trying to do

Trying to use the client as mentioned above. And only the client part because the server part is running inside a Docker container. We are running a code scanner regularly and I'm not in the mood to fix security vulnerabilities for unused dependencies (Example: snakeyaml:1.30 - CVE-2022-25857).

The solution you'd like

Remove the dependencies that are not required from the client. Maybe remove the core module completely and generate the client based on the OpenAPI specification or create a model module that just contains the needed models.

Describe alternatives you've considered

For now I ignored a lot of dependencies that are delivered:

<dependency>
    <groupId>org.mock-server</groupId>
    <artifactId>mockserver-client-java</artifactId>
    <version>5.14.0</version>
    <!-- Excluded not required dependencies -->
    <exclusions>
        <!-- We don't do anything with OpenAPI - ignore as much as possible -->
        <exclusion>
            <groupId>io.swagger.core.v3</groupId>
            <artifactId>swagger-core</artifactId>
        </exclusion>
        <exclusion>
            <groupId>io.swagger.parser.v3</groupId>
            <artifactId>swagger-parser-v2-converter</artifactId>
        </exclusion>
        <exclusion>
            <groupId>io.swagger.parser.v3</groupId>
            <artifactId>swagger-parser-core</artifactId>
        </exclusion>
        <!-- Brings a vulnerable version of SnakeYAML; Also unused -->
        <exclusion>
            <groupId>com.fasterxml.jackson.dataformat</groupId>
            <artifactId>jackson-dataformat-yaml</artifactId>
        </exclusion>
        <!-- Why is templating needed in a Rest API? -->
        <exclusion>
            <groupId>org.apache.velocity</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.velocity.tools</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <exclusion>
            <groupId>com.samskivert</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <!-- Completely unused, seems to be only required for server component -->
        <exclusion>
            <groupId>com.jcraft</groupId>
            <artifactId>jzlib</artifactId>
        </exclusion>
        <!-- Jakarta bind api is only used in unit tests -->
        <exclusion>
            <groupId>com.sun.xml.bind</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <exclusion>
            <groupId>jakarta.xml.bind</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <!-- Unittests? -->
        <exclusion>
            <groupId>org.xmlunit</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <exclusion>
            <groupId>io.github.classgraph</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <exclusion>
            <groupId>net.javacrumbs.json-unit</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <!-- Unused Json -->
        <exclusion>
            <groupId>com.jayway.jsonpath</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <!-- Unused JWT -->
        <exclusion>
            <groupId>com.nimbusds</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <!-- Servlet API in a Client? -->
        <exclusion>
            <groupId>javax.servlet</groupId>
            <artifactId>*</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<!-- Undeclared used dependency for above; Was transitively excluded above but is needed -->
<dependency>
    <groupId>com.github.java-json-tools</groupId>
    <artifactId>jackson-coreutils</artifactId>
    <version>2.0</version>
</dependency>

List of dependencies

```
[INFO] +- org.mock-server:mockserver-client-java:jar:5.14.0:compile
[INFO] |  +- org.mock-server:mockserver-core:jar:5.14.0:compile
[INFO] |  |  +- com.lmax:disruptor:jar:3.4.4:compile
[INFO] |  |  +- io.netty:netty-buffer:jar:4.1.79.Final:compile
[INFO] |  |  |  \- io.netty:netty-common:jar:4.1.79.Final:compile
[INFO] |  |  +- io.netty:netty-codec:jar:4.1.79.Final:compile
[INFO] |  |  +- io.netty:netty-codec-http:jar:4.1.79.Final:compile
[INFO] |  |  +- io.netty:netty-codec-socks:jar:4.1.79.Final:compile
[INFO] |  |  +- io.netty:netty-handler:jar:4.1.79.Final:compile
[INFO] |  |  |  +- io.netty:netty-resolver:jar:4.1.79.Final:compile
[INFO] |  |  |  \- io.netty:netty-transport-native-unix-common:jar:4.1.79.Final:compile
[INFO] |  |  +- io.netty:netty-handler-proxy:jar:4.1.79.Final:compile
[INFO] |  |  +- io.netty:netty-transport:jar:4.1.79.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:2.0.54.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-classes:jar:2.0.54.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.54.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.54.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.54.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.54.Final:compile
[INFO] |  |  |  \- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.54.Final:compile
[INFO] |  |  +- com.fasterxml.uuid:java-uuid-generator:jar:4.0.1:compile
[INFO] |  |  +- org.bouncycastle:bcprov-jdk18on:jar:1.71:compile
[INFO] |  |  +- org.bouncycastle:bcpkix-jdk18on:jar:1.71:compile
[INFO] |  |  |  \- org.bouncycastle:bcutil-jdk18on:jar:1.71:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO] |  |  +- com.networknt:json-schema-validator:jar:1.0.72:compile
[INFO] |  |  |  \- com.ethlo.time:itu:jar:1.7.0:compile
[INFO] |  |  +- io.swagger.parser.v3:swagger-parser:jar:2.1.2:compile
[INFO] |  |  |  \- io.swagger.parser.v3:swagger-parser-v3:jar:2.1.2:compile
[INFO] |  |  |     \- io.swagger.core.v3:swagger-models:jar:2.2.2:compile
[INFO] |  |  +- commons-io:commons-io:jar:2.11.0:compile
[INFO] |  |  +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.15:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] |  +- com.google.guava:guava:jar:31.1-jre:compile
[INFO] |  |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |  +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.11.0:compile
[INFO] |  |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \- com.github.java-json-tools:jackson-coreutils:jar:2.0:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.0:compile
[INFO]    +- com.github.java-json-tools:msg-simple:jar:1.2:runtime
[INFO]    |  \- com.github.java-json-tools:btf:jar:1.3:runtime
[INFO]    \- com.google.code.findbugs:jsr305:jar:3.0.2:compile
```

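
A dependency tree like the ones in the comment above can be searched mechanically to find the chain that pulls in a flagged artifact and the direct dependency on which the `<exclusions>` entry has to be declared. The following Python is an added example, not part of the issue or of the MockServer project; the root coordinate `com.example:app` and the function names `paths_to` and `exclusion_points` are assumptions, and the embedded tree is an excerpt of the output quoted in the issue.

```python
import re

# Excerpt of the `mvn dependency:tree` output quoted in the issue; the root
# line com.example:app is constructed for this example.
TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] \- org.mock-server:mockserver-client-java:jar:5.14.0:compile
[INFO]    +- org.mock-server:mockserver-core:jar:5.14.0:compile
[INFO]    |  +- io.swagger.parser.v3:swagger-parser:jar:2.1.2:compile
[INFO]    |  |  \- io.swagger.parser.v3:swagger-parser-v3:jar:2.1.2:compile
[INFO]    |  |     +- io.swagger.core.v3:swagger-core:jar:2.2.2:compile
[INFO]    |  |     \- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.13.2:compile
[INFO]    |  |        \- org.yaml:snakeyaml:jar:1.30:compile
[INFO]    |  \- commons-codec:commons-codec:jar:1.15:compile
[INFO]    \- org.slf4j:slf4j-api:jar:1.7.36:compile
"""

# "[INFO] ", 3-character indent cells ("|  " or "   "), "+- " or "\- ", coordinate.
LINE = re.compile(r"^\[INFO\] ((?:[| ] {2})*)([+\\]- )?([^\s:]+(?::[^\s:]+){3,5})$")

def paths_to(tree_text, target_ga):
    """Return every root-to-target chain as lists of 'group:artifact:version'."""
    stack, found = [], []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # skip Maven banner and summary lines
        indent, marker, coord = m.groups()
        depth = len(indent) // 3 + 1 if marker else 0  # the root has no marker
        parts = coord.split(":")
        # Dependencies end in version:scope; the root line ends in version.
        version = parts[-2] if marker else parts[-1]
        del stack[depth:]  # drop nodes that are not ancestors of this line
        stack.append(f"{parts[0]}:{parts[1]}:{version}")
        if parts[:2] == target_ga.split(":"):
            found.append(list(stack))
    return found

def exclusion_points(tree_text, target_ga):
    """Map each direct dependency (where <exclusions> goes) to the target's parents."""
    points = {}
    for path in paths_to(tree_text, target_ga):
        if len(path) > 2:  # transitive: root, direct dependency, ..., target
            points.setdefault(path[1], set()).add(path[-2])
    return points

if __name__ == "__main__":
    for chain in paths_to(TREE, "org.yaml:snakeyaml"):
        print(" -> ".join(chain))
```

For the excerpt, the single chain ends in `jackson-dataformat-yaml` followed by `snakeyaml`, which corresponds to the exclusion the issue declares on `mockserver-client-java`.
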
AB-xdev commented 1 month ago

After we monitored the situation here for a while now and after determining that this project was likely abandoned, we decided to fork the project and fix the problems ourselves: https://github.com/xdev-software/mockserver-neolight

Disclaimer: The fork focuses on simplicity and maintainability - some functionality was removed to bring the code into a maintainable state.