Open AB-xdev opened 1 year ago
After we monitored the situation here for a while now and after determining that this project was likely abandoned, we decided to fork the project and fix the problems ourselves: https://github.com/xdev-software/mockserver-neolight
Disclaimer: The fork focuses on simplicity and maintainability - some functionality was removed to bring the code into a maintainable state.
Describe the feature request

While using the `mockserver-client-java` I noticed that it introduces a lot of (transitive) dependencies into our projects.

List of dependencies
```
[INFO] \- org.mock-server:mockserver-client-java:jar:5.14.0:compile
[INFO] +- org.mock-server:mockserver-core:jar:5.14.0:compile
[INFO] | +- com.lmax:disruptor:jar:3.4.4:compile
[INFO] | +- javax.servlet:javax.servlet-api:jar:4.0.1:compile
[INFO] | +- io.netty:netty-buffer:jar:4.1.79.Final:compile
[INFO] | | \- io.netty:netty-common:jar:4.1.79.Final:compile
[INFO] | +- io.netty:netty-codec:jar:4.1.79.Final:compile
[INFO] | +- io.netty:netty-codec-http:jar:4.1.79.Final:compile
[INFO] | +- io.netty:netty-codec-socks:jar:4.1.79.Final:compile
[INFO] | +- io.netty:netty-handler:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-resolver:jar:4.1.79.Final:compile
[INFO] | | \- io.netty:netty-transport-native-unix-common:jar:4.1.79.Final:compile
[INFO] | +- io.netty:netty-handler-proxy:jar:4.1.79.Final:compile
[INFO] | +- io.netty:netty-transport:jar:4.1.79.Final:compile
[INFO] | +- io.netty:netty-tcnative-boringssl-static:jar:2.0.54.Final:compile
[INFO] | | +- io.netty:netty-tcnative-classes:jar:2.0.54.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.54.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.54.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.54.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.54.Final:compile
[INFO] | | \- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.54.Final:compile
[INFO] | +- com.jcraft:jzlib:jar:1.1.3:compile
[INFO] | +- com.fasterxml.uuid:java-uuid-generator:jar:4.0.1:compile
[INFO] | +- org.bouncycastle:bcprov-jdk18on:jar:1.71:compile
[INFO] | +- org.bouncycastle:bcpkix-jdk18on:jar:1.71:compile
[INFO] | | \- org.bouncycastle:bcutil-jdk18on:jar:1.71:compile
[INFO] | +- com.nimbusds:nimbus-jose-jwt:jar:9.24.2:compile
[INFO] | | \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] | +- org.apache.velocity:velocity-engine-scripting:jar:2.3:compile
[INFO] | +- org.apache.velocity:velocity-engine-core:jar:2.3:compile
[INFO] | +- org.apache.velocity.tools:velocity-tools-generic:jar:3.1:compile
[INFO] | | +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] | | | +- commons-logging:commons-logging:jar:1.2:compile
[INFO] | | | \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] | | +- org.apache.commons:commons-digester3:jar:3.2:compile
[INFO] | | \- com.github.cliftonlabs:json-simple:jar:3.0.2:compile
[INFO] | +- com.samskivert:jmustache:jar:1.15:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
[INFO] | +- net.javacrumbs.json-unit:json-unit-core:jar:2.35.0:compile
[INFO] | | \- org.hamcrest:hamcrest-core:jar:2.2:compile
[INFO] | | \- org.hamcrest:hamcrest:jar:2.2:compile
[INFO] | +- com.networknt:json-schema-validator:jar:1.0.72:compile
[INFO] | | \- com.ethlo.time:itu:jar:1.7.0:compile
[INFO] | +- com.jayway.jsonpath:json-path:jar:2.7.0:compile
[INFO] | | \- net.minidev:json-smart:jar:2.4.7:compile
[INFO] | | \- net.minidev:accessors-smart:jar:2.4.7:compile
[INFO] | | \- org.ow2.asm:asm:jar:9.1:compile
[INFO] | +- io.swagger.parser.v3:swagger-parser:jar:2.1.2:compile
[INFO] | | +- io.swagger.parser.v3:swagger-parser-v2-converter:jar:2.1.2:compile
[INFO] | | | +- io.swagger:swagger-core:jar:1.6.6:compile
[INFO] | | | | \- io.swagger:swagger-models:jar:1.6.6:compile
[INFO] | | | | \- io.swagger:swagger-annotations:jar:1.6.6:compile
[INFO] | | | +- io.swagger:swagger-parser:jar:1.0.61:compile
[INFO] | | | +- io.swagger:swagger-compat-spec-parser:jar:1.0.61:compile
[INFO] | | | | +- com.github.java-json-tools:json-schema-validator:jar:2.2.14:compile
[INFO] | | | | | +- com.github.java-json-tools:jackson-coreutils-equivalence:jar:1.0:compile
[INFO] | | | | | +- com.github.java-json-tools:json-schema-core:jar:1.2.14:compile
[INFO] | | | | | | +- com.github.java-json-tools:uri-template:jar:0.10:compile
[INFO] | | | | | | \- org.mozilla:rhino:jar:1.7.7.2:compile
[INFO] | | | | | +- com.sun.mail:mailapi:jar:1.6.2:compile
[INFO] | | | | | +- joda-time:joda-time:jar:2.10.5:compile
[INFO] | | | | | +- com.googlecode.libphonenumber:libphonenumber:jar:8.11.1:compile
[INFO] | | | | | \- net.sf.jopt-simple:jopt-simple:jar:5.0.4:compile
[INFO] | | | | +- com.github.java-json-tools:json-patch:jar:1.13:compile
[INFO] | | | | | +- com.github.java-json-tools:msg-simple:jar:1.2:compile
[INFO] | | | | | | \- com.github.java-json-tools:btf:jar:1.3:compile
[INFO] | | | | | \- com.github.java-json-tools:jackson-coreutils:jar:2.0:compile
[INFO] | | | | \- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] | | | | \- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] | | | +- io.swagger.core.v3:swagger-models:jar:2.2.2:compile
[INFO] | | | \- io.swagger.parser.v3:swagger-parser-core:jar:2.1.2:compile
[INFO] | | \- io.swagger.parser.v3:swagger-parser-v3:jar:2.1.2:compile
[INFO] | | +- io.swagger.core.v3:swagger-core:jar:2.2.2:compile
[INFO] | | | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.3:compile
[INFO] | | | +- io.swagger.core.v3:swagger-annotations:jar:2.2.2:compile
[INFO] | | | \- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] | | \- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.13.2:compile
[INFO] | | \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] | +- jakarta.xml.bind:jakarta.xml.bind-api:jar:3.0.1:compile
[INFO] | | \- com.sun.activation:jakarta.activation:jar:2.0.1:compile
[INFO] | +- com.sun.xml.bind:jaxb-impl:jar:4.0.0:runtime
[INFO] | | \- com.sun.xml.bind:jaxb-core:jar:4.0.0:runtime
[INFO] | | \- org.eclipse.angus:angus-activation:jar:1.0.0:runtime
[INFO] | | \- jakarta.activation:jakarta.activation-api:jar:2.1.0:runtime
[INFO] | +- org.xmlunit:xmlunit-core:jar:2.9.0:compile
[INFO] | +- org.xmlunit:xmlunit-placeholders:jar:2.9.0:compile
[INFO] | +- commons-io:commons-io:jar:2.11.0:compile
[INFO] | +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] | +- commons-codec:commons-codec:jar:1.15:compile
[INFO] | \- io.github.classgraph:classgraph:jar:4.8.149:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] +- com.google.guava:guava:jar:31.1-jre:compile
[INFO] | +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] | +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] | +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] | +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO] | +- com.google.errorprone:error_prone_annotations:jar:2.11.0:compile
[INFO] | \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.36:compile
```

Most of them seem to be introduced through the
`core` module and are useless for the client.

What you are trying to do

Trying to use the client as mentioned above. And only the client part because the server part is running inside a docker container. We are running a code scanner regularly and I'm not in the mood to fix security vulnerabilities for unused dependencies (Example: `snakeyaml:1.30` - CVE-2022-25857).

The solution you'd like

Remove the not required dependencies from the client. Maybe remove the `core` module completely and generate the client based on the OpenAPI specification or create a `model` module that just contains the needed models.

Describe alternatives you've considered

For now I ignored a lot of dependencies that are delivered:
List of dependencies
```
[INFO] +- org.mock-server:mockserver-client-java:jar:5.14.0:compile
[INFO] | +- org.mock-server:mockserver-core:jar:5.14.0:compile
[INFO] | | +- com.lmax:disruptor:jar:3.4.4:compile
[INFO] | | +- io.netty:netty-buffer:jar:4.1.79.Final:compile
[INFO] | | | \- io.netty:netty-common:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-codec:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-codec-http:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-codec-socks:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-handler:jar:4.1.79.Final:compile
[INFO] | | | +- io.netty:netty-resolver:jar:4.1.79.Final:compile
[INFO] | | | \- io.netty:netty-transport-native-unix-common:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-handler-proxy:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-transport:jar:4.1.79.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:2.0.54.Final:compile
[INFO] | | | +- io.netty:netty-tcnative-classes:jar:2.0.54.Final:compile
[INFO] | | | +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.54.Final:compile
[INFO] | | | +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.54.Final:compile
[INFO] | | | +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.54.Final:compile
[INFO] | | | +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.54.Final:compile
[INFO] | | | \- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.54.Final:compile
[INFO] | | +- com.fasterxml.uuid:java-uuid-generator:jar:4.0.1:compile
[INFO] | | +- org.bouncycastle:bcprov-jdk18on:jar:1.71:compile
[INFO] | | +- org.bouncycastle:bcpkix-jdk18on:jar:1.71:compile
[INFO] | | | \- org.bouncycastle:bcutil-jdk18on:jar:1.71:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO] | | +- com.networknt:json-schema-validator:jar:1.0.72:compile
[INFO] | | | \- com.ethlo.time:itu:jar:1.7.0:compile
[INFO] | | +- io.swagger.parser.v3:swagger-parser:jar:2.1.2:compile
[INFO] | | | \- io.swagger.parser.v3:swagger-parser-v3:jar:2.1.2:compile
[INFO] | | | \- io.swagger.core.v3:swagger-models:jar:2.2.2:compile
[INFO] | | +- commons-io:commons-io:jar:2.11.0:compile
[INFO] | | +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] | | \- commons-codec:commons-codec:jar:1.15:compile
[INFO] | +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] | +- com.google.guava:guava:jar:31.1-jre:compile
[INFO] | | +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] | | +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] | | +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO] | | +- com.google.errorprone:error_prone_annotations:jar:2.11.0:compile
[INFO] | | \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \- com.github.java-json-tools:jackson-coreutils:jar:2.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.0:compile
[INFO] +- com.github.java-json-tools:msg-simple:jar:1.2:runtime
[INFO] | \- com.github.java-json-tools:btf:jar:1.3:runtime
[INFO] \- com.google.code.findbugs:jsr305:jar:3.0.2:compile
```
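
A scanner finding on a transitive dependency such as `snakeyaml:1.30` is easier to triage once the chain that pulls it in is known. The following is an added example, not part of the original issue or of the MockServer project: it parses `mvn dependency:tree` output and returns every chain from the project to a given artifact. The sample tree is constructed; its coordinates come from the listing above, while the root `com.example:app`, the `com.example:other-lib` entry and the exact nesting are assumptions.

```python
import re

# Constructed sample in `mvn dependency:tree` layout (3 characters per level).
# Coordinates come from the listing in the issue; the root project, other-lib
# and the exact nesting are assumptions made for this example.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.mock-server:mockserver-client-java:jar:5.14.0:compile
[INFO] |  +- org.mock-server:mockserver-core:jar:5.14.0:compile
[INFO] |  |  +- io.swagger.parser.v3:swagger-parser:jar:2.1.2:compile
[INFO] |  |  |  \- io.swagger.parser.v3:swagger-parser-v3:jar:2.1.2:compile
[INFO] |  |  |     \- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.13.2:compile
[INFO] |  |  |        \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  |  \- commons-io:commons-io:jar:2.11.0:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \- com.example:other-lib:jar:1.0.0:compile
"""

MARKER = re.compile(r"[+\\]- ")                      # "+- " or "\- " before a node
COORD = re.compile(r"^[\w.\-]+(?::[\w.\-]+){3,5}$")  # group:artifact:type[:classifier]:version[:scope]

def parse_tree(text):
    """Return (depth, coordinate) pairs; depth 0 is the project itself."""
    nodes = []
    for line in text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        m = MARKER.search(body)
        depth = 0 if m is None else m.start() // 3 + 1
        coord = (body if m is None else body[m.end():]).strip()
        if COORD.match(coord):  # skips banner lines such as BUILD SUCCESS
            nodes.append((depth, coord))
    return nodes

def paths_to(nodes, group, artifact):
    """Return every project-to-artifact chain for group:artifact."""
    stack, hits = [], []
    for depth, coord in nodes:
        stack = stack[:depth] + [coord]  # drop siblings and deeper nodes
        if coord.startswith(f"{group}:{artifact}:"):
            hits.append(list(stack))
    return hits

def direct_owners(paths):
    """Direct dependencies (depth 1) through which the artifact arrives."""
    return sorted({p[1] for p in paths if len(p) > 1})

if __name__ == "__main__":
    for path in paths_to(parse_tree(SAMPLE_TREE), "org.yaml", "snakeyaml"):
        print(" -> ".join(path))
```

The depth-1 entry of each chain is the direct dependency whose declaration would carry a Maven `<exclusions>` entry for the flagged artifact.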