What is Vaadin Copilot, why is it inside vaadin-core/dev since 24.3 - not mentioned in any changelog - and why is it loading DLLs for telemetry despite having telemetry disabled?

[AB-xdev]

Description of the bug

Update to Vaadin 24.3+

Start the application

• that only contains free components (vaadin-core)
• in dev mode
• with logging set to debug
• and disabled telemetry via vaadin.devmode.usageStatistics.enabled=false

After server startup the following is reported:

2024-01-12T12:31:43.775+01:00 DEBUG 18488 --- [io-8080-exec-10] c.v.pro.licensechecker.LicenseChecker    : Found proKey in C:\Users\xxx\.vaadin\proKey
2024-01-12T12:31:43.838+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.Native                       : Looking in classpath from jdk.internal.loader.ClassLoaders$AppClassLoader@4617c264 for /com/sun/jna/win32-x86-64/jnidispatch.dll
2024-01-12T12:31:43.838+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.Native                       : Found library resource at jar:file:/C:/Users/xxx/.m2/repository/net/java/dev/jna/jna/5.13.0/jna-5.13.0.jar!/com/sun/jna/win32-x86-64/jnidispatch.dll
2024-01-12T12:31:43.839+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.Native                       : Extracting library to C:\Users\xxx\AppData\Local\Temp\jna-1432765156\jna14499820768289914182.dll
2024-01-12T12:31:43.845+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.Native                       : Trying C:\Users\xxx\AppData\Local\Temp\jna-1432765156\jna14499820768289914182.dll
2024-01-12T12:31:43.848+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.Native                       : Found jnidispatch at C:\Users\xxx\AppData\Local\Temp\jna-1432765156\jna14499820768289914182.dll
2024-01-12T12:31:43.862+01:00 DEBUG 18488 --- [nio-8080-exec-7] c.v.f.server.communication.PushHandler   : New push connection for resource b65d354d-5b38-472e-9259-3eac3c0e179a with transport WEBSOCKET
2024-01-12T12:40:17.029+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Looking for library 'Ole32'
2024-01-12T12:40:17.030+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Adding paths from jna.library.path: null
2024-01-12T12:40:17.030+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Trying Ole32.dll
2024-01-12T12:40:17.030+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Found library 'Ole32' at Ole32.dll
2024-01-12T12:40:18.110+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Looking for library 'OleAut32'
2024-01-12T12:40:18.110+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Adding paths from jna.library.path: null
2024-01-12T12:40:18.110+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Trying OleAut32.dll
2024-01-12T12:40:18.111+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Found library 'OleAut32' at OleAut32.dll
2024-01-12T12:40:18.988+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Looking for library 'kernel32'
2024-01-12T12:40:18.988+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Adding paths from jna.library.path: null
2024-01-12T12:40:18.988+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Trying kernel32.dll
2024-01-12T12:40:18.988+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Found library 'kernel32' at kernel32.dll
2024-01-12T12:40:19.923+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Looking for library 'Advapi32'
2024-01-12T12:40:19.923+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Adding paths from jna.library.path: null
2024-01-12T12:40:19.923+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Trying Advapi32.dll
2024-01-12T12:40:19.924+01:00 DEBUG 18488 --- [io-8080-exec-10] com.sun.jna.NativeLibrary                : Found library 'Advapi32' at Advapi32.dll

After reading this I instantly knew that this must be related to OSHI/JNA which is only used inside Vaadin telemetry or pro-key validation which shouldn't happen due to the applications configuration.

After a bit of debugging I found out that this is caused by vaadin-copilot?

``` com.sun.jna.NativeLibrary.getInstance(NativeLibrary.java:483) com.sun.jna.Library$Handler.(Library.java:197) com.sun.jna.Native.load(Native.java:622) com.sun.jna.platform.win32.Ole32.(Ole32.java:50) oshi.util.platform.windows.WmiQueryHandler.initCOM(WmiQueryHandler.java:207) oshi.util.platform.windows.WmiQueryHandler.initCOM(WmiQueryHandler.java:180) oshi.util.platform.windows.WmiQueryHandler.queryWMI(WmiQueryHandler.java:126) oshi.util.platform.windows.WmiQueryHandler.queryWMI(WmiQueryHandler.java:104) oshi.driver.windows.wmi.Win32ComputerSystemProduct.queryIdentifyingNumberUUID(Win32ComputerSystemProduct.java:41) oshi.hardware.platform.windows.WindowsComputerSystem.querySystemSerialNumberUUID(WindowsComputerSystem.java:85) oshi.util.Memoizer$1.get(Memoizer.java:61) oshi.hardware.platform.windows.WindowsComputerSystem.getHardwareUUID(WindowsComputerSystem.java:56) com.vaadin.pro.licensechecker.MachineId.getComputerId(MachineId.java:32) com.vaadin.pro.licensechecker.MachineId.get(MachineId.java:19) com.vaadin.copilot.analytics.AnalyticsClient.(AnalyticsClient.java:27) com.vaadin.copilot.Copilot.handleConnect(Copilot.java:39) com.vaadin.base.devserver.DebugWindowConnection.handleConnect(DebugWindowConnection.java:222) com.vaadin.base.devserver.DebugWindowConnection.onConnect(DebugWindowConnection.java:202) com.vaadin.flow.server.communication.PushHandler.lambda$onConnect$3(PushHandler.java:599) java.base/java.util.Optional.ifPresent(Optional.java:178) com.vaadin.flow.server.communication.PushHandler.lambda$onConnect$4(PushHandler.java:598) ... ``` 

That is somehow inside of vaadin-core:

What is vaadin-copilot and why is it there?

• I couldn't find any reference to com.vaadin:copilot in the changelogs
• The README of https://github.com/vaadin/copilot consist of "Public repository for creating Copilot related issues." and that's it
• When searching the web the only thing that pops up is this a blog post from 2023-06-19 that also doesn't explain much
• And why is it inside vaadin-core (as a transitive dependency)? The description of vaadin-core is "This package contains all free Vaadin web components.".

I suspect that this (experimental) dependency was introduced by accident and should not be there.

Expected behavior

com.vaadin:copilot dependency is not included/shipped by default

Minimal reproducible example

Update to Vaadin 24.3+

See above

Versions

• Vaadin / Flow version: 24.3.2
• Java version: 21
• OS version: Windows

[MarcinVaadin]

Copilot is one of our internal projects. Of course tracking flag value needs to be respected. Fix should be delivered in next Platform release.

[MarcinVaadin]

Update delivered, will be present in next 24.3 Platform release.