Use newer org.apache.commons.codec

[lasselindqvist]

For some reason BIRT bundles commons-codec inside it and uses such an old version it causes issue with other libraries trying to use a newer version.

https://github.com/eclipse-birt/birt/blob/f32bef1d44ecccc4f22aeb682ba35b9cafb84ea4/build/org.eclipse.birt.build/externalRepo.properties#L27C83-L27C107

BIRT could use 1.16.0 for example https://mvnrepository.com/artifact/commons-codec/commons-codec

Alternatively, try not to use commons-codec at all, or if necessary use https://maven.apache.org/plugins/maven-shade-plugin/ to shade the classes there to avoid conflicts with other libraries that try to use newer versions.

[merks]

That's what's being used in the release repository:

https://download.eclipse.org/birt/updates/release/4.14.0/plugins/org.apache.commons.commons-codec_1.16.0.jar

There is quite a bit of garbage so I don't think the file you mention is even used. But there are two of those bundles that embed the jar which seems like an abomination!

I think that should be cleaned up...

[lasselindqvist]

I opened this because I had a conflict with https://mvnrepository.com/artifact/org.opensaml/opensaml-core/4.1.1 which uses commons-codec 1.15. I removed the following folder from the JAR manually

and it fixed the issue.

I cannot currently be yet sure which exact version ends up in the inside the runtime JAR, but if I had to guess, I would guess it is commons-codec-1.3.

[merks]

The timestamps are quite old. In any case you are looking at the 4.13 release but there is a 4.14 release:

https://download.eclipse.org/birt/updates/release/4.14.0/

But that looks not much different:

The build does so many inexplicable things with various ant scripts and maven magic. Some hunting will be required. (But then again, no one funds such work, so self-serve would be the better option.)

[lasselindqvist]

I can personally try to update the version for Birt, but while I think shading the dependency would better, the build seems so unorthodox and complicated, I might not know how to shade it.

[merks]

The build is horrible. I think maybe that thing is created by this monstrosity:

https://github.com/eclipse-birt/birt/blob/master/build/birt-packages/birt-runtime/build.xml

As launched by this:

birt/build/birt-packages/birt-runtime/pom.xml

Lines 54 to 89 in f32bef1

	<plugin>
	<groupId>org.apache.maven.plugins</groupId>
	<artifactId>maven-antrun-plugin</artifactId>
	<version>1.8</version>
	<executions>
	<execution>
	<id>clean</id>
	<phase>clean</phase>
	<configuration>
	<target>
	<ant antfile="build.xml" target="clean" dir="${basedir}" />
	</target>
	</configuration>
	<goals>
	<goal>run</goal>
	</goals>
	</execution>
	<execution>
	<id>package</id>
	<phase>package</phase>
	<configuration>
	<target>
	<ant antfile="build.xml" target="package" dir="${basedir}">
	<property name="BIRT_VERSION" value="${unqualifiedVersion}-${maven.build.timestamp}" />
	</ant>
	<attachartifact file="${project.build.directory}/birt-runtime-${unqualifiedVersion}-${maven.build.timestamp}.zip" type="zip" />
	</target>
	</configuration>
	<goals>
	<goal>run</goal>
	</goals>
	</execution>
	</executions>
	</plugin>
	</plugins>
	</build>

That thing tells me next to nothing about where the classes we see in the jar actually come from. Detective work is required... 😱

[lasselindqvist]

I guess since the JAR is available at https://download.eclipse.org/birt/updates/release/4.14.0/plugins/org.apache.commons.commons-codec_1.16.0.jar it must be inside the runtime JAR accidentally. Need to investigate a bit, why that happens. It also contains some other 3rd party classes as well.