Modernizing POM

[jglick]

Unclear how this will all work at runtime; without RealJenkinsRule it is hard to predict. https://www.jenkins.io/doc/developer/plugin-development/dependencies-and-class-loading/ The dependencies in this plugin seem to overlap heavily with things supplied by Jenkins core.

[dillense]

Hi Jesse,
Thanks for your support to update this plugin build. As far as I understand, you are trying to make it work with Java 11. I see that CI is reporting a code quality check failure:

Error in error step, with arguments Static analysis quality gates not passed; halting early.

So, I cloned your fork and I'm working on the issue:

[ERROR] High: Boxing/unboxing to parse a primitive org.ow2.clif.jenkins.ClifPublisher.getDouble(String) [org.ow2.clif.jenkins.ClifPublisher] At ClifPublisher.java:[line 370] DM_BOXED_PRIMITIVE_FOR_PARSING

[dillense]

Fix pulled to master branch in upstream repo.

[jglick]

you are trying to make it work with Java 11.

Yes, that would be one benefit.

Fix pulled to master branch in upstream repo.

b89e536, OK.

To be clear, this patch is untested.

[jglick]

(first LTS with new Spring Security)

[jglick]

Generally means that runtime behavior is hard to predict. You can try

• manual sanity checks
• RealJenkinsRule
• pluginFirstClassLoading (also dangerous)
• using a different artifact that has fewer deps
• forking a tool rather than trying to load it inside the controller’s JVM

[dillense]

I'm going to test this.
Just one question: I understand the refreshing work about the POM, but what about modifications regarding @nonnull annotations? I see you are using an alternative not included in JDK, and I'm concerned about adding a new dependency. Is it mandatory, or does it come with significant benefits?

[jglick]

an alternative not included in JDK

Neither is the javax.** version. It was part of a JSR which was later abandoned.

Is it mandatory

Yes, newer POM and core versions do not include the javax.** variant of the annotation library, so you must switch.

[dillense]

OK, thanks for your feedback. OK, let's switch to this implementation bound to the spotbugs tool.
A final observation: I see some warnings related to this initial one:

Downloading from maven-default-http-blocker: http://0.0.0.0/javax/servlet/servlet-api/maven-metadata.xml
[WARNING] Could not transfer metadata javax.servlet:servlet-api/maven-metadata.xml from/to maven-default-http-blocker (http://0.0.0.0/): transfer failed for http://0.0.0.0/javax/servlet/servlet-api/maven-metadata.xml

I tried to get some information about this issue but could not find a solution. Are you aware of this issue? Is it a problem or may we just live with it?

[jglick]

Not sure what is causing that warning exactly. Maven is seeing some repository definition, either in some transitive POM or in your local settings, which uses insecure http protocol, which it will no longer honor.