Removing gson and everit dependencies #238
Although this is very important, we need to handle the CVEs while they don't release a new version: https://mvnrepository.com/artifact/com.github.java-json-tools/json-schema-validator/2.2.14
Signed-off-by: Francisco Javier Tirado Sarti <ftirados@redhat.com>
We can instead use this: https://github.com/networknt/json-schema-validator
To remove these CVEs, let's use https://github.com/networknt/json-schema-validator, reworking the PR
Will review. Just note that if you add this much refactoring, it would be nice to add some additional tests for it in addition to the existing ones.
97a7857 to b12ea91
Signed-off-by: Francisco Javier Tirado Sarti <ftirados@redhat.com>
thanks for the updates. i would really like to request some more tests since it's a bigger refactor. can we add some positive/negative tests (and not just one please :) )
@tsurdilo Since this PR, despite being apparently large, is not adding any new functionality (just keeping the existing one using a library that avoids dependencies that bring vulnerabilities), fortunately (kudos for the original writer ;)), the tests that are related to the change, basically serialization/deserialization and validation, were already there. In fact, they were changed as a result of this change because the validation error messages are library dependent.
|
||
import com.fasterxml.jackson.databind.ObjectMapper; | ||
|
||
public class JsonObjectMapperFactory { |
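Review bot: `public class JsonObjectMapperFactory {` has no class-level comment in the visible lines, and its purpose is not evident from the name alone, as the replies below show. Add a Javadoc stating that the class exists to hold one shared ObjectMapper that is created on first use. Because an ObjectMapper can be reconfigured after construction, the comment should also say whether callers may change settings on the returned instance; a configuration change on a shared mapper affects every serialization and deserialization path that uses it.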
Not sure I get the point of this class. Just maybe have a static instance of yaml/json mappers in a util class?
This avoids creating a new object mapper instance every time one is needed
ok got it. i think since you return just the basic "new" mapper, just define it in a static field in some util class, no need imo for a separate class. if you want to allow users to set specific configuration for the mappers then having it in some separate class like this maybe makes more sense
This is done in a separate class to only initialize the mapper object when it is really used. If you put it into a utils class it will get initialized the first time you use the utilities class, even if the utility method being used is unrelated (imagine a user that never uses the yaml format)
|
||
import com.fasterxml.jackson.databind.ObjectMapper; | ||
|
||
public class YamlObjectMapperFactory { |
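Review bot: `public class YamlObjectMapperFactory {` is declared public and non-final; if it only exposes a shared mapper through static access, declare it `final` with a private constructor so it cannot be instantiated or subclassed. The same applies to `JsonObjectMapperFactory`.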
Same here
same, to avoid creating multiple object mapper instances
@@ -1,5 +1,5 @@ | |||
{ | |||
"$id": "https://wg-serverless.org/workflow.schema.json", | |||
"$id": "classpath:schema/workflow.schema.json", |
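Review bot: Replacing the `$id` value `https://wg-serverless.org/workflow.schema.json` with `classpath:schema/workflow.schema.json` ties the schema's identifier to one validator's resolution mechanism, so any other consumer of this file that keys on `$id` now sees a packaging-specific URI. Consider keeping the original `$id` and resolving it locally in the validator setup instead, by mapping the `https://wg-serverless.org/` prefix to the bundled classpath resources, which also ensures validation never depends on a network fetch. If the `$id` change stays, state in the PR description that nested schema references are resolved against it.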
why is this change needed?
the new validation library tries to download the schema from a non-existent url (because wg-serverless.org is fake), hence changing to the real location (which is the library classpath)
tell me if i'm wrong, you already define the hard-coded path to the schema in code, if so then why here? i think it was by design to put some id like this and not use classpath
this id path is used to upload other schemas referred from this schema. So, if we leave wg-serverless.org, the library will fail to retrieve any nested schema, for example, start.json.
i understand what you are saying as in you modified the existing validation tests some and they still pass.
8fabaf5 to 39f17ff
I added a couple of tests to ensure that workflows with functions and events are properly validated
39f17ff to dc650a8
Signed-off-by: Francisco Javier Tirado Sarti <ftirados@redhat.com>
dc650a8 to c6e7a75
Signed-off-by: Francisco Javier Tirado Sarti <ftirados@redhat.com>
I think the validation piece (List/Collection + the added imho ambiguous uniqueness constraint) is what's holding up the pr
Signed-off-by: Francisco Javier Tirado Sarti <ftirados@redhat.com>
@tsurdilo I think this PR is ready since the conversation about
Many thanks for submitting your Pull Request ❤️!
What this PR does / why we need it:
It removes the org.json and everit validation dependencies and adds json-schema-validator for validation.
See https://github.com/everit-org/json-schema#when-to-use-this-library
Since we are using Jackson for serialization/deserialization of the workflow, we should use https://github.com/networknt/json-schema-validator instead of everit, and hence avoid having dependencies to two different json parsers.
Special notes for reviewers:
This removes unneeded dependencies for poms and slightly changes the validator interface (it now returns a Collection of ValidationErrors rather than a List, which easily removes duplicated validation messages)
Additional information (if needed):