Geonetwork on Spring 6 codesprint June 2023

Participants

• Jose
• Francois
• ...

Sponsors

• BRGM

Agenda

• Java 11 runtime tests
• > Metrics is broken
• Java 17 runtime tests
• Spring 5 and hibernate 5 update
• Spring 6 and hibernate 6 evaluation

Java 11 runtime tests

Based on https://github.com/geonetwork/core-geonetwork/pull/6276, the application is starting up with:

• mvn jetty:run
• from the release build
• from Intellij

Issues

Failed to startup in Intellij while using maven 3.8.1. Fixed with maven 3.8.7.

One runtime issue identified:

• Metrics are failing http://localhost:8080/geonetwork/monitor/metrics?pretty=true

HTTP ERROR 500 java.lang.reflect.InaccessibleObjectException: 
Unable to make public long
 com.sun.management.internal.OperatingSystemImpl.getOpenFileDescriptorCount() accessible: 
module jdk.management does not "opens com.sun.management.internal" 
to unnamed module @4f7f59dd

Fixed by

--add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED

Conclusion

GeoNetwork on Java 11 looks to be usable. Question: Do we keep the possibility to build with Java 8 ? or we just move to Java 11 and add a warning if Java >11.

Java 17 or 20 runtime tests

Issues on startup

Java package access

This type of issue is related to the fact that JDK17 does not provide illegal-access option and the default is like JDK11 --illegal-access=deny

• java.lang

module java.base does not "opens java.lang" to unnamed module

fixed by

--add-opens java.base/java.lang=ALL-UNNAMED

javax.annotation

• javax.annotation

Error creating bean with name 'translationPackBuilder' defined in file [classes/org/fao/geonet/api/tools/i18n/TranslationPackBuilder.class]: 
Post-processing of merged bean definition failed; nested exception is 
java.lang.NoSuchMethodError: 'java.lang.String javax.annotation.Resource.lookup()'

Moving to jakarta (as done by Spring 6.3+) eg. https://docs.openrewrite.org/recipes/java/migrate/jakarta/javaxannotationmigrationtojakartaannotation ?

Tested (do not update all classes - can be done by search/replace):

mvn -U org.openrewrite.maven:rewrite-maven-plugin:run   -Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-migrate-java:RELEASE   -Drewrite.activeRecipes=org.openrewrite.java.migrate.jakarta.JavaxAnnotationMigrationToJakartaAnnotation

org.codehaus.groovy.vmplugin.v7.Java7

From the release

java.lang.NoClassDefFoundError: Could not initialize class org.codehaus.groovy.vmplugin.v7.Java7

?

Conclusion

In order to run on Java 17+, Spring 6 migration is required (and Spring 6 requires Java 17 and Jakarta EE9).

So it probably means that GeoNetwork will then require (to be confirmed):

• maven 3.8.7+
• Java 17
• Tomcat 10
• Jetty 11

Spring 5 update

Update to latest version:

• Spring, Hibernate 5
• Jetty 9,

Spring 6 migration?

Evaluate Spring 6 migration.

Related documents:

• https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-6.x
• https://spring.io/blog/2022/11/16/spring-framework-6-0-goes-ga

"Spring Framework 6 and Spring Boot 3 based applications will require a minimum of JDK 17 at runtime, as well as a minimum of Tomcat 10 / Jetty 11"

Libraries to add/update:

• Spring
• Jakarta EE9 javax.annotation > jakarta.annotation, javax.servlet imports to jakarta.servlet
• Hibernate Validator 8.0
• Hibernate ORM 6.3 moved to Jakarta https://hibernate.atlassian.net/browse/HHH-16563?jql=project%20%3D%20HHH%20AND%20component%20%3D%20hibernate-jpamodelgen
• Password stored in database / EncryptedStringType not supported by jasypt https://github.com/jasypt/jasypt/issues/147
• Cache / Ehcache 2 to 3 migration https://www.ehcache.org/documentation/3.10/migration-guide.html and https://docs.jboss.org/hibernate/orm/6.2/userguide/html_single/Hibernate_User_Guide.html#caching-provider-jcache-cache-manager
• Java / ReadOnlyMvcInterceptor / Something to remove?
• Java / ServiceManager / EofException
• Java / MailUtil / use jakarta.mail.*?
• Spring security / Check openid (getClientRegistration), keycloak (todo), cas (change to apero)
• Wro4J / No support for Spring6 https://github.com/wro4j/wro4j/issues/1135
• HTTP Proxy / Jakarta migration in progress https://github.com/mitre/HTTP-Proxy-Servlet/pull/238#issuecomment-1563728877
• Camel / https://camel.apache.org/blog/2022/05/camel317-whatsnew/
• Jetty on maven plugin/deps/docker
• ...

Startup or build warning

[WARNING] The POM for com.sun.xml.bind:jaxb-impl:jar:2.2.11 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details

Security vulnerability

One goal is to also update libraries which have CRITICIAL vulnerabilities reported.

• Check github security alerts
• Trivy

Scan the application with trivy

cd core-geonetwork
docker pull aquasec/trivy:latest
  
docker run -v $PWD:/core-geonetwork aquasec/trivy fs --cache-dir /core-geonetwork/.trivycache/  --download-java-db-only
docker run -v $PWD:/core-geonetwork aquasec/trivy fs --cache-dir /core-geonetwork/.trivycache/  --download-db-only
docker run -v $PWD:/core-geonetwork aquasec/trivy \
  rootfs --cache-dir /core-geonetwork/.trivycache/ \
  --vuln-type library --skip-db-update --scanners vuln --severity CRITICAL \
  /core-geonetwork/web/target/geonetwork


# Scanning docker image
docker run -v $PWD:/core-geonetwork aquasec/trivy image --cache-dir /core-geonetwork/.trivycache/   --vuln-type library --skip-db-update --scanners vuln --severity HIGH,CRITICAL geonetwork:4.2.4

Related work

• GeoNetwork Java 11 PR https://github.com/geonetwork/core-geonetwork/pull/6276
• geOrchestra PR https://github.com/georchestra/geonetwork/pull/191