Use assembly to ensure all classes are there

.github/workflows/ci.yml

@@ -49,45 +49,3 @@ jobs:
           path: target/surefire-reports/
           retention-days: 7
 
-  sonar:
-    name: SonarCloud Scan
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          # Disabling shallow clone is recommended for improving relevancy of reporting
-          fetch-depth: 0
-      - uses: actions/setup-java@v1
-        with:
-          java-version: 11
-      - name: Cache dependencies
-        uses: actions/[email protected]
-        continue-on-error: true
-        with:
-          path: ~/.m2
-          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2
-      - name: SonarCloud Scan
-        run: mvn -B clean package sonar:sonar -Psonar
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONARCLOUD_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
-  vulnerability:
-    name: Dependency Vulnerability Scan
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-java@v1
-        with:
-          java-version: 11
-      - name: Cache dependencies
-        uses: actions/[email protected]
-        continue-on-error: true
-        with:
-          path: ~/.m2
-          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2
-      - name: Check
-        id: check
-        run: mvn -B -DskipTests package dependency-check:check

exporter/pom.xml

@@ -120,23 +120,24 @@
         </configuration>
       </plugin>
 
-      <!-- build JAR with dependencies -->
+      <!-- build a JAR with the minimal set of dependencies included -->
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-shade-plugin</artifactId>
+        <artifactId>maven-assembly-plugin</artifactId>
         <configuration>
-          <artifactSet>
-            <includes>
-              <!-- serialization/deserialization -->
-              <include>${project.groupId}:zeebe-kafka-exporter-serde</include>
-
-              <!-- kafka specific dependencies -->
-              <include>org.apache.kafka:kafka-clients</include>
-              <include>com.github.luben:zstd-jni</include>
-              <include>org.xerial.snappy:snappy-java</include>
-            </includes>
-          </artifactSet>
+          <descriptors>
+            <descriptor>${project.basedir}/src/assembly/standalone.xml</descriptor>
+          </descriptors>
         </configuration>
+        <executions>
+          <execution>
+            <id>standalone</id>
+            <goals>
+              <goal>single</goal>
+            </goals>
+            <phase>package</phase>
+          </execution>
+        </executions>
       </plugin>
     </plugins>
   </build>

exporter/src/assembly/standalone.xml

@@ -0,0 +1,16 @@
+<assembly xmlns="http://maven.apache.org/ASSEMBLY/2.1.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/ASSEMBLY/2.1.0 http://maven.apache.org/xsd/assembly-2.1.0.xsd">
+  <id>jar-with-dependencies</id>
+  <formats>
+    <format>jar</format>
+  </formats>
+  <dependencySets>
+    <dependencySet>
+      <outputDirectory>/</outputDirectory>
+      <useProjectArtifact>true</useProjectArtifact>
+      <unpack>true</unpack>
+      <scope>runtime</scope>
+    </dependencySet>
+  </dependencySets>
+</assembly>

pom.xml

@@ -57,6 +57,7 @@
 
     <!-- plugin version -->
     <plugin.version.animal-sniffer>1.20</plugin.version.animal-sniffer>
+    <plugin.version.assembly>3.3.0</plugin.version.assembly>
     <plugin.version.compiler>3.8.1</plugin.version.compiler>
     <plugin.version.checkstyle>3.1.2</plugin.version.checkstyle>
     <plugin.version.clean>3.1.0</plugin.version.clean>
@@ -67,12 +68,9 @@
     <plugin.version.gpg>3.0.1</plugin.version.gpg>
     <plugin.version.javadoc>3.3.0</plugin.version.javadoc>
     <plugin.version.license>4.1</plugin.version.license>
-    <plugin.version.owasp>6.2.2</plugin.version.owasp>
     <plugin.version.protobuf>0.6.1</plugin.version.protobuf>
     <plugin.version.proto-compat>1.0.6</plugin.version.proto-compat>
     <plugin.version.revapi>0.14.3</plugin.version.revapi>
-    <plugin.version.sonar>3.9.0.2155</plugin.version.sonar>
-    <plugin.version.shade>3.2.4</plugin.version.shade>
     <plugin.version.surefire>3.0.0-M5</plugin.version.surefire>
 
     <!-- maven extensions -->
@@ -438,31 +436,8 @@
         <!-- jar with dependency assembly -->
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
-          <artifactId>maven-shade-plugin</artifactId>
-          <version>${plugin.version.shade}</version>
-          <executions>
-            <execution>
-              <phase>package</phase>
-              <goals>
-                <goal>shade</goal>
-              </goals>
-              <configuration>
-                <transformers>
-                  <transformer implementation="org.apache.maven.plugins.shade.resource.ApacheNoticeResourceTransformer">
-                    <addHeader>false</addHeader>
-                  </transformer>
-                  <transformer implementation="org.apache.maven.plugins.shade.resource.ApacheLicenseResourceTransformer">
-                  </transformer>
-                </transformers>
-                <shadedArtifactAttached>true</shadedArtifactAttached>
-                <shadedClassifierName>jar-with-dependencies</shadedClassifierName>
-                <minimizeJar>true</minimizeJar>
-                <finalName>${project.build.finalName}</finalName>
-                <createDependencyReducedPom>true</createDependencyReducedPom>
-                <promoteTransitiveDependencies>false</promoteTransitiveDependencies>
-              </configuration>
-            </execution>
-          </executions>
+          <artifactId>maven-assembly-plugin</artifactId>
+          <version>${plugin.version.assembly}</version>
         </plugin>
 
         <!-- enforce unique dependencies and convergence -->
@@ -546,30 +521,6 @@
           </configuration>
         </plugin>
 
-        <!-- vulnerability scanning -->
-        <plugin>
-          <groupId>org.owasp</groupId>
-          <artifactId>dependency-check-maven</artifactId>
-          <version>${plugin.version.owasp}</version>
-          <configuration>
-            <skipProvidedScope>true</skipProvidedScope>
-            <skipRuntimeScope>true</skipRuntimeScope>
-            <failBuildOnCVSS>7</failBuildOnCVSS>
-            <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
-            <format>JSON</format>
-            <prettyPrint>true</prettyPrint>
-            <skip>${skip.check}</skip>
-          </configuration>
-          <executions>
-            <execution>
-              <phase>verify</phase>
-              <goals>
-                <goal>check</goal>
-              </goals>
-            </execution>
-          </executions>
-        </plugin>
-
         <plugin>
           <groupId>org.codehaus.mojo</groupId>
           <artifactId>animal-sniffer-maven-plugin</artifactId>
@@ -619,11 +570,6 @@
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-clean-plugin</artifactId>
       </plugin>
-
-      <plugin>
-        <groupId>org.owasp</groupId>
-        <artifactId>dependency-check-maven</artifactId>
-      </plugin>
     </plugins>
   </build>
 
@@ -662,39 +608,6 @@
       </build>
     </profile>
 
-    <profile>
-      <id>sonar</id>
-      <properties>
-        <!-- sonarscanner integration -->
-        <!-- sonar.login token must be passed at runtime to avoid sharing token -->
-        <sonar.host.url>https://sonarcloud.io</sonar.host.url>
-        <sonar.organization>zeebe-io</sonar.organization>
-        <sonar.login>${env.SONARCLOUD_TOKEN}</sonar.login>
-
-        <!-- skip some checks -->
-        <skipTests>true</skipTests>
-        <skip.check>true</skip.check>
-      </properties>
-
-      <build>
-        <plugins>
-          <plugin>
-            <groupId>org.sonarsource.scanner.maven</groupId>
-            <artifactId>sonar-maven-plugin</artifactId>
-            <version>${plugin.version.sonar}</version>
-            <executions>
-              <execution>
-                <phase>verify</phase>
-                <goals>
-                  <goal>sonar</goal>
-                </goals>
-              </execution>
-            </executions>
-          </plugin>
-        </plugins>
-      </build>
-    </profile>
-
     <!--
       development profile is on by default, but disabled during release
      -->

revapi.json

@@ -1,30 +1,67 @@
 [
   {
-    "extension": "revapi.filter",
+    "extension": "revapi.java",
+    "configuration": {
+      "reportUsesFor": "all-differences",
+      "missing-classes": {
+        "behavior": "ignore",
+        "ignoreMissingAnnotations": true
+      },
+      "matchOverloads": false
+    }
+  },
+  {
+    "extension": "revapi.versions",
     "configuration": {
       "enabled": true,
-      "elements": {
-        "exclude": [
-          {
-            "matcher": "java",
-            "match": "@org.apiguardian.api.API(status != org.apiguardian.api.API.Status.STABLE) ^*;"
+      "passThroughDifferences": [
+        "java.class.nonPublicPartOfAPI"
+      ],
+      "versionIncreaseAllows": {
+        "major": {
+          "severity": "BREAKING"
+        },
+        "minor": {
+          "classification": {
+            "BINARY": "NON_BREAKING",
+            "SOURCE": "BREAKING",
+            "SEMANTIC": "BREAKING",
+            "OTHER": "BREAKING"
           }
-        ]
+        },
+        "patch": {
+          "classification": {
+            "BINARY": "NON_BREAKING",
+            "SOURCE": "BREAKING",
+            "SEMANTIC": "BREAKING",
+            "OTHER": "BREAKING"
+          }
+        }
       }
     }
   },
   {
-    "extension": "revapi.semver.ignore",
+    "extension": "revapi.filter",
+    "justification": "Ignore everything not included in the module itself",
     "configuration": {
-      "enabled": true,
-      "versionIncreaseAllows": {
-        "major": "breaking",
-        "minor": "nonBreaking",
-        "patch": "equivalent"
+      "archives": {
+        "include": [
+          "io\\.zeebe:zeebe-kafka-exporter:.*"
+        ]
       },
-      "passThroughDifferences": [
-        "java.class.nonPublicPartOfAPI"
+      "exclude": [
+        {
+          "matcher": "java",
+          "match": "@org.apiguardian.api.API(status != org.apiguardian.api.API.Status.STABLE) ^*;"
+        }
       ]
     }
+  },
+  {
+    "extension": "revapi.differences",
+    "id": "intentional-api-changes",
+    "configuration": {
+      "differences": []
+    }
   }
 ]