update multiple dependencies (#16136)

This upgrades multiple java libraries:

* snakeyaml
* shadow
* gradle
* guava
* commons-io
* commons-logging
* commons-codec
* commons-compress
* commons-lang3
* commons-csv
* log4j
* google-java-format
* httpclient
* httpcore
* javassist
* jackson
* jackson-databind
* wiremock-standalone

Gems:

* rack
*sinatra
*octokit
* gems
* rake
* webmock

Also upgrades Java to 17.0.11+9.

Leftover upgrades:

* commons-csv 1.8 breaks license checker
* janino 3.1.12 breaks java tests
* log4j 2.21.0 breaks java compilation

build.gradle

@@ -19,8 +19,8 @@
 
 buildscript {
     ext {
-        snakeYamlVersion = '2.0'
-        shadowGradlePluginVersion = '7.0.0'
+        snakeYamlVersion = '2.2'
+        shadowGradlePluginVersion = '8.1.1'
     }
 
     repositories {
@@ -37,8 +37,6 @@ buildscript {
 plugins {
     id "de.undercouch.download" version "4.0.4"
     id "com.dorongold.task-tree" version "2.1.0"
-//    id "jacoco"
-//    id "org.sonarqube" version "4.3.0.3225"
 }
 
 apply plugin: 'de.undercouch.download'
@@ -925,4 +923,4 @@ if (System.getenv('OSS') != 'true') {
  tasks.register("runXPackIntegrationTests") {
      dependsOn copyPluginTestAlias
      dependsOn ":logstash-xpack:rubyIntegrationTests"
- }
+ }

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.5-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

gradlew.bat

@@ -43,11 +43,11 @@ set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
 if %ERRORLEVEL% equ 0 goto execute
 
-echo.
-echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
-echo.
-echo Please set the JAVA_HOME variable in your environment to match the
-echo location of your Java installation.
+echo. 1>&2
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
 
 goto fail
 
@@ -57,11 +57,11 @@ set JAVA_EXE=%JAVA_HOME%/bin/java.exe
 
 if exist "%JAVA_EXE%" goto execute
 
-echo.
-echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
-echo.
-echo Please set the JAVA_HOME variable in your environment to match the
-echo location of your Java installation.
+echo. 1>&2
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
 
 goto fail
 

logstash-core/benchmarks/build.gradle

@@ -37,7 +37,7 @@ buildscript {
   }
   dependencies {
     classpath "org.yaml:snakeyaml:${snakeYamlVersion}"
-    classpath "gradle.plugin.com.github.jengelman.gradle.plugins:shadow:${shadowGradlePluginVersion}"
+    classpath "com.github.johnrengelman:shadow:${shadowGradlePluginVersion}"
   }
 }
 
@@ -57,8 +57,8 @@ dependencies {
   implementation project(':logstash-core')
   implementation "org.openjdk.jmh:jmh-core:$jmh"
   annotationProcessor "org.openjdk.jmh:jmh-generator-annprocess:$jmh"
-  implementation 'com.google.guava:guava:24.1.1-jre'
-  implementation 'commons-io:commons-io:2.13.0'
+  implementation 'com.google.guava:guava:33.1.0-jre'
+  implementation 'commons-io:commons-io:2.16.1'
   runtimeOnly 'joda-time:joda-time:2.8.2'
   api "org.jruby:jruby-core:$jrubyVersion"
 }

logstash-core/benchmarks/src/main/java/org/logstash/benchmark/QueueRWBenchmark.java

@@ -20,7 +20,7 @@
 
 package org.logstash.benchmark;
 
-import com.google.common.io.Files;
+import java.nio.file.Files;
 import java.io.File;
 import java.io.IOException;
 import java.util.concurrent.ArrayBlockingQueue;
@@ -136,8 +136,8 @@ public class QueueRWBenchmark {
         future.get();
     }
 
-    private static Settings settings() {
-        return SettingsImpl.fileSettingsBuilder(Files.createTempDir().getPath())
+    private static Settings settings() throws IOException {
+        return SettingsImpl.fileSettingsBuilder(String.valueOf(Files.createTempDirectory(null)))
             .capacity(256 * 1024 * 1024)
             .queueMaxBytes(Long.MAX_VALUE)
             .checkpointMaxWrites(ACK_INTERVAL)

logstash-core/benchmarks/src/main/java/org/logstash/benchmark/QueueWriteBenchmark.java

@@ -20,7 +20,7 @@
 
 package org.logstash.benchmark;
 
-import com.google.common.io.Files;
+import java.nio.file.Files;
 import java.io.File;
 import java.io.IOException;
 import java.util.concurrent.TimeUnit;
@@ -88,8 +88,8 @@ public class QueueWriteBenchmark {
         }
     }
 
-    private static Settings settings() {
-        return SettingsImpl.fileSettingsBuilder(Files.createTempDir().getPath())
+    private static Settings settings() throws IOException {
+        return SettingsImpl.fileSettingsBuilder(String.valueOf(Files.createTempDirectory(null)))
             .capacity(256 * 1024 * 1024)
             .queueMaxBytes(Long.MAX_VALUE)
             .checkpointMaxWrites(1024)

logstash-core/build.gradle

@@ -61,7 +61,7 @@ String jacksonVersion = versionMap['jackson']
 String jacksonDatabindVersion = versionMap['jackson-databind']
 String jrubyVersion = versionMap['jruby']['version']
 
-String log4jVersion = '2.17.1'
+String log4jVersion = '2.17.2'
 
 tasks.register("sourcesJar", Jar) {
     dependsOn classes
@@ -202,13 +202,13 @@ dependencies {
     // concerns libraries such as manticore's http-client 4.5 (using commons-logging)
     runtimeOnly "org.apache.logging.log4j:log4j-jcl:${log4jVersion}"
     // for the log4j-jcl bridge to work commons-logging needs to be on the same class-path
-    runtimeOnly 'commons-logging:commons-logging:1.2'
+    runtimeOnly 'commons-logging:commons-logging:1.3.1'
     // also handle libraries relying on log4j 1.x to redirect their logs
     runtimeOnly "org.apache.logging.log4j:log4j-1.2-api:${log4jVersion}"
     implementation('org.reflections:reflections:0.10.2') {
         exclude group: 'com.google.guava', module: 'guava'
     }
-    implementation 'commons-codec:commons-codec:1.15'
+    implementation 'commons-codec:commons-codec:1.17.0'
     // Jackson version moved to versions.yml in the project root (the JrJackson version is there too)
     implementation "com.fasterxml.jackson.core:jackson-core:${jacksonVersion}"
     api "com.fasterxml.jackson.core:jackson-databind:${jacksonDatabindVersion}"
@@ -216,11 +216,11 @@ dependencies {
     implementation 'org.codehaus.janino:janino:3.1.0'
     implementation "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:${jacksonVersion}"
     implementation group: 'org.yaml', name: 'snakeyaml', version: '2.2'
-    implementation group: 'com.google.guava', name: 'guava', version: '32.1.2-jre'
-    implementation('com.google.googlejavaformat:google-java-format:1.15.0') {
+    implementation group: 'com.google.guava', name: 'guava', version: '33.1.0-jre'
+    implementation('com.google.googlejavaformat:google-java-format:1.22.0') {
         exclude group: 'com.google.guava', module: 'guava'
     }
-    implementation 'org.javassist:javassist:3.29.0-GA'
+    implementation 'org.javassist:javassist:3.30.2-GA'
     testImplementation "org.apache.logging.log4j:log4j-core:${log4jVersion}:tests"
     testImplementation 'org.hamcrest:hamcrest:2.2'
     testImplementation 'org.hamcrest:hamcrest-library:2.2'
@@ -230,6 +230,7 @@ dependencies {
     testImplementation 'org.assertj:assertj-core:3.11.1'
     testImplementation 'org.awaitility:awaitility:4.2.0'
 
-    api group: 'org.apache.httpcomponents', name: 'httpclient', version: '4.5.13'
-    api group: 'org.apache.httpcomponents', name: 'httpcore', version: '4.4.14'
+    api group: 'org.apache.httpcomponents', name: 'httpclient', version: '4.5.14'
+    api group: 'commons-codec', name: 'commons-codec', version: '1.17.0'
+    api group: 'org.apache.httpcomponents', name: 'httpcore', version: '4.4.16'
 }

logstash-core/logstash-core.gemspec

@@ -53,8 +53,8 @@ Gem::Specification.new do |gem|
   gem.add_runtime_dependency "filesize", "~> 0.2" #(MIT license) for :bytes config validator
   gem.add_runtime_dependency "gems", "~> 1"  #(MIT license)
   gem.add_runtime_dependency "concurrent-ruby", "~> 1", "< 1.1.10" # pinned until https://github.com/elastic/logstash/issues/13956
-  gem.add_runtime_dependency "rack", '~> 2'
-  gem.add_runtime_dependency "sinatra", '~> 2'
+  gem.add_runtime_dependency "rack", '~> 3'
+  gem.add_runtime_dependency "sinatra", '~> 4'
   gem.add_runtime_dependency 'puma', '~> 6.3', '>= 6.4.2'
   gem.add_runtime_dependency "jruby-openssl", "~> 0.14.1"
   gem.add_runtime_dependency 'ruby-maven-libs', '~> 3', '>= 3.8.9'

tools/benchmark-cli/build.gradle

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-
 import org.yaml.snakeyaml.Yaml
 
 // fetch version from Logstash's main versions.yml file
@@ -37,29 +36,30 @@ buildscript {
     gradlePluginPortal()
   }
   dependencies {
-    classpath "org.yaml:snakeyaml:${snakeYamlVersion}"
-    classpath "gradle.plugin.com.github.jengelman.gradle.plugins:shadow:${shadowGradlePluginVersion}"
+    classpath group: 'org.yaml', name: 'snakeyaml', version: "${snakeYamlVersion}"
+    classpath "com.github.johnrengelman:shadow:${shadowGradlePluginVersion}"
   }
 }
 
 ext {
-  jmh = '1.23'
+  jmh = '1.37'
   elasticsearch = '5.6.16'
 }
 
 dependencies {
-  implementation 'net.sf.jopt-simple:jopt-simple:5.0.3'
-  implementation group: 'org.apache.httpcomponents', name: 'httpclient', version: '4.5.12'
-  implementation group: 'org.apache.commons', name: 'commons-compress', version: '1.23.0'
-  implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.10'
-  implementation group: 'commons-codec', name: 'commons-codec', version: '1.14'
+  implementation 'net.sf.jopt-simple:jopt-simple:5.0.4'
+  implementation group: 'org.apache.httpcomponents', name: 'httpclient', version: '4.5.14'
+  implementation group: 'org.apache.commons', name: 'commons-compress', version: '1.26.1'
+  implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.14.0'
+  implementation group: 'commons-codec', name: 'commons-codec', version: '1.17.0'
 
-  implementation group: 'commons-io', name: 'commons-io', version: '2.13.0'
+  implementation group: 'commons-io', name: 'commons-io', version: '2.16.1'
   implementation "com.fasterxml.jackson.core:jackson-core:${jacksonVersion}"
   api "com.fasterxml.jackson.core:jackson-databind:${jacksonDatabindVersion}"
   implementation group: 'org.elasticsearch.client', name: 'elasticsearch-rest-client', version: elasticsearch
   implementation "org.openjdk.jmh:jmh-core:$jmh"
-  testImplementation group: 'com.github.tomakehurst', name: 'wiremock-standalone', version: '2.27.0'
+  testImplementation group: 'org.wiremock', name: 'wiremock-standalone', version: '3.0.4'
+
   testImplementation "junit:junit:4.13.2"
 }
 
@@ -76,6 +76,7 @@ test {
 }
 
 apply plugin: 'com.github.johnrengelman.shadow'
+apply plugin: 'java'
 
 shadowJar {
   archiveBaseName = 'benchmark-cli'

tools/benchmark-cli/src/main/java/org/logstash/benchmark/cli/util/LsBenchCompressUtil.java

@@ -33,7 +33,7 @@ import org.apache.commons.compress.archivers.ArchiveInputStream;
 import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
 import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
 import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
-import org.apache.commons.compress.utils.IOUtils;
+import org.apache.commons.io.IOUtils;
 
 /**
  * Utility class for decompressing archives.
@@ -48,7 +48,7 @@ final class LsBenchCompressUtil {
         if (!folder.exists() && !folder.mkdir()) {
             throw new IllegalStateException("unzip failed");
         }
-        try (ArchiveInputStream zis = new ZipArchiveInputStream(new FileInputStream(zipFile))) {
+        try (ArchiveInputStream<?> zis = new ZipArchiveInputStream(new FileInputStream(zipFile))) {
             unpackDir(folder, zis);
         }
     }
@@ -64,7 +64,7 @@ final class LsBenchCompressUtil {
         LsBenchFileUtil.ensureDeleted(ball);
     }
 
-    private static void unpackDir(final File destination, final ArchiveInputStream archive)
+    private static void unpackDir(final File destination, final ArchiveInputStream<?> archive)
         throws IOException {
         ArchiveEntry entry = archive.getNextEntry();
         while (entry != null) {

tools/benchmark-cli/src/main/java/org/logstash/benchmark/cli/util/LsBenchDownloader.java

@@ -57,7 +57,7 @@ public final class LsBenchDownloader {
                     target.flush();
                 }
             }
-            if (GzipUtils.isCompressedFilename(url)) {
+            if (GzipUtils.isCompressedFileName(url)) {
                 LsBenchCompressUtil.gunzipDir(temp, file);
             }
             if (url.endsWith(".zip")) {

tools/dependencies-report/build.gradle

@@ -37,13 +37,13 @@ buildscript {
   }
   dependencies {
     classpath "org.yaml:snakeyaml:${snakeYamlVersion}"
-    classpath "gradle.plugin.com.github.jengelman.gradle.plugins:shadow:${shadowGradlePluginVersion}"
+    classpath "com.github.johnrengelman:shadow:${shadowGradlePluginVersion}"
   }
 }
 
 dependencies {
-  implementation 'commons-io:commons-io:2.13.0'
-  implementation 'org.apache.commons:commons-csv:1.5'
+  implementation 'commons-io:commons-io:2.16.1'
+  implementation 'org.apache.commons:commons-csv:1.7'
   implementation "com.fasterxml.jackson.core:jackson-core:${jacksonVersion}"
   implementation "com.fasterxml.jackson.core:jackson-databind:${jacksonVersion}"
   implementation "com.fasterxml.jackson.core:jackson-annotations:${jacksonVersion}"

tools/dependencies-report/src/main/resources/licenseMapping.csv

@@ -164,6 +164,7 @@ dependency,dependencyUrl,licenseOverride,copyright,sourceURL
 "raabro",https://github.com/floraison/raabro,MIT
 "racc:",https://github.com/ruby/rake,Ruby
 "rack-protection:",http://github.com/rkh/rack-protection,MIT
+"rack-session:",https://github.com/rack/rack-session,MIT
 "rack:",http://rack.github.io/,MIT
 "rake:",https://github.com/ruby/rake,MIT
 "Red Hat Universal Base Image minimal:",https://catalog.redhat.com/software/containers/ubi8/ubi-minimal/5c359a62bed8bd75a2c3fba8,Custom;https://www.redhat.com/licenses/EULA_Red_Hat_Universal_Base_Image_English_20190422.pdf,,https://oss-dependencies.elastic.co/red-hat-universal-base-image-minimal/8/ubi-minimal-8-source.tar.gz

tools/dependencies-report/src/main/resources/notices/rack-session-NOTICE.txt

@@ -0,0 +1,72 @@
+# MIT License
+
+Copyright, 2007-2008, by Leah Neukirchen.  
+Copyright, 2007-2009, by Scytrin dai Kinthra.  
+Copyright, 2008, by Daniel Roethlisberger.  
+Copyright, 2009, by Joshua Peek.  
+Copyright, 2009, by Mickaël Riga.  
+Copyright, 2010, by Simon Chiang.  
+Copyright, 2010-2011, by José Valim.  
+Copyright, 2010-2013, by James Tucker.  
+Copyright, 2010-2019, by Aaron Patterson.  
+Copyright, 2011, by Max Cantor.  
+Copyright, 2011-2012, by Konstantin Haase.  
+Copyright, 2011, by Will Leinweber.  
+Copyright, 2011, by John Manoogian III.  
+Copyright, 2012, by Yun Huang Yong.  
+Copyright, 2012, by Ravil Bayramgalin.  
+Copyright, 2012, by Timothy Elliott.  
+Copyright, 2012, by Jamie Macey.  
+Copyright, 2012-2015, by Santiago Pastorino.  
+Copyright, 2013, by Andrew Cole.  
+Copyright, 2013, by Postmodern.  
+Copyright, 2013, by Vipul A M.  
+Copyright, 2013, by Charles Hornberger.  
+Copyright, 2014, by Michal Bryxí.  
+Copyright, 2015, by deepj.  
+Copyright, 2015, by Doug McInnes.  
+Copyright, 2015, by David Runger.  
+Copyright, 2015, by Francesco Rodríguez.  
+Copyright, 2015, by Yuichiro Kaneko.  
+Copyright, 2015, by Michael Sauter.  
+Copyright, 2016, by Kir Shatrov.  
+Copyright, 2016, by Yann Vanhalewyn.  
+Copyright, 2016, by Jian Weihang.  
+Copyright, 2017, by Jordan Raine.  
+Copyright, 2018, by Dillon Welch.  
+Copyright, 2018, by Yoshiyuki Hirano.  
+Copyright, 2019, by Krzysztof Rybka.  
+Copyright, 2019, by Frederick Cheung.  
+Copyright, 2019, by Adrian Setyadi.  
+Copyright, 2019, by Rafael Mendonça França.  
+Copyright, 2019-2020, by Pavel Rosicky.  
+Copyright, 2019, by Dima Fatko.  
+Copyright, 2019, by Oleh Demianiuk.  
+Copyright, 2020-2023, by Samuel Williams.  
+Copyright, 2020-2022, by Jeremy Evans.  
+Copyright, 2020, by Alex Speller.  
+Copyright, 2020, by Ryuta Kamizono.  
+Copyright, 2020, by Yudai Suzuki.  
+Copyright, 2020, by Bart de Water.  
+Copyright, 2020, by Alec Clarke.  
+Copyright, 2021, by Michael Coyne.  
+Copyright, 2022, by Philip Arndt.  
+Copyright, 2022, by Jon Dufresne.  
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

tools/ingest-converter/build.gradle

@@ -37,7 +37,7 @@ buildscript {
   }
   dependencies {
     classpath "org.yaml:snakeyaml:${snakeYamlVersion}"
-    classpath "gradle.plugin.com.github.jengelman.gradle.plugins:shadow:${shadowGradlePluginVersion}"
+    classpath "com.github.johnrengelman:shadow:${shadowGradlePluginVersion}"
   }
 }
 
@@ -45,7 +45,7 @@ dependencies {
   implementation 'net.sf.jopt-simple:jopt-simple:4.6'
   implementation "com.fasterxml.jackson.core:jackson-databind:${jacksonDatabindVersion}"
   testImplementation "junit:junit:4.13.2"
-  testImplementation 'commons-io:commons-io:2.13.0'
+  testImplementation 'commons-io:commons-io:2.16.1'
 }
 
 javadoc {

tools/logstash-docgen/logstash-docgen.gemspec

@@ -24,15 +24,15 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency "asciidoctor"
   spec.add_runtime_dependency "pry"
   spec.add_runtime_dependency "addressable"
-  spec.add_runtime_dependency "octokit", "~> 3.8.0"
+  spec.add_runtime_dependency "octokit", "~> 8"
 
   # gems 1.0.0 requires Ruby 2.1.9 or newer, so we pin down.
-  spec.add_runtime_dependency "gems", "0.8.3"
+  spec.add_runtime_dependency "gems", "~> 1"
 
-  spec.add_development_dependency "rake", "~> 12"
+  spec.add_development_dependency "rake", "~> 13"
   spec.add_development_dependency "rspec"
 
   # Used for the dependency lookup code
   spec.add_development_dependency "vcr"
-  spec.add_development_dependency "webmock", "2.2.0"
+  spec.add_development_dependency "webmock", "~> 3"
 end

tools/paquet/paquet.gemspec

@@ -23,6 +23,6 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency "rspec"
   spec.add_development_dependency "pry"
-  spec.add_development_dependency "webmock", "~> 2.2.0"
+  spec.add_development_dependency "webmock", "~> 3"
   spec.add_development_dependency "stud"
 end

versions.yml

@@ -7,8 +7,8 @@ logstash-core-plugin-api: 2.1.16
 bundled_jdk:
   # for AdoptOpenJDK/OpenJDK jdk-14.0.1+7.1, the revision is 14.0.1 while the build is 7.1
   vendor: "adoptium"
-  revision: 17.0.10
-  build: 7
+  revision: 17.0.11
+  build: 9
 
 # jruby must reference a *released* version of jruby which can be downloaded from the official download url
 # *and* for which jars artifacts are published for compile-time
@@ -25,5 +25,5 @@ jruby:
 #       bundler evaluates the gemspec via bin/logstash
 # Ensure Jackson version here is kept in sync with version used by jrjackson gem
 jrjackson: 0.4.18
-jackson: 2.15.3
-jackson-databind: 2.15.3
+jackson: 2.16.2
+jackson-databind: 2.16.2