bazel: incompatible_remove_native_maven_jar
The native maven_jar rule will no longer be available with this flag set to true.
(Update: managed by @jin as of July 12)
A migration tool will be provided to automatically convert maven_jar targets to rules_jvm_external’s maven_install rule, and modify BUILD files to use the new labels.
See https://docs.google.com/document/d/1CqxPv-TwvFWBHgtg7_QhVfck4vH4rnmCU_IuMdC7O2M/edit# for a design document of this migration tool.
Proposal by @dkelmer as of Nov 28, which is another valid migration solution that is done manually:
Use
load("@bazel_tools//tools/build_defs/repo:java.bzl", "java_import_external")
or the convenience wrapper
load("@bazel_tools//tools/build_defs/repo:jvm.bzl", "jvm_maven_import_external")
instead.
Given a WORKSPACE file that looks like the following:
maven_jar(
name = "truth",
artifact = "com.google.truth:truth:0.30",
sha1 = "9d591b5a66eda81f0b88cf1c748ab8853d99b18b",
)
It will need to look like this after updating:
load("@bazel_tools//tools/build_defs/repo:jvm.bzl", "jvm_maven_import_external")
jvm_maven_import_external(
name = "truth",
artifact = "com.google.truth:truth:0.30",
artifact_sha256 = "59721f0805e223d84b90677887d9ff567dc534d7c502ca903c0c2b17f05c116a",
server_urls = ["http://central.maven.org/maven2"],
licenses = ["notice"], # Apache 2.0
)
Notably
- the
licensesattribute is mandatory - sha1 is no longer supported, only sha256 is
- the
server_urlsattribute is mandatory. If yourmaven_jarrule did not specify a url then you should use the default server (“http://central.maven.org/maven2”). If your rule did specify a url then keep using that one.
About this issue
- Original URL
- State: closed
- Created 6 years ago
- Comments: 33 (25 by maintainers)
Commits related to this issue
- Add flag to control native maven jar rule deprecation. Closes #6768. Relevant to #6799. PiperOrigin-RevId: 223375698 — committed to bazelbuild/bazel by dkelmer 6 years ago
- Stop using native maven_jar rule See https://github.com/bazelbuild/bazel/issues/6799 for more details — committed to dkelmer/rules_gwt by dkelmer 5 years ago
- Stop using native maven_jar rule (#20) See https://github.com/bazelbuild/bazel/issues/6799 for more details — committed to bazelbuild/rules_gwt by dkelmer 5 years ago
- Stop using maven_jar in android-testing See https://github.com/bazelbuild/bazel/issues/6799 for more details — committed to dkelmer/android-testing by dkelmer 5 years ago
- Update bazel-deps to HEAD This removes our dependency on the deprecated native maven_jar rule: https://github.com/bazelbuild/bazel/issues/6799 All changes except maven_dependencies.yaml are generate... — committed to googlecloudrobotics/core by drigz 5 years ago
- Remove java.desktop dependency from javax.xml. The only dependency to java.desktop was coming from JAXB.java where a 25 line method from java.beans.Introspector was used to decapitalize a Java class ... — committed to meisterT/bazel by meisterT 5 years ago
- Remove java.desktop dependency from javax.xml. The only dependency to java.desktop was coming from JAXB.java where a 25 line method from java.beans.Introspector was used to decapitalize a Java class ... — committed to meisterT/bazel by meisterT 5 years ago
- Remove java.desktop dependency from javax.xml. The only dependency to java.desktop was coming from JAXB.java where a 25 line method from java.beans.Introspector was used to decapitalize a Java class ... — committed to bazelbuild/bazel by meisterT 5 years ago
- Fork sync (#3) * Fix commits in WORKSPACE * Use http_archive instead of git_repository to fetch dependencies * Update gmaven_rules target to use gmaven_artifact * Simplify Bazel instructions... — committed to bitrise-io/android-testing by BirmacherAkos 5 years ago
- Wire up --incompatible_disallow_unverified_http_downloads for maven_server Force usage of either HTTPS or HTTP w/ SHA-1. Note that SHA-1 is still susceptible to collision attacks, but this should red... — committed to bazelbuild/bazel by jin 5 years ago
- Add sha256 and sha256_src attributes to maven_jar ..and print warnings if sha256 or sha256_src aren't used, like this: > `WARNING: /usr/local/google/home/jingwen/code/copybara/WORKSPACE:192:1: maven... — committed to bazelbuild/bazel by jin 5 years ago
- Replace maven_jar with maven_install Context: https://github.com/bazelbuild/bazel/issues/6799 — committed to laszlocsomor/rules_scala by laszlocsomor 5 years ago
- Replace maven_jar with maven_install Context: https://github.com/bazelbuild/bazel/issues/6799 — committed to laszlocsomor/rules_scala by laszlocsomor 5 years ago
- Release 2.0.0 (2019-12-19) Baseline: 807ed23e4f53a5e008ec823e9c23e2c9baa36d0d Cherry picks: + db0e32ca6296e56e5314993fe9939bc7331768ec: build.sh: Fix bug in build script for RC release +... — committed to bazelbuild/bazel by a-googler 5 years ago
- Remove use of maven_jar. This is no longer supported in bazel 2: https://github.com/bazelbuild/bazel/issues/6799 — committed to scode/bazelplay by scode 5 years ago
- Release 2.0.0 (2019-12-19) Baseline: 807ed23e4f53a5e008ec823e9c23e2c9baa36d0d Cherry picks: + db0e32ca6296e56e5314993fe9939bc7331768ec: build.sh: Fix bug in build script for RC release +... — committed to meteorcloudy/bazel by a-googler 5 years ago
- Remove incompatible native.maven_jar usage (#127) Bazel 2.0 removes `maven_jar` from native rules. In order for us to migrate to newer Bazel, `checkstyle_dependencies` need to be adapted according to... — committed to vaticle/dependencies by vmax 4 years ago
- Stop using maven_jar in android-testing See https://github.com/bazelbuild/bazel/issues/6799 for more details — committed to mukundsrinivasb/espresso-testing-tuorial by dkelmer 5 years ago
merged: https://github.com/bazelbuild/rules_gwt/pull/20 merged: https://github.com/bazelbuild/rules_appengine/pull/96 merged: https://critique.corp.google.com/#review/229611659&tab=a (intellij, SOT is internal) merged: https://github.com/grpc/grpc-java/pull/5327 merged: https://github.com/googlesamples/android-testing/pull/245 filed issue: https://github.com/bazelbuild/BUILD_file_generator/issues/48 (they use bazel-deps and updating requires updating their custom scripts so I’ll leave that to them)
rules_k8s is breaking because of grpc, so marking it as fixed
The automated migration tool is available here: https://github.com/bazelbuild/rules_jvm_external/tree/master/migration
If you don’t wish to migrate to
rules_jvm_external, please follow the alternative instructions to manually migrate tojvm_maven_import_external.@JLLeitschuh I do not have the answer for you at the moment. I am following up with folks from the security team with your question on issuing a CVE, the next steps, and also to verify our remediation approaches (#9237, #9235, https://github.com/bazelbuild/bazel/commit/b065b1318641db2e75b12ca6a29c89d9265f3389, original sha1 issue ref: https://github.com/bazelbuild/bazel/issues/8880)
@dapengzhang0 There is not an automated tool. You need to independently fetch the jars and calculate the sha256. One thing you can do is omit the
artifact_sha256attribute and runbazel fetch. Bazel will then tell you what sha it expected for each jar.Broken projects: