JCIP Annotations being old

Issue #366 wontfix
Michal Vahala created an issue

Hi,

One of the code scanning tools we’re using reported JCIP Annotations dependency as a potential problem since it is older than 7 years.

The dependency

<dependency>
    <groupId>com.github.stephenc.jcip</groupId>
    <artifactId>jcip-annotations</artifactId>
    <version>1.0-1</version>
</dependency>

is listed at Maven repository as having only that one version from 2013 https://mvnrepository.com/artifact/com.github.stephenc.jcip/jcip-annotations

with source located here https://github.com/stephenc/jcip-annotations

But it looks like there are at least two newer versions, listed under a different group, com.io7m.jcip

One of them is https://mvnrepository.com/artifact/com.io7m.jcip/jcip-annotations version 1.0.2 from 2016

and another one https://mvnrepository.com/artifact/com.io7m.jcip/com.io7m.jcip.annotations version from 2020 with source located here https://github.com/io7m/jcip-annotations

Based on the Maven repository, the author listed is the same and the new GitHub repository is a fork of the previous one so I assume that this is really a newer version of the same library.

Would it be possible to upgrade and start using the new JCIP Annotations dependency?

Thank you

Comments (3)

  1. Yavor Vasilev

    Hi Michal,

    What tool was used? Did it identify a specific code issue?

    If this was some arbitrary setting that automatically tags any code older than 7 years as a problem, this isn’t a valid reason in itself to update (or to make a particular tool happy). What if another tool was set to tag code from 2016 as a problem? Code doesn’t age and become bad or buggy because of age. If the tool examined the package it would find that it only defines four annotations and has no executable part at all.

  2. Michal Vahala reporter

    Hi Yavor,

    The tool used is Synopsys Black Duck. It does not identify any code problems with this library. The only issue is that the library is old. This presents an operational risk since likely the library or the used version is no longer maintained. The tool itself is not doing any examination of the actual package to see if there is executable code inside or not. We do based on the scanning results and the findings are the same as yours, it contains four annotations only. The concern here is that anyone from our users can use the same or similar tool to scan the application and start asking questions. Since this library is a transitive dependency for us, we can just ask, share our results and let you know that there are scanning tools which can flag this.

    Best Regards,

    Michal

  3. Yavor Vasilev

    I'm closing this as won't fix as no issues were demonstrated.

    The four annotations are essentially the four kinds of classes in a concurrent environment - immutable class, threadsafe class, not threadsafe class, class guarded by X. You can think of those as an enum.

    The newer projects that you mention are essentially repackagings of the same annotations, e.g. a pom.xml with OSGi support.

    If you are curious what an annotation looks like:

    package net.jcip.annotations;
    
    import java.lang.annotation.Documented;
    import java.lang.annotation.ElementType;
    import java.lang.annotation.Retention;
    import java.lang.annotation.RetentionPolicy;
    import java.lang.annotation.Target;
    
    @Documented
    @Target({ElementType.TYPE})
    @Retention(RetentionPolicy.RUNTIME)
    public @interface Immutable {
    }
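
The claim above that the package has no executable part can be checked mechanically instead of taken on trust. The following is an added example, not code from this issue or from the jcip-annotations project: a minimal reader for the JVM class-file layout that reports whether a class is an annotation type (the ACC_ANNOTATION access flag) and whether any of its methods carries a Code attribute, exercised on two hand-assembled class files (an empty `@interface Immutable` and a plain class with one bytecode method); the class names, the Java 8 version number and the sample bytes are all constructed for the example.

```python
import struct

ACC_ANNOTATION = 0x2000                     # class access flag set by javac for @interface
# Constant-pool tag -> payload size; tag 1 (CONSTANT_Utf8) is variable-length, handled inline.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def inspect_class(data):
    """Return (is_annotation, has_code) for one class file (JVMS chapter 4 layout)."""
    assert data[:4] == b"\xca\xfe\xba\xbe", "not a class file"
    pos, utf8, i, has_code = 8, {}, 1, False             # skip magic and version
    (cp_count,) = struct.unpack_from(">H", data, pos); pos += 2
    while i < cp_count:                                   # walk the constant pool
        tag = data[pos]; pos += 1
        if tag == 1:                                      # u2 length + modified-UTF-8 bytes
            (n,) = struct.unpack_from(">H", data, pos)
            utf8[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace"); pos += 2 + n
        else:
            pos += CP_SIZES[tag]
        i += 2 if tag in (5, 6) else 1                    # Long/Double occupy two slots
    (flags,) = struct.unpack_from(">H", data, pos); pos += 6   # access_flags, this, super
    (n_ifaces,) = struct.unpack_from(">H", data, pos); pos += 2 + 2 * n_ifaces
    for _ in range(2):                                    # fields table, then methods table
        (n_members,) = struct.unpack_from(">H", data, pos); pos += 2
        for _ in range(n_members):
            pos += 6                                      # access_flags, name, descriptor
            (n_attrs,) = struct.unpack_from(">H", data, pos); pos += 2
            for _ in range(n_attrs):
                name_idx, length = struct.unpack_from(">HI", data, pos); pos += 6
                has_code |= utf8.get(name_idx) == "Code"  # bytecode lives only in Code attrs
                pos += length
    return bool(flags & ACC_ANNOTATION), has_code

def utf8_entry(s): return b"\x01" + struct.pack(">H", len(s)) + s.encode()  # CONSTANT_Utf8
def class_entry(i): return b"\x07" + struct.pack(">H", i)                   # CONSTANT_Class

def sample_class(with_code):
    """Hand-assembled sample class files (constructed here, not extracted from the real jar):
    an empty `public @interface Immutable`, or a plain class with one method holding bytecode."""
    pool = (utf8_entry("net/jcip/annotations/Immutable") + class_entry(1)
            + utf8_entry("java/lang/Object") + class_entry(3)
            + utf8_entry("java/lang/annotation/Annotation") + class_entry(5)
            + utf8_entry("run") + utf8_entry("()V") + utf8_entry("Code"))
    head = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 10) + pool   # magic, Java 8, 9 entries
    if not with_code:  # ACC_PUBLIC|ACC_INTERFACE|ACC_ABSTRACT|ACC_ANNOTATION, implements Annotation
        return head + struct.pack(">HHHHHHHH", 0x2601, 2, 4, 1, 6, 0, 0, 0)   # no fields/methods/attrs
    code = struct.pack(">HHI", 0, 1, 1) + b"\xb1" + struct.pack(">HH", 0, 0)   # `return`, no exceptions
    method = struct.pack(">HHHH", 0x0001, 7, 8, 1) + struct.pack(">HI", 9, len(code)) + code
    return head + struct.pack(">HHHHHH", 0x0021, 2, 4, 0, 0, 1) + method + b"\x00\x00"   # class name reused
```

To check the real artifact, open the jar with `zipfile` and run `inspect_class` over every `.class` entry; a dependency that is only annotation types reports `(True, False)` for each one.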
    