@aptmac aptmac commented Dec 12, 2025

There's currently a security advisory open for the version of lz4-java we are using. lz4-java had been archived, but has been updated by a new maintainer with a fix for the security issue.

See: GHSA-cmp6-m4wj-q63q


Progress

  • Commit message must refer to an issue
  • Change must be properly reviewed (1 review required, with at least 1 Committer)

Issue

  • JMC-8481: Update lz4-java to 1.10.2 (Bug - P4)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jmc.git pull/694/head:pull/694
$ git checkout pull/694

Update a local copy of the PR:
$ git checkout pull/694
$ git pull https://git.openjdk.org/jmc.git pull/694/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 694

View PR using the GUI difftool:
$ git pr show -t 694

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jmc/pull/694.diff

Using Webrev

Link to Webrev Comment

bridgekeeper bot commented Dec 12, 2025

👋 Welcome back aptmac! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

openjdk bot commented Dec 12, 2025

@aptmac This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8481: Update lz4-java to 1.10.2

Reviewed-by: clanger

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 2 new commits pushed to the master branch:

  • 3f11594: 8479: Update jolokia third party for JMC 10.0.0
  • eb78a2d: 8489: Inaccurate Chinese translations on TLAB page

Please see this link for an up-to-date comparison between the source branch of this pull request and the master branch.
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

openjdk bot commented Dec 12, 2025

@aptmac Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

@openjdk openjdk bot added the rfr label Dec 12, 2025

mlbridge bot commented Dec 12, 2025

Webrevs

aptmac commented Dec 12, 2025

Will have to go back over this one, looks like the test case isn't able to find the lz4-java class that we're trying to use:

  NotificationModelTest>RjmxTestCase.mcTestCaseBefore:288->RjmxTestCase.createDefaultServerDesciptor:194 » NoClassDefFound net/jpountz/lz4/LZ4FrameInputStream
  NotificationModelTest>RjmxTestCase.mcTestCaseBefore:288->RjmxTestCase.createDefaultServerDesciptor:194 » NoClassDefFound net/jpountz/lz4/LZ4FrameInputStream
  NotificationTriggerAndRuleTest>RjmxTestCase.mcTestCaseBefore:288->RjmxTestCase.createDefaultServerDesciptor:194 » NoClassDefFound net/jpountz/lz4/LZ4FrameInputStream
  NotificationTriggerAndRuleTest>RjmxTestCase.mcTestCaseBefore:288->RjmxTestCase.createDefaultServerDesciptor:194 » NoClassDefFound net/jpountz/lz4/LZ4FrameInputStream
  NotificationTriggerAndRuleTest>RjmxTestCase.mcTestCaseBefore:288->RjmxTestCase.createDefaultServerDesciptor:194 » NoClassDefFound net/jpountz/lz4/LZ4FrameInputStream

aptmac commented Dec 12, 2025

Hm, taking a look at the jar that's pulled in from maven central, the packages aren't exported:

Manifest-Version: 1.0
Automatic-Module-Name: org.lz4.java
Build-Jdk-Spec: 21
Bundle-ManifestVersion: 2
Bundle-Name: lz4-java
Bundle-SymbolicName: lz4-java
Bundle-Version: 0
Import-Package: java.io,java.lang,java.lang.reflect,java.nio,java.util
 ,java.util.zip,sun.misc
Originally-Created-By: Maven JAR Plugin 3.4.1
Private-Package: net.jpountz.lz4,net.jpountz.util,net.jpountz.util.dar
 win.aarch64,net.jpountz.util.darwin.x86_64,net.jpountz.util.linux.aar
 ch64,net.jpountz.util.linux.amd64,net.jpountz.util.linux.i386,net.jpo
 untz.util.linux.ppc64le,net.jpountz.util.linux.s390x,net.jpountz.util
 .win32.amd64,net.jpountz.xxhash
Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"

Edit: that require-capability on java 7 is also kind of suspicious
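
The manifest check behind the comment above, as an added example that is not part of the original thread or of the JMC or lz4-java code: it unfolds the manifest's continuation lines and reports whether a package is listed under Export-Package or only under Private-Package. `PAGE_MANIFEST` is a subset of the headers quoted above; `CONSTRUCTED_EXPORTING` is a constructed sample, not the real 1.10.2 manifest, and the function names are hypothetical.

```python
import re

# Subset of the headers quoted in the comment above (jar from Maven Central).
PAGE_MANIFEST = """\
Bundle-SymbolicName: lz4-java
Private-Package: net.jpountz.lz4,net.jpountz.util,net.jpountz.util.dar
 win.aarch64,net.jpountz.util.darwin.x86_64,net.jpountz.util.linux.aar
 ch64,net.jpountz.util.linux.amd64,net.jpountz.util.linux.i386,net.jpo
 untz.util.linux.ppc64le,net.jpountz.util.linux.s390x,net.jpountz.util
 .win32.amd64,net.jpountz.xxhash
"""

# Constructed sample (NOT the real 1.10.2 manifest): shows an exporting bundle
# and exercises quoted commas plus a folded line.
CONSTRUCTED_EXPORTING = """\
Bundle-SymbolicName: lz4-java
Export-Package: net.jpountz.lz4;version="1.10.2";uses:="net.jpountz.ut
 il,net.jpountz.xxhash",net.jpountz.xxhash;version="1.10.2"
"""

def parse_headers(text):
    """Return {header: value}; a line starting with one space continues the previous header."""
    headers, name = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and name is not None:
            headers[name] += line[1:]
        elif ": " in line:
            name, value = line.split(": ", 1)
            headers[name] = value
    return headers

def packages(value):
    """Package names in an OSGi header: split on commas outside quotes, drop attributes."""
    clauses = re.findall(r'(?:[^,"]|"[^"]*")+', value or "")
    return {p.strip() for c in clauses for p in c.split(";") if p.strip() and "=" not in p}

def visibility(manifest_text, package):
    """'exported' if other bundles can load the package, 'private' if only packaged, else 'absent'."""
    headers = parse_headers(manifest_text)
    if package in packages(headers.get("Export-Package")):
        return "exported"
    if package in packages(headers.get("Private-Package")):
        return "private"
    return "absent"

if __name__ == "__main__":
    # Package of the class named in the NoClassDefFound failures above.
    print(visibility(PAGE_MANIFEST, "net.jpountz.lz4"))
    print(visibility(CONSTRUCTED_EXPORTING, "net.jpountz.lz4"))
```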

aptmac commented Dec 16, 2025

I contributed a PR to the new lz4-java repo, which should fix the package exports: yawkat/lz4-java#28

Will need to check back here once it's released and verify that it actually works.

@aptmac aptmac changed the title 8481: Update lz4-java to 1.10.1 8481: Update lz4-java to 1.10.2 Dec 16, 2025

aptmac commented Jan 7, 2026

Gave this a test now that the 1.10.2 release is out, and it's working as expected now

openjdk bot commented Jan 9, 2026

@aptmac Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

@parttimenerd

Could we merge this soon?

aptmac commented Jan 22, 2026

> Could we merge this soon?

Yeah, but it needs a review first

@parttimenerd

Sorry, I mistook it for another PR.

@RealCLanger RealCLanger left a comment

Looks correct and tests are green.

@openjdk openjdk bot added the ready label Jan 26, 2026

aptmac commented Jan 29, 2026

Closing in favor of #702, upstream should be updated with everything else Oracle included in their latest release

@aptmac aptmac closed this Jan 29, 2026