Exclude mina-core from Apache Directory LDAP API library

[Akanksha-kedia]

Description

• Mina-core (org.apache.mina:mina-core):2.2.3

  • Not directly referenced in the code
  • transitive dependency through org.apache.directory.api:api-all
  • No direct evidence of usage

even on excluding from org.apache.directory.api:api-all and adding explicit

    <dependency>
        <groupId>org.apache.mina</groupId>
        <artifactId>mina-core</artifactId>
        <version>2.2.4</version>
    </dependency> 
    [ERROR] Unused declared dependencies found:

[ERROR] org.apache.mina:mina-core:jar:2.2.4:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 31:31 min
[INFO] Finished at: 2025-06-25T16:58:59+05:30
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.8.1:analyze-only (default) on project gateway-ha: Dependency problems found -> [Help 1]
[ERROR] and also checked all the classes no import or this dependency is being used.

Additional context and related issues

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required, with the following suggested text:

* Fix some things.

[Akanksha-kedia]

@mosabua please review

[Akanksha-kedia]

https://github.com/trinodb/trino-gateway/security/advisories/GHSA-mxr2-jc8m-j6gh

[mosabua]

Please separate the changes into different commits.

[Akanksha-kedia]

[mosabua]

How do you know this transitive dependency is not required ? Also please reword and update the rest of this PR.

[Akanksha-kedia]

yes i had added the dependency and --- dependency:3.8.1:analyze-only (default) @ gateway-ha ---
[ERROR] Unused declared dependencies found:
[ERROR] org.apache.mina:mina-core:jar:2.2.4:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 31:31 min
[INFO] Finished at: 2025-06-25T16:58:59+05:30
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.8.1:analyze-only (default) on project gateway-ha: Dependency problems found -> [Help 1]
[ERROR] and also checked all the classes no import or this dependency is being used.

[Akanksha-kedia]

How do you know this transitive dependency is not required ? Also please reword and update the rest of this PR.

@mosabuai have done rewording and also explained why i suspect its not being used or else we would have got classnotfounderror or something around that.

[ebyhr]

Vulnerability for postgresql, mina-core, test-containers

Please change the commit title. It should be "Exclude mina-core from Apache Directory LDAP API library" or something.

[Akanksha-kedia]

@ebyhr please review

[Akanksha-kedia]

@mosabua @ebyhr please review

[ebyhr]

https://github.com/apache/directory-ldap-api/blob/cf6a8fde3dea3034fa3f6a3c4a30e6031367ebb4/pom.xml#L81

This exclusion will be unnecessary once the new directory-ldap-api is released.

[mosabua]

Given that the dependency is unused we can probably still merge this now .. wdyt @ebyhr ?

[Akanksha-kedia]

@ebyhr

[Akanksha-kedia]

any update on this @mosabua ?

[mosabua]

Looks good. Let go ahead with it.

[ebyhr]

Please file a GitHub issue so we can revert this change when upgrading directory-ldap-api to the new version.

[mosabua]

Filed #735

[Akanksha-kedia]

I ll raise a pr to revert the chnages once the new pr is merged