Pull request overview
This PR migrates the API server distribution from an executable WAR to a thin JAR plus a lib/ directory of dependencies, aiming to improve container layer caching and simplify development/runtime by removing the WAR overlay + Jetty Maven plugin approach.
Changes:
- Switch `apiserver` packaging from `war` to `jar` and introduce dependency copying to `target/lib/`.
- Replace `web.xml` / Jetty context XML configuration with a Java entrypoint that bootstraps an embedded Jetty server and serves static resources from the classpath.
- Update Docker build and GitHub workflows to publish/use the new JAR + `lib/` layout.
Reviewed changes
Copilot reviewed 18 out of 20 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| coverage-report/pom.xml | Stops depending on the classes classifier now that apiserver is a normal JAR. |
| apiserver/src/main/webapp/WEB-INF/web.xml | Removed legacy WAR-based servlet/filter/listener configuration. |
| apiserver/src/main/webapp/WEB-INF/jetty-context.xml | Removed Jetty XML customization used by the WAR-based setup. |
| apiserver/src/main/resources/static/index.html | Adds a simple static landing page and links (now served from the JAR). |
| apiserver/src/main/java/org/dependencytrack/parser/spdx/json/SpdxLicenseDetailParser.java | Adjusts license data loading to work from a JAR filesystem as well as from directories. |
| apiserver/src/main/java/org/dependencytrack/Application.java | New embedded Jetty bootstrap replacing executable WAR entrypoint. |
| apiserver/src/main/docker/create-jre.sh | Updates jdeps analysis to use thin JAR + lib/* rather than exploded WAR contents. |
| apiserver/src/main/docker/Dockerfile | Copies target/lib/ into the image and runs the app from a classpath instead of -jar. |
| apiserver/pom.xml | Switches packaging to JAR, configures JAR manifest main class/classpath, and adds dependency copying to target/lib. |
| apiserver/.dockerignore | Allows inclusion of nested target/**.jar files (for target/lib/ contents). |
| alpine/pom.xml | Removes the alpine-executable-war module from the build. |
| alpine/alpine-executable-war/src/main/resources/jetty-logging.properties | Deleted along with removal of the executable WAR module. |
| alpine/alpine-executable-war/src/main/resources/alpine-executable-war.version | Deleted along with removal of the executable WAR module. |
| alpine/alpine-executable-war/src/main/java/alpine/embedded/EmbeddedJettyServer.java | Deleted executable-WAR Jetty bootstrap. |
| alpine/alpine-executable-war/src/main/java/alpine/embedded/CliArgs.java | Deleted CLI argument parser used by executable WAR entrypoint. |
| alpine/alpine-executable-war/pom.xml | Deleted the executable WAR helper module POM. |
| .mvn/maven-build-cache-config.xml | Updates build-cache config to run the new dependency-copy execution. |
| .idea/runConfigurations/Jetty.xml | Removes IntelliJ Jetty Maven run configuration tied to the old setup. |
| .github/workflows/ci-publish.yaml | Renames artifact set from WARs to JARs for publishing pipeline. |
| .github/workflows/_meta-build.yaml | Uploads/downloads JAR + lib/ artifacts instead of WAR-focused artifacts. |
Files not reviewed (1)
- .idea/runConfigurations/Jetty.xml: Language not supported
Comments suppressed due to low confidence (1)
apiserver/src/main/java/org/dependencytrack/parser/spdx/json/SpdxLicenseDetailParser.java:55
`SpdxLicenseDetailParser.parse()` now wraps `IOException` in `UncheckedIOException`, but callers (e.g. database seeding) only catch `IOException`. A read failure will bypass the catch block and surface as an unexpected runtime exception. Consider keeping checked IO semantics here (e.g., let `parse(...)` throw `IOException` and adapt the stream mapping to rethrow as `IOException`, or catch `UncheckedIOException` in `getLicenseDefinitions()` and wrap it back into `IOException`).

```java
private static License parse(final Path path) {
    try {
        final byte[] jdon = Files.readAllBytes(path);
        final ObjectMapper objectMapper = new ObjectMapper();
        return objectMapper.readValue(jdon, License.class);
    } catch (IOException e) {
        throw new UncheckedIOException(e);
    }
}
```
Pull request overview
Copilot reviewed 19 out of 21 changed files in this pull request and generated 2 comments.
Files not reviewed (1)
- .idea/runConfigurations/Jetty.xml: Language not supported
Comments suppressed due to low confidence (1)
apiserver/src/main/docker/create-jre.sh:76
`create-jre.sh` writes `module-deps.txt` into the working directory and never removes it. In Docker builds this ends up baked into the image layer (small but unnecessary) and can also confuse local runs of the script. Consider writing to a temp file (e.g., via `mktemp`) and/or deleting it at the end of the script.

```sh
echo '[+] detecting module dependencies'
jdeps \
  --class-path "lib/*" \
  --print-module-deps \
  --ignore-missing-deps \
  --multi-release 21 \
  "${input_jar}" \
  > module-deps.txt
module_deps="$(cat module-deps.txt),${static_module_deps}"
```
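The temp-file handling suggested in the comment above, as an added example that is not part of the pull request or of the review. The function name `detect_module_deps` is an assumption; the `jdeps` flags are the ones in the quoted snippet.

```shell
#!/bin/sh
# Added example (not the project's create-jre.sh): the same jdeps call, with
# the intermediate output kept in a mktemp file that is removed on every path,
# so nothing is left in the working directory or baked into an image layer.

# detect_module_deps INPUT_JAR STATIC_DEPS   (hypothetical helper name)
# Prints "<jdeps output>,<STATIC_DEPS>" on stdout.
# Returns non-zero if jdeps fails or reports no modules.
detect_module_deps() {
    input_jar="$1"
    static_module_deps="$2"

    # mktemp creates the file outside the working directory ($TMPDIR or /tmp).
    deps_file="$(mktemp)" || return 1

    if ! jdeps \
        --class-path "lib/*" \
        --print-module-deps \
        --ignore-missing-deps \
        --multi-release 21 \
        "${input_jar}" \
        > "${deps_file}"; then
        rm -f "${deps_file}"
        echo "[x] jdeps failed for ${input_jar}" >&2
        return 1
    fi

    detected="$(cat "${deps_file}")"
    rm -f "${deps_file}"

    # An empty result would otherwise yield a module list starting with ",".
    if [ -z "${detected}" ]; then
        echo "[x] jdeps reported no modules for ${input_jar}" >&2
        return 1
    fi

    printf '%s,%s\n' "${detected}" "${static_module_deps}"
}

# Usage inside a build script:
#   module_deps="$(detect_module_deps "${input_jar}" "${static_module_deps}")" || exit 1
```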
Switches from an executable WAR distribution to a normal JAR one. Instead of shading dependencies, ships them as separate JARs in a lib directory. This is a better fit for containers because it allows for more effective layer caching. The build is faster because the expensive WAR overlays are no longer required. The development setup also becomes less involved, as it removes the need to go through the Jetty Maven plugin. Signed-off-by: nscuro <nscuro@protonmail.com>
Description
Switches from an executable WAR distribution to a normal JAR one. Instead of shading dependencies, ships them as separate JARs in a `lib` directory. This is a better fit for containers because it allows for more effective layer caching.

The build is faster because the expensive WAR overlays are no longer required.

The development setup also becomes less involved, as it removes the need to go through the Jetty Maven plugin.
Addressed Issue
N/A
Additional Details
N/A
Checklist
- This PR fixes a defect, and I have provided tests to verify that the fix is effective
- This PR introduces changes to the database model, and I have updated the migration changelog accordingly
- This PR introduces new or alters existing behavior, and I have updated the documentation accordingly