Java library best practices

[Preston4tw]

Related to SNOW-765525. This PR addresses a number of build issues related to the current pom.xml as well as adding safety checks via plugins to prevent regressions.

• fix pom.xml url
• add sortpom plugin and sort pom.xml
• remove internal repository reference
• fix scm section
• add a pluginManagement section
• add version properties for plugins
• update plugin versions
• add dependency convergence and upper bounds checks
• fill out dependencyManagement section to converge all dependencies at the upper bound
• add unused declared and used undeclared dependency checks
• remove unused declared dependencies
• add used undeclared dependencies
• fix the declaration of several dependencies
• remove all dependency sections
• remove maven-install-plugin
• add japicmp plugin to enforce semantic versioning
• update maven required version to 3.6.3
• add linkage checker enforcer rule
• add linkage exclusions covering the current set of linkage issues
• add duplicate class enforcer check from extra-enforcer-rules
• adjust the java-9 profile to activate for jdks 9 or greater
• add JPMS line for tests with jdk>8 "--add-opens=java.base/java.nio=ALL-UNNAMED"
• update fmt-maven-plugin
• add maven wrapper, pin maven to 3.8 for compatibility with linkage checker
• disable shading by default, fixes Light driver jar? #174 JDBC driver should not be shade/relocate Bouncycastle #608
• dependency fixes possibly fix SNOW-755718: net.snowflake.client.jdbc.internal.apache.arrow.memory.UnsafeAllocationManager #1211
• update json-smart to 2.4.9, related [Snyk] Fix for 2 vulnerabilities #1311
• httpclient to 4.5.14, [Snyk] Upgrade org.apache.httpcomponents:httpclient from 4.5.5 to 4.5.14 #1273

[github-actions]

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

[Preston4tw]

I have read the CLA Document and I hereby sign the CLA

[Preston4tw]

Here's the diff of dependencies since it won't be obvious by trying to read the pom.xml diff.

• small version increases were to coverage dependencies by upper bounds: https://jlbp.dev/JLBP-16
• removals were unused dependencies

--- pom.xml.old		2023-03-25 03:22:51
+++ pom.xml		2023-03-25 03:23:02
@@ -1,16 +1,16 @@
 - ch.qos.logback:logback-classic:jar:1.2.3:test
 - ch.qos.logback:logback-core:jar:1.2.3:test
-- classworlds:classworlds:jar:1.1:test
 - com.amazonaws:aws-java-sdk-core:jar:1.12.327:compile
 - com.amazonaws:aws-java-sdk-kms:jar:1.12.327:compile
 - com.amazonaws:aws-java-sdk-s3:jar:1.12.327:compile
 - com.amazonaws:aws-java-sdk-sns:jar:1.12.327:test
 - com.amazonaws:aws-java-sdk-sqs:jar:1.12.327:test
 - com.amazonaws:jmespath-java:jar:1.12.327:compile
-- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
-- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile
-- com.fasterxml.jackson.core:jackson-databind:jar:2.13.4.2:compile
-- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.12.6:compile
+- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.5:compile
+- com.fasterxml.jackson.core:jackson-core:jar:2.13.5:compile
+- com.fasterxml.jackson.core:jackson-databind:jar:2.13.5:compile
+- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.13.5:compile
+- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.5:runtime
 - com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
 - com.google.api-client:google-api-client:jar:1.34.0:compile
 - com.google.api.grpc:proto-google-common-protos:jar:2.8.4:compile
@@ -19,126 +19,86 @@
 - com.google.api:gax-httpjson:jar:0.101.0:compile
 - com.google.api:gax:jar:2.16.0:compile
 - com.google.apis:google-api-services-storage:jar:v1-rev20220401-1.32.1:compile
-- com.google.auth:google-auth-library-credentials:jar:1.5.3:compile
-- com.google.auth:google-auth-library-oauth2-http:jar:1.5.3:compile
+- com.google.auth:google-auth-library-credentials:jar:1.6.0:compile
+- com.google.auth:google-auth-library-oauth2-http:jar:1.6.0:compile
 - com.google.auto.value:auto-value-annotations:jar:1.9:compile
 - com.google.cloud:google-cloud-core-http:jar:2.6.0:compile
 - com.google.cloud:google-cloud-core:jar:2.6.0:compile
 - com.google.cloud:google-cloud-storage:jar:2.6.2:compile
 - com.google.code.findbugs:jsr305:jar:3.0.2:compile
-- com.google.code.gson:gson:jar:2.8.9:compile
-- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
+- com.google.code.gson:gson:jar:2.9.0:compile
+- com.google.errorprone:error_prone_annotations:jar:2.11.0:compile
+- com.google.flatbuffers:flatbuffers-java:jar:1.12.0:runtime
 - com.google.guava:failureaccess:jar:1.0.1:compile
-- com.google.guava:guava:jar:30.0-jre:compile
+- com.google.guava:guava:jar:31.1-jre:compile
 - com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
 - com.google.http-client:google-http-client-apache-v2:jar:1.41.7:compile
 - com.google.http-client:google-http-client-appengine:jar:1.41.7:compile
-- com.google.http-client:google-http-client-gson:jar:1.41.3:compile
+- com.google.http-client:google-http-client-gson:jar:1.41.7:compile
 - com.google.http-client:google-http-client-jackson2:jar:1.41.7:compile
-- com.google.http-client:google-http-client:jar:1.41.4:compile
+- com.google.http-client:google-http-client:jar:1.41.7:compile
 - com.google.j2objc:j2objc-annotations:jar:1.3:compile
 - com.google.oauth-client:google-oauth-client:jar:1.33.3:compile
 - com.google.protobuf:protobuf-java-util:jar:3.19.6:compile
 - com.google.protobuf:protobuf-java:jar:3.19.6:compile
-- com.jcraft:jsch:jar:0.1.27:test
 - com.mchange:c3p0:jar:0.9.5.4:test
 - com.mchange:mchange-commons-java:jar:0.2.15:test
 - com.microsoft.azure:azure-keyvault-core:jar:0.8.0:compile
 - com.microsoft.azure:azure-storage:jar:5.0.0:compile
 - com.nimbusds:nimbus-jose-jwt:jar:9.21:compile
 - com.thoughtworks.paranamer:paranamer:jar:2.7:test
-- com.thoughtworks.qdox:qdox:jar:2.0-M9:test
 - com.yammer.metrics:metrics-core:jar:2.2.0:compile
-- com.yammer.metrics:metrics-graphite:jar:2.2.0:compile
 - com.yammer.metrics:metrics-servlet:jar:2.2.0:compile
 - com.zaxxer:HikariCP:jar:2.4.3:test
 - commons-cli:commons-cli:jar:1.2:test
-- commons-codec:commons-codec:jar:1.14:compile
+- commons-codec:commons-codec:jar:1.15:compile
 - commons-dbcp:commons-dbcp:jar:1.4:test
-- commons-io:commons-io:jar:2.8.0:compile
+- commons-io:commons-io:jar:2.11.0:compile
 - commons-logging:commons-logging:jar:1.2:compile
 - commons-pool:commons-pool:jar:1.5.4:test
 - io.grpc:grpc-context:jar:1.45.2:compile
-- io.netty:netty-buffer:jar:4.1.77.Final:compile
-- io.netty:netty-common:jar:4.1.77.Final:compile
+- io.netty:netty-buffer:jar:4.1.82.Final:runtime
+- io.netty:netty-common:jar:4.1.82.Final:runtime
 - io.opencensus:opencensus-api:jar:0.31.0:compile
 - io.opencensus:opencensus-contrib-http-util:jar:0.31.0:compile
 - javax.annotation:javax.annotation-api:jar:1.3.2:compile
 - javax.servlet:javax.servlet-api:jar:3.1.0:compile
 - joda-time:joda-time:jar:2.8.1:compile
-- jtidy:jtidy:jar:4aug2000r7-dev:test
-- junit:junit:jar:4.13.1:test
+- junit:junit:jar:4.13.2:test
 - net.bytebuddy:byte-buddy-agent:jar:1.10.13:test
 - net.bytebuddy:byte-buddy:jar:1.10.13:test
 - net.java.dev.jna:jna-platform:jar:5.13.0:provided
 - net.java.dev.jna:jna:jar:5.13.0:provided
-- net.minidev:accessors-smart:jar:2.4.8:compile
-- net.minidev:json-smart:jar:2.4.8:compile
+- net.minidev:accessors-smart:jar:2.4.9:compile
+- net.minidev:json-smart:jar:2.4.9:compile
 - net.snowflake:snowflake-common:jar:5.1.4:compile
-- org.apache.arrow:arrow-memory-netty:jar:10.0.1:compile
-- org.apache.arrow:arrow-memory-unsafe:jar:10.0.1:compile
+- org.apache.arrow:arrow-format:jar:10.0.1:runtime
+- org.apache.arrow:arrow-memory-core:jar:10.0.1:compile
+- org.apache.arrow:arrow-memory-netty:jar:10.0.1:runtime
+- org.apache.arrow:arrow-memory-unsafe:jar:10.0.1:runtime
 - org.apache.arrow:arrow-vector:jar:10.0.1:compile
 - org.apache.avro:avro:jar:1.8.1:test
-- org.apache.commons:commons-compress:jar:1.21:provided
-- org.apache.commons:commons-exec:jar:1.1:test
-- org.apache.commons:commons-lang3:jar:3.11:test
+- org.apache.commons:commons-compress:jar:1.21:test
+- org.apache.commons:commons-lang3:jar:3.12.0:test
 - org.apache.commons:commons-text:jar:1.10.0:test
-- org.apache.httpcomponents:httpclient:jar:4.5.11:compile
-- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
-- org.apache.maven.doxia:doxia-sink-api:jar:1.0-alpha-7:test
-- org.apache.maven.plugins:maven-failsafe-plugin:jar:3.0.0-M1:test
-- org.apache.maven.reporting:maven-reporting-api:jar:2.0.6:test
-- org.apache.maven.surefire:maven-surefire-common:jar:3.0.0-M1:test
-- org.apache.maven.surefire:surefire-api:jar:3.0.0-M1:test
-- org.apache.maven.surefire:surefire-booter:jar:3.0.0-M1:test
-- org.apache.maven.surefire:surefire-logger-api:jar:3.0.0-M1:test
-- org.apache.maven.wagon:wagon-file:jar:1.0-beta-2:test
-- org.apache.maven.wagon:wagon-http-lightweight:jar:1.0-beta-2:test
-- org.apache.maven.wagon:wagon-http-shared:jar:1.0-beta-2:test
-- org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-2:test
-- org.apache.maven.wagon:wagon-ssh-common:jar:1.0-beta-2:test
-- org.apache.maven.wagon:wagon-ssh-external:jar:1.0-beta-2:test
-- org.apache.maven.wagon:wagon-ssh:jar:1.0-beta-2:test
-- org.apache.maven:maven-artifact-manager:jar:2.0.6:test
-- org.apache.maven:maven-artifact:jar:2.0.6:test
-- org.apache.maven:maven-core:jar:2.0.6:test
-- org.apache.maven:maven-error-diagnostics:jar:2.0.6:test
-- org.apache.maven:maven-model:jar:2.0.6:test
-- org.apache.maven:maven-monitor:jar:2.0.6:test
-- org.apache.maven:maven-plugin-api:jar:2.0.6:test
-- org.apache.maven:maven-plugin-descriptor:jar:2.0.6:test
-- org.apache.maven:maven-plugin-parameter-documenter:jar:2.0.6:test
-- org.apache.maven:maven-plugin-registry:jar:2.0.6:test
-- org.apache.maven:maven-profile:jar:2.0.6:test
-- org.apache.maven:maven-project:jar:2.0.6:test
-- org.apache.maven:maven-repository-metadata:jar:2.0.6:test
-- org.apache.maven:maven-settings:jar:2.0.6:test
-- org.apache.maven:maven-toolchain:jar:1.0:test
+- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
+- org.apache.httpcomponents:httpcore:jar:4.4.16:compile
 - org.apache.tika:tika-core:jar:2.4.1:compile
 - org.bouncycastle:bcpkix-jdk15on:jar:1.70:compile
 - org.bouncycastle:bcprov-jdk15on:jar:1.70:compile
 - org.bouncycastle:bcutil-jdk15on:jar:1.70:compile
-- org.checkerframework:checker-qual:jar:3.5.0:compile
+- org.checkerframework:checker-qual:jar:3.21.4:compile
 - org.codehaus.jackson:jackson-core-asl:jar:1.9.13:test
 - org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:test
-- org.codehaus.mojo:exec-maven-plugin:jar:1.2.1:test
-- org.codehaus.plexus:plexus-archiver:jar:4.3.0:provided
-- org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9:test
-- org.codehaus.plexus:plexus-interactivity-api:jar:1.0-alpha-4:test
-- org.codehaus.plexus:plexus-io:jar:3.3.1:provided
-- org.codehaus.plexus:plexus-java:jar:0.9.11:test
-- org.codehaus.plexus:plexus-utils:jar:2.0.5:provided
-- org.hamcrest:hamcrest-core:jar:1.3:test
-- org.hamcrest:hamcrest:jar:2.1:test
-- org.iq80.snappy:snappy:jar:0.4:provided
+- org.hamcrest:hamcrest-core:jar:2.2:test
+- org.hamcrest:hamcrest:jar:2.2:test
 - org.jsoup:jsoup:jar:1.15.3:compile
 - org.mockito:mockito-core:jar:3.5.6:test
 - org.mockito:mockito-inline:jar:3.5.6:test
 - org.objenesis:objenesis:jar:3.1:test
-- org.ow2.asm:asm:jar:9.1:compile
-- org.slf4j:slf4j-api:jar:1.7.25:provided
+- org.ow2.asm:asm:jar:9.3:compile
+- org.slf4j:slf4j-api:jar:1.7.36:compile
 - org.threeten:threetenbp:jar:1.6.0:compile
-- org.tukaani:xz:jar:1.9:provided
+- org.tukaani:xz:jar:1.9:test
 - org.xerial.snappy:snappy-java:jar:1.1.1.3:test
 - software.amazon.ion:ion-java:jar:1.0.2:compile
-- xml-apis:xml-apis:jar:1.0.b2:test

[sfc-gh-pbennes]

Note to self: looks like the japicmp plugin died for heap size because comparing the shaded jar requires lots of memory. Wufan had a good suggestion which is to see if the plugin config can be scoped to only check snowflake classes and exclude both other classes and internal shaded classes.

[sfc-gh-wshangguan]

@Preston4tw just FYI, the sortpom/VerifyMojo is compiled by Java 11, while the runtime java version is Java 8.

[sfc-gh-pbennes]

#1382