27.x : dependency cleanup (helidon-io#12093)

* Remove management of unused dependencie
* Suppress micrometer false positive

Author: barchetta

dependencies/pom.xml

@@ -50,14 +50,12 @@
         <version.lib.graphql-java>22.1</version.lib.graphql-java>
         <version.lib.graphql-java.extended.scalars>22.0</version.lib.graphql-java.extended.scalars>
         <version.lib.grpc>1.73.0</version.lib.grpc>
-        <version.lib.google-findbugs-jsr305>3.0.2</version.lib.google-findbugs-jsr305>
         <version.lib.guava>33.3.1-jre</version.lib.guava>
         <version.lib.h2>2.4.240</version.lib.h2>
         <version.lib.hamcrest>1.3</version.lib.hamcrest>
         <version.lib.handlebars>4.5.1</version.lib.handlebars>
         <version.lib.hibernate.family>6.3</version.lib.hibernate.family>
         <version.lib.hibernate>${version.lib.hibernate.family}.1.Final</version.lib.hibernate>
-        <version.lib.hibernate-validator>8.0.2.Final</version.lib.hibernate-validator>
         <version.lib.hikaricp>5.0.1</version.lib.hikaricp>
         <version.lib.jackson>2.21.3</version.lib.jackson>
         <version.lib.jakarta.activation-api>2.1.3</version.lib.jakarta.activation-api>
@@ -80,9 +78,6 @@
         <!-- Jetbrains annotations: dependency convergence requirement, we never use this directly -->
         <version.lib.jetbrains.annotations>17.0.0</version.lib.jetbrains.annotations>
         <version.lib.junit>5.12.2</version.lib.junit>
-        <version.lib.kafka>3.9.2</version.lib.kafka>
-        <!-- Kotlin: dependency convergence requirement, we never use this directly -->
-        <version.lib.kotlin>1.9.10</version.lib.kotlin>
         <version.lib.log4j>2.25.4</version.lib.log4j>
         <version.lib.micrometer>1.15.2</version.lib.micrometer>
         <version.lib.micrometer-prometheus>1.15.2</version.lib.micrometer-prometheus>
@@ -91,13 +86,8 @@
         <version.lib.narayana>7.1.0.Final</version.lib.narayana>
         <version.lib.ojdbc.family>23</version.lib.ojdbc.family>
         <version.lib.ojdbc>${version.lib.ojdbc.family}.26.1.0.0</version.lib.ojdbc>
-        <!-- Force upgrade of okio for dependency convergence -->
-        <version.lib.okio>3.6.0</version.lib.okio>
-        <!-- Force upgrade okhttp3 for dependency convergence -->
-        <version.lib.okhttp3>4.12.0</version.lib.okhttp3>
         <version.lib.opentelemetry.semconv>1.37.0</version.lib.opentelemetry.semconv>
         <version.lib.opentelemetry>1.58.0</version.lib.opentelemetry>
-        <version.lib.opentelemetry.instrumentation.annotations>2.24.0</version.lib.opentelemetry.instrumentation.annotations>
         <version.lib.parsson>1.1.7</version.lib.parsson>
         <version.lib.postgresql>42.7.11</version.lib.postgresql>
         <version.lib.prometheus>0.16.0</version.lib.prometheus>
@@ -107,7 +97,6 @@
         <version.lib.testcontainers>1.21.4</version.lib.testcontainers>
         <version.lib.typesafe-config>1.4.8</version.lib.typesafe-config>
         <version.lib.yasson>3.0.4</version.lib.yasson>
-        <version.lib.zookeeper>3.5.7</version.lib.zookeeper>
     </properties>
 
     <dependencyManagement>
@@ -161,17 +150,6 @@
                     </exclusion>
                 </exclusions>
             </dependency>
-            <!-- -->
-            <dependency>
-                <groupId>io.opentelemetry.instrumentation</groupId>
-                <artifactId>opentelemetry-instrumentation-annotations</artifactId>
-                <version>${version.lib.opentelemetry.instrumentation.annotations}</version>
-            </dependency>
-            <dependency>
-                <groupId>io.opentelemetry.instrumentation</groupId>
-                <artifactId>opentelemetry-instrumentation-api</artifactId>
-                <version>${version.lib.opentelemetry}</version>
-            </dependency>
             <!--
                 "Jakarta XML Binding API". (See
                 https://github.com/jakartaee/jaxb-api/blob/d8a68e76a5391cb2462f540c9e4c5c81d0a91942/jaxb-api/pom.xml#L23-L25)
@@ -248,11 +226,6 @@
                 <artifactId>parsson</artifactId>
                 <version>${version.lib.parsson}</version>
             </dependency>
-            <dependency>
-                <groupId>org.eclipse.parsson</groupId>
-                <artifactId>parsson-media</artifactId>
-                <version>${version.lib.parsson}</version>
-            </dependency>
             <dependency>
                 <groupId>org.eclipse</groupId>
                 <artifactId>yasson</artifactId>
@@ -276,16 +249,6 @@
                 <version>${version.lib.snakeyaml}</version>
             </dependency>
             <!-- Webserver related -->
-            <dependency>
-                <groupId>io.prometheus</groupId>
-                <artifactId>simpleclient</artifactId>
-                <version>${version.lib.prometheus}</version>
-            </dependency>
-            <dependency>
-                <groupId>io.prometheus</groupId>
-                <artifactId>simpleclient_common</artifactId>
-                <version>${version.lib.prometheus}</version>
-            </dependency>
             <dependency>
                 <groupId>io.prometheus</groupId>
                 <artifactId>simpleclient_tracer_common</artifactId>
@@ -330,12 +293,6 @@
                 <version>${version.lib.micrometer}</version>
             </dependency>
 
-            <dependency>
-                <groupId>io.smallrye</groupId>
-                <artifactId>jandex</artifactId>
-                <version>${version.lib.jandex}</version>
-            </dependency>
-
             <!-- Integrations related -->
             <dependency>
                 <groupId>jakarta.persistence</groupId>
@@ -388,11 +345,6 @@
                 <artifactId>hibernate-core</artifactId>
                 <version>${version.lib.hibernate}</version>
             </dependency>
-            <dependency>
-                <groupId>org.hibernate.validator</groupId>
-                <artifactId>hibernate-validator</artifactId>
-                <version>${version.lib.hibernate-validator}</version>
-            </dependency>
             <dependency>
                 <groupId>org.jboss.narayana.jta</groupId>
                 <artifactId>narayana-jta</artifactId>
@@ -423,27 +375,6 @@
                     </exclusion>
                 </exclusions>
             </dependency>
-            <!-- Kafka support -->
-            <dependency>
-                <groupId>org.apache.kafka</groupId>
-                <artifactId>kafka-clients</artifactId>
-                <version>${version.lib.kafka}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.jetbrains.kotlin</groupId>
-                <artifactId>kotlin-stdlib</artifactId>
-                <version>${version.lib.kotlin}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.jetbrains.kotlin</groupId>
-                <artifactId>kotlin-stdlib-common</artifactId>
-                <version>${version.lib.kotlin}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.jetbrains.kotlin</groupId>
-                <artifactId>kotlin-stdlib-jdk8</artifactId>
-                <version>${version.lib.kotlin}</version>
-            </dependency>
             <dependency>
                 <groupId>org.jetbrains</groupId>
                 <artifactId>annotations</artifactId>
@@ -460,17 +391,13 @@
                 <artifactId>reactive-streams</artifactId>
                 <version>${version.lib.reactivestreams}</version>
             </dependency>
-            <dependency>
-                <groupId>org.reactivestreams</groupId>
-                <artifactId>reactive-streams-tck</artifactId>
-                <version>${version.lib.reactivestreams}</version>
-            </dependency>
             <!-- END OF Section 1: direct third party dependencies -->
 
             <!-- Section 2: third party dependencies used by examples (obsolete) -->
             <!-- END OF Section 2: third party dependencies used by examples -->
 
             <!-- Section 3: transitive dependencies we manage the version of for convergence/upgrade -->
+            <!-- For dependency convergence -->
             <dependency>
                 <groupId>com.google.guava</groupId>
                 <artifactId>guava</artifactId>
@@ -488,40 +415,19 @@
                 <artifactId>commons-lang3</artifactId>
                 <version>${version.lib.commons-lang}</version>
             </dependency>
-            <dependency>
-                <!-- Force upgrade okhttp3 for dependency convergence -->
-                <groupId>com.squareup.okhttp3</groupId>
-                <artifactId>okhttp</artifactId>
-                <version>${version.lib.okhttp3}</version>
-            </dependency>
-            <dependency>
-                <!-- For dependency convergence -->
-                <groupId>com.squareup.okio</groupId>
-                <artifactId>okio</artifactId>
-                <version>${version.lib.okio}</version>
-            </dependency>
-            <dependency>
-            <!-- For dependency convergence -->
-                <groupId>com.squareup.okio</groupId>
-                <artifactId>okio-jvm</artifactId>
-                <version>${version.lib.okio}</version>
-            </dependency>
             <!-- For dependency convergence -->
             <dependency>
                 <groupId>com.google.errorprone</groupId>
                 <artifactId>error_prone_annotations</artifactId>
                 <version>${version.lib.google-error-prone-annotations}</version>
             </dependency>
-            <dependency>
-                <groupId>com.google.code.findbugs</groupId>
-                <artifactId>jsr305</artifactId>
-                <version>${version.lib.google-findbugs-jsr305}</version>
-            </dependency>
+            <!-- For dependency convergence -->
             <dependency>
                 <groupId>com.google.code.gson</groupId>
                 <artifactId>gson</artifactId>
                 <version>${version.lib.google-gson}</version>
             </dependency>
+            <!-- For dependency convergence -->
             <dependency>
                 <groupId>com.google.j2objc</groupId>
                 <artifactId>j2objc-annotations</artifactId>
@@ -550,11 +456,6 @@
                 <artifactId>testcontainers</artifactId>
                 <version>${version.lib.testcontainers}</version>
             </dependency>
-            <dependency>
-                <groupId>org.testcontainers</groupId>
-                <artifactId>mongodb</artifactId>
-                <version>${version.lib.testcontainers}</version>
-            </dependency>
             <dependency>
                 <groupId>org.testcontainers</groupId>
                 <artifactId>mysql</artifactId>
@@ -565,16 +466,6 @@
                 <artifactId>jdbc</artifactId>
                 <version>${version.lib.testcontainers}</version>
             </dependency>
-            <dependency>
-                <groupId>org.testcontainers</groupId>
-                <artifactId>oracle-xe</artifactId>
-                <version>${version.lib.testcontainers}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.slf4j</groupId>
-                <artifactId>slf4j-simple</artifactId>
-                <version>${version.lib.slf4j}</version>
-            </dependency>
             <!-- END OF Section 4: Testing -->
 
             <!-- imported boms -->

etc/dependency-check-suppression.xml

@@ -311,6 +311,24 @@
     <cve>CVE-2023-28867</cve>
 </suppress>
 
+<!-- False Positive
+     These CVEs are against micrometer server, not clinet libraries
+-->
+<suppress>
+    <notes><![CDATA[
+    file name: micrometer-core-1.15.2.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.micrometer/micrometer-core@.*$</packageUrl>
+    <vulnerabilityName>CVE-2026-40983</vulnerabilityName>
+</suppress>
+<suppress>
+    <notes><![CDATA[
+    file name: micrometer-core-1.15.2.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.micrometer/micrometer-core@.*$</packageUrl>
+    <vulnerabilityName>CVE-2026-40984</vulnerabilityName>
+</suppress>
+
 
 
 </suppressions>

pom.xml

@@ -70,17 +70,11 @@
         <version.lib.restito>0.9.1</version.lib.restito>
         <version.lib.rxjava2-jdk9-interop>0.1.0</version.lib.rxjava2-jdk9-interop>
         <version.lib.rxjava>2.2.10</version.lib.rxjava>
-        <version.lib.scala>2.12.10</version.lib.scala>
-        <!-- This is to force upgrade of transitive dep from arquillian -->
-        <!-- 2.x versions used http (not https) to access maven central -->
-        <version.lib.shrinkwrap-resolver>3.0.1</version.lib.shrinkwrap-resolver>
-        <version.lib.spotbugs-annotations>3.1.12</version.lib.spotbugs-annotations>
         <version.lib.testng>7.8.0</version.lib.testng>
         <version.lib.bedrock>7.0.1</version.lib.bedrock>
         <version.lib.awaitility>3.1.6</version.lib.awaitility>
         <version.lib.jmh>1.23</version.lib.jmh>
         <version.lib.vertx-core>4.3.8</version.lib.vertx-core>
-        <version.lib.commons-text>1.15.0</version.lib.commons-text>
         <version.lib.classgraph>4.8.165</version.lib.classgraph>
         <version.lib.maven.plugin.annotations>3.15.1</version.lib.maven.plugin.annotations>
         <version.lib.maven.plugin.api>3.9.15</version.lib.maven.plugin.api>
@@ -912,17 +906,6 @@
 
     <dependencyManagement>
         <dependencies>
-            <dependency>
-                <groupId>org.apache.zookeeper</groupId>
-                <artifactId>zookeeper</artifactId>
-                <version>${version.lib.zookeeper}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.scala-lang</groupId>
-                <artifactId>scala-library</artifactId>
-                <scope>test</scope>
-                <version>${version.lib.scala}</version>
-            </dependency>
             <dependency>
                 <groupId>com.github.akarnokd</groupId>
                 <artifactId>rxjava2-jdk9-interop</artifactId>
@@ -953,11 +936,6 @@
                 <artifactId>bedrock-testing-support</artifactId>
                 <version>${version.lib.bedrock}</version>
             </dependency>
-            <dependency>
-                <groupId>com.github.spotbugs</groupId>
-                <artifactId>spotbugs-annotations</artifactId>
-                <version>${version.lib.spotbugs-annotations}</version>
-            </dependency>
             <dependency>
                 <groupId>org.reactivestreams</groupId>
                 <artifactId>reactive-streams-tck-flow</artifactId>
@@ -973,23 +951,6 @@
                 <artifactId>vertx-web-client</artifactId>
                 <version>${version.lib.vertx-core}</version>
             </dependency>
-            <dependency>
-                <!-- for dependency convergence with handlebars and force upgrade -->
-                <groupId>org.apache.commons</groupId>
-                <artifactId>commons-text</artifactId>
-                <version>${version.lib.commons-text}</version>
-            </dependency>
-            <dependency>
-                <!--
-                Required for dependency convergence
-                Used by both
-                io.rest-assured:rest-assured (from metrics rest TCK)
-                hamcrest-integration (from metrics API TCK)
-                -->
-                <groupId>org.hamcrest</groupId>
-                <artifactId>hamcrest-library</artifactId>
-                <version>${version.lib.hamcrest}</version>
-            </dependency>
             <dependency>
                 <groupId>org.testng</groupId>
                 <artifactId>testng</artifactId>
@@ -1001,17 +962,6 @@
                     </exclusion>
                 </exclusions>
             </dependency>
-            <!-- Force update of shrinkwrap version used by arquillian -->
-            <dependency>
-                <groupId>org.jboss.shrinkwrap.resolver</groupId>
-                <artifactId>shrinkwrap-resolver-impl-maven</artifactId>
-                <version>${version.lib.shrinkwrap-resolver}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.jboss.shrinkwrap.resolver</groupId>
-                <artifactId>shrinkwrap-resolver-api-maven</artifactId>
-                <version>${version.lib.shrinkwrap-resolver}</version>
-            </dependency>
             <dependency>
                 <groupId>org.awaitility</groupId>
                 <artifactId>awaitility</artifactId>
@@ -1033,12 +983,6 @@
                 <artifactId>classgraph</artifactId>
                 <version>${version.lib.classgraph}</version>
             </dependency>
-            <!-- Injection TCK tests -->
-            <dependency>
-                <groupId>jakarta.inject</groupId>
-                <artifactId>jakarta.inject-tck</artifactId>
-                <version>${version.lib.jakarta.inject}</version>
-            </dependency>
             <!-- Maven plugin -->
             <dependency>
                 <groupId>org.apache.maven</groupId>

tracing/providers/opentelemetry/pom.xml

@@ -96,17 +96,6 @@
             <artifactId>grpc-okhttp</artifactId>
             <scope>runtime</scope>
         </dependency>
-        <dependency>
-            <groupId>com.google.guava</groupId>
-            <artifactId>guava</artifactId>
-            <exclusions>
-                <exclusion>
-                    <groupId>com.google.code.findbugs</groupId>
-                    <artifactId>jsr305</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <!-- -->
         <dependency>
             <groupId>io.opentelemetry</groupId>
             <artifactId>opentelemetry-sdk-extension-autoconfigure</artifactId>