Improve thirdPartyAudit check, round 3

buildSrc/src/main/groovy/org/elasticsearch/gradle/AntTask.groovy

@@ -58,6 +58,9 @@ public abstract class AntTask extends DefaultTask {
             ant.project.removeBuildListener(listener)
         }
 
+        // otherwise groovy replaces System.out, and you have no chance to debug
+        // ant.saveStreams = false
+
         final int outputLevel = logger.isDebugEnabled() ? Project.MSG_DEBUG : Project.MSG_INFO
         final PrintStream stream = useStdout() ? System.out : new PrintStream(outputBuffer, true, Charset.defaultCharset().name())
         BuildLogger antLogger = makeLogger(stream, outputLevel)

buildSrc/src/main/groovy/org/elasticsearch/gradle/precommit/ThirdPartyAuditTask.groovy

@@ -16,51 +16,39 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.elasticsearch.gradle.precommit
+package org.elasticsearch.gradle.precommit;
 
-import org.apache.tools.ant.BuildLogger
+import org.apache.tools.ant.BuildEvent;
-import org.apache.tools.ant.DefaultLogger
+import org.apache.tools.ant.BuildException;
-import org.apache.tools.ant.Project
+import org.apache.tools.ant.BuildListener;
-import org.elasticsearch.gradle.AntTask
+import org.apache.tools.ant.BuildLogger;
-import org.gradle.api.artifacts.Configuration
+import org.apache.tools.ant.DefaultLogger;
-import org.gradle.api.file.FileCollection
+import org.apache.tools.ant.Project;
+import org.elasticsearch.gradle.AntTask;
+import org.gradle.api.artifacts.Configuration;
+import org.gradle.api.file.FileCollection;
 
-import java.nio.file.FileVisitResult
+import java.nio.file.FileVisitResult;
-import java.nio.file.Files
+import java.nio.file.Files;
-import java.nio.file.Path
+import java.nio.file.Path;
-import java.nio.file.SimpleFileVisitor
+import java.nio.file.SimpleFileVisitor;
-import java.nio.file.attribute.BasicFileAttributes
+import java.nio.file.attribute.BasicFileAttributes;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 /**
  * Basic static checking to keep tabs on third party JARs
  */
 public class ThirdPartyAuditTask extends AntTask {
     
-    // true to be lenient about MISSING CLASSES
-    private boolean missingClasses;
-    
     // patterns for classes to exclude, because we understand their issues
     private String[] excludes = new String[0];
     
     ThirdPartyAuditTask() {
-        dependsOn(project.configurations.testCompile)
+        // we depend on this because its the only reliable configuration
-        description = "Checks third party JAR bytecode for missing classes, use of internal APIs, and other horrors'"
+        // this probably makes the build slower: gradle you suck here when it comes to configurations, you pay the price.
-    }
+        dependsOn(project.configurations.testCompile);
-
+        description = "Checks third party JAR bytecode for missing classes, use of internal APIs, and other horrors'";
-    /** 
-     * Set to true to be lenient with missing classes. By default this check will fail if it finds
-     * MISSING CLASSES. This means the set of jars is incomplete. However, in some cases
-     * this can be due to intentional exclusions that are well-tested and understood.
-     */      
-    public void setMissingClasses(boolean value) {
-        missingClasses = value;
-    }
-    
-    /**
-     * Returns true if leniency about missing classes is enabled.
-     */
-    public boolean isMissingClasses() {
-        return missingClasses;
     }
     
     /**
@@ -70,7 +58,7 @@ public class ThirdPartyAuditTask extends AntTask {
     public void setExcludes(String[] classes) {
         for (String s : classes) {
             if (s.indexOf('*') != -1) {
-                throw new IllegalArgumentException("illegal third party audit exclusion: '" + s + "', wildcards are not permitted!")
+                throw new IllegalArgumentException("illegal third party audit exclusion: '" + s + "', wildcards are not permitted!");
             }
         }
         excludes = classes;
@@ -83,29 +71,78 @@ public class ThirdPartyAuditTask extends AntTask {
         return excludes;
     }
 
+    // yes, we parse Uwe Schindler's errors to find missing classes, and to keep a continuous audit. Just don't let him know!
+    static final Pattern MISSING_CLASS_PATTERN =
+        Pattern.compile(/WARNING: The referenced class '(.*)' cannot be loaded\. Please fix the classpath\!/);
+        
+    static final Pattern VIOLATION_PATTERN = 
+        Pattern.compile(/\s\sin ([a-zA-Z0-9\$\.]+) \(.*\)/);
+
+    // we log everything and capture errors and handle them with our whitelist
+    // this is important, as we detect stale whitelist entries, workaround forbidden apis bugs,
+    // and it also allows whitelisting missing classes!
+    static class EvilLogger extends DefaultLogger {
+        final Set<String> missingClasses = new TreeSet<>();
+        final Map<String,List<String>> violations = new TreeMap<>();
+        String previousLine = null;
+
+        @Override
+        public void messageLogged(BuildEvent event) {
+            if (event.getTask().getClass() == de.thetaphi.forbiddenapis.ant.AntTask.class) {
+                if (event.getPriority() == Project.MSG_WARN) {
+                    Matcher m = MISSING_CLASS_PATTERN.matcher(event.getMessage());
+                    if (m.matches()) {
+                        missingClasses.add(m.group(1).replace('.', '/') + ".class");
+                    }
+                } else if (event.getPriority() == Project.MSG_ERR) {
+                    Matcher m = VIOLATION_PATTERN.matcher(event.getMessage());
+                    if (m.matches()) {
+                        String violation = previousLine + '\n' + event.getMessage();
+                        String clazz = m.group(1).replace('.', '/') + ".class";
+                        List<String> current = violations.get(clazz);
+                        if (current == null) {
+                            current = new ArrayList<>();
+                            violations.put(clazz, current);
+                        }
+                        current.add(violation);
+                    }
+                    previousLine = event.getMessage();
+                }
+            }
+            super.messageLogged(event);
+        }
+    }
+
     @Override
     protected BuildLogger makeLogger(PrintStream stream, int outputLevel) {
-        return new DefaultLogger(
+        DefaultLogger log = new EvilLogger();
-            errorPrintStream: stream,
+        log.errorPrintStream = stream;
-            outputPrintStream: stream,
+        log.outputPrintStream = stream;
-            // ignore passed in outputLevel for now, until we are filtering warning messages
+        log.messageOutputLevel = outputLevel;
-            messageOutputLevel: Project.MSG_ERR)
+        return log;
     }
 
     @Override
     protected void runAnt(AntBuilder ant) {
-        ant.project.addTaskDefinition('thirdPartyAudit', de.thetaphi.forbiddenapis.ant.AntTask)
+        Configuration configuration = project.configurations.findByName('runtime');
+        if (configuration == null) {
+            // some projects apparently do not have 'runtime'? what a nice inconsistency,
+            // basically only serves to waste time in build logic!
+            configuration = project.configurations.findByName('testCompile');
+        }
+        assert configuration != null;
+        ant.project.addTaskDefinition('thirdPartyAudit', de.thetaphi.forbiddenapis.ant.AntTask);
 
         // we only want third party dependencies.
-        FileCollection jars = project.configurations.testCompile.fileCollection({ dependency ->
+        FileCollection jars = configuration.fileCollection({ dependency ->
             dependency.group.startsWith("org.elasticsearch") == false
-        })
+        });
 
         // we don't want provided dependencies, which we have already scanned. e.g. don't
         // scan ES core's dependencies for every single plugin
-        Configuration provided = project.configurations.findByName('provided')
+        Configuration provided = project.configurations.findByName('provided');
         if (provided != null) {
-            jars -= provided
+            jars -= provided;
         }
 
         // no dependencies matched, we are done
@@ -113,72 +150,101 @@ public class ThirdPartyAuditTask extends AntTask {
             return;
         }
 
-
         // print which jars we are going to scan, always
         // this is not the time to try to be succinct! Forbidden will print plenty on its own!
-        Set<String> names = new HashSet<>()
+        Set<String> names = new TreeSet<>();
         for (File jar : jars) {
-            names.add(jar.getName())
+            names.add(jar.getName());
-        }
-        logger.error("[thirdPartyAudit] Scanning: " + names)
-
-        // warn that classes are missing
-        // TODO: move these to excludes list!
-        if (missingClasses) {
-            logger.warn("[thirdPartyAudit] WARNING: CLASSES ARE MISSING! Expect NoClassDefFoundError in bug reports from users!")
         }
 
         // TODO: forbidden-apis + zipfileset gives O(n^2) behavior unless we dump to a tmpdir first,
         // and then remove our temp dir afterwards. don't complain: try it yourself.
         // we don't use gradle temp dir handling, just google it, or try it yourself.
 
-        File tmpDir = new File(project.buildDir, 'tmp/thirdPartyAudit')
+        File tmpDir = new File(project.buildDir, 'tmp/thirdPartyAudit');
 
         // clean up any previous mess (if we failed), then unzip everything to one directory
-        ant.delete(dir: tmpDir.getAbsolutePath())
+        ant.delete(dir: tmpDir.getAbsolutePath());
-        tmpDir.mkdirs()
+        tmpDir.mkdirs();
         for (File jar : jars) {
-            ant.unzip(src: jar.getAbsolutePath(), dest: tmpDir.getAbsolutePath())
+            ant.unzip(src: jar.getAbsolutePath(), dest: tmpDir.getAbsolutePath());
         }
 
         // convert exclusion class names to binary file names
         String[] excludedFiles = new String[excludes.length];
         for (int i = 0; i < excludes.length; i++) {
-            excludedFiles[i] = excludes[i].replace('.', '/') + ".class"
+            excludedFiles[i] = excludes[i].replace('.', '/') + ".class";
-            // check if the excluded file exists, if not, sure sign things are outdated
-            if (! new File(tmpDir, excludedFiles[i]).exists()) {
-                throw new IllegalStateException("bogus thirdPartyAudit exclusion: '" + excludes[i] + "', not found in any dependency")
-            }
         }
+        Set<String> excludedSet = new TreeSet<>(Arrays.asList(excludedFiles));
 
         // jarHellReprise
-        checkSheistyClasses(tmpDir.toPath(), new HashSet<>(Arrays.asList(excludedFiles)));
+        Set<String> sheistySet = getSheistyClasses(tmpDir.toPath());
 
-        ant.thirdPartyAudit(internalRuntimeForbidden: true,
+        try { 
+            ant.thirdPartyAudit(internalRuntimeForbidden: false,
                             failOnUnsupportedJava: false,
-                            failOnMissingClasses: !missingClasses,
+                            failOnMissingClasses: false,
-                            classpath: project.configurations.testCompile.asPath) {
+                            signaturesFile: new File(getClass().getResource('/forbidden/third-party-audit.txt').toURI()),
-            fileset(dir: tmpDir, excludes: excludedFiles.join(','))
+                            classpath: configuration.asPath) {
+                fileset(dir: tmpDir)
             }
+        } catch (BuildException ignore) {}
+
+	EvilLogger evilLogger = null;
+        for (BuildListener listener : ant.project.getBuildListeners()) {
+            if (listener instanceof EvilLogger) {
+                evilLogger = (EvilLogger) listener;
+                break;
+            }
+        }
+        assert evilLogger != null;
+
+        // keep our whitelist up to date
+        Set<String> bogusExclusions = new TreeSet<>(excludedSet);
+        bogusExclusions.removeAll(sheistySet);
+        bogusExclusions.removeAll(evilLogger.missingClasses);
+        bogusExclusions.removeAll(evilLogger.violations.keySet());
+        if (!bogusExclusions.isEmpty()) {
+            throw new IllegalStateException("Invalid exclusions, nothing is wrong with these classes: " + bogusExclusions);
+        }
+
+        // don't duplicate classes with the JDK
+        sheistySet.removeAll(excludedSet);
+        if (!sheistySet.isEmpty()) {
+            throw new IllegalStateException("JAR HELL WITH JDK! " + sheistySet);
+        }
+
+        // don't allow a broken classpath
+        evilLogger.missingClasses.removeAll(excludedSet);
+        if (!evilLogger.missingClasses.isEmpty()) {
+            throw new IllegalStateException("CLASSES ARE MISSING! " + evilLogger.missingClasses);
+        }
+
+        // don't use internal classes
+        evilLogger.violations.keySet().removeAll(excludedSet);
+        if (!evilLogger.violations.isEmpty()) {
+            throw new IllegalStateException("VIOLATIONS WERE FOUND! " + evilLogger.violations);
+        }
+
         // clean up our mess (if we succeed)
-        ant.delete(dir: tmpDir.getAbsolutePath())
+        ant.delete(dir: tmpDir.getAbsolutePath());
     }
 
     /**
      * check for sheisty classes: if they also exist in the extensions classloader, its jar hell with the jdk!
      */
-    private void checkSheistyClasses(Path root, Set<String> excluded) {
+    private Set<String> getSheistyClasses(Path root) {
         // system.parent = extensions loader.
         // note: for jigsaw, this evilness will need modifications (e.g. use jrt filesystem!). 
         // but groovy/gradle needs to work at all first!
-        ClassLoader ext = ClassLoader.getSystemClassLoader().getParent()
+        ClassLoader ext = ClassLoader.getSystemClassLoader().getParent();
-        assert ext != null
+        assert ext != null;
         
         Set<String> sheistySet = new TreeSet<>();
         Files.walkFileTree(root, new SimpleFileVisitor<Path>() {
             @Override
             public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException {
-                String entry = root.relativize(file).toString()
+                String entry = root.relativize(file).toString();
                 if (entry.endsWith(".class")) {
                     if (ext.getResource(entry) != null) {
                         sheistySet.add(entry);
@@ -187,19 +253,6 @@ public class ThirdPartyAuditTask extends AntTask {
                 return FileVisitResult.CONTINUE;
             }
         });
-        
+        return sheistySet;
-        // check if we are ok
-        if (sheistySet.isEmpty()) {
-            return;
-        }
-        
-        // leniency against exclusions list
-        sheistySet.removeAll(excluded);
-        
-        if (sheistySet.isEmpty()) {
-            logger.warn("[thirdPartyAudit] WARNING: JAR HELL WITH JDK! Expect insanely hard-to-debug problems!")
-        } else {
-            throw new IllegalStateException("JAR HELL WITH JDK! " + sheistySet);
-        }
     }
 }

buildSrc/src/main/resources/forbidden/third-party-audit.txt

@@ -0,0 +1,98 @@
+# Licensed to Elasticsearch under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance  with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on
+# an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+# either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+# Checks that we run against bytecode of third-party dependencies
+#  
+# Be judicious about what is denied here: MANY classes will be subject
+# to these rules, so please try to keep the false positive rate low!
+#
+# Each third party .class failing checks will need to be explicitly 
+# listed in the module's build.gradle file:
+#    
+#   thirdPartyAudit.excludes = [
+#    // uses internal java api: sun.misc.Unsafe
+#    'org.foo.Bar',
+#    // missing class!
+#    'com.missing.dependency.WTF',
+#    // ...
+#   ]
+#
+# Wildcards are not allowed, excludes must be exact. The build also fails with
+# the message "Invalid exclusions, nothing is wrong with these classes" if 
+# extraneous classes are in the excludes list, this ensures the list is 
+# up-to-date, and that each module accurately documents the evil things 
+# that its dependencies do.
+# 
+# For more information, look at ThirdPartyAuditTask.groovy in buildSrc/
+
+#
+# Ruleset to fail on java internal apis, using this logic:
+# http://docs.oracle.com/javase/8/docs/api/java/lang/SecurityManager.html#checkPackageAccess-java.lang.String-
+#
+# // The list may change at any time, regenerated with:
+# for (String pkg : new TreeSet<>(Arrays.asList(
+#                       Security.getProperty("package.access").split(",")))) {
+#   System.out.println(pkg + "**");
+# }
+#
+@defaultMessage non-public internal runtime class
+com.oracle.webservices.internal.**
+com.oracle.xmlns.internal.**
+com.sun.activation.registries.**
+com.sun.browser.**
+com.sun.corba.se.**
+com.sun.glass.**
+com.sun.imageio.**
+com.sun.istack.internal.**
+com.sun.javafx.**
+com.sun.jmx.**
+com.sun.media.**
+com.sun.media.sound.**
+com.sun.naming.internal.**
+com.sun.openpisces.**
+com.sun.org.apache.bcel.internal.**
+com.sun.org.apache.regexp.internal.**
+com.sun.org.apache.xalan.internal.extensions.**
+com.sun.org.apache.xalan.internal.lib.**
+com.sun.org.apache.xalan.internal.res.**
+com.sun.org.apache.xalan.internal.templates.**
+com.sun.org.apache.xalan.internal.utils.**
+com.sun.org.apache.xalan.internal.xslt.**
+com.sun.org.apache.xalan.internal.xsltc.cmdline.**
+com.sun.org.apache.xalan.internal.xsltc.compiler.**
+com.sun.org.apache.xalan.internal.xsltc.trax.**
+com.sun.org.apache.xalan.internal.xsltc.util.**
+com.sun.org.apache.xerces.internal.**
+com.sun.org.apache.xml.internal.res.**
+com.sun.org.apache.xml.internal.security.**
+com.sun.org.apache.xml.internal.serializer.utils.**
+com.sun.org.apache.xml.internal.utils.**
+com.sun.org.apache.xpath.internal.**
+com.sun.org.glassfish.**
+com.sun.pisces.**
+com.sun.prism.**
+com.sun.proxy.**
+com.sun.scenario.**
+com.sun.t2k.**
+com.sun.webkit.**
+com.sun.xml.internal.**
+jdk.internal.**
+jdk.management.resource.internal.**
+jdk.nashorn.internal.**
+jdk.nashorn.tools.**
+oracle.jrockit.jfr.**
+org.jcp.xml.dsig.internal.**
+sun.**

core/build.gradle

@@ -111,12 +111,121 @@ forbiddenPatterns {
   exclude '**/org/elasticsearch/cluster/routing/shard_routes.txt'
 }
 
-// classes are missing, e.g. org.jboss.marshalling.Marshaller
-thirdPartyAudit.missingClasses = true
-// uses internal sun ssl classes!
 thirdPartyAudit.excludes = [
   // uses internal java api: sun.security.x509 (X509CertInfo, X509CertImpl, X500Name)
   'org.jboss.netty.handler.ssl.util.OpenJdkSelfSignedCertGenerator',
+
+  // classes are missing!
+
+  // from com.fasterxml.jackson.dataformat.yaml.YAMLMapper (jackson-dataformat-yaml)
+  'com.fasterxml.jackson.databind.ObjectMapper', 
+
+  // from org.jboss.netty.handler.codec.protobuf.ProtobufVarint32FrameDecoder (netty)
+  'com.google.protobuf.CodedInputStream', 
+
+  // from org.jboss.netty.handler.codec.protobuf.ProtobufVarint32LengthFieldPrepender (netty)
+  'com.google.protobuf.CodedOutputStream', 
+
+  // from org.jboss.netty.handler.codec.protobuf.ProtobufDecoder (netty)
+  'com.google.protobuf.ExtensionRegistry', 
+  'com.google.protobuf.MessageLite$Builder', 
+  'com.google.protobuf.MessageLite', 
+  'com.google.protobuf.Parser', 
+
+  // from org.apache.log4j.receivers.net.JMSReceiver (log4j-extras)
+  'javax.jms.Message', 
+  'javax.jms.MessageListener', 
+  'javax.jms.ObjectMessage', 
+  'javax.jms.TopicConnection', 
+  'javax.jms.TopicConnectionFactory', 
+  'javax.jms.TopicPublisher', 
+  'javax.jms.TopicSession', 
+  'javax.jms.TopicSubscriber', 
+
+   // from org.apache.log4j.net.SMTPAppender (log4j)
+  'javax.mail.Authenticator', 
+  'javax.mail.Message$RecipientType', 
+  'javax.mail.Message', 
+  'javax.mail.Multipart', 
+  'javax.mail.PasswordAuthentication', 
+  'javax.mail.Session', 
+  'javax.mail.Transport', 
+  'javax.mail.internet.InternetAddress', 
+  'javax.mail.internet.InternetHeaders', 
+  'javax.mail.internet.MimeBodyPart', 
+  'javax.mail.internet.MimeMessage', 
+  'javax.mail.internet.MimeMultipart', 
+  'javax.mail.internet.MimeUtility', 
+
+  // from org.jboss.netty.channel.socket.http.HttpTunnelingServlet (netty)
+  'javax.servlet.ServletConfig', 
+  'javax.servlet.ServletException', 
+  'javax.servlet.ServletOutputStream', 
+  'javax.servlet.http.HttpServlet', 
+  'javax.servlet.http.HttpServletRequest', 
+  'javax.servlet.http.HttpServletResponse', 
+
+  // from org.jboss.netty.logging.CommonsLoggerFactory (netty)
+  'org.apache.commons.logging.Log', 
+  'org.apache.commons.logging.LogFactory',
+
+  // from org.apache.lucene.sandbox.queries.regex.JakartaRegexpCapabilities$JakartaRegexMatcher (lucene-sandbox)
+  'org.apache.regexp.CharacterIterator', 
+  'org.apache.regexp.RE', 
+  'org.apache.regexp.REProgram', 
+
+  // from org.jboss.netty.handler.ssl.OpenSslEngine (netty)
+  'org.apache.tomcat.jni.Buffer', 
+  'org.apache.tomcat.jni.Library', 
+  'org.apache.tomcat.jni.Pool', 
+  'org.apache.tomcat.jni.SSL', 
+  'org.apache.tomcat.jni.SSLContext', 
+  
+  // from org.jboss.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)
+  'org.bouncycastle.asn1.x500.X500Name', 
+  'org.bouncycastle.cert.X509v3CertificateBuilder', 
+  'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter', 
+  'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder', 
+  'org.bouncycastle.jce.provider.BouncyCastleProvider', 
+  'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder', 
+
+  // from org.jboss.netty.handler.ssl.JettyNpnSslEngine (netty)
+  'org.eclipse.jetty.npn.NextProtoNego$ClientProvider', 
+  'org.eclipse.jetty.npn.NextProtoNego$ServerProvider', 
+  'org.eclipse.jetty.npn.NextProtoNego', 
+
+  // from org.jboss.netty.logging.JBossLoggerFactory (netty)
+  'org.jboss.logging.Logger', 
+
+  // from org.jboss.netty.handler.codec.marshalling.ChannelBufferByteInput (netty)
+  'org.jboss.marshalling.ByteInput', 
+
+  // from org.jboss.netty.handler.codec.marshalling.ChannelBufferByteOutput (netty)
+  'org.jboss.marshalling.ByteOutput', 
+
+  // from org.jboss.netty.handler.codec.marshalling.CompatibleMarshallingEncoder (netty)
+  'org.jboss.marshalling.Marshaller', 
+
+  // from org.jboss.netty.handler.codec.marshalling.ContextBoundUnmarshallerProvider (netty)
+  'org.jboss.marshalling.MarshallerFactory', 
+  'org.jboss.marshalling.MarshallingConfiguration', 
+  'org.jboss.marshalling.Unmarshaller', 
+
+  // from com.spatial4j.core.io.GeoJSONReader (spatial4j)
+  'org.noggit.JSONParser', 
+
+  // from org.jboss.netty.container.osgi.NettyBundleActivator (netty)
+  'org.osgi.framework.BundleActivator', 
+  'org.osgi.framework.BundleContext', 
+
+  // from org.jboss.netty.logging.OsgiLoggerFactory$1 (netty)
+  'org.osgi.framework.ServiceReference', 
+  'org.osgi.service.log.LogService', 
+  'org.osgi.util.tracker.ServiceTracker', 
+  'org.osgi.util.tracker.ServiceTrackerCustomizer', 
+
+  'org.slf4j.impl.StaticMDCBinder', 
+  'org.slf4j.impl.StaticMarkerBinder',
 ]
 
 // dependency license are currently checked in distribution

core/src/main/resources/org/elasticsearch/bootstrap/untrusted.policy

@@ -26,10 +26,6 @@ grant {
   // groovy IndyInterface bootstrap requires this property for indy logging
   permission java.util.PropertyPermission "groovy.indy.logging", "read";
   
-  // groovy JsonOutput, just allow it to read these props so it works (unsafe is not allowed)
-  permission java.util.PropertyPermission "groovy.json.faststringutils.disable", "read";
-  permission java.util.PropertyPermission "groovy.json.faststringutils.write.to.final.fields", "read";
-
   // needed by Rhino engine exception handling
   permission java.util.PropertyPermission "rhino.stack.style", "read";
 

modules/lang-expression/build.gradle

@@ -27,16 +27,14 @@ dependencies {
   compile 'org.antlr:antlr4-runtime:4.5.1-1'
   compile 'org.ow2.asm:asm:5.0.4'
   compile 'org.ow2.asm:asm-commons:5.0.4'
+  compile 'org.ow2.asm:asm-tree:5.0.4'
 }
 
 dependencyLicenses {
   mapping from: /lucene-.*/, to: 'lucene'
+  mapping from: /asm-.*/, to: 'asm'
 }
 
-// do we or do we not depend on asm-tree, that is the question
-// classes are missing, e.g. org.objectweb.asm.tree.LabelNode
-thirdPartyAudit.missingClasses = true
-
 compileJava.options.compilerArgs << '-Xlint:-rawtypes'
 compileTestJava.options.compilerArgs << '-Xlint:-rawtypes'
 

modules/lang-expression/licenses/asm-commons-LICENSE.txt

@@ -1,26 +0,0 @@
-Copyright (c) 2012 France Télécom
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-3. Neither the name of the copyright holders nor the names of its
-   contributors may be used to endorse or promote products derived from
-   this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-THE POSSIBILITY OF SUCH DAMAGE.

modules/lang-expression/licenses/asm-commons-NOTICE.txt

@@ -1 +0,0 @@
- 

modules/lang-expression/licenses/asm-tree-5.0.4.jar.sha1

@@ -0,0 +1 @@
+396ce0c07ba2b481f25a70195c7c94922f0d1b0b

modules/lang-groovy/build.gradle

@@ -23,7 +23,7 @@ esplugin {
 }
 
 dependencies {
-  compile 'org.codehaus.groovy:groovy-all:2.4.4:indy'
+  compile 'org.codehaus.groovy:groovy:2.4.4:indy'
 }
 
 compileJava.options.compilerArgs << '-Xlint:-rawtypes,-unchecked,-cast,-deprecation'
@@ -36,11 +36,33 @@ integTest {
   }
 }
 
-// classes are missing, e.g. jline.console.completer.Completer
-thirdPartyAudit.missingClasses = true
 thirdPartyAudit.excludes = [
-    // uses internal java api: sun.misc.Unsafe
+  // classes are missing, we bring in a minimal groovy dist
-    'groovy.json.internal.FastStringUtils',
+  // for example we do not need ivy, scripts arent allowed to download code
-    'groovy.json.internal.FastStringUtils$StringImplementation$1',
+  'com.thoughtworks.xstream.XStream', 
-    'groovy.json.internal.FastStringUtils$StringImplementation$2',
+  'groovyjarjarasm.asm.util.Textifiable', 
+  'org.apache.ivy.Ivy', 
+  'org.apache.ivy.core.event.IvyListener', 
+  'org.apache.ivy.core.event.download.PrepareDownloadEvent', 
+  'org.apache.ivy.core.event.resolve.StartResolveEvent', 
+  'org.apache.ivy.core.module.descriptor.Configuration', 
+  'org.apache.ivy.core.module.descriptor.DefaultDependencyArtifactDescriptor', 
+  'org.apache.ivy.core.module.descriptor.DefaultDependencyDescriptor', 
+  'org.apache.ivy.core.module.descriptor.DefaultExcludeRule', 
+  'org.apache.ivy.core.module.descriptor.DefaultModuleDescriptor', 
+  'org.apache.ivy.core.module.id.ArtifactId', 
+  'org.apache.ivy.core.module.id.ModuleId', 
+  'org.apache.ivy.core.module.id.ModuleRevisionId', 
+  'org.apache.ivy.core.report.ResolveReport', 
+  'org.apache.ivy.core.resolve.ResolveOptions', 
+  'org.apache.ivy.core.settings.IvySettings', 
+  'org.apache.ivy.plugins.matcher.ExactPatternMatcher', 
+  'org.apache.ivy.plugins.matcher.PatternMatcher', 
+  'org.apache.ivy.plugins.resolver.IBiblioResolver', 
+  'org.apache.ivy.util.DefaultMessageLogger', 
+  'org.apache.ivy.util.Message', 
+  'org.fusesource.jansi.Ansi$Attribute', 
+  'org.fusesource.jansi.Ansi$Color', 
+  'org.fusesource.jansi.Ansi', 
+  'org.fusesource.jansi.AnsiRenderWriter',
 ]

modules/lang-groovy/licenses/groovy-2.4.4-indy.jar.sha1

@@ -0,0 +1 @@
+139af316ac35534120c53f05393ce46d60d6da48

modules/lang-groovy/licenses/groovy-all-2.4.4-indy.jar.sha1

@@ -1 +0,0 @@
-574a15e35eba5f986a0564ae197c78e843ece954

modules/lang-groovy/licenses/groovy-all-LICENSE-ANTLR.txt

@@ -1,31 +0,0 @@
-
-SOFTWARE RIGHTS
-
-ANTLR 1989-2006 Developed by Terence Parr
-Partially supported by University of San Francisco & jGuru.com
-
-We reserve no legal rights to the ANTLR--it is fully in the
-public domain. An individual or company may do whatever
-they wish with source code distributed with ANTLR or the
-code generated by ANTLR, including the incorporation of
-ANTLR, or its output, into commerical software.
-
-We encourage users to develop software with ANTLR. However,
-we do ask that credit is given to us for developing
-ANTLR. By "credit", we mean that if you use ANTLR or
-incorporate any source code into one of your programs
-(commercial product, research project, or otherwise) that
-you acknowledge this fact somewhere in the documentation,
-research report, etc... If you like ANTLR and have
-developed a nice tool with the output, please mention that
-you developed it using ANTLR. In addition, we ask that the
-headers remain intact in our source code. As long as these
-guidelines are kept, we expect to continue enhancing this
-system and expect to make other tools available as they are
-completed.
-
-The primary ANTLR guy:
-
-Terence Parr
-parrt@cs.usfca.edu
-parrt@antlr.org

modules/lang-groovy/licenses/groovy-all-LICENSE-ASM.txt

@@ -1,31 +0,0 @@
-/***
- * http://asm.objectweb.org/
- *
- * ASM: a very small and fast Java bytecode manipulation framework
- * Copyright (c) 2000-2005 INRIA, France Telecom
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the copyright holders nor the names of its
- *    contributors may be used to endorse or promote products derived from
- *    this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
- */

modules/lang-groovy/licenses/groovy-all-LICENSE-CLI.txt

@@ -1,202 +0,0 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-

modules/lang-groovy/licenses/groovy-all-LICENSE-JSR223.txt

@@ -1,30 +0,0 @@
-The following notice applies to the files:
-
-src/main/org/codehaus/groovy/jsr223/GroovyCompiledScript.java
-src/main/org/codehaus/groovy/jsr223/GroovyScriptEngineFactory.java
-src/main/org/codehaus/groovy/jsr223/GroovyScriptEngineImpl.java
-
-
-/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.  
- * Use is subject to license terms.
- *
- * Redistribution and use in source and binary forms, with or without modification, are 
- * permitted provided that the following conditions are met: Redistributions of source code 
- * must retain the above copyright notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright notice, this list of 
- * conditions and the following disclaimer in the documentation and/or other materials 
- * provided with the distribution. Neither the name of the Sun Microsystems nor the names of 
- * is contributors may be used to endorse or promote products derived from this software 
- * without specific prior written permission. 
-
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER 
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
- * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */

modules/lang-groovy/src/main/plugin-metadata/plugin-security.policy

@@ -34,7 +34,6 @@ grant {
   permission org.elasticsearch.script.ClassPermission "<<STANDARD>>";
   // groovy runtime (TODO: clean these up if possible)
   permission org.elasticsearch.script.ClassPermission "groovy.grape.GrabAnnotationTransformation";
-  permission org.elasticsearch.script.ClassPermission "groovy.json.JsonOutput";
   permission org.elasticsearch.script.ClassPermission "groovy.lang.Binding";
   permission org.elasticsearch.script.ClassPermission "groovy.lang.GroovyObject";
   permission org.elasticsearch.script.ClassPermission "groovy.lang.GString";

modules/lang-groovy/src/test/java/org/elasticsearch/script/groovy/GroovySecurityTests.java

@@ -83,8 +83,6 @@ public class GroovySecurityTests extends ESTestCase {
         assertSuccess("def range = 1..doc['foo'].value; def v = range.get(0)");
         // Maps
         assertSuccess("def v = doc['foo'].value; def m = [:]; m.put(\"value\", v)");
-        // serialization to json (this is best effort considering the unsafe etc at play)
-        assertSuccess("def x = 5; groovy.json.JsonOutput.toJson(x)");
         // Times
         assertSuccess("def t = Instant.now().getMillis()");
         // GroovyCollections

plugins/discovery-azure/build.gradle

@@ -62,15 +62,38 @@ compileJava.options.compilerArgs << '-Xlint:-deprecation'
 // TODO: and why does this static not show up in maven...
 compileTestJava.options.compilerArgs << '-Xlint:-static'
 
-// classes are missing, e.g. org.osgi.framework.BundleActivator
-thirdPartyAudit.missingClasses = true
-// TODO: figure out what is happening and fix this!!!!!!!!!!!
-// there might be still some undetected jar hell!
-// we need to fix https://github.com/policeman-tools/forbidden-apis/issues/91 first
 thirdPartyAudit.excludes = [
-    // uses internal java api: com.sun.xml.fastinfoset.stax.StAXDocumentParser
+  // classes are missing
-    'com.sun.xml.bind.v2.runtime.unmarshaller.FastInfosetConnector',
+  'javax.servlet.ServletContextEvent', 
-    'com.sun.xml.bind.v2.runtime.unmarshaller.FastInfosetConnector$CharSequenceImpl',
+  'javax.servlet.ServletContextListener', 
-    // uses internal java api: com.sun.xml.fastinfoset.stax.StAXDocumentSerializer
+  'org.apache.avalon.framework.logger.Logger', 
-    'com.sun.xml.bind.v2.runtime.output.FastInfosetStreamWriterOutput',
+  'org.apache.log.Hierarchy', 
+  'org.apache.log.Logger', 
+  'org.eclipse.persistence.descriptors.ClassDescriptor', 
+  'org.eclipse.persistence.internal.oxm.MappingNodeValue', 
+  'org.eclipse.persistence.internal.oxm.TreeObjectBuilder', 
+  'org.eclipse.persistence.internal.oxm.XPathFragment', 
+  'org.eclipse.persistence.internal.oxm.XPathNode', 
+  'org.eclipse.persistence.internal.queries.ContainerPolicy', 
+  'org.eclipse.persistence.jaxb.JAXBContext', 
+  'org.eclipse.persistence.jaxb.JAXBHelper', 
+  'org.eclipse.persistence.mappings.DatabaseMapping', 
+  'org.eclipse.persistence.mappings.converters.TypeConversionConverter', 
+  'org.eclipse.persistence.mappings.foundation.AbstractCompositeDirectCollectionMapping', 
+  'org.eclipse.persistence.oxm.XMLContext', 
+  'org.eclipse.persistence.oxm.XMLDescriptor', 
+  'org.eclipse.persistence.oxm.XMLField', 
+  'org.eclipse.persistence.oxm.mappings.XMLCompositeCollectionMapping', 
+  'org.eclipse.persistence.sessions.DatabaseSession', 
+  'org.jvnet.fastinfoset.VocabularyApplicationData', 
+  'org.jvnet.staxex.Base64Data', 
+  'org.jvnet.staxex.XMLStreamReaderEx', 
+  'org.jvnet.staxex.XMLStreamWriterEx', 
+  'org.osgi.framework.Bundle', 
+  'org.osgi.framework.BundleActivator', 
+  'org.osgi.framework.BundleContext', 
+  'org.osgi.framework.BundleEvent', 
+  'org.osgi.framework.SynchronousBundleListener',
+  'com.sun.xml.fastinfoset.stax.StAXDocumentParser', 
+  'com.sun.xml.fastinfoset.stax.StAXDocumentSerializer',
 ]

plugins/discovery-ec2/build.gradle

@@ -49,11 +49,16 @@ test {
   systemProperty 'tests.artifact', project.name 
 }
 
-// classes are missing, e.g. org.apache.avalon.framework.logger.Logger
-thirdPartyAudit.missingClasses = true
 thirdPartyAudit.excludes = [
   // uses internal java api: com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl
   // uses internal java api: com.sun.org.apache.xml.internal.dtm.ref.DTMManagerDefault
   // uses internal java api: com.sun.org.apache.xpath.internal.XPathContext
   'com.amazonaws.util.XpathUtils',
+
+  // classes are missing
+  'javax.servlet.ServletContextEvent', 
+  'javax.servlet.ServletContextListener', 
+  'org.apache.avalon.framework.logger.Logger', 
+  'org.apache.log.Hierarchy', 
+  'org.apache.log.Logger',
 ]

plugins/discovery-gce/build.gradle

@@ -32,5 +32,13 @@ test {
   systemProperty 'tests.artifact', project.name 
 }
 
-// classes are missing, e.g. org.apache.log.Logger
+thirdPartyAudit.excludes = [
-thirdPartyAudit.missingClasses = true
+  // classes are missing
+  'com.google.common.base.Splitter', 
+  'com.google.common.collect.Lists', 
+  'javax.servlet.ServletContextEvent', 
+  'javax.servlet.ServletContextListener', 
+  'org.apache.avalon.framework.logger.Logger', 
+  'org.apache.log.Hierarchy', 
+  'org.apache.log.Logger',
+]

plugins/lang-plan-a/build.gradle

@@ -28,14 +28,16 @@ dependencies {
   compile 'org.antlr:antlr4-runtime:4.5.1-1'
   compile 'org.ow2.asm:asm:5.0.4'
   compile 'org.ow2.asm:asm-commons:5.0.4'
+  compile 'org.ow2.asm:asm-tree:5.0.4'
+}
+
+dependencyLicenses {
+  mapping from: /asm-.*/, to: 'asm'
 }
 
 compileJava.options.compilerArgs << '-Xlint:-cast,-fallthrough,-rawtypes'
 compileTestJava.options.compilerArgs << '-Xlint:-unchecked'
 
-// classes are missing, e.g. org.objectweb.asm.tree.LabelNode
-thirdPartyAudit.missingClasses = true
-
 // regeneration logic, comes in via ant right now
 // don't port it to gradle, it works fine.
 

plugins/lang-plan-a/licenses/asm-commons-LICENSE.txt

@@ -1,26 +0,0 @@
-Copyright (c) 2012 France Télécom
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-3. Neither the name of the copyright holders nor the names of its
-   contributors may be used to endorse or promote products derived from
-   this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-THE POSSIBILITY OF SUCH DAMAGE.

plugins/lang-plan-a/licenses/asm-commons-NOTICE.txt

@@ -1 +0,0 @@
- 

plugins/lang-plan-a/licenses/asm-tree-5.0.4.jar.sha1

@@ -0,0 +1 @@
+396ce0c07ba2b481f25a70195c7c94922f0d1b0b

plugins/lang-python/build.gradle

@@ -36,8 +36,6 @@ integTest {
   }
 }
 
-// classes are missing, e.g. org.tukaani.xz.FilterOptions
-thirdPartyAudit.missingClasses = true
 thirdPartyAudit.excludes = [
   // uses internal java api: sun.security.x509 (X509CertInfo, X509CertImpl, X500Name)
   'org.python.netty.handler.ssl.util.OpenJdkSelfSignedCertGenerator',
@@ -412,4 +410,119 @@ thirdPartyAudit.excludes = [
   'org.xml.sax.helpers.XMLReaderAdapter$AttributesAdapter',
   'org.xml.sax.helpers.XMLReaderAdapter',
   'org.xml.sax.helpers.XMLReaderFactory',
+
+  // classes are missing
+  'com.jcraft.jzlib.Deflater', 
+  'com.jcraft.jzlib.Inflater', 
+  'com.jcraft.jzlib.JZlib$WrapperType', 
+  'com.jcraft.jzlib.JZlib', 
+  'javassist.ClassClassPath', 
+  'javassist.ClassPath', 
+  'javassist.ClassPool', 
+  'javassist.CtClass', 
+  'javassist.CtMethod', 
+  'javax.servlet.Filter', 
+  'javax.servlet.FilterChain', 
+  'javax.servlet.FilterConfig', 
+  'javax.servlet.ServletConfig', 
+  'javax.servlet.ServletContext', 
+  'javax.servlet.ServletContextEvent', 
+  'javax.servlet.ServletContextListener', 
+  'javax.servlet.ServletException', 
+  'javax.servlet.ServletRequest', 
+  'javax.servlet.ServletResponse', 
+  'javax.servlet.http.HttpServlet', 
+  'javax.servlet.http.HttpServletRequest', 
+  'javax.servlet.http.HttpServletResponse', 
+  'jnr.x86asm.Asm', 
+  'jnr.x86asm.Assembler', 
+  'jnr.x86asm.CPU', 
+  'jnr.x86asm.Mem', 
+  'jnr.x86asm.Register', 
+  'junit.framework.Assert', 
+  'junit.framework.TestCase', 
+  'org.antlr.stringtemplate.StringTemplate', 
+  'org.eclipse.jetty.alpn.ALPN$ClientProvider', 
+  'org.eclipse.jetty.alpn.ALPN$ServerProvider', 
+  'org.eclipse.jetty.alpn.ALPN', 
+  'org.eclipse.jetty.npn.NextProtoNego$ClientProvider', 
+  'org.eclipse.jetty.npn.NextProtoNego$ServerProvider', 
+  'org.eclipse.jetty.npn.NextProtoNego', 
+  'org.jboss.marshalling.ByteInput', 
+  'org.jboss.marshalling.ByteOutput', 
+  'org.jboss.marshalling.Marshaller', 
+  'org.jboss.marshalling.MarshallerFactory', 
+  'org.jboss.marshalling.MarshallingConfiguration', 
+  'org.jboss.marshalling.Unmarshaller', 
+  'org.junit.Assert', 
+  'org.junit.internal.matchers.CombinableMatcher', 
+  'org.junit.matchers.JUnitMatchers', 
+  'org.junit.runner.JUnitCore',
+  'org.python.apache.commons.logging.Log', 
+  'org.python.apache.commons.logging.LogFactory', 
+  'org.python.apache.log4j.Level', 
+  'org.python.apache.log4j.Logger', 
+  'org.python.apache.tomcat.jni.Buffer', 
+  'org.python.apache.tomcat.jni.CertificateVerifier', 
+  'org.python.apache.tomcat.jni.Library', 
+  'org.python.apache.tomcat.jni.Pool', 
+  'org.python.apache.tomcat.jni.SSL', 
+  'org.python.apache.tomcat.jni.SSLContext', 
+  'org.python.apache.tools.ant.BuildException', 
+  'org.python.apache.tools.ant.DirectoryScanner', 
+  'org.python.apache.tools.ant.Project', 
+  'org.python.apache.tools.ant.taskdefs.Execute', 
+  'org.python.apache.tools.ant.taskdefs.Java', 
+  'org.python.apache.tools.ant.taskdefs.MatchingTask', 
+  'org.python.apache.tools.ant.types.Commandline$Argument', 
+  'org.python.apache.tools.ant.types.Path', 
+  'org.python.apache.tools.ant.types.Resource', 
+  'org.python.apache.tools.ant.types.ResourceCollection', 
+  'org.python.apache.tools.ant.types.resources.BaseResourceCollectionContainer', 
+  'org.python.apache.tools.ant.util.GlobPatternMapper', 
+  'org.python.apache.tools.ant.util.SourceFileScanner', 
+  'org.python.apache.xml.resolver.Catalog', 
+  'org.python.apache.xml.resolver.CatalogManager', 
+  'org.python.apache.xml.resolver.readers.SAXCatalogReader', 
+  'org.python.google.protobuf.CodedInputStream', 
+  'org.python.google.protobuf.CodedOutputStream', 
+  'org.python.google.protobuf.ExtensionRegistry', 
+  'org.python.google.protobuf.ExtensionRegistryLite', 
+  'org.python.google.protobuf.MessageLite$Builder', 
+  'org.python.google.protobuf.MessageLite', 
+  'org.python.google.protobuf.MessageLiteOrBuilder', 
+  'org.python.google.protobuf.Parser', 
+  'org.python.objectweb.asm.tree.AbstractInsnNode', 
+  'org.python.objectweb.asm.tree.ClassNode', 
+  'org.python.objectweb.asm.tree.InsnList', 
+  'org.python.objectweb.asm.tree.InsnNode', 
+  'org.python.objectweb.asm.tree.JumpInsnNode', 
+  'org.python.objectweb.asm.tree.LabelNode', 
+  'org.python.objectweb.asm.tree.LocalVariableNode', 
+  'org.python.objectweb.asm.tree.LookupSwitchInsnNode', 
+  'org.python.objectweb.asm.tree.MethodNode', 
+  'org.python.objectweb.asm.tree.TableSwitchInsnNode', 
+  'org.python.objectweb.asm.tree.TryCatchBlockNode', 
+  'org.python.objectweb.asm.tree.analysis.Analyzer', 
+  'org.python.objectweb.asm.tree.analysis.BasicValue', 
+  'org.python.objectweb.asm.tree.analysis.BasicVerifier', 
+  'org.python.objectweb.asm.tree.analysis.Frame', 
+  'org.python.objectweb.asm.tree.analysis.SimpleVerifier', 
+  'org.tukaani.xz.ARMOptions', 
+  'org.tukaani.xz.ARMThumbOptions', 
+  'org.tukaani.xz.DeltaOptions', 
+  'org.tukaani.xz.FilterOptions', 
+  'org.tukaani.xz.FinishableWrapperOutputStream', 
+  'org.tukaani.xz.IA64Options', 
+  'org.tukaani.xz.LZMA2InputStream', 
+  'org.tukaani.xz.LZMA2Options', 
+  'org.tukaani.xz.LZMAInputStream', 
+  'org.tukaani.xz.PowerPCOptions', 
+  'org.tukaani.xz.SPARCOptions', 
+  'org.tukaani.xz.SingleXZInputStream', 
+  'org.tukaani.xz.UnsupportedOptionsException', 
+  'org.tukaani.xz.X86Options', 
+  'org.tukaani.xz.XZ', 
+  'org.tukaani.xz.XZInputStream', 
+  'org.tukaani.xz.XZOutputStream',
 ]

plugins/repository-hdfs/build.gradle

@@ -17,8 +17,6 @@
  * under the License.
  */
 
-//apply plugin: 'nebula.provided-base'
-
 import org.apache.tools.ant.taskdefs.condition.Os
 import java.nio.file.Files
 import java.nio.file.Path
@@ -100,34 +98,243 @@ integTest {
 
 compileJava.options.compilerArgs << '-Xlint:-deprecation,-rawtypes'
 
-thirdPartyAudit.missingClasses = true
 thirdPartyAudit.excludes = [
-  // note: the jersey ones may be bogus, see my bug report at forbidden-apis!
+  // classes are missing, because we added hadoop jars one by one until tests pass.
-  // internal java api: com.sun.jersey.server.impl.inject.AbstractHttpContextInjectable
+  'com.google.gson.stream.JsonReader', 
-  // internal java api: com.sun.jersey.api.core.HttpContext
+  'com.google.gson.stream.JsonWriter', 
-  // internal java api: com.sun.jersey.core.spi.component.ComponentScope
+  'com.jcraft.jsch.ChannelExec', 
-  // internal java api: com.sun.jersey.spi.inject.Injectable
+  'com.jcraft.jsch.JSch', 
-  // internal java api: com.sun.jersey.core.spi.component.ComponentContext
+  'com.jcraft.jsch.Logger', 
-  'org.apache.hadoop.hdfs.web.resources.UserProvider',
+  'com.jcraft.jsch.Session', 
-
+  'com.sun.jersey.api.ParamException', 
-  // internal java api: com.sun.jersey.spi.container.ResourceFilters
+  'com.sun.jersey.api.core.HttpContext', 
-  'org.apache.hadoop.hdfs.server.namenode.web.resources.NamenodeWebHdfsMethods',
+  'com.sun.jersey.core.spi.component.ComponentContext', 
-  // internal java api: com.sun.jersey.spi.container.servlet.ServletContainer
+  'com.sun.jersey.core.spi.component.ComponentScope', 
-  'org.apache.hadoop.http.HttpServer', 
+  'com.sun.jersey.server.impl.inject.AbstractHttpContextInjectable', 
-  'org.apache.hadoop.http.HttpServer2',
+  'com.sun.jersey.spi.container.ContainerRequest', 
-
+  'com.sun.jersey.spi.container.ContainerRequestFilter', 
-  // internal java api: com.sun.jersey.api.ParamException
+  'com.sun.jersey.spi.container.ContainerResponseFilter', 
-  'org.apache.hadoop.hdfs.web.resources.ExceptionHandler',
+  'com.sun.jersey.spi.container.ResourceFilter', 
-  'org.apache.hadoop.hdfs.server.datanode.web.webhdfs.ExceptionHandler',
+  'com.sun.jersey.spi.container.servlet.ServletContainer', 
-  'org.apache.hadoop.hdfs.web.ParamFilter',
+  'com.sun.jersey.spi.inject.Injectable', 
-
+  'com.sun.jersey.spi.inject.InjectableProvider',
-  // internal java api: com.sun.jersey.spi.container.ContainerRequestFilter
+  'io.netty.bootstrap.Bootstrap', 
-  // internal java api: com.sun.jersey.spi.container.ContainerRequest
+  'io.netty.bootstrap.ChannelFactory', 
-  'org.apache.hadoop.hdfs.web.ParamFilter',
+  'io.netty.bootstrap.ServerBootstrap', 
-  'org.apache.hadoop.hdfs.web.ParamFilter$1',
+  'io.netty.buffer.ByteBuf', 
-
+  'io.netty.buffer.Unpooled', 
-  // internal java api: com.sun.jndi.ldap.LdapCtxFactory
+  'io.netty.channel.Channel', 
-  'org.apache.hadoop.security.LdapGroupsMapping',
+  'io.netty.channel.ChannelFuture', 
+  'io.netty.channel.ChannelFutureListener', 
+  'io.netty.channel.ChannelHandler', 
+  'io.netty.channel.ChannelHandlerContext', 
+  'io.netty.channel.ChannelInboundHandlerAdapter', 
+  'io.netty.channel.ChannelInitializer', 
+  'io.netty.channel.ChannelPipeline', 
+  'io.netty.channel.EventLoopGroup', 
+  'io.netty.channel.SimpleChannelInboundHandler', 
+  'io.netty.channel.group.ChannelGroup', 
+  'io.netty.channel.group.ChannelGroupFuture', 
+  'io.netty.channel.group.DefaultChannelGroup', 
+  'io.netty.channel.nio.NioEventLoopGroup', 
+  'io.netty.channel.socket.SocketChannel', 
+  'io.netty.channel.socket.nio.NioServerSocketChannel', 
+  'io.netty.channel.socket.nio.NioSocketChannel', 
+  'io.netty.handler.codec.http.DefaultFullHttpRequest', 
+  'io.netty.handler.codec.http.DefaultFullHttpResponse', 
+  'io.netty.handler.codec.http.DefaultHttpResponse', 
+  'io.netty.handler.codec.http.HttpContent', 
+  'io.netty.handler.codec.http.HttpHeaders', 
+  'io.netty.handler.codec.http.HttpMethod', 
+  'io.netty.handler.codec.http.HttpRequest', 
+  'io.netty.handler.codec.http.HttpRequestDecoder', 
+  'io.netty.handler.codec.http.HttpRequestEncoder', 
+  'io.netty.handler.codec.http.HttpResponseEncoder', 
+  'io.netty.handler.codec.http.HttpResponseStatus', 
+  'io.netty.handler.codec.http.HttpVersion', 
+  'io.netty.handler.codec.http.QueryStringDecoder', 
+  'io.netty.handler.codec.string.StringEncoder', 
+  'io.netty.handler.ssl.SslHandler', 
+  'io.netty.handler.stream.ChunkedStream', 
+  'io.netty.handler.stream.ChunkedWriteHandler', 
+  'io.netty.util.concurrent.GlobalEventExecutor', 
+  'javax.ws.rs.core.Context', 
+  'javax.ws.rs.core.MediaType', 
+  'javax.ws.rs.core.MultivaluedMap', 
+  'javax.ws.rs.core.Response$ResponseBuilder', 
+  'javax.ws.rs.core.Response$Status', 
+  'javax.ws.rs.core.Response', 
+  'javax.ws.rs.core.StreamingOutput', 
+  'javax.ws.rs.core.UriBuilder', 
+  'javax.ws.rs.ext.ExceptionMapper', 
+  'jdiff.JDiff', 
+  'org.apache.avalon.framework.logger.Logger', 
+  'org.apache.avro.Schema', 
+  'org.apache.avro.file.DataFileReader', 
+  'org.apache.avro.file.FileReader', 
+  'org.apache.avro.file.SeekableInput', 
+  'org.apache.avro.generic.GenericDatumReader', 
+  'org.apache.avro.generic.GenericDatumWriter', 
+  'org.apache.avro.io.BinaryDecoder', 
+  'org.apache.avro.io.BinaryEncoder', 
+  'org.apache.avro.io.DatumReader', 
+  'org.apache.avro.io.DatumWriter', 
+  'org.apache.avro.io.DecoderFactory', 
+  'org.apache.avro.io.EncoderFactory', 
+  'org.apache.avro.io.JsonEncoder', 
+  'org.apache.avro.reflect.ReflectData', 
+  'org.apache.avro.reflect.ReflectDatumReader', 
+  'org.apache.avro.reflect.ReflectDatumWriter', 
+  'org.apache.avro.specific.SpecificDatumReader', 
+  'org.apache.avro.specific.SpecificDatumWriter', 
+  'org.apache.avro.specific.SpecificRecord', 
+  'org.apache.commons.beanutils.BeanUtils', 
+  'org.apache.commons.beanutils.DynaBean', 
+  'org.apache.commons.beanutils.DynaClass', 
+  'org.apache.commons.beanutils.DynaProperty', 
+  'org.apache.commons.beanutils.PropertyUtils', 
+  'org.apache.commons.compress.archivers.tar.TarArchiveEntry', 
+  'org.apache.commons.compress.archivers.tar.TarArchiveInputStream', 
+  'org.apache.commons.codec.DecoderException', 
+  'org.apache.commons.codec.binary.Base64', 
+  'org.apache.commons.codec.binary.Hex', 
+  'org.apache.commons.codec.digest.DigestUtils', 
+  'org.apache.commons.daemon.Daemon', 
+  'org.apache.commons.daemon.DaemonContext', 
+  'org.apache.commons.digester.AbstractObjectCreationFactory', 
+  'org.apache.commons.digester.CallMethodRule', 
+  'org.apache.commons.digester.Digester', 
+  'org.apache.commons.digester.ObjectCreationFactory', 
+  'org.apache.commons.digester.substitution.MultiVariableExpander', 
+  'org.apache.commons.digester.substitution.VariableSubstitutor', 
+  'org.apache.commons.digester.xmlrules.DigesterLoader', 
+  'org.apache.commons.httpclient.util.URIUtil', 
+  'org.apache.commons.jxpath.JXPathContext', 
+  'org.apache.commons.jxpath.ri.JXPathContextReferenceImpl', 
+  'org.apache.commons.jxpath.ri.QName', 
+  'org.apache.commons.jxpath.ri.compiler.NodeNameTest', 
+  'org.apache.commons.jxpath.ri.compiler.NodeTest', 
+  'org.apache.commons.jxpath.ri.compiler.NodeTypeTest', 
+  'org.apache.commons.jxpath.ri.model.NodeIterator', 
+  'org.apache.commons.jxpath.ri.model.NodePointer', 
+  'org.apache.commons.jxpath.ri.model.NodePointerFactory', 
+  'org.apache.commons.math3.util.ArithmeticUtils', 
+  'org.apache.commons.net.ftp.FTPClient', 
+  'org.apache.commons.net.ftp.FTPFile', 
+  'org.apache.commons.net.ftp.FTPReply', 
+  'org.apache.commons.net.util.SubnetUtils$SubnetInfo', 
+  'org.apache.commons.net.util.SubnetUtils', 
+  'org.apache.curator.ensemble.fixed.FixedEnsembleProvider', 
+  'org.apache.curator.framework.CuratorFramework', 
+  'org.apache.curator.framework.CuratorFrameworkFactory$Builder', 
+  'org.apache.curator.framework.CuratorFrameworkFactory', 
+  'org.apache.curator.framework.api.ACLBackgroundPathAndBytesable', 
+  'org.apache.curator.framework.api.ACLProvider', 
+  'org.apache.curator.framework.api.BackgroundPathAndBytesable', 
+  'org.apache.curator.framework.api.ChildrenDeletable', 
+  'org.apache.curator.framework.api.CreateBuilder', 
+  'org.apache.curator.framework.api.DeleteBuilder', 
+  'org.apache.curator.framework.api.ExistsBuilder', 
+  'org.apache.curator.framework.api.GetChildrenBuilder', 
+  'org.apache.curator.framework.api.GetDataBuilder', 
+  'org.apache.curator.framework.api.ProtectACLCreateModePathAndBytesable', 
+  'org.apache.curator.framework.api.SetDataBuilder', 
+  'org.apache.curator.framework.api.WatchPathable', 
+  'org.apache.curator.framework.imps.DefaultACLProvider', 
+  'org.apache.curator.framework.listen.ListenerContainer', 
+  'org.apache.curator.framework.recipes.cache.ChildData', 
+  'org.apache.curator.framework.recipes.cache.PathChildrenCache$StartMode', 
+  'org.apache.curator.framework.recipes.cache.PathChildrenCache', 
+  'org.apache.curator.framework.recipes.cache.PathChildrenCacheEvent$Type', 
+  'org.apache.curator.framework.recipes.cache.PathChildrenCacheEvent', 
+  'org.apache.curator.framework.recipes.cache.PathChildrenCacheListener', 
+  'org.apache.curator.framework.recipes.locks.Reaper$Mode', 
+  'org.apache.curator.framework.recipes.locks.Reaper', 
+  'org.apache.curator.framework.recipes.shared.SharedCount', 
+  'org.apache.curator.framework.recipes.shared.VersionedValue', 
+  'org.apache.curator.retry.ExponentialBackoffRetry', 
+  'org.apache.curator.retry.RetryNTimes', 
+  'org.apache.curator.utils.CloseableScheduledExecutorService', 
+  'org.apache.curator.utils.CloseableUtils', 
+  'org.apache.curator.utils.EnsurePath', 
+  'org.apache.curator.utils.PathUtils', 
+  'org.apache.curator.utils.ThreadUtils', 
+  'org.apache.curator.utils.ZKPaths', 
+  'org.apache.directory.server.kerberos.shared.keytab.Keytab', 
+  'org.apache.directory.server.kerberos.shared.keytab.KeytabEntry', 
+  'org.apache.http.NameValuePair', 
+  'org.apache.http.client.utils.URIBuilder', 
+  'org.apache.http.client.utils.URLEncodedUtils',
+  'org.apache.log.Hierarchy', 
+  'org.apache.log.Logger', 
+  'org.apache.tools.ant.BuildException', 
+  'org.apache.tools.ant.DirectoryScanner', 
+  'org.apache.tools.ant.Task', 
+  'org.apache.tools.ant.taskdefs.Execute', 
+  'org.apache.tools.ant.types.FileSet', 
+  'org.apache.xml.serialize.OutputFormat', 
+  'org.apache.xml.serialize.XMLSerializer', 
+  'org.apache.zookeeper.AsyncCallback$StatCallback', 
+  'org.apache.zookeeper.AsyncCallback$StringCallback', 
+  'org.apache.zookeeper.CreateMode', 
+  'org.apache.zookeeper.KeeperException$Code', 
+  'org.apache.zookeeper.KeeperException', 
+  'org.apache.zookeeper.WatchedEvent', 
+  'org.apache.zookeeper.Watcher$Event$EventType', 
+  'org.apache.zookeeper.Watcher$Event$KeeperState', 
+  'org.apache.zookeeper.Watcher', 
+  'org.apache.zookeeper.ZKUtil', 
+  'org.apache.zookeeper.ZooDefs$Ids', 
+  'org.apache.zookeeper.ZooKeeper', 
+  'org.apache.zookeeper.data.ACL', 
+  'org.apache.zookeeper.data.Id', 
+  'org.apache.zookeeper.data.Stat', 
+  'org.codehaus.jackson.JsonEncoding', 
+  'org.codehaus.jackson.JsonFactory', 
+  'org.codehaus.jackson.JsonGenerator', 
+  'org.codehaus.jackson.JsonGenerator$Feature', 
+  'org.codehaus.jackson.JsonNode', 
+  'org.codehaus.jackson.map.MappingJsonFactory', 
+  'org.codehaus.jackson.map.ObjectMapper', 
+  'org.codehaus.jackson.map.ObjectReader', 
+  'org.codehaus.jackson.map.ObjectWriter', 
+  'org.codehaus.jackson.node.ContainerNode', 
+  'org.codehaus.jackson.type.TypeReference', 
+  'org.codehaus.jackson.util.MinimalPrettyPrinter', 
+  'org.fusesource.leveldbjni.JniDBFactory', 
+  'org.iq80.leveldb.DB', 
+  'org.iq80.leveldb.Options', 
+  'org.iq80.leveldb.WriteBatch', 
+  'org.mortbay.jetty.Connector', 
+  'org.mortbay.jetty.Handler', 
+  'org.mortbay.jetty.InclusiveByteRange', 
+  'org.mortbay.jetty.MimeTypes', 
+  'org.mortbay.jetty.NCSARequestLog', 
+  'org.mortbay.jetty.RequestLog', 
+  'org.mortbay.jetty.Server', 
+  'org.mortbay.jetty.handler.ContextHandler$SContext', 
+  'org.mortbay.jetty.handler.ContextHandler', 
+  'org.mortbay.jetty.handler.ContextHandlerCollection', 
+  'org.mortbay.jetty.handler.HandlerCollection', 
+  'org.mortbay.jetty.handler.RequestLogHandler', 
+  'org.mortbay.jetty.nio.SelectChannelConnector', 
+  'org.mortbay.jetty.security.SslSocketConnector', 
+  'org.mortbay.jetty.servlet.AbstractSessionManager', 
+  'org.mortbay.jetty.servlet.Context', 
+  'org.mortbay.jetty.servlet.DefaultServlet', 
+  'org.mortbay.jetty.servlet.FilterHolder', 
+  'org.mortbay.jetty.servlet.FilterMapping', 
+  'org.mortbay.jetty.servlet.ServletHandler', 
+  'org.mortbay.jetty.servlet.ServletHolder', 
+  'org.mortbay.jetty.servlet.SessionHandler', 
+  'org.mortbay.jetty.webapp.WebAppContext', 
+  'org.mortbay.log.Log', 
+  'org.mortbay.thread.QueuedThreadPool', 
+  'org.mortbay.util.MultiException', 
+  'org.mortbay.util.ajax.JSON$Convertible', 
+  'org.mortbay.util.ajax.JSON$Output', 
+  'org.mortbay.util.ajax.JSON', 
+  'org.znerd.xmlenc.XMLOutputter',
 
   // internal java api: sun.net.dns.ResolverConfiguration
   // internal java api: sun.net.util.IPAddressUtil

plugins/repository-s3/build.gradle

@@ -50,11 +50,16 @@ test {
   systemProperty 'tests.artifact', project.name 
 }
 
-// classes are missing, e.g. org.apache.log.Logger
-thirdPartyAudit.missingClasses = true
 thirdPartyAudit.excludes = [
   // uses internal java api: com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl
   // uses internal java api: com.sun.org.apache.xml.internal.dtm.ref.DTMManagerDefault
   // uses internal java api: com.sun.org.apache.xpath.internal.XPathContext
   'com.amazonaws.util.XpathUtils',
+
+  // classes are missing
+  'javax.servlet.ServletContextEvent', 
+  'javax.servlet.ServletContextListener', 
+  'org.apache.avalon.framework.logger.Logger', 
+  'org.apache.log.Hierarchy', 
+  'org.apache.log.Logger',
 ]

qa/evil-tests/build.gradle

@@ -35,8 +35,6 @@ test {
   systemProperty 'tests.security.manager', 'false'
 }
 
-// classes are missing, com.ibm.icu.lang.UCharacter
-thirdPartyAudit.missingClasses = true
 thirdPartyAudit.excludes = [
   // uses internal java api: sun.misc.Unsafe
   'com.google.common.cache.Striped64',
@@ -44,4 +42,7 @@ thirdPartyAudit.excludes = [
   'com.google.common.cache.Striped64$Cell',
   'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator',
   'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator$1',
+  
+  // missing class
+  'com.ibm.icu.lang.UCharacter',
 ]

test/framework/build.gradle

@@ -17,6 +17,8 @@
  * under the License.
  */
 
+import org.elasticsearch.gradle.precommit.PrecommitTasks;
+
 dependencies {
   compile "org.elasticsearch:elasticsearch:${version}"
   compile "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${versions.randomizedrunner}"
@@ -33,5 +35,29 @@ dependencies {
 compileJava.options.compilerArgs << '-Xlint:-cast,-deprecation,-fallthrough,-overrides,-rawtypes,-serial,-try,-unchecked'
 compileTestJava.options.compilerArgs << '-Xlint:-rawtypes'
 
-// we intentionally exclude the ant tasks because people were depending on them from their tests!!!!!!!
+// the main files are actually test files, so use the appopriate forbidden api sigs
-thirdPartyAudit.missingClasses = true
+forbiddenApisMain {
+  bundledSignatures = ['jdk-unsafe', 'jdk-deprecated']
+  signaturesURLs = [PrecommitTasks.getResource('/forbidden/all-signatures.txt'),
+                    PrecommitTasks.getResource('/forbidden/test-signatures.txt')]
+}
+
+// TODO: should we have licenses for our test deps?
+dependencyLicenses.enabled = false
+
+thirdPartyAudit.excludes = [
+  // classes are missing
+  'javax.servlet.ServletContextEvent', 
+  'javax.servlet.ServletContextListener', 
+  'org.apache.avalon.framework.logger.Logger', 
+  'org.apache.log.Hierarchy', 
+  'org.apache.log.Logger', 
+   // we intentionally exclude the ant tasks because people were depending on them from their tests!!!!!!!
+  'org.apache.tools.ant.BuildException', 
+  'org.apache.tools.ant.DirectoryScanner', 
+  'org.apache.tools.ant.Task', 
+  'org.apache.tools.ant.types.FileSet', 
+  'org.easymock.EasyMock', 
+  'org.easymock.IArgumentMatcher', 
+  'org.jmock.core.Constraint',
+]