The product interface org.apache.jackrabbit.api.security.user.Query annotated with @ProviderType should not be implemented by custom code

[manuel-sanchez-vilt]

AEM Version, including Service Packs, Cumulative Fix Packs, etc: AEM 2023.7.12874.20230726T072051Z
Access Control Tool version: 3.0.8

When I launch a non-production code quality pipeline in Cloud Manager I get the following critical bugs:

File Location	Line Number	Issue	Type	Severity	Effort	Rule	Tags	Documentation
Netcentric:accesscontroltool-package:3.0.8	0	The product interface org.apache.jackrabbit.api.security.user.Query annotated with @ProviderType should not be implemented by custom code. Detected in biz.netcentric.cq.tools.actool.dumpservice.impl.DumpServiceImpl$1 contained in /apps/netcentric/actool/install/accesscontroltool-bundle-3.0.8.jar.	Bug	Critical	30m	CQRules:CQBP-84	cqsoftwarequality	https://www.adobe.com/go/aem_cmcq_cqbp-84_en
Netcentric:accesscontroltool-package:3.0.8	0	The product interface org.apache.jackrabbit.api.security.user.Query annotated with @ProviderType should not be implemented by custom code. Detected in biz.netcentric.cq.tools.actool.authorizableinstaller.impl.AuthInstallerUserManagerPrefetchingImpl$1 contained in /apps/netcentric/actool/install/accesscontroltool-bundle-3.0.8.jar.	Bug	Critical	30m	CQRules:CQBP-84	cqsoftwarequality	https://www.adobe.com/go/aem_cmcq_cqbp-84_en

[teropikala]

I'm seeing the same with version 3.0.9 and AEM Release 2023.9.13420.20230907T185228Z

[teropikala]

It looks like this relatively recent change has added @ProviderType to Query class:

https://issues.apache.org/jira/browse/OAK-10252
apache/jackrabbit-oak#948

[kwin]

Thanks for the report and the pointers towards https://issues.apache.org/jira/browse/OAK-10252. I consider this a false positive and therefore raised https://issues.apache.org/jira/browse/OAK-10448. Until this is fixed in a newer Oak version please just ignore that issue in your Cloud Manager build.

[teropikala]

I had a quick look at the code and if I'm not mistaken it would be easy to address on accesscontroltool.

Those two classes define their own version of Query instead of building it with QueryBuilder.

[kwin]

QueryBuilder(https://github.com/apache/jackrabbit-oak/blob/dcd46825e21f373fda8dbfe61cdaeac522fe15eb/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/QueryBuilder.java) does not expose a method which returns a Query. Also AFAIK there is no Query implementation exposed by Oak/Jackrabbit which could be used with https://github.com/apache/jackrabbit-oak/blob/dcd46825e21f373fda8dbfe61cdaeac522fe15eb/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/UserManager.java#L167

[teropikala]

Indeed. I confused com.day.cq.search.Query and org.apache.jackrabbit.api.security.user.Query

@ProviderType annotation doesn't make any sense if correct way to use the Query/QueryBuilder is to define new class according to JavaDoc: https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/api/security/user/Query.html

[thcharan]

@kwin - the same issue reported for ACS Commons was resolved . FYI.
Adobe-Consulting-Services/acs-aem-commons#3185

[kwin]

@thcharan A similar one was reported for ACS AEM Commons but in this case it is really false positive while for ACS AEM Commons it was a correctly classified provider type interface which was implemented (JackrabbitSession).

[tech-arch-forum]

We also face the same critical issue in the Cloud Manager pipeline with version 6.0.6 is that getting resolve in next release?

[kwin]

No, as you can see in comments above this is a bug in Oak and requires a fix there.

[adellanegra]

Hi,
any update about the issue fix?
for deploying the code we are forced to "hide" the netcentric dependencies and it means that the tool is not available anymore so if we need urgently to be fixed.

Thanks

[kwin]

I think this has been fixed in newer versions of AEMaaCS meanwhile.