Separate /model into its own module

[chirag-ghosh]

Which problem is this PR solving?

• Resolves feat: Separate /model into its own module #4899

Description of the changes

• Created go module at /model. Used replace in go.mod at / and /model
• Updated /scripts/check-go-version.sh to check /model/go.mod as well.
• Added support in dependabot (opentelemetry moved from dependabot to renovate-bot here. We can use dependabot for multiple modules though.)
• For releases, we can use multimod by opentelemetry. A versions.yaml will define the different versions of different modules. (I have not implemented this yet.)
• Code coverage should not be affected I feel. Although let's see the codecov report.

How was this change tested?

• make lint test

Checklist

• I have read https://github.com/jaegertracing/jaeger/blob/master/CONTRIBUTING_GUIDELINES.md
• I have signed all commits
• I have added unit tests for the new functionality
• I have run lint and test steps successfully
  • for jaeger: make lint test
  • for jaeger-ui: yarn lint and yarn test

[yurishkuro]

Does this mean we have circular dependency? Because in that case the whole exercise is pointless, the whole reason for separating model was so that OTEL contrib could import it with the rest of jaeger deps. I think model should have very minimal deps, we can probably separate them.

[chirag-ghosh]

i think we can remove this. this was automatically added when i ran go mod tidy.

[chirag-ghosh]

The only dependency of jaeger in /model is in tests like here. I think we need to have the testutils inside /model as well to remove the dependency.

[mmorel-35]

I see model/adjuster/package_test.go
Pointing to pkg/utils, which can explain the circular dependency.
There might be more that this one

Edit. There is also an import from thrift-gen and proto-gen packages.

[chirag-ghosh]

to remove the circular dependency we will need to either copy the same things inside /model or make them separate packages as well

[yurishkuro]

What is the significance of this weird version? Is dependabot going to try to change it? Did you try on a separate repo?

[chirag-ghosh]

I will try in my repository and see what happens

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (8183d12) 95.62% compared to head (7dd56dd) 95.34%.
Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5144      +/-   ##
==========================================
- Coverage   95.62%   95.34%   -0.28%     
==========================================
  Files         324      324              
  Lines       18590    18590              
==========================================
- Hits        17776    17725      -51     
- Misses        653      707      +54     
+ Partials      161      158       -3     

Flag	Coverage Δ
cassandra-3.x	25.58% <ø> (ø)
cassandra-4.x	25.58% <ø> (ø)
elasticsearch-5.x	19.86% <ø> (ø)
elasticsearch-6.x	19.86% <ø> (ø)
elasticsearch-7.x	19.98% <ø> (-0.02%)	⬇️
elasticsearch-8.x	20.08% <ø> (ø)
grpc-badger	19.48% <ø> (-0.02%)	⬇️
kafka	3.92% <ø> (-10.17%)	⬇️
opensearch-1.x	20.00% <ø> (ø)
opensearch-2.x	19.98% <ø> (-0.02%)	⬇️
unittests	93.32% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[chirag-ghosh]

@yurishkuro Can you please help me figure out why the code coverage went down?

[yurishkuro]

Can you please help me figure out why the code coverage went down?

In the report I see that all /model/ files are down to 0% coverage. I suspect go test ./... does not include sub-modules - this is one of the things that needs to be figured out.

[yurishkuro]

another issue - the vulnerability checker flagged /model/ as vulnerable dependency, I suspect because of 0.x version number. What is the story with this version number? In OTEL collector I see that their versions are in sync across modules, so they must have some mechanism for managing/updating those after release.

Vulnerabilities
  model/go.mod » github.com/jaegertracing/[email protected] – A stored XSS in jaeger UI might allow an attacker who controls a trace to perform arbitrary jaeger queries (moderate severity)
    ↪ https://github.com/advisories/GHSA-2w[8](https://github.com/jaegertracing/jaeger/actions/runs/7656173413/job/20863882760?pr=5144#step:5:9)w-qhg4-f78j
  model/go.mod » github.com/jaegertracing/[email protected] – Information Exposure in jaeger (moderate severity)
    ↪ https://github.com/advisories/GHSA-gh32-pc56-4c[9](https://github.com/jaegertracing/jaeger/actions/runs/7656173413/job/20863882760?pr=5144#step:5:10)6
  Error: Dependency review detected vulnerable packages.

[chirag-ghosh]

The wierd versioning happended after I aded the replace lines and ran go mod tidy. Here is a StackOverflow question regarding it.

[yurishkuro]

closing #4899 (comment)