From 15f2edfe15b0f1197c558e44e895d620c5064adf Mon Sep 17 00:00:00 2001
From: Devin Smith
Date: Tue, 30 Dec 2025 10:53:29 -0800
Subject: [PATCH] feat: DH-21198: publish deephaven-bom-third-party for constraints
---
 bom-third-party/build.gradle | 13 +++++++++++++
 bom-third-party/gradle.properties | 1 +
 bom/build.gradle | 9 +++++++++
 .../io.deephaven.java-test-conventions.gradle | 5 +++++
 .../io.deephaven.project.java-application.gradle | 5 +++++
 .../groovy/io.deephaven.project.java-local.gradle | 6 ++++++
 .../groovy/io.deephaven.project.java-public.gradle | 10 ++++++++++
 extensions/flight-sql/build.gradle | 11 ++++++-----
 gradle/libs.versions.toml | 6 +-----
 settings.gradle | 1 +
 sql/build.gradle | 5 -----
 11 files changed, 57 insertions(+), 15 deletions(-)
 create mode 100644 bom-third-party/build.gradle
 create mode 100644 bom-third-party/gradle.properties
diff --git a/bom-third-party/build.gradle b/bom-third-party/build.gradle
new file mode 100644
index 00000000000..a7bf12adb8c
--- /dev/null
+++ b/bom-third-party/build.gradle
@@ -0,0 +1,13 @@
+plugins {
+ id 'io.deephaven.project.register'
+}
+
+description = 'Deephaven Bill of Materials for Third Party dependencies'
+
+dependencies {
+ constraints {
+ runtime('net.minidev:json-smart:2.5.2') {
+ because 'fixes CVE-2024-57699'
+ }
+ }
+}
diff --git a/bom-third-party/gradle.properties b/bom-third-party/gradle.properties
new file mode 100644
index 00000000000..314ee538445
--- /dev/null
+++ b/bom-third-party/gradle.properties
@@ -0,0 +1 @@
+io.deephaven.project.ProjectType=BOM_PUBLIC
diff --git a/bom/build.gradle b/bom/build.gradle
index 7b3d454be6a..02eaf93a6b9 100644
--- a/bom/build.gradle
+++ b/bom/build.gradle
@@ -4,7 +4,12 @@ plugins {
 description = 'Deephaven Bill of Materials'
+javaPlatform {
+ allowDependencies()
+}
+
 dependencies {
+ // List out all of the public Deephaven projects with their version
 constraints { constraint ->
 project.rootProject
 .subprojects
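Review bot: The json-smart constraint in bom-third-party/build.gradle is declared on `runtime`, which in a java-platform only lands in the runtimeElements variant, so a project that adds `implementation platform(project(':bom-third-party'))` gets the pin on its runtime classpath but, as far as I can tell, not on its compile classpath; the `implementation` constraints this commit removes from sql/build.gradle and extensions/flight-sql/build.gradle covered both. If compile and runtime classpaths are meant to agree, `api('net.minidev:json-smart:2.5.2') { because 'fixes CVE-2024-57699' }` is the matching declaration. The coordinates also become a string literal outside gradle/libs.versions.toml (the catalog entry is deleted in the same commit), so catalog-driven update tooling may no longer see this version; a comment such as `// Kept out of libs.versions.toml on purpose: this is a constraint, never a direct dependency. Re-check when calcite is bumped.` would record that this is deliberate.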
@@ -14,4 +19,8 @@ dependencies {
 constraint.api p
 }
 }
+
+ // When downstream consumer inherit the Deephaven BOM, they will also inherit our 3rd party constraints BOM. They
+ // can choose to exclude this if they prefer.
+ api platform(project(':bom-third-party'))
 }
diff --git a/buildSrc/src/main/groovy/io.deephaven.java-test-conventions.gradle b/buildSrc/src/main/groovy/io.deephaven.java-test-conventions.gradle
index 4f274286623..420b3e461af 100644
--- a/buildSrc/src/main/groovy/io.deephaven.java-test-conventions.gradle
+++ b/buildSrc/src/main/groovy/io.deephaven.java-test-conventions.gradle
@@ -8,6 +8,11 @@ def testJar = project.tasks.register 'testJar', Jar, { Jar jar ->
 jar.archiveClassifier = 'test'
 }
+dependencies {
+ // All tests should be assembled with adherence to our third-party constraints
+ testImplementation platform(project(':bom-third-party'))
+}
+
 configurations {
 testOutput.extendsFrom testRuntimeClasspath
 }
diff --git a/buildSrc/src/main/groovy/io.deephaven.project.java-application.gradle b/buildSrc/src/main/groovy/io.deephaven.project.java-application.gradle
index 55700971079..602d05e8895 100644
--- a/buildSrc/src/main/groovy/io.deephaven.project.java-application.gradle
+++ b/buildSrc/src/main/groovy/io.deephaven.project.java-application.gradle
@@ -10,6 +10,11 @@ plugins {
 id 'io.deephaven.java-coding-conventions'
 }
+dependencies {
+ // All application should be assembled with adherence to our third-party constraints
+ implementation platform(project(':bom-third-party'))
+}
+
 def quickTask = project.tasks.getByName('quick')
 // We need to make sure that all JAVA_APPLICATION dependencies are public
diff --git a/buildSrc/src/main/groovy/io.deephaven.project.java-local.gradle b/buildSrc/src/main/groovy/io.deephaven.project.java-local.gradle
index 78995a00174..f22c7434c7f 100644
--- a/buildSrc/src/main/groovy/io.deephaven.project.java-local.gradle
+++ b/buildSrc/src/main/groovy/io.deephaven.project.java-local.gradle
@@ -4,3 +4,9 @@ plugins {
 id 'io.deephaven.java-test-conventions'
 id 'io.deephaven.java-coding-conventions'
 }
+
+dependencies {
+ // All local applications (which includes how we package of deephaven-server classpath for the wheel) should be
+ // assembled with adherence to our third-party constraints
+ implementation platform(project(':bom-third-party'))
+}
diff --git a/buildSrc/src/main/groovy/io.deephaven.project.java-public.gradle b/buildSrc/src/main/groovy/io.deephaven.project.java-public.gradle
index 5cabd3a14cd..9e62ff8ccf8 100644
--- a/buildSrc/src/main/groovy/io.deephaven.project.java-public.gradle
+++ b/buildSrc/src/main/groovy/io.deephaven.project.java-public.gradle
@@ -9,6 +9,16 @@ plugins {
 id 'io.deephaven.default-description'
 }
+dependencies {
+ // This would make all of our public POMs have a dependencyManagement block on our 3rd party constraints. This is
+ // excessive most of the time, since the majority of our projects don't depend on the constraints in question. In
+ // addition, this might make it harder for downstream consumers to exclude as they would need to do it in a generic
+ // way or for each dependency individually. Instead, `deephaven-bom-third-party` will be published so that downstream
+ // consumers can depend on it directly; or, if they are already depending on `deephaven-bom`, they will inherit it.
+ //
+ // implementation platform(project(':bom-third-party'))
+}
+
 def quickTask = project.tasks.getByName('quick')
 // We need to make sure that all JAVA_PUBLIC dependencies are public
diff --git a/extensions/flight-sql/build.gradle b/extensions/flight-sql/build.gradle
index 881ec839003..accf8c73c57 100644
--- a/extensions/flight-sql/build.gradle
+++ b/extensions/flight-sql/build.gradle
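Review bot: Leaving the platform commented out in io.deephaven.project.java-public.gradle, combined with the removal of the `implementation` constraints in extensions/flight-sql/build.gradle and sql/build.gradle, means the public projects that actually bring json-smart in (via calcite) no longer publish the pin in their own module metadata; as far as I can tell, a Gradle consumer that depends on deephaven-sql directly without importing deephaven-bom previously received the 2.5.2 constraint transitively and after this commit does not. The long comment in this hunk explains why the platform is not applied to every public project but does not name that consequence. Either add `implementation platform(project(':bom-third-party'))` back in the two projects that need it (the "excessive" argument does not apply there), or extend the comment with a sentence such as `// Consumers that depend on individual artifacts without importing deephaven-bom do not receive these constraints.`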
@@ -32,11 +32,6 @@ dependencies {
 // :sql does not expose calcite as a dependency (maybe it should?); in the meantime, we want to make sure we can
 // provide reasonable error messages to the client
 implementation libs.calcite.core
- constraints {
- implementation(libs.json.smart) {
- because 'CVE-2024-57699'
- }
- }
 implementation libs.dagger
 implementation libs.arrow.flight.sql
@@ -55,6 +50,9 @@ dependencies {
 testRuntimeOnly project(':log-to-slf4j')
 testRuntimeOnly libs.slf4j.simple
+ // The ADBC test classpath should be assembled with adherence to our third-party constraints.
+ // (It does not inherit it by default since jdbcTestImplementation does not extend testImplementation.)
+ adbcTestImplementation platform(project(':bom-third-party'))
 // ADBC testing needs an actually server instance bound to a port because it can only connect over ADBC URIs like
 // grpc://localhost:10000
 adbcTestImplementation project(':server-jetty')
@@ -70,6 +68,9 @@ dependencies {
 adbcTestRuntimeOnly project(':log-to-slf4j')
 adbcTestRuntimeOnly libs.slf4j.simple
+ // The JDBC test classpath should be assembled with adherence to our third-party constraints.
+ // (It does not inherit it by default since jdbcTestImplementation does not extend testImplementation.)
+ jdbcTestImplementation platform(project(':bom-third-party'))
 // JDBC testing needs an actually server instance bound to a port because it can only connect over JDBC URIs like
 // jdbc:arrow-flight-sql://localhost:10000.
 jdbcTestImplementation project(':server-jetty')
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 14d8d9d9d6e..9522427d76a 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
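Review bot: The comment added above `adbcTestImplementation platform(project(':bom-third-party'))` in the second flight-sql hunk says `jdbcTestImplementation does not extend testImplementation`, which reads as copied from the JDBC hunk below; it should name the configuration it sits on: `// (It does not inherit it by default since adbcTestImplementation does not extend testImplementation.)`. Whether either configuration really does not extend testImplementation is not visible in these hunks, so it is worth confirming against the configurations block of this file before relying on the comment.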
@@ -8,11 +8,8 @@ awssdk = "2.29.52"
 aws-s3-tables-catalog-for-iceberg = "0.1.8"
 # See dependency matrix for particular gRPC versions at https://github.com/grpc/grpc-java/blob/master/SECURITY.md#netty
 boringssl = "2.0.61.Final"
-
-# Note: when bumping Calcite version, see if we still need the version constraint for json-smart
+# Note: when bumping Calcite version, see if we still need the version constraint for json-smart (see bom-third-party project)
 calcite = "1.39.0"
-json-smart = "2.5.2"
-
 classgraph = "4.8.180"
 commons-compress = "1.28.0"
 commons-io = "2.21.0"
@@ -135,7 +132,6 @@ s3-tables-catalog-for-iceberg = { module = "software.amazon.s3tables:s3-tables-c
 boringssl = { module = "io.netty:netty-tcnative-boringssl-static", version.ref = "boringssl" }
 calcite-core = { module = "org.apache.calcite:calcite-core", version.ref = "calcite" }
-json-smart = { module = "net.minidev:json-smart", version.ref = "json-smart" }
 classgraph = { module = "io.github.classgraph:classgraph", version.ref = "classgraph" }
diff --git a/settings.gradle b/settings.gradle
index 493387dd5eb..d9f4ab8b8e1 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -44,6 +44,7 @@ include webMods
 include mods
 include 'bom'
+include 'bom-third-party'
 include(':configs')
 project(':configs').projectDir = file('props/configs')
diff --git a/sql/build.gradle b/sql/build.gradle
index 4f58b2a49aa..a37bc9b4f6b 100644
--- a/sql/build.gradle
+++ b/sql/build.gradle
@@ -9,11 +9,6 @@ description = 'The Deephaven SQL parser'
 dependencies {
 api project(':qst')
 implementation libs.calcite.core
- constraints {
- implementation(libs.json.smart) {
- because 'CVE-2024-57699'
- }
- }
 compileOnly project(':util-immutables')
 annotationProcessor libs.immutables.value