Currently Stratos components do not properly import/export packages to/from OSGi bundles. This might lead to unexpected behaviors in an OSGi runtime. Also dependency versions in pom files are currently hard-coded which is less maintainable.
Following is a summary of changes done;
- Removed hard-coded maven dependency versions and moved everything to parent pom
- Parameterized dependency versions with maven properties
- Added OSGi import ranges for external dependencies which are set from parent pom as a maven property
- Added OSGi import version for Stratos internal dependencies as project.version. This will ensure only intended component will always
- Upgraded commons-collections dependency to version 3.2.2 to mitigate the security vulnerability as reported in 
While working on this I found several issues in the code base. I've summarized the issues and fixes done below.
- Incorrect import of Arrays class in 
Changed the import to java.util.Arrays
- CloudController imports a private package of StratosCommon component 
Changed the import to CC's service holder class
- Incorrect dependency to org.wso2.carbon.identity.oauth.stub component at [4,5] resulting unrunnable code at [6, 7]
This is because actual identity.oauth.stub bundle version packed into the distribution is 4.2.3 and the dependency version defined in the Stratos component is 4.2.0. Changed the dependency version to 4.2.3 and updated code to be compatible with newer version.
- Metadata service webapp imports a private package of StratosCommon component 
- Stratos rest endpoint webapp imports a private package of StratosManager component 
Removed the private package import and used PrivilegedCarbonContext->getOSGiService method in the Carbon kernel to retrieve the ComponentStartUpSynchronizer OSGi service.
- Unnecessary Activator class in Autoscaler component .
Removed the class and reference in maven-bundle-plugin Bundle-Activator directive.
- Embedded dependencies are not added as maven dependencies in the pom for fabric8/kubernetes-api 
Added all relevant maven dependencies to the parent pom (with versions) and sub-module (without versions).