Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: document scanning dependency-check with dependency-check #5095

Merged
merged 9 commits into from
Dec 9, 2022
Merged

fix: document scanning dependency-check with dependency-check #5095

merged 9 commits into from
Dec 9, 2022

Conversation

jeremylong
Copy link
Owner

  • upgrade and exclude dependencies.
  • move optional, test dependencies to a profile called test-dependencies.
  • document how to run dependency-check on dependency-check by excluding the test-dependencies profile.

@boring-cyborg boring-cyborg bot added core changes to core maven changes to the maven plugin labels Nov 27, 2022
@boring-cyborg boring-cyborg bot added the tests test cases label Nov 27, 2022
aikebah
aikebah reviewed Dec 3, 2022
View reviewed changes
maven/pom.xml Show resolved Hide resolved
aikebah
aikebah approved these changes Dec 4, 2022
View reviewed changes
Copy link
Collaborator

@aikebah aikebah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Checking the output of mvn dependency:tree -Dincludes=org.apache.maven -DreleaseTesting I did spot a dependency that we currently do not govern by the maven API version that I think we should (it's even more modern at 3.8.6): org.apache.maven:maven-compat:jar:3.8.6:provided

@aikebah
Copy link
Collaborator

aikebah commented Dec 4, 2022

LGTM

Checking the output of mvn dependency:tree -Dincludes=org.apache.maven -DreleaseTesting I did spot a dependency that we currently do not govern by the maven API version that I think we should (it's even more modern at 3.8.6): org.apache.maven:maven-compat:jar:3.8.6:provided

Given its purpose it would be even better if we could do without it (its a maven 2.x compatibility layer to ease the transition from 2 to 3, nowadays we're close to reaching the 3 to 4 transition)

@aikebah
Copy link
Collaborator

aikebah commented Dec 4, 2022

LGTM
Checking the output of mvn dependency:tree -Dincludes=org.apache.maven -DreleaseTesting I did spot a dependency that we currently do not govern by the maven API version that I think we should (it's even more modern at 3.8.6): org.apache.maven:maven-compat:jar:3.8.6:provided

Given its purpose it would be even better if we could do without it (its a maven 2.x compatibility layer to ease the transition from 2 to 3, nowadays we're close to reaching the 3 to 4 transition)

According to the maven dependency plugin it appears we can....

[INFO] --- maven-dependency-plugin:3.3.0:analyze (default-cli) @ dependency-check-maven ---
[WARNING] Used undeclared dependencies found:
[WARNING]    org.slf4j:slf4j-api:jar:1.7.36:compile
[WARNING]    org.apache.maven.doxia:doxia-sink-api:jar:1.11.1:compile
[WARNING]    org.hamcrest:hamcrest:jar:2.2:test
[WARNING]    org.apache.maven.resolver:maven-resolver-api:jar:1.6.2:provided
[WARNING]    org.apache.commons:commons-lang3:jar:3.12.0:compile
[WARNING]    com.github.package-url:packageurl-java:jar:1.4.1:compile
[WARNING]    org.apache.maven.shared:maven-common-artifact-filters:jar:3.1.0:compile
[WARNING] Unused declared dependencies found:
[WARNING]    org.apache.maven:maven-model-builder:jar:3.8.1:provided
[WARNING]    org.apache.maven:maven-compat:jar:3.8.6:provided
[WARNING]    org.hamcrest:hamcrest-core:jar:2.2:test
[WARNING]    org.jetbrains:annotations:jar:23.0.0:compile

@jeremylong
Copy link
Owner Author

Can we just remove maven-compat?

BTW - I'm planning on releasing 7.4.1 tomorrow (Friday) - and i'll hopefully get the gradle release correct this time.

@aikebah
Copy link
Collaborator

aikebah commented Dec 8, 2022

@jeremylong I'll run a check today on a build without maven-compat to be fully sure, but fairly certain that it's really unused.

@aikebah
Copy link
Collaborator

aikebah commented Dec 8, 2022

Awaiting the outcome of a final local test and then I'll file a PR onto this branch for the removal of the obsolete dependencies

@jeremylong jeremylong added this to the 7.4.1 milestone Dec 9, 2022
@jeremylong
Copy link
Owner Author

@aikebah Thanks!

@jeremylong jeremylong merged commit 0e83491 into main Dec 9, 2022
@jeremylong jeremylong deleted the fix-scan branch December 9, 2022 10:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aikebah aikebah aikebah approved these changes

Assignees
No one assigned
Labels
core changes to core maven changes to the maven plugin tests test cases
Projects
None yet
Milestone
7.4.1
Development

Successfully merging this pull request may close these issues.
2 participants
@jeremylong @aikebah