versioneye/versioneye_maven_plugin

Improve ignoreDependencyManagement handling

sslavic opened this issue · 6 comments

I'm not sure what was the rationale to introduce ignoreDependencyManagement.
Anyway, IMO how versioneye maven plugin works, with ignoreDependencyManagement set to either true or false, is suboptimal.

For example, try creating a Maven project and declare in it that its parent is

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.3.3.RELEASE</version>
    </parent>

With ignoreDependencyManagement set to false I get in versioneye project version/licensing information about all of the dependencies which are just declared in dependencyManagement of final pom even if they are not actually used in project in either scope. So e.g. even unused optional dependency listed in dependencyManagement from parent pom will be listed.

On the other hand with ignoreDependencyManagement set to true version information coming from pluginManagement of parent pom, for plugins which are used in the project - versioneye project says that the version of plugin is not known. E.g. just add

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

I'd like

  • dependencyManagement version information not to be ignored (so keep it on false by default)
  • change, only list in versioneye project the dependencies which are used in some scope (runtime, compile, test, ...), so do not include dependencyManagement dependencies which are just declared but never used; maybe there can be extra flag to control this or ignoreDependencyManagement can be changed to allow more values, not only true/false
  • if not already possible, provide ability in versioneye project to include/exclude transitive dependencies
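
The distinction the opening post asks for, as an added example that is not part of the original post or the plugin's code: management sections are used only to resolve versions of dependencies and plugins the project actually declares, and entries that are only managed are reported separately. It assumes a single flattened POM (the constructed `SAMPLE_POM` with hypothetical `org.example` coordinates) and does not model parent inheritance, property interpolation or transitive resolution.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample (hypothetical coordinates), not taken from the thread.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>org.example</groupId><artifactId>used-lib</artifactId><version>1.2.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>unused-lib</artifactId><version>9.9.9</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>used-lib</artifactId></dependency>
    <dependency><groupId>org.example</groupId><artifactId>pinned-lib</artifactId><version>3.0.1</version><scope>test</scope></dependency>
  </dependencies>
  <build>
    <pluginManagement><plugins>
      <plugin><groupId>org.example</groupId><artifactId>demo-plugin</artifactId><version>2.4.0</version></plugin>
    </plugins></pluginManagement>
    <plugins>
      <plugin><groupId>org.example</groupId><artifactId>demo-plugin</artifactId></plugin>
    </plugins>
  </build>
</project>"""

def _entries(root, path):
    """Map (groupId, artifactId) -> (version or None, scope or None) for each element at path."""
    out = {}
    for el in root.findall(path, NS):
        key = (el.findtext("m:groupId", None, NS), el.findtext("m:artifactId", None, NS))
        out[key] = (el.findtext("m:version", None, NS), el.findtext("m:scope", None, NS))
    return out

def inventory(pom_xml):
    # Parse only POMs you trust here; ElementTree does not limit entity expansion.
    root = ET.fromstring(pom_xml)
    managed = _entries(root, "m:dependencyManagement/m:dependencies/m:dependency")
    used = _entries(root, "m:dependencies/m:dependency")
    managed_plugins = _entries(root, "m:build/m:pluginManagement/m:plugins/m:plugin")
    used_plugins = _entries(root, "m:build/m:plugins/m:plugin")

    def resolve(declared, mgmt):
        # An explicit version wins; otherwise fall back to the managed version.
        return {k: v or mgmt.get(k, (None, None))[0] for k, (v, _) in declared.items()}

    return {
        "dependencies": resolve(used, managed),          # what the project declares
        "plugins": resolve(used_plugins, managed_plugins),
        "managed_only": sorted(set(managed) - set(used)),  # declared in management, never used
    }
```
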

kyuff commented

I have created a GitHub project that shows some of the points of these issues.

Especially it's a problem we don't get the transitive dependencies in the report.

I would expect a 1-1 match between what files are in a build WAR project and the listing on the report. :)

https://github.com/kyuff/versioneye-bug-report

reiz commented

Hi @kyuff, many thanks for creating the repo. I have just read through it and will try to reproduce it. For right now this plugin is built for direct dependencies only. Transitive dependencies can be resolved on the VersionEye server. But I will work on it to support transitive dependencies directly in the plugin. That could be another option in the configuration section.

reiz commented

@kyuff I just pushed version 3.10.0 to Maven central. This version has a new configuration option. Just add this to the plugin configuration:

    <transitiveDependencies>true</transitiveDependencies>

That will resolve and send the transitive dependencies to the VersionEye API. Please test it and give me feedback. It might take 2 hours until version 3.10.0 is available via Maven central but you can fetch the code from here.

@sslavic This might fix your problem as well because it's resolving only artifacts which are used in the project. Please try out and give me feedback.

reiz commented

@kyuff I saw this note here in your bug report repo: "Twice in the report". That's not a bug. As your project is a multi-module project, VersionEye is creating for the parent pom a parent project and for each module a child project inside of VersionEye. Some dependencies might show up more than one time because they are used in multiple files. The summary report in VersionEye is grouped by child projects, so you should be able to see that the dependency is used in 2 files. Right?

Checked, with 3.10.0 looks good to me.

reiz commented

Cool :)