fix: resolve overridden plugin dependencies correctly (#8570)#8567
fix: resolve overridden plugin dependencies correctly (#8570)#8567bjansen wants to merge 1 commit into
Conversation
bjansen
changed the title
bjansen
force-pushed
the
bugfix/gh-7566-plugin-deps
branch
from
f077517 to
ba3833c
Compare
There was a problem hiding this comment.
Pull request overview
This PR updates the Maven plugin’s plugin-dependency scanning to account for dependency overrides declared on plugins in the project POM (so overridden plugin dependency versions are resolved correctly and don’t produce false positives).
Changes:
- Look up the matching
Pluginin theMavenProjectwhen resolving a plugin artifact’s transitive dependencies. - Add the plugin’s declared dependencies to the Aether
CollectRequestso they participate in dependency mediation during resolution.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| protected Set<Artifact> resolveArtifactDependencies(final org.eclipse.aether.artifact.Artifact rootArtifact, MavenProject project) | ||
| throws DependencyResolutionException { | ||
| final CollectRequest collectRequest = new CollectRequest(); | ||
| collectRequest.setRoot(new org.eclipse.aether.graph.Dependency(rootArtifact, null)); | ||
| collectRequest.setRepositories(project.getRemoteProjectRepositories()); |
|
@jeremylong before I polish this PR, do you think this approach looks sensible and is worth working on? |
bjansen
force-pushed
the
bugfix/gh-7566-plugin-deps
branch
from
ba3833c to
1a616ff
Compare
|
Without a test to demonstrate what is wrong about the previous behaviour and how this change actually alters that behaviour, it's a bit difficult to understand why this works or whether it actually works. Also - any reason for merging into the I also am finding it difficult to correlate the change to the discussions in #7566 - the root of the issue seems to be that it is including irrelevant |
From what I can see, the branch was updated 2 days ago and
Fair point, I ran the plugin on my machine and it fixed my problem but you have no way to verify that :). I just wanted a quick feedback from you guys before taking more time to work on tests etc. I don't want to waste your time nor mine if this PR is silly and won't be accepted. Consider it a draft for now. I'm not entirely sure it's the same root cause as #7566, in my case dependency-check is reporting FPs on plugins, not on |
|
FYI I created a separate issue for my problem: #8570 |
bjansen
force-pushed
the
bugfix/gh-7566-plugin-deps
branch
from
1a616ff to
f476b6d
Compare
bjansen
changed the title
|
Ahh, my bad, I hadn’t realized #8560 was only merged into a branch, as that’s unusual for the project. That would also explain why using SNAPSHOTs would make no difference for you 😓 |
|
I checked out the How do tests work in the |
|
Canonical published snapshots only come from There are some kind of unit tests there (possibly limited, haven’t paid much attention to the maven plugin), but the integration tests can be run with DependencyCheck/.github/workflows/build-pull-requests.yml Lines 144 to 146 in 6ab9d08 If your fix is not dependent on using the maven resolver it would be better to not be building on top of WIP from a separate experimental draft branch though. I imagine there’s no guarantee that branch will be merged, or when? |
Description of Change
When a pom.xml overrides a plugin's dependencies like this, dependency-check does not take the overrides into account, which might lead to false positives:
In this particular case, dependency-check reports the following error:
The idea in this PR is to mimic what's done in
mvn dependency:resolve-plugins, that is to say to enhance theCollectRequestwith a list of plugin dependencies declared in the pom.xml being scanned:CollectRequesthereRelated issues
This should fix #8570
Have test cases been added to cover the new functionality?
Not yet, I'm just making sure I'm heading towards the right fix for now.