[ https://issues.apache.org/jira/browse/MENFORCER-432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marcono1234 updated MENFORCER-432:
----------------------------------
Description:
For projects which are either used as parent by other projects, or which are
used as Bill of Materials (BOM), and which declare dependencies in the
{{dependencyManagement}}, it would be useful if {{requireUpperBoundDeps}} were
able to check the dependencies in the {{dependencyManagement}}. This would
allow verifying that the versions of these managed dependencies are correct and
do not cause any issues for consuming projects.
Currently {{requireUpperBoundDeps}} seems to only check regular dependencies;
this prevents it from being used directly on the parent / BOM project, and
instead requires applying it on all consuming projects.
It would be quite useful to already detect conflicting dependency versions
directly in the parent / BOM project.
Maybe a separate option for this (e.g. {{checkDependencyManagement}}) would be
useful to allow enabling / disabling this check.
It appears maven-dependency-tree already determines those managed dependencies
in {{DefaultDependencyCollectorBuilder}} (or {{Maven31DependencyCollectorBuilder}}
in older versions), but does not expose this information.
h3. Example
{code:xml|title=pom.xml}
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>my-bom</artifactId>
  <version>1</version>
  <packaging>pom</packaging>

  <dependencyManagement>
    <!-- Example from
         https://maven.apache.org/enforcer/enforcer-rules/requireUpperBoundDeps.html -->
    <dependencies>
      <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>1.4.0</version>
      </dependency>
      <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-classic</artifactId>
        <version>0.9.9</version>
        <!-- Depends on org.slf4j:slf4j-api:1.5.0 -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.2.1</version>
        <executions>
          <execution>
            <id>enforce</id>
            <configuration>
              <rules>
                <requireUpperBoundDeps>
                </requireUpperBoundDeps>
              </rules>
            </configuration>
            <goals>
              <goal>enforce</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
{code}
Running {{mvn validate}} passes. Only when changing the
{{dependencyManagement}} to regular dependencies does Maven Enforcer detect the
rule violation.
was:
For projects which are either used as parent by other projects, or which are
used as Bill of Materials (BOM), and which declare dependencies in the
{{dependencyManagement}}, it would be useful if {{requireUpperBoundDeps}} were
able to check the dependencies in the {{dependencyManagement}}. This would
allow verifying that the versions of these managed dependencies are correct and
do not cause any issues for consuming projects.
Currently {{requireUpperBoundDeps}} seems to only check regular dependencies;
this prevents it from being used directly on the parent / BOM project, and
instead requires applying it on all consuming projects.
It would be quite useful to already detect conflicting dependency versions
directly in the parent / BOM project.
Maybe a separate option for this (e.g. {{checkDependencyManagement}}) would be
useful to allow enabling / disabling this check.
It appears maven-dependency-tree already determines those managed dependencies
in {{DefaultDependencyCollectorBuilder}} (or {{Maven31DependencyCollectorBuilder}}
in older versions), but does not expose this information.
h3. Example
{code:xml}
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>my-bom</artifactId>
  <version>1</version>
  <packaging>pom</packaging>

  <dependencyManagement>
    <!-- Example from
         https://maven.apache.org/enforcer/enforcer-rules/requireUpperBoundDeps.html -->
    <dependencies>
      <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>1.4.0</version>
      </dependency>
      <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-classic</artifactId>
        <version>0.9.9</version>
        <!-- Depends on org.slf4j:slf4j-api:1.5.0 -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.2.1</version>
        <executions>
          <execution>
            <id>enforce</id>
            <configuration>
              <rules>
                <requireUpperBoundDeps>
                </requireUpperBoundDeps>
              </rules>
            </configuration>
            <goals>
              <goal>enforce</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
{code}
Running {{mvn validate}} passes. Only when changing the
{{dependencyManagement}} to regular dependencies does Maven Enforcer detect the
rule violation.
> requireUpperBoundDeps support for checking dependencyManagement
> ---------------------------------------------------------------
>
> Key: MENFORCER-432
> URL: https://issues.apache.org/jira/browse/MENFORCER-432
> Project: Maven Enforcer Plugin
> Issue Type: Improvement
> Components: Standard Rules
> Affects Versions: 3.1.0, 3.2.1
> Reporter: Marcono1234
> Priority: Minor
> Fix For: waiting-for-feedback
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
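The check the issue asks for, in simplified form as an added example (not Maven Enforcer or maven-dependency-tree code): versions pinned in a BOM's {{dependencyManagement}} are compared against what the managed artifacts themselves require, and a pinned version below such a requirement is reported as the upper-bound violation that {{requireUpperBoundDeps}} currently misses here. Assumptions: the transitive requirements come from a constructed table instead of being resolved from a repository, the POM is the issue's own example without the POM namespace, and version comparison is a numeric-only simplification of Maven's ordering.

```python
# Added example (not Maven Enforcer code): the check MENFORCER-432 asks for, in
# simplified form. Versions pinned in <dependencyManagement> are compared with
# what the managed artifacts themselves require; a pinned version below a
# requirement is an upper-bound violation. Assumptions: requirements come from
# a constructed table, not a repository; version compare is numeric-only.
import xml.etree.ElementTree as ET

# Constructed pom.xml: the BOM from the issue, reduced to dependencyManagement
# (no POM namespace, as in the issue's own example).
BOM_POM = """<project><dependencyManagement><dependencies>
  <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId>
    <version>1.4.0</version></dependency>
  <dependency><groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId><version>0.9.9</version></dependency>
</dependencies></dependencyManagement></project>"""

# Constructed: per managed artifact, the versions its own POM requires. The
# issue's comment states logback-classic 0.9.9 depends on slf4j-api 1.5.0.
REQUIREMENTS = {
    ("ch.qos.logback", "logback-classic", "0.9.9"): {("org.slf4j", "slf4j-api"): "1.5.0"},
}

def version_key(version):
    """Simplified comparison key: numeric dot-separated segments only."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))

def managed_versions(pom_xml):
    """Return {(groupId, artifactId): version} declared in dependencyManagement."""
    root = ET.fromstring(pom_xml)
    return {
        (d.findtext("groupId"), d.findtext("artifactId")): d.findtext("version")
        for d in root.findall("./dependencyManagement/dependencies/dependency")
    }

def upper_bound_violations(pom_xml, requirements):
    """Return [(g:a, pinned, required, requiring g:a:v)] for every managed
    version lower than what another managed artifact requires."""
    managed = managed_versions(pom_xml)
    found = []
    for (g, a, v), needs in requirements.items():
        if managed.get((g, a)) != v:
            continue  # table entry does not match the pinned version; skip it
        for (ng, na), required in needs.items():
            pinned = managed.get((ng, na))
            if pinned and version_key(pinned) < version_key(required):
                found.append((f"{ng}:{na}", pinned, required, f"{g}:{a}:{v}"))
    return found
```

For the issue's BOM this reports slf4j-api pinned at 1.4.0 while logback-classic 0.9.9 requires 1.5.0; raising the managed slf4j-api version to 1.5.0 clears the report.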