[MDEP-808] restrict dependency analysis by group

[chadwick00]

Full write up of the use case on MDEP-808. Short version is that I've added a new {{includeDependencies}} parameter to allow the scope of the warnings from the analyze goal to be limited to the include dependencies.

Following this checklist to help us incorporate your
contribution quickly and easily:

• Make sure there is a JIRA issue filed
  for the change (usually before you start working on it). Trivial changes like typos do not
  require a JIRA issue. Your pull request should address just this issue, without
  pulling in other changes.
• Each commit in the pull request should have a meaningful subject line and body.
• Format the pull request title like [MDEP-XXX] - Fixes bug in ApproximateQuantiles,
  where you replace MDEP-XXX with the appropriate JIRA issue. Best practice
  is to use the JIRA issue title in the pull request title and in the first line of the
  commit message.
• Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
• Run mvn clean verify to make sure basic checks pass. A more thorough check will
  be performed on your pull request automatically.
• You have run the integration tests successfully (mvn -Prun-its clean verify).

If your pull request is about ~20 lines of code you don't need to sign an
Individual Contributor License Agreement if you are unsure
please ask on the developers list.

To make clear that you license your contribution under
the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

• I hereby declare this contribution to be licenced under the Apache License Version 2.0, January 2004

• In any other case, please file an Apache Individual Contributor License Agreement.

[slawekjaranowski]

Pleas add assertions for IT test

[slawekjaranowski]

Please don't use final for Mojo parameters. It can be inline by compiler ...

[chadwick00]

Done.

[chadwick00]

Although looking back through the code again, I probably did this to remind myself that these aren't mutated by the code. Presumably only a mad-man would write code that would change the contents of a Mojo parameter, even if the compiler allowed them to?

[elharo]

What happens if the same artifact matches both includes and excludes? This needs to be clearly documented.

Also, this PR should include the necessary changes to the project docs, not just the code.

[elharo]

why so old?

[chadwick00]

I think it was just that I wanted to valid project and didn't particularly care about the versions within the project. I can search for a substitution variable to keep in current if having this always lag behind is an eye-sore come review time.

[chadwick00]

I've tried to update the version of the all the dependencies @mavenVersion@, but at least one of the dependencies doesn't like it. I can try harder by choosing alternative dependencies, but I suppose the benefit of keeping these at an old version is that the referenced classes within dependency won't deprecated, as has been done elsewhere.

[elharo]

will match --> matches (tech writing lives in the eternal present)

[elharo]

This is confusing. Try using an example of an unrelated library instead like JodaTime.

[chadwick00]

Done by copying the example Javadoc above. Decided the purpose of this section of the Javadoc is to explain the Maven co-ordinate and wildcard combination rather than the specific behaviour of the parameter.

[elharo]

This isn't clear that everything is included by default when this isn't set.

[chadwick00]

Yes, I've been musing on this point. The default behaviour prior to this change is that everything is included. That can't change without requiring a pom changes downstream. So this is strictly:

"an override to the ignore"

That's a bit mind-bending if you don't have the context. I think the best we can do is to provide a recipe in the Javadoc describing an example use case, such as the one we're going to use it for. Broadly, everything ignored, but this one Maven co-ordinate in.

It doesn't feel like if we were designing this anew we'd start from here, but without a brain-wave on how to prevent a backward incompatible change, this will be the approach.

[chadwick00]

Thinking through some of the use-cases further and wanting more fine-grained control, we're essentially building sub-graphs in the dependency graph. I think that is expressible using Maven co-ordinates, but would be good to back these thoughts with some tests.

[chadwick00]

Decided that building sub-graphs was way too complicated, so sticking with the original approach and updating the Javadoc as requested, which is consistent with the standard Maven filters.... include then exclude.

[elharo]

why are these logged? I thought the point of this PR was to avoid reporting on these.

[chadwick00]

These are logged in the verbose section only. Mirroring the existing verbose section for the explicitly ignored dependencies, I think you'd also want to understand what was ignored implicitly by not being covered within the includes.

[elharo]

exclude or excludes? You have both.

[elharo]

!isEmpty()

[chadwick00]

Not a Collection. Happy to call Arrays.asList (includes) earlier if you prefer.

[elharo]

why the remove call? Doesn't seem needed.

[chadwick00]

The original filterDependencies method both mutates the artifacts argument and indicates what is has removed in the result. I didn't want to change the stateful nature of this methods because that would be a pretty serious overhaul to the code. So the remove call is needed to remove artifacts that don't match the include argument.

[elharo]

I'm still skeptical of this feature. What is the problem solved by not warning on all unused dependencies? Unused dependencies don't break the build. If someone can't fix them all right now, so what?

[elharo]

comma after viable

[elharo]

includeDependency --> groupId

Instead of a pattern here,= separate groupId and artifactId elements are simpler.

Maybe includeDependencies --> analyze or check. I'm not sure.

[elharo]

This needs to be expanded. Based solely on this text — that is, without reading the code or the JIRA — I do not know which dependencies are and are not checked.