-
Notifications
You must be signed in to change notification settings - Fork 172
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[MDEP-808] restrict dependency analysis by group #218
base: master
Are you sure you want to change the base?
[MDEP-808] restrict dependency analysis by group #218
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pleas add assertions for IT test
@@ -215,7 +216,7 @@ | |||
* @since 2.10 | |||
*/ | |||
@Parameter | |||
private String[] ignoredUsedUndeclaredDependencies = new String[0]; | |||
private final String[] ignoredUsedUndeclaredDependencies = new String[0]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please don't use final
for Mojo parameters. It can be inline by compiler ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Although looking back through the code again, I probably did this to remind myself that these aren't mutated by the code. Presumably only a mad-man would write code that would change the contents of a Mojo parameter, even if the compiler allowed them to?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens if the same artifact matches both includes and excludes? This needs to be clearly documented.
Also, this PR should include the necessary changes to the project docs, not just the code.
<dependencies> | ||
<dependency> | ||
<groupId>org.apache.maven</groupId> | ||
<artifactId>maven-project</artifactId> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why so old?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it was just that I wanted to valid project and didn't particularly care about the versions within the project. I can search for a substitution variable to keep in current if having this always lag behind is an eye-sore come review time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've tried to update the version of the all the dependencies @mavenVersion@, but at least one of the dependencies doesn't like it. I can try harder by choosing alternative dependencies, but I suppose the benefit of keeping these at an old version is that the referenced classes within dependency won't deprecated, as has been done elsewhere.
* where each pattern segment is optional and supports full and partial <code>*</code> wildcards. An empty pattern | ||
* segment is treated as an implicit wildcard. * | ||
* <p> | ||
* For example, <code>org.apache.*</code> will match all artifacts whose group id starts with |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will match --> matches (tech writing lives in the eternal present)
* segment is treated as an implicit wildcard. * | ||
* <p> | ||
* For example, <code>org.apache.*</code> will match all artifacts whose group id starts with | ||
* <code>org.apache.</code>, and <code>:maven-dependency-plugin</code> will result in the analysis being applied |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is confusing. Try using an example of an unrelated library instead like JodaTime.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done by copying the example Javadoc above. Decided the purpose of this section of the Javadoc is to explain the Maven co-ordinate and wildcard combination rather than the specific behaviour of the parameter.
|
||
|
||
/** | ||
* List of dependencies to be included. The result of this list is then applied to the ignore parameters. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This isn't clear that everything is included by default when this isn't set.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I've been musing on this point. The default behaviour prior to this change is that everything is included. That can't change without requiring a pom changes downstream. So this is strictly:
"an override to the ignore"
That's a bit mind-bending if you don't have the context. I think the best we can do is to provide a recipe in the Javadoc describing an example use case, such as the one we're going to use it for. Broadly, everything ignored, but this one Maven co-ordinate in.
It doesn't feel like if we were designing this anew we'd start from here, but without a brain-wave on how to prevent a backward incompatible change, this will be the approach.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thinking through some of the use-cases further and wanting more fine-grained control, we're essentially building sub-graphs in the dependency graph. I think that is expressible using Maven co-ordinates, but would be good to back these thoughts with some tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Decided that building sub-graphs was way too complicated, so sticking with the original approach and updating the Javadoc as requested, which is consistent with the standard Maven filters.... include then exclude.
@@ -438,6 +478,40 @@ private boolean checkDependencies() | |||
warning = true; | |||
} | |||
|
|||
// log dependencies that weren't included | |||
if ( verbose && !notIncludedUsedDeclared.isEmpty() ) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why are these logged? I thought the point of this PR was to avoid reporting on these.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are logged in the verbose section only. Mirroring the existing verbose section for the explicitly ignored dependencies, I think you'd also want to understand what was ignored implicitly by not being covered within the includes.
/** | ||
* Filter for artifacts that don't match the <code>exclude</code> criteria. | ||
* | ||
* @param artifacts filtered by elements that don't match the <code>excludes</code> argument |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
exclude or excludes? You have both.
{ | ||
List<Artifact> result = new ArrayList<>(); | ||
|
||
if ( includes.length > 0 ) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
!isEmpty()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not a Collection. Happy to call Arrays.asList (includes) earlier if you prefer.
Artifact artifact = it.next(); | ||
if ( !filter.include( artifact ) ) | ||
{ | ||
it.remove(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why the remove call? Doesn't seem needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The original filterDependencies
method both mutates the artifacts
argument and indicates what is has removed in the result
. I didn't want to change the stateful nature of this methods because that would be a pretty serious overhaul to the code. So the remove call is needed to remove artifacts
that don't match the include argument.
…id' of https://github.com/chadwick00/maven-dependency-plugin into feature/MDEP-808-Restrict-dependency-analysis-by-group-id
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm still skeptical of this feature. What is the problem solved by not warning on all unused dependencies? Unused dependencies don't break the build. If someone can't fix them all right now, so what?
|
||
Another case is when mature projects have accumulated superfluous dependencies or | ||
relied upon transitivity for their dependencies. Where fixing all the dependency | ||
problems up-front is not viable the plugin can be configured to only raise |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
comma after viable
|
||
<!-- limit warnings to dependencies for group com.google.code.findbugs --> | ||
<includeDependencies> | ||
<includeDependency>com.google.code.findbugs</includeDependency> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
includeDependency --> groupId
Instead of a pattern here,= separate groupId and artifactId elements are simpler.
Maybe includeDependencies --> analyze or check. I'm not sure.
Another case is when mature projects have accumulated superfluous dependencies or | ||
relied upon transitivity for their dependencies. Where fixing all the dependency | ||
problems up-front is not viable the plugin can be configured to only raise | ||
warnings for dependencies meeting "include" criteria. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs to be expanded. Based solely on this text — that is, without reading the code or the JIRA — I do not know which dependencies are and are not checked.
Full write up of the use case on MDEP-808. Short version is that I've added a new {{includeDependencies}} parameter to allow the scope of the warnings from the analyze goal to be limited to the include dependencies.
Following this checklist to help us incorporate your
contribution quickly and easily:
for the change (usually before you start working on it). Trivial changes like typos do not
require a JIRA issue. Your pull request should address just this issue, without
pulling in other changes.
[MDEP-XXX] - Fixes bug in ApproximateQuantiles
,where you replace
MDEP-XXX
with the appropriate JIRA issue. Best practiceis to use the JIRA issue title in the pull request title and in the first line of the
commit message.
mvn clean verify
to make sure basic checks pass. A more thorough check willbe performed on your pull request automatically.
mvn -Prun-its clean verify
).If your pull request is about ~20 lines of code you don't need to sign an
Individual Contributor License Agreement if you are unsure
please ask on the developers list.
To make clear that you license your contribution under
the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.
I hereby declare this contribution to be licenced under the Apache License Version 2.0, January 2004
In any other case, please file an Apache Individual Contributor License Agreement.