Posted to issues@maven.apache.org by "Paul Gier (JIRA)" <ji...@codehaus.org> on 2012/08/06 03:32:23 UTC

[jira] (MENFORCER-138) Rule to ban all transitive dependencies

Paul Gier created MENFORCER-138:
-----------------------------------

             Summary: Rule to ban all transitive dependencies
                 Key: MENFORCER-138
                 URL: https://jira.codehaus.org/browse/MENFORCER-138
             Project: Maven 2.x Enforcer Plugin
          Issue Type: New Feature
          Components: Standard Rules
            Reporter: Paul Gier


In some projects it's necessary (or at least desirable) to have all dependencies specified in pom.  It would be nice to have an enforcer rule that would ban all transitive dependencies so that the user could either add the transitive dependency directly to the pom (if it's actually needed), or exclude the dependency.

The rule should also have an option to ignore certain transitive dependencies, possibly using a similar syntax to other rules.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] (MENFORCER-138) Rule to ban all transitive dependencies

Posted by "Jakub Senko (JIRA)" <ji...@codehaus.org>.
    [ https://jira.codehaus.org/browse/MENFORCER-138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=307656#comment-307656 ] 

Jakub Senko commented on MENFORCER-138:
---------------------------------------

Thanks, I have pulled your changes, fixed the bug and created the site.


[jira] (MENFORCER-138) Rule to ban all transitive dependencies

Posted by "Paul Gier (JIRA)" <ji...@codehaus.org>.
     [ https://jira.codehaus.org/browse/MENFORCER-138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Gier closed MENFORCER-138.
-------------------------------

    Resolution: Fixed

Looks great, I applied the patch.
Thanks!

[r1395797|http://svn.apache.org/viewvc?view=revision&revision=1395797]


[jira] (MENFORCER-138) Rule to ban all transitive dependencies

Posted by "Jakub Senko (JIRA)" <ji...@codehaus.org>.
    [ https://jira.codehaus.org/browse/MENFORCER-138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=307166#comment-307166 ] 

Jakub Senko commented on MENFORCER-138:
---------------------------------------

I've started a pull request: https://github.com/apache/maven-enforcer/pull/2


[jira] (MENFORCER-138) Rule to ban all transitive dependencies

Posted by "Jakub Senko (JIRA)" <ji...@codehaus.org>.
    [ https://jira.codehaus.org/browse/MENFORCER-138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=306670#comment-306670 ] 

Jakub Senko commented on MENFORCER-138:
---------------------------------------

Hi,
I have created crude implementation of this rule.
Rule will fail the build if it detects any transitive dependencies.
I have also added an option to exclude certain artifacts from being checked.
This works the same as <exclude> and <include> here: http://maven.apache.org/enforcer/enforcer-rules/bannedDependencies.html
I have also added an option to write a custom message to user if the rule fails.
Code is here https://github.com/jsenko/enforcer-rule, but it needs some polishing.
I would welcome any suggestions.


[jira] (MENFORCER-138) Rule to ban all transitive dependencies

Posted by "Paul Gier (JIRA)" <ji...@codehaus.org>.
     [ https://jira.codehaus.org/browse/MENFORCER-138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Gier updated MENFORCER-138:
--------------------------------

    Description: 
In some projects it's necessary (or at least desirable) to have all dependencies explicitly specified in pom.  We have a build requirement to use a strictly controlled maven repository which includes only artifacts which are necessary and have been reviewed/approved.  In order to meet this requirement, each new dependency in the build must be reviewed before each release.  This can be done by periodically reviewing the dependency tree and cleaning up any unnecessary dependencies, but it would be more efficient if the developer adding the dependency was immediately notified that new (possibly unnecessary) dependencies were added to the build and not explicitly defined.  The developer can immediately choose whether to exclude the transitive dependency (if it's not really needed), or declare the dependency and control the version using dependency management.  Doing this checking up front when the build is modified is more efficient than periodically reviewing the dependency tree after several upgrades may have taken place.

In order to facilitate this use case, an enforcer rule could check that all dependencies are explicitly defined unless they are specifically marked to be ignored.  This would ban all transitive dependencies so that the user could either add the transitive dependency directly to the pom (if it's actually needed), exclude the dependency using exclusions in the dependency management, or mark it to be ignored using something like an <excludes> parameter similar to other standard enforcer rules.


  was:
In some projects it's necessary (or at least desirable) to have all dependencies specified in pom.  It would be nice to have an enforcer rule that would ban all transitive dependencies so that the user could either add the transitive dependency directly to the pom (if it's actually needed), or exclude the dependency.

The rule should also have an option to ignore certain transitive dependencies, possibly using a similar syntax to other rules.

       Assignee: Paul Gier


[jira] (MENFORCER-138) Rule to ban all transitive dependencies

Posted by "Paul Gier (JIRA)" <ji...@codehaus.org>.
    [ https://jira.codehaus.org/browse/MENFORCER-138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=307411#comment-307411 ] 

Paul Gier commented on MENFORCER-138:
-------------------------------------

This looks good.  I updated the formatting based on the Maven code style conventions [1], and I added two simple integration tests which you can pull from my branch [2].  One of the integration tests exposes what I think is a minor bug, where you can exclude two level-3 dependencies and then the plugin ignores the level-2 dependency that is the parent of these deps.

Can you also add some site documentation similar to the other rules under src/site/apt?

[1] http://maven.apache.org/developers/committer-environment.html
[2] https://github.com/pgier/maven-enforcer/tree/MENFORCER-138


[jira] (MENFORCER-138) Rule to ban all transitive dependencies

Posted by "Paul Gier (JIRA)" <ji...@codehaus.org>.
     [ https://jira.codehaus.org/browse/MENFORCER-138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Gier updated MENFORCER-138:
--------------------------------

    Fix Version/s: 1.2


[jira] (MENFORCER-138) Rule to ban all transitive dependencies

Posted by "Paul Gier (JIRA)" <ji...@codehaus.org>.
    [ https://jira.codehaus.org/browse/MENFORCER-138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=306864#comment-306864 ] 

Paul Gier commented on MENFORCER-138:
-------------------------------------

Thanks, this is a good start.  I'd like this to be part of the standard set of enforcer rules, can you add it to the enforcer code as a standard rule?  You can use the git repo of the enforcer from here: https://github.com/apache/maven-enforcer

Here are a couple of suggestions for improvement:
If the enforcer rule fails, it should print out all the dependencies that failed instead of just failing on the first one.  This way if there are multiple failures they can all be fixed without running the build again.

Also, I think the excludes should specify the transitive dependency to be ignored instead of specifying the direct dependency that brings in the transitive dependencies.  For example, this allows you to configure that a direct dependency is allowed to have one or more specific transitive dependencies, but not allowed to bring in any other transitive deps.


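As an added illustration, not code from this issue, from jsenko's repository or from the enforcer plugin, the following Python models the behaviour discussed across the thread: Jakub's rule that fails the build on any transitive dependency, with bannedDependencies-style <excludes> patterns and a custom failure message; Paul's two suggestions (report every violation in one run rather than stopping at the first, and have excludes name the transitive artifact instead of the direct dependency that pulls it in); and the level-2/level-3 case from his integration test, where excluding two level-3 dependencies must not silence their level-2 parent. The dependency tree is a constructed sample, not the output of Maven resolution; the matcher is a simplified version of the groupId[:artifactId[:version[:type[:scope[:classifier]]]]] syntax (exact text or a '*' wildcard per segment, no Maven version ranges); and the names find_violations, failure_message, enforce and RuleFailure are mine, not the plugin's.

```python
"""Model of a 'ban transitive dependencies' enforcer check (added example)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class Dep:
    """One node of a resolved dependency tree (toy model, not Maven's API)."""
    group: str
    artifact: str
    version: str
    type: str = "jar"
    scope: str = "compile"
    classifier: str = ""
    children: List["Dep"] = field(default_factory=list)

    @property
    def gav(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


# Segment order of a groupId[:artifactId[:version[:type[:scope[:classifier]]]]] pattern.
SEGMENTS = ("group", "artifact", "version", "type", "scope", "classifier")


def matches(pattern: str, dep: Dep) -> bool:
    """True if the pattern covers dep. Omitted trailing segments match anything,
    so 'org.example' covers every artifact in that group and '*' covers all.
    Simplified: each segment is exact text or a '*' glob, no version ranges."""
    parts = pattern.split(":")
    if not pattern or len(parts) > len(SEGMENTS):
        raise ValueError(f"bad exclude pattern: {pattern!r}")
    return all(fnmatchcase(getattr(dep, name), pat) for name, pat in zip(SEGMENTS, parts))


def find_violations(project: Dep, excludes: List[str]) -> List[str]:
    """Every transitive dependency (depth >= 2 below the project) not covered by an
    exclude, each with the path of artifacts that pulls it in. All violations are
    collected so a single build run reports everything, not just the first hit."""
    violations: List[str] = []

    def walk(node: Dep, trail: List[str]) -> None:
        for child in node.children:
            if trail:  # trail is empty only for the project's own direct dependencies
                if any(matches(p, child) for p in excludes):
                    # The exclusion names the transitive artifact itself and, as a
                    # design choice here, also covers its subtree. The decision is
                    # made per node, so excluding two level-3 leaves never lets their
                    # level-2 parent off the hook.
                    continue
                violations.append(f"{child.gav} (via {' -> '.join(trail)})")
            walk(child, trail + [child.gav])

    walk(project, [])
    return violations


class RuleFailure(Exception):
    """Stands in for the enforcer's rule-failure exception."""


def failure_message(project: Dep, excludes: List[str], message: Optional[str] = None) -> Optional[str]:
    """None when the rule passes; otherwise the (optionally custom) header plus
    one line per offending transitive dependency."""
    violations = find_violations(project, excludes)
    if not violations:
        return None
    header = message or "Transitive dependencies found; declare them in the pom or exclude them:"
    return header + "\n" + "\n".join("  " + v for v in violations)


def enforce(project: Dep, excludes: List[str], message: Optional[str] = None) -> None:
    text = failure_message(project, excludes, message)
    if text is not None:
        raise RuleFailure(text)


def sample_tree() -> Dep:
    """Constructed sample: two direct deps, one level-2 dep carrying two level-3 leaves."""
    leaf_c = Dep("org.example", "leaf-c", "3.0")
    leaf_d = Dep("org.example", "leaf-d", "3.0")
    trans_b = Dep("org.example", "trans-b", "2.0", children=[leaf_c, leaf_d])
    direct_a = Dep("org.example", "direct-a", "1.0", children=[trans_b])
    trans_f = Dep("com.other", "trans-f", "1.5", scope="test")
    direct_e = Dep("org.example", "direct-e", "1.0", children=[trans_f])
    return Dep("org.example", "my-project", "0.1", type="pom", children=[direct_a, direct_e])


if __name__ == "__main__":
    # Excluding both level-3 leaves must still report their level-2 parent trans-b.
    print(failure_message(sample_tree(), ["org.example:leaf-*"], message="Undeclared transitive deps:"))
```

Run as a script, the sample reports trans-b (via direct-a) and trans-f (via direct-e) even though both leaf-* artifacts are excluded. Whether an exclusion also covers the excluded artifact's own subtree is a choice made in this model; the thread does not settle it, so a real implementation should document whichever reading it adopts.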