New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow dependencies to appear in graph multiple times #187
Conversation
The existing POM has been updated with a different set of dependencies that reproduce the problem, however don't cause errors in the console Signed-off-by: Thomas Gaskell <tgegaskell@gmail.com>
The DependencyCollectorBuilder is what maven uses when in a verbose mode, so it has more information. Most noteably the duplicate nodes in the tree when something is a depenedncy of multiple parents. Signed-off-by: Thomas Gaskell <tgegaskell@gmail.com>
Addresses MSHARED-994, which prevents building the graph for WARs Signed-off-by: Thomas Gaskell <tgegaskell@gmail.com>
Hello, I just want to warn that to my knowledge dependency:tree -Dverbose has been deprecated for a long time and it is stated to "may give wrong results when used with Maven 3". See the comment in the code: https://github.com/apache/maven-dependency-plugin/blob/master/src/main/java/org/apache/maven/plugins/dependency/tree/TreeMojo.java#L160 Sorry I may be off topic but I thought I better add this warning. |
Cheers @fmarot Looking into some of the history, it seems this has come full circle. apache/maven-dependency-plugin@1852329 The warning in the JavaDoc there links to https://issues.apache.org/jira/browse/MDEP-443, which specifies the inconsistency with the move to Maven 3. In the current version of the dependency however, all the actual console warnings have been removed. https://issues.apache.org/jira/browse/MDEP-644 then seems to imply the issue has been fixed and just needed to be released, which is actually the ticket Steve was previously talking about in the original issue #116. It looks like whatever the issue was may have been fixed, but the JavaDoc was never updated. I'll have to look into it more tomorrow unless anybody else knows more |
I'm back on a new morn, and it looks like my hunch was right. The Interestingly, that incarnation of the builder is different from what is currently used: apache/maven-dependency-plugin@d9d34c6#diff-fff95abc51baf25ef97506144eaf80d4c07ec4f598eb0110491897850504ac1aR272 The latest logic uses the The It seems to me like breaking the |
Thanks you very much for this deep investigation. I have been stuck thinking I should not use -Dverbose for a looooong time. If you do not submit a PR to correct the javadoc, I'll do it. |
PR submitted to correct the javadoc: fmarot/maven-dependency-plugin#1 |
Thank you so much for the investigation and PR for this @ThomGeG 🎉 |
Resolves #116 by updating the CycloneDX MOJOs to use the same mechanism
mvn dependency:tree -Dverbose
does when building the dependency graph.This PR also moves to the latest version of
maven-dependency-tree
to address a bug the previous version contained that would otherwise result in this change breaking the graphs for WARs.