Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support for dependency report to include artifact publish date #398

Closed
krishna81m opened this issue May 27, 2020 · 7 comments
Closed

support for dependency report to include artifact publish date #398

krishna81m opened this issue May 27, 2020 · 7 comments

Comments

@krishna81m
Copy link

Just completed writing a script for our legacy Monolith that basically uses artifact publish date to get an idea how old a library is from current version date as well as how many releases behind it is. Then came across this plugin on stackoverflow and wondered if it would be a great addition to include current version release date and the latest release version date in the report.

https://repo.maven.apache.org/maven2/org/springframework/spring-aop/
https://mvnrepository.com/artifact/org.springframework/spring-aop/latest

Can try and submit a PR as well.
@ben-manes
Copy link
Owner

Sure, PRs are very much appreciated.

@krishna81m
Copy link
Author

krishna81m commented Jun 2, 2020
edited

@ben-manes, took a few hours to write up my first draft of groovy script to do this.

Now, I see why you did not do this :), there is no way to get a project artifact publish timestamp, I ended up using a maven SOLR search API to get what I wanted. Can get similar info to find how many releases were done since current release.

If this approach looks okay, I can clean up and send a PR with some tests.

krishna81m@6ec715d#diff-fc7f993a4dcd591abca59fe0914bf71cR371

@ben-manes
Copy link
Owner

Unfortunately that's problematic since publishing to alternative repositories is quite common. Sometimes artifacts migrate from Central to JCenter, or similar, so it becomes error prone. If maven included the timestamps as part of its metadata then maybe we could extract that, but otherwise I think this be too brittle.

What do you think of breadcrumbs (#69) instead? That could be obtained much simpler, e.g. split the version string into parts of as x.y.z => +, x.+, x.y.+ and removing duplicate results. It would require more plumbing into the report and output, though. This would offer you an idea of the version's age rather than absolute age.

@krishna81m
Copy link
Author

Completely agree not sticking to a repo, this was just a POC, this could be a list of repositories that user can choose in the order of preference and enabling this slow feature based on a property. AFAIK, checking maven repository files again, there is nothing other than lastUpdated timestamps https://repository.membrane-soa.org/content/groups/public/.lastUpdated=1587873698040.

Whatever maven metadata gives you should be coming from here once they are cached locally. Let me check if other repositories have something similar like maven central search.

Right now, I wrote a script that already does dates and total versions in between, something like below to find versions and dates using mvnrepository.com html parsing which is worse than official maven central search APIs that can give all of this information.

Sure, a modified breadcrumb that can adjust to a fixed width if there are too many would be a great idea.
x.y.z => +, x.+ ... x.y.+ [10 total versions]

Current script:

        MVNREPO_URL="https://mvnrepository.com/artifact/"
        ...
        MVN_REPO_GET_URL=$MVNREPO_URL$GROUP"/"$NAME"/$OLD_VER"
        mvn_repo_download $MVN_REPO_GET_URL
        ...
        OLD_VER_FROM_REPO=$(ggrep -oP '(?<=\»\s)(\d.*)(?=</title>)' $MVN_REPO_OUTPUT 2>/dev/null)
        OLD_VER_DATE=$(ggrep -oP '(?<=Date</th><td>\()(.*)(?=\) </td>)' $MVN_REPO_OUTPUT 2>/dev/null)

@ben-manes
Copy link
Owner

Any direct http call will get messy. For example,

  • repositories may require authentication
  • repositories do not have to be http based
  • repositories may have restrictive file access (e.g. no directory listing)
  • repositories can be filtered with include / exclude patterns for artifact resolution

There is also a quirk in lastUpdate being unreliable due to using local time or not being updated by the deployer.

The POC is a really nice idee, but I'm afraid its hard to generalize

@krishna81m
Copy link
Author

krishna81m commented Jun 2, 2020
edited

yep agreed, cannot find publish timestamp, just versioning and build timestamps, in the maven-artifact artifact.

Did grep its source code for anything of interest: https://github.com/apache/maven-plugins
find . -name "*.java" -exec grep -iR 'timestamp' {} \; | grep -v 'src/test' find . -name "*.java" -exec grep -R 'Date' {} \; | grep -v 'src/test'

Nothing in the core artifact classes either:
https://maven.apache.org/ref/3.5.4/maven-artifact/apidocs/org/apache/maven/artifact/metadata/ArtifactMetadata.html
https://maven.apache.org/ref/3.5.4/maven-artifact/apidocs/org/apache/maven/artifact/versioning/ArtifactVersion.html

@ben-manes
Copy link
Owner

Closing since this seems too tricky to capture reliably.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ben-manes @krishna81m