Java Maven Artifact Migration

[davidgoate]

When running my build, spotbugs appears to have suggested:

[WARNING] The artifact org.apache.commons:commons-io:jar:1.3.2 has been relocated to commons-io:commons-io:jar:1.3.2

I'm not sure internally how spotbugs knows this, but I think it'd be awesome if dependabot were able to handle this type of PR. We were using:

<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-io</artifactId>
    <version>1.3.2</version>
</dependency>

and now we can use instead

<dependency>
    <groupId>commons-io</groupId>
    <artifactId>commons-io</artifactId>
    <version>2.6</version>
</dependency>

[evenh]

This would be awesome!

[greysteil]

Agreed - need to look into how spotbugs does that!

[bmuskalla]

Spotbugs and others can figure this out using the relocation metadata that maven artifacts can provide in their pom.xml. Example:

<distributionManagement>
    <relocation>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <message>https://issues.sonatype.org/browse/MVNCENTRAL-244</message>
    </relocation>
</distributionManagement>

See Maven documentation for more details. I started to dig a little into this but soon realized this might be bigger than expected. Not only would we need to fetch the latest dependency metadata (which isn't too bad but it does break a lot of the tests), the bigger issue I see is in actually rewriting the dependency coordinates. The maven UpdateChecker mostly deals with versions whereas we'd need to rewrite group_id and artifact_id of the maven dependency as well. This already challenges a lot of assumptions in the current version_finder (see bmuskalla/dependabot-core@7553704 for a rough approach; actually a lot of the existing code would better be refactored as it currently assumes the maven coordinates are stable).

@greysteil and @hmarr, any thoughts on whether this is worth the effort before I spent any more time on this? Or is there maybe a better way to introduce such a dependency rewrite?

[rebelagentm]

@feelepxyz Thoughts on @bmuskalla's comment?

[feelepxyz]

@rebelagentm @bmuskalla thanks for starting a fix for this! 🙇I think you're right, sounds like this will be a non-trivial change given our current architecture. Also haven't looked into how our maven setup works in detail but wondering if we could set the new group id and artifact id in requirement metadata for the updated dependencies and then read these out when updating, we already do something like this here:

dependabot-core/maven/lib/dependabot/maven/file_updater.rb

Line 61 in e94f2e1

if new_req.dig(:metadata, :property_name)

[jeffwidman]

Duplicate of:

• Add support for Maven relocation feature #1947