New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a maven plugin for the dash license tool #44
Conversation
Signed-off-by: Mat Booth <mat.booth@redhat.com>
The maven plugin is fully configurable and has feature parity with the command line tool. Also allows maven-dependency-plugin style artifact filtering which allows users to ignore deps that are not interesting (e.g. test deps or deps from the Eclipse Foundation itself.) Fixes eclipse#7 Signed-off-by: Mat Booth <mat.booth@redhat.com>
This is awesome, Matt. I'll try to review it over the weekend. |
We do the best that we can with the information available (that is, none). Given that Maven knows the identity of the repositories that it's pulling from, you're right that we should be able to do better. Note that there are some larger questions that we'll have to address with regard to ClearlyDefined. Can we, for example, assume that the same GAV coming from Maven Central and Maven Repository represent the exact same content? I'm thinking that the answer to this question is probably yes, but we'll have to do some due diligence to confirm (FWIW, we're basically making this assumption now by guessing "mavencentral").
This is actually a limitation of ClearlyDefined. I've been meaning to open an issue with them to sort out how to best deal with this information. My assumption is that they'll consider it part of the name. Whatever we decide to do, we'll need to coordinate with them if we're to be able to leverage their data set.
Bear in mind that we need to support non-Maven use cases as well. I'd also rather not assume that all Maven builds will necessarily use the Maven plugin. |
The names are wrong. "Dash" is the name of the Eclipse open source project that owns this code; the tool itself is just called "License Tool". So, the artifactid should be something like "license-tool-core" as in "org.eclipse.dash:license-tool-core:0.1.0" and "org.eclipse.dash:license-tool-plugin:0.1.0" (I don't love having "maven" or "plugin" in the artifactid; is there a convention that we can adopt?) |
I'm going to merge the pull request, but follow it up immediately with a commit that changes the "dash-core" and "dash-maven-plugin" directory names and tweaks other project metadata. |
The classworlds hit was bogus, so I fixed it in the backend data. It's flagging two other libraries as "restricted". I'm confident that both are actually okay, and will investigate why they're being flagged by the backend. |
@waynebeaton Sorry I was AFK for more than 2 weeks and missed these questions!
The answer is almost certainly "no" -- There are other maven repositories that are not Maven Central and there are projects that publish artifacts to those repos instead of Maven Central. The biggest other repo is probably JFrog/Bintray and if a project has this repo configured, then Dash will incorrectly say that all dep artifacts are from Maven Central when the artifact may not be found in Maven Central at all!
I don't suggest removing non-Maven use-cases, but I'd argue maven-based projects should always use the maven plugin -- if only because avoiding parsing maven coords ourselves is likely to be much more reliable in the long term.
Sure, I just made choices :-) The de-facto convention for naming maven plugins is that plugins supplied by the Apache Maven project have artifactIds of the form |
This PR contains two changes:
The maven plugin is fully configurable and has feature parity with the command line tool. Also allows maven-dependency-plugin style artifact filtering which allows users to ignore deps that are not interesting (e.g. test deps or deps from the Eclipse Foundation
itself.)
Still to do:
Invoking the plugin:
For a trivial, fully-compliant project you might get output like this:
For a more complex multi-module project like tycho itself:
Because this project is not fully compliant, you also get a review file this time: