Fix maven pom parent child relationships #1218
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… a module-submodule relationship.
…t-child-relationships
…t-child-relationships
…t-child-relationships
csasarak
added a commit
that referenced
this pull request
Jun 14, 2023
This reverts commit 0cca671. The changelog has only been appended to.
csasarak
added a commit
that referenced
this pull request
Jun 14, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
When scanning a directory with a package (A) that declares another package (B) to be its parent, if the parent (B) is also detected in the POM closure code we wouldn't report (A) as a target because it is no longer a root package - it's a child POM of (B).
This is confusing to users because it's possible for the top-level maven package in a directory to not be found as a target if its parent is included in a local subdirectory. This was discovered in a project where the
.m2directory was a subdirectory of the scanned directory. If.m2weren't present, the top-level would be a target (maven@./) but if it were present it would not be.This code changes the CLI so what we only establish that parent-child relationship if (A) has (B) as a parent and (B) also declares (A) as a submodule. The consequences of this for existing projects are that we may list more targets for analysis than we did before in the case described above.
Acceptance criteria
We should consider a maven package a target even if its parent also exists in the scanned directory unless the parent declares that package as a submodule.
Testing plan
I have attached a minimal example which demonstrates the problem. The example uses
.m2as the directory, but it could be named anything or located anywhere in the project.You can also create an example by finding a minimal spring boot project, running
mvn compileto make sure it has all deps and then copying~/.m2into the project root.Risks
The only risk I can think of is that some customers may see the number of scanned targets increased, though the conditions that this bug appeared in are probably uncommon.
Metrics
None
References
Checklist
docs/.Changelog.md. If this PR did not mark a release, I added my changes into an# Unreleasedsection at the top..fossa.ymlorfossa-deps.{json.yml}, I updateddocs/references/files/*.schema.json. You may also need to update these if you have added/removed new dependency type (e.g.pip) or analysis target type (e.g.poetry).