-
Notifications
You must be signed in to change notification settings - Fork 171
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix maven pom parent child relationships #1218
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… a module-submodule relationship.
…t-child-relationships
spatten
approved these changes
Jun 12, 2023
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me!
…t-child-relationships
…t-child-relationships
csasarak
added a commit
that referenced
this pull request
Jun 14, 2023
This reverts commit 0cca671. The changelog has only been appended to.
csasarak
added a commit
that referenced
this pull request
Jun 14, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
When scanning a directory with a package (A) that declares another package (B) to be its parent, if the parent (B) is also detected in the POM closure code we wouldn't report (A) as a target because it is no longer a root package - it's a child POM of (B).
This is confusing to users because it's possible for the top-level maven package in a directory to not be found as a target if its parent is included in a local subdirectory. This was discovered in a project where the
.m2
directory was a subdirectory of the scanned directory. If.m2
weren't present, the top-level would be a target (maven@./
) but if it were present it would not be.This code changes the CLI so what we only establish that parent-child relationship if (A) has (B) as a parent and (B) also declares (A) as a submodule. The consequences of this for existing projects are that we may list more targets for analysis than we did before in the case described above.
Acceptance criteria
We should consider a maven package a target even if its parent also exists in the scanned directory unless the parent declares that package as a submodule.
Testing plan
I have attached a minimal example which demonstrates the problem. The example uses
.m2
as the directory, but it could be named anything or located anywhere in the project.You can also create an example by finding a minimal spring boot project, running
mvn compile
to make sure it has all deps and then copying~/.m2
into the project root.Risks
The only risk I can think of is that some customers may see the number of scanned targets increased, though the conditions that this bug appeared in are probably uncommon.
Metrics
None
References
Checklist
docs/
.Changelog.md
. If this PR did not mark a release, I added my changes into an# Unreleased
section at the top..fossa.yml
orfossa-deps.{json.yml}
, I updateddocs/references/files/*.schema.json
. You may also need to update these if you have added/removed new dependency type (e.g.pip
) or analysis target type (e.g.poetry
).