Maven scopes - additional "AND" filter logic #1427

Closed
wants to merge 9 commits into from

Conversation

@jssblck jssblck commented May 7, 2024

Overview

Updates the Maven scope filtering functionality so that users can specify "AND" relationships for excluding dependencies.

The existing functionality is as follows:

When a dependency is multi-scope (i.e. [compile, runtime]), by default if ANY of the scopes are contained in scope-exclude it will be excluded from the scan results:

version: 3

maven:
  scope-exclude: # Excludes dependencies that contain any of 'provided', 'system', or 'test' scopes.
    - provided
    - system
    - test

For example, using the above setting:

Dependency { name: "A", scopes: [ "compile" ]}           <- reported, because it doesn't match any excluded scope.
Dependency { name: "B", scopes: [ "test" ]}              <- not reported, because the scope "test" is excluded.
Dependency { name: "C", scopes: [ "compile", "system" ]} <- not reported, because the scope "system" is excluded.

The new functionality added is as follows:

For more control, the items provided to scope-exclude can be arrays; when this is done it only filters the dependency if ALL of the scopes in that item are contained in the dependency.

version: 3

maven:
  scope-exclude: # Excludes dependencies that contain the 'system' scope, or if they include both 'provided' and 'test' scopes.
    - [provided, test]
    - system

For example, using the above setting:

Dependency { name: "A", scopes: [ "compile" ]}                     <- reported, because it doesn't have any excluded scope.
Dependency { name: "B", scopes: [ "test" ]}                        <- reported, because it doesn't have "provided" scope.
Dependency { name: "C", scopes: [ "provided", "test", "compile" ]} <- not reported, because it has both "test" and "provided" scopes.
Dependency { name: "B", scopes: [ "system" ]}                      <- not reported, because it has the "system" scope.

Rendered documentation here.

Acceptance criteria

Users are able to exclude scopes more granularly.

Testing plan

Relying on automated tests.

Risks

This further complicates the config file.

Metrics

None

References

Resolves: https://fossa.atlassian.net/browse/ANE-1724

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • If this PR introduced a user-visible change, I added documentation into docs/.
  • If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.
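The matching rules described in the PR body (a single scope item excludes a dependency that has that scope; an array item excludes it only when the dependency has every scope in the array; items in the list are OR-ed) modeled as a small Python filter. This is an added example to illustrate the semantics, not fossa-cli's own (Haskell) implementation, and the dependency list, the `D` dependency and the empty-array validation are constructed assumptions for the example. The `validate_rules` check goes beyond the PR text: an empty array item would vacuously match every dependency, so a practitioner would want the config loader to reject it rather than silently drop the whole Maven graph from the scan.

```python
"""Worked model of Maven `scope-exclude` matching with "AND" array items.

Added example, not the fossa-cli project's code. Config is given as Python
literals; a YAML list such as `- [provided, test]` maps to a nested list here.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Union

# A scope-exclude item is either a single scope name or an array of scope names.
ScopeRule = Union[str, Sequence[str]]


@dataclass(frozen=True)
class Dependency:
    name: str
    scopes: FrozenSet[str]


def validate_rules(rules: Sequence[ScopeRule]) -> List[ScopeRule]:
    """Reject items that cannot express a sensible exclusion.

    Assumption (not stated in the PR): an empty array item is a config error.
    all() over an empty array is True, so it would exclude every dependency.
    """
    for rule in rules:
        if isinstance(rule, str):
            if not rule:
                raise ValueError("scope-exclude: empty scope name")
        else:
            if len(rule) == 0:
                raise ValueError("scope-exclude: empty array item would exclude every dependency")
            if any(not isinstance(s, str) or not s for s in rule):
                raise ValueError(f"scope-exclude: malformed array item {list(rule)!r}")
    return list(rules)


def rules_are_valid(rules: Sequence[ScopeRule]) -> bool:
    try:
        validate_rules(rules)
        return True
    except ValueError:
        return False


def rule_matches(rule: ScopeRule, scopes: FrozenSet[str]) -> bool:
    """Single scope: match if present. Array: match only if ALL scopes are present."""
    if isinstance(rule, str):
        return rule in scopes
    return all(s in scopes for s in rule)


def is_excluded(dep: Dependency, rules: Sequence[ScopeRule]) -> bool:
    """Items in scope-exclude are OR-ed: any matching item excludes the dependency."""
    return any(rule_matches(r, dep.scopes) for r in rules)


def filter_dependencies(deps: Sequence[Dependency], rules: Sequence[ScopeRule]) -> List[Dependency]:
    rules = validate_rules(rules)
    return [d for d in deps if not is_excluded(d, rules)]


# Constructed inputs mirroring the PR's two examples.
OLD_RULES: List[ScopeRule] = ["provided", "system", "test"]
DEPS_BEFORE = [
    Dependency("A", frozenset({"compile"})),
    Dependency("B", frozenset({"test"})),
    Dependency("C", frozenset({"compile", "system"})),
]

NEW_RULES: List[ScopeRule] = [["provided", "test"], "system"]
DEPS_AFTER = [
    Dependency("A", frozenset({"compile"})),
    Dependency("B", frozenset({"test"})),
    Dependency("C", frozenset({"provided", "test", "compile"})),
    Dependency("D", frozenset({"system"})),  # the PR's fourth entry, renamed D here
]


def reported_names(deps: Sequence[Dependency], rules: Sequence[ScopeRule]) -> List[str]:
    return [d.name for d in filter_dependencies(deps, rules)]


if __name__ == "__main__":
    print("old config reports:", reported_names(DEPS_BEFORE, OLD_RULES))
    print("new config reports:", reported_names(DEPS_AFTER, NEW_RULES))
```

A one-element array item is equivalent to the plain-string form, which is a useful property to assert in the project's own tests when adding a syntax like this: it means existing configs keep their meaning and only the multi-element case introduces new behaviour.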

@jssblck jssblck closed this May 16, 2024
@jssblck jssblck deleted the fix/ane1724 branch May 16, 2024 19:08