Ensure that actual dependencies are compared rather than listed #1

Open
gary-rowe opened this issue Dec 16, 2013 · 10 comments
Comments

@gary-rowe
Owner
Spotted by Andreas Schildbach:

At present if dependencies are changed without a fresh snapshot being taken then the enforcer rules will only be applied against the whitelist.

The enforcer needs to be stricter to avoid a false sense of security.
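As an added illustration of the stricter comparison this issue asks for (example code written for this page, not the plugin's own implementation, and using a constructed URN layout `urn:group:artifact:version:sha1` that may differ from the plugin's real format), the check below compares the resolved dependency set in both directions: dependencies with no whitelist entry, whitelist entries that no longer resolve, and entries whose SHA1 no longer matches all cause a failure.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    """A resolved dependency; `data` stands in for the downloaded jar bytes."""
    group_id: str
    artifact_id: str
    version: str
    data: bytes

    @property
    def coordinate(self) -> str:
        return f"{self.group_id}:{self.artifact_id}:{self.version}"

    @property
    def sha1(self) -> str:
        return hashlib.sha1(self.data).hexdigest()


def parse_whitelist(urns):
    """Map coordinate -> expected SHA1 (constructed URN layout, see lead-in)."""
    expected = {}
    for urn in urns:
        scheme, group, artifact, version, digest = urn.split(":")
        if scheme != "urn" or len(digest) != 40:
            raise ValueError(f"malformed whitelist entry: {urn}")
        expected[f"{group}:{artifact}:{version}"] = digest.lower()
    return expected


def check_dependencies(resolved, urns):
    """Compare what was actually resolved against the whitelist, both ways."""
    expected = parse_whitelist(urns)
    actual = {a.coordinate: a.sha1 for a in resolved}
    common = actual.keys() & expected.keys()
    return {
        "missing": sorted(actual.keys() - expected.keys()),   # resolved, not whitelisted
        "stale": sorted(expected.keys() - actual.keys()),     # whitelisted, no longer resolved
        "mismatch": sorted(c for c in common if actual[c] != expected[c]),
    }


def enforce(resolved, urns):
    """Return (passed, report); any difference at all fails the build."""
    report = check_dependencies(resolved, urns)
    return not any(report.values()), report


# Constructed sample: three resolved artifacts, a whitelist that is out of date.
SAMPLE_RESOLVED = [
    Artifact("org.example", "lib-a", "1.0", b"constructed jar bytes A"),
    Artifact("org.example", "lib-b", "2.1", b"constructed jar bytes B"),
    Artifact("org.example", "lib-d", "3.0", b"constructed jar bytes D"),
]
SAMPLE_WHITELIST = [
    "urn:org.example:lib-a:1.0:" + SAMPLE_RESOLVED[0].sha1,  # still correct
    "urn:org.example:lib-b:2.1:" + "0" * 40,                 # hash no longer matches
    "urn:org.example:lib-c:0.9:" + "f" * 40,                 # stale: no longer a dependency
]
```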

@ghost ghost assigned gary-rowe Dec 16, 2013
@ST-DDT

ST-DDT commented Aug 19, 2016

Could you please fix this?

@gary-rowe
Owner Author

I've added it to my list. I should visit it in the next week or so.

@gary-rowe
Owner Author

OK, done a first draft on the develop branch. Apologies for the extreme delay on this.

Can I ask @ST-DDT to take a look at this and verify that it does detect a stale/incorrect URN whitelist by modifying the values in the rule-tester module pom.xml?

@gary-rowe gary-rowe modified the milestone: 0.0.2 Enhancements Sep 6, 2016
gary-rowe added a commit that referenced this issue Sep 6, 2016
gary-rowe added a commit that referenced this issue Sep 6, 2016
@ST-DDT

ST-DDT commented Sep 6, 2016

Test results for commit 9e073e4:

  • Build success
  • Missing dependencies - Build failure => not fixed
  • Missing plugin - Build failure => not fixed
  • Wrong dependency version - Build failure
  • Wrong plugin version - Build failure
  • Wrong dependency hash - Build failure
  • Wrong plugin hash - Build failure
  • Wrong dependency scope - Info/Warning shown
  • Wrong plugin scope - Info/Warning shown
  • Detect dependencies
  • Detect transitive dependencies
  • Detect plugins
  • Detect additional dependencies for plugins (ex: this plugin itself)

@gary-rowe
Owner Author

This is a great test report :-)

I'll do some more commits to cover the missing items.

@gary-rowe
Owner Author

Missing dependencies - Build failure => not fixed

This is confusing. Commenting out the Bouncy Castle test dependency from the rule-tester module and rebuilding leads to a failure due to missing dependency. Removing the antlr dependency either causes a correct download, or if sneakily removed just before SHA1 testing, results in a build failure due to an exception.

@ST-DDT could you clarify this situation?

@gary-rowe
Owner Author

gary-rowe commented Sep 7, 2016

Wrong dependency/plugin scope is now covered.

@gary-rowe
Owner Author

Exploring the Maven tree to locate the enforcer/digest rules is proving unreliable and possibly unnecessarily complex. I'm going to leave this out from this version.

@ST-DDT

ST-DDT commented Sep 7, 2016

@ST-DDT could you clarify this situation?

Well, I just built/installed your plugin, added it to one of my test projects and tested those cases.

Maybe I can write a JUnit like test for this.

Wrong dependency/plugin scope is now covered.

Nice

Exploring the Maven tree to locate the enforcer/digest rules is proving unreliable and possibly unnecessarily complex. I'm going to leave this out from this version.

Okay. I will have a look at this too. Maybe I can find a solution for this. But not today.
