Stale dependencies in Dependency graph #131
Comments
The duplicated dependency you're showing is Assuming you find only
If you are able to share the complete dependency-graph file I can take a look. Otherwise, just search the file for occurrences of
@bigdaz Sorry for the screenshot not showing the same dependency as the log; I screenshotted the actuator dependency because they happened to be next to each other, but the issue is the same for all. When resolving things from cache it finds the previous version:
Or:
But once it "detect dependency" only the 2.7.18 is visible:
The file generated by

```json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2024-04-16T07:35:45Z",
    "creators": [
      "Tool: GitHub.com-Dependency-Graph",
      "Tool: GitHub Dependency Graph Gradle Plugin"
    ]
  },
  [...],
  "relationships": [
    ...
    {
      "relationshipType": "DEPENDS_ON",
      "spdxElementId": "SPDXRef-com.github.MY-PROJECT",
      "relatedSpdxElement": "SPDXRef-maven-org.springframework.boot-spring-boot-actuator-2.2.2.RELEASE"
    },
    {
      "relationshipType": "DEPENDS_ON",
      "spdxElementId": "SPDXRef-com.github.MY_PROJECT",
      "relatedSpdxElement": "SPDXRef-maven-org.springframework.boot-spring-boot-actuator-2.7.18"
    },
    ...
  ]
}
```

I'll try to find some time to try and submit the SBOM manually using the GitHub API to see if the API returns something useful (it does not seem to include the GitHub API response in debug mode) and/or try to submit an empty list, to see if I can somehow "reset" the state 🤷🏻
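The "search the file for occurrences of" step above can be done mechanically instead of by eye. The Python below is an added example written for this thread; it is not code from gradle/actions, from the Gradle plugin, or from the reporter's repository. It assumes the snapshot is standard SPDX 2.3 JSON in which every package carries `name` and `versionInfo` (an assumption about the plugin's output, not something the thread confirms), and the embedded sample document is constructed to mirror the shape of the pasted excerpt, including the two spellings of the root element id (`MY-PROJECT` versus `MY_PROJECT`). It reports every coordinate that is present in more than one version, every relationship end that names an element the document never declares, and what the described root actually depends on.

```python
import json
from collections import defaultdict

# Constructed SPDX 2.3 fragment, modelled on the shape of the excerpt pasted
# in the thread. The "packages" entries and the root project's version are
# assumptions for this example; they are not the reporter's real file.
SAMPLE_SPDX = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "documentDescribes": ["SPDXRef-com.github.MY-PROJECT"],
    "packages": [
        {"SPDXID": "SPDXRef-com.github.MY-PROJECT",
         "name": "com.github.MY-PROJECT", "versionInfo": "0.0.1"},
        {"SPDXID": "SPDXRef-maven-org.springframework.boot-spring-boot-actuator-2.2.2.RELEASE",
         "name": "org.springframework.boot:spring-boot-actuator", "versionInfo": "2.2.2.RELEASE"},
        {"SPDXID": "SPDXRef-maven-org.springframework.boot-spring-boot-actuator-2.7.18",
         "name": "org.springframework.boot:spring-boot-actuator", "versionInfo": "2.7.18"},
        {"SPDXID": "SPDXRef-maven-org.springframework.boot-spring-boot-2.7.18",
         "name": "org.springframework.boot:spring-boot", "versionInfo": "2.7.18"},
    ],
    "relationships": [
        {"relationshipType": "DESCRIBES",
         "spdxElementId": "SPDXRef-DOCUMENT",
         "relatedSpdxElement": "SPDXRef-com.github.MY-PROJECT"},
        {"relationshipType": "DEPENDS_ON",
         "spdxElementId": "SPDXRef-com.github.MY-PROJECT",
         "relatedSpdxElement": "SPDXRef-maven-org.springframework.boot-spring-boot-actuator-2.2.2.RELEASE"},
        # Same root-id spelling difference as in the pasted excerpt (underscore, not hyphen).
        {"relationshipType": "DEPENDS_ON",
         "spdxElementId": "SPDXRef-com.github.MY_PROJECT",
         "relatedSpdxElement": "SPDXRef-maven-org.springframework.boot-spring-boot-actuator-2.7.18"},
        {"relationshipType": "DEPENDS_ON",
         "spdxElementId": "SPDXRef-com.github.MY-PROJECT",
         "relatedSpdxElement": "SPDXRef-maven-org.springframework.boot-spring-boot-2.7.18"},
    ],
})


def packages_by_id(doc):
    """Index the SPDX packages by their SPDXID."""
    return {p["SPDXID"]: p for p in doc.get("packages", [])}


def multi_version_packages(doc):
    """Return {package name: sorted versions} for every coordinate that is
    declared in more than one version. A cleanly bumped dependency appears once."""
    versions = defaultdict(set)
    for pkg in doc.get("packages", []):
        versions[pkg["name"]].add(pkg.get("versionInfo", ""))
    return {name: sorted(v) for name, v in versions.items() if len(v) > 1}


def dangling_relationships(doc):
    """Return (type, field, id) for each relationship end that names an element
    which is neither the document itself nor a declared package."""
    known = set(packages_by_id(doc)) | {doc["SPDXID"]}
    dangling = []
    for rel in doc.get("relationships", []):
        for field in ("spdxElementId", "relatedSpdxElement"):
            if rel[field] not in known:
                dangling.append((rel["relationshipType"], field, rel[field]))
    return dangling


def direct_dependencies(doc):
    """(name, version) pairs reachable from the described root by one DEPENDS_ON edge."""
    pkgs = packages_by_id(doc)
    roots = set(doc.get("documentDescribes", []))
    deps = []
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "DEPENDS_ON" and rel["spdxElementId"] in roots:
            target = pkgs.get(rel["relatedSpdxElement"])
            if target is not None:
                deps.append((target["name"], target.get("versionInfo", "")))
    return sorted(deps)


def analyse(spdx_text):
    """Run the three checks over an SPDX JSON document given as text."""
    doc = json.loads(spdx_text)
    return {
        "multi_version": multi_version_packages(doc),
        "dangling": dangling_relationships(doc),
        "direct_dependencies": direct_dependencies(doc),
    }


if __name__ == "__main__":
    # Replace SAMPLE_SPDX with open("dependency-graph.json").read() for a real snapshot.
    print(json.dumps(analyse(SAMPLE_SPDX), indent=2))
```

On the constructed sample the report lists spring-boot-actuator in both 2.2.2.RELEASE and 2.7.18, flags the `MY_PROJECT` source id as undeclared, and shows that only the 2.2.2.RELEASE actuator is reachable from the root. A snapshot that is internally consistent but still yields stale entries on GitHub points at a second submission (another workflow or another correlator), which is where the thread ended up.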
Thanks for checking. A few things to note:
@bigdaz Thank you for those little nuggets of knowledge. I missed the part around the correlator. I tried this:

```yaml
name: Clear Dependency Submission
on:
  workflow_dispatch:
permissions:
  contents: write
jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout sources
        uses: actions/checkout@v4
      - name: Generate and submit dependency graph
        uses: gradle/actions/dependency-submission@v3
        env:
          GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR: 'dependency_submission-dependency-submission'
        with:
          dependency-graph: clear
```

And now I'm left with the stale dependencies. So I might have had the dependencies submitted under a different correlator at some point (I did not successfully set up the whole thing on the first try on all my projects). The question is how I can know what the correlator was in order to clean it 🤔 It does not seem to clean itself after "hours" though, since it's still here, and it seems to have been updated: I guess I'll sit and wait a little while and see if it gets resolved by itself. And clean up GitHub Actions caches, just for the peace of mind that it will stop finding all the dependencies in the Gradle cache.
You don't need to worry about the dependencies found in

To work out the correlator that was used previously, you should be able to look back at the workflow runs to see what the dependency-graph file name was. Failing that, I think you may need to raise an issue with GitHub about this. After you've raised an issue, let me know and I can ping the GitHub dependency graph team directly.
@bigdaz I finally found the culprit. I have another workflow that I did not mention, which is used only for dependency review during PRs:

```yaml
name: Dependency review
on:
  pull_request:
permissions:
  contents: write
  pull-requests: write
jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout sources
        uses: actions/checkout@v4
      - name: Generate and submit dependency graph
        uses: gradle/actions/dependency-submission@v3
  dependency-review:
    needs: dependency-submission
    runs-on: ubuntu-latest
    steps:
      - name: Perform dependency review
        uses: actions/dependency-review-action@v4
        with:
          config-file: XXX
          external-repo-token: XXX
```

And I did not think much of it because it always says:

But it turns out that in the very first run (we are talking 2 months ago), while I was iterating on the subject, it did run on the default branch. I was able to clean up its mess and all is in order. I'm not quite sure why the stale dependencies appeared as "up to date" in the list of dependents, but I have other, more pressing issues to attend to 😅 Thank you very much for your help!
Glad you got it sorted!

@bigdaz Thanks for the hint and your overall help 🙏🏻
Hi there 👋🏻
Sorry if this is the wrong place, I could not find anything useful anywhere else.
I have a simple Gradle project (not a multi project build) with the following workflow to submit the dependencies:
I bumped a dependency - spring-boot - from 2.2.2.RELEASE to 2.7.18, but when I look at the dependency graph I still see both versions of the dependency, with the same date:

When I re-run the action with debug logging I can see that:

Both versions are found from the cache:

Only 2.7.18 gets logged in "Detected dependency":

At my level I'm not sure whether the issue resides in the Gradle action or in GitHub. If you have any pointer I'd be grateful.