Add ability to set parent project (#345) #346
Conversation
* Added ability to set project parent. Cannot merge until [DT 2401](DependencyTrack/dependency-track#2401) is fixed. * Clarified behaviour of setParent * Tested against a 4.8.0 Snapshot and added handling of `null` version --------- Co-authored-by: jason <jason.irwin@idoxgroup.com>
|
Kudos, SonarCloud Quality Gate passed! |
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
| ProjectInfo info = null; | ||
| if (updateReq.hasBomLocation()) { | ||
| logger.info("Project info will be updated"); | ||
| Optional<ProjectInfo> optInfo = bomParser.getProjectInfo(new File(updateReq.getBomLocation())); |
There was a problem hiding this comment.
PATH_TRAVERSAL_IN: This API (java/io/File.(Ljava/lang/String;)V) reads a file whose location might be specified by user input
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
There was a problem hiding this comment.
@sonatype-lift ignoreall
There was a problem hiding this comment.
The ignoreall command is active on this PR, all the existing Lift issues are ignored.
| @@ -61,22 +73,55 @@ public UploadBomMojo(UploadBomAction uploadBomAction, MetricsAction metricsActio | |||
| @Override | |||
| public void performAction() throws MojoExecutionException, MojoFailureException { | |||
| try { | |||
| logger.info("Update Project Parent: %s", updateParent); | |||
|
|
|||
| Project parent = null; | |||
There was a problem hiding this comment.
💬 2 similar findings have been found in this PR
Var: Non-constant variable missing @var annotation
| Project parent = null; | |
| @Var Project parent = null; |
🔎 Expand here to view all instances of this finding
| File Path | Line Number |
|---|---|
| src/main/java/io/github/pmckeown/dependencytrack/project/ProjectAction.java | 62 |
| src/main/java/io/github/pmckeown/dependencytrack/upload/UploadBomMojo.java | 96 |
Visit the Lift Web Console to find more details in your report.
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
🛠 Lift Auto-fixSome of the Lift findings in this PR can be automatically fixed. You can download and apply these changes in your local project directory of your branch to review the suggestions before committing.1 # Download the patch
curl https://lift.sonatype.com/api/patch/github.com/pmckeown/dependency-track-maven-plugin/346.diff -o lift-autofixes.diff
# Apply the patch with git
git apply lift-autofixes.diff
# Review the changes
git diffWant it all in a single command? Open a terminal in your project's directory and copy and paste the following command: curl https://lift.sonatype.com/api/patch/github.com/pmckeown/dependency-track-maven-plugin/346.diff | git applyOnce you're satisfied commit and push your changes in your project. Footnotes |
|
@roadSurfer - I'm a bit reluctant to release a new feature into the plugin that operates against a snapshot of the target system. In general the feature looks fine and allows alignment between the project model in Maven and Dependency Track. So keen to add the feature, just not against the main branch code. Are you OK to wait until 4.8.0 is released before revisiting? |
|
Yes of course! Wasn't sure how you wanted to handle it or what your release plans were. |
OK cool - will wait until 4.8.0 is released then test this out properly. |
| From Dependency-Track server 4.8.0 onwards, you can set the project parent by setting `updateParent` to `true`. The | ||
| parent name will be defaulted to that POM's project parent name. If you wish to override that value, or there is | ||
| no parent set within the `pom.xml`, then explicitly set `parentName` and `parentVersion`. | ||
|
|
||
| Dependency Track doesn't require a project version to be set which means this will fail if there is no version set on | ||
| the project in Dependency Track that matches the name of the parent of the maven project or the overridden parentName | ||
| value. | ||
|
|
||
| **Note:** If the parent cannot be found on the Dependency-Track server, the BOM upload will not be attempted in order to | ||
| prevent a project being incorrectly created or updated the server. | ||
|
|
||
| | Property | Required | Default Value | Example Values | | ||
| |-------------------|----------|---------------------------|-----------------------| | ||
| | bomLocation | false | target/bom.xml | target/custom-bom.xml | | ||
| | updateProjectInfo | false | false | false | | ||
| | updateParent | false | false | true | | ||
| | parentName | false | ${project.parent.name} | my-name-override | | ||
| | parentVersion | false | ${project.parent.version} | my-version-override | |
There was a problem hiding this comment.
@roadSurfer I've made some behaviour tweaks from your original PR best documented here.
In my view not defaulting the parent version to that of the maven parent pom seemed counter-intuitive. I see where you are coming from in that DT doesn't mandate a version on a project. However if that project was created by the plugin, then the version will be set. If the project wasn't created by this plugin and is missing a version, it can be added in the DT UI and then set as the parentVersion property in the use of this plugin to link it up.
Does that sound reasonable to you and not too far from your original intent?
There was a problem hiding this comment.
Seems totally fine to me.
| metricsAction.refreshMetrics(project); | ||
| } catch (DependencyTrackException ex) { | ||
| handleFailure("Error occurred during upload", ex); | ||
| } | ||
| } | ||
|
|
||
| private Project getProjectParent(String parentName, String parentVersion) | ||
| throws DependencyTrackException { |
There was a problem hiding this comment.
I've made some tweaks the implementation of setting the parent too.
During testing, the error messages were not being displayed and due to my original implementation of error handling that you followed, the mvn -e was only showing a generic error so nothing useful for the user.
There was a problem hiding this comment.
Oops, sorry. I didn't spot this in my testing.
|
Tests are failing at the minute on this branch and I'd like to tidy up a bit. So will be delayed a few days on getting this all tidied up. |
|
Kudos, SonarCloud Quality Gate passed! |
Added ability to set project parent. Cannot merge until DT 2401 is fixed.
Clarified behaviour of setParent
Tested against a 4.8.0 Snapshot and added handling of
nullversionCo-authored-by: jason jason.irwin@idoxgroup.com