
Document how to ignore certain dependencies

Open sbernard31 opened this issue 4 years ago • 5 comments

I imagine a use case where you are using license-tool-plugin and want your project to fail if dependencies are not checked.

Now imagine that you add a new dependency which is not trusted; you need to create a CQ (or take any action like this).
But while waiting for it to be approved, I understand that the project is allowed to use the component anyway (as long as it does not release it, so just for the development phase).

So we need a parameter to skip dependencies that are waiting for approval. (Maybe pretty much the same feature as how to handle work-with: https://github.com/eclipse/dash-licenses/issues/13)

There is maybe a difference because work-with should always skip the dependency check
but waiting for approval should fail on release.

sbernard31 avatar Oct 08 '21 13:10 sbernard31

There is. But it's not documented. I'll fix that.

You can exclude specific groups, artifacts, scopes, classifiers, etc.

e.g.,

$ mvn -DexcludeGroupIds=org.eclipse org.eclipse.dash:license-tool-plugin:license-check -Ddash.summary=DEPENDENCIES

It uses built-in Maven features, so groupIds are actually excluded using a startsWith comparison, so excluding org.eclipse will exclude groups like org.eclipse.leshan. Excluded artifactIds work on exact match (I've been tinkering with a wildcard match, but am quickly starting to understand why the built-in features don't support this).

I've only just started tinkering with a solution for this myself. Getting the documentation updated will be a good start. There's related discussion on #13.

waynebeaton avatar Oct 08 '21 15:10 waynebeaton

I don't know if filtering should be done at the Maven layer (I mean filtering artifacts) or at the dash-licenses layer (I mean filtering by content ID) or both.

I asked this because if one day we use the Dash Licenses Maven Plugin not only for Maven dependencies (see #111) we might rather want to filter at the ContentID level. :thinking:

sbernard31 avatar Oct 12 '21 16:10 sbernard31

Reading https://github.com/eclipse/dash-licenses/issues/13#issuecomment-774154372, I understand the benefits of filtering by artifacts too.

So maybe we need both.

(Oops, I should maybe add this kind of comment at #13 instead of here)

sbernard31 avatar Oct 12 '21 16:10 sbernard31

> I don't know if filtering should be done at the Maven layer (I mean filtering artifacts) or at the dash-licenses layer (I mean filtering by content ID) or both.
>
> I asked this because if one day we use the Dash Licenses Maven Plugin not only for Maven dependencies (see #111) we might rather want to filter at the ContentID level. :thinking:

If you're using the CLI, you can filter out content before delivering it to the tool.

$ cat dependencies.txt | grep -v "org\.blah\.blah" | java -jar license-tool.jar -

waynebeaton avatar Jan 05 '22 21:01 waynebeaton
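
An added example, not part of the thread or of dash-licenses: it shows, on a constructed dependency list, which entries a startsWith group exclusion (as described for -DexcludeGroupIds above) silently removes from the license check, and a field-anchored alternative to the unanchored `grep -v` in the CLI pipeline. The function names and sample coordinates are hypothetical; the input is assumed to be in the `group:artifact:type:version:scope` form.

```shell
#!/bin/sh
# Constructed sample input (coordinates are made up for this example).
sample_deps() {
cat <<'EOF'
org.eclipse.leshan:leshan-core:jar:2.0.0:compile
org.eclipse:example-core:jar:1.0.0:compile
org.eclipsefake:lookalike:jar:0.1.0:compile
com.example:widget:jar:3.1.4:compile
EOF
}

# Entries removed when the group id is compared with startsWith,
# the behaviour the thread describes for -DexcludeGroupIds.
dropped_by_prefix() {
    awk -F: -v p="$1" 'index($1, p) == 1'
}

# Entries removed only because of the prefix rule: the group merely
# starts with the same characters and is not the group or a sub-group.
# These escape the license check without anyone having named them.
unexpected_drops() {
    awk -F: -v g="$1" \
        'index($1, g) == 1 && !($1 == g || index($1, g ".") == 1)'
}

# Filter for the CLI pipeline: drops the named group and its dotted
# sub-groups only, matching on the group field rather than anywhere in
# the line (an unanchored grep -v also drops lines whose artifact id or
# version happens to contain the pattern).
filter_group() {
    awk -F: -v g="$1" '!($1 == g || index($1, g ".") == 1)'
}

# Intended use with the CLI from the thread (not run here):
#   cat dependencies.txt | filter_group org.eclipse | java -jar license-tool.jar -

echo "Dropped by prefix exclusion of org.eclipse:"
sample_deps | dropped_by_prefix org.eclipse
echo "Of those, not actually under org.eclipse:"
sample_deps | unexpected_drops org.eclipse
```

Running `unexpected_drops` against the real dependency list before adding an exclusion gives a reviewable record of what will no longer be checked.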

Thx for the tips. :pray:

(Just in case of a possible misunderstanding, the issue is related to the Maven plugin)

sbernard31 avatar Jan 07 '22 10:01 sbernard31