
Transitive RELEASE or LATEST dependencies do not properly resolve

Open aikebah opened this issue 3 years ago • 1 comments

Hello

It seems the problem still occurs when checking for a dependency declaring a sub-dependency with a RELEASE or LATEST metaversion.

Example, for project AAAA having dependency BBBB with RELEASE metaversion referencing dependency YYYY also with RELEASE metaversion we get the error:

DependencyNotFoundException: Expected dependency not found in resolved artifacts for dependency XXXX:YYYY:jar:RELEASE:compile of project-artifact AAAA

When the sub-dependency BBBB is declared directly in the project AAAA (for example with scope provided) there is no more error thrown, so it clearly doesn't fail anymore for dependencies with RELEASE metaversion but still fails on subdependencies with RELEASE metaversion.

So today we are referencing all RELEASE subdependencies directly in our project pom.xml with scope set to provided as a palliative measure to make things work.

Thank you very much.

Originally posted by @YSavanier in https://github.com/jeremylong/DependencyCheck/issues/3721#issuecomment-1102784752

aikebah avatar Apr 22 '22 13:04 aikebah

+1

skalimer0 avatar Jul 08 '22 12:07 skalimer0

Hello, any update on this issue?

YSavanier avatar Jan 03 '23 16:01 YSavanier

No updates, but based on your check I did some further checking.

We're not going to solve this, unless maven dependency plugin will also solve it.

Proof that it doesn't work like it used to back in the day when maven-dependency-plugin was at 2.8:

mvn org.apache.maven.plugins:maven-dependency-plugin:3.4.0:tree will yield you the same results - unchanged LATEST and RELEASE transitive dependencies, whereas mvn dependency:tree falls back to an ancient version of the dependency-plugin (2.8)

I suspect that the Maven team decided to finally partially follow up on their warning "For this reason, future Maven versions might no longer support building such malformed projects." and removed some crucial legacy code that made maven-dependency-plugin 2.8 still able to resolve the RELEASE/LATEST versions.

As current iterations of the maven-dependency-plugin (maintained by Maven Community) no longer resolve LATEST/RELEASE I have no way to reference how to use the public APIs of Maven to properly find out what the resolved dependency versions of the transitive dependencies are.

aikebah avatar Jan 03 '23 18:01 aikebah
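The comment above says that the current maven-dependency-plugin leaves LATEST and RELEASE metaversions unresolved in its tree output. A practical check a project owner can run is therefore to parse that tree and list every node still carrying a metaversion, with its nesting depth, so the transitive ones (the case this issue is about) can be pinned or declared directly as described earlier in the thread. The script below is an added example, not DependencyCheck's or Maven's code; the tree text is constructed with placeholder coordinates and imitates the line layout of `mvn org.apache.maven.plugins:maven-dependency-plugin:3.4.0:tree`.

```python
import re
from dataclasses import dataclass
from typing import Optional

METAVERSIONS = {"RELEASE", "LATEST"}

# Constructed sample (all coordinates are placeholders), imitating the output of
# `mvn org.apache.maven.plugins:maven-dependency-plugin:3.4.0:tree` for a project
# whose transitive dependencies still carry RELEASE/LATEST metaversions.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.4.0:tree (default-cli) @ AAAA ---
[INFO] com.example:AAAA:jar:1.0.0
[INFO] +- com.example:BBBB:jar:RELEASE:compile
[INFO] |  \\- com.example:YYYY:jar:RELEASE:compile
[INFO] +- com.example:CCCC:jar:2.0.0:compile
[INFO] |  \\- com.example:DDDD:jar:LATEST:runtime
[INFO] \\- com.example:ZZZZ:jar:1.2.3:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

# One tree line: "[INFO] " + one 3-char unit per nesting level ("|  " or "   ")
# + an optional node marker ("+- " or "\- ") + the Maven coordinates.
_TREE_LINE = re.compile(
    r"^\[INFO\] "
    r"(?P<indent>(?:\|  |   )*)"
    r"(?P<marker>[+\\]- )?"
    r"(?P<coords>[^\s:]+(?::[^\s:]+)+)$"
)


@dataclass
class Node:
    group_id: str
    artifact_id: str
    version: str
    scope: Optional[str]
    depth: int  # 0 = the project itself, 1 = direct dependency, >1 = transitive

    @property
    def is_metaversion(self) -> bool:
        return self.version in METAVERSIONS


def parse_tree(text: str) -> list:
    """Turn dependency:tree output into Node records; non-tree lines are skipped."""
    nodes = []
    for line in text.splitlines():
        m = _TREE_LINE.match(line.rstrip())
        if not m:
            continue  # plugin header, separator, BUILD SUCCESS, ...
        parts = m.group("coords").split(":")
        if len(parts) == 4:
            # root line: groupId:artifactId:type:version (no scope)
            version, scope = parts[3], None
        else:
            # groupId:artifactId:type[:classifier]:version:scope
            version, scope = parts[-2], parts[-1]
        depth = len(m.group("indent")) // 3 + (1 if m.group("marker") else 0)
        nodes.append(Node(parts[0], parts[1], version, scope, depth))
    return nodes


def find_metaversions(text: str) -> list:
    """Every node whose version is RELEASE or LATEST, direct or transitive."""
    return [n for n in parse_tree(text) if n.is_metaversion]


def transitive_metaversions(text: str) -> list:
    """Only the transitive ones: these are what the thread reports as unresolvable."""
    return [n for n in find_metaversions(text) if n.depth > 1]


if __name__ == "__main__":
    for n in find_metaversions(SAMPLE_TREE):
        kind = "transitive" if n.depth > 1 else "direct"
        print(f"{kind:10} depth={n.depth} {n.group_id}:{n.artifact_id}:{n.version} ({n.scope})")
```

Feed it real output with `mvn org.apache.maven.plugins:maven-dependency-plugin:3.4.0:tree > tree.txt` and `parse_tree(open("tree.txt").read())`; each entry returned by `transitive_metaversions` is a candidate for pinning to a concrete version, or, as the workaround used earlier in this thread, for a direct `provided`-scoped declaration in the project pom.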

However... feel free to deep-dive into all of maven dependency-resolution and propose a PR that fixes it for transitive dependencies.

aikebah avatar Jan 03 '23 18:01 aikebah

Think I've found a way to make these work as well.... need to do some further testing

aikebah avatar Jan 03 '23 21:01 aikebah

OMG thank you very much, I didn't check GitHub in a day and yet it is already resolved XD

Again many thanks, we will at last be able to upgrade our dependency check from the last working version 6.3.1 ^^

Cheers

YSavanier avatar Jan 05 '23 16:01 YSavanier