
Provide an example for reading a `pom.xml` and resolving all dependencies transitively

Open sschuberth opened this issue 1 month ago • 5 comments

As this sounds like an awesome project to simplify the Maven dependency analysis in the OSS Review Toolkit (ORT), I'm interested in an example on how to use the MIMA API to get metadata about all dependencies in a Maven project as given by a specific pom.xml file.

In essence, what ORT does is to search an input directory recursively for pom.xml files (or files from other package managers), resolve all dependencies, and record metadata about all found dependencies. Represented in YAML, the metadata looks like this:

- id: "Maven:org.apache.beam:beam-parent:2.3.0"
  purl: "pkg:maven/org.apache.beam/beam-parent@2.3.0"
  authors:
  - "Apache Software Foundation"
  - "The Apache Software Foundation"
  declared_licenses:
  - "Apache License, Version 2.0"
  declared_licenses_processed:
    spdx_expression: "Apache-2.0"
    mapped:
      Apache License, Version 2.0: "Apache-2.0"
  description: "Apache Beam provides a simple, Java-based interface\n  for processing\
    \ virtually any size data. This artifact includes the parent POM\n  for other\
    \ Beam artifacts."
  homepage_url: "http://beam.apache.org/"
  binary_artifact:
    url: "https://repo.maven.apache.org/maven2/org/apache/beam/beam-parent/2.3.0/beam-parent-2.3.0.pom"
    hash:
      value: "9e1ed0d1f714b13d0625fc9feb1410a7a2250424"
      algorithm: "SHA-1"
  source_artifact:
    url: "https://repo.maven.apache.org/maven2/org/apache/beam/beam-parent/2.3.0/beam-parent-2.3.0.pom"
    hash:
      value: "9e1ed0d1f714b13d0625fc9feb1410a7a2250424"
      algorithm: "SHA-1"
  vcs:
    type: "Git"
    url: "https://gitbox.apache.org/repos/asf/beam.git"
    revision: "v2.3.0-RC3"
    path: ""
  vcs_processed:
    type: "Git"
    url: "https://gitbox.apache.org/repos/asf/beam.git"
    revision: "v2.3.0-RC3"
    path: ""
  is_metadata_only: true

So that's the amount / detail of data we expect to get. Is this something that MIMA supports in its API?

sschuberth, Nov 06 '25 13:11

Definitely, MIMA supports something like that... Toolbox, which is a "MIMA showcase" (it is a Maven plugin and CLI), has abilities that look similar to this; here are some examples:

  • as Maven plugin: https://gist.github.com/cstamas/d0661a59be2c6ee0bfd47dbe550f51db
  • as CLI (JBang): https://gist.github.com/cstamas/a0cc90a20292709144bd0bf6a71b5b0f

cstamas, Nov 06 '25 14:11

Yes, that looks useful from the output perspective, but on the input side it seems to only accept concrete GAV coordinates for a single artifact. What I'd be interested in would be the same for a whole pom.xml file, respecting any custom repository declarations in there etc., just like mvn would.

sschuberth, Nov 06 '25 14:11

Yes, but MIMA is not Maven. So it helps you in these areas:

  • get "effective model" (POM) of a resolvable artifact
  • can resolve artifacts from any (user defined) repositories

But the basic "crawling" is not part of it; it should be done by you. Basically, a flow like this:

  • point MIMA to GAV, it gives you POM
  • using that POM model, extract dependencies, repositories
  • using extracted repositories and dependencies (GAVs) GOTO 1

So in short, yes, but you need to provide some "glue code".

cstamas, Nov 07 '25 11:11
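The three-step loop above, written out as the "glue code" it asks for. This is an added example, not code from the MIMA project or from anyone in this thread. It assumes two things: that MIMA's `Context` (from `eu.maveniverse.maven.mima.context`, obtained via `Runtimes.INSTANCE.getRuntime().create(...)`) exposes `repositorySystem()`, `repositorySystemSession()` and `remoteRepositories()`, which is my reading of MIMA's README and should be checked against the version you use; and Maven Resolver's `RepositorySystem.readArtifactDescriptor`, which returns the dependencies and the `<repositories>` declared in a resolvable POM after the effective model has been built. The class name `PomCrawl`, the `Work` record and the `crawl`/`mergeRepositories` helpers are mine.

```java
// Added example (not MIMA project code). Assumed APIs: MIMA Context accessors as named in the
// lead-in; Maven Resolver (org.eclipse.aether) readArtifactDescriptor / newResolutionRepositories.
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import eu.maveniverse.maven.mima.context.Context;
import eu.maveniverse.maven.mima.context.ContextOverrides;
import eu.maveniverse.maven.mima.context.Runtimes;
import org.eclipse.aether.RepositorySystem;
import org.eclipse.aether.RepositorySystemSession;
import org.eclipse.aether.artifact.Artifact;
import org.eclipse.aether.artifact.DefaultArtifact;
import org.eclipse.aether.graph.Dependency;
import org.eclipse.aether.repository.RemoteRepository;
import org.eclipse.aether.resolution.ArtifactDescriptorException;
import org.eclipse.aether.resolution.ArtifactDescriptorRequest;
import org.eclipse.aether.resolution.ArtifactDescriptorResult;

public class PomCrawl {
    // Scopes that propagate through the graph; the root keeps all of its own scopes,
    // transitive "test"/"provided" dependencies are not part of the consumer's graph.
    private static final Set<String> TRANSITIVE_SCOPES = Set.of("compile", "runtime");

    // A GAV to visit plus the repository list in force at the point it was declared.
    record Work(Artifact artifact, List<RemoteRepository> repositories, boolean isRoot) {}

    public static void main(String[] args) throws Exception {
        String root = args.length > 0 ? args[0] : "org.apache.beam:beam-parent:pom:2.3.0";
        try (Context context = Runtimes.INSTANCE.getRuntime().create(ContextOverrides.create().build())) {
            Map<String, ArtifactDescriptorResult> seen = crawl(context, new DefaultArtifact(root));
            for (ArtifactDescriptorResult r : seen.values()) {
                Artifact a = r.getArtifact();
                System.out.printf("%s:%s:%s  (POM from %s)%n",
                        a.getGroupId(), a.getArtifactId(), a.getVersion(), r.getRepository());
            }
        }
    }

    // Breadth-first crawl: step 1 read the POM's descriptor, step 2 extract repositories,
    // step 3 extract dependencies and enqueue them (GOTO 1). Each GAV is visited once, so
    // dependency cycles and diamonds terminate.
    static Map<String, ArtifactDescriptorResult> crawl(Context context, Artifact root)
            throws ArtifactDescriptorException {
        RepositorySystem system = context.repositorySystem();
        RepositorySystemSession session = context.repositorySystemSession();
        Map<String, ArtifactDescriptorResult> visited = new LinkedHashMap<>();
        Deque<Work> queue = new ArrayDeque<>();
        queue.add(new Work(root, context.remoteRepositories(), true));
        while (!queue.isEmpty()) {
            Work w = queue.poll();
            String key = w.artifact().getGroupId() + ":" + w.artifact().getArtifactId() + ":" + w.artifact().getVersion();
            if (visited.containsKey(key)) continue;
            // Step 1: Resolver fetches the POM and builds its effective model (parents, BOM
            // imports, interpolation) before handing back dependencies and repositories.
            ArtifactDescriptorRequest req = new ArtifactDescriptorRequest(w.artifact(), w.repositories(), "crawl");
            ArtifactDescriptorResult res = system.readArtifactDescriptor(session, req);
            visited.put(key, res);
            // Step 2: honour the <repositories> this POM declares for everything below it.
            List<RemoteRepository> repos = mergeRepositories(system, session, w.repositories(), res.getRepositories());
            // Step 3: dependencies become new work items. Optional deps are skipped, and a
            // missing scope means "compile".
            for (Dependency d : res.getDependencies()) {
                if (d.isOptional()) continue;
                String scope = d.getScope().isEmpty() ? "compile" : d.getScope();
                if (!w.isRoot() && !TRANSITIVE_SCOPES.contains(scope)) continue;
                // Version ranges are not accepted by readArtifactDescriptor; pin them with
                // system.resolveVersionRange(...) first if your POMs use them (not shown).
                queue.add(new Work(d.getArtifact(), repos, false));
            }
        }
        return visited;
    }

    // POM-declared repositories widen where artifacts are fetched from. Passing them through
    // the session applies settings.xml mirrors, proxies and credentials, as mvn would, instead
    // of trusting the raw URL from a third party's POM.
    static List<RemoteRepository> mergeRepositories(RepositorySystem system, RepositorySystemSession session,
                                                    List<RemoteRepository> base, List<RemoteRepository> fromPom) {
        Map<String, RemoteRepository> byUrl = new LinkedHashMap<>();
        for (RemoteRepository r : base) byUrl.putIfAbsent(r.getUrl(), r);
        for (RemoteRepository r : system.newResolutionRepositories(session, fromPom)) byUrl.putIfAbsent(r.getUrl(), r);
        return new ArrayList<>(byUrl.values());
    }
}
```

Run it with a GAV as the single argument (or rely on the built-in default, which is the artifact from the YAML sample above). Note what this does and does not give you: `ArtifactDescriptorResult` carries dependencies, managed dependencies, repositories and the POM properties, but not licenses, developers, description, homepage or SCM, so filling the ORT record above still needs the effective model (the mmr extension mentioned in this thread), and, as the warning below says, only for POMs that are resolvable from a repository, not for a source checkout.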

Also, a warning: the "mmr" README explains: https://github.com/maveniverse/mima/blob/main/extensions/mmr/README.md

It will give you effective models of resolvable artifacts (so those deployed). It does not build models, i.e. if you have a source checkout, building the effective model for that POM requires Maven (as there is much more in play, like extensions that may modify the model, etc.).

cstamas, Nov 07 '25 11:11

I see, thanks. So I guess requesting such an example as I did is out of scope, as it would probably need to contain more "glue code" than code for MIMA API calls, correct?

sschuberth, Nov 07 '25 11:11