vscode-maven
Feature request: Enable filtering of dependency tree, so one can quickly track down vulnerabilities or conflicts
Suggestion
As a developer, I would like to filter the maven dependency tree based on a specific dependency, so that I can see which parts of the dependency tree include a dependency, in order to locate a vulnerability or see conflicting versions being used.
Visually, there should be a filter widget and palette to search for a dependency and just show the part of the tree which includes that dependency.
Use Cases
I would like to see all the dependencies in my tree which may have a log4j vulnerability. Right now I have to manually search through the tree to find log4j. The command line version of maven supports this feature, so there's no need to reinvent the wheel. This is documented at https://maven.apache.org/plugins/maven-dependency-plugin/examples/filtering-the-dependency-tree.html
Examples
Example of using the command line version of dependency tree to look for log4j vulnerabilities. I would like to see a filtered tree in the maven dependency UI similar to the command line output below:
mvn dependency:tree -Dincludes=log4j:log4j
provides the output:
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ modular-automation-framework ---
[INFO] com.ntrs.maf:modular-automation-framework:jar:0.0.1-SNAPSHOT
[INFO] \- net.sourceforge.jexcelapi:jxl:jar:2.6.12:compile
[INFO]    \- log4j:log4j:jar:1.2.14:compile
Have you tried inspecting conflicts with Maven explorer? See below.
Hi @Eskibear. In the picture you provided of maven explorer, no filtering is implemented. In a large project there could be many conflicts with many different libraries.
Here is an example of a maven dependency tree filter feature implemented on Eclipse: https://books.sonatype.com/m2eclipse-book/reference/dependencies-sect-analyze-depend.html#fig-dependencies-pom-editor-locate-depend
> no filtering is implemented
FYI VS Code itself implements basic filtering for all tree views, you can type some keywords when focusing on it.
But I agree it would be great if we can explicitly filter the libraries we want to inspect. See if we can improve the experience e.g. by adding a button to apply filters.
Note that VS Code is an editor instead of an IDE, with limited UI components and ways of interaction; it's not trivial to implement complicated visualizations like a dependency graph.
I agree implementing a dependency graph visualization is not simple, and there are simpler ways to fulfill the original request.
If it's a matter of simply surfacing the underlying tree filtering logic that would be fantastic!
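The filtering requested in this thread, as an added example that is not part of the thread or the extension's code: it parses unfiltered `mvn dependency:tree` text output and returns every path from the project to a matching artifact, plus the distinct versions found. The sample output is constructed, the function names are hypothetical, and matching on `groupId:artifactId` only is a simplification of the `-Dincludes` pattern syntax; it assumes the plugin's default text format with three-character indentation per level.

```python
import fnmatch
import re

# Constructed sample of unfiltered `mvn dependency:tree` output (not from the thread).
SAMPLE = r"""
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- net.sourceforge.jexcelapi:jxl:jar:2.6.12:compile
[INFO] |  \- log4j:log4j:jar:1.2.14:compile
[INFO] +- org.example:reporting:jar:3.1:compile
[INFO] |  +- commons-io:commons-io:jar:2.4:compile
[INFO] |  \- org.example:legacy-logging:jar:1.0:compile
[INFO] |     \- log4j:log4j:jar:1.2.17:compile
[INFO] \- junit:junit:jar:4.12:test
"""

# Group 1: tree-drawing prefix (3 characters per level). Group 2: Maven coordinate.
NODE = re.compile(r"^\[INFO\] ((?:[| ]  )*(?:[+\\]- )?)([\w.\-]+(?::[\w.\-]+){3,5})$")


def parse_tree(text):
    """Yield (depth, coordinate) for each tree line; depth 0 is the project itself."""
    for line in text.splitlines():
        m = NODE.match(line.rstrip())
        if m:
            yield len(m.group(1)) // 3, m.group(2)


def paths_to(text, pattern):
    """Return every root-to-match path whose groupId:artifactId matches pattern."""
    stack, hits = [], []
    for depth, coord in parse_tree(text):
        del stack[depth:]  # leave only the ancestors of the current node
        stack.append(coord)
        group_artifact = ":".join(coord.split(":")[:2])
        if fnmatch.fnmatchcase(group_artifact, pattern):
            hits.append(list(stack))
    return hits


def versions_in_use(text, pattern):
    """Distinct versions of matched dependencies (version precedes the scope field)."""
    return sorted({path[-1].split(":")[-2] for path in paths_to(text, pattern)})


if __name__ == "__main__":
    for path in paths_to(SAMPLE, "log4j:log4j"):
        print(" -> ".join(path))
    print("versions:", versions_in_use(SAMPLE, "log4j:log4j"))
```

More than one entry from `versions_in_use` for the same artifact is the conflict case raised in the thread; each returned path names the direct dependency that pulls the artifact in.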