Prioritise using project's mvnw/gradlew over Macaron's built-in mvnw/gradlew

Open nathanwn opened this issue 2 years ago • 1 comments

In general, a repository has its own mvnw/gradlew; we should prioritize using it over Macaron's built-in mvnw/gradlew. Macaron's built-in mvnw/gradlew should still be used as a fallback option.

At the moment, our dependency analyzers running on top of the CycloneDX Maven and Gradle plugins are using Macaron's built-in mvnw/gradlew. This is known to cause compatibility issues while analyzing some repositories in the past.

nathanwn avatar Jul 05 '23 00:07 nathanwn

One concern with this prioritization is the download overhead. gradlew downloads the relevant Gradle version if it does not exist, which can cause unexpected overhead for simple tasks, such as determining the group ID of an artifact using gradlew properties.

behnazh-w avatar Aug 27 '23 23:08 behnazh-w

We have decided to avoid running the project's mvnw and gradlew for security and performance reasons.

behnazh-w avatar Aug 19 '24 06:08 behnazh-w