Maven 2.x Enforcer Plugin

Rule to ban all transitive dependencies

Details

  • Type: New Feature New Feature
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 1.2
  • Component/s: Standard Rules
  • Labels:
    None
  • Number of attachments :
    0

Description

In some projects it's necessary (or at least desirable) to have all dependencies explicitly specified in pom. We have a build requirement to use a strictly controlled maven repository which includes only artifacts which are necessary and have been reviewed/approved. In order to meet this requirement, each new dependency in the build much be reviewed before each release. This can be done by periodically reviewing the dependency tree and cleaning up any unnecessary dependencies, but it would be more efficient if the developer adding the dependency was immediately notified that new (possibly unnecessary) dependencies were added to the build and not explicitly defined. The developer can immediately choose whether to exclude the transitive dependency (if it's not really needed), or declare the dependency and control the version using dependency management. Doing this checking up front when the build is modified is more efficient than periodically reviewing the dependency tree after several upgrades may have taken place.

It In order to facilitate this use case, an enforcer rule could check that all dependencies are explicitly defined unless they are specifically marked to be ignored. This would ban all transitive dependencies so that the user could either add the transitive dependency directly to the pom (if it's actually needed), or exclude the dependency using exclusions in the dependency management, or marked to be ignored using something like an <excludes> parameter similar to other standard enforcer rules.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Jakub Senko added a comment -

Hi,
I have created crude implementation of this rule.
Rule will fail the build if it detects any transitive dependencies.
I have also added an option to exclude certain artifacts from being checked.
This works the same as <exclude> and <include> here: http://maven.apache.org/enforcer/enforcer-rules/bannedDependencies.html
I have also added an option to write a custom message to user if the rule fails.
Code is here https://github.com/jsenko/enforcer-rule, but it needs some polishing.
I would welcome any suggestions.

Show
Jakub Senko added a comment - Hi, I have created crude implementation of this rule. Rule will fail the build if it detects any transitive dependencies. I have also added an option to exclude certain artifacts from being checked. This works the same as <exclude> and <include> here: http://maven.apache.org/enforcer/enforcer-rules/bannedDependencies.html I have also added an option to write a custom message to user if the rule fails. Code is here https://github.com/jsenko/enforcer-rule , but it needs some polishing. I would welcome any suggestions.
Hide
Permalink
Paul Gier added a comment -

Thanks, this is a good start. I'd like this to be part of the standard set of enforcer rules, can you add it to the enforcer code as a standard rule? You can use the git repo of the enforcer from here: https://github.com/apache/maven-enforcer

Here are a couple of suggestions for improvement:
If the enforcer rule fails, it should print out all the dependencies that failed instead of just failing on the first one. This way if there are multiple failures they can all be fixed without runnning the build again.

Also, I think the excludes should specify the transitive dependency to be ignored instead of specifying the direct dependency that brings in the transitive dependencies. For example, this allows you to configure that a direct dependency is allowed to have one or more specific transitive, but not allowed to bring in any other transitive deps.

Show
Paul Gier added a comment - Thanks, this is a good start. I'd like this to be part of the standard set of enforcer rules, can you add it to the enforcer code as a standard rule? You can use the git repo of the enforcer from here: https://github.com/apache/maven-enforcer Here are a couple of suggestions for improvement: If the enforcer rule fails, it should print out all the dependencies that failed instead of just failing on the first one. This way if there are multiple failures they can all be fixed without runnning the build again. Also, I think the excludes should specify the transitive dependency to be ignored instead of specifying the direct dependency that brings in the transitive dependencies. For example, this allows you to configure that a direct dependency is allowed to have one or more specific transitive, but not allowed to bring in any other transitive deps.
Hide
Permalink
Jakub Senko added a comment -

I've started a pull request: https://github.com/apache/maven-enforcer/pull/2

Show
Jakub Senko added a comment - I've started a pull request: https://github.com/apache/maven-enforcer/pull/2
Hide
Permalink
Paul Gier added a comment -

This looks good. I updated the formatting based on the Maven code style conventions [1], and I added two simple integration tests which you can pull from my branch [2]. One of the integration tests exposes what I think is a minor bug, where you can exclude two level-3 dependencies and then the plugin ignores the level-2 dependency that is the parent of these deps.

Can you also add some site documentation similar to the other rules under src/site/apt?

[1]http://maven.apache.org/developers/committer-environment.html
[2]https://github.com/pgier/maven-enforcer/tree/MENFORCER-138

Show
Paul Gier added a comment - This looks good. I updated the formatting based on the Maven code style conventions [1] , and I added two simple integration tests which you can pull from my branch [2] . One of the integration tests exposes what I think is a minor bug, where you can exclude two level-3 dependencies and then the plugin ignores the level-2 dependency that is the parent of these deps. Can you also add some site documentation similar to the other rules under src/site/apt? [1] http://maven.apache.org/developers/committer-environment.html [2] https://github.com/pgier/maven-enforcer/tree/MENFORCER-138
Hide
Permalink
Jakub Senko added a comment -

Thanks, I have pulled your changes, fixed the bug and created the site.

Show
Jakub Senko added a comment - Thanks, I have pulled your changes, fixed the bug and created the site.
Hide
Permalink
Paul Gier added a comment -

Looks great, I applied the patch.
Thanks!

r1395797

Show
Paul Gier added a comment - Looks great, I applied the patch. Thanks! r1395797

People

  • Assignee:
    Paul Gier
    Reporter:
    Paul Gier
Vote (2)
Watch (3)

Dates

  • Created:
    Updated:
    Resolved: