
Tool to generate BOM file #22417

Merged
merged 2 commits into from
Jul 27, 2021

Conversation

pallavit
Contributor

@pallavit pallavit commented Jun 21, 2021

The tool generates the BOM in the following way:

  1. Picks up all the eligible SDK dependencies from the versioning_client.txt file.
  2. Creates a map of all dependencies these libraries bring in (non-transitively) and flattens them into a tree map of dependency name (groupId:artifactId) -> version -> (parent dependencies that brought in this dependency, i.e. all the ancestors).
  3. For all the libraries with multiple versions (conflicting situations), picks the latest version as the winner, and removes the other versions and their respective parent dependencies as non-eligible dependencies.
  4. Gets the new list of eligible dependencies from step (3) and step (1).
  5. Reruns step (2) to get the complete set to be put in the BOM.
  6. Runs the validation step to ensure BOM resolution results in no conflicts.
  7. Writes the new BOM.

TODO:

  1. Have better reporting/logging. Currently it logs to the console all the libraries that had to be dropped and the reason why they were dropped.
  2. Have a better algo to pick the winner in the conflicting list. As of now, this algo picks the highest version, which may be the right choice for core libraries but may not be true for, say, libraries like communication-common.
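Steps 2 to 6 of the description, worked through on a constructed dependency graph so the winner/loser pruning and the validation pass can be seen end to end; this is an added Python illustration, not the PR's Java tool (which uses ShrinkWrap and the Maven reader/writer libraries). It assumes plain dotted numeric versions and resolves the constructed graph transitively, and the graph is built so that communication-common, pinned to an older core, is the library that gets dropped, which is the situation the second TODO item flags.

```python
# Added illustration of steps 2-6 above; not the tool's own code, which uses ShrinkWrap and Maven readers.
from collections import defaultdict
# Constructed graph: "groupId:artifactId:version" -> its direct dependencies (resolved transitively here).
DEPS = {
    "com.azure:azure-core:1.18.0": ["com.fasterxml.jackson.core:jackson-databind:2.12.3"],
    "com.azure:azure-core:1.17.0": ["com.fasterxml.jackson.core:jackson-databind:2.12.2"],
    "com.azure:azure-storage-blob:12.12.0": ["com.azure:azure-core:1.18.0"],
    "com.azure:azure-communication-common:1.0.0": ["com.azure:azure-core:1.17.0"],
}
# Step 1 stand-in: the eligible SDK libraries picked up from version_client.txt (constructed).
ELIGIBLE = ["com.azure:azure-core:1.18.0", "com.azure:azure-storage-blob:12.12.0",
            "com.azure:azure-communication-common:1.0.0"]

def build_map(eligible, deps):
    """Step 2: name -> version -> set of eligible roots (ancestors) that pull that version in."""
    tree = defaultdict(lambda: defaultdict(set))
    for root in eligible:
        stack, seen = [root], set()
        while stack:
            coord = stack.pop()
            if coord in seen:
                continue
            seen.add(coord)
            name, ver = coord.rsplit(":", 1)
            tree[name][ver].add(root)
            stack.extend(deps.get(coord, []))
    return tree

def validate(tree):  # step 6: conflict-free only if every artifact has exactly one version
    return all(len(versions) == 1 for versions in tree.values())

def generate_bom(eligible, deps):
    """Steps 3-5: drop the roots behind losing versions and rebuild the map until it is stable."""
    eligible, dropped = set(eligible), {}
    while True:
        tree = build_map(eligible, deps)
        to_drop = {}
        for name, versions in tree.items():
            # Step 3: highest version wins; assumes plain dotted numeric versions (real Maven ordering is richer).
            winner = max(versions, key=lambda v: tuple(map(int, v.split("."))))
            for ver, roots in versions.items():
                for root in roots if ver != winner else ():  # every ancestor of a losing version is dropped
                    to_drop.setdefault(root, f"brings {name}:{ver}, BOM keeps {winner}")
        if not to_drop:
            break
        dropped.update(to_drop)  # the dropped-library report the TODO list refers to
        eligible -= set(to_drop)
    assert validate(tree), "BOM still has version conflicts"
    return {name: next(iter(vers)) for name, vers in tree.items()}, dropped
```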

@pallavit pallavit added the azure-sdk-bom Azure Java SDK BOM (Bill of Materials) label Jun 21, 2021
@pallavit pallavit self-assigned this Jun 21, 2021
@ghost ghost added the Azure.Core azure-core label Jun 21, 2021
@pallavit
Contributor Author

pallavit commented Jul 7, 2021

While creating the dependency tree for the external BOMs, I came across https://repo1.maven.org/maven2/com/fasterxml/jackson/jackson-bom/2.11.3/jackson-bom-2.11.3.pom, which uses properties to version-control the different dependencies, and it made me think that this is a good way to automatically move all our SDK dependencies to the latest core (have the core library version defined as a property in the parent POM, then make all SDKs use that property as the version; shipping core would then entail updating the property, and all libraries would automatically pick that up). Any reason why this approach won't work or should not be used?

/cc: @srnagar , @alzimmermsft , @JonathanGiles

@pallavit pallavit force-pushed the pallavit/bomtooling branch from ba0f718 to a0e66c2 Compare July 7, 2021 17:31
@pallavit
Contributor Author

pallavit commented Jul 7, 2021

Discussed offline with @srnagar. We tried a similar approach in the past where we added dependencyManagement to the parent POM but soon got into trouble because of it (multiple hierarchical dependencies), so what we have is what we stay with!


@pallavit pallavit marked this pull request as ready for review July 8, 2021 16:38
@pallavit pallavit force-pushed the pallavit/bomtooling branch from b72d5ad to adfd432 Compare July 8, 2021 16:45
set "versioningClientFileLocation=%~dp0..\versioning\version_client.txt"
set "bomPomFileLocation=%~dp0..\..\sdk\boms\azure-sdk-bom\pom.xml"
set "outputFileLocation=%~dp0..\..\sdk\boms\azure-sdk-bom\newpom.xml"
mvn clean install && mvn exec:java -Dexec.args="-inputFile=%versioningClientFileLocation% -outputFile=%outputFileLocation% -pomFile=%bomPomFileLocation%"
Member

@weshaggard weshaggard Jul 8, 2021


Out of curiosity, is there a reason you decided to write a Java-based tool for generating this? Not that it matters too much, but most of the other versioning tools are written in Python, so this would need to duplicate a chunk of that logic. Do we think we should move more of the versioning tooling to Java? #Resolved

Contributor Author


There were three main reasons:

  1. I rely on a library, ShrinkWrap, that basically emulates Maven assembly resolution to create the dependency map for each library. I also depend on the Maven reader and writer library, which again is available for Java. (I believe there are solutions that can call Java methods from Python directly, but I did not delve into that much.)
  2. This can in future become a plug-in and be part of a build step.
  3. My vested interest in getting more comfy in Java.

When you say duplication of code, do you mean parsing the files and versions etc., or other things too?

Contributor Author

@pallavit pallavit Jul 8, 2021


Do we think we should move more of the versioning tooling to Java?

This is a tough one. I see why Python is the language of choice here. But at the same time, for scenarios like the BOM, having things in Java and reusing libraries/solutions from the ecosystem is beneficial.

Member


Thanks for the context. I don't have an issue with this, especially if this becomes a plugin and is produced as part of the Maven build.

The duplication I was thinking about is the parsing and understanding of our version files. It isn't overly complicated, but there are some interesting rules in there for understanding dependency vs. current versions as well as our unreleased/beta versions.

One of the biggest reasons we use things like Python and PowerShell scripts for our versioning and other engsys tasks is to avoid needing to do a restore and build step before using the tool. Interpreted languages are much better suited to those types of tasks. For that reason it might be kind of difficult to implement all the versioning rules in a Java-based tool, at least one that lives in this repo. If we did use a Java tool for these types of things, I'd suggest we move the building/publishing of that tool into another repo.

Contributor Author


I think @srnagar also said that having a plugin which lived in a repo like azure-sdk would be a better place to put this. How about I make this the first step and use it to polish the tool a little, and once it is mature and ready to be turned into a plugin, I can move it to a more suitable location.

Contributor Author


One of the biggest reasons we use things like Python and PowerShell scripts for our versioning and other engsys tasks is to avoid needing to do a restore and build step before using the tool. Interpreted languages are much better suited to those types of tasks.

I did not think of this... thanks!

Member


If you do end up putting this in another repo the right place for it would be https://github.com/Azure/azure-sdk-tools/tree/main/tools.

Contributor Author


Thanks :)

eng/bomgenerator/pom.xml (outdated review thread, resolved)
eng/bomgenerator/pom.xml (review thread, resolved)
Comment on lines 42 to 43
BomGenerator() {
}
Member

@srnagar srnagar Jul 9, 2021


This can be removed #Resolved

}


private void makeDependencyInEligible(BomDependency dependency) {
Member

@srnagar srnagar Jul 10, 2021


Add logs to indicate why dependencies are marked as ineligible. #Pending

Contributor Author


Yes, I have a work item to add better logging/reporting to the system.

eng/bomgenerator/buildAndRun.cmd (review thread, resolved)
return this.bomEligibleDependencies;
}

public Boolean validate() {
Member


Why does this return Boolean when the method call value it is returning is boolean?

@pallavit pallavit force-pushed the pallavit/bomtooling branch from 00e822b to 07b0a5e Compare July 13, 2021 18:41
Incorporate all PR comments
@pallavit pallavit force-pushed the pallavit/bomtooling branch from 07b0a5e to adabb89 Compare July 22, 2021 20:54

@pallavit
Contributor Author

Thank you for the feedback.

@pallavit pallavit merged commit bfba5b1 into Azure:main Jul 27, 2021