
Different dash workflows produce different DEPENDENCIE files between plugin and mvn verify #245

Closed
Siegfriedk opened this issue Jun 13, 2023 · 4 comments

Comments

@Siegfriedk

In our current Tractus-x Project we have lots of pull requests from teams and when I verified if one Team generated/updated their dependencies correctly, we had a mix of results.

They were using

mvn verify dependency:list -DskipTests -Dmaven.javadoc.skip=true -DappendOutput=true -DoutputFile=maven.deps
java -jar ~/Desktop/org.eclipse.dash.licenses-0.0.1-20220928.055031-560.jar maven.deps -summary DEPENDENCIES

I used the maven plugin approach described here https://blog.waynebeaton.ca/posts/ip/dash-license-tool-maven-plugin/

The https://github.com/eclipse/dash-licenses website mentions another tool: The Maven Reactor

I personally find it slightly confusing to have multiple maven based workflows and would suggest providing/documenting a golden path.

@Siegfriedk
Author

FYI: This repository is seeing the difference between the manual maven call vs. the maven plugin https://github.com/eclipse-tractusx/managed-service-orchestrator

@waynebeaton
Collaborator

I made some documentation updates that highlight the Maven plugin as the preferred option. There's multiple ways to use the tool because there are a multitude of ways that folks do builds. In some cases, one option is better than another.

FWIW, the Maven reactor is part of Maven. The Eclipse Dash License Tool's Maven plugin uses the Maven Reactor. It's not something separate.

Based on a quick look, it looks like the difference between the CLI and Maven results is because the Maven plugin skips dependencies that are not in Maven's compile scope. The CLI option is using the results of the dependency:list plugin which shows everything. I'll update the documentation to highlight this.

There is no "golden path" that works in every case. Ultimately, we depend on committers understanding what their builds are doing and using the tool (or not) to assist with their engagement in the IP due diligence process.
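The scope difference described in the comment above is easy to check locally. The following script is an added example, not code from this issue or from the Dash project: it assumes the `maven.deps` file has the shape that `mvn dependency:list -DoutputFile=...` writes (one indented `group:artifact:type[:classifier]:version:scope` coordinate per line, which is an assumption), keeps only compile-scope entries so the CLI input matches what the plugin reports, and lists the non-compile entries that explain a DEPENDENCIES diff between the two workflows.

```shell
#!/bin/sh
# Constructed sample in the assumed shape of dependency:list output
# (with -DappendOutput=true several modules are concatenated into one file).
SAMPLE_DEPS='The following files have been resolved:
   org.apache.commons:commons-lang3:jar:3.12.0:compile
   junit:junit:jar:4.13.2:test
   org.slf4j:slf4j-api:jar:2.0.7:compile
   org.projectlombok:lombok:jar:1.18.28:provided
   none'

# Print only coordinates whose last ":"-separated field is the compile
# scope. A coordinate line is recognised by its first whitespace-delimited
# token containing at least four ":" separators; anything else (headers,
# "none", trailing module annotations) is ignored.
filter_compile_scope() {
    awk 'index($1, ":") { n = split($1, f, ":")
                          if (n >= 5 && f[n] == "compile") print $1 }' "$1"
}

# Print the coordinates the CLI path would feed to the Dash tool but the
# Maven plugin would skip (test, provided, runtime, ... scopes).
non_compile_entries() {
    awk 'index($1, ":") { n = split($1, f, ":")
                          if (n >= 5 && f[n] != "compile") print $1 }' "$1"
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_DEPS" > "$tmp"
    echo "== compile scope (what the plugin reports) =="
    filter_compile_scope "$tmp"
    echo "== present in the CLI input, skipped by the plugin =="
    non_compile_entries "$tmp"
    rm -f "$tmp"
}

main
```

Point `filter_compile_scope` at your real `maven.deps` and pass its output to the Dash CLI to get a DEPENDENCIES summary comparable to the plugin's.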

@tom-rm-meyer-ISST

We noticed this problem within the tractus-x repository. For this repository, we should clarify whether test dependencies are in scope or not. Therefore, we raised this discussion. Maybe the description also helps to understand anyone reading this issue.

@waynebeaton
Collaborator

They were using

mvn verify dependency:list -DskipTests -Dmaven.javadoc.skip=true -DappendOutput=true -DoutputFile=maven.deps
java -jar ~/Desktop/org.eclipse.dash.licenses-0.0.1-20220928.055031-560.jar maven.deps -summary DEPENDENCIES

There is a 1.0.0 release that is more current than that build.

I think that we're done here, so I'm going to close the issue. Feel free to reopen if you feel that my assertion that we're done is incorrect.


3 participants