-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use spotbugs from bom #152
Conversation
$ mvn dependency:tree | grep spotbugs [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.0.3:provided (optional)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that findsecbugs
is standard in the parent POM now.
pom.xml
Outdated
@@ -22,15 +22,14 @@ | |||
</description> | |||
|
|||
<properties> | |||
<jenkins.baseline>2.204</jenkins.baseline> | |||
<jenkins.version>${jenkins.baseline}.6</jenkins.version> | |||
<jenkins.baseline>2.249</jenkins.baseline> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems to be too new? From our dev documentation:
At the moment, the Jenkins releases 2.222.1 and 2.235.1 make good core dependencies unless there are specific reasons, like new features, to choose a different release.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
alternatively we would need to downgrade spotbugs to 3.x (by pulling from the bom on an older line) but that has the negative side affect of using 3.x which has the edu nonnull annotations deprecated.
but that might be a better option?
unless there are specific reasons, like new features, to choose a different release.
^^
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMHO this counts as a “specific reason”.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well SpotBugs adds no functionality - it is a dev lib to improve static analysis. It should never be a reason to lose a lot of users by using the latest LTS as baseline.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've downgraded the baseline, and also raised a PR against core to update it's version to the latest spotbugs: jenkinsci/jenkins#4982
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When I test the new pom in one of my plugins I get a lot of enforcer errors now:
[INFO] Adding ignore: **/ModuleUtils*
[WARNING] Rule 5: org.apache.maven.plugins.enforcer.RequireUpperBoundDeps failed with message:
Failed while enforcing RequireUpperBoundDeps. The error(s) are [
Require upper bound dependencies error for com.github.spotbugs:spotbugs-annotations:3.1.11 paths to dependency are:
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
+-com.github.spotbugs:spotbugs-annotations:3.1.11
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
+-io.jenkins.plugins:plugin-util-api:1.2.5
+-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.1.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
+-io.jenkins.plugins:font-awesome-api:5.14.0-1
+-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.0.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
+-io.jenkins.plugins:bootstrap4-api:4.5.2-1
+-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.1.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
+-io.jenkins.plugins:jquery3-api:3.5.1-1
+-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.0.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
+-io.jenkins.plugins:echarts-api:4.9.0-1
+-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.1.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
+-io.jenkins.plugins:data-tables-api:1.10.21-2
+-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.0.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
+-io.jenkins.plugins:plugin-util-api:1.2.5
+-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.1.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
+-io.jenkins.plugins:plugin-util-api:1.2.5
+-edu.hm.hafner:codingstyle:1.4.0
+-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.1.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
+-io.jenkins.plugins:bootstrap4-api:4.5.2-1
+-io.jenkins.plugins:popper-api:1.16.0-6
+-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.0.0
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
+-io.jenkins.plugins:echarts-api:4.9.0-1
+-edu.hm.hafner:echarts-build-trends:2.0.0
+-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.0.2
]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It’s because of cross dependencies on a lot of them as far as I can tell
Once this is released then it needs to go to the more meta ones first like plugin util api and it should sort itself out
feel free to ping me on any dependabot PRs that fail on this. |
$ mvn dependency:tree | grep spotbugs
[INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.0.3:provided (optional)
One of the PRs required for jenkinsci/bom#322
Pulls in jenkinsci/jenkins#4689 which bumps spotbugs to 4.x
First LTS with it in is 2.249.1
Tested with bootstrap api plugin, no upper bounds issues