Maven Enforcer Plugin
MENFORCER-432

requireUpperBoundDeps support for checking dependencyManagement


Details

    Description

      For projects which are either used as parent by other projects, or which are used as Bill of Materials (BOM) and which declare dependencies in the dependencyManagement it would be useful if requireUpperBoundDeps was able to check the dependencies in the dependencyManagement. This would allow verifying that the versions of these managed dependencies are correct and do not cause any issues for consuming projects.

      Currently requireUpperBoundDeps seems to only check regular dependencies; this prevents it from being used directly on the parent / BOM project and instead requires applying it to all consuming projects.
      It would be quite useful to detect conflicting dependency versions directly in the parent / BOM project.

      Maybe a separate option for this (e.g. checkDependencyManagement) would be useful to allow enabling / disabling this check.

      It appears maven-dependency-tree already determines those managed dependencies in DefaultDependencyCollectorBuilder (or Maven31DependencyCollectorBuilder in older versions), but does not expose this information.

      Example

      pom.xml
      <project>
          <modelVersion>4.0.0</modelVersion>
      
          <groupId>com.example</groupId>
          <artifactId>my-bom</artifactId>
          <version>1</version>
          <packaging>pom</packaging>
      
          <dependencyManagement>
              <!-- Example from https://maven.apache.org/enforcer/enforcer-rules/requireUpperBoundDeps.html -->
              <dependencies>
                  <dependency>
                      <groupId>org.slf4j</groupId>
                      <artifactId>slf4j-api</artifactId>
                      <version>1.4.0</version>
                  </dependency>
                  <dependency>
                      <groupId>ch.qos.logback</groupId>
                      <artifactId>logback-classic</artifactId>
                      <version>0.9.9</version>
                      <!-- Depends on org.slf4j:slf4j-api:1.5.0 -->
                  </dependency>
              </dependencies>
          </dependencyManagement>
      
          <build>
              <plugins>
                  <plugin>
                      <groupId>org.apache.maven.plugins</groupId>
                      <artifactId>maven-enforcer-plugin</artifactId>
                      <version>3.2.1</version>
                      <executions>
                          <execution>
                              <id>enforce</id>
                              <configuration>
                                  <rules>
                                      <requireUpperBoundDeps>
                                      </requireUpperBoundDeps>
                                  </rules>
                              </configuration>
                              <goals>
                                  <goal>enforce</goal>
                              </goals>
                          </execution>
                      </executions>
                  </plugin>
              </plugins>
          </build>
      </project>
      

      Running mvn validate passes. Only when the dependencyManagement entries are changed to regular dependencies does Maven Enforcer detect the rule violation.
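To make the requested check concrete, the following Python script is an added illustration and is not code from the Maven Enforcer Plugin or maven-dependency-tree. It parses the BOM above, reads the managed dependencies, and applies the requireUpperBoundDeps idea to them: a managed version must be at least as high as any version of the same artifact that another managed dependency requires transitively. Since the script runs offline, the transitive graph is a constructed stand-in for what Maven would resolve from the artifacts' own POMs (the slf4j-api 1.5.0 requirement of logback-classic 0.9.9 is taken from the comment in the example; logback-core is an assumed extra edge), and the version comparison is a simplified numeric one rather than Maven's ComparableVersion.

```python
"""Upper-bound check over <dependencyManagement> (added illustration, not
Maven Enforcer code). A managed version that is lower than a version reached
transitively from another managed dependency is reported as a violation."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed copy of the BOM from the issue (only the relevant parts).
BOM_POM = """<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>my-bom</artifactId>
  <version>1</version>
  <packaging>pom</packaging>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>1.4.0</version>
      </dependency>
      <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-classic</artifactId>
        <version>0.9.9</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

# Constructed stand-in for the resolved dependency graph: for each
# (groupId:artifactId, version) node, the dependencies it declares. Real Maven
# reads these from the artifacts' POMs; the logback-core edge is an assumption.
TRANSITIVE: Dict[Tuple[str, str], List[Tuple[str, str]]] = {
    ("ch.qos.logback:logback-classic", "0.9.9"): [
        ("ch.qos.logback:logback-core", "0.9.9"),
        ("org.slf4j:slf4j-api", "1.5.0"),
    ],
    ("ch.qos.logback:logback-core", "0.9.9"): [],
    ("org.slf4j:slf4j-api", "1.4.0"): [],
    ("org.slf4j:slf4j-api", "1.5.0"): [],
}


def version_key(version: str) -> Tuple[int, ...]:
    """Simplified ordering: numeric dot-separated parts, qualifier dropped.
    Maven's ComparableVersion is richer (assumption for this illustration)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("-")[0].split("."))


def _local(tag: str) -> str:
    # Strip a namespace prefix such as {http://maven.apache.org/POM/4.0.0}
    return tag.rsplit("}", 1)[-1]


def _children(element: ET.Element, name: str) -> List[ET.Element]:
    return [child for child in element if _local(child.tag) == name]


def _text(element: ET.Element, name: str) -> str:
    found = _children(element, name)
    return found[0].text.strip() if found and found[0].text else ""


def managed_dependencies(pom_xml: str) -> Dict[str, str]:
    """Map groupId:artifactId -> version for every <dependencyManagement> entry."""
    root = ET.fromstring(pom_xml)
    managed: Dict[str, str] = {}
    for dm in _children(root, "dependencyManagement"):
        for deps in _children(dm, "dependencies"):
            for dep in _children(deps, "dependency"):
                ga = f"{_text(dep, 'groupId')}:{_text(dep, 'artifactId')}"
                managed[ga] = _text(dep, "version")
    return managed


def find_upper_bound_violations(managed: Dict[str, str],
                                graph: Dict[Tuple[str, str], List[Tuple[str, str]]]
                                ) -> List[Tuple[str, str, str, str]]:
    """Walk the graph from each managed dependency; report every managed artifact
    whose pinned version is lower than a version required along the walk.
    Returns (artifact, managed_version, required_version, path)."""
    violations = []
    for ga, version in managed.items():
        stack = [((ga, version), [f"{ga}:{version}"])]
        seen = set()
        while stack:
            node, path = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            for child_ga, child_version in graph.get(node, []):
                child_path = path + [f"{child_ga}:{child_version}"]
                pinned = managed.get(child_ga)
                if pinned is not None and version_key(pinned) < version_key(child_version):
                    violations.append((child_ga, pinned, child_version, " -> ".join(child_path)))
                stack.append(((child_ga, child_version), child_path))
    return violations


if __name__ == "__main__":
    for artifact, pinned, required, path in find_upper_bound_violations(
            managed_dependencies(BOM_POM), TRANSITIVE):
        print(f"{artifact}: managed {pinned} < required {required} via {path}")
```

Run against the issue's BOM this reports slf4j-api pinned at 1.4.0 while logback-classic 0.9.9 requires 1.5.0, which is exactly the violation that requireUpperBoundDeps only surfaces today once the entries become regular dependencies; raising the managed slf4j-api version to 1.5.0 makes the report empty.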

      People

        Assignee: Unassigned
        Reporter: Marcono1234
        Votes: 0
        Watchers: 2