| @Produces(MediaType.APPLICATION_JSON) | ||
| public Response analyzeDependencyTreeFromArtifactDependenciesMaven(@ApiParam("projectDependencies") List<ArtifactDependency> projectDependencies) | ||
| { | ||
| return handleResponse(GET_PROJECT_DEPENDENCY_TREE, () -> this.projectApi.getProjectDependencyReportMaven(projectDependencies)); |
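Review bot: projectDependencies goes straight from the request into this.projectApi.getProjectDependencyReportMaven(...) on the return line, with no null, empty-list or size check visible in this method. Because the list drives a dependency report, reject null or empty input and cap the list length before calling the API, returning a 400 for anything outside the limit.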
| return handleResponse(GET_PROJECT_DEPENDENCY_TREE, () -> this.projectApi.getProjectDependencyReportMaven(projectDependencies)); | |
| return handleResponse(GET_PROJECT_DEPENDENCY_TREE_FROM_MAVEN, () -> this.projectApi.getProjectDependencyReportMaven(projectDependencies)); |
|
|
||
| @POST | ||
| @Path("/projects/analyzeDependencyTreeFromArtifactDependenciesMaven") | ||
| @ApiOperation(GET_PROJECT_DEPENDENCY_TREE) |
| @ApiOperation(GET_PROJECT_DEPENDENCY_TREE) | |
| @ApiOperation(GET_PROJECT_DEPENDENCY_TREE_FROM_MAVEN) |
Also, can we probably point the old API to using this?
| } | ||
|
|
||
| @Override | ||
| public Set<ProjectVersion> getDependenciesMaven(List<ArtifactDependency> artifactDependencies, boolean transitive) |
few pieces missing here:
- we calculate transitive dependencies for projects when we store a project in metadata, we need to use the same resolution to store those pieces as well
- this should probably not be in project services (look into DependencyUtils)
| @Path("/projects/dependenciesFromArtifactDependenciesMaven") | ||
| @ApiOperation(GET_VERSIONS_DEPENDENCY_ENTITIES_MAVEN) | ||
| @Produces(MediaType.APPLICATION_JSON) | ||
| public Response getAllEntitiesFromArtifactDependenciesMaven(@ApiParam("projectDependencies") List<ArtifactDependency> projectDependencies, |
Maybe don't need another API for this, we could get the existing API to point to using this resolution
| RepositorySystem system = newRepositorySystem(); | ||
| DefaultRepositorySystemSession session = newSession(system); | ||
|
|
||
| InMemoryArtifactDescriptorReader reader = new InMemoryArtifactDescriptorReader(this); |
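Review bot: new InMemoryArtifactDescriptorReader(this) on the last line hands the whole service object to the reader, and nothing here says which of its methods the reader relies on. Pass a narrower interface, or add a comment naming the calls it needs, so the reader can be tested and reused without the full service.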
Comment by GitHub Copilot:
This looks like there's a potential bug here. In both getDependenciesMaven() and getProjectDependencyReportMaven() methods, you're creating two separate instances of InMemoryArtifactDescriptorReader:
- First instance - Created inside newRepositorySystem() at line ~205 and registered with the locator
- Second instance - Created at line ~381 (in getDependenciesMaven()) where exclusions are actually set via reader.setExclusions()
The Problem: Maven's resolver uses the first reader instance (which has no exclusions), while the second reader (which has the exclusions) is never used by the resolver.
Result: Dependency exclusions will be silently ignored.
Suggested Fix: Either:
- Pass artifactDependencies to newRepositorySystem() so it can set exclusions on its reader instance before returning, OR
- Create the reader once before calling newRepositorySystem() and reuse the same instance
The same issue exists in getProjectDependencyReportMaven() at line ~495.
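The wiring problem described in the comment above, reduced to stand-in classes as an added example (not code from this PR or from Maven Resolver; Reader, Resolver and the org.example coordinates are hypothetical). It shows exclusions being dropped when they are set on a reader the resolver never received, and the shared-instance fix:

```java
import java.util.*;

// Stand-in types (hypothetical): they mimic only the wiring discussed in the
// review comment, not the Maven resolver API or the project's classes.
public class ExclusionWiringDemo {
    // Plays the role of the descriptor reader that carries per-request exclusions.
    static class Reader {
        private Set<String> exclusions = Set.of();
        void setExclusions(Set<String> e) { exclusions = Set.copyOf(e); }
        List<String> read(List<String> declared) {
            List<String> kept = new ArrayList<>(declared);
            kept.removeIf(exclusions::contains);
            return kept;
        }
    }

    // Plays the role of the repository system: it only uses the reader it was built with.
    static class Resolver {
        private final Reader registered;
        Resolver(Reader registered) { this.registered = registered; }
        List<String> resolve(List<String> declared) { return registered.read(declared); }
    }

    // Constructed sample coordinates.
    static final List<String> DECLARED = List.of("org.example:core", "org.example:legacy-logging");
    static final Set<String> EXCLUDED = Set.of("org.example:legacy-logging");

    // Pattern flagged in the comment: the factory registers one reader, the caller configures another.
    static List<String> resolveWithSecondReader() {
        Resolver system = new Resolver(new Reader()); // instance 1: registered, no exclusions
        Reader reader = new Reader();                 // instance 2: never registered
        reader.setExclusions(EXCLUDED);
        return system.resolve(DECLARED);
    }

    // Second suggested fix: create the reader once and register that same instance.
    static List<String> resolveWithSharedReader() {
        Reader reader = new Reader();
        reader.setExclusions(EXCLUDED);
        return new Resolver(reader).resolve(DECLARED);
    }

    public static void main(String[] args) {
        System.out.println("second reader: " + resolveWithSecondReader());
        System.out.println("shared reader: " + resolveWithSharedReader());
        // A regression test should fail when an excluded coordinate is still resolved.
        if (resolveWithSharedReader().contains("org.example:legacy-logging"))
            throw new AssertionError("exclusion ignored");
    }
}
```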
| @@ -325,6 +490,111 @@ public ProjectDependencyReport getProjectDependencyReportFromProjectVersionList( | |||
| return getProjectDependencyReport(artifactDependencies); | |||
| } | |||
|
|
|||
Also, do we need to clean up old code for resolution (which has exclusions)?
Add Maven Endpoints to Shift to Using Maven Repo System in resolving dependencies