Excluded transitive dependencies of WAR overlays are still scanned #667
Comments
|
Excluding a file from a package doesn't relieve the project dependency, probably you should be using scope on your dependencies or you should be using some other way to exclude dependencies |
|
One way to accomplish what you are looking for is to declare the dependencies as Does that work? |
|
Ah. I'd already tried It does make me think, though, since WAR dependencies will usually be overlays, should they be handled specially? Eg checking for exclusions of this kind in the WAR plugin, or defaulting to ignoring |
|
Grand Admiral Thrawn is a star wars Empire general. He's blue.
… On Feb 24, 2017, at 3:08 AM, ThrawnCA ***@***.***> wrote:
Ah. I'd already tried provided scope, but didn't notice that flag. Yes, it works.
It does make me think, though, since WAR dependencies will usually be overlays, should they be handled specially? Eg checking for exclusions of this kind in the WAR plugin, or defaulting to ignoring them if provided?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
@ThrawnCA I can definitely see the use case for excluding the transitive dependencies of a WAR overlay that are excluded. However, the implementation could be tricky. If I am thinking about this correctly (having never directly worked with WAR overlays) one would need to resolve all dependencies (primary, transitive) of the main project being scanned, build a dependency tree, read the exclusion list from the dependent WAR overlay, and then exclude dependencies that are in the exclusion list that only exist in the dependency-tree where the only parent is from the WAR overlay. One then also needs to consider nested (is this even possible?) or multiple WAR overlays. While I can see the value, this one will be a bit lower on my priority list. |
Yes? I'm pretty sure Github doesn't have a policy requiring real names.
I haven't really looked into how the dependencies are presented to plugins. What you really want is to ignore the fact that an excluded library is a transitive dependency of the WAR, when resolving the dependency tree - but still take notice if the same library was included by a different source. I agree that it seems like it could be tricky.
I...guess it's possible to nest overlays? Although I'm not sure what transitive dependencies would show up in that case. Multiple overlays is probably also possible, but probably a pretty low priority. People can always handle those ridiculous cases manually if they need to. Thanks for responding. |
|
In a war overlay the dependency on the overlay-war(s) is declared implicitly, as part of that declaration any exclusions can be added to dependency node, excluding like done above is just wrong (also because if the resulting war is overlain again it will still have all those deps as a transitive dependency. |
You mean defining exclusions within the WAR overlay? What alternative do you propose? If you don't define the exclusion, but you declare an updated version of the dependency, then the resulting WAR file will have both JARs in it. Not good at all. |
<dependency>
<scope>provided</scope>
<groupId>org.jasig.cas</groupId>
<artifactId>cas-server-webapp</artifactId>
<version>3.5.3</version>
<type>war</type>
<exclusions>
<exclusion>....<exclusion>
</exclusions>
</dependency>
should exclude the dependency from the dependency tree |
|
Nope, the excluded dependencies still show up in the dependency checker report. Probably because they're not being pulled in via the dependency resolution mechanism; they're actually contained in the WAR file that we're overlaying. |
Transitive dependencies of a WAR overlay that are excluded within the WAR plugin are still showing up in the scan, despite not being in the resulting WAR file.
Eg the following POM snippets:
will result in:
The text was updated successfully, but these errors were encountered: