Possibly conflicting information regarding gradle subprojects #388

Open
mgroth0 opened this issue Apr 8, 2024 · 6 comments

mgroth0 commented Apr 8, 2024

I am using this for the very first time, and I have been reading through the documentation. While reading, I found some seemingly contradictory information.

In the Analyze Task Configuration Docs it says that there is a scanProjects property for this plugin with this description:

> A list of projects that will be scanned, all other projects are skipped. The list or projects to skip must include a preceding colon: scanProjects = [':app']. This is mutually exclusive with the skipProjects property.

And the default value described in the docs is:

> [] which implicitly means all projects get scanned.

Then, moving to the README FAQ for this repository, we see "What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?":

> Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below:

Here is the contradiction. Let's say I ask the question, "does this plugin by default scan all projects, or just the project it is applied on"?

If I only read the docs, I might assume it scans all projects. The basic example both in the docs and the readme only show this plugin being applied to one project. And if I saw that, and then I saw that there was a scanProjects property in which the default value is described as meaning "all projects get scanned".

But if I only read the README, I would assume the opposite. The README implies that if we want all projects to be scanned, we have to apply this plugin to each project.

@jeremylong
Collaborator

The plugin will scan only the projects it is applied to. If you apply it to the root it will scan everything - but each project will get its own report unless you use the aggregate task

@jeremylong
Collaborator

There is no contradiction. You can apply the plugin to an entire multi-project build and only scan a specific project by specifying scanProjects

@jeremylong
Collaborator

Or you can only apply the plugin to a specific build. Multiple ways to achieve the same goal.


guai commented Apr 24, 2024

this line in the docs is totally misleading "scanProjects - A list of projects that will be scanned, all other projects are skipped. The list or projects to skip must include a preceding colon: scanProjects = [':app']. This is mutually exclusive with the skipProjects property."
and in reality this is a filter, what projects to include from the list of subprojects
killed half-a-day on it, then looked into sources


mgroth0 commented May 5, 2024

Thank you for clarifying, @jeremylong

> The plugin will scan only the projects it is applied to. If you apply it to the root it will scan everything

I think this breaks idiomatic Gradle norms and is not future-proof. Gradle plugins applied to the root do not typically have a direct effect on subprojects. Also, the newest Gradle versions are moving towards project isolation, which means that no projects (including the root project) should be configuring other projects like this. Sharing build logic between projects is meant to be done through plugins.

So I think there are two issues

  1. The documentation can be more clear. I can offer a documentation PR addressing where I was confused if that is helpful. I would just add a couple of sentences providing the answers you did here.
  2. Remove the ability for the root project to configure sub projects; this is needed for compatibility with project isolation in future gradle versions. Shall I create a new issue for this?

@jeremylong
Collaborator

> Sharing build logic between projects is meant to be done through plugins.

Do you mean conventions?

Also - if you don't mind I would love a PR to update the documentation.
