Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build-info-extractor-gradle build-info.json inconsistent when direct and transitive dependencies exist #746

Open
georgenicoll opened this issue Jul 5, 2023 · 0 comments
Open

build-info-extractor-gradle build-info.json inconsistent when direct and transitive dependencies exist #746

georgenicoll opened this issue Jul 5, 2023 · 0 comments
Labels
bug Create a report to help us improve

Comments

@georgenicoll
Copy link

Describe the bug
extractor gradle: requestedBy in modules.dependencies.requestedBy for dependencies that are both direct and transitive is populated with only the first requester according to the ordering of the dependencies in build.gradle. This means that if the transitive dependency is defined first, we miss the direct dependency (and vice-versa, if the direct is defined first then the transitive is missed).

There is specific code in org/jfrog/gradle/plugin/artifactory/extractor/listener/ArtifactoryDependencyResolutionListener.groovy that ignores a resolved dependency if that dependency has been seen before which is the cause of this.

Without the curDependents check, The code is able to handle multiple requestedBy paths so I see 2 possible solutions to this:

  1. remove the check on curDependents == null
  2. if there is already a dependency and the new resolved dependency is for the project/module then replace the existing (so always take the direct dependency, if it is found)

I don't mind attempting to fix this, but wanted your thoughts on the solution. Without any other info, I would go for the first: it records the true state of the dependencies as requestedBy can accept multiple dependency paths.
However, the check looks to be quite deliberate so there may be constraints that I am unaware of that mean requestedBy should be limited to a single path only (a single path would satisfy my use-case if requestedBy always contained the direct dependency when found).

To Reproduce
Compare the generated build-info.json when running against:

apply plugin: 'java'
group 'cut.down.gradle'

sourceCompatibility = 17
targetCompatibility = 17

repositories {
    mavenLocal()
    mavenCentral()
}

dependencies {
    implementation "org.slf4j:slf4j-api:$slf4j_version"
    implementation "org.slf4j:slf4j-simple:$slf4j_version"
}

which gives:

{
      "id" : "org.slf4j:slf4j-api:1.7.36",
      "requestedBy" : [ [ "cut.down.gradle:gradle-jvm-cutdown:unspecified" ] ]
}

vs

apply plugin: 'java'
group 'cut.down.gradle'

sourceCompatibility = 17
targetCompatibility = 17

repositories {
    mavenLocal()
    mavenCentral()
}

dependencies {
    implementation "org.slf4j:slf4j-simple:$slf4j_version"
    implementation "org.slf4j:slf4j-api:$slf4j_version"
}

which gives:

{
      "id" : "org.slf4j:slf4j-api:1.7.36",
      "requestedBy" : [ [ "org.slf4j:slf4j-simple:1.7.36", "cut.down.gradle:gradle-jvm-cutdown:unspecified" ] ]
}

Expected behavior
One of the following:

  1. Both paths to the dependency are represented in the requestedBy lists, OR
  2. The direct dependency path is always shown in requestedBy

Screenshots
N/A

Versions

  • Extractor version: (via build-info-go 1.8.9) 4.31.5
  • Operating system: Ubuntu Linux
  • Artifactory Version: 7.38.10

Additional context
@georgenicoll georgenicoll added the bug Create a report to help us improve label Jul 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Create a report to help us improve
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@georgenicoll