add a BOM to our generated pom.xml files

[elharo]

@chanseokoh fix #2923 for Maven projects

[briandealwis]

googleCloudJavaBomVersion?

[briandealwis]

This would be simplified using XPath as in PomXmlValidator?

[briandealwis]

I think it's worth pulling these artifact constants (including the BOM artifact too) out into explicit constants rather than have them scattered in the code.

[elharo]

Makes sense. Can you file an issue for that?

[briandealwis]

#2958

[codecov]

Codecov Report

Merging #2956 into master will decrease coverage by 0.01%.
The diff coverage is 74.71%.

@@             Coverage Diff              @@
##             master    #2956      +/-   ##
============================================
- Coverage      69.2%   69.18%   -0.02%     
- Complexity     2648     2657       +9     
============================================
  Files           356      358       +2     
  Lines         12428    12482      +54     
  Branches       1474     1483       +9     
============================================
+ Hits           8601     8636      +35     
- Misses         3220     3233      +13     
- Partials        607      613       +6

Impacted Files	Coverage Δ	Complexity Δ
...oogle/cloud/tools/eclipse/util/CloudToolsInfo.java	85.71% <ø> (ø)	7 <0> (ø)	⬇️
...d/tools/eclipse/appengine/libraries/BuildPath.java	71.79% <0%> (ø)	22 <0> (ø)	⬇️
...ls/eclipse/appengine/newproject/CodeTemplates.java	93.26% <100%> (+0.13%)	21 <1> (ø)	⬇️
...se/appengine/libraries/Maven4NamespaceContext.java	50% <50%> (ø)	2 <2> (?)
...e/cloud/tools/eclipse/appengine/libraries/Bom.java	70% <70%> (ø)	6 <6> (?)
...e/cloud/tools/eclipse/appengine/libraries/Pom.java	86% <79.59%> (-4.16%)	35 <15> (+1)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 86bd279...ac9cb01. Read the comment docs.

[briandealwis]

You can reuse com.google.cloud.tools.eclipse.appengine.validation.MavenContext

[elharo]

I'd forgotten about that class. Looking at it now, it has the same issues this class does. That is, it works only for very limited code and is actively broken for all other uses. Given that, I don't feels safe exposing it as part of the public API. We could look for or build a more correct namespace context that fully satisfies the interface's contract.

[chanseokoh]

Trying to understand the direction of this BOM stuff. So, with a BOM, I believe eventually we will get rid of the <version> element of Cloud libraries we add to pom.xml through the library page, right? Just checking, as this isn't happening in this PR.

[elharo]

With the BOM we can remove explicit versions from the google-cloud-java dependencies. However this may require splitting our library addition code into two: one for google-cloud-java dependencies and one for everything else.

[elharo]

There's a bug where our code is expecting there to be only one dependencies element but gets confused when there's more than one in the document:

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.google.cloud</groupId>
        <artifactId>google-cloud</artifactId>
        <version>0.40.0-alpha</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    <dependency>
<groupId>com.google.endpoints</groupId>
<artifactId>endpoints-framework</artifactId>
<version>2.0.13</version>
</dependency>
<dependency>
<groupId>com.googlecode.objectify</groupId>
<artifactId>objectify</artifactId>
<version>5.1.22</version>
</dependency>
</dependencies>
  </dependencyManagement>

I'm surprised tests didn't catch this.

[elharo]

FYI, this PR now fixes bugs that occur when adding libraries to any existing pom.xml files that have a dependencyManagement element.
It's not only about adding bom support.

[elharo]

Ping. This is now ready for review.

[chanseokoh]

No period after "LLC".

[elharo]

done

[chanseokoh]

Should end with "LLC" with no period.

[elharo]

done

[chanseokoh]

Is this dependencyManager or dependencyManagement? (I'm confused.)

[elharo]

management, done

[chanseokoh]

Is this dependencyManager or dependencyManagement? (I'm confused.)

[elharo]

dependencyManagement

[chanseokoh]

Remove?

[elharo]

done

[chanseokoh]

How about artifactIds?

[chanseokoh]

This doesn't seem it will happen. RuntimeException?

[elharo]

since we can return a status here, that's safer. But your'e right, it shouldn't happen.

[chanseokoh]

Let's say users include another 3rd-party BOM in addition to ours. I guess this code may not work, since it could return the group ID and artifact ID of the other 3rd-party POM?

[elharo]

Good point. Let me think about that.
FYI, right now in prod the code is broken with any dependencyManagement section including ours.

[chanseokoh]

To confirm: so we simply assume here our Cloud BOM includes all the libraries that appengine-plugins-core returns, and a future work is to read the actual content of the BOM?

[elharo]

yes

[briandealwis]

No All Rights Reserved, right?

[elharo]

right

[briandealwis]

I think it's worth keeping asserting length == 2

[elharo]

done

[briandealwis]

Remove the introduced space

[elharo]

Google style is officially not to worry about trailing whitespace

[briandealwis]

Do you think it's worth a comment here saying item 0 is from the <dependencyManagement> section? (Or would it be clearer to rewrite this section using XPath too to ensure the depMgmt section is never seen?)

[elharo]

added comment

[briandealwis]

Class comment? This class might be better named to indicate that it's specific to the Google Cloud BOM. (Need to remember that users may use other BOMs, like the Spring BOM, and the bom project defines BOMs for all sorts of projects.)

[elharo]

I expect it's going to become more generic. For now it's package private.

[briandealwis]

Is there a reason for the FQCN?

[chanseokoh]

We have a same-name class, so I think it's good to signify that this is from appengine-plugins-core.

[briandealwis]

Wouldn't you want to get with type=pom and scope=import?

[elharo]

not necessary

[briandealwis]

Worth checking that there is a single <dependencies> element?

[elharo]

No, we're not. We're getting the first top-level dependencies element.

[chanseokoh]

Things seem to work fine. Only one minor problem:

"Duplicating managed version 4.12 for junit" in pom.xml. BOM seems to pull in the JUnit version too. Removing the <version> element clears the warning. Not sure why the BOM exposes a test dependency version. Will there be a way to exclude it?

[elharo]

The ultimate fix to the JUnit warning is to expand the dependency checking code to actually query the BOM. For now, though, it's just a low priority warning with no actual effect on the user's code.

[patflynn]

I don't see junit in the https://github.com/GoogleCloudPlatform/google-cloud-java/blob/master/google-cloud-bom/pom.xml (and wouldn't expect it there)

…

On Fri, Mar 23, 2018 at 6:53 PM Elliotte Rusty Harold < ***@***.***> wrote: Merged #2956 <#2956>. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#2956 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AHf5HfYDXItT0d7qn2Wm87IraCiSVoR0ks5thXzvgaJpZM4SypUT> .

[elharo]

The BOM pulls in transitive dependencies, not just the immediate declarations. It's a lot broader and deeper than it looks.

[chanseokoh]

Yeah, it pulls in guava too. The <version> element is not needed when importing the BOM.

[patflynn]

Did you guys trace which dep is pulling in junit? We should file a bug.

…

On Mon, Mar 26, 2018 at 10:41 AM Chanseok Oh ***@***.***> wrote: Yeah, it pulls in guava too. The <version> element is not needed when importing the BOM. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#2956 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AHf5Hdb6856jS5uLgNLmRQHelrgocZE4ks5tiP4mgaJpZM4SypUT> .

[briandealwis]

Aha. This should be google-cloud-bom.

[chanseokoh]

Did you guys trace which dep is pulling in junit? We should file a bug.

@patflynn turns out we were not pulling in a BOM.