Dependency Tracker Maven Plugin

A Maven plugin that tracks a project's direct dependencies (transitive dependencies are excluded) and writes them to a file as an artifact in the build directory.

By default, the plugin executes at the compile phase, which is the earliest phase at which it can be configured to run to discover dependencies. For packaging types where the compile phase might not apply, prepare-package or package is usually a good choice; otherwise you will have to determine the appropriate phase yourself.

The generated dependency report artifact can be found in the build directory (target) and has a name ending with -dependencies.txt, i.e. ${project.build.finalName}-dependencies.txt

Each line of the generated artifact file is a key-value pair, separated by an equals sign, for one dependency. The key is of the form groupId:artifactId:type:version, or groupId:artifactId:type:classifier:version for dependencies with a classifier. The value is the SHA-1 hash of the actual dependency file, e.g. a jar file. The entries are always sorted alphabetically by key.

Below is an example of the artifact file's contents for a project with only 3 dependencies:

org.slf4j:slf4j-api:jar:2.0.6=88c40d8b4f33326f19a7d3c0aaf2c7e8721d4953
org.slf4j:slf4j-api:test-jar:tests:2.0.6=88c40d8b4f33326f19a7d3c0aaf2c7e8721d4953
org.slf4j:slf4j-nop:jar:1.0.0-SNAPSHOT=bd0a88459dd8c99bb9d2474965c1aa36c7d66fb

Dependency Report Comparison

The plugin can also compare the dependency report generated by the current build with the most recent one deployed to a remote repository. This repository is the one defined in the dependencyManagement section of the project's POM file. To enable comparison of reports, set the plugin's compare configuration option to true in the POM file.

The result of the comparison is written to a report in the build directory (target) with a name ending in -comparison.txt, i.e. ${project.build.finalName}-comparison.txt. The contents of the comparison file are interpreted as follows: 0 for identical reports, 1 for reports that are not identical, and -1 when no report is found in the remote repository. A result of -1 typically occurs on the first build of the project.
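The report format and the comparison described above, as an added Python example that is not part of the plugin or of this README: it parses two dependency reports and, going beyond the plugin's 0/1/-1 result, lists which entries were added, removed or changed hash. The function names and sample reports are constructed for illustration, and treating non-SNAPSHOT versions as immutable is an assumption of the example.

```python
import re
from typing import NamedTuple
SHA1_RE = re.compile(r"[0-9a-f]{40}")

class ReportDiff(NamedTuple):
    added: list    # keys only in the current report
    removed: list  # keys only in the previous report
    changed: list  # same key, different SHA-1

def parse_report(text):
    """Parse 'key=sha1' lines into a dict, rejecting malformed entries."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        key, sep, digest = line.strip().partition("=")
        parts = key.split(":")
        # Key is groupId:artifactId:type:version, with an optional classifier.
        if not sep or len(parts) not in (4, 5) or not all(parts):
            raise ValueError(f"line {lineno}: bad dependency key {key!r}")
        if not SHA1_RE.fullmatch(digest.lower()):
            raise ValueError(f"line {lineno}: value is not a 40-hex-digit SHA-1")
        entries[key] = digest.lower()
    return entries

def diff_reports(previous, current):
    """Return which dependencies were added, removed or changed hash."""
    old, new = parse_report(previous), parse_report(current)
    return ReportDiff(
        sorted(new.keys() - old.keys()),
        sorted(old.keys() - new.keys()),
        sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    )

def changed_releases(diff):
    """Changed entries whose version is not a SNAPSHOT (assumed immutable)."""
    return [k for k in diff.changed if not k.rsplit(":", 1)[1].endswith("-SNAPSHOT")]

# Constructed sample reports (hashes are placeholders, not real artifacts).
PREVIOUS = "\n".join([
    "com.example:lib-a:jar:1.2.0=" + "a" * 40,
    "com.example:lib-b:jar:2.0.0-SNAPSHOT=" + "b" * 40,
    "com.example:lib-c:test-jar:tests:3.1.0=" + "c" * 40,
])
CURRENT = "\n".join([
    "com.example:lib-a:jar:1.2.0=" + "d" * 40,
    "com.example:lib-b:jar:2.0.0-SNAPSHOT=" + "e" * 40,
    "com.example:lib-d:jar:1.0.0=" + "f" * 40,
])
```

A changed hash under an unchanged release version is the case worth reviewing before accepting a build; a changed SNAPSHOT hash is expected whenever the snapshot is rebuilt.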

ATTENTION!!

It's highly recommended to run your builds with the update-snapshots flag set to true, so that the latest snapshot dependency builds are downloaded and used to generate the dependency report artifact. For builds that run in a 'clean' environment every time, e.g. on a CI server where a new container is used for every build, this might not be necessary.

Usage

In A Maven Project

Add the configuration below to your project POM file:

<plugin>
    <groupId>net.mekomsolutions.maven.plugin</groupId>
    <artifactId>dependency-tracker-maven-plugin</artifactId>
    <version>${pluginVersion}</version>
    <executions>
        <execution>
            <goals>
                <goal>track</goal>
            </goals>
        </execution>
    </executions>
</plugin>

Replace ${pluginVersion} with an actual plugin version, and then build your project.

To compare dependency reports, use the configuration below:

<plugin>
    <groupId>net.mekomsolutions.maven.plugin</groupId>
    <artifactId>dependency-tracker-maven-plugin</artifactId>
    <version>${pluginVersion}</version>
    <configuration>
        <compare>true</compare>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>track</goal>
            </goals>
        </execution>
    </executions>
</plugin>

Command Line

Example command to run from the root of your project:

mvn clean compile net.mekomsolutions.maven.plugin:dependency-tracker-maven-plugin:track -U

Note that we set the -U flag, which forces snapshot updates. You can replace the compile goal with any other appropriate goal depending on your packaging type.