[BUILD-166] Use SupplementalModel mechanism to correct information in third-party dependency POMs
Created: 20/Oct/14  Updated: 13/Apr/17  Resolved: 30/Oct/14

Status: Closed
Project: Build
Component/s: None
Affects Version/s: None
Fix Version/s: Build Resources 1.6, POMs 30

Type: Improvement Priority: Neutral
Reporter: Zak Greant Assignee: Magnolia International
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: XML File sample-supplemental-data-models.xml     XML File supplemental-models.xml    
Issue Links:
Relates
relates to BUILD-217 Update SupplementalModel and informat... Closed
dependency
is depended upon by BUILD-185 Update site plugin to use supplementa... Open

 Description   

Many of the POMs for our dependencies contain incorrect information.

This matters because we rely on the information in the POMs to generate reports of what licenses we use. Assembling the same information by hand is a long, tedious process.

While we can't fix the POMs, we can use Maven's supplemental model mechanism (http://maven.apache.org/plugins/maven-remote-resources-plugin/supplemental-models.html) to inject the correct information.

Attached is a sample SupplementalDataModel file. If this works, then Zak will create the remaining entries.



 Comments   
Comment by Magnolia International [ 23/Oct/14 ]

Seems to work!
I had to make a couple of adjustments to the file:

  • <license> tags need to be enclosed within <licenses> (a project can have multiple licenses).
  • The <comments> tag in <license> is plural.
  • Reordered each <project> to have <groupId>, <artifactId> and <version>, in this order (same as for our dependencies, and more readable; these are the "coordinates" of each dependency).

Every single element that we add in supp-models should behave exactly like in a "real" POM file, thus follow this XSD: http://maven.apache.org/xsd/maven-4.0.0.xsd (it's actually validated) - the comments tag that you've been using, documented as "Addendum information pertaining to this license." might thus not be 100% adequate – if you want to use this for documenting our own changes, perhaps a simple <!-- --> would do.

I also suspect the <version> tags would work with ranges, which might make this a little more maintainable in the long term. See http://docs.codehaus.org/display/MAVEN/Dependency+Mediation+and+Conflict+Resolution#DependencyMediationandConflictResolution-DependencyVersionRanges (didn't try, but should be easy to verify).

Attached a "corrected" version of the file, but it's also on git: https://git.magnolia-cms.com/gitweb/?p=build/poms.git;a=blob;f=build-resources/src/main/resources/supplemental-models.xml;;hb=HEAD
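
A small lint for the three adjustments listed in the comment above, added here as an example; it is not part of the issue or of the Magnolia build. The sample entry and its coordinates are constructed, the function names are hypothetical, and the coordinate order is treated as the readability convention the comment describes.

```python
import xml.etree.ElementTree as ET

# Constructed sample with made-up coordinates (not the attached file).
SAMPLE = """\
<supplementalDataModels>
  <supplement>
    <project>
      <artifactId>example-lib</artifactId>
      <groupId>org.example</groupId>
      <version>1.0</version>
      <license>
        <name>Apache License, Version 2.0</name>
        <comment>Upstream POM declares no license</comment>
      </license>
    </project>
  </supplement>
</supplementalDataModels>
"""

COORDS = ["groupId", "artifactId", "version"]

def local(tag):
    """Drop a namespace prefix such as '{uri}project'."""
    return tag.rsplit("}", 1)[-1]

def lint_supplemental_models(xml_text):
    """Return (project, problem) pairs for the three adjustments listed above."""
    findings = []
    # ElementTree is fine for a file we maintain; use defusedxml for untrusted XML.
    root = ET.fromstring(xml_text)
    for project in (e for e in root.iter() if local(e.tag) == "project"):
        children = [local(c.tag) for c in project]
        text = {local(c.tag): (c.text or "").strip() for c in project}
        label = "{}:{}".format(text.get("groupId", "?"), text.get("artifactId", "?"))
        if "license" in children:
            findings.append((label, "<license> must be nested in <licenses>"))
        if [t for t in children if t in COORDS] != [t for t in COORDS if t in children]:
            findings.append((label, "coordinates not in groupId, artifactId, version order"))
        for lic in (e for e in project.iter() if local(e.tag) == "license"):
            if any(local(c.tag) == "comment" for c in lic):
                findings.append((label, "<comment> should be <comments>"))
    return findings

if __name__ == "__main__":
    for label, problem in lint_supplemental_models(SAMPLE):
        print(label, "-", problem)
```

Run against the constructed sample, it reports all three problems for org.example:example-lib; an entry written the corrected way produces no findings.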

Comment by Zak Greant [ 23/Oct/14 ]

Yeehaw! I'll make the changes.

As for the comments tag, I thought that came from the schema – but I must be mistaken. Ideally, I'd like a report-visible way to show extra information about the license. I'll do some reading when I get a moment.

Comment by Magnolia International [ 24/Oct/14 ]

Yes, the <comments> tag is in the schema, but in plural form. If you want this addition to be visible then, yeah, we could use it (and eventually display that in the .txt file too) - keep in mind there might be existing comments in those POMs we're overriding too (it seems to be used in a couple of projects, for stuff like "A business-friendly OSS license" or "Mockrunner is released under the terms of an Apache style license, i.e. it's free for commercial and non-commercial use. The release comes with complete source code.").

Comment by Magnolia International [ 27/Oct/14 ]

Just checked and this is currently not used by site reports; see BUILD-185 for followup.

Comment by Magnolia International [ 30/Oct/14 ]

Added a first round of overrides, generated via SYS-659.

Generated at Sun Feb 11 23:39:24 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.