[BUILD-818] Store suppressions on S3 to avoid frequent releases of poms
Created: 31/May/22  Updated: 07/Jun/22  Resolved: 07/Jun/22

Status: Closed
Project: Build
Component/s: None
Affects Version/s: None
Fix Version/s: POMs 47

Type: Task
Priority: Neutral
Reporter: Maxime Michel
Assignee: Maxime Michel
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Epic Link: Release automation

Description

Although poms currently have a release process that's different from that of the other modules, they are a dependency that often prevents us from staging a full release on any given day. If any module depends on the newer poms SNAPSHOT and it's not been manually released, we are blocked.

We should therefore adapt poms so the project adopts the same release process as the other modules.

I guess that, as long as all modules in the reactor have the same version, one could release the whole thing, regardless of which modules have actual changes.
However, atm, build-resources, maven-bundle-assemblies, maven-plugins, maven-site-skin and poms all have different versions.

Implementation suggestion #1

  • keep the same structure but use Groovy linters to make sure submodule versions are appropriate
    • prompting somebody making a change to one of them to update the version accordingly
      • and also cut a release?
  • when performing, release the parent exclusively (is that even doable?)
  • discard Wiki release notes and let people browse the CHANGELOG?

Implementation suggestion #2

Implementation suggestion #3

<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>7.1.0</version>
  <configuration>
    <!-- shared suppressions fetched from a URL, plus the project's local file -->
    <suppressionFiles>
      <suppressionFile>http://example.org/suppression.xml</suppressionFile>
      <suppressionFile>project-suppression.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
</plugin>

https://jeremylong.github.io/DependencyCheck/dependency-check-maven/

