SpineEventEngine / config

Dependencies and build configurations shared among subprojects
https://spine.io
Apache License 2.0

Improve the content of `dependencies.md`, tell others about our license #513

Closed armiol closed 1 month ago

armiol commented 1 month ago

This changeset addresses the issues recently discovered in relation to our own artifacts, and to the list of dependencies we compose.

dependencies.md

Previously, when composing a list of third-party dependencies (a.k.a. dependencies.md), we were filtering out Spine artifacts—since we aren't a third party to ourselves. However, as time went by, more artifacts were introduced, and this changeset filters them out by their group IDs as well.

It was also found that dependencies.md contained a list of artifact versions, some of which were NOT used in real life, because someone could be forcing another version instead. Our previous utilities ignored that fact, which also caused false-alarm reports on using several versions of the same dependency.

This changeset addresses the issue by taking the forced versions into account.

pom.xml and our license

We generate pom.xml for each Maven artifact we publish. However, previously we were not mentioning the software license under which Spine is distributed. Now, we explicitly include this content in pom.xml:

```xml
...
  <licenses>
    <license>
      <name>The Apache Software License, Version 2.0</name>
      <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
    </license>
  </licenses>
...
```

MANIFEST.mf and our license, again

Similarly to pom.xml, starting now the MANIFEST.mf files also bring the mention of the license under which a particular JAR is distributed. Previously, there was no such content. Here is an example:

Excerpt from MANIFEST.mf:

```
Manifest-Version: 1.0
...
Implementation-Title: io.spine.protodata:protodata-cli
Implementation-Version: 0.24.0
Implementation-Vendor: TeamDev
Bundle-License: http://www.apache.org/licenses/LICENSE-2.0.txt
```

⚠️ Not all Spine artifacts customise writing of their MANIFEST.mf. So the changes made apply only to those Gradle modules that apply our write-manifest plugin script.

The measures taken will now allow third-party license detectors, such as the Gradle-License-Report plugin, to fetch the license for Spine artifacts.

Version updates

Lastly, the Gradle-License-Report plugin was updated to 2.7, its latest release. It is already noted that they have improved the license detection for some third-party dependencies, so we expect fewer "license unknown" entries in our dependency reports.
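The three build-time changes the description covers (excluding our own group IDs from the third-party list, reporting the version that actually resolves rather than the one declared, and stamping the license into pom.xml and MANIFEST.mf), shown together as an added Gradle Kotlin DSL illustration. This is not code from SpineEventEngine/config and not how its write-manifest plugin script is implemented; the `ownGroups` set, the Guava coordinates, the version strings and the task name `thirdPartyDeps` are constructed for the example.

```kotlin
// Hypothetical build.gradle.kts fragment (added illustration, not the project's own code).
plugins {
    `java-library`
    `maven-publish`
}

group = "io.spine.example"      // constructed sample coordinates
version = "0.0.1-SNAPSHOT"

// Group IDs treated as "ours" and therefore left out of the third-party list (assumed values).
val ownGroups = setOf("io.spine", "io.spine.tools", "io.spine.protodata")

// A forced version overrides whatever is declared; a report built from declarations alone
// would list 31.1-jre while the shipped classpath actually carries 32.1.3-jre.
configurations.all {
    resolutionStrategy.force("com.google.guava:guava:32.1.3-jre")
}

dependencies {
    implementation("com.google.guava:guava:31.1-jre") // declared, but not what resolves
}

// Lists third-party modules from the *resolved* runtime classpath, so the report cannot
// disagree with the JARs that end up in the build and cannot raise a false "two versions
// of the same dependency" alarm for a version that was forced away.
tasks.register("thirdPartyDeps") {
    doLast {
        configurations.getByName("runtimeClasspath")
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group !in ownGroups }
            .distinct()
            .sortedBy { "${it.group}:${it.name}" }
            .forEach { println("${it.group}:${it.name}:${it.version}") }
    }
}

// License metadata in the published POM, so license scanners see it without heuristics.
publishing {
    publications {
        create<MavenPublication>("maven") {
            from(components["java"])
            pom {
                licenses {
                    license {
                        name.set("The Apache Software License, Version 2.0")
                        url.set("https://www.apache.org/licenses/LICENSE-2.0.txt")
                    }
                }
            }
        }
    }
}

// The same license, plus identity attributes, in the JAR manifest.
tasks.jar {
    manifest {
        attributes(
            "Implementation-Title" to "${project.group}:${project.name}",
            "Implementation-Version" to project.version,
            "Implementation-Vendor" to "TeamDev",
            "Bundle-License" to "http://www.apache.org/licenses/LICENSE-2.0.txt"
        )
    }
}
```

Running `gradle thirdPartyDeps` prints `com.google.guava:guava:32.1.3-jre`, the forced version, and nothing from the `ownGroups` set; `gradle generatePomFileForMavenPublication` and `gradle jar` produce a POM and a MANIFEST.MF with the license fields a detector such as Gradle-License-Report can read. Reading versions from `resolvedConfiguration` rather than from declared dependencies is the defensive choice here: a supply-chain inventory is only useful if it names the bytes that actually ship.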

armiol commented 1 month ago

@alexander-yevsyukov PTAL.