The reason for this PR is to allow for Dependabot scanning on JVM repositories that use Bazel. Dependabot is used to scan repositories for vulnerable dependencies. However, the tool only checks dependencies listed in pom.xml files.
An initial design was to add this functionality as its own command. Since the Generate command already parses the dependencies.yaml and resolves versions for transitive dependencies, the Generate command was extended. When a pomFile option is passed to Generate, a pom.xml file will be created alongside bazel targets.
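To make the design concrete, here is an added example (not code from this PR or from the project) of what a pomFile-style output step does: it takes the dependency set that Generate has already resolved and emits a pom.xml whose dependency coordinates Dependabot can read. The nested mapping below is a constructed, simplified stand-in for a parsed dependencies.yaml; the exact schema, the Scala binary-version suffix rule and the placeholder project coordinates are assumptions, not taken from the page.

```python
"""Added example: emit a Dependabot-readable pom.xml from resolved dependencies.

Not part of the PR. The input shape mirrors a parsed dependencies.yaml only
loosely (group -> artifact -> metadata); treat it as an assumption.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample: what Generate would hold after resolving versions.
# Versions are literal strings on purpose; a scanner cannot follow ${property}
# indirection reliably, so the generated pom should always pin them.
RESOLVED_DEPS = {
    "com.google.guava": {"guava": {"lang": "java", "version": "30.1-jre"}},
    "org.typelevel": {"cats-core": {"lang": "scala", "version": "2.3.0"}},
    "com.fasterxml.jackson.core": {
        "jackson-databind": {"lang": "java", "version": "2.9.8"}
    },
}

SCALA_BINARY_VERSION = "2.12"  # assumption: suffix Maven Central uses for scala artifacts


def flatten(deps, scala_binary=SCALA_BINARY_VERSION):
    """Turn the nested mapping into sorted (groupId, artifactId, version) tuples.

    Scala artifacts get the binary-version suffix their published Maven
    coordinates carry (cats-core -> cats-core_2.12); without it the scanner
    would look up an artifact that does not exist.
    """
    out = []
    for group, artifacts in sorted(deps.items()):
        for artifact, meta in sorted(artifacts.items()):
            artifact_id = artifact
            if meta.get("lang") == "scala":
                artifact_id = f"{artifact}_{scala_binary}"
            out.append((group, artifact_id, meta["version"]))
    return out


def build_pom(deps, group_id="example.placeholder", artifact_id="generated-deps"):
    """Build a minimal packaging=pom project listing every resolved dependency."""
    root = ET.Element("project", xmlns=POM_NS)
    ET.SubElement(root, "modelVersion").text = "4.0.0"
    ET.SubElement(root, "groupId").text = group_id        # placeholder coordinates
    ET.SubElement(root, "artifactId").text = artifact_id  # placeholder coordinates
    ET.SubElement(root, "version").text = "0.0.1"
    ET.SubElement(root, "packaging").text = "pom"
    deps_el = ET.SubElement(root, "dependencies")
    for group, artifact, version in flatten(deps):
        dep = ET.SubElement(deps_el, "dependency")
        ET.SubElement(dep, "groupId").text = group
        ET.SubElement(dep, "artifactId").text = artifact
        ET.SubElement(dep, "version").text = version
    return ET.tostring(root, encoding="unicode")


def pom_coordinates(pom_xml):
    """Parse the pom back and return the g:a:v strings a scanner would see.

    Round-tripping is the cheapest check that nothing was dropped or left
    unpinned during generation.
    """
    ns = {"m": POM_NS}
    root = ET.fromstring(pom_xml)
    coords = []
    for dep in root.findall("m:dependencies/m:dependency", ns):
        g = dep.find("m:groupId", ns).text
        a = dep.find("m:artifactId", ns).text
        v = dep.find("m:version", ns).text
        coords.append(f"{g}:{a}:{v}")
    return coords


if __name__ == "__main__":
    pom = build_pom(RESOLVED_DEPS)
    print(pom)
    print(pom_coordinates(pom))
```

The round-trip in pom_coordinates is the check worth keeping in a real implementation: every coordinate that Bazel builds against should appear once, fully pinned, in the generated file, otherwise the scan silently covers less than the build.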