bazeltools / bazel-deps

Generate bazel dependencies for maven artifacts
MIT License

Update Generate command with optional param to create a pom xml file #308

Closed leanne-stripe closed 2 years ago

leanne-stripe commented 2 years ago

The reason for this PR is to allow for Dependabot scanning on JVM repositories that use Bazel. Dependabot is used to scan repositories for vulnerable dependencies. However, the tool only checks dependencies listed in pom.xml files.

An initial design was to add this functionality as its own command. Since the Generate command already parses the dependencies.yaml and resolves versions for transitive dependencies, the Generate command was extended. When a pomFile option is passed to Generate, a pom.xml file will be created alongside bazel targets.

Example

bazel run //:parse -- generate -r `pwd` -s 3rdparty/workspace.bzl -d dependencies.yaml --pom-file "$PWD"/pom.xml

leanne-stripe commented 2 years ago

Thank you! ✋