cashapp / licensee

Gradle plugin which validates the licenses of your dependency graph match what you expect
https://cashapp.github.io/licensee/docs/1.x/
Apache License 2.0

Disable dependency verification on created configurations #78

Closed sb-software closed 2 years ago

sb-software commented 2 years ago

When using Gradle dependency verification on projects, I believe it is quite common to ignore POM files by setting verify-metadata to false in verification-metadata.xml. This means no POM files get listed in this XML file. However, when running the licensee plugin it adds POM file dependencies which then get included in dependency verification, causing builds to fail verification. Since the plugin is not adding any dependencies for real to the project, I believe it would make sense for it to disable verification on its created, detached configuration as outlined in 1:

```kotlin
val pomCoordinates = with(id) { "$group:$artifact:$version@pom" }
val pomDependency = project.dependencies.create(pomCoordinates)
val detachedConfiguration = project.configurations
    .detachedConfiguration(pomDependency)
// Proposed change: the detached configuration only fetches POMs for license
// inspection, so exclude it from dependency verification.
detachedConfiguration.resolutionStrategy.disableDependencyVerification()
val pomConfiguration = detachedConfiguration.resolvedConfiguration
    .lenientConfiguration
```

JakeWharton commented 2 years ago

Seems logical! Do you want to send a PR? If not, I can make the change.

JakeWharton commented 2 years ago

I tried writing a test for this and I am unable to get it to fail. Can you take a look and see if I'm missing anything?

https://github.com/cashapp/licensee/pull/80

I have disabled metadata verification but doing so means that the task no longer fails despite omitting the API call to disable verification on our configuration.

sb-software commented 2 years ago

Sorry for not responding previously. I gave it a try and I can see that the pom shows up in verification-metadata.xml file if allowing dependency verification. I need to take a closer look at why it doesn't trigger an actual checksum failure though, but I seem to recall it was some special tasks that made us aware of this in the first place.

One option could perhaps be to actually execute the --write-verification-metadata sha256 command in the test and verify that no example-1.0.0.pom shows up?

sb-software commented 2 years ago

Ok, looks like I've narrowed it down now at least, and working on a tweak to the test to replicate. Seems the issue happens when we execute something like:

```shell
./gradlew :licensee :other:compileJava
```

and the root project and 'other' have the same external dependency (I'm currently using androidx.annotation:annotation:1.3.0). In such a case the 'compileJava' task will fail with the verification error unless we disable it on the detached configuration. One strange thing about this is that I can't make it fail when using a local Maven repo dependency, such as ':example' in the suggested test, which makes me think there might be some odd Gradle bug/behavior in play here as well.

The reason we got this in the first place was when running a 'check' task which wants to run both Licensee and Lint, and the latter includes some compilation of homemade lint rules.
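The scenario above, written out as a self-contained Gradle Kotlin DSL build script so the effect of the proposed change can be checked locally. This is an added example, not code from the licensee repository or from either commenter: the task name, the placeholder plugin version, and the `repositories` block are assumptions, and the task only mimics the plugin's POM lookup rather than calling into licensee itself. The dependency and the verification-metadata.xml settings are the ones mentioned in the thread.

```kotlin
// build.gradle.kts (root project) -- constructed reproduction, not the project's own code.
//
// Assumed gradle/verification-metadata.xml (POM metadata deliberately not verified,
// which is the setup the issue describes):
//   <verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
//     <configuration>
//       <verify-metadata>false</verify-metadata>
//       <verify-signatures>false</verify-signatures>
//     </configuration>
//     <components>
//       <!-- jar checksums only; no entry for annotation-1.3.0.pom -->
//     </components>
//   </verification-metadata>

plugins {
    `java-library`
    id("app.cash.licensee") version "<licensee-version>" // placeholder, not a real version
}

repositories {
    google()
    mavenCentral()
}

dependencies {
    // Same external dependency the reporter uses in the root project and in ':other'.
    implementation("androidx.annotation:annotation:1.3.0")
}

licensee {
    allow("Apache-2.0")
}

// Hypothetical task that does what the plugin does internally: resolve the POM of each
// dependency through a detached configuration. With `disableDependencyVerification()`
// the extra "@pom" request is left out of verification; without it, the POM (which has
// no checksum in verification-metadata.xml) is checked and the build fails.
tasks.register("resolvePomsForLicenseCheck") {
    val dependencyHandler = project.dependencies
    val configurationContainer = project.configurations
    val coordinates = listOf("androidx.annotation:annotation:1.3.0") // captured at configuration time
    val disableVerification = true // flip to false to reproduce the failure from the thread

    doLast {
        for (coordinate in coordinates) {
            val pomDependency = dependencyHandler.create("$coordinate@pom")
            val detached = configurationContainer.detachedConfiguration(pomDependency)
            if (disableVerification) {
                detached.resolutionStrategy.disableDependencyVerification()
            }
            val artifacts = detached.resolvedConfiguration.lenientConfiguration.artifacts
            for (artifact in artifacts) {
                logger.lifecycle("resolved ${artifact.file.name} for $coordinate")
            }
        }
    }
}
```

Run `./gradlew resolvePomsForLicenseCheck :other:compileJava` with a subproject `other` that declares the same `implementation` dependency; the failure only shows up when both the POM-only resolution and a normal verified resolution of the same module happen in one build, which matches the reporter's observation that a single task in isolation does not fail.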

sb-software commented 2 years ago

Ended up looking like this (based on your initial commit): https://github.com/sb-software/licensee/commit/5c25ee936e400644695eeddadb1f403760c7cc29

At least for me this test fails (as expected) if I comment out resolutionStrategy.disableDependencyVerification() again.

JakeWharton commented 2 years ago

Thanks. I'll adapt it so that it does not depend on external repositories and land the change/fix.

JakeWharton commented 2 years ago

Your test does not fail for me when I comment out disableDependencyVerification.