ferstl / depgraph-maven-plugin

A Maven plugin that generates dependency graphs in various formats (DOT, GML, PlantUML, JSON and Text)
Apache License 2.0

Aggregate ignores versions #125

Open gabrielrussoc opened 3 years ago

gabrielrussoc commented 3 years ago

I have a very simple project that has a parent module with two children.

Module A depends on aws-java-sdk-core version 1.11.844:

[Screenshot 2021-05-12 at 15:27:14: dependency graph of module A]

Module B depends on aws-java-sdk-core version 1.11.655:

[Screenshot 2021-05-12 at 15:27:28: dependency graph of module B]

(I got both graphs by running mvn com.github.ferstl:depgraph-maven-plugin:3.3.0:graph -DgraphFormat=dot -DoutputFileName=graph.dot -DshowVersions=true and then looking at the target/ directory of each module for the graph.dot file).

However, when I use the aggregate goal, I get:

[Screenshot 2021-05-12 at 15:30:32: aggregated dependency graph]

(by running mvn com.github.ferstl:depgraph-maven-plugin:3.3.0:aggregate -DgraphFormat=dot -DoutputFileName=graph.dot -DshowVersions=true)

It is merging the versions from both modules in the graph. Is this expected? Docs say: "The goals depgraph:aggregate and depgraph:aggregate-by-groupid create aggregated dependency graphs on the root of a multi-module project. They show the union of all the modules' dependencies by omitting redundant edges." It is only the union if versions are deliberately ignored.

If I swap the versions between modules A and B, the aggregate output changes.

Repro is here: https://github.com/gabrielrussoc/maven-enforcer-cross-dep

gabrielrussoc commented 3 years ago

Not sure if relevant, but if I use another scope for one of the dependencies, it does not merge:

[Screenshot 2021-05-12 at 15:37:45: aggregated graph with differing scopes]

ferstl commented 3 years ago

Hi @gabrielrussoc

The versions are indeed ignored in the aggregated graphs. My intention for that was to mimic an overall dependency graph on a multi-module maven project. Choosing only the first occurrence of a dependency during graph traversal reflects the nearest-first approach of Maven's dependency resolution. I used this mechanism since the very first version of aggregated graphs. In later releases of the plugin I added parameters to merge dependencies with different scopes, types or classifiers into one single node of the graph. If I were to re-implement the aggregated graphs again, I would now probably provide a similar option for versions instead of using the version of the first occurrence.

glianeric commented 2 years ago

Hello,

I came here after running depgraph in an aggregate project. I can give more details later but basically my project has several WARs each of which has their own dependencies. While I understand what you intended to do, would you be able to provide an option to get the raw dependency tree of each component as it is, rather than as maven would like it to be?

The use case is that I wish to see the exact dependencies that will be included by each subcomponent: I have a POM which packages (but is not a parent of, and does not affect the build of) a bunch of WARs. Each WAR has its own dependencies, and I need to see the separate versions of the components of each WAR. In other words, I'm OK with identical dependencies being merged in the graph, but if they differ in version I really need to know.

This came up with this entire log4shell debacle, where I wanted to check the version of all log4j libraries by using depgraph... unfortunately depgraph only showed the version it picked from one of the WARs (I ended up checking the WARs by hand, and I also tested depgraph by deliberately including WARs with different versions of log4j as dependencies of the package POM).

ferstl commented 2 years ago

Hi @glianeric, would the `graph` goal help in your case? It creates a dependency graph for each individual module.
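Following the suggestion above, one way to get the version check glianeric asks for is to run the `graph` goal per module with `-DshowVersions=true` and diff the resulting `graph.dot` files yourself. The script below is an added example, not part of the plugin; it assumes the node-definition shape `"groupId:artifactId:jar"[label=<groupId<br/>artifactId<br/>version>]`, and the two sample graphs are constructed to match the aws-java-sdk-core case from the issue.

```python
import re
from collections import defaultdict

# Assumed node-definition shape of depgraph's graph.dot when run with
# -DshowVersions=true (an assumption for this example; adjust NODE_RE if
# your plugin version emits something different):
#   "groupId:artifactId:jar"[label=<groupId<br/>artifactId<br/>version>]
NODE_RE = re.compile(r'^\s*"(?P<id>[^"]+)"\[label=<(?P<label>.*?)>\]', re.MULTILINE)

# Constructed sample output for the two modules described in the issue.
SAMPLE_GRAPHS = {
    "module-a": '''digraph "module-a" {
  "com.example:module-a:jar"[label=<com.example<br/>module-a<br/>1.0.0>]
  "com.amazonaws:aws-java-sdk-core:jar"[label=<com.amazonaws<br/>aws-java-sdk-core<br/>1.11.844>]
  "org.slf4j:slf4j-api:jar"[label=<org.slf4j<br/>slf4j-api<br/>1.7.30>]
  "com.example:module-a:jar" -> "com.amazonaws:aws-java-sdk-core:jar"
  "com.example:module-a:jar" -> "org.slf4j:slf4j-api:jar"
}''',
    "module-b": '''digraph "module-b" {
  "com.example:module-b:jar"[label=<com.example<br/>module-b<br/>1.0.0>]
  "com.amazonaws:aws-java-sdk-core:jar"[label=<com.amazonaws<br/>aws-java-sdk-core<br/>1.11.655>]
  "org.slf4j:slf4j-api:jar"[label=<org.slf4j<br/>slf4j-api<br/>1.7.30>]
  "com.example:module-b:jar" -> "com.amazonaws:aws-java-sdk-core:jar"
  "com.example:module-b:jar" -> "org.slf4j:slf4j-api:jar"
}''',
}

def parse_versions(dot_text):
    """Map groupId:artifactId -> version for every node in one module's graph."""
    versions = {}
    for m in NODE_RE.finditer(dot_text):
        parts = m.group("label").split("<br/>")
        if len(parts) < 3:          # no version in the label (showVersions off)
            continue
        versions[f"{parts[0]}:{parts[1]}"] = parts[2]
    return versions

def find_version_conflicts(graphs):
    """Return {groupId:artifactId: {module: version}} for artifacts that the
    per-module graphs resolve to more than one version (what aggregate hides)."""
    seen = defaultdict(dict)
    for module, dot_text in graphs.items():
        for ga, version in parse_versions(dot_text).items():
            seen[ga][module] = version
    return {ga: mods for ga, mods in seen.items() if len(set(mods.values())) > 1}

if __name__ == "__main__":
    for ga, mods in sorted(find_version_conflicts(SAMPLE_GRAPHS).items()):
        print(ga, mods)
```

With real projects, read each module's `target/graph.dot` into the dictionary keyed by module name; the report lists only artifacts whose versions differ between modules, which is the information the aggregated graph drops.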