ferstl / depgraph-maven-plugin

A Maven plugin that generates dependency graphs in various formats (DOT, GML, PlantUML, JSON and Text)
Apache License 2.0

targetIncludes from ossindex report #146

Open delanym opened 2 years ago

delanym commented 2 years ago

I use the ossindex-maven-plugin to produce a report of dependencies with vulnerabilities. I run

xpath -q -e '/componentReportExport/vulnerable/entry/key/text()' target/ossindex-audit.xml

over the output to get a list of insecure dependencies. Now I want to take that list and produce a graph using targetIncludes, but the form of the coordinates is quite different:

depgraph-maven-plugin: groupId:artifactId:type:classifier
ossindex-maven-plugin: groupId:artifactId:type:version:scope

It would be useful to specify the version. Do you have any suggestions?

ferstl commented 2 years ago

The plugin uses Maven's default notation for single-line artifact IDs and the standard filtering mechanisms. I just took a look at the implementation and possibly you can use a version after the :classifier. Could you try this? In case you don't have a classifier, you can leave it empty like groupId:artifactId:type::version. It looks like you can't omit the type but you can simply use jar for it.

If this works, I'll change the documentation accordingly.

delanym commented 2 years ago

It works with groupId:artifactId:type:version and not groupId:artifactId:type::version
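
The conversion this thread arrives at, as an added example (not code from either plugin or from the participants): it reads the ossindex report, drops the trailing scope from each vulnerable coordinate, and joins the results into a value for targetIncludes. The report layout is inferred only from the XPath in the question, the sample coordinates are constructed, and passing several coordinates as a comma-separated list is an assumption.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, shaped after the XPath quoted in the issue
# (/componentReportExport/vulnerable/entry/key). Coordinates are made up.
SAMPLE_REPORT = """<componentReportExport>
  <vulnerable>
    <entry><key>org.example:parser:jar:1.2.3:compile</key><value/></entry>
    <entry><key>org.example:web-core:jar:4.0.1:runtime</key><value/></entry>
    <entry><key>org.example:parser:jar:1.2.3:test</key><value/></entry>
  </vulnerable>
</componentReportExport>"""


def to_depgraph_coordinate(ossindex_key):
    """groupId:artifactId:type:version:scope -> groupId:artifactId:type:version."""
    parts = ossindex_key.strip().split(":")
    # Only the five-field form named in the issue is handled; anything else
    # is rejected so a vulnerable artifact is never silently dropped.
    if len(parts) != 5 or not all(parts):
        raise ValueError(f"unexpected coordinate form: {ossindex_key!r}")
    group_id, artifact_id, artifact_type, version, _scope = parts
    return ":".join((group_id, artifact_id, artifact_type, version))


def target_includes(report_xml):
    """Return the targetIncludes value for all vulnerable entries in the report."""
    root = ET.fromstring(report_xml)
    if root.tag != "componentReportExport":
        raise ValueError(f"unexpected root element: {root.tag!r}")
    coordinates = []
    for key in root.findall("./vulnerable/entry/key"):
        coordinate = to_depgraph_coordinate(key.text or "")
        # The same artifact can be reported under several scopes; list it once.
        if coordinate not in coordinates:
            coordinates.append(coordinate)
    # Assumption: multiple coordinates are given as a comma-separated list.
    return ",".join(coordinates)


if __name__ == "__main__":
    # Usage: python this_script.py target/ossindex-audit.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            print(target_includes(handle.read()))
    else:
        print(target_includes(SAMPLE_REPORT))
```
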