ferstl / depgraph-maven-plugin

A Maven plugin that generates dependency graphs in various formats (DOT, GML, PlantUML, JSON and Text)
Apache License 2.0

Incorrect result with multiple versions of transitive dependency? #157

Closed rolodato closed 2 years ago

rolodato commented 2 years ago

I think I've found a bug relating to multiple versions of the same transitive dependency. Consider this POM:

<?xml version="1.0" encoding="UTF-8"?>
<project
    xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.example</groupId>
    <artifactId>example</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <dependencies>
        <dependency>
            <groupId>com.amazonaws</groupId>
            <artifactId>aws-java-sdk-kms</artifactId>
            <version>1.11.415</version>
        </dependency>
        <dependency>
            <groupId>com.jayway.restassured</groupId>
            <artifactId>rest-assured</artifactId>
            <version>2.9.0</version>
            <scope>test</scope>
        </dependency>
    </dependencies>
</project>

This is the resulting dependency graph:

$ mvn com.github.ferstl:depgraph-maven-plugin:4.0.1:aggregate -DgraphFormat=text -DmergeScopes -DreduceEdges=false -DshowVersions=true -DshowGroupIds=true -DrepeatTransitiveDependenciesInTextGraph=true
[...]
[INFO] Dependency graph:
com.example:example:0.0.1-SNAPSHOT:compile
+- com.amazonaws:aws-java-sdk-kms:1.11.415:compile
|  +- com.amazonaws:aws-java-sdk-core:1.11.415:compile
|  |  +- commons-logging:commons-logging:1.1.3:compile
|  |  +- software.amazon.ion:ion-java:1.0.2:compile
|  |  +- com.fasterxml.jackson.core:jackson-databind:2.6.7.1:compile
|  |  |  +- com.fasterxml.jackson.core:jackson-annotations:2.6.0:compile
|  |  |  \- com.fasterxml.jackson.core:jackson-core:2.6.7:compile
|  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.6.7:compile
|  |  \- joda-time:joda-time:2.8.1:compile
|  \- com.amazonaws:jmespath-java:1.11.415:compile
\- com.jayway.restassured:rest-assured:2.9.0:test
   +- org.codehaus.groovy:groovy:2.4.4:test
   +- org.codehaus.groovy:groovy-xml:2.4.4:test
   +- org.apache.httpcomponents:httpclient:4.5.1:compile   👈 note these dependencies have compile scope, not test
   |  +- org.apache.httpcomponents:httpcore:4.4.3:compile  👈
   |  \- commons-codec:commons-codec:1.9:compile
   +- org.apache.httpcomponents:httpmime:4.5.1:test
   +- org.hamcrest:hamcrest-core:1.3:test
   +- org.hamcrest:hamcrest-library:1.3:test
   +- org.ccil.cowan.tagsoup:tagsoup:1.2.1:test
   +- com.jayway.restassured:json-path:2.9.0:test
   |  +- org.codehaus.groovy:groovy-json:2.4.4:test
   |  \- com.jayway.restassured:rest-assured-common:2.9.0:test
   \- com.jayway.restassured:xml-path:2.9.0:test
      \- org.apache.commons:commons-lang3:3.3.2:test

If we modify the POM to only include each dependency individually, we get different results:

$ mvn com.github.ferstl:depgraph-maven-plugin:4.0.1:aggregate -DgraphFormat=text -DmergeScopes -DreduceEdges=false -DshowVersions=true -DshowGroupIds=true -DrepeatTransitiveDependenciesInTextGraph=true
[...]
[INFO] Dependency graph:
com.example:example:0.0.1-SNAPSHOT:compile
\- com.amazonaws:aws-java-sdk-kms:1.11.415:compile
   +- com.amazonaws:aws-java-sdk-core:1.11.415:compile
   |  +- commons-logging:commons-logging:1.1.3:compile
   |  +- org.apache.httpcomponents:httpclient:4.5.5:compile     👈 this version is not included in the tree above
   |  |  +- org.apache.httpcomponents:httpcore:4.4.9:compile
   |  |  \- commons-codec:commons-codec:1.10:compile
   |  +- software.amazon.ion:ion-java:1.0.2:compile
   |  +- com.fasterxml.jackson.core:jackson-databind:2.6.7.1:compile
   |  |  +- com.fasterxml.jackson.core:jackson-annotations:2.6.0:compile
   |  |  \- com.fasterxml.jackson.core:jackson-core:2.6.7:compile
   |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.6.7:compile
   |  \- joda-time:joda-time:2.8.1:compile
   \- com.amazonaws:jmespath-java:1.11.415:compile
$ mvn com.github.ferstl:depgraph-maven-plugin:4.0.1:aggregate -DgraphFormat=text -DmergeScopes -DreduceEdges=false -DshowVersions=true -DshowGroupIds=true -DrepeatTransitiveDependenciesInTextGraph=true
[...]
[INFO] Dependency graph:
com.example:example:0.0.1-SNAPSHOT:compile
\- com.jayway.restassured:rest-assured:2.9.0:test
   +- org.codehaus.groovy:groovy:2.4.4:test
   +- org.codehaus.groovy:groovy-xml:2.4.4:test
   +- org.apache.httpcomponents:httpclient:4.5.1:test    👈 test scope is correct here
   |  +- org.apache.httpcomponents:httpcore:4.4.3:test
   |  +- commons-logging:commons-logging:1.2:test
   |  \- commons-codec:commons-codec:1.9:test
   +- org.apache.httpcomponents:httpmime:4.5.1:test
   +- org.hamcrest:hamcrest-core:1.3:test
   +- org.hamcrest:hamcrest-library:1.3:test
   +- org.ccil.cowan.tagsoup:tagsoup:1.2.1:test
   +- com.jayway.restassured:json-path:2.9.0:test
   |  +- org.codehaus.groovy:groovy-json:2.4.4:test
   |  \- com.jayway.restassured:rest-assured-common:2.9.0:test
   \- com.jayway.restassured:xml-path:2.9.0:test
      \- org.apache.commons:commons-lang3:3.3.2:test

When analyzing both dependencies together, I would expect to see a result similar to this:

$ mvn com.github.ferstl:depgraph-maven-plugin:4.0.1:aggregate -DgraphFormat=text -DmergeScopes -DreduceEdges=false -DshowVersions=true -DshowGroupIds=true -DrepeatTransitiveDependenciesInTextGraph=true
[...]
[INFO] Dependency graph:
com.example:example:0.0.1-SNAPSHOT:compile
+- com.amazonaws:aws-java-sdk-kms:1.11.415:compile
|  +- com.amazonaws:aws-java-sdk-core:1.11.415:compile
|  |  +- org.apache.httpcomponents:httpclient:4.5.5:compile     👈
|  |  |  +- org.apache.httpcomponents:httpcore:4.4.9:compile    👈
|  |  +- commons-logging:commons-logging:1.1.3:compile
|  |  +- software.amazon.ion:ion-java:1.0.2:compile
|  |  +- com.fasterxml.jackson.core:jackson-databind:2.6.7.1:compile
|  |  |  +- com.fasterxml.jackson.core:jackson-annotations:2.6.0:compile
|  |  |  \- com.fasterxml.jackson.core:jackson-core:2.6.7:compile
|  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.6.7:compile
|  |  \- joda-time:joda-time:2.8.1:compile
|  \- com.amazonaws:jmespath-java:1.11.415:compile
\- com.jayway.restassured:rest-assured:2.9.0:test
   +- org.codehaus.groovy:groovy:2.4.4:test
   +- org.codehaus.groovy:groovy-xml:2.4.4:test
   +- org.apache.httpcomponents:httpclient:4.5.1:test   👈
   |  +- org.apache.httpcomponents:httpcore:4.4.3:test  👈
   |  \- commons-codec:commons-codec:1.9:compile
   +- org.apache.httpcomponents:httpmime:4.5.1:test
   +- org.hamcrest:hamcrest-core:1.3:test
   +- org.hamcrest:hamcrest-library:1.3:test
   +- org.ccil.cowan.tagsoup:tagsoup:1.2.1:test
   +- com.jayway.restassured:json-path:2.9.0:test
   |  +- org.codehaus.groovy:groovy-json:2.4.4:test
   |  \- com.jayway.restassured:rest-assured-common:2.9.0:test
   \- com.jayway.restassured:xml-path:2.9.0:test
      \- org.apache.commons:commons-lang3:3.3.2:test

Thanks for your work and support!

rolodato commented 2 years ago

Seems this might not be a bug specific to depgraph, as mvn dependency:tree shows very similar output:

$ mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------< com.example:example >-------------------------
[INFO] Building example 0.0.1-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ example ---
[INFO] com.example:example:jar:0.0.1-SNAPSHOT
[INFO] +- com.amazonaws:aws-java-sdk-kms:jar:1.11.415:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-core:jar:1.11.415:compile  <-- no dependency on httpclient:4.5.5 shown
[INFO] |  |  +- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] |  |  +- software.amazon.ion:ion-java:jar:1.0.2:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.7.1:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.6.0:compile
[INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.6.7:compile
[INFO] |  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.6.7:compile
[INFO] |  |  \- joda-time:joda-time:jar:2.8.1:compile
[INFO] |  \- com.amazonaws:jmespath-java:jar:1.11.415:compile
[INFO] \- com.jayway.restassured:rest-assured:jar:2.9.0:test
[INFO]    +- org.codehaus.groovy:groovy:jar:2.4.4:test
[INFO]    +- org.codehaus.groovy:groovy-xml:jar:2.4.4:test
[INFO]    +- org.apache.httpcomponents:httpclient:jar:4.5.1:compile  <-- compile instead of test scope
[INFO]    |  +- org.apache.httpcomponents:httpcore:jar:4.4.3:compile
[INFO]    |  \- commons-codec:commons-codec:jar:1.9:compile
[INFO]    +- org.apache.httpcomponents:httpmime:jar:4.5.1:test
[INFO]    +- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO]    +- org.hamcrest:hamcrest-library:jar:1.3:test
[INFO]    +- org.ccil.cowan.tagsoup:tagsoup:jar:1.2.1:test
[INFO]    +- com.jayway.restassured:json-path:jar:2.9.0:test
[INFO]    |  +- org.codehaus.groovy:groovy-json:jar:2.4.4:test
[INFO]    |  \- com.jayway.restassured:rest-assured-common:jar:2.9.0:test
[INFO]    \- com.jayway.restassured:xml-path:jar:2.9.0:test
[INFO]       \- org.apache.commons:commons-lang3:jar:3.3.2:test

rolodato commented 2 years ago

The graph goal also has similar behavior:

$ mvn com.github.ferstl:depgraph-maven-plugin:4.0.1:graph -DgraphFormat=text -DshowVersions=true -DshowGroupIds=true
[...]
[INFO] Dependency graph:
com.example:example:0.0.1-SNAPSHOT:compile
+- com.amazonaws:aws-java-sdk-kms:1.11.415:compile
|  +- com.amazonaws:aws-java-sdk-core:1.11.415:compile
|  |  +- commons-logging:commons-logging:1.1.3:compile
|  |  +- software.amazon.ion:ion-java:1.0.2:compile
|  |  +- com.fasterxml.jackson.core:jackson-databind:2.6.7.1:compile
|  |  |  +- com.fasterxml.jackson.core:jackson-annotations:2.6.0:compile
|  |  |  \- com.fasterxml.jackson.core:jackson-core:2.6.7:compile
|  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.6.7:compile
|  |  \- joda-time:joda-time:2.8.1:compile
|  \- com.amazonaws:jmespath-java:1.11.415:compile
\- com.jayway.restassured:rest-assured:2.9.0:test
   +- org.codehaus.groovy:groovy:2.4.4:test
   +- org.codehaus.groovy:groovy-xml:2.4.4:test
   +- org.apache.httpcomponents:httpclient:4.5.1:compile     <--
   |  +- org.apache.httpcomponents:httpcore:4.4.3:compile    <--
   |  \- commons-codec:commons-codec:1.9:compile
   +- org.apache.httpcomponents:httpmime:4.5.1:test
   +- org.hamcrest:hamcrest-core:1.3:test
   +- org.hamcrest:hamcrest-library:1.3:test
   +- org.ccil.cowan.tagsoup:tagsoup:1.2.1:test
   +- com.jayway.restassured:json-path:2.9.0:test
   |  +- org.codehaus.groovy:groovy-json:2.4.4:test
   |  \- com.jayway.restassured:rest-assured-common:2.9.0:test
   \- com.jayway.restassured:xml-path:2.9.0:test
      \- org.apache.commons:commons-lang3:3.3.2:test

rolodato commented 2 years ago

I hadn't seen the options showConflicts and showDuplicates, I think those will get me closer to what I'm looking for. Closing this issue for now while I research :)
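
The comparison made by hand in this thread (combined graph versus one graph per dependency) can be scripted, which is useful when checking which version and scope of a transitive library a build actually resolves. The following is an added example, not part of the issue or the plugin: it parses the depgraph text format (`group:artifact:version:scope`) and reports versions that drop out of the combined graph and scopes that change; the names `parse_graph` and `compare` and the shortened sample graphs are constructed for illustration.

```python
import re

# One node of the depgraph text format: tree prefix, then group:artifact:version:scope.
NODE = re.compile(r"^[|+\\\- ]*([\w.\-]+):([\w.\-]+):([\w.\-]+):(\w+)(?:\s|$)")

# Constructed samples: shortened excerpts modelled on the three graphs in the issue.
COMBINED = r"""com.example:example:0.0.1-SNAPSHOT:compile
+- com.amazonaws:aws-java-sdk-kms:1.11.415:compile
|  \- com.amazonaws:aws-java-sdk-core:1.11.415:compile
\- com.jayway.restassured:rest-assured:2.9.0:test
   \- org.apache.httpcomponents:httpclient:4.5.1:compile
      \- org.apache.httpcomponents:httpcore:4.4.3:compile"""
KMS_ONLY = r"""com.example:example:0.0.1-SNAPSHOT:compile
\- com.amazonaws:aws-java-sdk-kms:1.11.415:compile
   \- com.amazonaws:aws-java-sdk-core:1.11.415:compile
      \- org.apache.httpcomponents:httpclient:4.5.5:compile
         \- org.apache.httpcomponents:httpcore:4.4.9:compile"""
REST_ONLY = r"""com.example:example:0.0.1-SNAPSHOT:compile
\- com.jayway.restassured:rest-assured:2.9.0:test
   \- org.apache.httpcomponents:httpclient:4.5.1:test
      \- org.apache.httpcomponents:httpcore:4.4.3:test"""

def parse_graph(text):
    """Map 'group:artifact' -> set of (version, scope) found in one text graph."""
    nodes = {}
    for line in text.splitlines():
        m = NODE.match(line)
        if m:  # log lines such as "[INFO] Dependency graph:" do not match
            group, artifact, version, scope = m.groups()
            nodes.setdefault(f"{group}:{artifact}", set()).add((version, scope))
    return nodes

def compare(combined, isolated_graphs):
    """List (artifact, version, change) where the combined graph differs from the isolated ones."""
    merged, expected, findings = parse_graph(combined), {}, []
    for text in isolated_graphs:
        for ga, variants in parse_graph(text).items():
            expected.setdefault(ga, set()).update(variants)
    for ga, variants in sorted(expected.items()):
        for version, scope in sorted(variants):
            scopes = sorted(s for v, s in merged.get(ga, set()) if v == version)
            if not scopes:  # this version was replaced by another one
                findings.append((ga, version, "absent"))
            elif scope not in scopes:  # same version, different scope
                findings.append((ga, version, f"scope {scope} -> {','.join(scopes)}"))
    return findings

if __name__ == "__main__":
    print(*compare(COMBINED, [KMS_ONLY, REST_ONLY]), sep="\n")
```

The parser only accepts the four-field depgraph coordinates; the five-field `mvn dependency:tree` lines (with the `jar` packaging field) are skipped rather than misread.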