jfrog / jfrog-cli-core

Apache License 2.0

Inclusion of maven-dep-tree has indirectly increased minimum Maven version requirement for jfrog-cli #1141

Open pixdrift opened 6 months ago

pixdrift commented 6 months ago

Describe the bug

When using jf audit with the JFrog CLI, versions newer than 2.51.1 require a minimum Maven version of 3.6.3 due to the inclusion of maven-dep-tree. This results in the following error when attempting to run the jf audit command using an older version of Maven if using a JFrog CLI version newer than 2.51.1.

The plugin com.jfrog:maven-dep-tree:1.0.2 requires Maven 3.6.3
The plugin com.jfrog:maven-dep-tree:1.0.10 requires Maven 3.6.3

It appears this impacts any JFrog CLI version released after November 19th 2023 when PR #1023 was merged. That is, any jfrog-cli version newer than 2.51.1 as it includes the breaking change. Based on this, the first impacted version of jfrog-cli is 2.52.0.

The dependency version was also bumped in PR #1097 from 1.0.2 to 1.0.10.

The maven.min.version definition in the pom.xml file that specifies Maven 3.6.3 is in the plugin repository here https://github.com/jfrog/maven-dep-tree/blob/main/pom.xml#L19

Current behavior

jf audit produces the following error when running on a version of Maven less than 3.6.3 (two different examples as dependency version has been bumped)

The plugin com.jfrog:maven-dep-tree:1.0.2 requires Maven 3.6.3
The plugin com.jfrog:maven-dep-tree:1.0.10 requires Maven 3.6.3

Reproduction steps

  1. Install JFrog CLI newer than 2.51.1 on a system with Maven older than 3.6.3 (eg. Red Hat Enterprise Linux 8)
  2. Execute the JFrog CLI jf audit command with correct options/parameters
  3. Command will fail due to Maven not being at required 3.6.3 version for maven-dep-tree dependency

Expected behavior

Expected behaviour and potential actions to resolve the issue:

  1. That the command executes correctly on older versions of Maven. Although the official Maven support states that versions older than 3.6.3 are now out of support, there may be Enterprise customers using RHEL and derivatives which still ship with OS included 3.5.4 that is actively supported via backports by the OS vendor. It may also be unfeasible to support versions this old, which could be documented.

  2. That the version requirement in maven-dep-tree is determined to be higher than technically necessary, and it is lowered to match the core JFrog CLI components so that it doesn't increase the minimum Maven requirement, and new versions of JFrog CLI will continue to work on older Maven versions until there is a technical requirement pushing the Maven version up.

  3. That the requirement for minimum version of Maven 3.6.3 is documented and defined in the JFrog CLI dependencies so that it doesn't surface to the end user through a plugin install error, but instead presents as a requirement for JFrog CLI at installation/execution time.

JFrog CLI-Core version

Version included in JFrog CLI > 2.51.1

JFrog CLI version (if applicable)

> 2.51.1

Operating system type and version

Red Hat Enterprise Linux

JFrog Artifactory version

N/A

JFrog Xray version

N/A
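
A preflight check in the spirit of expected-behaviour item 3 above, as an added example that is not part of the original issue or of JFrog CLI: it parses `mvn --version` output and fails with a clear message when Maven is older than the 3.6.3 floor quoted in the plugin error. The function names and the sample version strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not JFrog code); function names are hypothetical.
MIN_MAVEN="3.6.3"  # floor quoted in the plugin error on this page

# Constructed sample `mvn --version` outputs (not captured from a real host).
SAMPLE_OLD='Apache Maven 3.5.4 (constructed sample)
Maven home: /usr/share/maven'
SAMPLE_NEW='Apache Maven 3.6.3 (constructed sample)
Maven home: /opt/maven'

# Pull "X.Y.Z" out of the "Apache Maven X.Y.Z ..." banner line.
parse_maven_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*Apache Maven \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when version $1 >= version $2, comparing numeric fields
# left to right (so 3.10.0 > 3.6.3, unlike a string comparison).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Exit status: 0 = Maven new enough, 1 = too old, 2 = version not found.
check_maven_for_audit() {
    found=$(parse_maven_version "$1")
    if [ -z "$found" ]; then
        echo "preflight: could not determine Maven version" >&2
        return 2
    fi
    if version_ge "$found" "$MIN_MAVEN"; then
        echo "preflight: Maven $found satisfies >= $MIN_MAVEN"
        return 0
    fi
    echo "preflight: Maven $found is older than $MIN_MAVEN required by maven-dep-tree" >&2
    return 1
}

# CI usage (assumes mvn and jf are on PATH):
#   check_maven_for_audit "$(mvn --version 2>/dev/null)" && jf audit
```

Running the check before `jf audit` in a pipeline surfaces the version requirement as an explicit precondition instead of a plugin resolution error partway through the scan.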