jfrog / jfrog-idea-plugin

JFrog IntelliJ IDEA plugin
https://jfrog.github.io/jfrog-idea-plugin/
Apache License 2.0
196 stars, 31 forks

Maven dependency difference #106

Closed joeynaor closed 3 years ago

joeynaor commented 3 years ago

When scanning the exact same Maven project, different results/vulnerabilities are shown in the JFrog-supported IDEs. It appears that Eclipse has the most accurate data and number of dependencies, and that IntelliJ (and VSCode) provide different results, likely due to certain dependencies not showing up.

As the JFrog IntelliJ plugin is limited to what the IDE (IntelliJ) allows it to view/use, the purpose of this ticket is to investigate if anything can be done (on the plugin level) to improve this behavior and achieve uniformity across all JFrog-supported IDEs.

Screenshot comparison (image not reproduced)

Versions (image not reproduced)

yahavi commented 3 years ago

@joeynaor, To get the best performance for the dependency scanning, we extract the Maven dependencies from the IDE Maven plugins in Eclipse and IntelliJ. Using this method allows us to avoid redundant Maven dependency resolution.

For example, in IntelliJ, to see the dependencies resolved by the Maven plugin, open the Maven tab -> dependencies (screenshot not reproduced).

There are more differences caused by the different attitudes of the Maven plugins in IntelliJ and Eclipse. One difference I've found is that the Eclipse plugin shows transitive optional dependencies and the IntelliJ plugin does not. This is not an issue, since an optional transitive dependency is ignored if not mentioned specifically as a direct dependency. For example, see the guice-plexus-shim under maven-compat -> sisu-inject-plexus.

Notwithstanding, I did find something we can change in the IntelliJ plugin whereby dependencies are deduped if they are appearing twice in the same module.
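The two Maven rules the comment above relies on, that a transitive optional dependency is dropped unless the module declares it directly and that a coordinate reached twice in the same module is reported once, are easy to get wrong in a scanner, and the difference decides which artifacts get checked for vulnerabilities. The following is an added example, not code from the jfrog-idea-plugin project, that models both rules over a small constructed dependency graph. The artifact names maven-compat, sisu-inject-plexus and guice-plexus-shim come from the comment; the group IDs, the `org.example` module and `helper` artifact, and the `0.0.0` versions are placeholders. It deliberately does not model Maven's nearest-wins version conflict resolution, which only matters when two different versions of the same group:artifact meet.

```python
"""Constructed model of how Maven treats optional transitives and duplicates.

Added example for the issue discussion; not the plugin's own code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dep:
    """One <dependency> entry in a pom, as seen from the declaring artifact."""
    group: str
    artifact: str
    version: str
    optional: bool = False  # <optional>true</optional> in the declaring pom

    @property
    def gav(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


# Hypothetical module being built.
ROOT = "org.example:app:0.0.0"

# Constructed graph: key = artifact GAV, value = the dependencies that
# artifact's own pom declares. Group IDs and versions are placeholders;
# only the artifact names are taken from the issue.
POMS = {
    ROOT: [
        Dep("placeholder.group", "maven-compat", "0.0.0"),
        Dep("org.example", "helper", "0.0.0"),
    ],
    "placeholder.group:maven-compat:0.0.0": [
        Dep("placeholder.group", "sisu-inject-plexus", "0.0.0"),
    ],
    "placeholder.group:sisu-inject-plexus:0.0.0": [
        # optional in sisu-inject-plexus's pom, so it never reaches ROOT
        Dep("placeholder.group", "guice-plexus-shim", "0.0.0", optional=True),
    ],
    # a second path to maven-compat: the same coordinate appears twice
    "org.example:helper:0.0.0": [
        Dep("placeholder.group", "maven-compat", "0.0.0"),
    ],
}


def raw_tree(gav: str, poms: dict) -> list:
    """Every dependency reachable from gav, in pre-order, with duplicates and
    optional transitives kept. This mirrors a tree view that applies neither
    rule; it over-reports what actually ends up on the classpath."""
    out = []
    for dep in poms.get(gav, []):
        out.append(dep.gav)
        out.extend(raw_tree(dep.gav, poms))
    return out


def resolve(gav: str, poms: dict) -> list:
    """Dependencies that Maven would actually resolve for the module gav.

    Rule 1: an optional dependency is included only when it is declared
            directly by the module being built, so a transitive optional is
            dropped.
    Rule 2: a coordinate reached more than once is reported once (the seen
            list also guards against cycles in the graph).
    """
    seen: list = []

    def visit(current: str, direct: bool) -> None:
        for dep in poms.get(current, []):
            if dep.optional and not direct:
                continue  # rule 1: transitive optional, skip it and its subtree
            if dep.gav in seen:
                continue  # rule 2: already reported, subtree already walked
            seen.append(dep.gav)
            visit(dep.gav, direct=False)

    visit(gav, direct=True)
    return seen


def over_reported(gav: str, poms: dict) -> list:
    """Coordinates a naive tree view shows that Maven would not resolve:
    the entries a scanner would flag for nothing."""
    resolved = set(resolve(gav, poms))
    return sorted({g for g in raw_tree(gav, poms) if g not in resolved})


if __name__ == "__main__":
    print("raw tree    :", raw_tree(ROOT, POMS))
    print("resolved    :", resolve(ROOT, POMS))
    print("over-reported:", over_reported(ROOT, POMS))
```

Running it shows maven-compat and sisu-inject-plexus twice in the raw tree and guice-plexus-shim present on both paths, while `resolve` returns three unique coordinates and drops the optional shim; a scanner that walks the raw tree would report findings for an artifact that is never on the classpath, and one that dedups without tracking `direct` would wrongly drop an optional dependency the module itself declares.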