smartics / smartics-enforcer-rules

A collection of rules for the Maven enforcer plugin.

NoSnapshotsInDependencyManagementRule: check version for scope:import #1

Closed barthel closed 8 years ago

barthel commented 8 years ago

The version of a dependency with scope import should also be checked.

[...]
  <properties>
    <tld.company.product.shared-dependencies.version>1.0.1-SNAPSHOT</tld.company.product.shared-dependencies.version>
  </properties>
[...]
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>tld.company.product</groupId>
        <artifactId>tld.company.product.shared-dependencies</artifactId>
        <version>${tld.company.product.shared-dependencies.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
[...]

RobertReiner commented 8 years ago

Correct: We just check if the resolved dependencies contain snapshot dependencies. So we fail to detect a BOM that is a snapshot, but itself contains no snapshots.

I'd add a property to control whether or not a snapshot BOM without snapshot dependencies should raise an issue or not. It will default to 'true' since this seems to be the natural use case.

RobertReiner commented 8 years ago

@barthel : I've deployed the 1.0.1-SNAPSHOT to Maven Central.

If the fix works for you, I'd close this issue. Please let me know ...

barthel commented 8 years ago

For several reasons I am not allowed to fetch SNAPSHOT artifacts from Maven Central. I have cloned this repo and built version 1.0.1-SNAPSHOT myself.

I tried that version and it fails with onlyWhenRelease set to false.

The POM looks like the example above. The rule is configured like:

[...]
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <dependencies>
          <dependency>
            <groupId>de.smartics.rules</groupId>
            <artifactId>smartics-enforcer-rules</artifactId>
            <version>1.0.1-SNAPSHOT</version>
          </dependency>
        </dependencies>
        <executions>
          <execution>
            <id>enforce: dependency management version compliance</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- @see: https://www.smartics.eu/confluence/display/SERFM/No+SNAPSHOTs+in+Dependency+Management+Rule -->
                <NoSnapshotDependenciesInDependencyManagementRule implementation="de.smartics.maven.enforcer.rule.NoSnapshotsInDependencyManagementRule">
                  <onlyWhenRelease>false</onlyWhenRelease>
                </NoSnapshotDependenciesInDependencyManagementRule>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
[...]

The execution returned successfully but should fail with a BOM SNAPSHOT version.

$ mvn clean verify
[...]
[INFO] --- maven-enforcer-plugin:1.4.1:enforce (enforce: dependency management version compliance) @ de.icongmbh.dopix.document.serialization.api ---
[INFO] 
[INFO] --- buildnumber-maven-plugin:1.4:create (default) @ de.icongmbh.dopix.document.serialization.api ---
[...]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------

RobertReiner commented 8 years ago

Getting the version information from the model requires resolving. The test case is now also using a property.

If the fix works for you, I'd close this issue. Please let me know ...
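
The check discussed in this thread, as an added example that is not part of the original comments and not the plugin's code: it reads the raw `dependencyManagement` section, interpolates `${...}` from the POM's own `<properties>`, and reports import-scoped BOMs whose version ends in `-SNAPSHOT`. The sample POM is constructed from the issue's snippet, the function names are this example's own, and parent POMs, profiles and built-in expressions such as `${project.version}` are assumed out of scope.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM, modelled on the snippet quoted in this issue.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <tld.company.product.shared-dependencies.version>1.0.1-SNAPSHOT</tld.company.product.shared-dependencies.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>tld.company.product</groupId>
        <artifactId>tld.company.product.shared-dependencies</artifactId>
        <version>${tld.company.product.shared-dependencies.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>tld.company.product</groupId>
        <artifactId>released-lib</artifactId>
        <version>2.3.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>"""

def interpolate(value, props):
    """Expand ${name} from <properties>; unknown names are left untouched."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def text(dep, name):
    return (dep.findtext("m:" + name, "", NS) or "").strip()

def snapshot_boms(pom_xml):
    """Return (groupId, artifactId, version) of import-scoped SNAPSHOT BOMs."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    hits = []
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        version = interpolate(text(dep, "version"), props)
        if text(dep, "scope") == "import" and version.endswith("-SNAPSHOT"):
            hits.append((text(dep, "groupId"), text(dep, "artifactId"), version))
    return hits

if __name__ == "__main__":
    print(snapshot_boms(SAMPLE_POM))
```

Because it works on the declared model rather than the resolved dependency list, it flags a SNAPSHOT BOM even when the BOM itself manages only released versions.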

barthel commented 8 years ago

@RobertReiner: onlyWhenRelease and checkOnlyResolvedDependencies are not working anymore. See the comments on the commit (https://github.com/smartics/smartics-enforcer-rules/commit/aeec26463aa6176a2a085cfdd277dd0700296194).

It works if you remove the final keywords. :+1:

RobertReiner commented 8 years ago

Sorry: autoformat

Fixed it.

barthel commented 8 years ago

:+1: Now it works. :-) I'm looking forward to the next release.

RobertReiner commented 8 years ago

Released 1.0.1 to Maven Central.

@barthel Thank you for your support!