spotbugs / spotbugs-maven-plugin

Maven Mojo Plug-In to generate reports based on the SpotBugs Analyzer
https://spotbugs.github.io/spotbugs-maven-plugin/
Apache License 2.0

Uses deprecated maven components #589

Closed Bananeweizen closed 10 months ago

Bananeweizen commented 11 months ago

Use Maven 3.9.2. Run mvn help:help -Dmaven.plugin.validation=VERBOSE on any project using the spotbugs-maven-plugin to see these warnings:

[WARNING]  * com.github.spotbugs:spotbugs-maven-plugin:4.7.3.4
...
[WARNING]   Plugin issue(s):
[WARNING]    * Plugin depends on plexus-container-default, which is EOL

For reference, please check the last item of https://maven.apache.org/docs/3.9.2/release-notes.html#notable-new-features
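As an added example (not part of this issue and not the plugin's own code), the POSIX shell filter below turns the VERBOSE validation output into a list of plugins flagged for depending on plexus-container-default, so the check can run as a CI gate instead of being read by eye. The sample output is constructed from the warning shape quoted above; the `mvn` invocation in `scan_project` is the one from the report and is not executed by the sample run.

```shell
#!/bin/sh
# Added example, not code from the issue or the plugin.
# Constructed sample of `mvn help:help -Dmaven.plugin.validation=VERBOSE` output,
# modelled on the warning block quoted in the issue (second plugin is made up).
SAMPLE_OUTPUT='[WARNING]  * com.github.spotbugs:spotbugs-maven-plugin:4.7.3.4
[WARNING]   Plugin issue(s):
[WARNING]    * Plugin depends on plexus-container-default, which is EOL
[WARNING]  * org.example:unrelated-plugin:1.0.0
[WARNING]   Plugin issue(s):
[WARNING]    * Some other, unrelated note'

# flagged_plugins: reads validation output on stdin and prints
# "groupId:artifactId:version" for every plugin whose issue list
# mentions plexus-container-default. The plugin header line has the form
# "[WARNING]  * g:a:v"; issue lines are indented further and carry no colons.
flagged_plugins() {
  awk '
    /^\[WARNING\]  \* [^ ]+:[^ ]+:[^ ]+$/ { plugin = $3; next }
    /plexus-container-default/ && plugin != "" { print plugin; plugin = "" }
  '
}

# check_plugins: runs the filter over the constructed sample.
check_plugins() {
  printf '%s\n' "$SAMPLE_OUTPUT" | flagged_plugins
}

# scan_project: the real thing, to be run inside a Maven project checkout;
# exits non-zero when any plugin is flagged, so a CI job fails visibly.
scan_project() {
  flagged="$(mvn help:help -Dmaven.plugin.validation=VERBOSE 2>&1 | flagged_plugins)"
  [ -z "$flagged" ] || { printf 'plugins depending on EOL container:\n%s\n' "$flagged"; return 1; }
}
```

Because the filter keys on the plugin header line and only reports the header when a following issue line names the EOL artifact, unrelated validation notes on other plugins do not produce false positives.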

hazendaz commented 11 months ago

Thanks! I plan to look at this as soon as possible. If you or anyone reading this knows how to fix the issue, would love to get a PR :)

basil commented 11 months ago

Suggest the following patch:

diff --git a/pom.xml b/pom.xml
index b1d326b..4931f85 100644
--- a/pom.xml
+++ b/pom.xml
@@ -363,12 +363,6 @@
       <groupId>org.apache.maven.reporting</groupId>
       <artifactId>maven-reporting-impl</artifactId>
       <version>${mavenReportingVersion}</version>
-      <exclusions>
-        <exclusion>
-          <groupId>org.codehaus.plexus</groupId>
-          <artifactId>plexus-container-default</artifactId>
-        </exclusion>
-      </exclusions>
     </dependency>

     <dependency>
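Review bot: dropping the plexus-container-default exclusion from maven-reporting-impl is only safe if the release pinned by `${mavenReportingVersion}` no longer declares that artifact transitively; that version is not visible in this hunk, so please name it in the PR description and confirm with `mvn dependency:tree -Dincludes=org.codehaus.plexus:plexus-container-default` after applying, otherwise this hunk reintroduces the very artifact the other hunks exclude.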
@@ -443,6 +437,10 @@
           <groupId>commons-logging</groupId>
           <artifactId>commons-logging</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>org.codehaus.plexus</groupId>
+          <artifactId>plexus-container-default</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
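Review bot: the context shows only the neighbouring commons-logging exclusion, not which dependency this new plexus-container-default exclusion is attached to; that artifact should be named in the PR, because an exclusion on a library that actually resolves components through the container fails at runtime with a missing class rather than at compile time, so the goal that uses it needs to be exercised by an integration test, not just a clean build.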
@@ -494,6 +492,12 @@
       <groupId>org.apache.maven.doxia</groupId>
       <artifactId>doxia-integration-tools</artifactId>
       <version>${doxiaSiteToolsVersion}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>org.codehaus.plexus</groupId>
+          <artifactId>plexus-container-default</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>

     <!-- Commons -->
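Review bot: doxia-integration-tools is the dependency in this set most likely to look up components through the plexus container at report-generation time, so this exclusion should be validated by running the plugin's report goal on a sample project; if that goal then fails, the dependency genuinely needs the container and the right fix is a Doxia release that has dropped it, not a broader exclusion.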
@@ -551,27 +555,10 @@
     </dependency>

     <!-- plexus -->
-    <dependency>
-      <groupId>org.codehaus.plexus</groupId>
-      <artifactId>plexus-container-default</artifactId>
-      <version>${plexusContainerVersion}</version>
-      <exclusions>
-          <exclusion>
-              <groupId>com.google.collections</groupId>
-              <artifactId>google-collections</artifactId>
-          </exclusion>
-      </exclusions>
-    </dependency>
     <dependency>
       <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-resources</artifactId>
       <version>${plexusResourcesVersion}</version>
-      <exclusions>
-        <exclusion>
-          <groupId>org.codehaus.plexus</groupId>
-          <artifactId>plexus-container-default</artifactId>
-        </exclusion>
-      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.codehaus.plexus</groupId>
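Review bot: removing the direct plexus-container-default dependency leaves `${plexusContainerVersion}` with no user in this diff, and the google-collections exclusion that lived on it disappears with it; the now-dead property should be removed from `<properties>` in the same change, and `mvn dependency:tree -Dincludes=com.google.collections` should confirm that google-collections does not come back through another path.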
-- 
2.34.1

acearth commented 10 months ago

Got the same warning message, hope you can solve it ASAP.

hazendaz commented 10 months ago

It's more complicated than expected. Maven also has this same problem on many of their own plugins still. It's a warning for now and nothing to be overtly concerned about yet. It will only matter when Maven 4.0 lands, which I sort of doubt is this year. The warnings themselves will go away by default with Maven 3.9.3 (at least current plan) so that users are not being hit with warnings they cannot do anything about. I think for the most part all the various plugins getting these issues already got notified.

If anyone wants to try to tackle this and raise a PR, great! If not, it may be a while, as I don't have the time right now: I'm also restoring long-dead plugins that are still in use to work with Maven 4, as well as other project work, and this isn't that critical.

hazendaz commented 10 months ago

@basil If you think that works, please raise a PR to confirm. I doubt that will resolve the issue though, given that physical code actually has to change, and that seems to be trying to rig it if the code doesn't matter. There is deprecated code in this from a Maven standpoint that actually has to change. You may possibly get slightly newer items in use that way, but still... needs coding.

basil commented 10 months ago

I tested the suggested patch, and I know that it works. Sorry, but I am not interested in submitting a pull request.

hazendaz commented 10 months ago

@basil The suggested fix only allowed the same library to be used. I've entirely removed it. I had nothing direct on it, and after reviewing Maven internals, it appears to all have come from the logging API; the logging API doesn't appear to use it at all, and the parts of doxia that do appear to inject it to get a logger during tests. All integration tests without it seem to have no issues. I've also built an additional GitHub Actions workflow to run Maven 4. I have not merged this up yet but will shortly, and will close after done.

My other reference to deprecated items that need to be replaced, while accurate, is from a separate problem. I've further cleaned up exclusions and fixed a number of CVEs, since spotbugs has yet to release for some time. As long as all my builds go OK, I will also shortly be releasing this as it is for now. For the most part, if doxia really needs that portion of code, version 4 would not, and it's possible more of this needs to be in a provided-based scope, but I did so much here I think it's worth getting out and seeing how this goes.

hazendaz commented 10 months ago

Resolved, closing.