4 changes: 4 additions & 0 deletions maven/lib/dependabot/maven/file_parser.rb
@@ -40,6 +40,9 @@ class FileParser < Dependabot::FileParsers::Base
PLUGIN_ARTIFACT_ITEMS_SELECTOR = "plugins > plugin > executions > execution > " \
"configuration > artifactItems > artifactItem"

# Packages that are virtual/IDE-only and do not exist in any Maven repository.
VIRTUAL_PACKAGES = T.let(["org.eclipse.m2e:lifecycle-mapping"].freeze, T::Array[String])

# Regex to get the property name from a declaration that uses a property
PROPERTY_REGEX = /\$\{(?<property>.*?)\}/

@@ -223,6 +226,7 @@ def dependency_from_dependency_node(pom, dependency_node, plugin_names)
def dependency_from_plugin_node(pom, dependency_node)
return unless (name = plugin_name(dependency_node, pom))
return if internal_dependency_names.include?(name)
return if VIRTUAL_PACKAGES.include?(name)

build_dependency(pom, dependency_node, name, is_plugin: true)
end
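Review bot: The new `return if VIRTUAL_PACKAGES.include?(name)` guard in `dependency_from_plugin_node` drops the plugin silently, so any coordinate that ends up in `VIRTUAL_PACKAGES` is no longer parsed and would presumably stop receiving version and security update proposals, with nothing in the logs to explain why. The constant's comment should state that consequence, e.g. `# Entries are never parsed, so they get no updates; list only coordinates confirmed to be unpublished.`, and a debug line ahead of the return such as `Dependabot.logger.debug("Skipping virtual plugin #{name}")` would make the omission visible. The guard covers only the plugin path; `dependency_from_dependency_node`, whose body is outside this hunk, may need the same check if the coordinate can also be declared there.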
15 changes: 15 additions & 0 deletions maven/spec/dependabot/maven/file_parser_spec.rb
@@ -393,6 +393,21 @@
end
end

context "when the pom includes org.eclipse.m2e:lifecycle-mapping" do
let(:pom_body) { fixture("poms", "lifecycle_mapping_pom.xml") }

it "skips org.eclipse.m2e:lifecycle-mapping" do
expect(dependencies.map(&:name)).not_to include("org.eclipse.m2e:lifecycle-mapping")
end

it "still includes other plugins" do
expect(dependencies.map(&:name))
.to include("org.apache.maven.plugins:maven-compiler-plugin")
end

its(:length) { is_expected.to eq(1) }
end

context "when dealing with versions defined by a property" do
let(:pom_body) { fixture("poms", "property_pom.xml") }

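Review bot: Nothing in the new `lifecycle-mapping` context pins that the skip matches the full `groupId:artifactId`, so a later loosening of the match (by artifactId only, say) could hide a real plugin from updates without any spec failing. Adding a third plugin to the fixture under a constructed coordinate such as `com.example:lifecycle-mapping` and asserting `expect(dependencies.map(&:name)).to include("com.example:lifecycle-mapping")` would cover it, with `its(:length)` raised to 2. The trailing `context "when dealing with versions defined by a property"` block continues outside the hunk.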
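--- a/maven/spec/fixtures/poms/lifecycle_mapping_pom.xml
+++ b/maven/spec/fixtures/poms/lifecycle_mapping_pom.xml
@@ -0,0 +1,29 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<modelVersion>4.0.0</modelVersion>
+
+<groupId>com.dependabot</groupId>
+<artifactId>lifecycle-mapping-test</artifactId>
+<version>0.0.1</version>
+
+<packaging>pom</packaging>
+
+<build>
+<pluginManagement>
+<plugins>
+<!-- Virtual Eclipse IDE plugin -- not in any Maven repository -->
+<plugin>
+<groupId>org.eclipse.m2e</groupId>
+<artifactId>lifecycle-mapping</artifactId>
+<version>1.0.0</version>
+</plugin>
+<!-- Real plugin that should still be updated -->
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-compiler-plugin</artifactId>
+<version>3.11.0</version>
+</plugin>
+</plugins>
+</pluginManagement>
+</build>
+</project>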