[QFJ-992] quickfixj 2.1.1 has dependency convergence error for org.apache.maven:maven-artifact:3.5.0 Created: 06/Mar/20 Updated: 09/Mar/20 |
|
Status: | Open |
Project: | QuickFIX/J |
Component/s: | Engine |
Affects Version/s: | 2.1.1 |
Fix Version/s: | None |
Type: | Bug | Priority: | Default |
Reporter: | Andrew Peter Marlow | Assignee: | Unassigned |
Resolution: | Unresolved | Votes: | 0 |
Labels: | QuickfixJ |
Description |
the maven plugin enforcer shows that quickfixj has a dependency convergence error for org.apache.maven:maven-artifact:3.5.0. Here is the output: Dependency convergence error for org.apache.maven:maven-artifact:3.5.0 paths to dependency are: |
Comments |
Comment by Christoph John [ 06/Mar/20 ] |
Thanks for the report. Under which cicrumstances does this cause an issue? |
Comment by Andrew Peter Marlow [ 07/Mar/20 ] |
The maven enforcer plugin is being used to report on inconsistent component versions. By default the plugin treats all such inconsistencies as errors, so by default such inconsistencies would make the build fail. This behaviour is configurable so it is possible just to get a report of the issues without making the build fail. But I want such inconsistencies to be flagged as serious issues because some of these inconsistencies involve components that show up on Black Duck security scans. The software I am working on is subject to a corporate decree that the software gets through Black Duck without raising any flags. This job is made harder when the number of flags raised is larger due to the same component appearing multiple times at different versions due to these dependency convergence errors. My aim is to report any such dependency convergence errors that I find via enforcer. If they are then all fixed (there are only a few) then we could set the flag such that any such errors are fatal, so as to detect any regressions as soon as they occur. Without such fixes I will have to write a script that processes the enforcer output and checks any issues against a list of exceptions. This quickfixj issue would have to be such as exception. It just makes ultimate the job of dealing with Black Duck scans harder. |
Comment by Christoph John [ 09/Mar/20 ] |
Understood. If you would like you could also open a pull request on the quickfixj project on github. https://github.com/quickfix-j/quickfixj |