[Bug 514270] Include the Maven Coordinates (when applicable) for third-party libraries
| Field | Value |
| --- | --- |
| Bugzilla Link | 514270 |
| Status | NEW |
| Importance | P3 normal |
| Reported | Mar 27, 2017 13:13 EDT |
| Modified | Aug 07, 2020 14:31 EDT |
| Depends on | 534722 |
Description
The way that we specify the name of a third party library varies greatly from CQ to CQ. In some cases, the CQ summary is the package name, sometimes it is the last segment of the package name, sometimes it is the human-readable name, sometimes it's a combination (it depends on how the committer enters the information, which is oftentimes based on precedents that have been established by other committers). This makes searches challenging.
I propose that we consider associating Maven identifiers ("::") with CQs where appropriate.
e.g.
org.apache.httpcomponents:httpcomponents-client:4.5.3
org.apache.commons:commons-compress:1.13
Note that this format could be useful in automated dependency scans. e.g. Maven generates compatible output:
$ mvn dependency:list
...
[INFO] The following files have been resolved:
[INFO] net.jcip:jcip-annotations:jar:1.0:compile
[INFO] org.eclipse.collections:eclipse-collections-testutils:jar:8.1.0-RC:compile
[INFO] org.eclipse.collections:unit-tests:jar:8.1.0-RC:test
[INFO] org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] org.eclipse.collections:eclipse-collections-api:jar:8.1.0-RC:compile
[INFO] org.eclipse.collections:unit-tests-java8:jar:8.1.0-RC:test
[INFO] commons-codec:commons-codec:jar:1.10:compile
[INFO] junit:junit:jar:4.12:test
[INFO] org.eclipse.collections:eclipse-collections:jar:8.1.0-RC:compile
...
The last segment above is, I believe, the Maven goal that requires the dependency (which at least theoretically allows us to distinguish between project "compile" dependencies and those required only for testing).
We should investigate how appropriate it would be to use Maven Identifiers for non-Java (e.g. JavaScript) resources.
We can't really use the summary to capture this information. Libraries are the level of granularity for CQs, and a library may render as multiple JAR files. Rather, we need to find some other means of specifying zero or more Maven identifiers with a single CQ. Denis suggested that we might be able to leverage the "see also" functionality for this.
Ideally, we should update the search feature for creating CQs to consider Maven identifiers.
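As an added illustration of the proposal above (not part of the bug report or of any Eclipse tooling), the script below parses `mvn dependency:list` output into the `groupId:artifactId:version` form suggested for CQs and groups the coordinates by the trailing scope segment, so test-only dependencies can be separated from those shipped with the project. The sample output is constructed for this example; the handling of a classifier field and of a trailing `-- module ...` suffix are assumptions about the plugin's output format.

```python
import re
from collections import defaultdict

# Constructed sample of `mvn dependency:list` output for this example. The lines
# mirror the bug report's, plus a classifier case and the "none" Maven prints
# for a module with no dependencies.
SAMPLE_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.1.1:list (default-cli) @ demo ---
[INFO] The following files have been resolved:
[INFO]    net.jcip:jcip-annotations:jar:1.0:compile
[INFO]    org.eclipse.collections:eclipse-collections:jar:8.1.0-RC:compile
[INFO]    org.hamcrest:hamcrest-core:jar:1.3:test
[INFO]    commons-codec:commons-codec:jar:1.10:compile
[INFO]    junit:junit:jar:4.12:test
[INFO]    org.example:fixtures:jar:tests:2.0:test
[INFO]    none
"""

# One dependency line: groupId:artifactId:type[:classifier]:version:scope.
# Newer plugin versions may append " -- module ..." JPMS info (assumed); it is ignored.
DEP_RE = re.compile(
    r"^\[INFO\]\s+(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<type>[^:\s]+)"
    r"(?::(?P<classifier>[^:\s]+))?:(?P<version>[^:\s]+):(?P<scope>[^:\s]+)"
    r"(?:\s+--.*)?$"
)


def parse_dependency_list(text):
    """Return one dict per resolved dependency; header and 'none' lines are skipped."""
    return [m.groupdict() for m in map(DEP_RE.match, text.splitlines()) if m]


def coordinate(dep):
    """groupId:artifactId:version, the form proposed for CQ search. Type and
    classifier are dropped: a CQ covers the library, not each JAR it ships as."""
    return f"{dep['group']}:{dep['artifact']}:{dep['version']}"


def by_scope(deps):
    """Group coordinates by Maven scope, so dependencies shipped with the project
    ('compile', 'runtime') can be separated from those used only in tests."""
    grouped = defaultdict(set)
    for dep in deps:
        grouped[dep["scope"]].add(coordinate(dep))
    return {scope: sorted(coords) for scope, coords in grouped.items()}


if __name__ == "__main__":
    for scope, coords in sorted(by_scope(parse_dependency_list(SAMPLE_OUTPUT)).items()):
        print(scope, *coords, sep="\n  ")
```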