Re: [orbit-dev] ClearlyDefined Now Supported

I believe that this could work.

For anybody else who might be listening... transitive dependencies are generally considered to be prerequisite dependencies and so must be taken through the due diligence process as described in the handbook. That we are (likely) able to exclude them in this case is a specific quirk of the Eclipse Orbit project's nature.

Wayne

On Wed, Aug 19, 2020 at 12:55 PM Roland Grunberg <rgrunber@xxxxxxxxxx> wrote:
On Wed, 2020-08-19 at 12:28 -0400, Wayne Beaton wrote:
> > I think I just need to find a way to exclude such false positives.
>
> I experimented with using diff and an exclude file with some success.
> You may also be able to do something filtering on Maven scope (i.e.
> put false positives into the provided or test scope).
>
> It's also worth noting that you may not *need* to do anything. The
> tool is intended to help with the process of identifying content that
> needs IP review. If you can explain away a hit, then you may be done.
>
> Wayne

Yeah, an exclusion file for special cases is possible.

It turns out mvn dependency:list -DexcludeTransitive also gets us
closer. ebr-maven-plugin only bundles artifacts explicitly stated in
the module's dependencies tag so if it isn't there, it's safe to
ignore.

This takes us down to about 13 artifacts to look through.

--
Roland Grunberg



--

Wayne Beaton

Director of Open Source Projects | Eclipse Foundation, Inc.

Join us at our virtual event: EclipseCon 2020 - October 20-22
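
Added example, not part of the original messages and not Eclipse Orbit or ebr-maven-plugin code: one way to combine the two filters discussed in this thread, the direct-dependency listing from mvn dependency:list -DexcludeTransitive and an exclusion file for hits that have been explained away. The coordinates, the exclusion-file format and the function names are constructed for illustration; dropping the provided and test scopes assumes false positives were moved there as suggested above.

```shell
#!/bin/sh
# Added example. All sample data is constructed, not taken from the Orbit build.

# Constructed `mvn dependency:list -DexcludeTransitive` output.
sample_dependency_list() {
cat <<'EOF'
[INFO] The following files have been resolved:
[INFO]    org.example:alpha-lib:jar:1.2.3:compile
[INFO]    org.example:beta-lib:jar:4.5.6:provided
[INFO]    org.example:gamma-test:jar:0.9:test
[INFO]    org.example:delta-lib:jar:sources:2.0:compile
[INFO]    org.example:epsilon-lib:jar:3.1:compile
[INFO]
EOF
}

# Constructed exclusion file: one coordinate per line, '#' comments allowed.
sample_exclusions() {
cat <<'EOF'
# explained away during review (hypothetical entry)

org.example:epsilon-lib:jar:3.1
EOF
}

# review_candidates LIST_FILE EXCLUDE_FILE
# Prints group:artifact:type[:classifier]:version for each direct dependency
# that still needs a look.
review_candidates() {
    awk '
        FILENAME == ARGV[1] {              # first file: load the exclusion list
            sub(/#.*/, ""); gsub(/[ \t\r]+/, "")
            if ($0 != "") excluded[$0] = 1 # a blank line must never match anything
            next
        }
        $1 == "[INFO]" {                   # second file: dependency:list output
            n = split($2, part, ":")
            if (n < 5) next                # header or blank line, not a coordinate
            scope = part[n]
            if (scope == "provided" || scope == "test") next
            coord = part[1]
            for (i = 2; i < n; i++) coord = coord ":" part[i]
            if (!(coord in excluded) && !seen[coord]++) print coord
        }' "$2" "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    sample_dependency_list > "$tmp/deps.txt"
    sample_exclusions > "$tmp/exclude.txt"
    review_candidates "$tmp/deps.txt" "$tmp/exclude.txt"
    rm -rf "$tmp"
}
demo
```

Exclusions match the whole coordinate including the version, so a version bump brings the artifact back into the list for another look.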

