-
-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incomplete manifest generated in case of intermediate issues in resolving artifacts #583
Comments
being tolerant or strict, a common question: yes, perhaps we could add such a flag I'd be interested to learn more about why this edge case happened to you: can you share (eventually in private) more details? |
Sure, we had an intermediate problem with our setup a after on of our Maven repositories moved to an updated domain name which resulted in requests not being successful for some period of time, until we fixed the config. |
does it mean we should close this issue as "invalid"? |
I would say: definitely not. Having an incomplete manifest is not a solution. Generated manifest is not valid and never should be offered as a full manifest of a given project. It contains just a fraction of components. The warning makes it very hard to understand whether the generation was valid or in fact the output is broken. We are very strict about our manifests. These are full or simply broken and need intervention. |
ok, ok |
We do execute it from the command line. What you see in the logs is a wrapper around the |
We observed an issue with one of our generations recently which resulted in an incomplete manifest. Generated manifest had 63 components, but we expected 378. The only thing we found in the logs was this:
This points us to this:
cyclonedx-maven-plugin/src/main/java/org/cyclonedx/maven/DefaultProjectDependenciesConverter.java
Lines 98 to 102 in db2a35b
This was introduced as part of #55 in this commit 0666338 by @stevespringett.
For the record, here is a complete run:
I think this is a wrong approach. If we cannot build the dependency graph, we should not attempt to generate a partial manifest silently. If there is really a use case for it, it should be at least exposed via flag, but I still think continuing with manifest generation should be disabled by default.
The text was updated successfully, but these errors were encountered: