Validate dependencies of build plug-ins #54

Closed
cobratbq opened this issue Dec 10, 2019 · 1 comment

cobratbq commented Dec 10, 2019

One significant missing aspect is that dependencies of build plug-ins are not yet validated.

The difficulty is that these dependencies are not resolved in the dependency resolution, or the resolved versions are not exposed through the API. It's not exactly clear. Hence, in case of version range specifications, we don't know which exact version we need to verify.

Solutions:

  • Download and validate all versions that satisfy the version range specification. Version ranges are not allowed for build plug-ins. Therefore, this will never be an option and we can simply acquire the dependencies from the obvious locations in the Maven API.
  • Simply access plug-in dependencies, resolve and validate.

@cobratbq I intend to look into this soon.

@cobratbq

I'm closing this issue: direct dependencies are now validated. Indirect dependencies are tackled as part of #59, but that issue is broader.

@slawekjaranowski slawekjaranowski added this to the v1.6.0 milestone Jan 14, 2020
pzygielo pushed a commit to pzygielo/pgpverify-maven-plugin that referenced this issue May 31, 2024
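
An added example, not part of the issue thread or the plug-in's own code: it enumerates the direct dependencies declared under build plug-ins in a POM and marks which ones name a single exact version that a signature check could target. The sample POM, its coordinates, the function names and the syntactic range test are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
DEFAULT_PLUGIN_GROUP = "org.apache.maven.plugins"  # Maven's default when <groupId> is omitted

# Constructed sample POM for this example; all coordinates are made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins>
    <plugin>
      <artifactId>example-lint-plugin</artifactId><version>3.1.0</version>
      <dependencies>
        <dependency><groupId>com.example</groupId><artifactId>lint-engine</artifactId><version>8.27</version></dependency>
        <dependency><groupId>com.example</groupId><artifactId>lint-rules</artifactId><version>[1.0,2.0)</version></dependency>
      </dependencies>
    </plugin>
    <plugin>
      <groupId>com.example</groupId><artifactId>no-deps-plugin</artifactId><version>1.2</version>
    </plugin>
  </plugins></build>
</project>"""


def text(node, tag, default=None):
    """Return the stripped text of a direct child element, or default."""
    child = node.find(f"m:{tag}", NS)
    value = (child.text or "").strip() if child is not None else ""
    return value or default


def is_range(spec):
    """Syntactic test (assumption of this example): bracketed or comma specs need resolution."""
    return spec is not None and (spec[0] in "[(" or "," in spec)


def plugin_dependencies(pom_xml):
    """List direct dependencies declared under build/plugins/plugin/dependencies."""
    root = ET.fromstring(pom_xml)
    found = []
    for plugin in root.findall("m:build/m:plugins/m:plugin", NS):
        owner = f"{text(plugin, 'groupId', DEFAULT_PLUGIN_GROUP)}:{text(plugin, 'artifactId')}"
        for dep in plugin.findall("m:dependencies/m:dependency", NS):
            version = text(dep, "version")
            found.append({
                "plugin": owner,
                "gav": f"{text(dep, 'groupId')}:{text(dep, 'artifactId')}:{version}",
                # Only an exact version names one artifact whose signature can be checked.
                "verifiable": version is not None and not is_range(version),
            })
    return found
```

For POM files from untrusted sources, parse with a hardened XML parser such as defusedxml rather than the standard library parser.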