Is your feature request related to a problem? Please describe.
This is a new type of Java lockfile (think: requirements.txt produced by something like pip-compile).
Describe the solution you'd like
It would be nice if DependencyCheck supported it. Since all dependencies are fully transitively resolved,
I believe that all that needs to be done is creating a virtual dependency corresponding to each dependency.
Describe alternatives you've considered
I thought about:
- producing a bundle jar, and scanning that. Seems heavyweight and relies on the bundling process not to lose any versions.
- auto-generating another manifest (pom.xml?). If DependencyCheck supports scanning a pom.xml in isolation, great. But if not, we recurse. Either way, seems simpler to support this format.
Additional context
For more info, see: https://github.com/bazelbuild/rules_jvm_external/#pinning-artifacts-and-integration-with-bazels-downloader
Note: This is not a niche homegrown thing, but a standard used in increasingly many projects. GitHub search of a sentinel used in the pinned file finds 175 repos at the time of writing: https://github.com/search?q=THERE_IS_NO_DATA_ONLY_ZUUL&type=code
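As an added example (not code from this issue, nor from DependencyCheck or rules_jvm_external), the per-entry mapping the request describes: read the lockfile, turn every resolved coordinate into a group/artifact/version triple plus package URL that a scanner can match, and carry the pinned hash along so entries without one can be reported. The dependency_tree / coord / sha256 layout and the coordinate forms are assumptions about maven_install.json, and the sample lockfile is constructed.

```python
import json
from typing import Dict, List, Tuple
# Constructed sample shaped like a rules_jvm_external maven_install.json
# (dependency_tree.dependencies[] with coord / sha256). The field layout is an
# assumption for this example, not text from the issue; hashes are placeholders.
SAMPLE_LOCKFILE = json.dumps({
    "dependency_tree": {
        "dependencies": [
            {"coord": "com.google.guava:guava:28.0-jre", "sha256": "a" * 64,
             "dependencies": ["com.google.guava:failureaccess:1.0.1"]},
            {"coord": "com.google.guava:failureaccess:1.0.1", "sha256": "b" * 64,
             "dependencies": []},
            # packaging + classifier form, and no pinned hash (a scanner should flag it)
            {"coord": "org.openjfx:javafx-base:jar:win:11", "sha256": None,
             "dependencies": []},
        ],
    }
})


def parse_coord(coord: str) -> Tuple[str, str, str]:
    """Split a Maven coordinate into (group, artifact, version).

    Lockfile coordinates are group:artifact:version, group:artifact:packaging:version
    or group:artifact:packaging:classifier:version; the version is always last.
    """
    parts = coord.split(":")
    if not 3 <= len(parts) <= 5 or not all(parts):
        raise ValueError(f"unsupported Maven coordinate: {coord!r}")
    return parts[0], parts[1], parts[-1]


def virtual_dependencies(lockfile_text: str) -> List[Dict[str, str]]:
    """One virtual-dependency record per resolved artifact.

    The lockfile is fully transitively resolved, so each entry maps straight to a
    GAV triple plus its package URL (what a scanner matches against vulnerability
    data). Classifier variants collapse onto one GAV; a missing sha256 becomes "".
    """
    tree = json.loads(lockfile_text)["dependency_tree"]
    records: List[Dict[str, str]] = []
    seen = set()
    for entry in tree["dependencies"]:
        group, artifact, version = parse_coord(entry["coord"])
        purl = f"pkg:maven/{group}/{artifact}@{version}"
        if purl in seen:
            continue
        seen.add(purl)
        records.append({"group": group, "artifact": artifact, "version": version,
                        "purl": purl, "pinned_sha256": entry.get("sha256") or ""})
    return records
```

Each record is the minimum a scanner needs to build a virtual dependency for the artifact; an empty pinned_sha256 marks an entry whose integrity is not pinned by the lockfile.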