Tamas,

Thanks for your idea. If I wanted to resolve from reading a pom file from
scratch, where would you point me (thinking MavenXpp3Reader and friends,
perhaps)?

--
-- Aldrin Leal, <ald...@leal.eng.br> / https://aldrinleal.link


On Fri, Dec 16, 2022 at 4:17 PM Tamás Cservenák <ta...@cservenak.net> wrote:

> You can write a simple app, using resolver. There are demos that perform
> fully functional things, for example
>
>
> https://github.com/apache/maven-resolver/blob/master/maven-resolver-demos/maven-resolver-demo-snippets/src/main/java/org/apache/maven/resolver/examples/GetDependencyTree.java
>
> Hth
> T
>
> On Fri, Dec 16, 2022, 22:12 Aldrin Leal <ald...@leal.eng.br> wrote:
>
> > Thanks Michael, indeed this can be better worded. What about:
> >
> > How to programmatically list a POM's dependencies (incl. transitive) without
> > the risk of running untrusted/unauthorized code?
> >
> > --
> > -- Aldrin Leal, <ald...@leal.eng.br> / https://aldrinleal.link
> >
> >
> > On Fri, Dec 16, 2022 at 3:55 PM Michael Osipov <micha...@apache.org>
> > wrote:
> >
> > > On 2022-12-16 at 18:02, Aldrin Leal wrote:
> > > > Hello,
> > > >
> > > > Just a question I'd like to confirm with you guys: How "safe" is it to
> > > > run `dependency:tree` on a given arbitrary pom?
> > > >
> > > > I mean, what's the likelihood of that pom.xml triggering some "unsafe"
> > > > code?
> > > >
> > > > And how would you do this (listing all the required runtime jar files
> > > > for a given project) in the most secure way if you were given this task?
> > >
> > > Safety and security are two different things. What are you striving
> > > for?
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > > For additional commands, e-mail: dev-h...@maven.apache.org
> > >
> > >
> >
>
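As an added illustration of the MavenXpp3Reader route Aldrin asks about (this is example code written for this thread, not code from the Maven project or from any of the participants), the following reads a pom.xml purely as data with maven-model. It assumes org.apache.maven:maven-model (and its plexus-utils dependency) on the classpath; the class name PomAudit, the Coordinate record and the audit method are names chosen here. The point it demonstrates is the split the thread is circling: parsing the model executes nothing declared in the POM (no plugins, no build extensions, no network access), whereas running Maven inside an untrusted project directory loads the build extensions the POM declares before any goal runs. The trade-off is that a parse-only pass gives you only what is literally written: no parent inheritance, no ${property} interpolation, no dependencyManagement imports and no transitive closure, which is exactly why Tamás points at the resolver demo for the full tree.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

import org.apache.maven.model.Build;
import org.apache.maven.model.Dependency;
import org.apache.maven.model.Extension;
import org.apache.maven.model.Model;
import org.apache.maven.model.Plugin;
import org.apache.maven.model.io.xpp3.MavenXpp3Reader;
import org.codehaus.plexus.util.xml.pull.XmlPullParserException;

/**
 * Example (not Maven project code): read a pom.xml as plain data with maven-model
 * and report what it declares. Nothing from the POM is executed here.
 *
 * Limitations of a parse-only pass: no parent inheritance, no ${property}
 * interpolation, no dependencyManagement import resolution and no transitive
 * closure. For the full tree use the resolver (GetDependencyTree in
 * maven-resolver-demos), which still executes no plugins but does fetch POMs
 * and artifacts from the configured repositories.
 */
public class PomAudit {

    /** One declared coordinate; "kind" says what the POM uses it for. */
    public record Coordinate(String kind, String groupId, String artifactId,
                             String version, String scope) {
        @Override
        public String toString() {
            return kind + " " + groupId + ":" + artifactId + ":"
                    + (version == null ? "<unset or managed>" : version)
                    + (scope == null ? "" : " (" + scope + ")");
        }
    }

    /** Parses the file into a Model. This is XML parsing only. */
    public static Model readModel(Path pom) throws IOException, XmlPullParserException {
        try (Reader in = Files.newBufferedReader(pom, StandardCharsets.UTF_8)) {
            return new MavenXpp3Reader().read(in);
        }
    }

    /** Lists declared dependencies, plugins and build extensions, unresolved. */
    public static List<Coordinate> audit(Model model) {
        List<Coordinate> out = new ArrayList<>();
        for (Dependency d : model.getDependencies()) {
            out.add(new Coordinate("dependency", d.getGroupId(), d.getArtifactId(),
                    d.getVersion(), d.getScope()));
        }
        Build build = model.getBuild();
        if (build != null) {
            // Plugins run only when a build invokes them; extensions are loaded
            // into Maven core as soon as Maven reads this project, so they are
            // the entries to look at first when the POM is untrusted.
            for (Plugin p : build.getPlugins()) {
                out.add(new Coordinate("plugin", p.getGroupId(), p.getArtifactId(),
                        p.getVersion(), null));
            }
            for (Extension e : build.getExtensions()) {
                out.add(new Coordinate("EXTENSION", e.getGroupId(), e.getArtifactId(),
                        e.getVersion(), null));
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Path pom = Path.of(args.length > 0 ? args[0] : "pom.xml");
        Model model = readModel(pom);
        // groupId/version may be null here when the POM inherits them from a parent.
        System.out.println("Project: " + model.getGroupId() + ":"
                + model.getArtifactId() + ":" + model.getVersion());
        if (model.getParent() != null) {
            System.out.println("Parent (not resolved here): "
                    + model.getParent().getGroupId() + ":"
                    + model.getParent().getArtifactId() + ":"
                    + model.getParent().getVersion());
        }
        for (Coordinate c : audit(model)) {
            System.out.println("  " + c);
        }
    }
}
```

Run it as `java PomAudit path/to/pom.xml` with maven-model on the classpath. If you then move to the resolver for the transitive list, keep the two concerns separate as above: the resolver is configured by your own code (which repositories, which local repository, offline or not), not by anything the untrusted POM says, and no plugin or extension from that POM is ever loaded.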
