Hello,
While looking at differences in generated CycloneDX SBOMs[1] I
stumbled upon an incoherence in the way Maven builds models of a
project's dependencies.
On one hand the properties defined in a project have no effect on the
effective models of dependencies. For example in:
  <properties>
    <log4j2.version>3.0.0-beta1</log4j2.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>3.2.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
the `log4j2.version` property will have no effect on the resolved
effective model of `spring-boot-dependencies`, even if the POM also
uses a `log4j2.version` variable[2].
On the other hand profiles change the effective model of a dependency.
E.g. using:
  <dependencies>
    <dependency>
      <groupId>commons-pool</groupId>
      <artifactId>commons-pool</artifactId>
      <version>1.5.4</version>
    </dependency>
  </dependencies>
the effective model of `commons-pool` will have a different
`<distributionManagement>` element if I run the project with
`-Prelease` or without it.
Is this an intentional choice or is it a bug? I suppose that profiles
might influence the other artifacts in a Maven reactor, but I am not
sure external dependencies should be influenced as well.
Piotr
[1] https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/432
[2] https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-dependencies/3.2.0/
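A simplified emulation of the first behaviour described in the post (an added example, not Maven's own model builder): a BOM imported through `dependencyManagement` is interpolated with its own properties, so the importing project's `log4j2.version` never reaches it, while a `${log4j2.version}` written in the project's own `dependencyManagement` does pick up the override. The two POM strings, the `org.example:example-bom` coordinates and the `REPOSITORY` lookup are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed importing project: overrides log4j2.version and imports a BOM.
PROJECT_POM = """<project>
  <properties><log4j2.version>3.0.0-beta1</log4j2.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.example</groupId><artifactId>example-bom</artifactId>
      <version>1.0</version><type>pom</type><scope>import</scope></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId></dependency>
  </dependencies>
</project>"""

# Constructed stand-in for an imported BOM such as spring-boot-dependencies:
# it declares its own log4j2.version and uses it in a managed version.
BOM_POM = """<project>
  <properties><log4j2.version>2.21.1</log4j2.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
      <version>${log4j2.version}</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

REPOSITORY = {("org.example", "example-bom", "1.0"): BOM_POM}  # hypothetical local repo

def interpolate(value, props):
    # Replace ${name} with the property value; unknown names are left as-is.
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value or "")

def managed_versions(pom_xml):
    """{(groupId, artifactId): version} from dependencyManagement. An imported BOM
    is interpolated with *its own* properties, so the importer's override is ignored."""
    root = ET.fromstring(pom_xml)
    props = {p.tag: p.text for p in root.findall("./properties/*")}
    managed = {}
    for dep in root.findall("./dependencyManagement/dependencies/dependency"):
        ga = (dep.findtext("groupId"), dep.findtext("artifactId"))
        version = interpolate(dep.findtext("version"), props)
        if dep.findtext("scope") == "import" and dep.findtext("type") == "pom":
            for key, v in managed_versions(REPOSITORY[ga + (version,)]).items():
                managed.setdefault(key, v)  # an explicit entry beats an imported one
        else:
            managed[ga] = version
    return managed

def resolved_versions(pom_xml):
    # Version each declared dependency ends up with after dependency management.
    managed = managed_versions(pom_xml)
    root = ET.fromstring(pom_xml)
    return {(d.findtext("groupId"), d.findtext("artifactId")):
            d.findtext("version") or managed.get((d.findtext("groupId"), d.findtext("artifactId")))
            for d in root.findall("./dependencies/dependency")}
```

Running `resolved_versions(PROJECT_POM)` yields log4j-core at the BOM's 2.21.1, not the project's 3.0.0-beta1, which is what an SBOM generated from the effective model will report.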