What do the colors mean in the spreadsheet?

I have updated the spreadsheet, but green means it depends on the free version 
and red means a direct dependency on the non-free version.

With regards to the analysis, I'm not confident in my understanding of the 
specific details of the analysis.  Maybe you can help me understand more 
clearly.

I maintain the elastic axis plugin and it is on the list as having a transitive 
dependency on an older version of the json library.  The elastic axis plugin 
depends on the matrix project plugin.  The matrix project plugin depends on the 
junit plugin.  The junit plugin depends on the jackson2 api plugin.  The 
jackson2 api plugin bundles the jackson2 api jar file and the json-20230227.jar 
inside its hpi file.  I think that would cause jackson2 api calls to use the 
json-20230227.jar that is bundled in the hpi file.

However, the analysis indicates that there is a dependency on json-20190722.  
Is the analysis not detecting that the jackson2 api plugin already includes a 
newer version of the json library?  Am I misunderstanding how libraries are 
resolved?

I only looked into the tree provided by Maven, with the dependency plugin, 
taking the pom.xml file embedded in the hpi file.

I know that at runtime Jenkins may use updated versions, but that would 
complicate the analysis for me.

So, for the elastic-axis:

wget --quiet https://updates.jenkins.io/download/plugins/elastic-axis/464.va_7ed499b_9d75/elastic-axis.hpi
unzip -q elastic-axis.hpi -d elastic-axis
/opt/maven/apache-maven-3.8.4/bin/mvn \
  -s /tmp/tmp.VLcrje6TDb/settings.xml \
  -f elastic-axis/META-INF/maven/org.jenkins-ci.plugins/elastic-axis/pom.xml \
  --quiet \
  org.apache.maven.plugins:maven-dependency-plugin:3.6.0:tree \
  -Dincludes=org.json \
  -DoutputFile=tree.txt
cat elastic-axis/META-INF/maven/org.jenkins-ci.plugins/elastic-axis/tree.txt
org.jenkins-ci.plugins:elastic-axis:hpi:464.va_7ed499b_9d75
\- org.jenkins-ci.plugins:matrix-project:jar:789.v57a_725b_63c79:compile
   \- org.jenkins-ci.plugins:junit:jar:1189.v1b_e593637fa_e:compile
      \- org.jenkins-ci.plugins:jackson2-api:jar:2.14.2-319.v37853346a_229:compile
         \- com.fasterxml.jackson.datatype:jackson-datatype-json-org:jar:2.14.2:compile
            \- org.json:json:jar:20190722:compile

Filipe Roque
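
An added example, not part of the original message or of any Jenkins tooling: it parses the `dependency:tree` output shown above and compares the declared `org.json:json` version with the jars actually shipped under `WEB-INF/lib` of an `.hpi`. The function names are hypothetical and the `.hpi` is built in memory from placeholder jars; the name `json-20230227.jar` is taken from the quoted question, and Jenkins runtime class loading is not modelled.

```python
import io
import re
import zipfile

# Dependency tree as printed in the message above.
TREE = r"""org.jenkins-ci.plugins:elastic-axis:hpi:464.va_7ed499b_9d75
\- org.jenkins-ci.plugins:matrix-project:jar:789.v57a_725b_63c79:compile
   \- org.jenkins-ci.plugins:junit:jar:1189.v1b_e593637fa_e:compile
      \- org.jenkins-ci.plugins:jackson2-api:jar:2.14.2-319.v37853346a_229:compile
         \- com.fasterxml.jackson.datatype:jackson-datatype-json-org:jar:2.14.2:compile
            \- org.json:json:jar:20190722:compile
"""

def declared_versions(tree_text, group, artifact):
    """Map each declared version of group:artifact to its path from the root."""
    found, path = {}, []
    for line in tree_text.splitlines():
        m = re.match(r"((?:[|+\\ ][- ] )*)(\S+)$", line)
        if not m or m.group(2).count(":") < 3:
            continue
        fields = m.group(2).split(":")
        # Root is g:a:type:version; dependencies end in version:scope.
        version = fields[3] if len(fields) == 4 else fields[-2]
        del path[len(m.group(1)) // 3:]  # three characters of indent per level
        path.append(fields[1])
        if fields[:2] == [group, artifact]:
            found[version] = list(path)
    return found

def bundled_versions(hpi_bytes, artifact):
    """Versions of <artifact>-<version>.jar under WEB-INF/lib of an .hpi."""
    pat = re.compile(r"WEB-INF/lib/" + re.escape(artifact) + r"-(\d[^/]*)\.jar$")
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as z:
        return {m.group(1) for n in z.namelist() if (m := pat.match(n))}

def sample_hpi(jar_names):
    """Constructed in-memory .hpi with empty placeholder jars (not a real plugin)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in jar_names:
            z.writestr("WEB-INF/lib/" + name, b"")
    return buf.getvalue()

def compare(tree_text, hpi_bytes, group="org.json", artifact="json"):
    """Report the pom-declared and the shipped versions side by side."""
    declared = declared_versions(tree_text, group, artifact)
    bundled = bundled_versions(hpi_bytes, artifact)
    return {"declared": declared, "bundled": bundled, "mismatch": set(declared) != bundled}
```

Anchoring the jar pattern on the artifact name keeps `jackson-datatype-json-org-2.14.2.jar` from being counted as a copy of `json`.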
