If you are obtaining the pom from the hpi, then as you have the hpi why not
just see what version, if any, is in the plugin (WEB-INF/lib/)?

Transitive or not, if the jar is provided by another plugin then it really
doesn't matter and, as you said, maven doesn't understand the Jenkins plugin
dependency chain.
Either the library is bundled in the plugin or we don't care, unless maven
shading is going on, but shading wouldn't show in a dependency tree either.

On Wed, 26 Jul 2023, 19:55 'Filipe Roque' via Jenkins Developers, <
jenkinsci-dev@googlegroups.com> wrote:

>
> What do the colors mean in the spreadsheet?
>
> I have updated the spreadsheet, but green means it depends on the free
> version and red means a direct dependency on the non-free version.
>
> With regards to the analysis, I'm not confident in my understanding of the
> specific details of the analysis.  Maybe you can help me understand more
> clearly.
>
> I maintain the elastic axis plugin and it is on the list as having a
> transitive dependency on an older version of the json library.  The elastic
> axis plugin depends on the matrix project plugin.  The matrix project
> plugin depends on the junit plugin.  The junit plugin depends on the
> jackson2 api plugin.  The jackson2 api plugin bundles the jackson2 api jar
> file and the json-20230227.jar inside its hpi file.  I think that would
> cause jackson2 api calls to use the json-20230227.jar that is bundled
> in the hpi file.
>
> However, the analysis indicates that there is a dependency on
> json-20190722.  Is the analysis not detecting that the jackson2 api plugin
> already includes a newer version of the json library?  Am I
> misunderstanding how libraries are resolved?
>
> I only looked into the tree provided by Maven, with the dependency plugin,
> taking the pom.xml file embedded in the hpi file.
>
> I know that at runtime Jenkins may use updated versions, but that would
> complicate the analysis for me.
>
> So, for the elastic-axis:
>
> wget --quiet https://updates.jenkins.io/download/plugins/elastic-axis/464.va_7ed499b_9d75/elastic-axis.hpi
> unzip -q elastic-axis.hpi -d elastic-axis
> /opt/maven/apache-maven-3.8.4/bin/mvn \
>   -s /tmp/tmp.VLcrje6TDb/settings.xml \
>   -f elastic-axis/META-INF/maven/org.jenkins-ci.plugins/elastic-axis/pom.xml \
>   --quiet \
>   org.apache.maven.plugins:maven-dependency-plugin:3.6.0:tree \
>   -Dincludes=org.json \
>   -DoutputFile=tree.txt
> cat elastic-axis/META-INF/maven/org.jenkins-ci.plugins/elastic-axis/tree.txt
> org.jenkins-ci.plugins:elastic-axis:hpi:464.va_7ed499b_9d75
> \- org.jenkins-ci.plugins:matrix-project:jar:789.v57a_725b_63c79:compile
>    \- org.jenkins-ci.plugins:junit:jar:1189.v1b_e593637fa_e:compile
>       \- org.jenkins-ci.plugins:jackson2-api:jar:2.14.2-319.v37853346a_229:compile
>          \- com.fasterxml.jackson.datatype:jackson-datatype-json-org:jar:2.14.2:compile
>             \- org.json:json:jar:20190722:compile
>
> Filipe Roque
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAPzq3pfMbEOFbzFe2hWeWEZUSkDkQaKFOLUEpd7gw70dKR7NQQ%40mail.gmail.com.
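The reply above makes the point that the embedded pom and a Maven dependency tree describe build-time resolution, while what ships is whatever sits in WEB-INF/lib/ of the hpi, and that Jenkins resolves other plugins through the Plugin-Dependencies manifest header rather than through Maven. The script below is an added example for this thread, not code from the Jenkins project or from either poster. It opens an hpi as a zip, lists the bundled jars with the coordinates Maven writes into each jar's pom.properties (falling back to the file name), and parses Plugin-Dependencies so the plugin chain can be walked the way Jenkins does it. The sample hpi and its jars are constructed in memory so the script runs offline; the "vendored-util" artifact in it is made up for illustration, and the plugin versions are copied from the tree in the quoted message.

```python
"""Look at what a Jenkins plugin (.hpi) actually bundles, instead of asking Maven.
Added example for this thread, not code from the Jenkins project. The .hpi built
by make_sample_hpi() is constructed in memory for illustration only."""
import io
import re
import zipfile

# Fallback when a jar carries no pom.properties: "<artifact>-<version>.jar"
JAR_NAME_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def read_manifest(zf):
    """Parse META-INF/MANIFEST.MF, joining the continuation lines (leading space)."""
    raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    logical = []
    for line in raw.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        elif line:
            logical.append(line)
    headers = {}
    for entry in logical:
        name, _, value = entry.partition(":")  # values may themselves contain ':'
        headers[name.strip()] = value.strip()
    return headers


def plugin_dependencies(hpi_bytes):
    """Plugin-level dependencies Jenkins resolves at runtime, from the
    Plugin-Dependencies header, as (short name, version, optional) tuples."""
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as zf:
        header = read_manifest(zf).get("Plugin-Dependencies", "")
    deps = []
    for item in filter(None, (s.strip() for s in header.split(","))):
        spec, *flags = item.split(";")
        name, _, version = spec.partition(":")
        optional = any(f.strip() == "resolution:=optional" for f in flags)
        deps.append((name, version, optional))
    return deps


def bundled_libraries(hpi_bytes):
    """Jars under WEB-INF/lib/ with groupId/artifactId/version taken from the
    META-INF/maven/<g>/<a>/pom.properties Maven writes into each jar, or from
    the file name when the jar has none (shaded or hand-built jars)."""
    libs = []
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            base = name.rsplit("/", 1)[1]
            group = artifact = version = None
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as jar:
                    for inner in jar.namelist():
                        if inner.startswith("META-INF/maven/") and inner.endswith("pom.properties"):
                            props = dict(
                                line.split("=", 1)
                                for line in jar.read(inner).decode("utf-8").splitlines()
                                if "=" in line and not line.startswith("#"))
                            group = props.get("groupId")
                            artifact = props.get("artifactId")
                            version = props.get("version")
                            break
            except zipfile.BadZipFile:
                pass  # not a readable zip: fall back to the file name below
            if artifact is None:
                m = JAR_NAME_RE.match(base)
                artifact, version = (m.group("artifact"), m.group("version")) if m else (base, None)
            libs.append({"file": base, "groupId": group, "artifactId": artifact, "version": version})
    return libs


def find_library(hpi_bytes, artifact_id):
    """Version of a bundled artifact, or None if the plugin does not ship it."""
    for lib in bundled_libraries(hpi_bytes):
        if lib["artifactId"] == artifact_id:
            return lib["version"]
    return None


def make_jar(entries):
    """Constructed jar (a zip) with the given {path: bytes} entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, data in entries.items():
            jar.writestr(path, data)
    return buf.getvalue()


def make_sample_hpi():
    """Constructed hpi: manifest with a wrapped Plugin-Dependencies header and two jars."""
    manifest = ("Manifest-Version: 1.0\r\n"
                "Short-Name: example-plugin\r\n"
                "Plugin-Dependencies: matrix-project:789.v57a_725b_63c79,junit:1189.v1b_e593\r\n"
                " 637fa_e,jackson2-api:2.14.2-319.v37853346a_229;resolution:=optional\r\n\r\n")
    json_jar = make_jar({"META-INF/maven/org.json/json/pom.properties":
                         "#generated\ngroupId=org.json\nartifactId=json\nversion=20230227\n"})
    vendored_jar = make_jar({"com/example/Util.class": b"\xca\xfe\xba\xbe"})  # no pom.properties
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("WEB-INF/lib/json-20230227.jar", json_jar)
        zf.writestr("WEB-INF/lib/vendored-util-1.2.3.jar", vendored_jar)
    return buf.getvalue()


if __name__ == "__main__":
    hpi = make_sample_hpi()
    print("plugin dependencies:", plugin_dependencies(hpi))
    print("bundled jars:", bundled_libraries(hpi))
    print("org.json version actually shipped:", find_library(hpi, "json"))
```

To apply this to a real plugin, read the downloaded hpi into bytes and call `find_library` for the artifact in question; to answer the "which plugin provides the jar" question, recurse over `plugin_dependencies` of each dependency's hpi, which is the chain Jenkins loads, not the Maven tree.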
