Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Inclusion of maven-dep-tree has indirectly increased minimum Maven version requirement for jfrog-cli #1141

Open
pixdrift opened this issue Feb 27, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@pixdrift
Copy link

pixdrift commented Feb 27, 2024

Describe the bug

When using jf audit with the JFrog CLI, versions newer than 2.51.1 require a minumum Maven version of 3.6.3 due to the inclusion of maven-dep-tree. This results in an the following error when attempting to run the jf audit command using an older version of Maven if using a JFrog CLI version newer than 2.51.1.

The plugin com.jfrog:maven-dep-tree:1.0.2 requires Maven 3.6.3
The plugin com.jfrog:maven-dep-tree:1.0.10 requires Maven 3.6.3

It appears this impacts any Frog CLI version released after November 19th 2023 when PR #1023 was merged. That is, any jfrog-cli version newer than 2.51.1 as it includes the breaking change. Based on this, the first impacted version of jfrog-cli is 2.52.0.

The dependency version was also bumped in PR #1097 from 1.0.2 to 1.0.10.

The maven.min.version definition in the pom.xml file that specifies Maven 3.6.3 is in the plugin repository here
https://github.com/jfrog/maven-dep-tree/blob/main/pom.xml#L19

Current behavior

jf audit produces the following error when running on a version of Maven less than 3.6.3 (two different examples as dependency version has been bumped)

The plugin com.jfrog:maven-dep-tree:1.0.2 requires Maven 3.6.3
The plugin com.jfrog:maven-dep-tree:1.0.10 requires Maven 3.6.3

Reproduction steps

  1. Install JFrog CLI newer than 2.51.1 on a system with Maven older than 3.6.3 (eg. Red Hat Enterprise Linux 8)
  2. Execute the JFrog CLI jf audit command with correct options/parameters
  3. Command will fail due to Maven not being at required 3.6.3 version for maven-dep-tree dependency

Expected behavior

Expected behaviour and potential actions to resolve the issue:

  1. That the command executes correctly on older versions of Maven.
    Although the official Maven support states that versions older than 3.6.3 are now out of support, there may be Enterprise customers using RHEL and derivatives which still ship with OS included 3.5.4 that is actively supported via backports by the OS vendor. It may also be unfeasible so support versions this old, which could be documented.

  2. That the version requirement in maven-dep-tree is determined to be higher than technically necessary, and it is lowered to match the core JFrog CLI components so that it doesn't increase the minimum Maven requirement, and new versions of JFrog CLI will continue to work on older Maven versions until there is a technical requirement pushing the Maven version up.

  3. That the requirement for minimum version of Maven 3.6.3 is documented and defined in the JFrog CLI dependencies so that it doesn't surface to the end user through a plugin install error, but instead presents as a requirement for JFrog CLI at installation/execution time.

JFrog CLI-Core version

Version included in JFrog CLI > 2.51.1

JFrog CLI version (if applicable)

> 2.51.1

Operating system type and version

Red Hat Enterprise Linux

JFrog Artifactory version

N/A

JFrog Xray version

N/A

@pixdrift pixdrift added the bug Something isn't working label Feb 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

1 participant