Transitive RELEASE or LATEST dependencies do not properly resolve #4397

Closed
aikebah opened this issue Apr 22, 2022 · 6 comments · Fixed by #5205

@aikebah
Collaborator

aikebah commented Apr 22, 2022

Hello

It seems the problem still occurs when checking for a dependency declaring a sub-dependency with a RELEASE or LATEST metaversion.

Example: for project AAAA having dependency BBBB with RELEASE metaversion referencing dependency YYYY, also with RELEASE metaversion, we get the error:

DependencyNotFoundException: Expected dependency not found in resolved artifacts for dependency XXXX:YYYY:jar:RELEASE:compile of project-artifact AAAA

When the sub-dependency BBBB is declared directly in the project AAAA (for example with scope provided), no error is thrown any more, so it clearly doesn't fail anymore for dependencies with RELEASE metaversion, but it still fails on sub-dependencies with RELEASE metaversion.

So today we are referencing all RELEASE subdependencies directly in our project pom.xml with scope set to provided as a palliative measure to make things work.

Thank you very much.

Originally posted by @YSavanier in jeremylong/DependencyCheck#3721 (comment)

@aikebah aikebah added the bug label Apr 24, 2022
@skalimer0

+1

@YSavanier

Hello, any update on this issue ?

@aikebah
Collaborator Author

aikebah commented Jan 3, 2023

No updates, but based on your check I did some further checking.

We're not going to solve this unless the maven dependency plugin also solves it.

Proof that it doesn't work like it used to back in the day when maven-dependency-plugin was at 2.8:

mvn org.apache.maven.plugins:maven-dependency-plugin:3.4.0:tree will yield you the same results - unchanged LATEST and RELEASE transitive dependencies, whereas mvn dependency:tree falls back to an ancient version of the dependency-plugin (2.8)

I suspect that the Maven team decided to finally partially follow up on their warning "For this reason, future Maven versions might no longer support building such malformed projects." and removed some crucial legacy code that made maven-dependency-plugin 2.8 still able to resolve the RELEASE/LATEST versions.

As current iterations of the maven-dependency-plugin (maintained by the Maven Community) no longer resolve LATEST/RELEASE, I have no way to reference how to use the public APIs of Maven to properly find out what the resolved dependency versions of the transitive dependencies are.

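For readers who want to see what "resolving" a RELEASE or LATEST metaversion means, here is an added example; it is not code from the DependencyCheck project and not something aikebah posted. It models the rule Maven's repository metadata defines: RELEASE maps to the <release> element and LATEST to the <latest> element of the group/artifact-level maven-metadata.xml, and a literal version is passed through unchanged. The metadata documents and the dependency tree are constructed inline (the coordinates XXXX:BBBB and XXXX:YYYY are placeholders taken from the report above); the walk over the tree is only an illustration of applying the rule at every level, not Maven's real resolver, and it also reports which nodes were declared with a metaversion so a build can flag them as unpinned.

```python
"""Resolve Maven RELEASE/LATEST metaversions against repository metadata.

Added example, not part of the DependencyCheck project. RELEASE is taken
from <versioning><release>, LATEST from <versioning><latest> of the
artifact's maven-metadata.xml. All metadata and the tree are constructed.
"""
import xml.etree.ElementTree as ET

METAVERSIONS = ("RELEASE", "LATEST")


def constructed_metadata(group: str, artifact: str, release: str, latest: str) -> str:
    """Build a minimal maven-metadata.xml (constructed test data, not a real repo)."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<metadata>
  <groupId>{group}</groupId>
  <artifactId>{artifact}</artifactId>
  <versioning>
    <latest>{latest}</latest>
    <release>{release}</release>
    <lastUpdated>20220422120000</lastUpdated>
  </versioning>
</metadata>
"""


def is_metaversion(version: str) -> bool:
    """True for the two metaversions Maven resolves from repository metadata."""
    return version in METAVERSIONS


def resolve_version(version: str, metadata_xml: str) -> str:
    """Return the concrete version for RELEASE/LATEST; pass literal versions through.

    Raises ValueError when no metadata or no matching element is available.
    A resolver must surface that instead of keeping the literal string
    "RELEASE", which is the state behind the DependencyNotFoundException
    quoted in this issue.
    """
    if not is_metaversion(version):
        return version
    if not metadata_xml:
        raise ValueError(f"no maven-metadata.xml available to resolve {version}")
    root = ET.fromstring(metadata_xml)
    tag = "release" if version == "RELEASE" else "latest"
    node = root.find(f"./versioning/{tag}")
    if node is None or not (node.text or "").strip():
        raise ValueError(f"metadata has no <{tag}> element to resolve {version}")
    return node.text.strip()


def resolve_tree(deps, metadata_by_ga):
    """Apply resolve_version to every node of a nested dependency list.

    deps: list of {"ga": "G:A", "version": str, "deps": [...]} (constructed shape)
    metadata_by_ga: mapping "G:A" -> maven-metadata.xml text
    Returns (resolved coordinates in walk order, coordinates declared with a
    metaversion). The second list is what a build should flag as unpinned:
    a RELEASE/LATEST dependency takes whatever the repository says today.
    """
    resolved, unpinned = [], []

    def walk(node):
        ga, version = node["ga"], node["version"]
        if is_metaversion(version):
            unpinned.append(f"{ga}:{version}")
        resolved.append(f"{ga}:{resolve_version(version, metadata_by_ga.get(ga, ''))}")
        for child in node.get("deps", []):
            walk(child)

    for dep in deps:
        walk(dep)
    return resolved, unpinned


# Constructed repository: BBBB has a release, YYYY's newest version is a snapshot.
EXAMPLE_REPO = {
    "XXXX:BBBB": constructed_metadata("XXXX", "BBBB", "1.4.0", "1.4.0"),
    "XXXX:YYYY": constructed_metadata("XXXX", "YYYY", "2.0.3", "2.1.0-SNAPSHOT"),
}

# Constructed tree mirroring the report: AAAA -> BBBB:RELEASE -> YYYY:RELEASE.
EXAMPLE_TREE = [
    {"ga": "XXXX:BBBB", "version": "RELEASE",
     "deps": [{"ga": "XXXX:YYYY", "version": "RELEASE"}]},
]

if __name__ == "__main__":
    coords, flagged = resolve_tree(EXAMPLE_TREE, EXAMPLE_REPO)
    print("resolved:", coords)
    print("unpinned (metaversion) declarations:", flagged)
```

Note the difference between the two metaversions in the constructed data: RELEASE for XXXX:YYYY resolves to 2.0.3, while LATEST would resolve to 2.1.0-SNAPSHOT, so a LATEST declaration can silently pull a snapshot into a release build.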
@aikebah
Collaborator Author

aikebah commented Jan 3, 2023

However... feel free to deep-dive into all of maven dependency-resolution and propose a PR that fixes it for transitive dependencies.

@aikebah
Collaborator Author

aikebah commented Jan 3, 2023

Think I've found a way to make these work as well.... need to do some further testing

@YSavanier

OMG thank you very much, I didn't check GitHub in a day and yet it is already resolved XD

Again many thanks, we will at last be able to upgrade our dependency check from the last working version 6.3.1 ^^

Cheers

@nhumblot nhumblot added this to the 7.4.4 milestone Jan 6, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 27, 2024