
IP Log/Automatic Dependency Identification

Work in progress.


We're using this page to capture various scenarios for automatically identifying the use of previously-approved third-party dependencies by our projects.

Note that project teams are ultimately responsible for ensuring that project code only uses approved third-party libraries and that the use of those libraries is properly tracked.

Scenarios

OSGi

For OSGi-based projects, the bundle manifests should give us what we need in many cases.

  • Project uses OSGi
  • All third-party bundles come from Orbit

Challenges:

  • We will likely need to use p2 to do the actual resolution (e.g. package imports don't give us enough information statically).
  • When do we run the scan? Do we scan the file system for bundles, or is this done as part of a build?
  • Is this really just the Maven scenario (with Tycho)?

Maven-based Builds

Maven does dependency resolution as part of the build; can we somehow feed the output of that build into our system?

e.g. create a Maven plugin that automatically feeds the information to our system as part of specific builds (e.g. integration or milestone builds).

  • EF-provided HIPP used for builds
  • Builds are Maven-based

Challenges:

  • How do we ensure that the plugin is actually included in the build?
  • Can we actually capture and push library use from a Maven plugin?
  • Can we detect when a third-party library is used indirectly through Eclipse project code (and ignore)?
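As an added example (not part of this wiki page or of any Eclipse Foundation tooling), the following Python script shows how the output of `mvn dependency:tree` could be classified for the challenges above: Eclipse artifacts, third-party libraries reached only through another Eclipse artifact (to be ignored), previously approved libraries, and libraries that would still need a CQ. The sample tree output, the approved set and the `org.eclipse.` group-prefix rule are assumptions made for the example.

```python
import re

# Constructed sample of `mvn dependency:tree` output; the artifacts and versions
# are illustrative placeholders, not a real project's build log.
SAMPLE_TREE = r"""
[INFO] org.eclipse.example:example.bundle:jar:1.0.0-SNAPSHOT
[INFO] +- org.eclipse.core:org.eclipse.core.runtime:jar:3.29.0:compile
[INFO] |  \- com.example:helper-lib:jar:2.0.0:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] \- junit:junit:jar:4.13.2:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
"""
# Constructed stand-in for the already-approved CQs, keyed group:artifact:version.
APPROVED = {"junit:junit:4.13.2", "org.hamcrest:hamcrest-core:1.3"}

# One tree line: "[INFO] ", 3-character tree chunks ("+- ", "\- ", "|  ", "   "),
# then the coordinate groupId:artifactId:type[:classifier]:version[:scope].
LINE_RE = re.compile(r"^\[INFO\] ((?:[+\\]- |[| ]  )*)([\w.\-]+(?::[\w.\-]+){3,5})$")

def is_eclipse(coord):
    return coord.split(":")[0].startswith("org.eclipse.")  # assumed naming rule

def approval_key(coord):
    parts = coord.split(":")
    version = parts[4] if len(parts) == 6 else parts[3]  # 6 parts => classifier present
    return f"{parts[0]}:{parts[1]}:{version}"

def classify_dependencies(tree_text, approved=APPROVED):
    """Label every non-root artifact 'eclipse', 'indirect-via-eclipse', 'approved'
    or 'needs-cq'; depth comes from the 3-character tree prefix."""
    ancestors = []  # coordinates from the root down to the current node
    results = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth, coord = len(m.group(1)) // 3, m.group(2)
        del ancestors[depth:]          # pop back to this node's parent
        ancestors.append(coord)
        if depth == 0:
            continue                   # the project itself, not a dependency
        if is_eclipse(coord):
            status = "eclipse"
        elif any(is_eclipse(a) for a in ancestors[1:-1]):
            status = "indirect-via-eclipse"  # pulled in by another Eclipse project
        elif approval_key(coord) in approved:
            status = "approved"
        else:
            status = "needs-cq"
        results.append((coord, status))
    return results
```

Running `classify_dependencies(SAMPLE_TREE)` on the constructed tree reports `commons-lang3` as the only artifact that would still need a CQ.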

Manual

There's nothing automatic about this. If none of the other scenarios are able to automatically detect and resolve the use of a third-party library, a project team member must create a "piggyback CQ".
