IP Log/Automatic Dependency Identification
We're using this page to capture various scenarios for automatically identifying the use of previously-approved third-party dependencies by our projects.
Note that project teams are ultimately responsible for ensuring that project code only uses approved third-party libraries and that the use of those libraries is properly tracked.
For OSGi-based projects, the bundle manifests should give us what we need in many cases.
- Project uses OSGi
- All third-party bundles come from Orbit
- We will likely need to use p2 to do the actual resolution (e.g. package imports don't give us enough information statically).
- When do we run the scan? Do we scan the file system for bundles, or is this done as part of a build?
- Is this really just the Maven scenario (with Tycho)?
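As an added example (not code from the wiki page or the Foundation), a first-pass scan over a bundle's MANIFEST.MF: it unfolds the wrapped headers, parses the Require-Bundle and Import-Package clauses, and flags anything that is neither Eclipse project code nor on an approved-bundle allowlist. The manifest text, the allowlist and the "org.eclipse." own-code prefix are constructed assumptions; the scan only sees what the manifest declares statically, so a p2 resolution is still needed for the actual resolved set.

```python
import re

# Constructed sample MANIFEST.MF: OSGi wraps long headers, and a continuation
# line starts with a single space.
SAMPLE_MANIFEST = """Manifest-Version: 1.0
Bundle-SymbolicName: org.example.project;singleton:=true
Require-Bundle: org.eclipse.core.runtime;bundle-version="3.7.0",
 org.apache.commons.io;bundle-version="[2.2.0,3.0.0)",
 com.example.unvetted;bundle-version="1.0.0";resolution:=optional
Import-Package: org.apache.commons.codec.binary;version="1.6.0",
 javax.servlet;version="[2.5.0,4.0.0)"
"""

# Constructed allowlist standing in for the approved (e.g. Orbit) bundles and
# packages; a real scan would load this from the Foundation's records.
APPROVED = {"org.apache.commons.io", "org.apache.commons.codec.binary", "javax.servlet"}

def unfold_headers(text):
    """Join continuation lines and return a {header: value} dict."""
    headers, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current:
            headers[current] += line[1:]          # continuation of previous header
        elif ":" in line:
            current, _, value = line.partition(":")
            current = current.strip()
            headers[current] = value.strip()
    return headers

def split_clauses(value):
    """Split a header on commas outside quotes (version ranges contain commas)."""
    return [c for c in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value) if c.strip()]

def parse_dependencies(manifest_text):
    """Return {bundle-or-package: version constraint or None}."""
    headers, deps = unfold_headers(manifest_text), {}
    for header, attr in (("Require-Bundle", "bundle-version"), ("Import-Package", "version")):
        for clause in split_clauses(headers.get(header, "")):
            name, *params = [p.strip() for p in clause.split(";")]
            version = next((p.split("=", 1)[1].strip('"') for p in params
                            if p.startswith(attr + "=")), None)
            deps[name] = version
    return deps

def unapproved_dependencies(manifest_text, approved=APPROVED, own_prefix="org.eclipse."):
    """Dependencies that are neither Eclipse project code nor on the approved list."""
    return sorted(n for n in parse_dependencies(manifest_text)
                  if not n.startswith(own_prefix) and n not in approved)
```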
Maven does dependency resolution as part of the build; can we somehow feed the output of that build into our system?
e.g. create a Maven plugin that automatically feeds the information as part of specific builds (e.g. integration or milestone).
- EF-provided HIPP used for builds
- Builds are Maven-based
- How do we ensure that the plugin is actually included in the build?
- Can we actually capture and push library use from a Maven plugin?
- Can we detect when a third-party library is used indirectly through Eclipse project code (and ignore)?
There's nothing automatic about this. If none of the other scenarios are able to automatically detect and resolve the use of a third-party library, a project team member must create a "piggyback CQ".