@saramaebee
Contributor

Summary

This PR fixes an issue where fossa analyze fails to detect deep (transitive) dependencies on sbt 1.4+ projects that have an explicit addDependencyTreePlugin in their plugins.sbt.

Changes:

  • Reorder pattern matching in findProjects to prefer MiniDependencyTreePlugin (sbt 1.4+ built-in) over explicitly configured DependencyTreePlugin
  • Extract pure detectDependencyPlugins function for testability
  • Add comprehensive unit tests for plugin detection scenarios

Root Cause

The sbt dependencyBrowseTreeHTML command has different casing requirements across versions:

  • sbt < 1.4: Uses lowercase dependencyBrowseTreeHtml
  • sbt >= 1.4: Uses uppercase dependencyBrowseTreeHTML

When a project has both the built-in MiniDependencyTreePlugin (sbt 1.4+) AND an explicit DependencyTreePlugin (via addDependencyTreePlugin), FOSSA was prioritizing the explicit plugin path, which uses the lowercase command - causing failures on sbt 1.4+.

Reproduction

Environment:

  • sbt: 1.11.5 (or any sbt 1.4+)
  • Plugin: addDependencyTreePlugin explicitly in plugins.sbt

Steps to reproduce the issue:

# 1. Create a simple sbt project with explicit plugin
mkdir -p repro/project && cd repro   # project/ must exist before plugins.sbt is written
echo 'addDependencyTreePlugin' > project/plugins.sbt
echo 'scalaVersion := "3.3.4"
libraryDependencies += "org.typelevel" %% "cats-core" % "2.12.0"' > build.sbt

# 2. Verify the casing issue exists
sbt "dependencyBrowseTreeHtml"   # FAILS on sbt 1.4+
sbt "dependencyBrowseTreeHTML"   # WORKS on sbt 1.4+
sbt "dependencyTree"             # WORKS (what the fix uses)

# 3. Run fossa analyze and observe partial results
fossa analyze -o --debug 2>&1 | grep -i "GraphBreadth"
# Shows: GraphBreadth: Partial (missing transitive deps)

Test Plan

1. Confirm broken behavior on master

git checkout master
cabal build
fossa analyze -o --debug  # in an sbt 1.4+ project with explicit addDependencyTreePlugin
# Observe: GraphBreadth: Partial, ~7 direct deps only

2. Checkout PR branch and rebuild

git checkout fix/sbt-dependency-tree-plugin-priority
cabal build

3. Verify fix

fossa analyze -o --debug  # same sbt project
# Observe: GraphBreadth: complete, 26+ deps with transitives

4. Unit tests

cabal test unit-tests --test-option="--match=Scala"
# All 5 plugin detection tests pass

Expected results comparison:

| Metric | Before (master) | After (this PR) |
| --- | --- | --- |
| GraphBreadth | Partial | complete |
| Dependencies | ~7 direct only | 26+ with transitives |
| Status | Warnings | Succeeded |

…reePlugin

When both plugins are present (sbt 1.4+ with explicit addDependencyTreePlugin),
prefer the built-in MiniDependencyTreePlugin which uses the `dependencyTree`
command. This avoids command casing issues where sbt >= 1.4 expects uppercase
`dependencyBrowseTreeHTML` but the code uses lowercase `dependencyBrowseTreeHtml`.

Previously, explicit DependencyTreePlugin took priority regardless of sbt version,
causing analysis to fail with "Not a valid command: dependencyBrowseTreeHtml" on
sbt 1.4+ projects that had addDependencyTreePlugin in their plugins.sbt.

Fixes: ANE-2718

Extract pure detectDependencyPlugins function from Plugin.hs for
testability and add comprehensive test coverage for all plugin
detection scenarios including the TKT-14742 case where both
MiniDependencyTreePlugin and explicit DependencyTreePlugin are present.
@saramaebee saramaebee requested a review from a team as a code owner January 12, 2026 17:04
@saramaebee saramaebee requested a review from tjugdev January 12, 2026 17:04
@saramaebee saramaebee marked this pull request as draft January 12, 2026 22:42
@saramaebee saramaebee marked this pull request as ready for review January 12, 2026 22:42
@saramaebee saramaebee enabled auto-merge (squash) January 12, 2026 22:43
@saramaebee saramaebee merged commit 9e6ee66 into master Jan 12, 2026
19 checks passed
@saramaebee saramaebee deleted the fix/sbt-dependency-tree-plugin-priority branch January 12, 2026 23:38
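
The priority change described in this PR, as an added Python model that is not part of the PR or of fossa-cli's code: it shows which sbt task each plugin ordering selects and why the old ordering left the graph partial. All function and constant names are hypothetical; the task names and casing rule come from the PR text, and the scenarios are constructed.

```python
# Added model of the plugin-priority bug; all names here are hypothetical,
# not fossa-cli identifiers. Task names and casing rules come from the PR text.
MINI = "MiniDependencyTreePlugin"   # built into sbt 1.4+
EXPLICIT = "DependencyTreePlugin"   # enabled via addDependencyTreePlugin

def sbt_at_least_1_4(version: str) -> bool:
    major, minor = (int(p) for p in version.split(".")[:2])
    return (major, minor) >= (1, 4)

def select_task(plugins: set, prefer_builtin: bool):
    """Pick the sbt task by plugin priority; None if no tree plugin is found."""
    order = [(MINI, "dependencyTree"), (EXPLICIT, "dependencyBrowseTreeHtml")]
    if not prefer_builtin:          # ordering before the fix
        order.reverse()
    for plugin, task in order:
        if plugin in plugins:
            return task
    return None

def graph_breadth(plugins: set, sbt_version: str, prefer_builtin: bool) -> str:
    """'complete' if the chosen task is valid on this sbt, else 'partial'."""
    task = select_task(plugins, prefer_builtin)
    if task is None:
        return "partial"            # assumption: no tree plugin, no transitive data
    if task == "dependencyBrowseTreeHtml" and sbt_at_least_1_4(sbt_version):
        return "partial"            # sbt >= 1.4 only accepts dependencyBrowseTreeHTML
    return "complete"

# Constructed scenarios: (plugins reported for the build, sbt version)
SCENARIOS = [
    ({MINI, EXPLICIT}, "1.11.5"),   # the case from this PR
    ({MINI}, "1.11.5"),
    ({EXPLICIT}, "1.3.13"),
    (set(), "1.3.13"),
]

def compare():
    """Return (plugins, version, before, after) rows for each scenario."""
    return [(sorted(p), v, graph_breadth(p, v, False), graph_breadth(p, v, True))
            for p, v in SCENARIOS]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Only the first scenario changes between the two orderings, which is why the regression went unnoticed on projects that rely on a single plugin.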