Inclusion of maven-dep-tree has indirectly increased minimum Maven version requirement for jfrog-cli #1141
Description
Describe the bug
When using jf audit with the JFrog CLI, versions newer than 2.51.1 require a minimum Maven version of 3.6.3 due to the inclusion of maven-dep-tree. This results in the following error when attempting to run the jf audit command using an older version of Maven if using a JFrog CLI version newer than 2.51.1.
The plugin com.jfrog:maven-dep-tree:1.0.2 requires Maven 3.6.3
The plugin com.jfrog:maven-dep-tree:1.0.10 requires Maven 3.6.3
It appears this impacts any JFrog CLI version released after November 19th 2023 when PR #1023 was merged. That is, any jfrog-cli version newer than 2.51.1, as it includes the breaking change. Based on this, the first impacted version of jfrog-cli is 2.52.0.
The dependency version was also bumped in PR #1097 from 1.0.2 to 1.0.10.
The maven.min.version definition in the pom.xml file that specifies Maven 3.6.3 is in the plugin repository here: https://github.com/jfrog/maven-dep-tree/blob/main/pom.xml#L19
Current behavior
jf audit produces the following error when running on a version of Maven less than 3.6.3 (two different examples as dependency version has been bumped)
The plugin com.jfrog:maven-dep-tree:1.0.2 requires Maven 3.6.3
The plugin com.jfrog:maven-dep-tree:1.0.10 requires Maven 3.6.3
Reproduction steps
- Install JFrog CLI newer than 2.51.1 on a system with Maven older than 3.6.3 (e.g. Red Hat Enterprise Linux 8)
- Execute the JFrog CLI jf audit command with correct options/parameters
- Command will fail due to Maven not being at required 3.6.3 version for maven-dep-tree dependency
Expected behavior
Expected behaviour and potential actions to resolve the issue:
- That the command executes correctly on older versions of Maven.
  Although the official Maven support states that versions older than 3.6.3 are now out of support, there may be Enterprise customers using RHEL and derivatives which still ship with OS included 3.5.4 that is actively supported via backports by the OS vendor. It may also be unfeasible to support versions this old, which could be documented.
- That the version requirement in maven-dep-tree is determined to be higher than technically necessary, and it is lowered to match the core JFrog CLI components so that it doesn't increase the minimum Maven requirement, and new versions of JFrog CLI will continue to work on older Maven versions until there is a technical requirement pushing the Maven version up.
- That the requirement for minimum version of Maven 3.6.3 is documented and defined in the JFrog CLI dependencies so that it doesn't surface to the end user through a plugin install error, but instead presents as a requirement for JFrog CLI at installation/execution time.
JFrog CLI-Core version
Version included in JFrog CLI > 2.51.1
JFrog CLI version (if applicable)
> 2.51.1
Operating system type and version
Red Hat Enterprise Linux
JFrog Artifactory version
N/A
JFrog Xray version
N/A
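
A pre-flight check that a CI job could run before jf audit, so that an outdated Maven is reported up front instead of through the plugin error quoted in the issue above. This is an added example, not part of the original issue or of JFrog CLI; the function names, exit codes and sample version strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fail fast when Maven is older than the version that
# maven-dep-tree demands (3.6.3, taken from the error text in this issue).
REQUIRED_MAVEN="3.6.3"

# Constructed sample first lines of `mvn --version` output (illustrative only).
SAMPLE_OLD='Apache Maven 3.5.4 (Red Hat 3.5.4-5)'
SAMPLE_NEW='Apache Maven 3.6.3 (constructed-build-id)'

# Print the numeric version found in `mvn --version` output, or nothing.
parse_maven_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*Apache Maven \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when version $1 >= version $2, comparing three numeric fields.
# Plain string comparison would wrongly rank 3.10.0 below 3.6.3.
version_ge() {
    a=$1; b=$2
    for i in 1 2 3; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 0
}

# Return 0 = Maven is new enough, 1 = too old, 2 = version not recognised.
check_maven_for_audit() {
    found=$(parse_maven_version "$1")
    if [ -z "$found" ]; then
        echo "preflight: could not determine the Maven version" >&2
        return 2
    fi
    if version_ge "$found" "$REQUIRED_MAVEN"; then return 0; fi
    echo "preflight: Maven $found is older than $REQUIRED_MAVEN;" \
         "maven-dep-tree will not load and jf audit will fail" >&2
    return 1
}

# Hypothetical entry point: `sh preflight.sh --run` checks the local Maven
# and only then hands over to jf audit.
if [ "${1:-}" = "--run" ]; then
    check_maven_for_audit "$(mvn --version 2>/dev/null)" && exec jf audit
fi
```

A non-zero exit from the check lets the pipeline mark the dependency scan as not performed, rather than letting a failed audit step be mistaken for a clean one.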