Provided scope dependencies picked up in some cases but not others #4208
Comments
@GeorgeActon @samuzzal-choudhury Please stop changing the priorities. These are defined by/for the business and it looks like you are confusing them with severity. This particular defect has no significant bearing on the business so it is a P4
@stevengutz I understand that a bug's priority has to be set to P2 if the team thinks that it has a business impact and requires a fix for that during a sprint. Whereas, I see severity as the parameter that defines the impact of the bug on an application's functionality and user experience. Correct me if I am wrong.
@samuzzal-choudhury I don't think anyone is wrong - your definitions for severity and priority are right on target. So my apologies. In fact, I spoke to @GeorgeActon and he convinced me that your assessment is probably "right-er" than mine. My suggestion to George was that priority values (except for a default P4 when the bug is created) should probably be adjusted by him and @sivaavkd just so it's clear that someone who maps closer to the business need was the one making the change. Makes me nervous when engineers are deciding business priorities ;-)
This issue is produced due to mercator giving empty results for the dependencies included inside On the other hand, on the build side and while generating stack report on workspace level we use What are your thoughts @samuzzal-choudhury @msrb @miteshvp @invincibleJai?
I am no Java expert; I'd suggest validating it even with the effective pom generated in IDEs like Eclipse and taking a decision. Will work based on that. As it's recommended in the docs as well (https://maven.apache.org/plugins/maven-help-plugin/effective-pom-mojo.html), try stack-analyses on both and validate the difference, i.e. are we happy with all the info provided in the stack report.
As discussed on mattermost, poms which start with I'd suggest switching to Note there is a reason why we use
@invincibleJai can you make the necessary changes in VS code extension?
@abs51295 this is an enhancement we need to plan for it, am not sure about 154. We can accommodate if it's really urgent. And it would be good if we can make it (
@invincibleJai - sounds good.
Issue Overview
I am getting conflicting behavior around dependency resolution for the "provided" scope packages.
Expected Behaviour
Either the "provided" scope packages should be ignored in all cases or picked in all cases.
Current Behaviour
"Provided" scope packages are picked in some cases and ignored in others.
Steps To Reproduce
The "provided" scope dependency javax.servlet:javax.servlet-api is analyzed
The "provided" scope dependency com.google.android:android is not analyzed and neither unknown

/cc @samuzzal-choudhury