The idea
Charles wrote this blog post about how he thinks Maven dependencies should work, and some of it looked like it could be done via a Maven plugin:
- When maven calculates a product's dependencies, it writes the result out to a file in the same directory as pom.xml. For example:
org.apache.log4j:log4j:jar:1.4|org.springframework:spring-core,org.hibernate:hibernate|cab4659835e983c500f22755adf5697f
- Meaning of the above line: log4j-1.4.jar is required by spring-core and hibernate, and has this md5 sum
- This file gets checked in with the code
- This file is sorted and designed to be diff-friendly (i.e. not XML) so it's easy for developers to track exactly how the dependency tree has changed from version to version
- Whenever the calculated dependencies (from pom.xml) don't match the ones in the generated file, maven prints a nice big warning message that things have changed
- Where the md5 sum of a dependency in the local repository does not match the one recorded in the file, the build fails.
This is what I implemented, sort of.
How it works
Configuring the plugin
What does it do?
The plugin looks for a file named dependencies.txt, reads it, resolves the actual dependencies and compares the two. If there is any difference the build fails, and the actual dependency report is written to dependencies.txt.tmp.
[INFO] [atlassian:validate-dependencies {execution: default}]
[ERROR] The following dependencies are not present in the report:
[ERROR] jdom:jdom:1.0:runtime|com.atlassian.confluence:confluence:jar:3.0-SNAPSHOT|0b8f97de82fc9529b1028a77125ce4f8
[ERROR] The following dependencies are present in the report but no longer calculated:
[ERROR] jdom:jdom:1.0:runtime|com.atlassian.confluence:confluence:jar:3.0-SNAPSHOT|3548f41cdb2ec9104480aded15c53dd8
[INFO] ------------------------------------------------------------------------
[ERROR] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] The dependency report and your resolved dependencies are not in sync. An updated report has been written to </Users/.../confluence/trunk/conf-webapp/dependencies.txt.tmp>
If the file doesn't exist a simple warning will be raised.
[INFO] [atlassian:validate-dependencies {execution: default}]
[WARNING] /Users/sleberrigaud/src/atlassian/products/confluence/trunk/conf-webapp/dependencies.txt doesn't exists, won't validate dependencies
How do I generate a report?
It is as simple as running mvn atlassian:dependency-report. It will run the report against all modules of the current project.
What's in the report?
Each line of the report defines a dependency (direct or transitive) and looks like this:
biz.aQute:bndlib:0.0.255:runtime|com.atlassian.confluence:confluence:jar:3.0-SNAPSHOT,com.atlassian.plugins:atlassian-plugins-osgi:jar:2.2.0.beta6-1|618b8db2531c4ecca9ceb54cc3c6ea01
- The first part (before the first |) is the actual dependency, in the format groupId:artifactId:version:scope.
- The second part is the dependency trail. In the example, bndlib is a dependency of atlassian-plugins-osgi, which is a dependency of confluence, confluence being a direct dependency of the module.
- The third part is the md5 of the dependency artifact (jar, war, etc.). For SNAPSHOT dependencies the report doesn't store the md5 but rather just says SNAPSHOT.
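
The comparison described above, as an added Python sketch (not the plugin's source, which this page does not show): it parses the three-part report lines and, going one step beyond the plugin's output, separates out dependencies whose coordinates are unchanged but whose md5 differs. The function names and the `com.example` sample line are assumptions made for illustration.

```python
import hashlib
from typing import NamedTuple

class Entry(NamedTuple):
    coords: str    # groupId:artifactId:version:scope
    trail: tuple   # dependency trail, in report order
    md5: str       # hex digest, or the literal "SNAPSHOT"

def parse_report(text):
    """Parse report text into {coords: Entry}, rejecting malformed lines."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.strip().split("|")
        if len(parts) != 3 or len(parts[0].split(":")) != 4:
            raise ValueError(f"line {n}: malformed entry: {line!r}")
        coords, trail, md5 = parts
        entries[coords] = Entry(coords, tuple(trail.split(",")), md5)
    return entries

def compare(recorded, resolved):
    """Return sorted (added, removed, checksum_changed) coordinate lists."""
    added = sorted(resolved.keys() - recorded.keys())
    removed = sorted(recorded.keys() - resolved.keys())
    changed = sorted(c for c in recorded.keys() & resolved.keys()
                     if recorded[c].md5 != resolved[c].md5)
    return added, removed, changed

def md5_matches(entry, artifact_bytes):
    """True/False for a recorded digest; None for SNAPSHOT (nothing to check)."""
    if entry.md5 == "SNAPSHOT":
        return None
    return hashlib.md5(artifact_bytes).hexdigest() == entry.md5.lower()

# Sample reports: the jdom and bndlib lines come from the page; the
# com.example line is constructed for illustration.
TRAIL = "com.atlassian.confluence:confluence:jar:3.0-SNAPSHOT"
RECORDED = "\n".join([
    f"biz.aQute:bndlib:0.0.255:runtime|{TRAIL},com.atlassian.plugins:atlassian-plugins-osgi:jar:2.2.0.beta6-1|618b8db2531c4ecca9ceb54cc3c6ea01",
    f"jdom:jdom:1.0:runtime|{TRAIL}|3548f41cdb2ec9104480aded15c53dd8",
])
RESOLVED = "\n".join([
    f"com.example:demo:1.0-SNAPSHOT:compile|{TRAIL}|SNAPSHOT",
    f"jdom:jdom:1.0:runtime|{TRAIL}|0b8f97de82fc9529b1028a77125ce4f8",
])

if __name__ == "__main__":
    added, removed, changed = compare(parse_report(RECORDED), parse_report(RESOLVED))
    print("added:", added, "removed:", removed, "checksum changed:", changed)
```

A changed checksum under unchanged coordinates is the case worth reviewing first, since it means the artifact behind a fixed version was replaced. MD5 is no longer collision resistant, so this detects an artifact that changed rather than one crafted to collide.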

1 Comment
Mar 24, 2009
Tim Moore
Awesome, Sam. Is it finished enough to use? Where is the source? I'd love to contribute to atlassian-maven-plugin if we want that to be the one stop for all of our Maven extensions.