Commits on Apr 23, 2025

1. feat: module artifacts with classifier (#299) …

   BREAKING CHANGE: node IDs changed to uniquely identify all
   dependencies.
   
   There can be multiple module artifacts. At the moment we assume
   there can only by one artifact per resolved dependency. This
   is the most common arrangement, however there can be multiple
   artifacts when several 'classifiers' or different 'types' are
   referenced. For example if both the test and sources jar files
   are required.
   
   Loop over each module artifact and use the classifier in the
   node id, always appending ':type' where 'jar' is the default
   type and optionally appending ':classifier'.
   
   In order to find vulnerabilities against the resolved dependency
   the package identity remains the same,
   'groupid:artifactid@version'.
   
   The net effect here is that we now correctly identify artifacts
   and create a node per artifact.
   
   One fix that has occurred by only considering those dependencies
   with an artifact is that those dependencies without artifacts
   are excluded. This can happen when using 'platform' dependencies.
   These are constraints that don't require dependencies but control
   the versions of dependencies required either directly or
   transitively. They are analogous to maven boms and
   dependencyManagement.

   

   gitphill authored Apr 23, 2025
   Configuration menu

   • View commit details
   • Copy full SHA for 77ef7ec
   • Browse repository at this point

   Copy the full SHA

   77ef7ec View commit details

   Browse the repository at this point in the history