
feat: improved error message when pom dependency version not found #253

Merged
merged 2 commits into from
Mar 7, 2023

Conversation

raboof
Contributor

@raboof raboof commented Mar 1, 2023

No description provided.

@G-Rath
Collaborator

G-Rath commented Mar 2, 2023

I'm not sure how useful this change is? shouldn't you be able to figure out the pom based on the dependency name and the property name that is being accessed?

I'm not a heavy Java user, so would appreciate if you could expand on the situation you're dealing with where the current warning is not sufficient.

(also @oliverchang or @another-rex could you approve the CI workflows to run?)

@raboof
Contributor Author

raboof commented Mar 2, 2023

> I'm not sure how useful this change is? shouldn't you be able to figure out the pom based on the dependency name and the property name that is being accessed?
>
> I'm not a heavy Java user, so would appreciate if you could expand on the situation you're dealing with where the current warning is not sufficient.

I guess it depends on how the library is being used. I came to this from scorecard, and there for example you would currently see:

$ scorecard --repo=github.com/apache/camel-examples
Starting [SAST]
Starting [License]
Starting [Code-Review]
Starting [CII-Best-Practices]
Starting [Maintained]
Starting [Fuzzing]
Starting [Dangerous-Workflow]
Starting [Pinned-Dependencies]
Starting [Security-Policy]
Starting [CI-Tests]
Starting [Dependency-Update-Tool]
Starting [Contributors]
Starting [Binary-Artifacts]
Starting [Vulnerabilities]
Starting [Packaging]
Starting [Signed-Releases]
Starting [Branch-Protection]
Starting [Token-Permissions]
Failed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.derby:derby: property "derby-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.junit.jupiter:junit-jupiter: property "junit-jupiter-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of ch.qos.logback:logback-core: property "logback-version" could not be foundFailed to resolve version of ch.qos.logback:logback-classic: property "logback-version" could not be foundFailed to resolve version of ch.qos.logback:logback-core: property "logback-version" could not be foundFailed to resolve version of ch.qos.logback:logback-classic: property "logback-version" could not be foundFailed to resolve version of ch.qos.logback:logback-core: property "logback-version" could not be foundFailed to resolve version of ch.qos.logback:logback-classic: property "logback-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of 
org.apache.camel:camel-test-infra-kafka: property "project.version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.camel:camel-test-infra-kafka: property "project.version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.camel:camel-test-infra-kafka: property "project.version" could not be foundFailed to resolve version of org.apache.camel:camel-test-main-junit5: property "camel.version" could not be foundFailed to resolve version of org.apache.camel:camel-test-infra-aws-v2: property "project.version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of com.fasterxml.woodstox:woodstox-core: property 
"woodstox-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.commons:commons-lang3: property "commons-lang3-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.camel:camel-test-infra-couchbase: property "project.version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of 
org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.camel:camel-test-infra-aws-v2: property "project.version" could not be foundFailed to resolve version of org.apache.camel:camel-test-infra-postgres: property "project.version" could not be foundFailed to resolve version of org.apache.camel:camel-test-infra-cassandra: property "project.version" could not be foundFailed to resolve version of org.awaitility:awaitility: property "awaitility-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.junit.jupiter:junit-jupiter: property "junit-jupiter-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.ftpserver:ftpserver-core: property "ftpserver-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" 
could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.commons:commons-lang3: property "commons-lang3-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-jul: property "log4j2-version" could not be foundFailed to resolve version of org.springframework:spring-jdbc: property "spring-version" could not be foundFailed to resolve version of org.apache.derby:derby: property "derby-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of junit:junit: property "junit-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.hsqldb:hsqldb: property "hsqldb-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve 
version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.camel:camel-test-infra-kafka: property "project.version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of io.rest-assured:kotlin-extensions: property "rest-assured-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property 
"log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of 
org.apache.camel:camel-test-infra-minio: property "project.version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.camel:camel-test-infra-mongodb: property "project.version" could not be foundFailed to resolve version of io.rest-assured:rest-assured: property "rest-assured-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.camel:camel-log: property "project.version" could not be foundFailed to resolve version of org.apache.camel:camel-caffeine: property "project.version" could not be foundFailed to resolve version of org.apache.camel:camel-aws2-kinesis: property "project.version" could not be foundFailed to resolve version of org.apache.camel.example:resume-api-common: property "project.version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be 
foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.camel:camel-test-infra-aws-v2: property "project.version" could not be foundFailed to resolve version of org.apache.camel:camel-caffeine: property "project.version" could not be foundFailed to resolve version of org.apache.camel:camel-cassandraql: property "project.version" could not be foundFailed to resolve version of org.apache.camel.example:resume-api-common: property "project.version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.camel.example:resume-api-common: property "project.version" could not be foundFailed to resolve version of org.apache.camel.example:resume-api-common: property "project.version" could not be foundFailed to resolve version of org.apache.camel.example:resume-api-common: property "project.version" could not be foundFailed to resolve version of org.apache.camel.example:resume-api-common: property "project.version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of 
org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.activemq:activemq-broker: property "activemq-version" could not be foundFailed to resolve version of org.apache.activemq:activemq-client: property "activemq-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.junit.jupiter:junit-jupiter-api: property "junit-jupiter-version" could not be foundFailed to resolve version of org.junit.jupiter:junit-jupiter-engine: property "junit-jupiter-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.camel:camel-test-infra-pulsar: property "project.version" could not be foundFailed to resolve version of org.springframework.security:spring-security-web: property "spring-security-version" could not be foundFailed to resolve version of org.springframework:spring-web: property "spring-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property 
"log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.jboss.arquillian.container:arquillian-tomcat-embedded-9: property "arquillian-tomcat-version" could not be foundFailed to resolve version of org.apache.tomcat.embed:tomcat-embed-jasper: property "tomcat-version" could not be foundFailed to resolve version of org.junit.jupiter:junit-jupiter: property "junit-jupiter-version" could not be foundFailed to resolve version of org.jboss.arquillian.junit5:arquillian-junit5-container: property "arquillian-version" could not be foundFailed to resolve version of io.rest-assured:rest-assured: property "rest-assured-version" could not be foundFailed to resolve version of org.apache.activemq:activemq-broker: property "activemq-version" could not be foundFailed to resolve version of org.apache.activemq:activemq-client: property "activemq-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.springframework:spring-context: property "spring-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could 
not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-core: property "log4j2-version" could not be foundFailed to resolve version of org.apache.logging.log4j:log4j-slf4j2-impl: property "log4j2-version" could not be foundFinished [Vulnerabilities]
Finished [Packaging]
Finished [Signed-Releases]
Finished [Branch-Protection]
Finished [Token-Permissions]
Finished [SAST]
Finished [License]
Finished [Code-Review]
Finished [CII-Best-Practices]
Finished [Maintained]
Finished [Fuzzing]
Finished [Dangerous-Workflow]
Finished [Binary-Artifacts]
Finished [Pinned-Dependencies]
Finished [Security-Policy]
Finished [CI-Tests]
Finished [Dependency-Update-Tool]
Finished [Contributors]

It's not super obvious those messages have anything to do with pom.xml files in that repo in the first place, let alone which ones. While there's of course only so much you can do from the osv-scanner side, and ultimately perhaps something should change on the scorecard side, I'd say the change in this PR would be a nice improvement already.

@G-Rath
Collaborator

G-Rath commented Mar 2, 2023

(on an aside, I am annoyed I forgot to add the \n at the end of that output 🙄🤦)

Yeah I agree that output is not the best, though I think the problem is more with these outputs being done inefficiently because at the time I didn't want to commit to a specific way to surface them given it would impact the library function signatures and be just a whole "thing"...

(I've explored a solution to this in #186 - any thoughts you'd have would be appreciated!)

My concern with this change is that we're now expecting and promising more info out of the file, and that typically means more cases to handle (i.e. what happens if it's not there) - however I assume these two properties are always present in a pom.xml anyway (+ the way we're using them shouldn't actually cause a panic) and I agree that this is an improvement at least until something like #186 is landed (which'll allow scorecard to actually handle these warnings)

@raboof
Contributor Author

raboof commented Mar 2, 2023

> (on an aside, I am annoyed I forgot to add the \n at the end of that output 🙄🤦)

:)

> Yeah I agree that output is not the best, though I think the problem is more with these outputs being done inefficiently because at the time I didn't want to commit to a specific way to surface them given it would impact the library function signatures and be just a whole "thing"...
>
> (I've explored a solution to this in #186 - any thoughts you'd have would be appreciated!)

Yeah, something more 'controlled' like that would be great long-term, but coming up with what exactly that should look like is indeed not so easy :) .

> My concern with this change is that we're now expecting and promising more info out of the file, and that typically means more cases to handle (i.e. what happens if it's not there) - however I assume these two properties are always present in a pom.xml anyway (+ the way we're using them shouldn't actually cause a panic)

I actually tested this with some poms that didn't have a GroupID and that indeed looked pretty OK.

> I agree that this is an improvement at least until something like #186 is landed (which'll allow scorecard to actually handle these warnings)

Yup - it should probably still print it, but for example prefixing it with the "check" it belongs to and perhaps the file it's processing would be really useful to be able to do, and looks like it might be fairly easy to plug into that structure (Famous Last Words).
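To make the two points of this thread concrete (a warning that names the pom it came from, and a pom that has no `<groupId>` of its own), here is an added Go example; it is not osv-scanner's code nor the change in this PR, and the `pomXML` model, the function names and the `samplePom` input are all constructed for illustration. The warning text follows the scorecard output above with the pom's `groupId:artifactId` added, and a missing `<groupId>` falls back to the parent's, as Maven inheritance does.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
)

// Minimal Maven POM model: own coordinates, <parent>, <properties> and <dependencies>.
type coords struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
}

type pomXML struct {
	coords
	Parent     coords `xml:"parent"`
	Properties struct {
		Entries []struct {
			XMLName xml.Name
			Value   string `xml:",chardata"`
		} `xml:",any"`
	} `xml:"properties"`
	Dependencies []coords `xml:"dependencies>dependency"`
}

var propRef = regexp.MustCompile(`\$\{([^}]+)\}`)

// pomCoordinates names the pom being parsed as "groupId:artifactId".
func pomCoordinates(p pomXML) string {
	group := p.GroupID
	if group == "" { // no own <groupId>: Maven inherits the parent's
		group = p.Parent.GroupID
	}
	return group + ":" + p.ArtifactID
}

// lookupProperty finds a ${name} reference in the pom's own <properties> block.
func lookupProperty(p pomXML, name string) (string, bool) {
	for _, e := range p.Properties.Entries {
		if e.XMLName.Local == name {
			return e.Value, true
		}
	}
	return "", false
}

// resolveVersion substitutes every ${...} in a dependency version; on failure the error names the dependency, the pom it came from and the missing property.
func resolveVersion(p pomXML, d coords) (string, error) {
	var firstErr error
	out := propRef.ReplaceAllStringFunc(d.Version, func(ref string) string {
		name := ref[2 : len(ref)-1]
		if v, ok := lookupProperty(p, name); ok {
			return v
		}
		if firstErr == nil {
			firstErr = fmt.Errorf("failed to resolve version of %s:%s in pom %s: property %q could not be found", d.GroupID, d.ArtifactID, pomCoordinates(p), name)
		}
		return ref
	})
	return out, firstErr
}

// resolveDependencies parses a pom and returns "group:artifact:version" per resolved dependency plus one separate warning line (not run together) per failure.
func resolveDependencies(data []byte) (deps, warnings []string, err error) {
	var p pomXML
	if err = xml.Unmarshal(data, &p); err != nil {
		return nil, nil, err
	}
	for _, d := range p.Dependencies {
		if v, rerr := resolveVersion(p, d); rerr != nil {
			warnings = append(warnings, rerr.Error())
		} else {
			deps = append(deps, d.GroupID+":"+d.ArtifactID+":"+v)
		}
	}
	return deps, warnings, nil
}

// Constructed sample: a child module without its own <groupId> that defines only one of the three properties its dependencies reference.
const samplePom = `<project>
  <parent><groupId>org.example</groupId><artifactId>parent</artifactId><version>1.2.3</version></parent>
  <artifactId>child-module</artifactId><properties><log4j2-version>2.20.0</log4j2-version></properties>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>${log4j2-version}</version></dependency>
    <dependency><groupId>org.apache.derby</groupId><artifactId>derby</artifactId><version>${derby-version}</version></dependency>
    <dependency><groupId>org.junit.jupiter</groupId><artifactId>junit-jupiter</artifactId><version>${junit-jupiter-version}</version></dependency>
  </dependencies></project>`
```

A dependency whose version cannot be resolved is dropped from the result rather than matched against a vulnerability database, so the warning is the only signal that log4j-core-style packages may be going unscanned; naming the pom is what lets the user fix it.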


@another-rex another-rex left a comment


Thanks, looks good to me as a middle ground before #186 is landed.

@another-rex another-rex added this pull request to the merge queue Mar 5, 2023
@another-rex another-rex removed this pull request from the merge queue due to the queue being cleared Mar 5, 2023
@raboof
Contributor Author

raboof commented Mar 6, 2023

> another-rex removed this pull request from the merge queue due to the queue being cleared

Does this mean there is action required on my part?

@another-rex
Collaborator

> another-rex removed this pull request from the merge queue due to the queue being cleared
>
> Does this mean there is action required on my part?

Ah no, was just trying out the merge queue, turns out still doesn't quite work for our repo. Going to merge this in soon.

@another-rex another-rex merged commit 2f90916 into google:main Mar 7, 2023
hayleycd pushed a commit that referenced this pull request Mar 9, 2023
julieqiu pushed a commit to julieqiu/osv-scanner that referenced this pull request May 2, 2023
julieqiu pushed a commit to julieqiu/osv-scanner that referenced this pull request May 2, 2023