For Maven projects, we offer a more accurate strategy (`mavenplugin`) and a strategy with zero requirements (`pomxml`).

| Strategy | Direct Deps | Transitive Deps | Edges | Container Scanning |
|---|---|---|---|---|
| `mavenplugin` | ✅ | ✅ | ✅ | ❌ |
| `treecmd` | ✅ | ✅ | ✅ | ❌ |
| `pomxml` | ✅ | ❌ | ❌ | ✅ |
Maven analysis attempts these analysis methods in order:

- Run the maven plugin command, version 4.0.1.
- Run the maven tree command.
- Run the maven plugin command, version 3.3.0.
- Scan `pom.xml` files located in the file tree.
FOSSA CLI uses strategy command selection for Maven commands:

- Maven candidate commands are:
  - If present, the command specified by the `FOSSA_MAVEN_CMD` environment variable.
  - If present, the `mvnw` or `mvnw.bat` script in the project directory or any ancestor directory.
  - Finally, the `mvn` command, which is searched for in `$PATH`.
- To choose a command from the candidates, FOSSA CLI runs each candidate with `-v` and selects the first one that succeeds.
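The selection order above, modelled in Python as an added example (this is not FOSSA CLI's own code). The function names, the injectable `path_exists`/`probe` hooks, and the decision to stop at the nearest wrapper script found while walking up the directory tree are assumptions made for the illustration; the `-v` probe and the three candidate sources are as documented.

```python
import os
import subprocess
from pathlib import PurePosixPath

# Added example (not FOSSA CLI's own code): a model of the documented
# candidate order and the `-v` probe. Function names and the choice to stop at
# the nearest wrapper script are assumptions made for this illustration.

WRAPPER_NAMES = ("mvnw", "mvnw.bat")


def maven_candidates(project_dir, env, path_exists):
    """Return candidate Maven commands in the documented order.

    `path_exists` is injected (instead of calling os.path.exists directly) so
    the ancestor search can be exercised without touching the filesystem.
    """
    candidates = []

    # 1. Explicit override from the environment.
    override = env.get("FOSSA_MAVEN_CMD")
    if override:
        candidates.append(override)

    # 2. mvnw / mvnw.bat in the project directory or any ancestor.
    #    Assumption: the nearest wrapper wins and the search stops there.
    start = PurePosixPath(project_dir)
    for directory in (start, *start.parents):
        found = [str(directory / name) for name in WRAPPER_NAMES
                 if path_exists(str(directory / name))]
        if found:
            candidates.extend(found)
            break

    # 3. Plain `mvn`, resolved through $PATH by the OS when executed.
    candidates.append("mvn")
    return candidates


def probe_with_version(cmd):
    """Run `<cmd> -v` and report success only for a zero exit status."""
    try:
        result = subprocess.run([cmd, "-v"], capture_output=True, timeout=60)
    except (OSError, subprocess.SubprocessError):
        # Missing binary, permission problem, or hang: treat as failure.
        return False
    return result.returncode == 0


def select_maven_command(project_dir, env=None, path_exists=os.path.exists,
                         probe=probe_with_version):
    """Pick the first candidate whose `-v` probe succeeds, or None."""
    env = dict(os.environ) if env is None else env
    for cmd in maven_candidates(project_dir, env, path_exists):
        if probe(cmd):
            return cmd
    return None


if __name__ == "__main__":
    # Prints which command this model of the selection would pick here.
    print(select_maven_command(os.getcwd()))
```

Run from a checkout, the script reports which candidate wins. Because a repository's own `mvnw` ranks above the `mvn` found on `$PATH`, it is worth checking this in a CI image before relying on `fossa analyze` output.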
The `mavenplugin` and `treecmd` tactics can result in transitive dependencies which do not display paths to parents. This example graph shows how that can happen:

```
+- com.amazonaws:aws-java-sdk-kms:1.11.415:compile
|  +- com.amazonaws:aws-java-sdk-core:1.11.415:compile
\- com.jayway.restassured:rest-assured:2.9.0:test
   +- org.apache.httpcomponents:httpclient:4.5.1:compile 👈
```

`httpclient` will appear as a transitive dependency in the FOSSA UI, but it will not have any paths. A few things contribute to this. `httpclient`'s only listed parent is `rest-assured`, which is a `test` dependency; however, `httpclient` is a `compile` dependency. This tells us that `httpclient` has another parent in the graph, but we are unable to determine where.
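The reasoning above can be automated. The following Python is an added example, not part of the FOSSA documentation or CLI: it parses `dependency:tree`-style output and flags dependencies whose every listed parent is `test`-scoped while they themselves carry another scope, which is exactly the `httpclient` situation. The sample input is a constructed adaptation of the graph above, and the function names are my own; it also accepts the real `group:artifact:packaging:version:scope` line shape, which the graph above omits.

```python
import re
from collections import defaultdict

# Constructed sample adapted from the graph above (not real project output).
SAMPLE_TREE = r"""
+- com.amazonaws:aws-java-sdk-kms:1.11.415:compile
|  +- com.amazonaws:aws-java-sdk-core:1.11.415:compile
\- com.jayway.restassured:rest-assured:2.9.0:test
   +- org.apache.httpcomponents:httpclient:4.5.1:compile
"""

# One tree line: indentation made of 3-character cells, then "+- " or "\- ",
# then the coordinates. Real `mvn dependency:tree` lines also carry a
# packaging field (group:artifact:jar:version:scope); both shapes parse
# because the key is the first two fields and the scope is the last.
LINE_RE = re.compile(r"^((?:[| ]  )*)[+\\]- (\S+)")


def parse_tree(text):
    """Return (scopes, parents).

    scopes:  'group:artifact' -> scope of that dependency as listed
    parents: 'group:artifact' -> set of 'group:artifact' keys it appears under
    """
    scopes = {}
    parents = defaultdict(set)
    stack = []  # stack[d] is the key of the most recent node at depth d
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group(1)) // 3
        fields = m.group(2).split(":")
        key = ":".join(fields[:2])
        scope = fields[-1]
        del stack[depth:]          # drop deeper entries from the previous branch
        if stack:
            parents[key].add(stack[-1])
        stack.append(key)
        scopes[key] = scope
    return scopes, dict(parents)


def undetermined_parents(scopes, parents):
    """Keys whose listed parents are all test-scoped while they are not.

    Maven mediates a dependency reached only through a test-scoped parent down
    to test scope, so any other scope here means it was resolved through some
    path that the printed tree does not show.
    """
    flagged = []
    for key, scope in scopes.items():
        listed = parents.get(key, set())
        if scope != "test" and listed and all(scopes[p] == "test" for p in listed):
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    s, p = parse_tree(SAMPLE_TREE)
    for key in undetermined_parents(s, p):
        print(f"{key} ({s[key]}): listed only under {sorted(p[key])}")
```

Feeding real `mvn dependency:tree` output into `parse_tree` gives a list of the dependencies whose path FOSSA will be unable to show, which is useful when deciding whether a flagged artifact really reaches production code.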
You can use the configuration file to provide the Maven dependency scopes you would like to filter. You can filter by either inclusion or exclusion. When both `scope-only` and `scope-exclude` are provided, `scope-only` takes precedence and is used for filtering.

```yaml
version: 3
maven:
  scope-only:
    - compile
    - runtime
  ## OR
  scope-exclude:
    - provided
    - system
    - test
```
If you have a Maven project with one or more subprojects, you may in some cases want to analyze only a specific set of subprojects. In `fossa-cli`, this can be achieved by using exclusion filtering.

- Run `fossa list-targets` to identify the project directory and the identifiers of the subprojects.

  ```
  [ INFO] Found project: maven@./
  [ INFO] Found target: maven@./:com.fossa:app
  [ INFO] Found target: maven@./:com.fossa:list
  [ INFO] Found target: maven@./:com.fossa:utilities
  ```

  Note that targets are denoted in the format `type@path:target`. For example, `maven@./:com.fossa:utilities`:

  Note: Maven submodule targets are composed of `<groupId>:<artifactId>`, so the `utilities` submodule here is referenced by `com.fossa:utilities`.

  ```
  maven  @          ./    :                 com.fossa:utilities
  -----  ---------  ----  ----------------  -------------------
  Type   Path       Path  Target            Target
         separator        separator
  ```

- Now, to analyze only `utilities`, use a `.fossa.yml` file in the project root.

  ```yaml
  # filename: .fossa.yml
  #
  # analyze only maven@./:com.fossa:utilities
  version: 3
  targets:
    only:
      - type: maven
        path: ./
        target: 'com.fossa:utilities'
  ```

  Likewise, if you want to exclude a specific set of subprojects, you can do the following:

  ```yaml
  # filename: .fossa.yml
  #
  # do not analyze maven@./:com.fossa:app or maven@./:com.fossa:utilities
  version: 3
  targets:
    only:
      - type: maven
    exclude:
      - type: maven
        path: ./
        target: 'com.fossa:app'
      # the type must match the target's type (maven), or the exclusion
      # will not apply and the submodule will still be analyzed
      - type: maven
        path: ./
        target: 'com.fossa:utilities'
  ```

- Running `fossa analyze` will now only analyze the `list` submodule.