Use spotbugs from bom #152

Merged
merged 3 commits into from
Oct 13, 2020
14 changes: 3 additions & 11 deletions pom.xml
Expand Up @@ -4,7 +4,7 @@
<parent>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>plugin</artifactId>
<version>4.9</version>
<version>4.10</version>
<relativePath />
</parent>

Expand All @@ -22,15 +22,14 @@
</description>

<properties>
<jenkins.baseline>2.204</jenkins.baseline>
<jenkins.version>${jenkins.baseline}.6</jenkins.version>
<jenkins.baseline>2.249</jenkins.baseline>
Member

This seems to be too new? From our dev documentation:

At the moment, the Jenkins releases 2.222.1 and 2.235.1 make good core dependencies unless there are specific reasons, like new features, to choose a different release.

Member Author

@timja timja Oct 9, 2020

Alternatively we would need to downgrade spotbugs to 3.x (by pulling from the bom on an older line) but that has the negative side effect of using 3.x which has the edu nonnull annotations deprecated.

but that might be a better option?

unless there are specific reasons, like new features, to choose a different release.

^^

Member

IMHO this counts as a “specific reason”.

Member

Well SpotBugs adds no functionality - it is a dev lib to improve static analysis. It should never be a reason to lose a lot of users by using the latest LTS as baseline.

Member Author

I've downgraded the baseline, and also raised a PR against core to update its version to the latest spotbugs: jenkinsci/jenkins#4982

Member

@uhafner uhafner Oct 9, 2020

When I test the new pom in one of my plugins I get a lot of enforcer errors now:

[INFO] Adding ignore: **/ModuleUtils*
[WARNING] Rule 5: org.apache.maven.plugins.enforcer.RequireUpperBoundDeps failed with message:
Failed while enforcing RequireUpperBoundDeps. The error(s) are [
Require upper bound dependencies error for com.github.spotbugs:spotbugs-annotations:3.1.11 paths to dependency are:
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
  +-com.github.spotbugs:spotbugs-annotations:3.1.11
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
  +-io.jenkins.plugins:plugin-util-api:1.2.5
    +-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.1.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
  +-io.jenkins.plugins:font-awesome-api:5.14.0-1
    +-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.0.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
  +-io.jenkins.plugins:bootstrap4-api:4.5.2-1
    +-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.1.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
  +-io.jenkins.plugins:jquery3-api:3.5.1-1
    +-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.0.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
  +-io.jenkins.plugins:echarts-api:4.9.0-1
    +-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.1.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
  +-io.jenkins.plugins:data-tables-api:1.10.21-2
    +-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.0.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
  +-io.jenkins.plugins:plugin-util-api:1.2.5
    +-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.1.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
  +-io.jenkins.plugins:plugin-util-api:1.2.5
    +-edu.hm.hafner:codingstyle:1.4.0
      +-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.1.2
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
  +-io.jenkins.plugins:bootstrap4-api:4.5.2-1
    +-io.jenkins.plugins:popper-api:1.16.0-6
      +-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.0.0
and
+-io.jenkins.plugins:forensics-api:0.8.0-SNAPSHOT
  +-io.jenkins.plugins:echarts-api:4.9.0-1
    +-edu.hm.hafner:echarts-build-trends:2.0.0
      +-com.github.spotbugs:spotbugs-annotations:3.1.11 (managed) <-- com.github.spotbugs:spotbugs-annotations:4.0.2
]

Member Author

It’s because of cross dependencies on a lot of them as far as I can tell

Once this is released then it needs to go to the more meta ones first like plugin util api and it should sort itself out

<jenkins.version>${jenkins.baseline}.2</jenkins.version>
<java.level>8</java.level>
<spotbugs.failOnError>false</spotbugs.failOnError>
<codingstyle.config.version>1.6.0</codingstyle.config.version>

<!-- Library Dependencies Versions -->
<error-prone.version>2.4.0</error-prone.version>
<spotbugs.annotations>4.1.3</spotbugs.annotations>
<slf4j.version>1.7.30</slf4j.version>

<!-- Test Library Dependencies Versions -->
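Review bot: the `jenkins.baseline` change from 2.204 to 2.249 (with `jenkins.version` moving from `${jenkins.baseline}.6` to `${jenkins.baseline}.2`) raises the minimum Jenkins core for anything built from this pom, while the PR title only announces a SpotBugs tooling change. Either keep the baseline where it was and resolve the SpotBugs version separately, or add a comment next to `<jenkins.baseline>` stating why the newer core is required, so the runtime requirement is not read as an accidental side effect of a static-analysis update.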
Expand All @@ -46,7 +45,6 @@
<pmd.version>6.28.0</pmd.version>
<maven-checkstyle-plugin.version>3.1.1</maven-checkstyle-plugin.version>
<checkstyle.version>8.36.2</checkstyle.version>
<spotbugs-maven-plugin.version>4.1.3</spotbugs-maven-plugin.version>
<findsecbugs-plugin.version>1.10.1</findsecbugs-plugin.version>
<jacoco-maven-plugin.version>0.8.6</jacoco-maven-plugin.version>
<maven-surefire.plugin>3.0.0-M4</maven-surefire.plugin>
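Review bot: `findsecbugs-plugin.version` stays pinned at 1.10.1 in this block while the `spotbugs-maven-plugin.version` line beside it is removed, so the security detectors and the SpotBugs engine they plug into are now versioned in two different places. Suggest a comment on the `findsecbugs-plugin.version` line saying it has to be re-checked whenever the parent version changes; with `spotbugs.failOnError` set to `false` in the properties above, a change in what the analysis reports after a parent bump would not fail the build.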
Expand Down Expand Up @@ -120,11 +118,6 @@
<dependencies>

<!-- Project Dependencies -->
<dependency>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-annotations</artifactId>
<version>${spotbugs.annotations}</version>
</dependency>
<dependency>
<groupId>com.google.errorprone</groupId>
<artifactId>error_prone_annotations</artifactId>
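Review bot: the whole `spotbugs-annotations` `<dependency>` element under `<!-- Project Dependencies -->` is removed, not just its `<version>` line, so the artifact has to be declared, not merely version-managed, somewhere up the parent chain for annotated code to keep compiling. If the parent only manages the version, keep the `<groupId>`/`<artifactId>` pair here and drop only `<version>${spotbugs.annotations}</version>`. The RequireUpperBoundDeps output quoted in the thread shows 3.1.11 being managed against 4.x requests, so the expected resolved version is worth stating in the PR description.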
Expand Down Expand Up @@ -413,7 +406,6 @@
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<version>${spotbugs-maven-plugin.version}</version>
<executions>
<execution>
<id>run-spotbugs</id>
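Review bot: `spotbugs-maven-plugin` is now declared with no `<version>` ahead of its `run-spotbugs` execution, which is only sound if the parent's plugin management supplies one; Maven warns about an unversioned plugin rather than failing the build. Suggest guarding this with the enforcer's `requirePluginVersions` rule, or leaving a comment on the plugin that its version comes from the `org.jenkins-ci.plugins:plugin` parent.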