gemnasium maven should not trigger a full maven build
Problem to solve
gemnasium-maven, which scans maven dependencies, currently executes a maven install command because the gemnasium-maven-plugin requires it for multi-module maven projects.
- This creates a hard requirement on the scanner image (jdk version, ...) as it must be able to build the application code.
- This slows down the dependency scanning process.
- This wastes resources on compiling and packaging.
- This might require users to set options to disable test execution.
Proposal
The proposal is to decouple the maven dependency scanning from the application build by removing any build requirement during the scan. This can be achieved by a change in the gemnasium-maven-plugin and omitting the maven install command before the scan.
Related issues
Availability & testing
There should be no need for additional tests.
Documentation
The behavior remains the same and the documentation doesn't need to change.
Implementation plan
- Update gemnasium-maven-plugin to use requiresDependencyCollection. #432921 (closed)
- Bump plugin version in gemnasium project. <= This very issue.
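To illustrate the first step of the plan, here is an added example (not the gemnasium-maven-plugin source) of a mojo declared with requiresDependencyCollection, so Maven only builds the dependency graph from the POMs and does not need the module artifacts to have been built. The package, class name and goal name are hypothetical.

```java
package example; // hypothetical package, not the gemnasium-maven-plugin source

import org.apache.maven.artifact.Artifact;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.plugins.annotations.ResolutionScope;
import org.apache.maven.project.MavenProject;

/**
 * Hypothetical mojo that lists the transitive dependencies of each module.
 *
 * requiresDependencyResolution would make Maven resolve every artifact file,
 * which in a multi-module project fails unless sibling modules were built
 * and installed first. requiresDependencyCollection only collects the
 * dependency graph, so no compile or package step is needed before the scan.
 */
@Mojo(name = "list-dependencies",
      requiresDependencyCollection = ResolutionScope.TEST,
      threadSafe = true)
public class ListDependenciesMojo extends AbstractMojo {

    @Parameter(defaultValue = "${project}", readonly = true, required = true)
    private MavenProject project;

    @Override
    public void execute() {
        // With collection only, artifacts carry coordinates and scope,
        // but getFile() may be null: never open the jar itself here.
        for (Artifact a : project.getArtifacts()) {
            String state = a.getFile() == null ? "not resolved" : "resolved";
            getLog().info(String.format("%s:%s:%s scope=%s (%s)",
                    a.getGroupId(), a.getArtifactId(), a.getVersion(),
                    a.getScope(), state));
        }
    }
}
```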
Edited by Fabien Catteau