Dependency scanning fails for projects using parent POM not in Maven Central
The dependency scanning phase of Auto DevOps fails for Maven projects if a project POM uses a parent POM not found in Maven Central.
A reproduction of the bug can be found in this repository - https://gitlab.com/fcbrooks/maven-dependency-scan-bug.
The resolution of issue #11166 (closed) introduced the ability to define additional Maven opts via the MAVEN_CLI_OPTS environment variable, but it only applies those options to the command that does the build of the project. The dependency scan is failing at the prior step when the gemnasium plugin is resolved. A project that uses a POM outside of Central will fail at this point, I suspect because Maven is trying to build the effective POM for the current build context and cannot do so without the parent POM.
I will be submitting an MR for consideration that applies the Maven options provided via the MAVEN_CLI_OPTS env var to all invocations of Maven.
Additionally, it was brought up that it is often difficult to tell what the defaults are for the MAVEN_CLI_OPTS and that specifying these may be overriding a default (such as -DskipTest).
Implementation plan
- add MAVEN_CLI_OPTS to gemnasium-maven-plugin invocations (gemnasium-maven/!21)
- document MAVEN_CLI_OPTS defaults as per #37963 (comment 263109514) (!22126 (merged))
- tag new version (v2.7.0) of gemnasium-maven