
Maven BOM dependencies in Gradle

Given that there is a BOM listed in the dependency management of a Maven project Foo like this:

<dependency>
    <groupId>someGroup</groupId>
    <artifactId>someArtifact-bom</artifactId>
    <version>1.0-SNAPSHOT</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>

but this BOM only comes into play for a test dependency in a sub-module.

<dependency>
    <groupId>someGroup</groupId>
    <artifactId>someArtifact</artifactId>
    <scope>test</scope>
</dependency>

The artifact declared in the BOM and the BOM itself are only available by declaring an additional repository.

If I create a new Maven project and declare the dependency on Foo, it gets resolved.

In case I define the very same dependency on Foo in a Groovy project

repositories {
  mavenCentral()
}

dependencies {
  implementation("myOrg:Foo:1.0")
}

the resolution fails with

- Could not resolve myOrg:Foo-parent:1.0.
  - Could not parse POM <mvn-central>/myOrg/Foo-parent-1.0.pom:
    - Could not find someGroup:someArtifact-bom:1.0-SNAPSHOT.

...because it does not exist on Central.

Of course it can easily be solved by adding the repository, if accessible from the user's project, or by putting the BOM and its declared artifacts on Central.

I wonder if there is another approach that I couldn't come up with to avoid this problem in the future. An exclude on the dependency definition does not work for BOMs. I can understand this behaviour because a BOM is not a real module.

Just for completeness: after a correct resolve there is no dependency regarding the BOM or its artifact in my project. It is really not needed at all.

To be complete, what you experienced with Gradle looks like the expected behaviour to me.

Gradle will not dynamically add repositories defined by dependencies. This is because it can become a security risk, where an added repository could attempt to shadow popular packages with poisoned artifacts. So the right solution in Gradle is to add the extra repository when required.

With a number of changes that went into how Gradle interprets BOMs and loads Maven POM files, it could very well be that, since the BOM is not required, more recent Gradle versions will happily ignore it.

But the root problem, transitively adding random repositories, will not be done by any Gradle version.
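The answer above says the right fix is to add the extra repository yourself. The build script below is an added example, not code from the question or the answer, showing how to do that while limiting the risk the answer describes: Gradle's `exclusiveContent` restricts the added repository to the groups that actually live there and stops other repositories from being consulted for those groups, so the extra repository cannot be used to shadow artifacts that should only come from Maven Central. The repository name and URL are placeholders; the coordinates `myOrg:Foo:1.0` and `someGroup` are taken from the question.

```groovy
// build.gradle (added example; not from the original question or answer)
plugins {
    id 'java-library'
}

repositories {
    // Maven Central stays the source for everything not claimed below.
    mavenCentral()

    // Extra repository that hosts someGroup:someArtifact-bom and someGroup:someArtifact.
    // exclusiveContent does two things:
    //   1. this repository is only asked for the groups listed in the filter, and
    //   2. no other repository (including Central) is asked for those groups.
    // Together that prevents the added repository from serving a "poisoned" copy
    // of a popular package that should only come from Central.
    exclusiveContent {
        forRepository {
            maven {
                name = 'someGroupRepo'                       // assumed name
                url = 'https://repo.example.invalid/maven'   // placeholder URL
            }
        }
        filter {
            includeGroup 'someGroup'
        }
    }
}

dependencies {
    implementation 'myOrg:Foo:1.0'
}
```

`exclusiveContent` requires Gradle 6.2 or newer. On Gradle 5.1 to 6.1 the same restriction on the extra repository (though without also excluding Central for that group) can be expressed with a `content { includeGroup 'someGroup' }` block inside the `maven { ... }` declaration.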

Thanks to the comment of Corneil du Plessis I took a deeper look, trying out different Gradle versions, and a newer one fixed the problem. Going back later to the original version that made me aware of the problem (5.2.1), it kept resolving the dependency without any error.

To be really sure, I cleared the local Gradle caches and re-ran the build with success.

Since I cannot reproduce the issue anymore with either 5.x or 6.x, I am pretty sure that this was related to the cache and the history of Gradle on my machine.

I think it makes sense to answer my question myself instead of just closing it, to leave the information here.
