Properties used in Maven dependencyManagement not picked up correctly #2025

Closed
wollefitz opened this issue Feb 24, 2020 · 4 comments · Fixed by #6581
Labels
L: java:maven Maven packages via Maven T: bug 🐞 Something isn't working

Comments

@wollefitz

Dependabot doesn't correctly pick up versions that are stored in Maven properties and used in dependencyManagement sections. I created a sample repository to analyze the issue a little more in-depth.

  • When letting Dependabot run on the repository's master branch (no effective dependencies, just a dependencyManagement block) I'm getting the following error:
Dependabot can't evaluate your Java dependency files.

As a result, Dependabot couldn't check whether any of your dependencies are out-of-date.

The error Dependabot encountered was:

Property not found: project.version.spring-boot

See also this issue Dependabot created

updater | INFO <job_24269133> Checking if org.springframework.boot:spring-boot-starter-web  needs updating
  proxy | 2020/02/24 11:41:40 GET https://repo1.maven.org:443/maven2/org/springframework/boot/spring-boot-starter-web/maven-metadata.xml
  proxy | 2020/02/24 11:41:40 200 https://repo1.maven.org:443/maven2/org/springframework/boot/spring-boot-starter-web/maven-metadata.xml
  proxy | 2020/02/24 11:41:40 GET https://repo.maven.apache.org:443/maven2/org/springframework/boot/spring-boot-starter-web/maven-metadata.xml
  proxy | 2020/02/24 11:41:40 200 https://repo.maven.apache.org:443/maven2/org/springframework/boot/spring-boot-starter-web/maven-metadata.xml
  proxy | 2020/02/24 11:41:40 HEAD https://repo1.maven.org:443/maven2/org/springframework/boot/spring-boot-starter-web/2.2.4.RELEASE/spring-boot-starter-web-2.2.4.RELEASE.jar
  proxy | 2020/02/24 11:41:40 200 https://repo1.maven.org:443/maven2/org/springframework/boot/spring-boot-starter-web/2.2.4.RELEASE/spring-boot-starter-web-2.2.4.RELEASE.jar
updater | INFO <job_24269133> Latest version is 2.2.4.RELEASE
updater | INFO <job_24269133> No update needed for org.springframework.boot:spring-boot-starter-web 
  • I first suspected that using spring-boot-dependencies was the reason for Dependabot not picking up the latest version. But when letting Dependabot run against a branch where I added an effective dependency to lombok that could be picked up directly from the dependencyManagement block I'm still getting the same error:
updater | INFO <job_24269470> Checking if org.projectlombok:lombok  needs updating
  proxy | 2020/02/24 11:57:02 GET https://repo1.maven.org:443/maven2/org/projectlombok/lombok/maven-metadata.xml
  proxy | 2020/02/24 11:57:02 200 https://repo1.maven.org:443/maven2/org/projectlombok/lombok/maven-metadata.xml
  proxy | 2020/02/24 11:57:02 GET https://repo.maven.apache.org:443/maven2/org/projectlombok/lombok/maven-metadata.xml
  proxy | 2020/02/24 11:57:02 200 https://repo.maven.apache.org:443/maven2/org/projectlombok/lombok/maven-metadata.xml
  proxy | 2020/02/24 11:57:02 HEAD https://repo1.maven.org:443/maven2/org/projectlombok/lombok/1.18.12/lombok-1.18.12.jar
  proxy | 2020/02/24 11:57:02 200 https://repo1.maven.org:443/maven2/org/projectlombok/lombok/1.18.12/lombok-1.18.12.jar
updater | INFO <job_24269470> Latest version is 1.18.12
updater | INFO <job_24269470> No update needed for org.projectlombok:lombok 
@wollefitz wollefitz changed the title Maven Properties not picked up correctly in dependencyManagement Properties used in dependencyManagement not picked up correctly (Maven) Feb 24, 2020
@wollefitz wollefitz changed the title Properties used in dependencyManagement not picked up correctly (Maven) Properties used in Maven dependencyManagement not picked up correctly Feb 24, 2020
@infin8x infin8x transferred this issue from dependabot/feedback Jun 29, 2020
@jurre jurre added L: java:maven Maven packages via Maven T: bug 🐞 Something isn't working labels Nov 26, 2021
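
A way to check locally which `dependencyManagement` versions depend on a property and whether that property resolves, as an added example (not code from Dependabot or from the reporter's repository). The POM is constructed; only the property name `project.version.spring-boot` comes from the error above. The helper names are hypothetical, and it reads only the `<properties>` of a single file: no parent POMs, profiles, or Maven built-ins.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed sample POM (assumption: NOT the contents of the reporter's repository).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <project.version.spring-boot>2.2.2.RELEASE</project.version.spring-boot>
    <lombok.base>1.18</lombok.base>
    <lombok.version>${lombok.base}.10</lombok.version>
  </properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-dependencies</artifactId>
      <version>${project.version.spring-boot}</version></dependency>
    <dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId>
      <version>${lombok.version}</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>internal-lib</artifactId>
      <version>${missing.version}</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

def resolve(value, props, seen=()):
    """Expand ${name} from <properties>; None if a name is undefined or cyclic."""
    for name in PLACEHOLDER.findall(value):
        if name not in props or name in seen:
            return None
        inner = resolve(props[name], props, seen + (name,))
        if inner is None:
            return None
        value = value.replace("${" + name + "}", inner)
    return value

def managed_versions(pom_xml):
    """Map 'group:artifact' -> (declared, resolved) per dependencyManagement entry."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    out = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        coord = dep.findtext("m:groupId", "", NS) + ":" + dep.findtext("m:artifactId", "", NS)
        declared = (dep.findtext("m:version", "", NS) or "").strip()
        out[coord] = (declared, resolve(declared, props))
    return out

if __name__ == "__main__":
    for coord, (declared, resolved) in managed_versions(SAMPLE_POM).items():
        print(f"{coord} {declared} -> {resolved or 'UNRESOLVED'}")
```

Entries reported as `UNRESOLVED` are the ones whose pinned version an update tool cannot compare against the latest release from this file alone, so they are worth reviewing by hand.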
@jurre
Member

jurre commented Nov 26, 2021

It looks like this issue has been open for a while and we’ve made a bunch of improvements to Dependabot since. Is this still happening, or has this problem been resolved and can we close this issue?

@jeffwidman
Member

Closing due to lack of user response.

@jeffwidman jeffwidman closed this as not planned Won't fix, can't repro, duplicate, stale Feb 2, 2023
@wollefitz
Author

wollefitz commented Feb 2, 2023

@jeffwidman Sorry for the late response, I missed the last comment. I just checked the above-mentioned sample repo again and can confirm that the issue still persists, see this log:


updater | INFO <job_594304459> Starting job processing
updater | INFO <job_594304459> Starting update job for wollefitz/dependabot-maven-properties
updater | INFO <job_594304459> Checking if org.projectlombok:lombok  needs updating
  proxy | 2023/02/01 17:02:46 [010] GET https://repo1.maven.org:443/maven2/org/projectlombok/lombok/maven-metadata.xml
  proxy | 2023/02/01 17:02:46 [010] 200 https://repo1.maven.org:443/maven2/org/projectlombok/lombok/maven-metadata.xml
  proxy | 2023/02/01 17:02:46 [012] HEAD https://repo1.maven.org:443/maven2/org/projectlombok/lombok/1.18.24/lombok-1.18.24.jar
  proxy | 2023/02/01 17:02:46 [012] 200 https://repo1.maven.org:443/maven2/org/projectlombok/lombok/1.18.24/lombok-1.18.24.jar
updater | INFO <job_594304459> Latest version is 1.18.24
updater | INFO <job_594304459> No update needed for org.projectlombok:lombok 
updater | INFO <job_594304459> Checking if org.springframework.boot:spring-boot-starter-web  needs updating
  proxy | 2023/02/01 17:02:46 [014] GET https://repo1.maven.org:443/maven2/org/springframework/boot/spring-boot-starter-web/maven-metadata.xml
  proxy | 2023/02/01 17:02:46 [014] 200 https://repo1.maven.org:443/maven2/org/springframework/boot/spring-boot-starter-web/maven-metadata.xml
  proxy | 2023/02/01 17:02:46 [016] HEAD https://repo1.maven.org:443/maven2/org/springframework/boot/spring-boot-starter-web/3.0.2/spring-boot-starter-web-3.0.2.jar
  proxy | 2023/02/01 17:02:46 [016] 200 https://repo1.maven.org:443/maven2/org/springframework/boot/spring-boot-starter-web/3.0.2/spring-boot-starter-web-3.0.2.jar
updater | INFO <job_594304459> Latest version is 3.0.2
updater | INFO <job_594304459> No update needed for org.springframework.boot:spring-boot-starter-web 
updater | INFO <job_594304459> Finished job processing

Dependabot is able to deduce the latest versions of the used dependencies but fails to compare them against the versions that are actually used (see https://github.com/wollefitz/dependabot-maven-properties/network/dependencies).

@deivid-rodriguez
Contributor

Just checked #6581 against your sample project and it also fixes this issue 🎉
