Dependency Management

Every library introduced into the Egeria stack has to be maintained so that the project is using the most current (and, with luck, the most secure) version. In addition, Egeria code is embedded in many different environments, and an unnecessary dependency may not be available in some of them.

For these reasons, the Egeria maintainers keep a very close watch on the project’s dependencies. This page covers the way dependencies are managed in Egeria.

General rules

Understanding dependencies

Running mvn dependency:tree is a useful way to see which dependencies (direct and transitive) a module has, and through which path each transitive one is pulled in. Run it from a module's directory for that module alone, or from the root to list every module.

Adding a new Dependency

After adding the dependency, build with mvn clean install. The build includes checks for correct usage of dependencies, described under Build time checks below.

More on scopes

Many dependencies will be of scope ‘compile’ (used for build and runtime) or ‘test’ (for test tools). Note that compile-scope dependencies are passed on transitively to anything that depends on the module, whereas test-scope dependencies are not, so keep a dependency at the narrowest scope that works to avoid pushing unnecessary libraries onto downstream users. Refer to https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope .

Build time checks

The top-level pom defines checks that are run against the project's dependencies.

If any of these checks fail an appropriate message will be displayed and the build will fail.

In some cases, incompatible versions are reported because of transitive dependencies, that is, a component that the Egeria code does not depend on directly but only through another dependency. Different paths through the dependency graph may resolve to different versions of the same component; Maven picks one of them (the nearest declaration wins), so the build can fail, or a module can end up compiled against one version and run against another. To resolve this, add an entry in <dependencyManagement> in the top-level pom that fixes the version to use, so that every path resolves to the same version.
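The following is an added example of such a pin, not a fragment of the Egeria pom: a minimal parent pom whose <dependencyManagement> section fixes the version of a library that is only reached transitively. The groupId org.example, the artifactId example-lib and the version 2.4.1 are placeholders chosen for the illustration.

```xml
<!-- Added example; not from the Egeria build. org.example:example-lib and
     version 2.4.1 are placeholders (assumption), not a real Egeria dependency. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.example</groupId>
    <artifactId>example-parent</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>pom</packaging>

    <properties>
        <!-- Keep the pinned version in one property so that a CVE fix is a one-line change -->
        <example-lib.version>2.4.1</example-lib.version>
    </properties>

    <dependencyManagement>
        <dependencies>
            <!-- example-lib is not a direct dependency of any module; it is listed here
                 only so that every transitive path resolves to this reviewed version.
                 dependencyManagement fixes the version but does not add the library
                 to any module's classpath. -->
            <dependency>
                <groupId>org.example</groupId>
                <artifactId>example-lib</artifactId>
                <version>${example-lib.version}</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
</project>
```

To confirm which paths were pulling in the conflicting versions, run mvn dependency:tree -Dincludes=org.example:example-lib from the root before and after adding the pin; afterwards, every path should show the managed version. Remember that an entry in <dependencyManagement> only fixes the version: a module that actually needs the library on its classpath must still declare it in its own <dependencies> (without a version, so the managed one applies).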

Security scans

Egeria dependencies are scanned for potential CVEs automatically in two main ways:

The maintainers will review these regularly and action any required changes through issues and pull requests.

Egeria code itself is also scanned for vulnerabilities using Sonar.

Additionally any developer can perform similar checks by running:

mvn clean install -DfindBugs

This runs the scan for each module and writes a report file per module.

Note that the scan may take a long time - an hour or more for all checks.

If running against ALL components (i.e. from the root), an invocation like

MAVEN_OPTS="-Xmx5000M -Xss512M -XX:MaxPermSize=2048M -XX:+CMSClassUnloadingEnabled -XX:+UseConcMarkSweepGC" mvn clean install -DfindBugs 

may be needed because of the memory requirements of a security scan. Note that -XX:MaxPermSize has been ignored since Java 8 (the permanent generation no longer exists) and the CMS collector (-XX:+UseConcMarkSweepGC together with -XX:+CMSClassUnloadingEnabled) was removed in Java 14, so on a current JDK the heap setting (-Xmx) is the part that matters and the JVM will warn about or reject the others depending on its version.

For more information on how potential security issues are handled, see Security Hardening.


License: CC BY 4.0, Copyright Contributors to the ODPi Egeria project.