BOMs should be locked

[maximeq95]

In the holy quest of the hermetic/offline build started with :

• feat: Include <parent> data in lockfile #1439
• No "resolved" field in <parent> #1477
  the BOMs should be locked (with a resolved field).

Those dependencies are typically in a <parent> pom under the dependencyManagement, they have type<type>pom</type> and scope <scope>import</scope> :

 <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.somegroup</groupId>
        <artifactId>someartefact</artifactId>
        <version>1.0.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
  </dependencies>
</dependencyManagement>

Even though a child project does not use the dependency, maven will check if the BOMs are present in the .m2 directory (mvn package -o -nsu -Dmaven.repo.local=.m2) and currenty, it fails.

[LogFlames]

Hi @maximeq95 ,

Thank you for the issue! (And huge apologies for my late response!)

I fully agree these should be recorded in the lockfile. I think hermetic builds is a good benchmark that everything that affects the build is (or hopefully will be) included.

Does maven check specifically for Pom and/or import? Or could these be of any type and scope? That is, would the whole decency tree of the parent Pom need to be locked?

We also need to design how to implement this in the lockfile. Maybe each POM should get its own dependency list? Or we start the decency tree from the root Pom, however, the child poms are not necessarily dependencies of the parent Poms. The goal would be to create an intuitive layout of all dependencies. Any input/suggestion is very welcome!

[maximeq95]

Hi,

Thank you for your answer :)

To build a project, maven builds an effective pom, it is a requirement.
The documentation is here : https://maven.apache.org/ref/3.9.12/maven-model-builder/

It is written that it needs dependency management import (for dependencies of type pom and scope import in the <dependencyManagement> section) and it does it for all the parent chain ( parent resolution until super-pom )

Let's say you have a parent pom that contains

 <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.random</groupId>
        <artifactId>my-useless-bom</artifactId>
        <version>1.0.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
  </dependencies>
</dependencyManagement>

In your useless bom's pom you have

 <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.evenmorerandom</groupId>
        <artifactId>my-random-lib</artifactId>
        <version>3.1.4</version>
      </dependency>
  </dependencies>
</dependencyManagement>

In your child project depending on the parent pom, you don't have dependencies on any of those random things.

You can do what maven will do in a maven build : mvn help:effective-pom -Doutput=effective-pom.xml

You will see appear in effective-pom.xml (although you never asked for it and don't need it)

 <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.evenmorerandom</groupId>
        <artifactId>my-random-lib</artifactId>
        <version>3.1.4</version>
      </dependency>
  </dependencies>
</dependencyManagement>

If you do mvn clean install on your project, and you check :
.m2/repository/org/random/ you will see the bom which is a .pom file (because it is necesary for building the effective pom).
.m2/repository/org/evenmorerandom/ you won't see this dependency because you don't need it, it is just that it appears in the effective pom because your parent pom references a bom that references it.

So, I think we just need to lock :

• all the boms of the parent, and its parent and so on.
• the boms imported by boms.

A bom is :

• in the dependency management section
• of type pom
• of scope import

I couldn't find any bom with a parent.

We don't need to lock the dependencies of the boms, we just need their names to appear in the dependencyManagement of our effective pom.

So for the layout I think that we should add boms in the lockfile.
boms would contain :

• resolvedUrl
• groupId
• artifactId
• version
• checksumAlgorithm
• checksum
• boms

boms can be located only in pom or in parent or in boms

I think this field makes sense because with maven 4 there is a new field <packaging>bom</packaging> : https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms (As for now I never worked with maven 4).

In the end we would just lock pom files : the boms.