Missing support for DependencyManagement in EnforceVersionsMojo #118

@lexemmens

Description

The EnforceVersionsMojo currently provides no/insufficient support for the POM's DependencyManagement section. This leads to (at least) two different issues with this plugin that still allow projects/modules to depend on SNAPSHOT versions when this Mojo is executed:

  1. POM files that are effectively a Bill of Materials (BOM) and only list dependencies using DependencyManagement can still point to SNAPSHOT versions. Therefore, when depending on a released version of a BOM, one cannot simply assume that all underlying dependencies are also released.

  2. Projects that refer to a BOM with scope import using DependencyManagement may refer to a SNAPSHOT version of that BOM (although the BOM itself may refer to released versions).

The former can be solved by evaluating the project's DependencyManagement section by calling getDependencyManagement() on the project and its collected projects.

The latter requires evaluating the POM file using an XML parser, as the BOM is translated by Maven before the plugins are invoked. Therefore, the Mojo only has access to its resolved dependencies.
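As an added illustration of the raw-POM check described in the second point (example code written for this page, not part of the plugin or of the author's proposal), the following script parses a constructed `pom.xml` text and reports every `dependencyManagement` entry whose version resolves to a `-SNAPSHOT`, flagging `scope=import` BOM entries separately; property substitution is limited to `<properties>` in the same file, so versions inherited from a parent POM are an assumed blind spot of this check.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POM (not from the issue): an import-scoped BOM at a SNAPSHOT
# version, a managed dep whose version is a SNAPSHOT property, and one released entry.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><lib.version>2.3.0-SNAPSHOT</lib.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.example</groupId><artifactId>platform-bom</artifactId>
      <version>5.0.0-SNAPSHOT</version><type>pom</type><scope>import</scope></dependency>
    <dependency><groupId>com.example</groupId><artifactId>lib</artifactId>
      <version>${lib.version}</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>other</artifactId>
      <version>1.4.2</version></dependency>
  </dependencies></dependencyManagement>
</project>"""


def _text(elem, tag, ns):
    """Text of a direct child element, or None when it is absent."""
    child = elem.find(f"{ns}{tag}")
    return child.text.strip() if child is not None and child.text else None


def find_snapshot_managed_deps(pom_xml):
    """Return (groupId:artifactId, resolved version, is_import) for each
    dependencyManagement entry ending in -SNAPSHOT, read from the raw POM text."""
    root = ET.fromstring(pom_xml)
    # Derive the namespace from the root tag so POMs without xmlns also work.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    props = {p.tag[len(ns):]: (p.text or "").strip()
             for p in root.findall(f"{ns}properties/*")}

    def resolve(version):
        # Only ${...} placeholders defined in this POM are substituted; values from
        # a parent POM or the command line are not visible here (assumed limitation).
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), version)

    hits = []
    path = f"{ns}dependencyManagement/{ns}dependencies/{ns}dependency"
    for dep in root.findall(path):
        version = _text(dep, "version", ns)
        if version is None:  # inherited from a parent: cannot be judged from this file
            continue
        version = resolve(version)
        if version.endswith("-SNAPSHOT"):
            ga = f"{_text(dep, 'groupId', ns)}:{_text(dep, 'artifactId', ns)}"
            hits.append((ga, version, _text(dep, "scope", ns) == "import"))
    return hits
```

Running `find_snapshot_managed_deps(SAMPLE_POM)` flags the imported BOM and the property-driven managed dependency but not the released `other` entry.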
