Pro / Con of using pom.xml vs. central.mvn files for maintaining dependencies in bndtools (MavenBndRepository vs BndPomRepository)

GENERAL
1

Hi,
I would like to use GIthub’s dependabot for analysing our dependencies to get suggestions for updates. (Disclaimer: Newbie here. Just getting started reading into dependabot… not yet tried anything.)

Currently we are using a simple central.mvn text file with MavenBndRepository.

I think about changing to BndPomRepository and maintain the same dependencies in a pom.xml file

Why?

Because, Dependabot seems to understand pom.xml files and is able to updaate them.

Thoughts

Is there any problem with maintaining the same stuff in a pom.xml instead of the flat .mvn file?
Although I like the .mvn format because it is simple and slim. But having a tool like dependabot automatically be able to read a pom.xml would make me prefer the more verbose pom.xml.

I just want to have a single source (file) for the dependencies containing GAV coordinates.

How is MavenBndRepository different from BndPomRepository?
Or would it even be a valid thought to extend MavenBndRepository to support the pom.xml format?

Other ideas?

There also seem to be other options to tell Github the dependencies like submitting your SBOM via an API. A bit overkill IMHO. I’d prefer the simple file we have.

Would be glad to get ideas what you think, how to approach this topic.

Thanks
Christoph

2

I contacted dependabot a couple of years ago to see if I could provide the same framework for the mvn files. They responded but said they could not handle that.

I then added lots of support to the bnd command line with the bnd mbr command to check and update the mvn files.

Your approach to use the pom files would work, it is what IBM does. I’d prefer to spend a bit of effort and provide a bnd Github Action that would work very similar to dependabot. The logic is already in bnd, it would just require a bit of git code. I already made the bnd command line a github action.

If there is a wider interest in this support I can take a look how much work it would be. Contact me if you’d like to expedite this.

3

Thanks a lot. Ah yes the bnd mbr command. You mentioned it recently and I played around with it.
Ok, I guess I play around with pom.xml approach first and see how it feels and then try to familarize with GH Actions.

4

For those interested here is a quick outline using the pom.xml approach with a BndPomRepository to get Github dependabot working.

  1. Please the following file in .github/dependabot.yml
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  - package-ecosystem: "maven" # See documentation for possible values
    directory: "/cnf/pom.xml" # Location of package manifests
    schedule:
      interval: "weekly"

  1. place a pom.xml into your bnd workspace at cnf/pom.xml

  2. Optional: Configure your repository in cnf/build.bnd to use pom.xml instead of central.mvn

-plugin.5.Central: \
	aQute.bnd.repository.maven.pom.provider.BndPomRepository; \
		snapshotUrl=http://repository.apache.org/snapshots/; \
		releaseUrl=https://repo.maven.apache.org/maven2/; \
		pom=${.}/pom.xml; \
		readOnly=true; \
		name="Maven Central"
instead of previously: 
-plugin.5.Central: \
	aQute.bnd.repository.maven.provider.MavenBndRepository; \
		snapshotUrl=http://repository.apache.org/snapshots/; \
		releaseUrl=https://repo.maven.apache.org/maven2/; \
		index=${.}/central.mvn; \
		readOnly=true; \
		name="Maven Central"

To create the pom.xml from my central.mvn file I used the following

quickly hacked Java programm: 

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;

public class MavenDependenciesToPomConverter {

    public static void main(String[] args) {
        String inputFile = "/myproject/cnf/central.maven"; // Replace with your input file path
        String outputFile = "/myproject/cnf/pom.xml"; // Replace with your desired output file path

        try (BufferedReader reader = new BufferedReader(new FileReader(inputFile));
             BufferedWriter writer = new BufferedWriter(new FileWriter(outputFile))) {

            writePomHeader(writer);

            String line;
            while ((line = reader.readLine()) != null) {
                if (!line.trim().startsWith("#") && !line.trim().isEmpty()) {
                    String[] parts = line.split(":");
                    if (parts.length == 3) {
                        writeDependency(writer, parts[0], parts[1], parts[2]);
                    }
                    else if (parts.length == 4) {
                        // e.g. com.zaxxer:SparseBitSet:jar:1.2
                        writeDependency(writer, parts[0], parts[1], parts[3]);
                    }
                    else if (parts.length == 5) {
                        // e.g. org.jacoco:org.jacoco.agent:jar:runtime:0.8.10
                        writeDependency(writer, parts[0], parts[1], parts[4]);
                    }
                }
            }

            writePomFooter(writer);

        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    private static void writePomHeader(BufferedWriter writer) throws IOException {
        writer.write("<project xmlns=\"http://maven.apache.org/POM/4.0.0\"\n");
        writer.write("         xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n");
        writer.write("         xsi:schemaLocation=\"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd\">\n");
        writer.write("    <modelVersion>4.0.0</modelVersion>\n");
        writer.write("    <groupId>your.groupid</groupId>\n");
        writer.write("    <artifactId>your-artifactid</artifactId>\n");
        writer.write("    <version>1.0-SNAPSHOT</version>\n");
        writer.write("    <dependencies>\n");
    }

    private static void writeDependency(BufferedWriter writer, String groupId, String artifactId, String version) throws IOException {
        writer.write("        <dependency>\n");
        writer.write("            <groupId>" + groupId + "</groupId>\n");
        writer.write("            <artifactId>" + artifactId + "</artifactId>\n");
        writer.write("            <version>" + version + "</version>\n");
        writer.write("        </dependency>\n");
    }

    private static void writePomFooter(BufferedWriter writer) throws IOException {
        writer.write("    </dependencies>\n");
        writer.write("</project>\n");
    }
}

  1. push that to github and merge to main branch

  2. once you enable e.g. Security Updates for Dependabot it starts doing its work and you can filter the alerts e.g. with is:open ecosystem:Maven

5

This would be cool…

I think the approach @chrisrueger is taking will work, but i really like the concise mvn format.

1 Like
6

@pkriens is it possible e.g. with the -generate or another instruction to execute a small java class (like my hack above) which takes the .mvn file and creates a pom.xml out of it and places it somewhere.
the resulting pom.xml we would just commit to git as well.

Why the heck?
This little workaround is what I am basically doing by hand right now. We are just feeding dependabot something it understands. Pretty useful just to do some dependency cleanup.
We then carefully take the bot suggestions and manually edit the .mvn file (since we needed to test the new deps anyway before they go to main branch).

Maybe not something people usually do but at the moment it fits our workflow.
So basically I would like to know if I could leverage bndtools to create the pom.xml by running the javacode I currently run manually in eclipse.

7

The -generate could work but it feels very roundabout.

I think the easiest solution is to switch to BndPomRepository. It should be mostly ok and it is not that hard to add the missing features. And the PR’s from Dependabot work immediately. I think your outline is a tad too complex for my comfort and seems quite fragile.

We could add your pom generation code to the MavenBndRepository so that it will automatically sync to a pom.xml file. However, the idea that the PR’s then need to be mapped back to the GAVs seems much more work than going for the BndPomRepository. Keep it simple.

8

Hehe thanks for your input… yeah I was still in “workaround mode” :slight_smile:

Yes I will try go the BndPomRepository route and help with PRs if possible.
Edit: Created PR