tags:

views:

92

answers:

5
+3  Q: 

How to find where a library is used across multiple pom files

We have multiple maven projects depending on on our own common libraries.

When we upgrade a library it would be useful to quickly find out which projects have a dependency on the library (and might need to use the new version)

Obviously I can manually look in all the pom files or write a script to do it but this is less than ideal.

Are there any tools that provide this functionality. e.g. a hudson plugin, Nexus, artifactory etc?

EDIT:

Some clarifications:

I don't want to upgrade all projects at once. The regression testing and release effort makes this impractical and often unnecessary (even with automated testing and releasing). I just want a report showing me what may projects may need to have the library upgraded...

Many answers focus around the project itself flagging what version is used. Ideally the solution would work so that for a given library I can ask what uses this. This looks like what the Nexus issue below is talking about.

Hudson does something similar with automated downstream maven builds. I may look into extending this with a hudson plugin.

+2  A: 

I know that albeit being a good tool for managing poms and jars, Artifactory has no such feature you're asking :(

You might want to check this StackOverflow question: http://stackoverflow.com/questions/431332/maven-look-for-new-versions-of-dependencies

Alternatively you might want to check Versions Maven Plugin. Among other things, it allows you to scan trough project's dependencies and produce a report of those dependencies which have newer versions available.

mindas  2010-04-08 10:00:15
+1  A: 

A quite usual practice is to declare all the versions in dependencyManagement of the parent module and reference dependencies without versions everywhere else. In this case you'll only need to update only one POM.

lexicore  2010-04-08 10:55:07
Good advice, and if you want to go a step further, considering putting these dependencies in a "corporate pom": http://www.sonatype.com/people/2008/05/misused-maven-terms-defined/I dislike the name but the technique is pretty darn good.
whaley  2010-04-08 18:48:18
We do not put version declaration to the corporate pom since we run a number of independent projects which use completely different dependencies. I generally won't agree that dependency management in corporate poms is a good practice.
lexicore  2010-04-08 19:19:13
We have a corporate pom - however the problem isn't having to upgrade the dependencies in many locations. In many cases I don't want to upgrade all together. See my edit.
Pablojim  2010-04-08 21:47:01
I understand now. We use dependency graphs (http://confluence.highsource.org/display/MSTP/User+Guide) for similar task. However it assumes that you have a "topmost" artifact (like a distribution) which "heads" the dependency graph.
lexicore  2010-04-08 22:15:23
A: 

Not exactly what you're asking for but the Dependency Convergence report might be helpful. Here are some examples.

Update: I'm aware that I'm not exactly answering the question with my suggestion but doing it the other way (finding all projects that reference a given artifact) would require gathering all POMs of all projects and I'm not aware of a solution currently offering such a referenced by feature (a corporate repository would be the perfect candidate to implement this though).

Pascal Thivent  2010-04-08 15:39:12
A: 

I solved this issue by using dependency version ranges to fetch the newest versions automatically.

  <dependency>
      <groupId>foo.xyzzy</groupId>
      <artifactId>bar</artifactId>
      <version>[1.0.0,2.0.0)</version>
  </dependency>

It might make sense to use a version range such as [1.0,) to include the newest version after 1.0.

The trick to make this work is to have dev and prod profiles that include and exclude the snapshot repos for your commons and to use hudson to automatically build projects when a dependency is re-built.

sal  2010-04-08 15:47:02
I find version ranges very harmful for build stability and reproducibility and consider them as a bad practice. Having a build that suddenly starts to to fail for an unknown reason is extremely annoying, I want control on dependencies. But that's a personal opinion of course.
Pascal Thivent  2010-04-08 17:24:30
@Pascal, I agree with you in general. I use them with one caveat; I set up profiles to restrict which repos are active to avoid the problem of builds _just breaking_ and I would only used them for internal components that will be published to a departmental or company wide repos. I remove the restriction when the dev profile is active.
sal  2010-04-08 19:01:59
Thanks for the answer - see the edit - I don't want upgrade automatically. Some changes will be breaking changes... others will be minor where there is no reason to immediately upgrade, regression test and release all dependencies.
Pablojim  2010-04-08 21:45:40
@sal Oh, I see. Adding explicitly a repository via a profile gives you some control indeed.
Pascal Thivent  2010-04-09 13:01:30
A: 

My search is over: http://www.sonarsource.org/sonar-2-1-in-screenshots/

Sonar now provides this.

Pablojim  2010-05-11 21:31:25

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java