
unexpected behavior on scope #69

Open
zhaolida98 opened this issue Feb 21, 2022 · 4 comments

Comments

@zhaolida98

Hi, I am trying to use -Dossindex.scope to filter the output, but I found the function behavior unexpected. So I made an example project which includes all scopes (except system and import).

com.sca.example:scope:jar:1.0
+- org.springframework:spring-web:jar:5.3.7:compile
|  +- org.springframework:spring-beans:jar:5.3.7:compile
|  \- org.springframework:spring-core:jar:5.3.7:compile
+- javax.servlet.jsp:jsp-api:jar:2.1:runtime
+- org.apache.servicemix.bundles:org.apache.servicemix.bundles.spring-core:jar:5.3.9_1:provided
|  \- org.springframework:spring-jcl:jar:5.3.9:compile
\- junit:junit:jar:3.8.1:test

I found that when I type the following command: mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -Dossindex.fail=false -Dossindex.reportFile=target/audit-report.json -Dossindex.scope=test
None of the components are filtered from the report. This is unexpected, because I think only "test" scope components should be left.

I did one more test, when I change the command to mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -Dossindex.fail=false -Dossindex.reportFile=target/audit-report.json -Dossindex.scope=compile
only the following components are included

    "org.springframework:spring-beans:jar:5.3.7:compile"
    "org.springframework:spring-web:jar:5.3.7:compile"
    "org.springframework:spring-core:jar:5.3.7:compile"
    "org.apache.servicemix.bundles:org.apache.servicemix.bundles.spring-core:jar:5.3.9_1:provided"
    "org.springframework:spring-jcl:jar:5.3.9:compile"

This is also not expected, because "provided" component is inside. Why is that? How does this function work? Did I do it wrong?

@jdillon
Collaborator

jdillon commented Feb 21, 2022

The ossindex.scope value, when present, is used as input to the CumulativeScopeArtifactFilter, which generates a filtering behavior as documented here:

"allows the accumulation of multiple scopes and their associated implied scopes", where the "implied scopes" bit seems to be what is causing confusion.

When you limit the scope to "compile" there is an implied "provided" scope, so -Dossindex.scope=compile would include dependencies with <scope>compile</scope> and <scope>provided</scope> and no other scopes.

More generally, the ossindex.scope value is used to configure dependency resolution in the same way that Maven normally would to generate compile, test and runtime classpaths from dependencies.

@zhaolida98
Author

So you mean by "implied scopes", a scope name may actually contain multiple available scopes. Here are some findings:

  • runtime include scope gives runtime and compile dependencies,
  • compile include scope gives compile, provided, and system dependencies,
  • test include scope gives all dependencies (equivalent to default),
  • provided include scope just gives provided dependencies,
  • system include scope just gives system dependencies.

Is this the "implied scope" rule you are using?

@jdillon
Collaborator

jdillon commented Feb 23, 2022

@zhaolida98 yes, that sounds roughly like the same thing that is documented here:

The ossindex.scope mechanism works just like the default scope mechanism used by Maven to compute class-paths for various use.

For example, computing compile scope (i.e. everything needed to compile the .java files into .class files for the main module output) would include <scope>compile, <scope>provided and <scope>system. It would not include <scope>test or <scope>runtime, as neither of those is used to compile the main module classes.

Maybe this helps more than the official docs?
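To make the implied-scope rule from the two comments above concrete, here is an added example (not the ossindex-maven-plugin's own code, and not part of this thread): a small Python model that parses the dependency tree from the issue report and applies the scope expansion as stated here (compile implies provided and system, runtime implies compile, test implies everything, provided and system stand alone). The IMPLIED_SCOPES table is an assumption taken from the comments, not read from Maven; the tree text is the one posted in the issue.

```python
"""Model of the Maven-style 'implied scope' filtering discussed in this thread.

Constructed example, not the ossindex-maven-plugin's own code. IMPLIED_SCOPES
is the rule as stated in the thread (an assumption, not read from Maven), and
DEPENDENCY_TREE is the mvn dependency:tree output posted in the issue.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Scope requested via -Dossindex.scope -> set of dependency scopes it resolves to.
IMPLIED_SCOPES: dict[str, frozenset[str]] = {
    "compile": frozenset({"compile", "provided", "system"}),
    "runtime": frozenset({"compile", "runtime"}),
    "test": frozenset({"compile", "provided", "system", "runtime", "test"}),
    "provided": frozenset({"provided"}),
    "system": frozenset({"system"}),
}

# Dependency tree copied from the issue report (root project line has no scope).
DEPENDENCY_TREE = """\
com.sca.example:scope:jar:1.0
+- org.springframework:spring-web:jar:5.3.7:compile
|  +- org.springframework:spring-beans:jar:5.3.7:compile
|  \\- org.springframework:spring-core:jar:5.3.7:compile
+- javax.servlet.jsp:jsp-api:jar:2.1:runtime
+- org.apache.servicemix.bundles:org.apache.servicemix.bundles.spring-core:jar:5.3.9_1:provided
|  \\- org.springframework:spring-jcl:jar:5.3.9:compile
\\- junit:junit:jar:3.8.1:test
"""


@dataclass(frozen=True)
class Dependency:
    group_id: str
    artifact_id: str
    packaging: str
    version: str
    scope: str

    @property
    def coords(self) -> str:
        """Full coordinate string as it appears in the audit report."""
        return f"{self.group_id}:{self.artifact_id}:{self.packaging}:{self.version}:{self.scope}"


# Tree-drawing prefix in front of each coordinate line: '+- ', '|  ', '\- '.
_TREE_PREFIX = re.compile(r"^[|+\\ -]*")


def parse_tree(text: str) -> list[Dependency]:
    """Turn dependency:tree output into Dependency records, skipping the root."""
    deps: list[Dependency] = []
    for line in text.splitlines():
        coords = _TREE_PREFIX.sub("", line).strip()
        parts = coords.split(":")
        if len(parts) != 5:  # root project (4 fields) or blank line: not a dependency
            continue
        deps.append(Dependency(*parts))
    return deps


def filter_by_scope(deps: list[Dependency], requested: str) -> list[Dependency]:
    """Keep dependencies whose scope is implied by the requested scope."""
    if requested not in IMPLIED_SCOPES:
        raise ValueError(f"unknown scope {requested!r}; expected one of {sorted(IMPLIED_SCOPES)}")
    allowed = IMPLIED_SCOPES[requested]
    return [d for d in deps if d.scope in allowed]


def audit_scope(requested: str, tree: str = DEPENDENCY_TREE) -> list[str]:
    """Coordinates that would survive -Dossindex.scope=<requested> under this model."""
    return [d.coords for d in filter_by_scope(parse_tree(tree), requested)]


if __name__ == "__main__":
    for scope in ("test", "compile", "runtime", "provided"):
        print(f"-Dossindex.scope={scope}")
        for c in audit_scope(scope):
            print("   ", c)
```

Running it reproduces both observations from the issue: scope=test keeps all seven components (nothing filtered), and scope=compile keeps the five components listed above, including the provided one, while dropping the runtime and test entries.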

@zhaolida98
Author

BTW, I would like to know if you provide any remediation or license information? I couldn't see relative terms in audit-report.json
