AssertDepend Maven Plugin

Introduction

The AssertDepend plugin is a Maven extension for effective technology management. At build time it checks the project's dependencies against lifecycle states defined in metadata on remote repositories and informs the developer about inappropriate technology usage (dependency enforcement). Depending on a configuration flag, the build either fails or prints a warning.

The plugin has been proposed to the Maven community; see the proposal.

Technology management benefits and means

The capability to manage dependencies and technologies at a mature level is essential for software organizations of a certain size. Technology management becomes a key discipline and must be introduced carefully so that it benefits all of its stakeholders, including developers, management, and customers.

Artifact lifecycle management

To perform effective technology management, you should keep the number of approved artifacts as small as possible. At the same time you cannot simply remove artifacts from the repository, because that would break reproducible builds of projects that already depend on them. Therefore, each artifact in the repository should instead be marked with a corresponding lifecycle state.

The proposed main states are:

  • approved
  • prohibited
  • investigating

Use cases

Consider the following sample use cases:

Scenario 1: Flawed versions

It turns out that my-app-1.4.2.jar contains a serious security issue and is therefore flawed. Clients of this JAR should switch to the newer version my-app-1.4.3.jar, which fixes the issue and is safe to use.

Scenario 2: Decommissioning

Let's assume that my-app-1.4.2.jar is no longer supported and projects should switch to a new release stream (my-app-2.x.y.jar).

Scenario 3: Restricted usage

Consider a library with a restricted set of client projects, i.e. only certain projects are allowed to depend on a specific artifact.

On one hand, this lifecycle information can be used to manage a repository more restrictively, which is what makes technology management possible in the first place. On the other hand, when a developer tries to depend on an artifact that is not allowed, Maven can perform checks during the build lifecycle and warn the user about inappropriate technology usage (dependency enforcement). Depending on a configuration flag, the build either fails or prints a warning.
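The following is an added illustration of such a build-time check and is not the AssertDepend plugin's own code. It assumes a simple line-based metadata format, the field names successor and clients, and a failOnViolation flag; none of these are defined by this page. Scenario 2 is shown with a constructed version 1.3.0 so that it does not collide with the flawed 1.4.2 of Scenario 1, and an artifact with no recorded lifecycle state is treated as not approved, which is also an assumption.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class LifecycleCheck {

    /** The three main lifecycle states proposed above. */
    enum State { APPROVED, PROHIBITED, INVESTIGATING }

    /** Lifecycle metadata for one artifact coordinate (groupId:artifactId:version). */
    static final class Lifecycle {
        final State state;
        final String successor;            // recommended replacement, null if none (assumed field)
        final Set<String> allowedClients;  // empty set = any project may use it (assumed field)

        Lifecycle(State state, String successor, Set<String> allowedClients) {
            this.state = state;
            this.successor = successor;
            this.allowedClients = allowedClients;
        }
    }

    /**
     * Parses the constructed metadata format used in this example (an assumption,
     * not the plugin's real format): one line per artifact,
     *   coordinate=state[;successor=coordinate][;clients=projectA,projectB]
     * Blank lines and lines starting with '#' are ignored.
     */
    static Map<String, Lifecycle> parseMetadata(String text) {
        Map<String, Lifecycle> result = new LinkedHashMap<>();
        for (String raw : text.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            int eq = line.indexOf('=');
            String coordinate = line.substring(0, eq).trim();
            String[] fields = line.substring(eq + 1).split(";");
            State state = State.valueOf(fields[0].trim().toUpperCase());
            String successor = null;
            Set<String> clients = new HashSet<>();
            for (int i = 1; i < fields.length; i++) {
                String[] kv = fields[i].split("=", 2);
                if (kv[0].trim().equals("successor")) successor = kv[1].trim();
                if (kv[0].trim().equals("clients")) clients.addAll(Arrays.asList(kv[1].trim().split(",")));
            }
            result.put(coordinate, new Lifecycle(state, successor, clients));
        }
        return result;
    }

    /** Returns one finding per dependency that the given client project may not use. */
    static List<String> check(String clientProject, List<String> dependencies, Map<String, Lifecycle> metadata) {
        List<String> findings = new ArrayList<>();
        for (String dep : dependencies) {
            Lifecycle lc = metadata.get(dep);
            if (lc == null) {
                // Assumption: an artifact without lifecycle metadata is not approved.
                findings.add(dep + ": no lifecycle state recorded, not approved for use");
            } else if (lc.state == State.PROHIBITED) {
                findings.add(dep + ": prohibited" + (lc.successor != null ? ", use " + lc.successor + " instead" : ""));
            } else if (lc.state == State.INVESTIGATING) {
                findings.add(dep + ": still under investigation, not yet approved");
            } else if (!lc.allowedClients.isEmpty() && !lc.allowedClients.contains(clientProject)) {
                findings.add(dep + ": restricted, " + clientProject + " is not an allowed client");
            }
        }
        return findings;
    }

    /** Applies the build-time flag: warn only, or warn and fail the build. */
    static void enforce(List<String> findings, boolean failOnViolation) {
        if (findings.isEmpty()) return;
        for (String f : findings) System.err.println("[WARNING] " + f);
        if (failOnViolation) {
            // A real Maven plugin would throw MojoFailureException here.
            throw new IllegalStateException(findings.size() + " dependency lifecycle violation(s)");
        }
    }

    public static void main(String[] args) {
        // Constructed sample metadata covering the three scenarios above.
        String metadataText = String.join("\n",
            "# Scenario 1: flawed version, fixed in 1.4.3",
            "com.example:my-app:1.4.2=prohibited;successor=com.example:my-app:1.4.3",
            "com.example:my-app:1.4.3=approved",
            "# Scenario 2: decommissioned release stream (constructed version 1.3.0)",
            "com.example:my-app:1.3.0=prohibited;successor=com.example:my-app:2.0.0",
            "com.example:my-app:2.0.0=approved",
            "# Scenario 3: restricted usage",
            "com.example:internal-lib:1.0.0=approved;clients=billing-service,reporting",
            "com.example:new-parser:0.9.0=investigating");
        Map<String, Lifecycle> metadata = parseMetadata(metadataText);

        // Constructed dependency list of a hypothetical project "web-frontend".
        List<String> deps = Arrays.asList(
            "com.example:my-app:1.4.2",
            "com.example:my-app:2.0.0",
            "com.example:internal-lib:1.0.0",
            "com.example:new-parser:0.9.0",
            "org.example:unlisted:3.1.0");

        List<String> findings = check("web-frontend", deps, metadata);
        enforce(findings, false);   // warn only: four warnings, build continues
        try {
            enforce(findings, true); // fail mode: same warnings, then the build fails
        } catch (IllegalStateException e) {
            System.out.println("BUILD FAILURE: " + e.getMessage());
        }
    }
}
```

Of the five constructed dependencies only my-app 2.0.0 passes: 1.4.2 is prohibited and points at its successor 1.4.3, internal-lib is approved but only for the listed clients, new-parser is still under investigation, and the unlisted artifact has no state at all. Treating the missing state as a violation keeps the set of usable artifacts equal to the set of explicitly approved ones, which is the point of keeping that set small.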

Usage

Instructions on how to use the AssertDepend plugin can be found in the usage documentation.