Linkage Monitor to work with repositories hosting BOMs included in google-cloud-bom

[suztomo]

Part of our OKR.

As of now, Linkage Monitor runs only in google-cloud-bom's repository (https://github.com/googleapis/java-cloud-bom).

Confirm the below:

• Can Linkage Monitor work for the repositories hosting other BOMs imported by google-cloud-bom
  Example: Add Linkage Monitor to google-cloud repositories #1041
  • Can Linkage Monitor detect a new bad entry in google-auth-library-bom?
    No, because Linkage Monitor does not use the BOM in the repository.
  • Can Linkage Monitor detect a new bad dependency in google-auth-library-credentials?
    Yes, LinkageMonitor.copyWithSnapshot takes care of replacing Maven artifact versions in an effective BOM.

Ideally, Linkage Monitor should detect a bad entry in google-auth-library-bom.

Challenge

Maven's ModelBuildingResult.getEffectiveModel() resolves imported pom altogether. The resulted model has dependencyManagement section with artifacts, such as google-auth-library-credentials, but not with google-auth-library-bom.

Pseudo code in Linkage Monitor:

Model librariesBomModel = buildModel("libraries-bom:3.4.0").getEffectiveModel()
librariesBomModel.getDependencyManagement()

The interface does not seem to give access to intermediate model. Is there a way to intercept the resolution of google-auth-library-bom?

[suztomo]

DefaultModelBuilder.build() takes care of 2nd build.

ModelBuildingResult resultPhase2 = modelBuilder.build(modelRequest, resultPhase1);

DefaultModelBuilder.importDependencyManagement() takes care of replacing BOMs with their content. This modelResolver is ProjectModelResolver.

                    importRequest.setModelResolver( modelResolver.newCopy() );

Try to create a subclass of ProjectModelResolver that takes ImmutableMap<String, String> localArtifacts? in the constructor?