From 4567c8319e95d58e258e9a8c2067ed9bbe01b58e Mon Sep 17 00:00:00 2001 From: Jason van Zyl Date: Thu, 30 Apr 2015 21:39:28 -0400 Subject: [PATCH] MNG-5818: Disallow the programmatic injection of project dependencies The first step here is deprecating the publicly accessible method that allows plugins to inject dependencies. The only plugin I currently know of that does this is the cobertura-maven-plugin. Looking at that plugin it appears the user can specify the cobertura dependency for the instrumentation process but if they do not the plugin attempts to inject the dependency. I believe the path forward here is making sure these types of plugins instruct their users to add the dependency explicitly. I'm going to try and create a call-graph for all of Maven Central with my first test to see if I can accurately detect all usages of MavenProject.setDependencyArtifacts of artifact in Maven Central. --- .../src/main/java/org/apache/maven/project/MavenProject.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/maven-core/src/main/java/org/apache/maven/project/MavenProject.java b/maven-core/src/main/java/org/apache/maven/project/MavenProject.java index 8587a5c330..32fcae19da 100644 --- a/maven-core/src/main/java/org/apache/maven/project/MavenProject.java +++ b/maven-core/src/main/java/org/apache/maven/project/MavenProject.java @@ -995,11 +995,13 @@ public class MavenProject * @return {@link Set} < {@link Artifact} > * @see #getArtifacts() to get all transitive dependencies */ + @Deprecated public Set getDependencyArtifacts() { return dependencyArtifacts; } + @Deprecated public void setDependencyArtifacts( Set dependencyArtifacts ) { this.dependencyArtifacts = dependencyArtifacts;
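Review bot: both `@Deprecated` annotations in this hunk are added without a matching `@deprecated` Javadoc tag, so the Javadoc above `getDependencyArtifacts()` (which ends with `@see #getArtifacts() to get all transitive dependencies`) still says nothing about why the method is deprecated or what plugin authors should do instead; add a `@deprecated` line to that block, and a Javadoc block with one to `setDependencyArtifacts(...)`, stating that dependencies must be declared in the POM rather than injected programmatically, as the commit message explains. Second, the commit message only talks about disallowing injection, which is the setter, yet the hunk also deprecates the read-only getter; that widens the impact from the one known injecting plugin to every plugin that merely reads direct dependencies, so either the getter deprecation should be dropped or the message should justify it. Finally, an annotation alone changes nothing at runtime: a warning logged from `setDependencyArtifacts(...)` naming the caller would let users see which plugins still inject dependencies into their build, which is the detection the message says you are trying to get from a Maven Central call graph.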