3

I'm currently using the maven-dependency-plugin like 

mvn -B dependency:copy-dependencies \
    -Dmdep.copyPom=true \
    -DoutputDirectory="$OUTDIR"

to download all POMs of all (transitive) dependencies. However, that is also downloading the JARs, which I don't want. I tried to use includeTypes / excludeTypes to limit to POM files only, but that didn't work as nothing is retrieved then.

Is there another option / command that really just retrieves the POMs?

Background: I only need the meta-data from all transitive POMs for compliance checks.

sschuberth
  • 28,386
  • 6
  • 101
  • 146
  • 1
    Curiosity and further context: why do you want only the poms? What are you trying to do? – Gimby Mar 03 '17 at 09:41
  • What kind of problem are you trying to solve? – khmarbaise Mar 03 '17 at 09:57
  • according to [doc](https://maven.apache.org/plugins/maven-dependency-plugin/copy-dependencies-mojo.html#copyPom) , it says _"Also copy the pom of each artifact."_ , looks like the main purpose of this plugin is to copy artifact not the pom. – Ömer Erden Mar 03 '17 at 10:39
  • Context: Ultimately I do want to download the source code of all transitive dependencies, but from SCM (for provenance analysis reasons), not from `-sources` artifacts. For that, I'm calling [scm:checkout](https://maven.apache.org/components/scm/maven-scm-plugin/checkout-mojo.html) in a post-processing step. – sschuberth Mar 03 '17 at 10:55

1 Answers1

1

I ended up creating an Open Source project that downloads and gathers metadata from Maven builds, and actually several other build systems, too. It's called OSS Review Toolkit (ORT for short) and programmatically uses the maven-resolver library to download only the POMs to analyze their contained metadata.

sschuberth
  • 28,386
  • 6
  • 101
  • 146