rspec/rules/S3417/xml/rule.adoc

== Why is this an issue?

Whether they are disallowed locally for security, license, or dependability reasons, forbidden dependencies should not be used. 


This rule raises an issue when the group or artifact id of a direct dependency matches the configured forbidden dependency pattern. 


=== Noncompliant code example

With a parameter of: ``++*:.*log4j.*++``

[source,xml]
----
<dependency> <!-- Noncompliant --> 
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId> 
    <version>1.2.17</version> 
</dependency> 
----


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Remove this forbidden dependency.


=== Parameters

.dependencyName
****

Pattern describing forbidden dependencies group and artifact ids. E.G. ``++*:.*log4j++``, or ``++x.y:*++``
****
.version
****

Dependency version pattern or dash-delimited range. Leave blank for all versions. E.G. ``++1.3.*++``, ``++1.0-3.1++``, ``++1.0-*++`` or ``++*-3.1++``
****


=== Highlighting

dependency name


'''
== Comments And Links
(visible only on this page)

=== deprecates: S1212

=== on 24 Nov 2015, 17:27:41 Ann Campbell wrote:
\[~michael.gumowski] it is possible that this should be a rule template (to allow customization of the message per dependency) rather than a rule with parameters. WDYT?

=== on 30 Nov 2015, 14:02:30 Michael Gumowski wrote:
I would also prefer a rule template [~ann.campbell.2]. 


Now, I'm just wondering about the best format of the parameters, and I really wonder what should be the best one to use. Maybe we need to define it a bit more explicitly, as usually, we define dependencies with a groupId and an artifactId (``++groupId:artifactId++``).


For instance you may want to allow all the dependencies from ``++X.Y.Z++``, but absolutely forbid ``++X.Y.Z:A++``, or forbid only a given version of an artifact, or more complex, a range of version!


I would then say that, by default, you are providing as parameter the groupId to forbid, if usage of column (``++:++``), then it's a given artifact, which can follow patterns (``++*:*.log4j++`` ?). For the versions, I have no idea how explicitly mention it however, but I'm pretty sure it's required. Any idea?

=== on 1 Dec 2015, 14:14:24 Ann Campbell wrote:
Check out the parameters now [~michael.gumowski]

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`Whether they are disallowed locally for security, license, or dependability reasons, forbidden dependencies should not be used.`


			`This rule raises an issue when the group or artifact id of a direct dependency matches the configured forbidden dependency pattern.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
			With a parameter of: ``++:.log4j.*++``

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,xml]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`<dependency> <!-- Noncompliant -->`
			`<groupId>log4j</groupId>`
			`<artifactId>log4j</artifactId>`
			`<version>1.2.17</version>`
			`</dependency>`
			`----`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`Remove this forbidden dependency.`


			`=== Parameters`

			`.dependencyName`
			`****`

			Pattern describing forbidden dependencies group and artifact ids. E.G. ``++:.log4j++``, or ``++x.y:*++``
			`****`
			`.version`
			`****`

			Dependency version pattern or dash-delimited range. Leave blank for all versions. E.G. ``++1.3.++``, ``++1.0-3.1++``, ``++1.0-++`` or ``++*-3.1++``
			`****`


			`=== Highlighting`

			`dependency name`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== deprecates: S1212`

			`=== on 24 Nov 2015, 17:27:41 Ann Campbell wrote:`
			`\[~michael.gumowski] it is possible that this should be a rule template (to allow customization of the message per dependency) rather than a rule with parameters. WDYT?`

			`=== on 30 Nov 2015, 14:02:30 Michael Gumowski wrote:`
			`I would also prefer a rule template [~ann.campbell.2].`


			Now, I'm just wondering about the best format of the parameters, and I really wonder what should be the best one to use. Maybe we need to define it a bit more explicitly, as usually, we define dependencies with a groupId and an artifactId (``++groupId:artifactId++``).


			For instance you may want to allow all the dependencies from ``++X.Y.Z++``, but absolutely forbid ``++X.Y.Z:A++``, or forbid only a given version of an artifact, or more complex, a range of version!


			I would then say that, by default, you are providing as parameter the groupId to forbid, if usage of column (``++:++``), then it's a given artifact, which can follow patterns (``++:.log4j++`` ?). For the versions, I have no idea how explicitly mention it however, but I'm pretty sure it's required. Any idea?

			`=== on 1 Dec 2015, 14:14:24 Ann Campbell wrote:`
			`Check out the parameters now [~michael.gumowski]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`