Skip to content

Add NoSystemScopeDependencies cleanup recipe#7055

Merged
jkschneider merged 7 commits intomainfrom
tim/remove-system-scope-deps
Mar 22, 2026
Merged

Add NoSystemScopeDependencies cleanup recipe#7055
jkschneider merged 7 commits intomainfrom
tim/remove-system-scope-deps

Conversation

@timtebeek
Copy link
Copy Markdown
Member

@timtebeek timtebeek commented Mar 19, 2026

Summary

Adds a new cleanup recipe NoSystemScopeDependencies that fixes Sonar rule S3422 by removing system-scoped Maven dependencies when they are available in configured repositories.

System scope is problematic because it requires a machine-specific <systemPath>, is non-portable, and cannot be packaged in artifacts. The recipe verifies artifact availability before removing the scope, leaving truly local-only dependencies unchanged.

Changes

  • New recipe class: NoSystemScopeDependencies.java
  • Recipe only removes <scope>system</scope> and <systemPath> if the dependency version exists in configured repositories
  • Works for both <dependencies> and <dependencyManagement> sections
  • Comprehensive test suite with 6 test cases covering all scenarios

Test Plan

  • All 6 tests in NoSystemScopeDependenciesTest pass
  • Tests cover: artifact available in repo, no systemPath element, dependencyManagement section, artifact not in any repo, non-system scopes, and dependencies without scope

@timtebeek
Add recipe to fix Sonar rule S3422: remove system scope from Maven de…
0e4fa19 
…pendencies

This recipe removes <scope>system</scope> and <systemPath> from Maven
dependencies when the artifact is available in configured repositories.
System scope is deprecated, non-portable, and problematic because it
requires a machine-specific systemPath and is not packaged in artifacts.

The recipe only removes system scope if the dependency can be verified
to exist in a configured Maven repository by checking available versions.
Dependencies not found in any repository are left unchanged.

Fixes Sonar finding: 'Dependencies should not have "system" scope'
@github-project-automation github-project-automation Bot moved this to In Progress in OpenRewrite Mar 19, 2026
@timtebeek
Add NoSystemScopeDependencies to Maven best practices
ddc732c 
Include the new recipe in the BestPractices composite recipe and
add its entry to recipes.csv.
@timtebeek
Remove unused import and add null safety for metadata versioning
67040b1
@timtebeek timtebeek added recipe Requested Recipe maven labels Mar 19, 2026
timtebeek
timtebeek commented Mar 19, 2026
View reviewed changes
Comment thread rewrite-maven/src/main/java/org/openrewrite/maven/cleanup/NoSystemScopeDependencies.java
Comment on lines +34 to +35
final String description = "Replaces `<scope>system</scope>` with the default compile scope and removes " +
"`<systemPath>` for dependencies that are available in configured repositories.";
Copy link
Copy Markdown
Member Author

@timtebeek timtebeek Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So we know this isn't a complete solution for all cases, but it allows folks to push that jar somewhere and then from there see the system scope dropped here.

@timtebeek timtebeek moved this from In Progress to Ready to Review in OpenRewrite Mar 21, 2026
@jkschneider jkschneider merged commit 03048dc into main Mar 22, 2026
1 check passed
@jkschneider jkschneider deleted the tim/remove-system-scope-deps branch March 22, 2026 17:00
@github-project-automation github-project-automation Bot moved this from Ready to Review to Done in OpenRewrite Mar 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@steve-aom-elliott steve-aom-elliott Awaiting requested review from steve-aom-elliott

Assignees

@timtebeek timtebeek

Labels

maven recipe Requested Recipe

Projects

OpenRewrite
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@timtebeek @steve-aom-elliott @jkschneider