Make analysis of (transitive) dependencies optional

[ascheman]

Konveyor will be used (by us) to analyse and migrate existing projects towards the cloud.
For the analysis part, it should investigate our own sources and the dependencies of our project(s).
The analysis of our own sources and immediate dependencies (currently) has highest priority, as we expect the highest migration efforts on our side here.

For most dependencies (direct or transitive) we expect a library of known issues in the long run.
Such a library has already been provided in the past and will proceed in the future.
It resulted in analysis rules for WindUp and Konveyor.
We assume, more and more OSS libraries will be covered by those rules.
Hence, it should not be necessary to analyse those dependencies when they are used in source projects.
As a consequence, the analysis of dependencies should become smaller over time.

In particular for Java projects we see that dependency download and and analysis causes a lot of problems and requires a lot of efforts and complex design decisions.
As it has a lower priority (for us), we propose an option to skip these downloads and analysis when using Konveyor, so that we can concentrate on our own code.
We should not be stopped or even bothered with download/analysis issues of foreign code, or at least we should be able to avoid these process steps.

[rromannissen]

Hi @ascheman! The problems you are experiencing with the download of dependencies when analyzing in source mode have been identified as a bug and are being tracked in konveyor/analyzer-lsp#428. The Source analysis mode was designed to focus on the application source code and ignore dependencies completely, but apparently it is behaving like the Source + dependencies mode and retrieving dependencies even when they are not being analyzed. Please bear in mind that we are still adjusting the larger Konveyor platform to work with the new LSP-based analyzer in the same way it did with Windup in previous versions.

Regarding skipping the analysis of Open Source libraries, that is what the Scope configuration step is for. Konveyor is able to discriminate between Open Source libraries coming from public repositories like Maven Central and other internal dependencies via hash identification. The Scope configuration provides three values:

• Application and internal dependencies only: This scope sticks to the packages and artifacts that the analyzer doesn't recognize as known Open Source libraries. This means the analysis scope will cover application packages and all corporate libraries that might be used as dependencies, transitive or not.

• Application and all dependencies, including known Open Source libraries: This scope includes all the application related packages and corporate libraries from the previous option while adding all known Open Source dependencies as well.

• Select the list of packages to be analyzed manually: This option allows the user to set the analysis scope by manually selecting the list of packages to be analyzed. Only the selected packages will be analyzed.

This behavior for the Analysis Mode and Scope configurations has been tested on the field with Konveyor 0.2, and is currently being adjusted in beta versions for 0.3 for a seamless transition in terms of user experience. Anything that doesn't adjust to the behavior of the previous versions will be considered a bug and fixed before 0.3 GA is published.

Let me know if this addresses your concerns!