in my project, I am using monitoring-interceptors dependency from io.confluent version 7.2.2. This particular jar is using google protobuf jar but that is some old jar and it is not passing Aqua scan. I am trying to remove this protobuf jar from like below:
<dependency>
<groupId>io.confluent</groupId>
<artifactId>monitoring-interceptors</artifactId>
<version>7.2.2</version>
<scope>runtime</scope>
<exclusions>
<exclusion>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
</exclusion>
<exclusion>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java-util</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
<version>4.0.0-rc-2</version>
</dependency>
But my Aqua scan is still showing older version of protobuf jar coming from monitoring-interceptors-7.2.2 jar.
I tried to put above portion in dependency management tag also but it still not working. Any idea how to make it work?
Related
activemq not compatibale with spring 4.3.6. And i cant change spring version. I use following dependencies in pom.xml
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jms</artifactId>
<version>4.3.6.RELEASE</version>
<exclusions>
<exclusion>
<artifactId>commons-logging</artifactId>
<groupId>commons-logging</groupId>
</exclusion>
</exclusions>
</dependency>
<!-- ActiveMQ -->
<dependency>
<groupId>org.apache.activemq</groupId>
<artifactId>activemq-all</artifactId>
<version>5.15.0</version>
</dependency>
Where activemq show dependency on 4.3.9 i also tried 5.14.4 which have dependency on 4.1.9.
How can i resolve this issue.
I used client dependency only and now its working.
<dependency>
<groupId>org.apache.activemq</groupId>
<artifactId>activemq-client</artifactId>
<version>5.15.0</version>
</dependency>
This does not have spring dependencies. Either we can use exclusion if we are using all jar or can use specific dependencies needed for project. Thanks for help.
I have the following in my pom
<dependency>
<groupId>org.codehaus.groovy</groupId>
<artifactId>groovy-all</artifactId>
<version>2.4.3</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.spockframework</groupId>
<artifactId>spock-core</artifactId>
<version>1.0-groovy-2.4</version>
<scope>test</scope>
<exclusions>
<exclusion>
<artifactId>org.codehaus.groovy</artifactId>
<groupId>groovy-all</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.spockframework</groupId>
<artifactId>spock-spring</artifactId>
<version>1.0-groovy-2.4</version>
<scope>test</scope>
<exclusions>
<exclusion>
<artifactId>org.codehaus.groovy</artifactId>
<groupId>groovy-all</groupId>
</exclusion>
</exclusions>
</dependency>
Basically, I want to force my second and third dependencies to use the version of groovy-all that I'm setting in my first dependency. Is there a better way to do this than setting an exclusion on each of them?
Since as a first dependency you're explicitly defining a version of the groovy-all dependency, this will override the version of this dependency for all transitive dependencies needing this exact dependency. Hence, you won't have to define explicit exclusions.
To validate this, you can run the following before and after the change:
mvn dependency:tree -Dverbose
And compare the output.
Fix is to lock down the version, either via a direct dependency, or a dependency-management section.
I have a local pom which uses mahout-0.8 dependency. Mahout pom includes hadoop-core dependency with 1.1.2 version. Link to mahout-0.8 pom
But in my project I need the latest hadoop-core, which is 2.2.0 version. As I have read hadoop-core-2.2.0 is built from these dependencies:
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-common</artifactId>
<version>2.2.0</version>
</dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-mapreduce-client-core</artifactId>
<version>2.2.0</version>
</dependency>
So I need to exclude dependency from remote mahout-0.8 dependency. How to exclude this dependency (snipped) or it cannot be done remotely?
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-core</artifactId>
<version>${hadoop.version}</version>
...
</dependency>
If it cannot be done in such way, would like to know how to integrate mahout pom to my local project.
Many thanks!
Copy the hadoop-core dependency in your second snippet into the dependencyManagement section of your pom. This will manage it to whatever version you specify.
Or, if you really really want to stop it from coming from mahout all together, change your mahout dependency to something like the following:
<dependency>
<groupId>org.apache.mahout</groupId>
<artifactId>mahout</artifactId>
<version>0.8</version>
<exclusions>
<exclusion>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-core</artifactId>
</exclusion>
</exclusions>
</dependency>
I am using Maven 3.0.5 and I have the following in pom.xml
<dependency>
<groupId>antlr</groupId>
<artifactId>antlr</artifactId>
<version>2.7.7</version>
<scope>runtime</scope>
<exclusions>
<exclusion>
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
</exclusion>
<exclusion>
<groupId>xml-apis</groupId>
<artifactId>xml-apis</artifactId>
</exclusion>
<exclusion>
<groupId>janino</groupId>
<artifactId>janino</artifactId>
</exclusion>
</exclusions>
</dependency>
When I build war using mvn install, I can see that in war file xml-apis-1.0.b2.jar is also included although I have put xml-apis in exclusion list.
Why artifactId which is mentioned in exclusions is part of war file?
How can I make sure that xml-apis-1.0.b2.jar is not part of war the file?
Any help is highly appreciable.
Looking at maven dependency description in maven repo, I do not see any transitive dependency for antlr.
So this means the retrieved dependencies for xml-apis is coming from some other dependency in your project. Please check if this is the case.
I have a question about exclusion of maven dependencies. Consider the following
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${spring-security.version}</version>
<exclusions>
<exclusion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.1.0.RELEASE</version>
<exclusions>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>3.1.0.RELEASE</version>
</dependency>
<dependency>
I am trying to achieve a transition from Spring 3.0.6 to 3.1.0 . Spring security 3.1.0 had a dependency on spring-security-web version 3.0.6 which in turn had a dependency on spring-web 3.0.6. I need to bring it all to 3.1.0. So I exclude spring-security-web from Spring security, have a separate dependency for spring-security-web 3.1.0 which in turn excludes the spring-web 3.0.6 version and I provide a separate spring-web 3.1.0 version. This work but I feel there would be a much easier approach. I tried putting an exclusion for spring web under Spring security but it did not work.
You can utilize the dependency management mechanism.
If you create entries in the <dependencyManagement> section of your pom for spring-security-web and spring-web with the desired 3.1.0 version set the managed version of the artifact will override those specified in the transitive dependency tree.
I'm not sure if that really saves you any code, but it is a cleaner solution IMO.
Global exclusions look like they're being worked on, but until then...
From the Sonatype maven reference (bottom of the page):
Dependency management in a top-level POM is different from just
defining a dependency on a widely shared parent POM. For starters, all
dependencies are inherited. If mysql-connector-java were listed as a
dependency of the top-level parent project, every single project in
the hierarchy would have a reference to this dependency. Instead of
adding in unnecessary dependencies, using dependencyManagement allows
you to consolidate and centralize the management of dependency
versions without adding dependencies which are inherited by all
children. In other words, the dependencyManagement element is
equivalent to an environment variable which allows you to declare a
dependency anywhere below a project without specifying a version
number.
As an example:
<dependencies>
<dependency>
<groupId>commons-httpclient</groupId>
<artifactId>commons-httpclient</artifactId>
<version>3.1</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>3.0.5.RELEASE</version>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>commons-httpclient</groupId>
<artifactId>commons-httpclient</artifactId>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
</dependencyManagement>
It doesn't make the code less verbose overall, but it does make it less verbose where it counts. If you still want it less verbose you can follow these tips also from the Sonatype reference.