mvn go-offline trying to download dependencies not in dependency tree - maven

I have a maven build that fails on executing mvn go-offline, because it tries to download log4j-core:2.11.2 - a version which has been removed from my company's Artifactory due to the Log4Shell vulnerability.
But I can't figure out why my project is trying to download that specific version of log4j-core. I have explicitly defined a log4j-core:2.17.1 dependency in my pom, and log4j-core:2.11.2 is nowhere in my project's dependency tree. In addition, running mvn install works fine and doesn't require log4j-core:2.11.2: only the mvn go-offline command thinks it needs 2.11.2.
The project is set up with a parent pom, like this:
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.7</version>
    <relativePath/>
</parent>
...
<dependencies>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.17.1</version>
    </dependency>
    ...
</dependencies>
Result of executing mvn -X dependency:go-offline:
[DEBUG] Resolving artifact org.apache.logging.log4j:log4j-core:pom:2.11.2 from [central (https://artifacts.mycompany.int/artifactory/maven-all, default, releases), snapshots (https://artifacts.mycompany.int/artifactory/maven-all, default, releases+snapshots), apache.snapshots (https://repository.apache.org/snapshots, default, snapshots)]
[INFO] Downloading from central: https://artifacts.mycompany.int/artifactory/maven-all/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.pom
[DEBUG] Writing tracking file /mybuilddir/.m2/repository/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.pom.lastUpdated
[WARNING] The POM for org.apache.logging.log4j:log4j-core:jar:2.11.2 is missing, no dependency information available
[DEBUG] Resolving artifact org.apache.logging.log4j:log4j-core:jar:2.11.2 from [central (https://artifacts.mycompany.int/artifactory/maven-all, default, releases), snapshots (https://artifacts.mycompany.int/artifactory/maven-all, default, releases+snapshots)]
[INFO] Downloading from central: https://artifacts.mycompany.int/artifactory/maven-all/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.jar
[DEBUG] Writing tracking file /mybuilddir/.m2/repository/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.jar.lastUpdated
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.2.0:go-offline (default-cli) on project myproject: org.eclipse.aether.resolution.DependencyResolutionException: Could not find artifact org.apache.logging.log4j:log4j-core:jar:2.11.2 in central (https://artifacts.mycompany.int/artifactory/maven-all) -> [Help 1]
Result of executing mvn -X org.apache.maven.plugins:maven-dependency-plugin:3.3.0:tree -Dverbose=true (the only version of log4j-core that shows up is 2.17.1. Version 2.11.2 is not mentioned anywhere in this tree):
[DEBUG] com.mycompany:myproject:jar:1.7.0
...
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
...
I cannot understand why my pom is trying to download a dependency version not listed in the tree. Is it some sort of transitive dependency that is not being printed out in the tree? If so, how do I get the dependency tree to print it, as well as which artifact is bringing it in? Does anyone have any advice?

dependency:go-offline tries to resolve and download all dependencies used in your project ... but it also tries to resolve all Maven plugins used in the project and their dependencies.
Also, dependency:tree shows what you use in the project.
So even if your project has no dependency on log4j-core:2.11.2, some of the plugins used to build the project can have it ...
Please examine output of:
mvn dependency:resolve-plugins
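
To make the check suggested above repeatable, the following added example (not part of the original answer) parses saved `mvn dependency:resolve-plugins` output and reports which plugin brings in a given artifact version. It assumes the indented coordinate listing printed by maven-dependency-plugin 3.x; the sample output is constructed, and `example-report-plugin`, `plugin_dependencies` and `find_owner` are hypothetical names.

```python
import re

# Constructed sample, modeled on the indented coordinate listing that
# maven-dependency-plugin 3.x prints; example-report-plugin is hypothetical.
SAMPLE_OUTPUT = """\
[INFO] The following plugins have been resolved:
[INFO]    org.apache.maven.plugins:maven-compiler-plugin:maven-plugin:3.8.1:runtime
[INFO]       org.apache.maven.plugins:maven-compiler-plugin:jar:3.8.1
[INFO]       org.codehaus.plexus:plexus-utils:jar:2.0.4
[INFO]    com.example.build:example-report-plugin:maven-plugin:1.0.0:runtime
[INFO]       com.example.build:example-report-plugin:jar:1.0.0
[INFO]       org.apache.logging.log4j:log4j-core:jar:2.11.2
[INFO]       org.apache.logging.log4j:log4j-api:jar:2.11.2
"""

# "[INFO]", indentation, then a Maven coordinate of four to six segments.
COORD_LINE = re.compile(r"^\[INFO\](\s+)([\w.\-]+(?::[\w.\-]+){3,5})\s*$")
SCOPES = {"compile", "runtime", "provided", "test", "system"}

def plugin_dependencies(output):
    """Map each resolved plugin to the artifacts listed beneath it."""
    plugins, current, plugin_indent = {}, None, 0
    for line in output.splitlines():
        match = COORD_LINE.match(line)
        if not match:
            continue
        indent, coord = len(match.group(1)), match.group(2)
        if coord.split(":")[2] == "maven-plugin":
            current, plugin_indent = coord, indent
            plugins.setdefault(current, [])
        elif current is not None and indent > plugin_indent:
            plugins[current].append(coord)
    return plugins

def find_owner(output, group_id, artifact_id, version=None):
    """Return (plugin, artifact) pairs where a plugin pulls in the artifact."""
    hits = []
    for plugin, deps in plugin_dependencies(output).items():
        for dep in deps:
            parts = dep.split(":")
            if parts[-1] in SCOPES:
                parts = parts[:-1]  # drop a trailing scope if one is printed
            if (parts[0], parts[1]) == (group_id, artifact_id) and \
                    version in (None, parts[-1]):
                hits.append((plugin, dep))
    return hits

if __name__ == "__main__":
    for plugin, dep in find_owner(SAMPLE_OUTPUT, "org.apache.logging.log4j",
                                  "log4j-core", "2.11.2"):
        print(f"{dep} is pulled in by {plugin}")
```

If your plugin version prints a different layout, adjust `COORD_LINE` to match it before relying on the result.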

Related

Unable to build specific child projects in Maven using mvn package or IntelliJ tool windows

I have the following project structure in Maven:
./
├─ app1/
│ ├─ pom.xml
├─ app2/
│ ├─ pom.xml
├─ core/
│ ├─ pom.xml
├─ pom.xml
My parent pom.xml contains the following:
<packaging>pom</packaging>
<modules>
    <module>core</module>
    <module>app1</module>
    <module>app2</module>
</modules>
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.9</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.acme</groupId>
<artifactId>parent</artifactId>
<version>1.0.0-SNAPSHOT</version>
<repositories>
    <repository>
        <id>Maven central</id>
        <url>https://repo1.maven.org/maven2/</url>
    </repository>
    <repository>
        <id>Confluent</id>
        <url>https://packages.confluent.io/maven/</url>
    </repository>
    <repository>
        <id>Local Maven</id>
        <name>Local Maven Repository</name>
        <url>file://${user.home}/.m2/repository/</url>
    </repository>
</repositories>
My core pom.xml contains the following:
<parent>
    <groupId>com.acme</groupId>
    <artifactId>parent</artifactId>
    <version>1.0.0-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<packaging>jar</packaging>
<artifactId>core</artifactId>
<version>1.0.0-SNAPSHOT</version>
My app1 pom.xml contains the following:
<parent>
    <groupId>com.acme</groupId>
    <artifactId>parent</artifactId>
    <version>1.0.0-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<artifactId>app1</artifactId>
<dependencies>
    <dependency>
        <groupId>com.acme</groupId>
        <artifactId>core</artifactId>
        <version>1.0.0-SNAPSHOT</version>
    </dependency>
    <!-- ... -->
</dependencies>
If I try to build in the root project directory, via:
mvn package
it correctly builds all my modules.
If I try to build the core package (which does not have additional intra-project dependencies) via mvn package, it correctly builds.
But if I try to build the app1 package (which does contain a dependency on my core module), even while forcing updates:
user@dev:~/parent/app1$ mvn package -U
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------< com.acme:app1 >----------------
[INFO] Building app1 1.0.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
Downloading from Local Maven: file:///home/user/.m2/repository/com/acme/core/1.0.0-SNAPSHOT/maven-metadata.xml
Downloading from Maven central: https://repo1.maven.org/maven2/com/acme/core/1.0.0-SNAPSHOT/maven-metadata.xml
Downloading from Confluent: https://packages.confluent.io/maven/com/acme/core/1.0.0-SNAPSHOT/maven-metadata.xml
Downloading from Confluent: https://packages.confluent.io/maven/com/acme/parent/1.0.0-SNAPSHOT/maven-metadata.xml
Downloading from Maven central: https://repo1.maven.org/maven2/com/acme/parent/1.0.0-SNAPSHOT/maven-metadata.xml
Downloading from Local Maven: file:///home/user/.m2/repository/com/acme/parent/1.0.0-SNAPSHOT/maven-metadata.xml
Downloading from Maven central: https://repo1.maven.org/maven2/com/acme/parent/1.0.0-SNAPSHOT/event-processor-1.0.0-SNAPSHOT.pom
Downloading from Confluent: https://packages.confluent.io/maven/com/acme/parent/1.0.0-SNAPSHOT/event-processor-1.0.0-SNAPSHOT.pom
Downloading from Local Maven: file:///home/user/.m2/repository/com/acme/parent/1.0.0-SNAPSHOT/event-processor-1.0.0-SNAPSHOT.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.324 s
[INFO] Finished at: 2023-01-06T11:54:58+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project app1: Could not resolve
dependencies for project com.acme:app1:jar:1.0.0-SNAPSHOT: Failed to
collect dependencies at com.acme:core:jar:1.0.0-SNAPSHOT: Failed to
read artifact descriptor for com.acme:core:jar:1.0.0-SNAPSHOT: Could
not find artifact com.acme:parent:pom:1.0.0-SNAPSHOT in Maven central
(https://repo1.maven.org/maven2/) -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
I've read various docs (https://maven.apache.org/guides/introduction/introduction-to-the-pom.html) and some other questions and answers which seem a little dated.
These all state that if I run something like:
# In root project dir
mvn --projects app1 package --also-make
it correctly builds my single module and also any local dependencies, and it does.
However, I want to be able to use my IDE's (IntelliJ, in this case) Maven support and simply be able to run the module's Maven lifecycle task package from my IDE's Maven tool integration window.
Alternatively, at the very least, I'd like to just be able to go into the child module directory and do a mvn package and have it work. I expect that I can have a team member check out the repository and build a single module that they're working on instead of having to build everything (which may take a long time, especially if a core dependency or parent is changed).
How can I do this? Do I have to build from the parent context (i.e. from the root project dir)? If so, why doesn't Maven just tell me that instead of complaining that it can't find a pom.xml that is quite obviously there (and it knows where it is!)?
I know that dependency resolution is a hard problem, but I'm quite annoyed that such a common functionality such as building a child module is seemingly super hard to do with Maven...

All dependent packages need to be deployed in the local or distant repo before being resolved as dependencies in any of your modules.
To deploy a module on which you depend (e.g. the core module) in the local repo, use the mvn install command.
Then the mvn package command should work in the app1 module.
Furthermore, in your case you used
<relativePath/> <!-- lookup parent from repository -->
which means that, to be able to resolve the parent pom from any child module, the parent pom shall also be deployed in a local or distant repository. In your case you also have to mvn install the parent pom.
mvn package does not make your module "visible" to others; it just packages everything by default in the target folder of the module. To make it visible locally, use mvn install.
Finally, for your team to be able to work as you wish, you must deploy your jars, including the parent pom, in a remote / shared jar repository like Nexus, for instance.
For that you use the mvn deploy command. But naturally, you need to set up all the deploy configuration and server beforehand... Then it would work as you expect.

log4j 2.16.0 update issue with offline Maven repo

Our build server does not have access to the Maven central repositories.
When updating dependencies I typically create a backup of my repository and then do a diff, and copy the new dependencies to the build machine.
When updating my Log4j dependency to deal with the recent vulnerability this process seems to have broken down.
My dependency on log4j comes from:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>
I set the log4j version property as such:
<properties>
    <log4j2.version>2.16.0</log4j2.version>
</properties>
It builds fine on my machine. And I found the following new files in my local Maven repository which I copied to the Maven repository on the build machine.
But when the build runs on the build machine, it appears to go hunting for the new version of Log4j in the remote repository and fails as such:
[INFO] Scanning for projects...
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/logging/logging-parent/3/logging-parent-3.pom
[ERROR] [ERROR] Some problems were encountered while processing the POMs:
[FATAL] Non-resolvable parent POM for org.apache.logging.log4j:log4j-bom:2.16.0: Could not transfer artifact org.apache.logging:logging-parent:pom:3 from/to central (https://repo.maven.apache.org/maven2): Transfer failed for https://repo.maven.apache.org/maven2/org/apache/logging/logging-parent/3/logging-parent-3.pom @ org.apache.logging.log4j:log4j-bom:2.16.0, C:\Users\gitlab-runner.ate\.m2\repository\org\apache\logging\log4j\log4j-bom\2.16.0\log4j-bom-2.16.0.pom, line 19, column 11
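
The error above stops at the parent POM of log4j-bom:2.16.0 (org.apache.logging:logging-parent:3), which Maven tries to download because it is not in the build machine's local repository. As an added example, not part of the original question, this Python code walks a local repository and lists every POM whose parent POM is absent, so gaps can be found before copying; the minimal BOM and all function names are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed stand-in for log4j-bom-2.16.0.pom; parent taken from the error above.
BOM_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.apache.logging</groupId>
    <artifactId>logging-parent</artifactId>
    <version>3</version>
  </parent>
</project>
"""

def pom_path(repo, group_id, artifact_id, version):
    """POM location in the standard local-repository layout."""
    return os.path.join(repo, *group_id.split("."), artifact_id, version,
                        f"{artifact_id}-{version}.pom")

def _child(element, name):
    """First child with this local name, ignoring the XML namespace."""
    return next((c for c in element if c.tag.split("}")[-1] == name), None)

def parent_of(pom_file):
    """(groupId, artifactId, version) of <parent>, or None if absent."""
    parent = _child(ET.parse(pom_file).getroot(), "parent")
    if parent is None:
        return None
    return tuple(_child(parent, tag).text.strip()
                 for tag in ("groupId", "artifactId", "version"))

def missing_parents(repo):
    """(child POM, parent coordinate) pairs whose parent POM is not in repo."""
    missing = []
    for dirpath, _dirs, files in os.walk(repo):
        for name in (f for f in files if f.endswith(".pom")):
            child = os.path.join(dirpath, name)
            try:
                parent = parent_of(child)
            except (ET.ParseError, AttributeError):
                continue  # unreadable or incomplete POM: skip it
            if parent and not os.path.isfile(pom_path(repo, *parent)):
                missing.append((os.path.relpath(child, repo), ":".join(parent)))
    return sorted(missing)

def build_sample_repo(repo):
    path = pom_path(repo, "org.apache.logging.log4j", "log4j-bom", "2.16.0")
    os.makedirs(os.path.dirname(path))
    with open(path, "w") as fh:
        fh.write(BOM_POM)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as repo:
        build_sample_repo(repo)
        print(missing_parents(repo))
```

Point `missing_parents()` at the repository directory that is copied to the build machine; parent versions given as properties are compared literally and will show up as missing.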

Maven Build Not Finding Oracle

I'm switching a maven project's db from MySQL to Oracle. I have this dependency in my pom.xml:
<!-- https://mvnrepository.com/artifact/com.oracle/ojdbc14 -->
<dependency>
    <groupId>com.oracle</groupId>
    <artifactId>ojdbc14</artifactId>
    <version>10.2.0.4.0</version>
</dependency>
But IntelliJ's maven view shows red squigglies on that dependency and mvn clean install gives me:
Could not resolve dependencies for project com.example:polls:jar:0.0.1-SNAPSHOT: Failure to find com.oracle:ojdbc6:jar:11.2.0.1.0 in https://repo.maven.apache.org/maven2 was cached in the local repository,
resolution will not be reattempted until the update interval of central has elapsed or updates are forced -> [Help 1]
So per this advice, I did a force (mvn clean install -U). But that gives me:
Downloading from central: https://repo.maven.apache.org/maven2/com/oracle/ojdbc6/11.2.0.1.0/ojdbc6-11.2.0.1.0.pom
[WARNING] The POM for com.oracle:ojdbc6:jar:11.2.0.1.0 is missing, no dependency information available
Downloading from central: https://repo.maven.apache.org/maven2/com/oracle/ojdbc6/11.2.0.1.0/ojdbc6-11.2.0.1.0.jar
... even though my .m2 does contain that dependency:
So why does my project not build? Is there some reason Oracle jars are not accessible via maven central?

It turns out Oracle JDBC drivers need to be obtained from the "Oracle Maven Repository". There's lots of guidance on that, which I guess I missed at first. They can also be downloaded directly.

Issue in Jenkins build not Eclipse

In Jenkins there are two projects, A and B. Both are Maven projects, and both run fine when I do a clean and install from STS.
However, when the same project is referred to in Jenkins as a Maven project, it's not able to resolve the dependency of Project A.
When I explicitly put the dependency in the Jenkins .m2 folder repository, it works.
Project A's jar is created here.
<modelVersion>4.0.0</modelVersion>
<groupId>com.XYZ.k</groupId>
<artifactId>abc</artifactId>
<version>1.0.0-SNAPSHOT</version>
<name>abc</name>
It is referred to in Project B's POM like below.
<dependency>
    <groupId>com.XYZ.k</groupId>
    <artifactId>abc</artifactId>
    <version>1.0.0-SNAPSHOT</version>
</dependency>
The problem is that it is not able to resolve the dependency:
[ERROR] Failed to execute goal on project rpg4xref: Could not resolve dependencies for project com.xyz.xa:B:jar:13.2.00-SNAPSHOT: Failure to find com.xyz.abc:abc:jar:1.0.0-SNAPSHOT in file:/// was cached in the local repository, resolution will not be reattempted until the update interval of localRepsoitory has elapsed or updates are forced -> [Help 1]

Why does "mvn dependency:tree" list one version, but "mvn clean install" try to download another version?

I've got a Maven (3.2.5) project which is failing due to a missing dependency. The relevant part of the mvn clean install output:
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-assembly-plugin:2.2-beta-5:single (package-jar-with-dependencies) on project splitter: Failed to create assembly: Failed to resolve dependencies for project: groupId1:splitter:jar:2.12.3: Missing:
[ERROR] ----------
[ERROR] 1) groupId2:location-service:jar:2.12.3
However, mvn dependency:tree claims that the 2.12.3 version is not necessary:
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ splitter ---
[INFO] groupId1:splitter:jar:2.12.3
[INFO] +- groupId2:location-service:jar:2.12.1:compile
There is no other location-service dependency listed.
The pom.xml explicitly calls out the 2.12.1 dependency:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <parent>
        <groupId>groupId2</groupId>
        <artifactId>artifactId</artifactId>
        <version>2.12.0</version>
    </parent>
    ...
    <groupId>groupId1</groupId>
    <artifactId>splitter</artifactId>
    <packaging>jar</packaging>
    <version>2.12.3</version>
    <name>splitter</name>
    <url>http://maven.apache.org</url>
    ...
    <dependencies>
        <dependency>
            <groupId>groupId2</groupId>
            <artifactId>location-service</artifactId>
            <version>2.12.1</version>
        </dependency>
        ...
Interestingly, the parent pom.xml is not available in this directory structure (the person that created the SVN branch branched a portion of the repository that didn't include the parent pom.xml). However, Maven does not complain about it missing, so it's getting it from my ~/.m2/repository directory.

Sorry reputation seekers, yet again I found the solution to my question while composing it. But it's complicated enough to go ahead and post the question and answer, in case anyone else runs into a similar problem.
The problem turned out to be that the parent pom.xml in my ~/.m2/repository directory set the location-service dependency to ${project.version}. Apparently this was enough for the maven-assembly-plugin to want to download it, despite the explicit dependency in the module pom.xml. This is a bug in maven-assembly-plugin:2.2-beta-5. Neither the module nor the parent pom.xml name an explicit version of the maven-assembly-plugin. I haven't the foggiest idea why maven is selecting the 2.2-beta-5 version to download, as it isn't even close to the latest version. mvn dependency:tree -Dverbose doesn't even mention maven-assembly-plugin. Explicitly using maven-assembly-plugin:2.5.5 solves the problem.
