Maven enforcer plugin should honor dependency exclusions - maven

How can I ensure that in my pom certain dependecies do not occur, also transitively?
This doesn't work with the maven enforcer plugin.
I added the following new dependency
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi</artifactId>
<version>5.1.0</version>
</dependency>
After restarting the app, my logback logging no longer works. A quick search shows that the dependency mentioned above comes with log4j and this messes up my logback logging.
So I don't want the transitive log4j dependency to get into my target artifact and exclude it:
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi</artifactId>
<version>5.1.0</version>
<exclusions>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
How can I check in the future whether a new dependency may also bring a transitive dependency for log4j with it?
With the maven enforcer plugin I can check this:
<bannedDependencies>
<excludes>
<exclude>org.apache.logging.log4j</exclude>
</excludes>
<searchTransitive>true</searchTransitive>
</bannedDependencies>
But it ALWAYS raises an alarm, although I have excluded it via <exlusion> mentioned above. However, if I switch to
<searchTransitive>false</searchTransitive>
then the log4j is no longer found, since I didn't declare it as a dependency directly in my pom and the enforcer check is pointless.
Now how do I get the maven enforcer plugin to honor dependency exclusions?

Related

Gradle dependency with test classifier

I've been trying to reference an artefact without luck.
With maven I have no problem doing this:
<dependency>
<groupId>org.apache.kafka</groupId>
<artifactId>kafka_2.13</artifactId>
<version>3.0.0</version>
<classifier>test</classifier>
</dependency>
Maven selects the correct artefact.
However, with gradle, it always seems to include the artefact without the classifier, no matter what I try:
implementation 'org.apache.kafka:kafka_2.13:3.0.0:test'
I have read the gradle documentation and it suggests this syntax, maybe it has something to do with this specific artefact?
Update
My goal is to use spring-kafka-test. Our internal artefact repository is not set up to use pom resolution, which is why I need to add transitives manually.
I've ruled out the fact that it might be our internal repository by only using maven central; and I get the same results.
I managed to include only the mentioned jar, with:
dependencies {
implementation ('org.apache.kafka:kafka_2.13:3.0.0:test') {
exclude group: 'org.apache.kafka' // or finer grained, if we like
}
...
}
See also: How to specify a classifier in a gradle dependency's dependency?
But
Your assumptions about maven were also wrong:
Maven pulls all! (In module-test-parents no dependencies defined.)
To achieve the same (and even more) in maven we'd also have to:
<dependencies>
<dependency>
<groupId>org.apache.kafka</groupId>
<artifactId>kafka_2.13</artifactId>
<version>3.0.0</version>
<classifier>test</classifier>
<exclusions>
<exclusion> <!--sledge hammer -->
<groupId>*</groupId>
<artifactId>*</artifactId>
</exclusion>
<!-- or selectively ... -->
</exclusions>
</dependency>
</dependencies>
In gradle the according would be (tested):
implementation ('org.apache.kafka:kafka_2.13:3.0.0:test'){
exclude group: '*'
}

Find all dependencies that include a given package

I excluded an artifact because it causes conflicts, namely the jsr311-api given below. Yet when I run the generated jar I'm still getting the java.lang.NoSuchMethodError error. I suspect that another dependency is also including this artifact. How can I find out which one? My dependency list is quite large. Which dependencies include the package javax.ws.rs.core?
<dependency>
<groupId>org.apache.axis2</groupId>
<artifactId>axis2-kernel</artifactId>
<version>1.7.3</version>
<exclusions>
<!-- Causes java.lang.NoSuchMethodError: javax.ws.rs.core.Response$Status$Family.familyOf(I)Ljavax/ws/rs/core/Response$Status$Family; -->
<exclusion>
<artifactId>jsr311-api</artifactId>
<groupId>javax.ws.rs</groupId>
</exclusion>
</exclusions>
</dependency>
Go to
http://search.maven.org/#advancedsearch%7Cgav
and use classname search to find
javax.ws.rs.core.Response
If you use a Nexus 2.x in your company, you can use classname search there as well.
If you want to find out where a given artifact (that you e.g. found by classnmae search) comes from, use dependency:tree in Maven.
In my case the mistake was that I had to manually add the javaee api and I set <scope>provided</scope> which was a mistake, fixing this solved the problem.
<dependency>
<groupId>javax</groupId>
<artifactId>javaee-api</artifactId>
<version>7.0</version>
<scope>provided</scope><!-- remove this -->
</dependency>

Excluding transitive dependency from Maven pom

I have a Maven dependency added where type is test-jar and scope is test. I want to remove a transitive dependency from this (because in the Nexus prod repo this dependency is missing which leads to Jenkins build failure). I have added a exclusion tag but still the dependency is not removed i.e. Jenkins build still fails and complains about this dependency. Any clue why?
<dependency>
<groupId>com.xxx</groupId>
<artifactId>xxx</artifactId>
<type>test-jar</type>
<version>${xxx.version}</version>
<scope>test</scope>
<exclusions>
<exclusion>
<artifactId>jamon</artifactId>
<groupId>com.jamonapi</groupId>
<!-- <scope>compile</scope> -->
</exclusion>
</exclusions>
</dependency>
You can use the following command to find out the transitive dependency details and then you can exclude the dependency:
mvn dependency:tree -Dverbose -Dincludes=<artifact_name>

Exclude package from being pulled in from an external jar in maven assembly

We had a bug whereby our logger stopped doing anything. In the end, we tracked it down to an external dependency, say:
<dependency>
<groupId>com.bob</groupId>
<artifactId>alice</artifactId>
<version>1.2.3</version>
</dependency>
which has it's own slf4j implementation. I had changed our pom so this dependency was listed first, which is what triggered the bug. Moving the dependency back to being listed last fixed the issue (so that the usual log4j implementation was used).
This seems like a very fragile fix. The "correct" fix would seem to be to get the maven assembly plugin to exclude importing, from the alice.jar file, any file in the org.slf4j package. We tried adding something to our custom assembly xml file, like:
<dependencySets>
<dependencySet>
<unpack>true</unpack>
<unpackOptions>
<excludes>
<exclude>com.bob:alice:org/slf4j/*</exclude>
However, this didn't work. The best I could do was:
<exclude>org/slf4j/*</exclude>
But this excludes all copies of that package, which obviously breaks everything.
What is the correct way to do this exclusion?
try this :
<dependency>
<groupId>com.bob</groupId>
<artifactId>alice</artifactId>
<version>1.2.3</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
And then add the dependency slf4j like this : (You can modify the version of the slf4j)
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.5.6</version>
</dependency>

How can I remove artifacts by Maven from the lib folder of the ear?

How can I remove artifacts from the lib folder of the ear? For exemple: activation.jar.
I was try follow the especification about Excluding a module (just change webModule for jarModule) but without success with this error: Artifact[jar:javax.activation:activation] is not a dependency of the project.
Use provided as scope wherever the dependency is defined.
<dependency>
<groupId>javax.activation</groupId>
<artifactId>activation</artifactId>
<version>1.1.1</version>
<scope>provided</scope>
</dependency>
Set the scope to provided. Maven will still add the dependency to the compile time classpath but not to the final WAR.
As others have said, you need to use provided as the scope. If the jars you need to remove are not dependencies of your project directly (ie are transient dependencies), then you need to exclude them from whatever is bringing them into your build . If you actually need those classes at compile-time, you'll have to re-include them as provided:
<dependency>
<!-- this dependency has javax.activation as a dependency -->
<groupId>blah.groupId</groupId>
<artifactId>blah.artifactId</artifactId>
<version>blah.version</version>
<exclusions>
<exclusion>
<groupId>javax.activation</groupId>
<artifactId>activation</artifactId>
<exclusion>
</exclusions>
</dependency>
<!-- only necessary if this jar is needed at compile-time -->
<dependency>
<groupId>javax.activation</groupId>
<artifactId>activation</artifactId>
<version>1.1.1</version>
<scope>provided</scope>
</dependency>

Resources