Our build server does not have access to the Maven central repositories.
When updating dependencies I typically create a backup of my repository and then do a diff, and copy the new dependencies to the build machine.
When updating my Log4j dependency to deal with the recent vulnerability this process seems to have broken down.
My dependency on log4j comes from:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>
I set the log4j version property as such:
<properties>
<log4j2.version>2.16.0</log4j2.version>
</properties>
It builds fine on my machine. And I found the following new files in my local Maven repository which I copied to the Maven repository on the build machine.
But when the build runs on the build machine, it appears to go hunting for the new version of Log4j in the remote repository and fails as such:
161 [INFO] Scanning for projects...
162 Downloading from central: https://repo.maven.apache.org/maven2/org/apache/logging/logging-parent/3/logging-parent-3.pom
163 [ERROR] [ERROR] Some problems were encountered while processing the POMs:
164 [FATAL] Non-resolvable parent POM for org.apache.logging.log4j:log4j-bom:2.16.0: Could not transfer artifact org.apache.logging:logging-parent:pom:3 from/to central (https://repo.maven.apache.org/maven2): Transfer failed for https://repo.maven.apache.org/maven2/org/apache/logging/logging-parent/3/logging-parent-3.pom # org.apache.logging.log4j:log4j-bom:2.16.0, C:\Users\gitlab-runner.ate\.m2\repository\org\apache\logging\log4j\log4j-bom\2.16.0\log4j-bom-2.16.0.pom, line 19, column 11
Related
I have a maven build that fails on executing mvn go-offline, because it tries to download log4j-core:2.11.2 - a version which has been removed from my company's Artifactory due to the Log4Shell vulnerability.
But I can't figure out why my project is trying to download that specific version of log4j-core. I have explicitly defined a log4j-core:2.17.1 dependency in my pom, and log4j-core:2.11.2 is nowhere in my project's dependency tree. In addition, running mvn install works fine and doesn't require log4j-core:2.11.2: only the mvn go-offline command thinks it needs 2.11.2.
The project set up with a parent pom, like this:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.6.7</version>
<relativePath/>
</parent>
...
<dependencies>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.17.1</version>
</dependency>
...
</dependencies>
Result of executing mvn -X dependency:go-offline:
[DEBUG] Resolving artifact org.apache.logging.log4j:log4j-core:pom:2.11.2 from [central (https://artifacts.mycompany.int/artifactory/maven-all, default, releases), snapshots (https://artifacts.mycompany.int/artifactory/maven-all, default, releases+snapshots), apache.snapshots (https://repository.apache.org/snapshots, default, snapshots)]
[INFO] Downloading from central: https://artifacts.mycompany.int/artifactory/maven-all/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.pom
[DEBUG] Writing tracking file /mybuilddir/.m2/repository/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.pom.lastUpdated
[WARNING] The POM for org.apache.logging.log4j:log4j-core:jar:2.11.2 is missing, no dependency information available
[DEBUG] Resolving artifact org.apache.logging.log4j:log4j-core:jar:2.11.2 from [central (https://artifacts.mycompany.int/artifactory/maven-all, default, releases), snapshots (https://artifacts.mycompany.int/artifactory/maven-all, default, releases+snapshots)]
[INFO] Downloading from central: https://artifacts.mycompany.int/artifactory/maven-all/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.jar
[DEBUG] Writing tracking file /mybuilddir/.m2/repository/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.jar.lastUpdated
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.2.0:go-offline (default-cli) on project myproject: org.eclipse.aether.resolution.DependencyResolutionException: Could not find artifact org.apache.logging.log4j:log4j-core:jar:2.11.2 in central (https://artifacts.mycompany.int/artifactory/maven-all) -> [Help 1]
Result of executing mvn -X org.apache.maven.plugins:maven-dependency-plugin:3.3.0:tree -Dverbose=true (the only version of log4j-core that shows up is 2.17.1. Version 2.11.2 is not mentioned anywhere in this tree):
[DEBUG] com.mycompany:myproject:jar:1.7.0
...
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
...
I cannot understand why my pom is trying to download a dependency version not listed in the tree. Is it some sort of transitive dependency that is not being printed out in the tree? If so, how do I get the dependency tree to print it, as well as which artifact is bringing it in? Does anyone have any advice?
dependency:go-offline try to resolve and download all dependencies used in your project ... but also try to resolve all Maven plugins used in project and their dependencies
Also dependency:tree show what you use in project.
So even if your project have no dependencies to log4j-core:2.11.2 some of plugins used to build project can have it ...
Please examine output of:
mvn dependency:resolve-plugins
I'm switching a maven project's db from MySQL to Oracle. I have this dependency in my pom.xml:
<!-- https://mvnrepository.com/artifact/com.oracle/ojdbc14 -->
<dependency>
<groupId>com.oracle</groupId>
<artifactId>ojdbc14</artifactId>
<version>10.2.0.4.0</version>
</dependency>
But IntelliJ's maven view shows red squigglies on that dependency and mvn clean install gives me:
Could not resolve dependencies for project com.example:polls:jar:0.0.1-SNAPSHOT: Failure to find com.oracle:ojdbc6:jar:11.2.0.1.0 in https://repo.maven.apache.org/maven2 was cached in the local repository,
resolution will not be reattempted until the update interval of central has elapsed or updates are forced -> [Help 1]
So per this advice, I did a force (mvn clean install -U). But that gives me:
Downloading from central: https://repo.maven.apache.org/maven2/com/oracle/ojdbc6/11.2.0.1.0/ojdbc6-11.2.0.1.0.pom
[WARNING] The POM for com.oracle:ojdbc6:jar:11.2.0.1.0 is missing, no dependency information available
Downloading from central: https://repo.maven.apache.org/maven2/com/oracle/ojdbc6/11.2.0.1.0/ojdbc6-11.2.0.1.0.jar
... even though my .m2 does contain that dependency:
So why does my project not build? Is there some reason Oracle jars are not accessible via maven central?
It turns out Oracle JDBC drivers need to be obtained from the "Oracle Maven Repository". There's lots of guidance on that, which I guess I missed at first. They can also be downloaded directly.
In jenkins there are two project A and B both are maven project and both the projects are running fine when do clean and install from the STS.
However,when the same project is refered in jenkins as a maven project.Its not able to resolve the dependency of Project A.
When I put explicitly the Dependency in jenkins .m2 folder repository it works
Projects A jar is created here.
4.0.0
<groupId>com.XYZ.k</groupId>
<artifactId>abc</artifactId>
<version>1.0.0-SNAPSHOT</version>
<name>abc</name>
Referring in Project B POM like below.
<dependency>
<groupId>com.XYZ.k</groupId>
<artifactId>abc</artifactId>
<version>1.0.0-SNAPSHOT</version>
</dependency>
Problem is coming like not able to resolve dependency:
enter code here
[ERROR] Failed to execute goal on project rpg4xref: Could not resolve dependencies for project com.xyz.xa:B:jar:13.2.00-SNAPSHOT: Failure to find com.xyz.abc:abc:jar:1.0.0-SNAPSHOT in file:/// was cached in the local repository, resolution will not be reattempted until the update interval of localRepsoitory has elapsed or updates are forced -> [Help 1]
Hello I am trying to learn spring boot. I have installed Spring STS
Spring Tool Suite
Version: 3.6.4.RELEASE
Build Id: 201503100339
Platform: Eclipse Luna SR1 (4.4.2)
Java 1.7.
I am trying to create a spring starter project. After I do it with the sts I get the project generated but the Maven pom contains errors.
It always says : Project build error:
Project build error: Non-resolvable import POM: Failure to transfer org.springframework:spring-framework-bom:pom:4.1.6.RELEASE from repo.maven.apache.org/maven2 was cached in the local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are forced. Original error: Could not transfer artifact org.springframework:spring-framework-bom:pom:4.1.6.RELEASE from/to central repo.maven.apache.org/maven2): The operation was cancelled.
Failure to transfer org.springframework:spring-framework-bom:pom:4.1.6.RELEASE from //repo.maven.apache.org/maven2 was cached in the local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are forced. Original error: Could not transfer artifact org.springframework:spring-framework-bom:pom:4.1.6.RELEASE from/to central repo.maven.apache.org/maven2): The operation was cancelled.
Project build error: Non-resolvable import POM: Failure to transfer org.springframework.security:spring-security-bom:pom:3.2.7.RELEASE from repo.maven.apache.org/maven2 was cached in the local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are forced. Original error: Could not transfer artifact org.springframework.security:spring-security-bom:pom:3.2.7.RELEASE from/to central ( repo.maven.apache.org/maven2): The operation was cancelled.
The POM is automatically generated when I create a spring starter project and it always generates that error.
I understand that there is something wrong the the spring files but I don't know how to solve that problem.
Can someone here give me please an advice how to solve this.
Thanks.
Best regeards.
Khelvan
I was getting the same issue while importing maven project from spring initialzr.
Spring Tool Suite 4 Version: 4.1.0.RELEASE
Just add below lines in pom.xml file:-
<properties>
<maven-jar-plugin.version>3.1.1</maven-jar-plugin.version>
</properties>
Happy Coding ;
I had the same problem, using NetBeans 8.1, Maven 3.0.1, and Spring MVC versions 4.0.1 and 4.2.5.
The first solution I found on the web was to update Maven to version 3.3.9, which did not solve my problem. However, with more search I found a useful link. There it explains for including Maven's "bill of materials" (BOM) dependency you can use:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.2.5.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
Before I was missing <type> and <scope> tags in the auto-generated code. After adding them the problem was solved.
Since I am not sure if updating Maven also helped or not, you might also try that.
Check the version of the bom you are using. When I changed mine to 4.3.5.RELEASE, the error went away
I am using MacBook. I have installed Apache Maven 3.1.1 .
Under my maven local repository path, I see that there is already installed the artifact of my base project:
~/.m2/repository/com/my/base/project/MyBase/1.0/MyBase-1.0.jar
In another project(feature-project)'s pom.xml, I added my base project as a dependency:
<dependency>
<groupId>com.my.base.project</groupId>
<artifactId>MyBase</artifactId>
<version>1.0</version>
<scope>provided</scope>
</dependency>
But when I run maven clean install under feature-project, I got error:
Failed to collect dependencies at com.my.base.project:MyBase:jar:1.0: Failed to read artifact descriptor for com.my.base.project:MyBase:jar:1.0:
WhY? What did I do wrong?