I have modules as below:
root
daemon
common
tests
Now daemon and test both have <dependency>common</dependency>.
I have written them just in brief to understand.
common has jaxrs-api version 2.1.1, earlier it was 2.0.
Built the whole project, cleaned it, but daemon and tests still show the older version. The common version is consistent across all modules. The Dependency Analyzer plugin in IntelliJ still shows common having 2.0, and the code has compilation issues due to the mismatch.
Each module's version is coming from root as follows:
<parent>
<groupId>com.mycompany.domain</groupId>
<artifactId>app-name</artifactId>
<version>1.0.10-SNAPSHOT</version>
<relativePath>..</relativePath>
</parent>
Apart from the screenshot above, below are the only jax-rs entries in mvn dependency:tree
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ common ---
[INFO] com.zzz:common:jar:1.0.10-SNAPSHOT
[INFO] +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.9.8:compile
[INFO] | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.9.8:compile
[INFO] | \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.9.8:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] +- javax.ws.rs:javax.ws.rs-api:jar:2.1.1:compile
[INFO] +- org.testng:testng:jar:6.9.6:test
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ daemon ---
[INFO] com.zzz:daemon:jar:1.0.10-SNAPSHOT
[INFO] +- com.zzz:common:jar:1.0.10-SNAPSHOT:compile
[INFO] | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.9.8:compile
[INFO] | | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.9.8:compile
[INFO] | | \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.9.8:compile
[INFO] | +- javax.ws.rs:javax.ws.rs-api:jar:2.0:compile
[INFO] | \- com.paypal.usf:vo:jar:1.6.5:compile
See the daemon dependency log for the issue; it's bringing the older version of common with 2.0. I don't see any conflicts or the jar coming from other dependencies. I have also tried manually deleting the target directories and deleting the directories inside .m2, but to no avail.
Run maven dependency:tree and check where the dependency of interest is present.
Maven always takes the transitive dependency that is available at the least distance from the root node.
Refer to https://dzone.com/articles/solving-dependency-conflicts-in-maven
As part of the Log4Shell problem, we are trying to analyze which projects use which version of Log4j. I did try the following Maven commands
mvn dependency:list | grep log4j
mvn dependency:tree -Dverbose
mvn dependency:tree -Dverbose | grep log4
But it lists information only like this
mvn dependency:tree | grep log4
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.13.1:provided
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.13.1:provided
[INFO] | | +- log4j:log4j:jar:1.2.16:compile
[INFO] | | +- log4j:log4j:jar:1.2.16:compile
[INFO] | +- log4j:log4j:jar:1.2.17:provided
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.13.1:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.13.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.13.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.13.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.1.8.RELEASE:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.11.2:compile
[INFO] | +- org.apache.logging.log4j:log4j-jul:jar:2.11.2:compile
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.1.8.RELEASE:compile
I cannot find which project in our workspace it points to. Can anyone please help on this?
Note: There are several Maven projects and there is a parent pom.xml for all the pom.xml files. So I want to identify which Maven projects are using log4j, along with the name.
Use the includes option
mvn dependency:tree -Dincludes=org.apache.logging.log4j
example output:
[INFO] com.test:test:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-security:jar:2.5.3:compile
[INFO] \- org.springframework.boot:spring-boot-starter:jar:2.5.3:compile
[INFO] \- org.springframework.boot:spring-boot-starter-logging:jar:2.5.3:compile
[INFO] \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
documentation
Thanks for the answer. Yes it did answer my question. I used the command below and got the result.
mvn dependency:tree -Dincludes=org.apache.logging.log4j -DoutputFile=`pwd`/maven-report-log4j.txt -DappendOutput=true
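Both the daemon/common version mismatch in the first question and this Log4j inventory come down to the same job: read the text that dependency:tree prints for every module, find a given artifact, and record which version each module resolved and through which chain of parents. The script below is an added example, not code from any of the posts above. It reads a file saved with -DoutputFile=... -DappendOutput=true at the reactor root, or captured console output with the [INFO] prefix. The two-module tree embedded in it is constructed for the demo and only reuses the com.zzz:common and com.zzz:daemon names from the first question; the parser assumes Maven's real three-character indentation per tree level, which the copied output above has lost.

```python
"""Scan `mvn dependency:tree` output for an artifact of interest, per module.

Added example (not from the original posts). Feed it the output of
`mvn dependency:tree -DoutputFile=tree.txt -DappendOutput=true` run at the
reactor root, or captured console output; both forms are handled.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Tree node: guides "|  " or "   " (3 chars per level) then "+- " or "\- ".
MARKER = re.compile(r"^((?:\|  |   )*)[+\\]- (.+)$")
# A bare Maven coordinate: groupId:artifactId:type[:classifier]:version[:scope]
COORD = re.compile(r"^[^\s:]+(?::[^\s:]+){3,5}$")


@dataclass(frozen=True)
class Dep:
    module: str             # artifactId of the module whose tree this node is in
    ga: str                 # groupId:artifactId
    version: str            # resolved version
    scope: str              # "" for the module root
    path: Tuple[str, ...]   # groupId:artifactId of each ancestor, root first


def _parse_coord(coord: str) -> Tuple[str, str, str]:
    parts = coord.split(":")
    ga = parts[0] + ":" + parts[1]
    if len(parts) == 4:                 # root: g:a:type:version
        return ga, parts[3], ""
    return ga, parts[-2], parts[-1]     # g:a:type[:classifier]:version:scope


def parse_tree(text: str) -> List[Dep]:
    """Every resolved node of every module tree found in `text`."""
    deps: List[Dep] = []
    stack: List[Tuple[str, str]] = []   # (ga, version) from root down to current node
    module = ""
    for raw in text.splitlines():
        line = raw[7:] if raw.startswith("[INFO] ") else raw
        m = MARKER.match(line)
        if m:
            depth, coord = len(m.group(1)) // 3 + 1, m.group(2)
        elif COORD.match(line):
            depth, coord = 0, line       # module root line
        else:
            continue                     # plugin headers, build summary, blank lines
        if coord.startswith("("):
            continue                     # verbose "omitted" candidates were not resolved
        coord = coord.split(" ", 1)[0]   # drop "(version managed from ...)" suffixes
        ga, version, scope = _parse_coord(coord)
        del stack[depth:]
        if depth == 0:
            module = ga.split(":")[1]
        deps.append(Dep(module, ga, version, scope, tuple(g for g, _ in stack)))
        stack.append((ga, version))
    return deps


def find_artifacts(text: str, prefix: str) -> List[Dep]:
    """Nodes whose groupId:artifactId starts with `prefix` (a groupId or g:a)."""
    return [d for d in parse_tree(text) if d.ga.startswith(prefix)]


def version_drift(deps: List[Dep]) -> Dict[str, Set[str]]:
    """Artifacts that resolve to more than one version across the modules."""
    seen: Dict[str, Set[str]] = {}
    for d in deps:
        seen.setdefault(d.ga, set()).add(d.version)
    return {ga: v for ga, v in seen.items() if len(v) > 1}


# Constructed sample (not real build output): module names from the first question.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ common ---
[INFO] com.zzz:common:jar:1.0.10-SNAPSHOT
[INFO] +- javax.ws.rs:javax.ws.rs-api:jar:2.1.1:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.13.1:compile
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ daemon ---
[INFO] com.zzz:daemon:jar:1.0.10-SNAPSHOT
[INFO] +- com.zzz:common:jar:1.0.10-SNAPSHOT:compile
[INFO] |  +- javax.ws.rs:javax.ws.rs-api:jar:2.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.13.1:compile
[INFO] \- org.springframework.boot:spring-boot-starter-log4j2:jar:2.1.8.RELEASE:compile
[INFO]    +- org.apache.logging.log4j:log4j-core:jar:2.11.2:compile
[INFO]    \- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.11.2:compile
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    prefix = sys.argv[2] if len(sys.argv) > 2 else "org.apache.logging.log4j"
    for d in find_artifacts(text, prefix):
        print(f"{d.module}: {d.ga}:{d.version} ({d.scope}) via {' -> '.join(d.path)}")
    for ga, versions in version_drift(parse_tree(text)).items():
        print(f"DRIFT {ga}: {sorted(versions)}")
```

Run it as python tree_scan.py maven-report-log4j.txt org.apache.logging.log4j (script and file names are assumptions). The per-module lines answer the Log4j question, including the parent chain that pulled the artifact in; the DRIFT lines answer the first question, because a module resolving a different version of an artifact than the module that declares it is exactly the 2.1.1 versus 2.0 situation.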
In a recent security alert, referenced here, I see there might be security concerns with Vaadin 7 because of a jsoup vulnerability. Because of other factors, I cannot upgrade. So I thought about just including the jsoup directly in my project. So before it was included indirectly via vaadin-server, now it is included directly, and the version vaadin-server references is "omitted for conflict with 1.14.2". Is this a safe way to address this security concern?
I am using Vaadin 7.7.17 and maven.
I ask largely because Vaadin did not offer this as a possible solution, so I assumed it would fail. But since maven is showing no error, I am worried I am missing something that will only show up in some strange runtime behavior.
Here is the dependency tree built via mvn dependency:tree. First of all, the original version, stripped down:
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------------< com.mobiwms:vaadinwebsite >----------------------
[INFO] Building vaadinwebsite 4.0.31
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ vaadinwebsite ---
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] | +- com.vaadin:vaadin-sass-compiler:jar:0.9.13:compile
[INFO] | | +- org.w3c.css:sac:jar:1.3:compile
[INFO] | | \- com.vaadin.external.flute:flute:jar:1.3.0.gg2:compile
[INFO] | +- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] | \- org.jsoup:jsoup:jar:1.8.3:compile
[INFO] +- com.vaadin:vaadin-push:jar:7.7.17:compile
[INFO] | \- com.vaadin.external.atmosphere:atmosphere-runtime:jar:2.2.13.vaadin1:compile
[INFO] | \- com.vaadin.external.slf4j:vaadin-slf4j-jdk14:jar:1.6.1:compile
[INFO] +- com.vaadin:vaadin-client:jar:7.7.17:provided
... // Stripped out unrelated portions of hierarchy.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.758 s
[INFO] Finished at: 2021-10-27T18:59:19-04:00
[INFO] ------------------------------------------------------------------------
And now the new version, stripped down:
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------------< com.mobiwms:vaadinwebsite >----------------------
[INFO] Building vaadinwebsite 4.0.31
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ vaadinwebsite ---
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] | +- com.vaadin:vaadin-sass-compiler:jar:0.9.13:compile
[INFO] | | +- org.w3c.css:sac:jar:1.3:compile
[INFO] | | \- com.vaadin.external.flute:flute:jar:1.3.0.gg2:compile
[INFO] | \- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] +- com.vaadin:vaadin-push:jar:7.7.17:compile
[INFO] | \- com.vaadin.external.atmosphere:atmosphere-runtime:jar:2.2.13.vaadin1:compile
[INFO] | \- com.vaadin.external.slf4j:vaadin-slf4j-jdk14:jar:1.6.1:compile
[INFO] +- com.vaadin:vaadin-client:jar:7.7.17:provided
... // Stripped out unrelated portions of hierarchy.
[INFO] \- org.jsoup:jsoup:jar:1.14.2:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.285 s
[INFO] Finished at: 2021-10-27T18:56:01-04:00
[INFO] ------------------------------------------------------------------------
Just noting here. There is no actual problem in Vaadin 7 itself that would be impacted due to the potential Jsoup vulnerability in question. The dependency was updated to a newer version more in order to get application developers to use the newer version. The newer version of Jsoup had some API changes that needed small code changes in Vaadin 7. If your application is not using Jsoup in a way that exposes the vulnerability, then the upgrade is not absolutely mandatory. Also a reminder that Vaadin 7 versions newer than 7.7.17 require a commercial license for extended support.
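The tree only says what Maven resolved; what actually ships is WEB-INF/lib inside the WAR, so the check worth running after pinning a transitive library this way is to open the built artifact and confirm that jsoup is packaged exactly once, at the pinned version, with no 1.8.3 copy left behind by some other path. The script below is an added example and is not code from the question, from Vaadin, or from Maven. It lists the jars in a WAR by artifact and version and flags a library that is missing, packaged twice, or at an unexpected version. The WAR path on the command line is assumed (for this project it would be something like target/vaadinwebsite-4.0.31.war); without an argument it runs on a tiny WAR built in memory whose entries are constructed for the demo.

```python
"""Check what a built WAR actually ships under WEB-INF/lib.

Added example (not from the original posts). Usage:
    python war_libs.py target/vaadinwebsite-4.0.31.war   (path is an assumption)
Without an argument it inspects a small WAR constructed in memory.
"""
import io
import re
import sys
import zipfile
from typing import Dict, List, Set

# Typical WEB-INF/lib entry name: <artifactId>-<version>.jar, where the
# version is the first dash-separated part that starts with a digit.
JAR_NAME = re.compile(r"^WEB-INF/lib/(.+?)-(\d[^/]*)\.jar$")


def packaged_libs(war: zipfile.ZipFile) -> Dict[str, Set[str]]:
    """artifactId -> set of versions found under WEB-INF/lib."""
    libs: Dict[str, Set[str]] = {}
    for name in war.namelist():
        m = JAR_NAME.match(name)
        if m:
            libs.setdefault(m.group(1), set()).add(m.group(2))
    return libs


def check_lib(libs: Dict[str, Set[str]], artifact: str, expected: str) -> List[str]:
    """Problems with `artifact`: not packaged, packaged twice, or not at `expected`."""
    problems: List[str] = []
    versions = libs.get(artifact, set())
    if not versions:
        problems.append(f"{artifact}: not packaged at all")
    if len(versions) > 1:
        problems.append(f"{artifact}: packaged twice: {sorted(versions)}")
    if versions and expected not in versions:
        problems.append(f"{artifact}: expected {expected}, found {sorted(versions)}")
    return problems


def build_sample_war() -> zipfile.ZipFile:
    """Constructed in-memory WAR mimicking the lib layout after pinning jsoup 1.14.2."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in (
            "WEB-INF/lib/vaadin-server-7.7.17.jar",
            "WEB-INF/lib/vaadin-shared-7.7.17.jar",
            "WEB-INF/lib/atmosphere-runtime-2.2.13.vaadin1.jar",
            "WEB-INF/lib/jsoup-1.14.2.jar",
        ):
            zf.writestr(jar, b"")        # jar contents are irrelevant to the check
        zf.writestr("WEB-INF/web.xml", b"<web-app/>")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    war = zipfile.ZipFile(sys.argv[1]) if len(sys.argv) > 1 else build_sample_war()
    libs = packaged_libs(war)
    for artifact in sorted(libs):
        print(f"{artifact}: {sorted(libs[artifact])}")
    # Expectation for the demo: the version the question pinned.
    for line in check_lib(libs, "jsoup", "1.14.2") or ["jsoup: OK, packaged once at 1.14.2"]:
        print(line)
```

The version regex is deliberately simple (artifact name up to the first dash followed by a digit); jars with unusual names such as a classifier after the version will need the pattern extended. The same check is useful for any pinned transitive library, not only jsoup.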
I have following dependency tree.
[INFO] +- net.sf.jasperreports:jasperreports:jar:6.5.1:compile
[INFO] | +- org.eclipse.jdt.core.compiler:ecj:jar:4.4.2:compile
[INFO] | +- org.codehaus.castor:castor-xml:jar:1.3.3:compile
[INFO] | | +- org.codehaus.castor:castor-core:jar:1.3.3:compile
[INFO] | | +- commons-lang:commons-lang:jar:2.6:compile
When I add the dependency "commons-lang" as a top-level dependency in the pom file, it automatically removes the transitive dependency for commons-lang even without excluding it from the pom file.
[INFO] +- net.sf.jasperreports:jasperreports:jar:6.5.1:compile
[INFO] | +- org.eclipse.jdt.core.compiler:ecj:jar:4.4.2:compile
[INFO] | +- org.codehaus.castor:castor-xml:jar:1.3.3:compile
[INFO] | | +- org.codehaus.castor:castor-core:jar:1.3.3:compile
[INFO] | | +- javax.inject:javax.inject:jar:1:compile
What is expected is that it should exclude commons-lang when we exclude it from jasperreports.
Dependency mediation is the rule you are talking about. It is one of the rules that Maven follows to manage transitive dependencies.
It will put commons-lang in the dependency tree according to its nearest definition in the pom.
You can read about all the rules here:
https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
So, to quote them:
Dependency mediation - this determines what version of an artifact will be chosen when multiple versions are encountered as dependencies. Maven picks the "nearest definition". That is, it uses the version of the closest dependency to your project in the tree of dependencies. You can always guarantee a version by declaring it explicitly in your project's POM.
And the commons-lang dependency is never removed; its place in the transitive tree has changed. Now it has become a Level 1 dependency.
[INFO] +- commons-lang:commons-lang:jar:2.6:compile
[INFO] \- net.sf.jasperreports:jasperreports:jar:6.5.1:compile
[INFO] +- org.eclipse.jdt.core.compiler:ecj:jar:4.4.2:compile
[INFO] +- org.codehaus.castor:castor-xml:jar:1.3.3:compile
[INFO] | +- org.codehaus.castor:castor-core:jar:1.3.3:compile
[INFO] | +- javax.inject:javax.inject:jar:1:compile
[INFO] | +- stax:stax:jar:1.2.0:compile
[INFO] | | \- stax:stax-api:jar:1.0.1:compile
[INFO] | \- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.1.4:compile
When a dependency is declared in your project's POM, Maven will use that declaration instead of the transitive dependency.
Omitted dependencies are not displayed in the maven dependency tree, and I just learned that since maven-dependency-plugin version 3.0 the verbose option is no longer supported - which would show the omitted dependency.
I see this when I try to pass the -Dverbose option on the Maven command line (for "mvn dependency:tree -Dverbose=true"):
Verbose not supported since maven-dependency-plugin 3.0
See comments on answer in Display omitted versions in maven dependency:tree?
My pom references a parent pom with a lot of declared dependencies in the dependencyManagement section. This overwrites the version of a transitive dependency and causes runtime problems.
To solve this I now declare the transitive dependency as an explicit dependency, but it took me a while to figure out the problem. I would have noticed much sooner, if mvn dependency:tree would have shown me that the version was overwritten, but it did not.
Can you tell me how I can quickly see, where the versions of my dependency originate from and how I can see whether a transitive dependency was affected by the parent pom or not?
mvn dependency:tree -Dverbose=true
ought to do the trick. Alternatively, you can use:
mvn dependency:tree -X
Using Maven 3.3.9 and 3.5.2 (both default to version 2.10 of maven-dependency-plugin):
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ xxx ---
[WARNING] Using Maven 2 dependency tree to get verbose output, which may be inconsistent with actual Maven 3 resolution
[INFO] xxx:jar:1.0.0-SNAPSHOT
[INFO] +- com.sun.mail:javax.mail:jar:1.5.6:runtime
[INFO] | \- (javax.activation:activation:jar:1.1:runtime - omitted for conflict with 1.1.1)
[INFO] +- org.eclipse.jgit:org.eclipse.jgit.junit:jar:4.7.0.201704051617-r:test
[INFO] | \- (org.eclipse.jgit:org.eclipse.jgit:jar:3.5.3.201412180710-r:test - version managed from 4.7.0.201704051617-r; omitted for conflict with 4.7.0.201704051617-r)
[INFO] +- org.eclipse.jgit:org.eclipse.jgit.junit.http:jar:4.7.0.201704051617-r:test
[INFO] | +- (org.eclipse.jgit:org.eclipse.jgit:jar:3.5.3.201412180710-r:test - version managed from 4.7.0.201704051617-r; omitted for conflict with 4.7.0.201704051617-r)
[INFO] | +- org.eclipse.jgit:org.eclipse.jgit.http.server:jar:4.7.0.201704051617-r:test
[INFO] | | \- (org.eclipse.jgit:org.eclipse.jgit:jar:3.5.3.201412180710-r:test - version managed from 4.7.0.201704051617-r; omitted for conflict with 4.7.0.201704051617-r)
[INFO] | +- (org.eclipse.jgit:org.eclipse.jgit.junit:jar:4.7.0.201704051617-r:test - omitted for duplicate)
[INFO] | \- org.eclipse.jetty:jetty-servlet:jar:9.4.7.v20170914:test (version managed from 9.3.17.v20170317)
[INFO] | \- (org.eclipse.jetty:jetty-security:jar:9.4.7.v20170914:test - omitted for conflict with 9.3.19.v20170502)
[INFO] +- org.eclipse.jetty:jetty-security:jar:9.3.19.v20170502:test
[INFO] | \- org.eclipse.jetty:jetty-server:jar:9.4.7.v20170914:test (version managed from 9.3.19.v20170502)
[INFO] | +- javax.servlet:javax.servlet-api:jar:3.1.0:test
[INFO] | +- org.eclipse.jetty:jetty-http:jar:9.4.7.v20170914:test
[INFO] | | +- org.eclipse.jetty:jetty-util:jar:9.4.7.v20170914:test
[INFO] | | \- (org.eclipse.jetty:jetty-io:jar:9.4.7.v20170914:test - omitted for duplicate)
[INFO] | \- org.eclipse.jetty:jetty-io:jar:9.4.7.v20170914:test
[INFO] | \- (org.eclipse.jetty:jetty-util:jar:9.4.7.v20170914:test - omitted for duplicate)
[INFO] \- org.springframework.boot:spring-boot-starter-data-ldap:jar:1.5.8.RELEASE:compile
[INFO] \- (org.slf4j:jcl-over-slf4j:jar:1.7.25:compile - scope updated from runtime; omitted for duplicate)
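For the question of where a version came from, the parenthesised notes in the verbose tree are the answer, and they can be read mechanically instead of by eye. The script below is an added example, not the plugin's own code and not from the answer above. It pulls out every "version managed from" entry (a dependencyManagement section, typically in the parent POM, rewrote the version the declaring POM asked for) and every "omitted for conflict with" entry (nearest-definition mediation, the rule the jasperreports/commons-lang answer above describes, dropped that candidate in favour of another version). The sample text reuses a few lines of the verbose tree from the answer above, rearranged into a smaller tree and re-spaced to Maven's three-character indentation; it needs verbose output, which the answer's maven-dependency-plugin 2.10 run prints.

```python
"""Explain `mvn dependency:tree -Dverbose` output: which candidate versions
lost and to what, and which versions dependencyManagement rewrote.

Added example (not from the original posts). Usage:
    mvn dependency:tree -Dverbose -DoutputFile=verbose.txt && python verbose_tree.py verbose.txt
(file and script names are assumptions; without an argument it uses the sample below).
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Strip the console prefix and the tree guides/marker in front of a node.
NODE = re.compile(r"^(?:\[INFO\] )?[| ]*(?:[+\\]- )?(.*)$")
# "(coord - reason; reason)": a candidate Maven dropped during mediation.
OMITTED = re.compile(r"^\((\S+) - (.+)\)$")
# "coord (version managed from X ...)": a resolved node whose version came
# from dependencyManagement rather than from the POM that declared it.
MANAGED = re.compile(r"^(\S+) \(version managed from ([^;)]+)")


@dataclass(frozen=True)
class Event:
    ga: str        # groupId:artifactId
    kind: str      # "managed" or "conflict"
    version: str   # managed: effective version; conflict: the losing version
    other: str     # managed: version the POM asked for; conflict: the winner


def _ga_version(coord: str) -> Tuple[str, str]:
    parts = coord.split(":")             # g:a:type[:classifier]:version:scope
    return parts[0] + ":" + parts[1], parts[-2]


def verbose_events(text: str) -> List[Event]:
    events: List[Event] = []
    for raw in text.splitlines():
        node = NODE.match(raw).group(1).strip()
        m = OMITTED.match(node)
        if m:
            ga, version = _ga_version(m.group(1))
            win = re.search(r"omitted for conflict with (\S+)", m.group(2))
            if win:
                events.append(Event(ga, "conflict", version, win.group(1)))
            # "omitted for duplicate" means the same version appears elsewhere
            # in the tree; nothing changed, so it is not reported.
            continue
        m = MANAGED.match(node)
        if m:
            ga, version = _ga_version(m.group(1))
            events.append(Event(ga, "managed", version, m.group(2)))
    return events


def managed_overrides(text: str) -> Dict[str, Tuple[str, str]]:
    """ga -> (version the POM declared, version dependencyManagement forced)."""
    return {e.ga: (e.other, e.version) for e in verbose_events(text) if e.kind == "managed"}


def conflict_losers(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """ga -> [(losing version, winning version), ...] from nearest-wins mediation."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for e in verbose_events(text):
        if e.kind == "conflict":
            out.setdefault(e.ga, []).append((e.version, e.other))
    return out


# Lines reused from the verbose tree in the answer above, rearranged into a smaller tree.
SAMPLE_VERBOSE = r"""
[INFO] xxx:jar:1.0.0-SNAPSHOT
[INFO] +- com.sun.mail:javax.mail:jar:1.5.6:runtime
[INFO] |  \- (javax.activation:activation:jar:1.1:runtime - omitted for conflict with 1.1.1)
[INFO] +- org.eclipse.jetty:jetty-servlet:jar:9.4.7.v20170914:test (version managed from 9.3.17.v20170317)
[INFO] |  \- (org.eclipse.jetty:jetty-security:jar:9.4.7.v20170914:test - omitted for conflict with 9.3.19.v20170502)
[INFO] +- org.eclipse.jetty:jetty-security:jar:9.3.19.v20170502:test
[INFO] |  \- org.eclipse.jetty:jetty-server:jar:9.4.7.v20170914:test (version managed from 9.3.19.v20170502)
[INFO] \- org.springframework.boot:spring-boot-starter-data-ldap:jar:1.5.8.RELEASE:compile
[INFO]    \- (org.slf4j:jcl-over-slf4j:jar:1.7.25:compile - scope updated from runtime; omitted for duplicate)
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VERBOSE
    for ga, (asked, forced) in managed_overrides(text).items():
        print(f"MANAGED  {ga}: POM asked for {asked}, dependencyManagement forced {forced}")
    for ga, pairs in conflict_losers(text).items():
        for lost, won in pairs:
            print(f"CONFLICT {ga}: {lost} lost to {won} (nearest definition wins)")
```

The Jetty lines are the instructive case: dependencyManagement moved jetty-server and jetty-servlet to 9.4.7, but the direct jetty-security 9.3.19 declaration still beat the 9.4.7 candidate because it sits nearer the root, so the build ends up with mixed Jetty versions. That is the sort of mismatch that only surfaces at runtime, which is what the asker ran into, and the MANAGED lines are the quick way to see which transitive versions the parent POM rewrote.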
If you are using Eclipse with the M2 plugin, the tab "Dependency Hierarchy" on the POM will display omitted versions as well.
Use these plugins
https://maven.apache.org/plugins/maven-dependency-plugin/list-mojo.html
https://maven.apache.org/plugins/maven-help-plugin/effective-pom-mojo.html
Run command
mvn dependency:list
and
help:effective-pom
then compare two lists.
I have trouble understanding the behaviour of the dependency:tree output. When running the plugin on a higher module, I am missing vital information from modules it depends on. But when I run the plugin on the lower module, I can see the dependencies. Here is an example to show the problem (names changed):
mvn -pl foo:bar-application dependency:tree -Dincludes=foo:*
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building bar-application 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:tree (default-cli) @ bar-application ---
[INFO] foo:bar-application:ear:0.0.1-SNAPSHOT
[INFO] +- foo:bar-business:ejb:0.0.1-SNAPSHOT:compile
[INFO] | +- foo:common-util:jar:0.0.1-SNAPSHOT:compile
...
[INFO] +- foo:bar-web:war:0.0.1-SNAPSHOT:compile
[INFO] \- foo:common-logging:jar:0.0.1-SNAPSHOT:compile
[INFO] ------------------------------------------------------------------------
The tree shows a dependency on bar-web, but only one further dependency from bar-web to other projects (common-logging).
But bar-web has far more dependencies:
mvn -pl foo:bar-web dependency:tree -Dincludes=foo:*
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building bar-web 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:tree (default-cli) @ bar-web ---
[INFO] foo:bar-web:war:0.0.1-SNAPSHOT
[INFO] +- foo:common-logging:jar:0.0.1-SNAPSHOT:compile
[INFO] +- foo:culprit-business-client:jar:0.0.1-SNAPSHOT:compile
...
[INFO] +- foo:common-rest:jar:0.0.1-SNAPSHOT:compile
[INFO] | \- foo:config-business-client:jar:0.0.1-SNAPSHOT:compile
[INFO] \- foo:bar-business:jar:0.0.1-SNAPSHOT:provided
[INFO] \- foo:some-client:jar:0.0.1-SNAPSHOT:provided
[INFO] ------------------------------------------------------------------------
Why are the other dependencies not shown when inspecting bar-application? It took me a while of searching to find the culprit.
I'm using
mvn --version
Apache Maven 3.0.5
mvn dependency:tree
shows you the effective dependencies, as in where your actual dependencies come from.
mvn dependency:tree -Dverbose
will show you all transitive dependencies, including the reason why they are excluded
A WAR includes its dependencies inside the archive, that's why Maven does not propagate them transitively to other artifacts depending on the WAR artifact.