I have following dependency tree.
[INFO] +- net.sf.jasperreports:jasperreports:jar:6.5.1:compile
[INFO] | +- org.eclipse.jdt.core.compiler:ecj:jar:4.4.2:compile
[INFO] | +- org.codehaus.castor:castor-xml:jar:1.3.3:compile
[INFO] | | +- org.codehaus.castor:castor-core:jar:1.3.3:compile
[INFO] | | +- commons-lang:commons-lang:jar:2.6:compile
When I add dependency "commons-lang" as top level dependency in the pom file it automatically removes the transitive dependency for common-lang even without exclude it from pom file.
[INFO] +- net.sf.jasperreports:jasperreports:jar:6.5.1:compile
[INFO] | +- org.eclipse.jdt.core.compiler:ecj:jar:4.4.2:compile
[INFO] | +- org.codehaus.castor:castor-xml:jar:1.3.3:compile
[INFO] | | +- org.codehaus.castor:castor-core:jar:1.3.3:compile
[INFO] | | +- javax.inject:javax.inject:jar:1:compile
What is expected is it should exclude common-lang when we exclude it from jasperreports.
Dependency Mediation is the rule which you are talking about. It is one of the rule which maven follows to manage transitive dependencies.
It will put commons-lang in the dependency tree according to its nearest definition in the pom.
You can read about all the rules here :
https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
So to quote them :
Dependency mediation - this determines what version of an artifact will be chosen when multiple versions are encountered as dependencies. Maven picks the "nearest definition". That is, it uses the version of the closest dependency to your project in the tree of dependencies. You can always guarantee a version by declaring it explicitly in your project's POM.
And the dependency of commons-lang is never removed, its place in the transitive tree has changed. Now it has become a Level 1 dependency.
[INFO] +- commons-lang:commons-lang:jar:2.6:compile
[INFO] \- net.sf.jasperreports:jasperreports:jar:6.5.1:compile
[INFO] +- org.eclipse.jdt.core.compiler:ecj:jar:4.4.2:compile
[INFO] +- org.codehaus.castor:castor-xml:jar:1.3.3:compile
[INFO] | +- org.codehaus.castor:castor-core:jar:1.3.3:compile
[INFO] | +- javax.inject:javax.inject:jar:1:compile
[INFO] | +- stax:stax:jar:1.2.0:compile
[INFO] | | \- stax:stax-api:jar:1.0.1:compile
[INFO] | \- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.1.4:compile
When a dependency is declared in your projects pom maven will use that declaration instead of the transitive dependency.
Omitted dependencies are not displayed in the maven dependency tree, and I just learned that since maven-dependency-plugin version 3.0 the verbose option is no longer supported - which would show the omitted dependency.
I see this when I tried to provide -Dverbose option at maven command line (for "mvn dependency:tree -Dverbose=true"):
Verbose not supported since maven-dependency-plugin 3.0
See comments on answer in Display omitted versions in maven dependency:tree?
Related
As part Log4jshell problem, we are trying to analyze which projects use which version of Log4j. I did try the following maven commands
mvn dependency:list | grep log4j
mvn dependency:tree -Dverbose
mvn dependency:tree -Dverbose | grep log4
But it lists information only like this
mvn dependency:tree | grep log4
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.13.1:provided
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.13.1:provided
[INFO] | | +- log4j:log4j:jar:1.2.16:compile
[INFO] | | +- log4j:log4j:jar:1.2.16:compile
[INFO] | +- log4j:log4j:jar:1.2.17:provided
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.13.1:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.13.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.13.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.13.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.1.8.RELEASE:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.11.2:compile
[INFO] | +- org.apache.logging.log4j:log4j-jul:jar:2.11.2:compile
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.1.8.RELEASE:compile
I cannot find which project in our workspace it points to. Can anyone please help on this?
Note: There are several maven projects and there is a parent pom.xml for all the pom.xml files. So want to identify which maven projects are using log4j along with the name.
Use the includes option
mvn dependency:tree -Dincludes=org.apache.logging.log4j
example output:
[INFO] com.test:test:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-security:jar:2.5.3:compile
[INFO] \- org.springframework.boot:spring-boot-starter:jar:2.5.3:compile
[INFO] \- org.springframework.boot:spring-boot-starter-logging:jar:2.5.3:compile
[INFO] \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
documentation
Thanks for the answer. Yes it did answer my question. I used the command below and got the result.
mvn dependency:tree -Dincludes=org.apache.logging.log4j -DoutputFile=`pwd`/maven-report-log4j.txt -DappendOutput=true
I have modules as below:
root
daemon
common
tests
Now daemon and test both have <dependency>common</dependency>.
I have written them just in brief to understand.
common has jaxrs-api version 2.1.1, earlier it was 2.0.
Built the whole project, cleaned it, but still daemon and tests show older version. common version is consistent across all modules. Dependency Analyzer plugin in IntelliJ still shows common having 2.0 and code has compilation issues due to mismatch.
Each module's version is coming from root as follows:
<parent>
<groupId>com.mycompany.domain</groupId>
<artifactId>app-name</artifactId>
<version>1.0.10-SNAPSHOT</version>
<relativePath>..</relativePath>
</parent>
Apart from screenshot above, below are the only jax-rs entries in mvn dependency:tree
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # common ---
[INFO] com.zzz:common:jar:1.0.10-SNAPSHOT
[INFO] +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.9.8:compile
[INFO] | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.9.8:compile
[INFO] | \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.9.8:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] +- javax.ws.rs:javax.ws.rs-api:jar:2.1.1:compile
[INFO] +- org.testng:testng:jar:6.9.6:test
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # daemon ---
[INFO] com.zzz:daemon:jar:1.0.10-SNAPSHOT
[INFO] +- com.zzz:common:jar:1.0.10-SNAPSHOT:compile
[INFO] | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.9.8:compile
[INFO] | | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.9.8:compile
[INFO] | | \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.9.8:compile
[INFO] | +- javax.ws.rs:javax.ws.rs-api:jar:2.0:compile
[INFO] | \- com.paypal.usf:vo:jar:1.6.5:compile
See the daemon dependency log for issue, its brining older version of common with 2.0. I don't see any conflicts or the jar coming from other dependencies. I have also tried manually deleted the target directories and delete the directories inside .m2 but to no avail.
Run maven dependency:tree and check where the dependency of interest is present.
Maven always take teansitive dependency that is available at less distance from the root node.
Refer - https://dzone.com/articles/solving-dependency-conflicts-in-maven
My pom references a parent pom with a lot of declared dependencies in the dependenyManagement section. This overwrites the version of a transitive dependency and causes runtime problems.
To solve this I now declare the transitive dependency as an explicit dependency, but it took me a while to figure out the problem. I would have noticed much sooner, if mvn dependency:tree would have shown me that the version was overwritten, but it did not.
Can you tell me how I can quickly see, where the versions of my dependency originate from and how I can see whether a transitive dependency was affected by the parent pom or not?
mvn dependency:tree -Dverbose=true
ought to do the trick. Alternativ, you can use:
mvn dependency:tree -X
Using Maven 3.3.9 and 3.5.2 (Both default to version 2.10 of maven-dependency-plugin:
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) # xxx ---
[WARNING] Using Maven 2 dependency tree to get verbose output, which may be inconsistent with actual Maven 3 resolution
[INFO] xxx:jar:1.0.0-SNAPSHOT
[INFO] +- com.sun.mail:javax.mail:jar:1.5.6:runtime
[INFO] | \- (javax.activation:activation:jar:1.1:runtime - omitted for conflict with 1.1.1)
[INFO] +- org.eclipse.jgit:org.eclipse.jgit.junit:jar:4.7.0.201704051617-r:test
[INFO] | \- (org.eclipse.jgit:org.eclipse.jgit:jar:3.5.3.201412180710-r:test - version managed from 4.7.0.201704051617-r; omitted for conflict with 4.7.0.201704051617-r)
[INFO] +- org.eclipse.jgit:org.eclipse.jgit.junit.http:jar:4.7.0.201704051617-r:test
[INFO] | +- (org.eclipse.jgit:org.eclipse.jgit:jar:3.5.3.201412180710-r:test - version managed from 4.7.0.201704051617-r; omitted for conflict with 4.7.0.201704051617-r)
[INFO] | +- org.eclipse.jgit:org.eclipse.jgit.http.server:jar:4.7.0.201704051617-r:test
[INFO] | | \- (org.eclipse.jgit:org.eclipse.jgit:jar:3.5.3.201412180710-r:test - version managed from 4.7.0.201704051617-r; omitted for conflict with 4.7.0.201704051617-r)
[INFO] | +- (org.eclipse.jgit:org.eclipse.jgit.junit:jar:4.7.0.201704051617-r:test - omitted for duplicate)
[INFO] | \- org.eclipse.jetty:jetty-servlet:jar:9.4.7.v20170914:test (version managed from 9.3.17.v20170317)
[INFO] | \- (org.eclipse.jetty:jetty-security:jar:9.4.7.v20170914:test - omitted for conflict with 9.3.19.v20170502)
[INFO] +- org.eclipse.jetty:jetty-security:jar:9.3.19.v20170502:test
[INFO] | \- org.eclipse.jetty:jetty-server:jar:9.4.7.v20170914:test (version managed from 9.3.19.v20170502)
[INFO] | +- javax.servlet:javax.servlet-api:jar:3.1.0:test
[INFO] | +- org.eclipse.jetty:jetty-http:jar:9.4.7.v20170914:test
[INFO] | | +- org.eclipse.jetty:jetty-util:jar:9.4.7.v20170914:test
[INFO] | | \- (org.eclipse.jetty:jetty-io:jar:9.4.7.v20170914:test - omitted for duplicate)
[INFO] | \- org.eclipse.jetty:jetty-io:jar:9.4.7.v20170914:test
[INFO] | \- (org.eclipse.jetty:jetty-util:jar:9.4.7.v20170914:test - omitted for duplicate)
[INFO] \- org.springframework.boot:spring-boot-starter-data-ldap:jar:1.5.8.RELEASE:compile
[INFO] \- (org.slf4j:jcl-over-slf4j:jar:1.7.25:compile - scope updated from runtime; omitted for duplicate)
If you are using Eclipse with the M2 plugin, the tab "Dependency Hierarchy" on the POM will display omitted versions as well.
Use these plugins
https://maven.apache.org/plugins/maven-dependency-plugin/list-mojo.html
https://maven.apache.org/plugins/maven-help-plugin/effective-pom-mojo.html
Run command
mvn dependency:list
and
help:effective-pom
then compare two lists.
I can't start my Spring Boot application anymore after adding persistence. The error is:
java.lang.NoSuchMethodError: org.springframework.data.repository.config.AnnotationRepositoryConfigurationSource.<init>(Lorg/springframework/core/type/AnnotationMetadata;Ljava/lang/Class;Lorg/springframework/core/io/ResourceLoader;Lorg/springframework/core/env/Environment;Lorg/springframework/beans/factory/support/BeanDefinitionRegistry;)V
at org.springframework.boot.autoconfigure.data.AbstractRepositoryConfigurationSourceSupport$1.<init>(AbstractRepositoryConfigurationSourceSupport.java:68) ~[spring-boot-autoconfigure-1.5.7.RELEASE.jar:1.5.7.RELEASE]
I tracked this down to the changes in spring-data-commons where AnnotationRepositoryConfigurationSource resides and an additional constructor argument was added in version 1.13.5, and version 1.13.7 with the same constructor signature should be used by spring-boot-starter-data-jpa in version 1.5.7. And we only use Spring Boot dependencies with version number 1.5.7.
So then I built the dependency tree and strangely found spring-data-commons in version 1.13.4, not 1.13.7 (third to last line):
...(snippet)
[INFO] +- com.name.project:project-subproject8:jar:1.0.0-SNAPSHOT:compile
[INFO] | \- org.springframework.boot:spring-boot-starter-data-jpa:jar:1.5.7.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.4.RELEASE:compile
[INFO] | | +- org.apache.tomcat:tomcat-jdbc:jar:8.5.15:compile
[INFO] | | | \- org.apache.tomcat:tomcat-juli:jar:8.5.15:compile
[INFO] | | \- org.springframework:spring-jdbc:jar:4.3.9.RELEASE:compile
[INFO] | +- org.hibernate:hibernate-core:jar:5.0.12.Final:compile
[INFO] | | +- org.hibernate.javax.persistence:hibernate-jpa-2.1-api:jar:1.0.0.Final:compile
[INFO] | | +- antlr:antlr:jar:2.7.7:compile
[INFO] | | +- org.jboss:jandex:jar:2.0.0.Final:compile
[INFO] | | +- dom4j:dom4j:jar:1.6.1:compile
[INFO] | | \- org.hibernate.common:hibernate-commons-annotations:jar:5.0.1.Final:compile
[INFO] | +- org.hibernate:hibernate-entitymanager:jar:5.0.12.Final:compile
[INFO] | +- javax.transaction:javax.transaction-api:jar:1.2:compile
[INFO] | +- org.springframework.data:spring-data-jpa:jar:1.11.4.RELEASE:compile
[INFO] | | +- org.springframework.data:spring-data-commons:jar:1.13.4.RELEASE:compile
[INFO] | | \- org.springframework:spring-orm:jar:4.3.9.RELEASE:compile
[INFO] | \- org.springframework:spring-aspects:jar:4.3.9.RELEASE:compile
...
Going up the tree you can see that spring-data-jpa is included in version 1.11.4, whereas, according to Spring Boot Dependency Appendix, it should be version 1.11.7. This seems to cause the error. But we don't depend on spring-data-jpa directly via our pom files.
So I don't know how this older version got into the dependency tree.
The pom of spring-boot-starter-data-jpa doesn't indicate any version numbers.
I had the same issue, and yeah it is SOLVED now!!!
You can always exclude particular inner dependency from the outer dependency. You have already given hint to solve this issue.
The root cause is that you most likely have compiled a class against a different version of the class that is missing a method, than the one you are using when running it.
I switched to 1.5.7 version of spring boot, so i just needed to add jpa dependency compatible with spring boot 1.5.7 version. Why jpa dependency because - org.springframework.data.repository.config.AnnotationRepositoryConfigurationSource is in the spring data package. And it worked
I've an exception in my maven project:
class "javax.servlet.HttpConstraintElement"'s signer information does not match signer information of other classes in the same package
Question:
How to resolve this problem?
PS:
As I understand, I use two jars, both contains HttpConstraintElement. And those maven dependencies have two different versions. So I tried to:
$ mvn dependency:tree -Dverbose |grep servlet
[INFO] +- javax.servlet:servlet-api:jar:2.5:compile
[INFO] +- javax.servlet.jsp:jsp-api:jar:2.2:compile
[INFO] +- javax.servlet:jstl:jar:1.2:compile
[INFO] | +- org.apache.tiles:tiles-servlet-wildcard:jar:2.2.2:compile
[INFO] | | +- (org.apache.tiles:tiles-servlet:jar:2.2.2:compile - omitted for duplicate)
[INFO] | | +- (org.apache.tiles:tiles-servlet:jar:2.2.2:compile - omitted for duplicate)
[INFO] | | +- (org.apache.tiles:tiles-servlet:jar:2.2.2:compile - omitted for duplicate)
[INFO] +- org.apache.tiles:tiles-servlet:jar:2.2.2:compile
[INFO] | +- (org.apache.tiles:tiles-servlet:jar:2.2.2:compile - omitted for duplicate)
[INFO] \- org.eclipse.jetty:jetty-servlet:jar:9.0.0.M4:compile
[INFO] +- org.eclipse.jetty.orbit:javax.servlet:jar:3.0.0.v201112011016:compile
This answer worked for me, using Servlet API 3.0.
The solution was to take the explicit dependency on servlet-api, and change it from provided to compile scope.
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.0.1</version>
<scope>compile</scope>
</dependency>
Two JDKs in path or classpath can create a similar problem.