Codenarc strange dependencies - gradle

We are using codenarc plugin and gradle, and i see the strange things in dependencies:
codenarc - The CodeNarc libraries to be used for this project.
\--- org.codenarc:CodeNarc:0.25.2
+--- junit:junit:4.8.1 -> 4.12
| \--- org.hamcrest:hamcrest-core:1.3
+--- org.codehaus.groovy:groovy-xml:2.1.8 -> 2.6.0-alpha-1
| \--- org.codehaus.groovy:groovy:2.6.0-alpha-1
+--- org.codehaus.groovy:groovy:2.1.8 -> 2.6.0-alpha-1
+--- org.codehaus.groovy:groovy-ant:2.1.8 -> 2.6.0-alpha-1
| +--- org.codehaus.groovy:groovy:2.6.0-alpha-1
| +--- org.codehaus.groovy:groovy-groovydoc:2.6.0-alpha-1 -> 2.4.9
| | +--- org.codehaus.groovy:groovy-templates:2.4.9
| | | +--- org.codehaus.groovy:groovy:2.4.9 -> 2.6.0-alpha-1
| | | \--- org.codehaus.groovy:groovy-xml:2.4.9 -> 2.6.0-alpha-1 (*)
| | \--- org.codehaus.groovy:groovy:2.4.9 -> 2.6.0-alpha-1
| +--- org.apache.ant:ant-junit:1.9.9
| \--- org.apache.ant:ant-antlr:1.9.9
\--- org.gmetrics:GMetrics:0.7
+--- org.codehaus.groovy:groovy:[2.1.0,) -> 2.6.0-alpha-1
+--- org.codehaus.groovy:groovy-xml:[2.1.0,) -> 2.6.0-alpha-1 (*)
\--- org.codehaus.groovy:groovy-ant:[2.1.0,) -> 2.6.0-alpha-1 (*)
Version of codenark is 0.25.2 and in pom it depends on groovy 2.1.8, but wtf - why it links to 2.6.0-alpha-1? How i can tell for codenark to use version of Groovy 2.1.8?
Thanks for help.

As you can see in your output the culprit is GMetrics.
CodeNarc 0.25.2 depends on GMetrics 0.7 which in turn depends on Groovy 2.1.0 or newer which resolves to the newest available version 2.6.0-alpha-1.
Default version conflict resolution strategy is to use the newest version on conflict, which then is the 2.6.0-alpha-1.
It is an error (in my opinion) for a lib to publish with a dynamic range.
GMetrics obviously also have seen this as error and fixed this dependency in 1.0 where they depend on a specific Groovy version instead.
CodeNarc 1.0 in turn depends on GMetrics 1.0.
So the easiest you could do if feasible, is to depend on CodeNarc 1.0 and your problem will be gone.
Alternatively you can also declare the Groovy version to be used in your own dependencies with force true which will force the version you define.
Alternatively you can configure the dependency resolution to influence the version selected.

Related

How to resolve JAXB classpath issues on Java 12

Im porting application using JAXB to JDK 11/12 but am completely lost when trying to fix those JAXB classpath issues. I have googled and read basically everything related to this so Im aware of the changes made in Java11, i.e. removal of JAXB from JDK ... However in that case I would assume a trivial fix consisting of adding api and impl JARs on classpath. But this is not working and despite I have those JARs on classpath Im still getting the known exception, despite using 2.3.2 JAXB:
javax.xml.bind.JAXBException
- with linked exception:
[java.lang.ClassNotFoundException: com.sun.xml.internal.bind.v2.ContextFactory]
even if I see the class is in different package and I instruct to use correct package via system variable it does not work either:
gradle -Djavax.xml.bind.context.factory=com.sun.xml.bind.v2.ContextFactory build
javax.xml.bind.JAXBException
- with linked exception:
[java.lang.ClassNotFoundException: com.sun.xml.bind.v2.ContextFactory]
Does anyone have clue how to resolve this? I dont want to play with manifest files etc. It should be possible to just place the right JARs on classpath and that is it, or not?
Summary here but unable to get it working:
http://www.descher.at/descher-vu/2019/01/java-11-jaxb-and-osgi/
Update, dependencies used in Gradle:
- jaxb-xjc has jaxb-runtime (impl.) as transitive dependency. I see it is picked by Gradle but still the same error.
classpath "com.sun.activation:javax.activation:1.2.0"
classpath "jakarta.xml.bind:jakarta.xml.bind-api:2.3.2"
classpath "org.glassfish.jaxb:jaxb-xjc:2.3.2"
classpath"org.glassfish.jaxb:jaxb-core:2.3.0.1"
[org.gradle.internal.operations.DefaultBuildOperationExecutor] Build operation 'Resolve jaxb-runtime.jar (org.glassfish.jaxb:jaxb-runtime:2.3.2)' completed
[org.gradle.internal.component.model.ComponentAttributeMatcher] Selected match org.glassfish.jaxb:jaxb-runtime:2.3.2 configuration runtime from candidates [org.glassfish.jaxb:jaxb-runtime:2.3.2 configuration runtime] for {org.gradle.dependency.bundling=external, org.gradle.jvm.version=12, org.gradle.usage=java-runtime}
This is output of "gradle dependencies" and all the JAXB jars are there, still classpath error is being thrown. The JAR file jaxb-runtime from Glassfish for sure has this ContextFactory class.
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-starter-log4j2 -> 2.1.0.RELEASE
| +--- org.apache.logging.log4j:log4j-slf4j-impl:2.11.1
| | +--- org.slf4j:slf4j-api:1.7.25
| | +--- org.apache.logging.log4j:log4j-api:2.11.1
| | \--- org.apache.logging.log4j:log4j-core:2.11.1
| | \--- org.apache.logging.log4j:log4j-api:2.11.1
| +--- org.apache.logging.log4j:log4j-core:2.11.1 (*)
| +--- org.apache.logging.log4j:log4j-jul:2.11.1
| | \--- org.apache.logging.log4j:log4j-api:2.11.1
| \--- org.slf4j:jul-to-slf4j:1.7.25
| \--- org.slf4j:slf4j-api:1.7.25
+--- org.projectlombok:lombok -> 1.18.2
+--- org.apache.commons:commons-lang3 -> 3.8.1
+--- org.apache.commons:commons-collections4 -> 4.4
+--- com.google.guava:guava -> 23.0
| +--- com.google.code.findbugs:jsr305:1.3.9
| +--- com.google.errorprone:error_prone_annotations:2.0.18
| +--- com.google.j2objc:j2objc-annotations:1.1
| \--- org.codehaus.mojo:animal-sniffer-annotations:1.14
+--- org.apache.ws.xmlschema:xmlschema-core -> 2.0.1
+--- org.glassfish.jaxb:jaxb-runtime:2.3.2
| +--- jakarta.xml.bind:jakarta.xml.bind-api:2.3.2
| | \--- jakarta.activation:jakarta.activation-api:1.2.1
| +--- org.glassfish.jaxb:txw2:2.3.2
| +--- com.sun.istack:istack-commons-runtime:3.0.8
| | \--- jakarta.activation:jakarta.activation-api:1.2.1
| +--- org.jvnet.staxex:stax-ex:1.8.1
| | +--- jakarta.activation:jakarta.activation-api:1.2.1
| | \--- jakarta.xml.bind:jakarta.xml.bind-api:2.3.2 (*)
| +--- com.sun.xml.fastinfoset:FastInfoset:1.2.16
| \--- jakarta.activation:jakarta.activation-api:1.2.1
\--- org.glassfish.jaxb:jaxb-core:2.3.0.1
+--- javax.xml.bind:jaxb-api:2.3.0 -> 2.3.1
| \--- javax.activation:javax.activation-api:1.2.0
+--- org.glassfish.jaxb:txw2:2.3.0.1 -> 2.3.2
\--- com.sun.istack:istack-commons-runtime:3.0.5 -> 3.0.8 (*)
From some reason I had no luck with Glassfish JARs, but those original Sun/Oracle dependencies worked.

gradle searching jar in artifactory without version

My Gradle build has below dependency
| | +--- org.spire-math:spire_2.10:0.7.4
| | | +--- org.scala-lang:scala-library:2.10.2 -> 2.10.5
| | | +--- org.spire-math:spire-macros_2.10:0.7.4
| | | | +--- org.scala-lang:scala-library:2.10.2 -> 2.10.5
| | | | \--- org.scala-lang:scala-reflect:2.10.2 -> 2.10.5 (*)
| | | \--- org.scala-lang:scala-reflect:2.10.2 -> 2.10.5 (*)
| | \--- org.slf4j:slf4j-api:1.7.5 -> 1.7.10
I get the following error on running the build
* What went wrong:
Could not resolve all dependencies for configuration ':myProject
:compileClasspath'.
> Could not find scala-reflect.jar (org.scala-lang:scala-reflect:2.10.5).
Searched in the following locations:
http://company_intranet:port/artifactory/vr-trunk/org/scala-lang/scala-reflect/2.10.5/scala-reflect-2.10.5.jar
I am not sure why the jar is searched without the version
Could not find scala-reflect.jar
I see that the version number is not appended to the jar
The jar with the right version is available in the artifactory
The cache in my local machine was causing this error.
Once i used gradlew clean build -x test --refresh-dependencies , it worked

Gradle dependency gets excluded from EAR

I have a gradle project with several subprojects. and I have defined several dependencies in library with version numbers and aliases in the root project. Now whenever subproject needs it it can define that alias with what level it wants e.g. compile.
root
- build.gradle
- libraries
- xercesImpl: 'xerces:xercesImpl:2.8.1',
- xalan: 'xalan:xalan:2.7.1',
\ project1 : ear
- build.gradle
- ear project('project2')
\ project2 : jar
- build.gradle
- compile libraries.xercesImpl
- compile libraries.xalan
Since I have defined xercesImpl and xalan as dependencies of project1 and project1 is included in project2 ear those jars should be added to EAR, but it's getting excluded from EAR. I checked and transitive dependencies is not declared anywhere as false.
I have printed dependency tree with gradlew and it prints only above 2 jars as excluded others are included:
+--- org.hibernate:hibernate:3.1.3
| +--- commons-logging:commons-logging:1.0.4 -> 1.1
| | +--- log4j:log4j:1.2.12
| | +--- logkit:logkit:1.0.1
| | +--- avalon-framework:avalon-framework:4.1.3
| | \--- javax.servlet:servlet-api:2.3
| +--- ehcache:ehcache:1.1
| | \--- commons-logging:commons-logging:1.0.4 -> 1.1 (*)
| +--- cglib:cglib:2.1_3
| | \--- asm:asm:1.5.3
| +--- asm:asm:1.5.3
| +--- asm:asm-attrs:1.5.3
| +--- commons-collections:commons-collections:2.1.1 -> 3.1
| +--- dom4j:dom4j:1.6.1
| +--- javax.transaction:jta:1.0.1B
| \--- antlr:antlr:2.7.6rc1 -> 2.7.6
+--- net.sf.ehcache:ehcache:2.9.0
| \--- org.slf4j:slf4j-api:1.7.7
+--- xerces:xercesImpl:2.8.1 (*)
+--- xalan:xalan:2.7.1 (*)

How to understand `org.ow2.asm:asm-tree:4.0 -> 5.0.3 (*)` in `gradle dependencies`?

When I run gradle dependencies on a project, it shows the dependency tree, and some of them are looking like:
+--- org.ow2.asm:asm:5.0.3
+--- com.jayway.restassured:rest-assured:1.8.1
| +--- org.codehaus.groovy:groovy:2.1.2
| | +--- antlr:antlr:2.7.7
| | +--- org.ow2.asm:asm-tree:4.0 -> 5.0.3 (*)
| | +--- org.ow2.asm:asm-commons:4.0 -> 5.0.3 (*)
| | +--- org.ow2.asm:asm:4.0 -> 5.0.3
For the last 3 lines, each line has two versions, 4.0 and 5.0.3.
What information can I get from this line? Does it mean the rest-assured 1.8.1 was relied on 4.0, but now it found a new version 5.0.3 existed, so it just use the new version?
Is it safe to use it this way? Is it better to upgrade the rest-assured to a new version which replied on ASM 5.0.3?
tl;dr
Have a look at this answer.
explanation
It means that among dependencies there are conflicted - with same group and artifactId. They are often transitively downloaded with dependencies specified. Gradle tries to resolve it automatically - by picking the latest version (signed with ->). Conflicting dependencies can be excluded.

Finding unwanted code dependencies on transitive dependencies

I want to find all my Java code dependencies on libraries that I have not included as top level dependencies in Gradle.
My first though as to how to accomplish this is to turn off all transitive dependencies in Gradle and see what compilation errors I get.
From my research the way to do this seems to be:
configurations.all { transitive = false }
Is there a better way, or does this do it?
I'm not sure I understand the question, but the command line "gradle dependencies" might help.
For example, consider this (from this modest project):
dependencies {
groovy 'org.codehaus.groovy:groovy-all:1.6.4'
groovy 'com.google.guava:guava-collections:r03'
releaseJars 'org.codehaus.groovy:groovy-all:1.6.4'
releaseJars 'com.google.guava:guava-collections:r03'
}
Using gradle dependencies gives output such as:
compile - Classpath for compiling the main sources.
+--- org.codehaus.groovy:groovy-all:1.6.4
| +--- junit:junit:3.8.2
| +--- org.apache.ant:ant:1.7.1
| | \--- org.apache.ant:ant-launcher:1.7.1
| +--- org.apache.ant:ant-launcher:1.7.1
| \--- jline:jline:0.9.94
| \--- junit:junit:3.8.1 -> 3.8.2
\--- com.google.guava:guava-collections:r03
+--- com.google.guava:guava-annotations:r03
\--- com.google.guava:guava-primitives:r03
....

Resources