I lately had some issues with some Maven dependencies and came across the error: "Failed to read artifact descriptor ...".
My question is not really about the error but more about the artifact descriptor itself. I would like to know what the actual problem is or what's creating the problem and I did not really find an explanation for what artifact descriptors are, so I wondered if someone could help me.
In other words, it's the POM. The POM is the Maven specific file that describes an artifact.
Maven 3.3.9 uses Eclipse Aether behind the scenes (which has been incorporated into Maven 3.5.0 itself as part of the Maven Resolver API), and it provides the class ArtifactDescriptorReader, explaining:
Provides information about an artifact that is relevant to transitive dependency resolution. Each artifact is expected to have an accompanying artifact descriptor that among others lists the direct dependencies of the artifact.
The Javadoc of its sole readArtifactDescriptor method is:
Gets information about an artifact like its direct dependencies and potential relocations.
So when you have an error that goes like "Failed to read artifact descriptor...", it means that the POM could not be read, or could not be resolved. Typically, it follows from network issues where the downloaded POM was corrupted, where Internet access is proxied and Maven isn't rightly configured, etc.
Related
When we use scope tag while providing dependencies in POM file of Maven, we can give several valid values (compile, run, provided etc..). I understand that tag is applicable for only transitive dependencies (i.: list of JARs required by direct dependencies that we give in POM).
When we give the scope as provided, will the dependency not be downloaded from Maven central repository ? Can someone please confirm.
Thanks!
Dependencies with scope provided are meant to be provided by the container in which the application runs (e.g. provided by jboss).
This means that they are downloaded by Maven, put on the compile and test classpath, but not included into the final WAR or EAR you are building.
Is there a way in Gradle to explicitly define where certain artifacts should be coming from?
We have a legacy project which is being on-boarded to use a proper artifact repository manager, instead of a network share. However, we have multiple repositories from which artifacts are being downloaded. We'd like to be able to fine-grain where certain artifacts should be coming from, until we can fully on-board to the artifact repository manager in question.
Is something like this possible?
Yes that is possible as of Gradle 5.1
https://docs.gradle.org/5.1/release-notes.html#repository-to-dependency-matching
Repository to dependency matching
It is now possible to match repositories to dependencies, so that Gradle doesn't search for a dependency in a repository if it's never going to be found there.
See the docs for more details: https://docs.gradle.org/5.6.2/userguide/declaring_repositories.html#sec::matching_repositories_to_dependencies
My team is migrating our code to an Azure environment and Microsoft's own article on the subject describes how to use Maven in an Azure environment:
https://learn.microsoft.com/en-us/azure/devops/java/labs/mavenpmvsts/?view=vsts
One of Maven's best practices is to avoid defining repository elements within the pom file and use a repository manager configured within the settings.xml instead.
The Microsoft article instructs otherwise: they say to add the repository url right in the pom file.
I would have been okay with it if the repository element was defined only in the distributionManagement section, but that is not the case. The article defines the url in a repositories element outside of the distribution context.
My understanding of the repository element of the pom.xml file is that it overrides the source of artifacts used for fetching dependencies. The problem I see defining this in the pom file is that it could have adverse effects depending how the library is being reused.
Use case example:
1) Shared library is created with repository url defined in pom
2) Shared library is deployed. POM file containing url and JAR file are published.
3) Artifact repository is moved, renamed or copied, url is changed.
4) Later on, a new application using that shared library is created, but uses the new repository url. The URL in the application pom is now different from the one in the shared library's previously published pom.
Because Maven uses a dependency graph and inheritance, what I would expect to happen is that when we build the new application:
1) maven will read the application pom file and begin exploring the dependency graph by downloading pom files for each of the application's dependencies from the URL found in the application's pom. In this case, the only download is the shared library's pom.
2) maven will explore transitive dependencies and read the shared library's pom. Reading the shared library's pom, the repository section will take precedence over the application's pom in the context of the shared library's dependencies. The shared library's dependencies poms would be downloaded from the old URL.
3) maven will continue like that and download all the pom files until the dependency tree has been built.
4) depending on project configuration, maven will go through the graph it built to download the jars and etc using the same rules.
In this use case, maven would download artifacts from both the old source and the new source. If the old source no longer exists or isn't accessible in this build context, the project cannot be built. This is why it's best to avoid setting repository urls in a pom file.
Or so I thought.
I wrote a scripted demo with local repositories to show my team exactly what would happen and to my surprise, even though Maven does download the shared library's pom file containing a different repository url, the repository tag does not seem to be overriding the one from the application being built. Logs show all artifacts being downloaded from the source specified in the "top" application pom.
So my question to Stack Overflow is two fold:
1) Why am I wrong? Did I misunderstand Maven's inheritance, dependency graph building and behavior?
2) Shouldn't Maven download the shared library's dependencies from the url specified in the repository tag, if specified? I'm sure there are some cases where the artifacts must come from a private repo. (ex: org.geotools)
3) Does anyone have experience setting up Maven on Azure? Did you follow Microsoft's guide or found a way to move repository urls to your settings.xml in an Azure environment?
Our builds generate a lot of errors like:
Unable to determine if resource XXXX exists in http://download.java.net/maven/2
I know this repository is gone, but I cannot locate the reference to it. If I look at the effective POM using Eclipse, the only repositories other than our internal one are:
http://repo1.maven.org/maven2
http://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/wasdev/maven/repository
and the pluginRepository is
https://repo.maven.apache.org/maven2
The errors does break anything, but it would be nice for them to go away. Any ideas on what might be referencing this java.net URL? Perhaps some Maven plugin?
Has Maven some security parameter to limit the number or depth of dependencies downloaded to the local repository when building a pom?
Imagine an artifacts repository hacked in a way that, for every artifact dummy-1.0 requested, it serves dinamically a dummy-1.0 which has a dependency on dummy-1.1, and so on.
Has Maven some security mechanism to avoid such an infinite loop?
(I haven't found it explicitly on Maven's documentation nor googling it).