I have trouble understanding the behaviour of the dependency:tree output. When running the plugin on a higher module, I am missing vital information from modules it depends on. But when I run the plugin on the lower module I can see the dependencies. Here is an example to show the problem (names changed):
mvn -pl foo:bar-application dependency:tree -Dincludes=foo:*
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building bar-application 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:tree (default-cli) # bar-application ---
[INFO] foo:bar-application:ear:0.0.1-SNAPSHOT
[INFO] +- foo:bar-business:ejb:0.0.1-SNAPSHOT:compile
[INFO] | +- foo:common-util:jar:0.0.1-SNAPSHOT:compile
...
[INFO] +- foo:bar-web:war:0.0.1-SNAPSHOT:compile
[INFO] \- foo:common-logging:jar:0.0.1-SNAPSHOT:compile
[INFO] ------------------------------------------------------------------------
The tree shows a dependency on bar-web, but only one further dependency from bar-web to other projects (common-logging).
But bar-web has far more dependencies:
mvn -pl foo:bar-web dependency:tree -Dincludes=foo:*
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building bar-web 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:tree (default-cli) # bar-web ---
[INFO] foo:bar-web:war:0.0.1-SNAPSHOT
[INFO] +- foo:common-logging:jar:0.0.1-SNAPSHOT:compile
[INFO] +- foo:culprit-business-client:jar:0.0.1-SNAPSHOT:compile
...
[INFO] +- foo:common-rest:jar:0.0.1-SNAPSHOT:compile
[INFO] | \- foo:config-business-client:jar:0.0.1-SNAPSHOT:compile
[INFO] \- foo:bar-business:jar:0.0.1-SNAPSHOT:provided
[INFO] \- foo:some-client:jar:0.0.1-SNAPSHOT:provided
[INFO] ------------------------------------------------------------------------
Why are the other dependencies not shown when inspecting bar-application? It took me a while of searching to find the culprit.
I am using
mvn --version
Apache Maven 3.0.5
mvn dependency:tree
shows you the effective dependencies, as in where your actual dependencies come from.
mvn dependency:tree -Dverbose
will show you all transitive dependencies, including the reason why they are excluded.
A WAR includes its dependencies inside the archive, that's why Maven does not propagate them transitively to other artifacts depending on the WAR artifact.
In a recent security alert, referenced here, I see there might be security concerns with Vaadin 7 because of a jsoup vulnerability. Because of other factors, I cannot upgrade. So I thought about just including the jsoup directly in my project. So before it was included indirectly via vaadin-server, now it is included directly, and the version vaadin-server references is "omitted for conflict with 1.14.2". Is this a safe way to address this security concern?
I am using Vaadin 7.7.17 and maven.
I ask largely because Vaadin did not offer this as a possible solution, so I assumed it would fail. But since maven is showing no error, I am worried I am missing something that will only show up in some strange runtime behavior.
Here is the dependency tree built via mvn dependency:tree. First of all, the original version, stripped down:
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------------< com.mobiwms:vaadinwebsite >----------------------
[INFO] Building vaadinwebsite 4.0.31
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # vaadinwebsite ---
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] | +- com.vaadin:vaadin-sass-compiler:jar:0.9.13:compile
[INFO] | | +- org.w3c.css:sac:jar:1.3:compile
[INFO] | | \- com.vaadin.external.flute:flute:jar:1.3.0.gg2:compile
[INFO] | +- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] | \- org.jsoup:jsoup:jar:1.8.3:compile
[INFO] +- com.vaadin:vaadin-push:jar:7.7.17:compile
[INFO] | \- com.vaadin.external.atmosphere:atmosphere-runtime:jar:2.2.13.vaadin1:compile
[INFO] | \- com.vaadin.external.slf4j:vaadin-slf4j-jdk14:jar:1.6.1:compile
[INFO] +- com.vaadin:vaadin-client:jar:7.7.17:provided
... // Stripped out unrelated portions of hierarchy.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.758 s
[INFO] Finished at: 2021-10-27T18:59:19-04:00
[INFO] ------------------------------------------------------------------------
And now the new version, stripped down:
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------------< com.mobiwms:vaadinwebsite >----------------------
[INFO] Building vaadinwebsite 4.0.31
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # vaadinwebsite ---
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] | +- com.vaadin:vaadin-sass-compiler:jar:0.9.13:compile
[INFO] | | +- org.w3c.css:sac:jar:1.3:compile
[INFO] | | \- com.vaadin.external.flute:flute:jar:1.3.0.gg2:compile
[INFO] | \- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] +- com.vaadin:vaadin-push:jar:7.7.17:compile
[INFO] | \- com.vaadin.external.atmosphere:atmosphere-runtime:jar:2.2.13.vaadin1:compile
[INFO] | \- com.vaadin.external.slf4j:vaadin-slf4j-jdk14:jar:1.6.1:compile
[INFO] +- com.vaadin:vaadin-client:jar:7.7.17:provided
... // Stripped out unrelated portions of hierarchy.
[INFO] \- org.jsoup:jsoup:jar:1.14.2:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.285 s
[INFO] Finished at: 2021-10-27T18:56:01-04:00
[INFO] ------------------------------------------------------------------------
Just noting here: there is no actual problem in Vaadin 7 itself that would be impacted due to the potential Jsoup vulnerability in question. The dependency was updated to a newer version more for the purpose of forcing application developers to use the newer version. The newer version of Jsoup had some API changes that needed small code changes in Vaadin 7. If your application is not using Jsoup in a way that exposes the vulnerability, then the upgrade is not absolutely mandatory. Also, a reminder that Vaadin 7 versions newer than 7.7.17 require a commercial license for extended support.
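To confirm that the pinned jsoup is the only version Maven resolves, the dependency:tree output can be checked mechanically. The following is an added example, not code from the posts above; the function names, the sample tree (constructed, in -Dverbose form) and the simplified version ordering are assumptions.

```python
import re

# Constructed sample modelled on the question's second tree, in -Dverbose form so
# the losing jsoup 1.8.3 appears as an "omitted for conflict" node.
SAMPLE_TREE = r"""[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] |  +- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] |  \- (org.jsoup:jsoup:jar:1.8.3:compile - omitted for conflict with 1.14.2)
[INFO] \- org.jsoup:jsoup:jar:1.14.2:compile
"""

# "[INFO]", optional "|" guides, a "+-" or "\-" branch, optional "(" for omitted
# nodes, then the token group:artifact:type[:classifier]:version:scope.
NODE = re.compile(r"^\[INFO\]\s[|\s]*[+\\]-\s+(\(?)([^\s()]+)")


def parse_tree(text):
    """Split tree nodes into (resolved, omitted) lists of dicts."""
    resolved, omitted = [], []
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # banners, the root artifact, "..." elisions
        parts = m.group(2).split(":")
        if len(parts) not in (5, 6):
            continue
        node = {"ga": f"{parts[0]}:{parts[1]}", "version": parts[-2], "scope": parts[-1]}
        (omitted if m.group(1) else resolved).append(node)
    return resolved, omitted


def version_key(version):
    """Numeric tuple for plain dotted versions; a simplification of Maven's ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def check_minimum(text, ga, minimum):
    """Report which versions of `ga` are resolved and whether all meet `minimum`."""
    resolved, omitted = parse_tree(text)
    hits = [n for n in resolved if n["ga"] == ga]
    floor = version_key(minimum)
    return {
        "resolved": sorted({n["version"] for n in hits}),
        "omitted": sorted({n["version"] for n in omitted if n["ga"] == ga}),
        "ok": bool(hits) and all(version_key(n["version"]) >= floor for n in hits),
    }


if __name__ == "__main__":
    print(check_minimum(SAMPLE_TREE, "org.jsoup:jsoup", "1.14.2"))
```

The tree reflects what Maven resolves; listing the jar names under WEB-INF/lib of the built WAR confirms what is actually shipped.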
I am having a nested multi module maven project as below.
The parent pom specifies the profiles to build various components.
Now I need to get the list of all dependencies of all components, which I believe I can get from the dependency tree of the Eclipse IDE. But it is not getting displayed. Is there any other way to get the list, or am I trying the wrong thing?
Use the maven dependency plugin along with a profile in the normal way.
mvn dependency:tree -Pjava8
[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO]
[INFO] parent [pom]
[INFO] project-mod-1 [pom]
[INFO] java8 [jar]
[INFO] java7 [jar]
[INFO]
[INFO] --------------------------< com.greg:parent >---------------------------
[INFO] Building parent 1.0-SNAPSHOT [1/4]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # parent ---
[INFO] com.greg:parent:pom:1.0-SNAPSHOT
[INFO]
[INFO] -----------------------< com.greg:project-mod-1 >-----------------------
[INFO] Building project-mod-1 1.0-SNAPSHOT [2/4]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # project-mod-1 ---
[INFO] com.greg:project-mod-1:pom:1.0-SNAPSHOT
[INFO]
[INFO] ---------------------------< com.greg:java8 >---------------------------
[INFO] Building java8 1.0-SNAPSHOT [3/4]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # java8 ---
[INFO] com.greg:java8:jar:1.0-SNAPSHOT
[INFO] \- junit:junit:jar:4.11:test
[INFO] \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO]
[INFO] ---------------------------< com.greg:java7 >---------------------------
[INFO] Building java7 1.0-SNAPSHOT [4/4]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # java7 ---
[INFO] com.greg:java7:jar:1.0-SNAPSHOT
[INFO] \- junit:junit:jar:4.11:test
[INFO] \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for parent 1.0-SNAPSHOT:
[INFO]
[INFO] parent ............................................. SUCCESS [ 2.262 s]
[INFO] project-mod-1 ...................................... SUCCESS [ 0.015 s]
[INFO] java8 .............................................. SUCCESS [ 0.111 s]
[INFO] java7 .............................................. SUCCESS [ 0.250 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.169 s
[INFO] Finished at: 2019-03-20T08:18:24Z
[INFO] ------------------------------------------------------------------------
When I run dependency:tree on my pom.xml I get the following output:
...
[INFO] --- maven-dependency-plugin:2.1:tree (default-cli) # com.test.client ---
[INFO] assemblies:com.test.client:jar:1.0.0-SNAPSHOT
[INFO] +- foundation:com.test.core:jar:1.0.0:compile
[INFO] | \- junit:junit:jar:4.11:compile
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] \- assemblies:com.test.security:jar:1.0.0-SNAPSHOT:compile
...
When I run dependency:resolve on the same pom I get:
...
[INFO] The following files have been resolved:
[INFO] assemblies:com.test.security:jar:1.0.0-SNAPSHOT:compile
[INFO] foundation:com.test.core:jar:1.0.1-SNAPSHOT:compile
[INFO] junit:junit:jar:4.11:compile
[INFO] org.hamcrest:hamcrest-core:jar:1.3:compile
...
Why is the version of com.test.core different between :resolve and :tree?
This seems to be a bug in Maven 3.0.4. I updated to version 3.2.1 and now dependency:tree and :resolve are resolving the same dependencies.
UPDATE: This issue seems to have resolved itself. I could still produce it on a copy of the source code, but it was a temporary copy that I deleted before realizing I would need it to pin this issue down. I'm continuing to track this and see if I can identify a root cause. If not, I will close the issue.
When I run mvn dependency:list -DoutputFile=/path/to/file.txt -DappendOutput=true from the root directory of a multi-module Maven project, the resultant output file only contains the dependencies of the last module declared in the modules section of the root pom.xml file. Is there something different I need to do to get the output of each submodule to append to the output file?
Configuration:
Maven 3.0.3
maven-dependency-plugin 2.6
When I'm using the following command: -
mvn dependency:list -DoutputFile=/path/to/file.txt -DappendOutput=true
The result is invalid, and Maven told me that
[INFO] --- maven-dependency-plugin:2.1:list (default-cli) # ...
Then I change to specify the version
mvn org.apache.maven.plugins:maven-dependency-plugin:2.6:list -DoutputFile=/path/to/file.txt -DappendOutput=true
The result is valid, and Maven told me that
[INFO] --- maven-dependency-plugin:2.6:list (default-cli) # ...
I would suggest you ensure that the version being executed is 2.6. Anyhow, I always use the following command:
mvn dependency:list > /path/to/file.txt
IMHO the result is better and more clear for each module as the following example: -
[INFO] Scanning for projects...
[INFO] -------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO]
[INFO] my-parent
[INFO] my-sub1
[INFO] my-sub2
[INFO]
[INFO] -------------------------------------------------------------------
[INFO] Building my-parent
[INFO] -------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:list (default-cli) # my-parent ---
[INFO]
[INFO] The following files have been resolved:
...
[INFO] -------------------------------------------------------------------
[INFO] Building my-sub1
[INFO] -------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:list (default-cli) # my-sub1 ---
[INFO]
[INFO] The following files have been resolved:
...
[INFO] -------------------------------------------------------------------
[INFO] Building my-sub2
[INFO] -------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:list (default-cli) # my-sub2 ---
[INFO]
[INFO] The following files have been resolved:
...
[INFO]
[INFO] -------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] my-parent ........................................ SUCCESS [0.745s]
[INFO] my-sub1 .......................................... SUCCESS [0.675s]
[INFO] my-sub2 .......................................... SUCCESS [0.671s]
[INFO] -------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] -------------------------------------------------------------------
[INFO] Total time: 2.938s
[INFO] Finished at: Fri Mar 01 17:01:39 ICT 2013
[INFO] Final Memory: 17M/218M
[INFO] -------------------------------------------------------------------
I hope this may help.
Regards,
Charlee Ch.
I'm suffering an issue similar to Maven 2 - different dependency versions in test and compile but the specified answer there does not work.
In my project I need to depend on a Cloudera distribution of Hadoop and a 'vanilla' version for JUnit testing, as the former only works on *nix.
When I try and execute my application, I get Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/hadoop/conf/Configuration. When I run JUnit tests from Maven or Eclipse, everything works fine. If I comment out the test dependencies, the application runs successfully.
Why is the compile dependency getting ignored when the test dependency is uncommented?
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-core</artifactId>
<version>0.20.2-cdh3u2</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-core</artifactId>
<version>1.0.0</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-test</artifactId>
<version>1.0.0</version>
<scope>test</scope>
</dependency>
mvn dependency:list is shown below. The compile scoped version does not show up at all:
[INFO] The following files have been resolved:
[INFO] ant:ant:jar:1.6.5:test
[INFO] aopalliance:aopalliance:jar:1.0:compile
[INFO] asm:asm:jar:3.3.1:compile
[INFO] cglib:cglib:jar:2.2.2:compile
[INFO] ch.qos.logback:logback-classic:jar:1.0.0:compile
[INFO] ch.qos.logback:logback-core:jar:1.0.0:compile
[INFO] com.google.guava:guava:jar:r08:compile
[INFO] com.h2database:h2:jar:1.3.164:test
[INFO] com.jolbox:bonecp:jar:0.7.1.RELEASE:compile
[INFO] com.sun.jersey:jersey-core:jar:1.11:test
[INFO] commons-beanutils:commons-beanutils:jar:1.7.0:test
[INFO] commons-beanutils:commons-beanutils-core:jar:1.8.0:test
[INFO] commons-cli:commons-cli:jar:1.2:test
[INFO] commons-codec:commons-codec:jar:1.4:test
[INFO] commons-collections:commons-collections:jar:3.2.1:test
[INFO] commons-configuration:commons-configuration:jar:1.6:test
[INFO] commons-digester:commons-digester:jar:1.8:test
[INFO] commons-el:commons-el:jar:1.0:test
[INFO] commons-httpclient:commons-httpclient:jar:3.0.1:test
[INFO] commons-lang:commons-lang:jar:2.4:test
[INFO] commons-logging:commons-logging:jar:1.1.1:compile
[INFO] commons-net:commons-net:jar:1.4.1:test
[INFO] hsqldb:hsqldb:jar:1.8.0.10:test
[INFO] junit:junit:jar:4.10:test
[INFO] mysql:mysql-connector-java:jar:5.1.18:compile
[INFO] net.java.dev.jets3t:jets3t:jar:0.7.1:test
[INFO] net.sf.kosmosfs:kfs:jar:0.3:test
[INFO] org.apache.commons:commons-math:jar:2.1:test
[INFO] org.apache.ftpserver:ftplet-api:jar:1.0.0:test
[INFO] org.apache.ftpserver:ftpserver-core:jar:1.0.0:test
[INFO] org.apache.ftpserver:ftpserver-deprecated:jar:1.0.0-M2:test
[INFO] org.apache.hadoop:hadoop-core:jar:1.0.0:test
[INFO] org.apache.hadoop:hadoop-test:jar:1.0.0:test
[INFO] org.apache.mina:mina-core:jar:2.0.0-M5:test
[INFO] org.codehaus.jackson:jackson-core-asl:jar:1.0.1:test
[INFO] org.codehaus.jackson:jackson-mapper-asl:jar:1.0.1:test
[INFO] org.eclipse.jdt:core:jar:3.1.1:test
[INFO] org.hamcrest:hamcrest-core:jar:1.1:test
[INFO] org.liquibase:liquibase-core:jar:2.0.3:test
[INFO] org.liquibase.ext:liquibase-slf4j:jar:0.0.1:test
[INFO] org.mortbay.jetty:jetty:jar:6.1.26:test
[INFO] org.mortbay.jetty:jetty-util:jar:6.1.26:test
[INFO] org.mortbay.jetty:jsp-2.1:jar:6.1.14:test
[INFO] org.mortbay.jetty:jsp-api-2.1:jar:6.1.14:test
[INFO] org.mortbay.jetty:servlet-api:jar:2.5-20081211:test
[INFO] org.mortbay.jetty:servlet-api-2.5:jar:6.1.14:test
[INFO] org.slf4j:jcl-over-slf4j:jar:1.6.4:compile
[INFO] org.slf4j:log4j-over-slf4j:jar:1.6.4:compile
[INFO] org.slf4j:slf4j-api:jar:1.6.4:compile
[INFO] org.springframework:spring-aop:jar:3.1.1.RELEASE:compile
[INFO] org.springframework:spring-asm:jar:3.1.1.RELEASE:compile
[INFO] org.springframework:spring-beans:jar:3.1.1.RELEASE:compile
[INFO] org.springframework:spring-context:jar:3.1.1.RELEASE:compile
[INFO] org.springframework:spring-context-support:jar:3.1.1.RELEASE:compile
[INFO] org.springframework:spring-core:jar:3.1.1.RELEASE:compile
[INFO] org.springframework:spring-expression:jar:3.1.1.RELEASE:compile
[INFO] org.springframework:spring-jdbc:jar:3.1.1.RELEASE:compile
[INFO] org.springframework:spring-test:jar:3.1.1.RELEASE:test
[INFO] org.springframework:spring-tx:jar:3.1.1.RELEASE:compile
[INFO] org.springframework.data:spring-data-hadoop:jar:1.0.0.BUILD-SNAPSHOT:compile
[INFO] oro:oro:jar:2.0.8:test
[INFO] tomcat:jasper-compiler:jar:5.5.12:test
[INFO] tomcat:jasper-runtime:jar:5.5.12:test
[INFO] xmlenc:xmlenc:jar:0.52:test
What you desire, is no longer valid for Maven 3 (this used to be valid for Maven 2). Maven 3 will attempt to obtain the nearest dependency, effectively ensuring that only one of the compile or test scoped dependency is used for both the compile and test phases.
In your case org.apache.hadoop:hadoop-core:1.0.0:test overrides org.apache.hadoop:hadoop-core:0.20.2-cdh3u2:compile and hence becomes the nearest dependency. You may see the following warning displayed by Maven when running the mvn dependency:list goal, that alludes to this being a problem in your project model:
[WARNING] 'dependencies.dependency.(groupId:artifactId:type:classifier)' must be
unique: org.apache.hadoop:hadoop-core:jar -> version 0.20.2-cdh3u2 vs 1.0.0 # line xyz, column xyz
To 'fix' this, it would be better to split your tests into a separate project whose project model can define a separate set of test dependencies.
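The duplicate declaration that the warning above points at can be found before the build by scanning the POM. This is an added example, not code from the answer; the function names are hypothetical and the POM is constructed by wrapping the question's three dependency entries.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed POM wrapping the three <dependency> entries from the question.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.hadoop</groupId><artifactId>hadoop-core</artifactId>
      <version>0.20.2-cdh3u2</version><scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.hadoop</groupId><artifactId>hadoop-core</artifactId>
      <version>1.0.0</version><scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.hadoop</groupId><artifactId>hadoop-test</artifactId>
      <version>1.0.0</version><scope>test</scope>
    </dependency>
  </dependencies>
</project>"""


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on POM element names."""
    return tag.rsplit("}", 1)[-1]


def children(element, name):
    """Direct children of `element` with the given local name."""
    return [c for c in element if local(c.tag) == name]


def duplicate_declarations(pom_xml):
    """Map groupId:artifactId:type[:classifier] -> [(version, scope), ...] for
    keys declared more than once in the project's own <dependencies> section."""
    root = ET.fromstring(pom_xml)
    seen = defaultdict(list)
    # Only project/dependencies: dependencyManagement and profiles are separate sections.
    for section in children(root, "dependencies"):
        for dep in children(section, "dependency"):
            f = {local(c.tag): (c.text or "").strip() for c in dep}
            key = [f.get("groupId", ""), f.get("artifactId", ""), f.get("type") or "jar"]
            if f.get("classifier"):
                key.append(f["classifier"])
            seen[":".join(key)].append((f.get("version", ""), f.get("scope") or "compile"))
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for key, decls in duplicate_declarations(SAMPLE_POM).items():
        print(key, decls)
```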
Looks like a maven bug - or if not, something that is fishy enough I wouldn't trust the documentation if there were any.
In your case, I would probably:
1. upgrade maven and see if the issue is fixed in the latest m3
2. try repackaging one of the hadoop versions with another artifact id or group name. maven-shade-plugin, don't bother changing the package name, but just introduce something maven won't know is no different from org.apache.hadoop:hadoop-core
3. try moving the tests to a separate project downstream
4. start debugging maven and understand what's going on exactly (and then fall back on 1 or 2...)