is there any easiest way to modify dependency management version - maven

i am in a situation to modify all the dependency management versions manually...
<dependencymanagement>
<dependencies>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-a</artifactId>
<version>1.0</version>
</dependency>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-a</artifactId>
<version>1.0</version>
</dependency>
</dependencies>
</dependencymanagement>
i have more than 100 dependencies in the management which are not third party jars, all are project jars....
previously we have all the same versions,so we don't have any issues to modify....
now we introduced different versions for each module, for each and every time modifying the dependency management manually is some what difficulty...is there any easiest way to update by using the commands or any plugins.

You could use the Versions Maven Plugin which allows you to execute goals in order to handle versions, check the list here.

If you have 100-odd dependencies as you have mentioned, you should be using a repository manager like nexus or artifactory. Once you deploy your dependencies to the repository manager, then what #patric-lc suggests will work.

Related

Dependency error in jasper-reports from itext

From yesterday I have problems compiling with maven because of iText jar.
My project has a dependency of jasperreports-2.0.1 that depends on itext-1.02b or higher.
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>[1.02b,)</version>
<scope>compile</scope>
</dependency>
That is the log error in maven:
Failed to collect dependencies for [jasperreports:jasperreports:jar:2.0.1 (compile)]: Failed to read artifact descriptor for com.lowagie:itext:jar:4.2.2: Could not transfer artifact com.itextpdf:itextpdf:pom:4.2.2 from/to jaspersoft (http://www.jasperforge.org/maven2): Access denied to http://www.jasperforge.org/maven2/com/itextpdf/itextpdf/4.2.2/itextpdf-4.2.2.pom. Error code 403, Forbidden -> [Help 1]
I see here a comment from Amedee Van Gasse that says something about a 4.2.2 version with no jar.
Why does the 1.02b version attach to 4.2.2?
Edit:
Jasper-reports uses an open version range:
[1.02b,)
This range says to maven to take the library latest version.
With the update from iText adding new version Pom with no jar and editting the maven-metadata of maven-central to that no-jar version crashes the compilation to all jar depending form latest com.lowagie library.
Updating locally your maven-metadata-central.xml (and other metadata if your company has it's own nexus.public) from ...m2\repository\com\lowagie\itext
to that works. Temporally solucion until iText updates the metadata or ALL companies that has dependencies for it's latest version updates it's pom
<metadata modelVersion="1.1.0">
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<versioning>
<latest>4.2.1</latest>
<release>4.2.1</release>
<versions>
<version>0.99</version>
<version>1.1.4</version>
<version>1.02b</version>
<version>1.2.3</version>
<version>1.3</version>
<version>1.3.1</version>
<version>1.4</version>
<version>1.4.8</version>
<version>2.0.1</version>
<version>2.0.6</version>
<version>2.0.7</version>
<version>2.0.8</version>
<version>2.1.0</version>
<version>2.1.2</version>
<version>2.1.3</version>
<version>2.1.4</version>
<version>2.1.5</version>
<version>2.1.7</version>
<version>4.2.0</version>
<version>4.2.1</version>
</versions>
<lastUpdated>20150709153501</lastUpdated>
</versioning>
</metadata>
A much simpler solution may be to upgrade to a newer version of jasperreports. Version 6.1.0 has this dependency on iText:
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>2.1.7.js2</version>
<scope>compile</scope>
</dependency>
No more "floating" dependency on iText, and it's a version that's custom made for jasperreports!
See http://mvnrepository.com/artifact/net.sf.jasperreports/jasperreports/6.1.0 for the complete pom.xml.
I'm using gradle and for the current version 6.8.2 I got the following build error:
> Could not find com.lowagie:itext:2.1.7.js6
So I added http://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/ as repository and now it works.
repositories {
mavenCentral()
maven { url "https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/" }
}
dependencies {
compile 'net.sf.jasperreports:jasperreports:6.8.0'
}
EDIT:
If you used this solution and suddenly get an error like
> Could not resolve com.lowagie:itext:2.1.7.js6.
> Could not parse POM http://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/com/lowagie/itext/2.1.7.js6/itext-2.1.7.js6.pom
> The element type "hr" must be terminated by the matching end-tag "</hr>".
This is because the jfrog repository disabled http and only allows https now. For some reason this creates a broken pom with the following content
<html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx</center>
</body>
</html>
Solution: Replace the http in the repository url with https.
The problem is indeed in the POM of jasper-reports:
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>[1.02b,)</version>
<scope>compile</scope>
</dependency>
Jasper-reports distributes a (modified) build of iText 2.1.7 since at least November 2012 (if memory serves me well), so if your version of jasper-reports still has a dependency on 1.02b and up, it must be a very old version.
The jasper-reports dependency on iText should be changed to:
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>[1.02b,2.1.7]</version>
<scope>compile</scope>
</dependency>
Or just:
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>2.1.7</version>
<scope>compile</scope>
</dependency>
This relates to this question: How do I tell Maven to use the latest version of a dependency?
That page is riddled with cautions about always using the latest version for your dependencies. It reduces reproducibility of your builds.
2.1.7 was the last version of iText released by the company iText Group NV (or its legal predecessor), with the com.lowagie groupId. The next version of iText, released by the company iText Group NV, was version 5.0.0, with the com.itextpdf groupId, which means it's binary incompatible with your current code. There's also the matter of a license change to AGPL, but that is outside the scope of StackOverflow, I want to restrict my answer to the technical matters.
Any other versions of iText between 2.1.7 and 5.0.0, like 4.2.0 and 4.2.1, are forks by other companies. According to Apache's Guide to uploading artifacts to the Central Repository (https://maven.apache.org/guides/mini/guide-central-repository-upload.html), those companies should have used a different groupId, as the page clearly states in their FAQ:
I have a patched version of the foo project developed at foo.com, what
groupId should I use? When you patch / modify a third party project,
that patched version becomes your project and therefore should be
distributed under a groupId you control as any project you would have
developed, never under com.foo. See above considerations about
groupId.
TL;DR
If you don't want to change your code, tell your Maven to only get iText 2.1.7.
We decide to maintain same jasperreport version and made this changes in conflicteds pom:
<dependencies>
<dependency>
<groupId>jasperreports</groupId>
<artifactId>jasperreports</artifactId>
<version>2.0.1</version>
<exclusions>
<exclusion>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>2.1.7</version>
</dependency>
...
</dependencies>
Edit: Change dependecy to 2.1.7 to be certain it will compile in future
I was making manteinance to some legacy code, and i faced the same problem. The solution that i found was to add the following to the pom.xml:
<repositories>
<repository>
<id>jasper-3rd-party</id>
<name>Jasper3rdParty</name>
<url>http://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>net.sf.jasperreports</groupId>
<artifactId>jasperreports</artifactId>
<version>6.12.2</version>
</dependency>
<!-- More dependencies like: commons-collections4, org.apache.xmlgraphics, etc -->
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>2.1.7.js4</version>
</dependency>
</dependencies>
The JasperReports version used to test this code was released on Mar/2020. Hope this helps!
I got the same problem,
Just realized that https://jaspersoft.jfrog.io/artifactory/third-party-ce-artifacts is not accessible by public, you need to change the artifactory to jaspersoft directory.
For maven you can use below repositories in pom.xml
<repositories>
<repository>
<id>jaspersoft-third-party</id>
<url>https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
</repository>
</repositories>
JasperReports patched the iText with some bug fixes. So you have to add the patched iText repo[1] in your pom/gradle file.
[1] http://jasperreports.sourceforge.net/maven2/
Below is the gradle snippet for your reference when using jasper report 6.1.1.
repositories {
mavenLocal()
mavenCentral()
maven { url "http://repo.spring.io/release" }
maven { url "https://jaspersoft.jfrog.io/artifactory/third-party-ce-artifacts/" }
maven { url "http://jasperreports.sourceforge.net/maven2/" }
}
This worked with the latest jasper-reports version 6.17.0 and maven 3.8.1, especially with the jasperreports-plugin from com.alexnederlof in version 2.8:
<project>
...
<repositories>
<!-- JasperSoft, they modified a standard library for their own special needs -->
<repository>
<id>jaspersoft-third-party</id>
<url>https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
</repository>
</repositories>
<pluginRepositories>
<!-- JasperSoft, they modified a standard library for their own special needs -->
<pluginRepository>
<id>jaspersoft-third-party</id>
<url>https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
</pluginRepository>
</pluginRepositories>
...
It's important to know that there is not only <repositories> but also <pluginRepositories> which you maybe have to supply (depending on your setup and transitive dependencies).
Answer for searchers in 2k19
Artifact:
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
is deprecated now.
Better to exclude it from jasperreports and add new itext dependency manually
<dependency>
<groupId>jasperreports</groupId>
<artifactId>jasperreports</artifactId>
<version>6.10.0</version> <!--(or higher)-->
<exclusions>
<exclusion>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.itextpdf</groupId>
<artifactId>itextpdf</artifactId>
<version>5.5.13</version> <!--(or higher)-->
</dependency>
"Fix" for me was to switch from jasperreports version 5.5.0 to 4.5.1 LOL. (which doesn't depend on itext)
Then it doesn't depend on a custom, seemingly unpublished dependency version of itext (2.1.7.js2 in my case).
You could download 2.1.7.js2.jar from the jasper people and publish it locally to your "own" custom maven repo, or even your local ~/.m2/repository (ugh). I've even seen people have a custom ivy command to "publish" a local copy of it to a local server (ivy or maven).
Or add the repo's in the other answers. Or just specify it manually as 2.1.7, which is in the main repo's, etc. (you'll miss some bug fixes though).
If you are using gradle Note That the url to the jaspersoft package below was changed from this one:
maven{ url "http://jaspersoft.artifactoryonline.com/jaspersoft/third-party-ce-artifacts" }
To this one here:
maven { url "https://jaspersoft.jfrog.io/artifactory/third-party-ce-artifacts" }
We have the same problem. To solve it, we have deleted the proxy parameters of the Maven config, and change the last version of the maven-metadata-central (in folder com\lowagie\itext of your repository).
A bad solution, but, temporaly, works :/
I have the same problem when using Maven 2.2.1, i re-built my project using Maven 3.2.3 and its works !
You have to use Maven 3 to resolve your problem, the bug seem to be resolved in this version.

Update all versions in maven

I've got a maven project with a large number of sub-projects with many dependencies. Now I'd like to update all versions of my pom files to a new version and rebuild them. For example if I've got a a pom like that:
<parent>
<groupId>theparentId</groupId>
<artifactId>theParentArtifact</artifactId>
<version>2.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>eaics-wsa-model</artifactId>
<packaging>model</packaging>
<dependencies>
<dependency>
<groupId>groupId1</groupId>
<artifactId>artifactId1</artifactId>
<version>1.1</version>
</dependency>
<dependency>
<groupId>groupId2</groupId>
<artifactId>artifactId2</artifactId>
<version>2.0</version>
</dependency>
<dependency>
<groupId>groupId3</groupId>
<artifactId>artifactId3</artifactId>
<version>1.3</version>
</dependency>
</dependencies>
I need to update the dependencies of groupId1 to groupId3 to a new version which doesn't exist jet. Because I also need to "create" a new updated version of my dependencies themself.
Because the dependencies in their pom.xml look like that at the moment:
<groupId>groupId3</groupId>
<artifactId>artifactId3</artifactId>
<version>1.2</version>
As you see, the version is on 1.2 but needs to be updated to 1.3 before the dependency uses it.
So is there a way to recursively update all pom (versions)? If it's possible in Java with MavenXpp3Reader etc. great. But is there a more simple method? Because my fear is, that I can't build my projects after that, because I think they don't build recursively and won't find the new dependency versions.
You can update all the pom's version using versions-maven-plugin There a some examples that can help you.

How to use jars from Wildfly correctly in Maven?

I'm working on a project to deploy to Wildfly, and I'm using Maven to build it. This is a complex project with multiple war/jar/ear files, so there's a parent pom.xml with the following in it:
...
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.wildfly.bom</groupId>
<artifactId>jboss-javaee-7.0-with-all</artifactId>
<version>8.1.0.Final</version>
<type>pom</type>
<scope>import</scope>
</dependency>
...
</dependencies>
</dependencyManagement>
...
Unfortunately, the above BOM does not include various jar files that I know are in the default Wildfly 8.1.0.Final distribution. In particular, the cause of this question is the cxf-api jar file. I know it resides at this location in Wildfly:
wildfly-8.1.0.Final/modules/system/layers/base/org/apache/cxf/main/cxf-api-2.7.11.jar
but it is not being managed by the BOM recommended for Wildfly.
How do I correctly add cxf-api, and similar jar files, to the project's pom.xml, preferably without having to specify each one individually? Sure, I could do something like this:
<dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-api</artifactId>
<version>2.7.11</version>
<scope>provided</scope>
</dependency>
but I'd really rather not have to do this for each and every jar file that is already a part of Wildfly.
Isn't there a BOM that I can import?
WildFly BOMs (aka JBoss Bill of Materials in its original version) is a set of dependencies used to enhance deployment of dependant projects and automate in some way their tests. It does not unfortunately includes dependencies used in WildFly core i.e. the Application Server.
The pom.xml (project descriptor) that you really need to import just the way you did for your BOMs pom file is the WildFly parent pom. So just import it into your own project pom and you will have your dependecies transitevelly resolved:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.wildfly</groupId>
<artifactId>wildfly-parent</artifactId>
<version>8.1.0.Final</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
Checkout the Apache CXF version used in the target WildFly version and just pick up the stable tags that match your needs.

How do I indicate to maven that one dependency provides another?

After version 11.0.2, Google's guava library switched to Java 6. Fortunately, for those of us stuck on Java 5, they also released a "guava-jdk5" artifact.
Unfortunately, some of my dependencies pull in guava 11.0.2 transitively. Which leaves my project containing both guava-jdk5 and guava.
Normally when I have conflicting versions, I can use the "dependencymanagement" tag to indicate which version to pull in. But since these are two different artifacts, I do not understand how to do this. Ultimately I want to tell maven, guava and guava-jdk5 are the same artifact and I want the 17.0 version of guava-jdk5 to be the one that is used. How do I do this?
Thanks!
One easy way is to use a dependency exclusion, nutshell from the link:
<project>
...
<dependencies>
<dependency>
<groupId>sample.ProjectA</groupId>
<artifactId>Project-A</artifactId>
<version>1.0</version>
<scope>compile</scope>
<exclusions>
<exclusion> <!-- declare the exclusion here -->
<groupId>sample.ProjectB</groupId>
<artifactId>Project-B</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
</project>

Maven cannot resolve a jar which I can see on the repository

I specify wicket version 1.5-RC7 in my pom.xml. When I do a mvn install it complains about: The following artifacts could not be resolved: org.apache.wicket:wicket:jar:1.5-RC7, javax.transaction:jta:jar:1.0.1B. So I try searching for the javax.transaction.jta-1.0.1B.jar on mvnrepository.com, and I am able to find it. Why does maven tell me it can't resolve avax.transaction:jta:jar:1.0.1B?
My pom.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
…
<repositories>
<repository>
<id>mvnrepository</id>
<url>http://repo1.maven.org/maven2</url>
</repository>
</repositories>
<dependencies>
<!-- WICKET DEPENDENCIES -->
<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket</artifactId>
<version>${wicket.version}</version>
</dependency>
<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket-spring</artifactId>
<version>${wicket.version}</version>
</dependency>
<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket-extensions</artifactId>
<version>${wicket.version}</version>
</dependency>
…
</dependencies>
</build>
<properties>
<wicket.version>1.5-RC7</wicket.version>
...
</properties>
</project>
First, http://repo1.maven.org/maven2 is the default one that Maven will lookup. You don't need to declare it again.
Can you check, when you build, which server your Maven is trying to connect? You should see something like Downloading: http://whatever.com/path/to/dependencies.pom.
I have just checked in maven central repo, there is no org.apache.wicket:wicket:1.5-RC7. You have better to check if you have declared the correct dependency
For JTA, it is a bit tricky. For quite some Java spec JARs, because of licensing issue, the actual JAR is not available in the public central Maven repo. If you look at http://search.maven.org/#artifactdetails|javax.transaction|jta|1.0.1B|jar , you will see it only contains POM, but not the JAR.
There are some ways to solve:
If you have a Maven repo in your own company, consider getting the JAR from Sun/Oracle, and deploy it yourself
For JTA spec itself, JAR is available for newer version (1.1) . Check if it is fine for you to use to latter spec
Switch to use Geromino spec. It should be compatible. http://search.maven.org/#search|gav|1|g%3A%22geronimo-spec%22%20AND%20a%3A%22geronimo-spec-jta%22
Edit
I have missed the wicket 1.5-RC7 in my previous search. Sorry. After looking into the POM, it seems that it is not a JAR POM. org.apache.wicket:wicket:1.5-RC7 is of type POM, in which declares dependency to wicket-core artifact.
You have two ways to do:
Change your dependency to point to wicket-core (and maybe other wicket modules) instead of wicket.
Change your dependency declaration to have <type>pom</type> (because default is jar)
I am not familiar with Wicket, but I believe method 1 is preferred.
Check your ~/.m2/settings.xml, I'm guessing you have an internal company (Nexus) repo mirror/proxy setting avoiding you fetching from internet -- and this mirror is stale.
If this is the case there are two common way to fix it: fix your internal Nexus repo so it's up to date, or bypass the Nexus repo so you fetch from the internet
I had faced this issue just now and resolved it. I have seen lot of questions in stack overflow related to this . Since my resolution was slightly different I am posting this answer. .
Issue :-Failed to execute goal on project Apigee-Edge-deploy-plugin: Could not resolve dependencies for project io.apigee.build-tools.enterprise4g:Apigee-Edge-deploy-plugin:maven-plugin:1.0.0: The following artifacts could not be resolved:
Root Cause:- The Repo had the dependency jars mentioned in the project. But the dependencies in turn had other dependencies which was not present in the repo and caused this issue. I added exclusion to the dependency and it worked.
eg:-
<dependency>
<groupId>org.apache.axis2</groupId>
<artifactId>axis2-metadata</artifactId>
<version>1.3</version>
<type>jar</type>
<scope>compile</scope>
<exclusions>
<exclusion>
<artifactId>woden</artifactId>
<groupId>org.apache.woden</groupId>
</exclusion>
</exclusions>
</dependency>
Reference:-
Also checkout the very good article on maven dependencies and exclusion

Resources