Maven dependencyManagement version ignored in transitive dependencies - maven

Maven is transitively pulling in version 16 of guava, even though I have a <dependencyManagement> section which specifies version 18.
The quick summary:
gwizard-example depends on gwizard-config
gwizard-config has a parent pom, gwizard-parent
gwizard-parent has <dependencyManagement> which specifies version 18 of guava
Thankfully this is an opensource project, so you can see the poms directly: gwizard-parent, gwizard-config, gwizard-example. However, here's the important bit in gwizard-parent:
<properties>
<guava.version>18.0</guava.version>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>${guava.version}</version>
</dependency>
</dependencies>
</dependencyManagement>
...and the no-frills dependency declared in gwizard-example:
<properties>
<gwizard.version>0.5</gwizard.version>
</properties>
<dependencies>
<dependency>
<groupId>org.gwizard</groupId>
<artifactId>gwizard-config</artifactId>
<version>${gwizard.version}</version>
</dependency>
</dependencies>
The dependency tree for gwizard-config shows guava 18 correctly:
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # gwizard-config ---
[INFO] org.gwizard:gwizard-config:jar:0.5
[INFO] +- com.google.inject:guice:jar:4.0-beta5:compile
[INFO] | \- com.google.guava:guava:jar:18.0:compile
However, the dependency tree for gwizard-example shows guava 16 (which causes problems):
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # gwizard-example ---
[INFO] org.gwizard:gwizard-example:jar:1.0-SNAPSHOT
[INFO] +- org.gwizard:gwizard-config:jar:0.5:compile
[INFO] | +- com.google.inject:guice:jar:4.0-beta5:compile
[INFO] | | \- com.google.guava:guava:jar:16.0.1:compile
This is using Maven v3.2.5. I am baffled. Help?
Possibly related: dependencyManagement in parent ignored
UPDATE: The poms linked on github are changing; adding a dependency to gwizard-services (which directly declares a guava dep) in gwizard-example "fixed" the problem. There's still some sort of bad underlying behavior here.
UPDATE: Created this JIRA issue

There is a simple thing. A dependencyManagement does not declare a dependency which is really used it's only defining versions etc. which can be used.
If you define something like this it will not result in a change.
<properties>
<guava.version>18.0</guava.version>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>${guava.version}</version>
</dependency>
</dependencies>
</dependencyManagement>
If you really like to overwrite the version which is used in you tree you need to define a real dependency:
So based on the above definition you need to add the following as well:
<dependencies>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</dependency>
</dependencies>
If you have added this please check afterwards via mvn dependency:tree.

Maven doesn't resolve the version transitive dependency issue in this case.
This issue can be used by using maven bom concept.
Check the maven documentation for bom in the below link
http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Management
Here is another blog which explains usage of bom's
http://howtodoinjava.com/maven/maven-bom-bill-of-materials-dependency/
In your case to solve this issue, you need to add the below dependency in the dependencyManagement section of the project gwizard-example.
<dependency>
<groupId>org.gwizard</groupId>
<artifactId>gwizard-parent</artifactId>
<version>${gwizard.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>

Related

Maven - command line to update dependency by groupId

I would like to update dependencies just of the "groupA". How can I do this using command line?
<dependency>
<groupId>group-A</groupId>
<artifactId>artifact-1</artifactId>
<version>1.0.0</version>
</dependency>
<dependency>
<groupId>group-A</groupId>
<artifactId>artifact-2</artifactId>
<version>1.0.0</version>
</dependency>
<dependency>
<groupId>group-B</groupId>
<artifactId>artifact-1</artifactId>
<version>1.0.0</version>
</dependency>
The versions plugin has a goal "use-latest-versions" that seems to do what you need.
Assume you have something like:
<dependencies>
<dependency>
<groupId>group-B</groupId>
<artifactId>artifact-1</artifactId>
<version>1.0.0</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.1</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.9</version>
</dependency>
</dependencies>
Then running: mvn versions:use-latest-versions -D"includes=org.apache.commons:*:*:*:*"
would update those two dependencies in that group:
[INFO] --- versions-maven-plugin:2.7:use-latest-versions (default-cli) # artifact-id ---
[INFO] Major version changes allowed
[INFO] Updated org.apache.commons:commons-lang3:jar:3.1 to version 3.9
[INFO] artifact org.apache.commons:commons-compress: checking for updates from central
[INFO] Updated org.apache.commons:commons-compress:jar:1.9 to version 1.18
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
Assuming you just want the latest version that can be found in a repository.
The versions plugin has some other things to offer as well. For dependency work the dependency plugin is also often handy.

Transitive dependencies brought by provided scope and compile scope are computed as compile scope

We face an issue when a same artifact-X is transitively brought by a dependency-1 with provided scope, and another dependency-2 with default (compile) scope.
This artifact-X will be computed as compile scope, while we expect it to be explicitly provided by dependency-1.
For example, dependency-1 pom contains:
<dependencies>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.7</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-collections4</artifactId>
<version>4.1</version>
</dependency>
</dependencies>
dependency-2 pom contains:
<dependencies>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.8</version>
</dependency>
</dependencies>
Assembly project pom contains:
<dependencies>
<!-- do not include dependencies already provided by module-1 at runtime -->
<dependency>
<groupId>com.company</groupId>
<artifactId>module-1</artifactId>
<version>1.0</version>
<scope>provided</scope>
</dependency>
<!-- get dependencies required by module-2 runtime -->
<dependency>
<groupId>com.company</groupId>
<artifactId>module-2</artifactId>
<version>1.0</version>
</dependency>
</dependencies>
But a mvn dependency:tree on assembly project will output:
[INFO] --- maven-dependency-plugin:3.1.0:tree (show-app-dependencies) # module-3 ---
[INFO] com.company:module-3:pom:1.0
[INFO] +- com.company:module-1:jar:1.0:provided
[INFO] | +- org.apache.commons:commons-lang3:jar:3.7:compile
[INFO] | \- org.apache.commons:commons-collections4:jar:4.1:provided
[INFO] \- com.company:module-2:jar:1.0:compile
And we can see the artifact commons-lang3:jar:3.7 which come from dependency-1 is now at compile scope. Note that we don't use any <dependencyManagement> here.
This is very confusing, and leads to duplicate libraries in runtime classpath when dependency-1 is effectively provided in classpath of dependency-2 runtime (for example by an application server).
Moreover, based on Maven documentation about dependency mediation/scope, the transitive dependencies that are provided should be always ommited.
http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope
It seems to be a bug, that maven-3.6 does not handle, which is a shame !
However, as our goal is simply to package ONLY the libraries defined as compile/runtime (and ignore all the provided ones, and their transitives), how to achieve this using dependency management, or if impossible, using maven-assembly-plugin ??

Is there a way to set the version of a BOM we are using across modules?

We have many modules which use the same bom.
Is there a tool to roll them all up to the latest (or a specific) version?
Is there a way to prevent a SNAPSHOT bom being used in a release?
To update versions this goes well for me:
my pom with bom
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<java.version>1.7</java.version>
<spring.version>3.2.6.RELEASE</spring.version>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>${spring.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
with mvn versions:update-properties -Dincludes=org.springframework:spring-framework-bom in this case the result is
[INFO] --- versions-maven-plugin:2.2:update-properties (default-cli) # abc ---
[INFO] artifact org.springframework:spring-framework-bom: checking for updates from nexus-dev
[INFO] artifact org.springframework:spring-framework-bom: checking for updates from nexus
[INFO] Updated ${spring.version} from 3.2.6.RELEASE to 4.3.4.RELEASE
enforce plugin currenly not work detecting SNAPSHOT version into dependency managment setions but with managed dependencies declared out of dependency managment section it work. it would ativate the rule if into the bom exists a managed dependency with snapshot version and it dependency is declared in a child pom out dependency management section. But with thrithparty dependency bom artifact like springframework, by example, is very weard happen.

Understanding Maven Dependency tree output

I am trying to compile a Spring application in which the ApplicationConfig file has #EnableAspectJAutoProxy anotation I am facing this error when trying to run the project:
Failed to instantiate [org.springframework.aop.aspectj.annotation.
AnnotationAwareAspectJAutoProxyCreator]:
Constructor threw exception; nested exception is
java.lang.NoClassDefFoundError: org/aspectj/lang/annotation/Around
I have to say when I remove the above annotation the project is running successfully.
Having read on Internet I thought maybe it's because of incompatible versions for of libraries and jar files.
When I run mvn dependency:tree the output is as below:
[INFO] task-segment: [dependency:tree]
[INFO] ------------------------------------------------------------------------
[INFO] [dependency:tree {execution: default-cli}]
[INFO] groupId:myProject:jar:1.0-SNAPSHOT
[INFO] +- junit:junit:jar:4.11:compile
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- org.springframework:spring-webmvc:jar:4.3.0.RELEASE:compile
[INFO] | +- org.springframework:spring-aop:jar:4.2.6.RELEASE:compile (version m
anaged from 4.3.0.RELEASE)
[INFO] | | \- aopalliance:aopalliance:jar:1.0:compile
[INFO] | +- org.springframework:spring-beans:jar:4.2.6.RELEASE:compile
[INFO] | +- org.springframework:spring-context:jar:4.2.6.RELEASE:compile (versi
on managed from 4.3.0.RELEASE)
[INFO] | +- org.springframework:spring-core:jar:4.2.6.RELEASE:compile
[INFO] | +- org.springframework:spring-expression:jar:4.2.6.RELEASE:compile
[INFO] | \- org.springframework:spring-web:jar:4.2.6.RELEASE:compile (version m
anaged from 4.3.0.RELEASE)
[INFO] +- org.aspectj:aspectjweaver:jar:1.8.9:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:compile
[INFO] \- org.aspectj:aspectjrt:jar:1.8.9:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESSFUL
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3 seconds
and this is the content of the pom.xml file :
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.3.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.8.9</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjrt</artifactId>
<version>1.8.9</version>
</dependency>
</dependencies>
Question: I don't understand this output is saying that everything is fine or there might be some incompatibility in my project, and if there are how to solve them?
If you have worked on maven in your projects for dependency management, then you must have faced one problem at least once or may be more than that. And the problem is version mismatch. It generally happens when you got some dependencies which bring it’s related dependencies together with certain version. And if you have included those dependencies with different version numbers already, they can face undesired results in compile time as well as runtime also.
Ideally to avoid above issue you need to explicitly exclude the related dependency, but it is quite possible that you can forget to do so.
To solve version mismatch issue, you can use the concept of a “bill of materials” (BOM) dependency. A BOM dependency keep track of version numbers and ensure that all dependencies (both direct and transitive) are at the same version.
How to add BOM [Bill Of Materials] dependency
Maven provides a tag dependencyManagement for this purpose. You need to add the bom information in this tag as follows. I am taking the example of Spring bom file.
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.3.0.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
An added benefit of using the BOM is that you no longer need to specify the version attribute when depending on Spring Framework artifacts. So it will work perfectly fine.
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
</dependency>
<dependencies>
Doing like above will resolve all version comparability issues and application works fine as we are not going to use unmatched versions

How to figure out the jars that the dependencies in the maven's pom.xml depend on?

I am very interested in how I can find out what are the jars that the dependences in the maven's pom.xml depend on.
I am used to doing the adding of libraries (jars) myself in my web application project. I came across this need when I was trying to configure the spring 3.0 samples. I really dislike that everything has to go through maven with spring 3.0.x. At this point it seems that I cannot dig deeper in the maven's dependency maze and learning it looks like a must. But I would really appreciate if someone can tell me a way I can find out this info.
For example, for the following pom.xml, I would like to know what the dependency with artifactId spring-context depends on. (I can see that it depends on commons-logging, since the creator of the sample excludes it - wanted to use slf4j instead of commons-logging.). I would like to find out the rest of the dependences for the dependency with artifactId spring-context, and the same for the rest of the dependences! How can I do this?
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.samples</groupId>
<artifactId>mvc-ajax</artifactId>
<name>mvc-ajax</name>
<packaging>war</packaging>
<version>1.0.0-SNAPSHOT</version>
<properties>
<org.springframework.version>3.0.5.RELEASE</org.springframework.version>
<org.slf4j.version>1.6.1</org.slf4j.version>
</properties>
<dependencies>
<!-- Spring -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${org.springframework.version}</version>
<exclusions>
<!-- Exclude Commons Logging in favor of SLF4j -->
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${org.springframework.version}</version>
</dependency>
<!-- Logging -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>${org.slf4j.version}</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>${org.slf4j.version}</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>${org.slf4j.version}</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.16</version>
<scope>runtime</scope>
</dependency>
<!-- JSR 303 with Hibernate Validator -->
<dependency>
<groupId>javax.validation</groupId>
<artifactId>validation-api</artifactId>
<version>1.0.0.GA</version>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-validator</artifactId>
<version>4.1.0.Final</version>
</dependency>
<!-- Joda Time -->
<dependency>
<groupId>joda-time</groupId>
<artifactId>joda-time</artifactId>
<version>1.6.2</version>
<scope>runtime</scope>
</dependency>
<!-- Jackson JSON Mapper -->
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-mapper-asl</artifactId>
<version>1.6.4</version>
</dependency>
<!-- Servlet -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
<version>2.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
<!-- Test -->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.7</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<version>${org.springframework.version}</version>
<scope>test</scope>
</dependency>
</dependencies>
<repositories>
<!-- For Hibernate Validator -->
<repository>
<id>org.jboss.repository.release</id>
<name>JBoss Maven Release Repository</name>
<url>https://repository.jboss.org/nexus/content/repositories/releases</url>
<snapshots><enabled>false</enabled></snapshots>
</repository>
</repositories>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>1.5</source>
<target>1.5</target>
<showWarnings>true</showWarnings>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<executions>
<execution>
<id>install</id>
<phase>install</phase>
<goals>
<goal>sources</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
Kind Regards,
Despot
EDIT (some follow up on the answer given by Sean):
1) Download maven (I downloaded version 2.2.1) and follow the installation instructions given there.
2) Than open command prompt and go to the directory of the pom.xml
3) Do the "mvn dependency:tree" command as advised. (I tried using -DoutputFile="somePath" or -Dinclude=spring-context -> it wasn't writing in the file presented in the path and it was selecting all the dependancies instead of spring-context - no matter the general command will suffice). Wait for a while for the system to download all needed info and in the end you will get something like this:
[INFO] [dependency:tree {execution: default-cli}]
[INFO] org.springframework.samples:mvc-ajax:war:1.0.0-SNAPSHOT
[INFO] +- org.springframework:spring-context:jar:3.0.5.RELEASE:compile
[INFO] | +- org.springframework:spring-aop:jar:3.0.5.RELEASE:compile
[INFO] | | \- aopalliance:aopalliance:jar:1.0:compile
[INFO] | +- org.springframework:spring-beans:jar:3.0.5.RELEASE:compile
[INFO] | +- org.springframework:spring-core:jar:3.0.5.RELEASE:compile
[INFO] | +- org.springframework:spring-expression:jar:3.0.5.RELEASE:compile
[INFO] | \- org.springframework:spring-asm:jar:3.0.5.RELEASE:compile
[INFO] +- org.springframework:spring-webmvc:jar:3.0.5.RELEASE:compile
[INFO] | +- org.springframework:spring-context-support:jar:3.0.5.RELEASE:
compile
[INFO] | \- org.springframework:spring-web:jar:3.0.5.RELEASE:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.6.1:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.6.1:runtime
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.6.1:runtime
[INFO] +- log4j:log4j:jar:1.2.16:runtime
[INFO] +- javax.validation:validation-api:jar:1.0.0.GA:compile
[INFO] +- org.hibernate:hibernate-validator:jar:4.1.0.Final:compile
[INFO] +- joda-time:joda-time:jar:1.6.2:runtime
[INFO] +- org.codehaus.jackson:jackson-mapper-asl:jar:1.6.4:compile
[INFO] | \- org.codehaus.jackson:jackson-core-asl:jar:1.6.4:compile
[INFO] +- javax.servlet:servlet-api:jar:2.5:provided
[INFO] +- javax.servlet.jsp:jsp-api:jar:2.1:provided
[INFO] +- javax.servlet:jstl:jar:1.2:compile
[INFO] +- junit:junit:jar:4.7:test
[INFO] \- org.springframework:spring-test:jar:3.0.5.RELEASE:test
[INFO] ---------------------------------------------------------------
[INFO] BUILD SUCCESSFUL
[INFO] ---------------------------------------------------------------
[INFO] Total time: 1 minute 8 seconds
[INFO] Finished at: Tue Jan 04 16:53:45 CET 2011
[INFO] Final Memory: 12M/25M
[INFO] ---------------------------------------------------------------
You can download the jars using Jarvana (just type jarvana + the name of the jar) or you can use the svn checkout command.
The hibernate-validator:jar:4.1.0.Final in Jarvana returns an error (there is no 4.1.0 Final version -> only 4.0.2 Final
Also org.codehaus.jackson-mapper-asl 1.6.4 could not be found - only 1.6.2 (same goes to the jackson-core-asl). I am presuming that the same would happen if you used maven to build your project.
After I included all the needed jars, I started the server in debug mode and this happened:
TIME org.apache.catalina.loader.WebappClassLoader validateJarFile
INFO: validateJarFile(C:\somePath\mvc-ajax3.0\WEB-INF\lib\jsp-api-2.1.jar) - jar not loaded.
See Servlet Spec 2.3, section 9.7.2. Offending class: javax/servlet/jsp/JspPage.class
TIME org.apache.catalina.loader.WebappClassLoader validateJarFile
INFO: validateJarFile(C:\somePath\mvc-ajax3.0\WEB-INF\lib\servlet-api-2.5.jar) - jar not loaded.
See Servlet Spec 2.3, section 9.7.2. Offending class: javax/servlet/Servlet.class
This means (I think) that those jars are found twice. Deleting them done the job for me. Seams like the pom.xml is not valid for this sample.
It took too much time for me to download the jars manually and to "fight" all the project configuration, so I guess is best to learn some Maven if you are trying to start with Spring 3.0.
Execute mvn dependency:tree and it will list all the project's dependencies.
Reference:
dependency:tree mojo
Resolving conflicts using the Dependency Tree
Filtering the Dependency Tree
You didn't mention what IDE you are using. If you are using Eclipse then install the M2Eclipse plugin for Maven. Once installed it has an excellent Maven pom.xml editor that can show you many things...including an interactive, recursive, dependency tree.
You can see some videos on this feature here:
http://m2eclipse.sonatype.org/overview-of-the-m2eclipse-pom-editor.html

Resources