dependency:resolve and :tree resolve different dependencies? - maven

When I run dependency:tree on my pom.xml I get the following output:
...
[INFO] --- maven-dependency-plugin:2.1:tree (default-cli) # com.test.client ---
[INFO] assemblies:com.test.client:jar:1.0.0-SNAPSHOT
[INFO] +- foundation:com.test.core:jar:1.0.0:compile
[INFO] | \- junit:junit:jar:4.11:compile
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] \- assemblies:com.test.security:jar:1.0.0-SNAPSHOT:compile
...
When I run dependency:resolve on the same pom I get:
...
[INFO] The following files have been resolved:
[INFO] assemblies:com.test.security:jar:1.0.0-SNAPSHOT:compile
[INFO] foundation:com.test.core:jar:1.0.1-SNAPSHOT:compile
[INFO] junit:junit:jar:4.11:compile
[INFO] org.hamcrest:hamcrest-core:jar:1.3:compile
...
Why is the version of com.test.core different between :resolve and :tree?

This seems to be a bug in Maven 3.0.4. I updated to version 3.2.1 and now dependency:tree and :resolve are resolving the same dependencies.

Related

vaadin jsoup security alert

In a recent security alert, referenced here, I see there might be security concerns with Vaadin 7 because of a jsoup vulnerability. Because of other factors, I cannot upgrade. So I thought about just including the jsoup directly in my project. So before it was included indirectly via vaadin-server, now it is included directly, and the version vaadin-server references is "omitted for conflict with 1.14.2". Is this a safe way to address this security concern?
I am using Vaadin 7.7.17 and maven.
I ask largely because Vaadin did not offer this as a possible solution, so I assumed it would fail. But since maven is showing no error, I am worried I am missing something that will only show up in some strange runtime behavior.
Here is the dependency tree built via mvn dependency:tree. First of all, the original version, stripped down:
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------------< com.mobiwms:vaadinwebsite >----------------------
[INFO] Building vaadinwebsite 4.0.31
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # vaadinwebsite ---
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] | +- com.vaadin:vaadin-sass-compiler:jar:0.9.13:compile
[INFO] | | +- org.w3c.css:sac:jar:1.3:compile
[INFO] | | \- com.vaadin.external.flute:flute:jar:1.3.0.gg2:compile
[INFO] | +- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] | \- org.jsoup:jsoup:jar:1.8.3:compile
[INFO] +- com.vaadin:vaadin-push:jar:7.7.17:compile
[INFO] | \- com.vaadin.external.atmosphere:atmosphere-runtime:jar:2.2.13.vaadin1:compile
[INFO] | \- com.vaadin.external.slf4j:vaadin-slf4j-jdk14:jar:1.6.1:compile
[INFO] +- com.vaadin:vaadin-client:jar:7.7.17:provided
... // Stripped out unrelated portions of hierarchy.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.758 s
[INFO] Finished at: 2021-10-27T18:59:19-04:00
[INFO] ------------------------------------------------------------------------
And now the new version, stripped down:
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------------< com.mobiwms:vaadinwebsite >----------------------
[INFO] Building vaadinwebsite 4.0.31
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # vaadinwebsite ---
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] | +- com.vaadin:vaadin-sass-compiler:jar:0.9.13:compile
[INFO] | | +- org.w3c.css:sac:jar:1.3:compile
[INFO] | | \- com.vaadin.external.flute:flute:jar:1.3.0.gg2:compile
[INFO] | \- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] +- com.vaadin:vaadin-push:jar:7.7.17:compile
[INFO] | \- com.vaadin.external.atmosphere:atmosphere-runtime:jar:2.2.13.vaadin1:compile
[INFO] | \- com.vaadin.external.slf4j:vaadin-slf4j-jdk14:jar:1.6.1:compile
[INFO] +- com.vaadin:vaadin-client:jar:7.7.17:provided
... // Stripped out unrelated portions of hierarchy.
[INFO] \- org.jsoup:jsoup:jar:1.14.2:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.285 s
[INFO] Finished at: 2021-10-27T18:56:01-04:00
[INFO] ------------------------------------------------------------------------
Just noting here. There is no actual problem in Vaadin 7 itself that would be impacted by the potential Jsoup vulnerability in question. The dependency was updated to a newer version more for the purpose of getting application developers to use the newer version. Newer versions of Jsoup had some API changes that needed small code changes in Vaadin 7. If your application is not using Jsoup in a way that exposes the vulnerability, then the upgrade is not absolutely mandatory. Also a reminder that Vaadin 7 versions newer than 7.7.17 require a commercial license for extended support.

Maven module has different versions of the same library

Good day!
I have a Maven multi-module project containing war, jar and ear modules. When I try to start local Tomcat (web module exploded), I get the following error:
Possible root causes include a too low setting for -Xss and illegal
cyclic inheritance dependencies. The class hierarchy being processed
was
[org.bouncycastle.asn1.ASN1EncodableVector->org.bouncycastle.asn1.DEREncodableVector->org.bouncycastle.asn1.ASN1EncodableVector]
I have read this question Avoid cyclic reference inheritance in grails
and found two versions of the jar: org.bouncycastle:bcprov-jdk15on:jar and org.bouncycastle:bcprov-jdk14:jar,
but I still cannot understand how to solve the issue.
Thank you in advance!
tor for org.codehaus.mojo:gwt-maven-plugin:jar:${gwt.version}
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) # desktop-app ---
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building arm-data-entry 1.0.30-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] Failed to retrieve plugin descriptor for org.codehaus.mojo:gwt-maven-plugin:${gwt.version}: Plugin org.codehau
s.mojo:gwt-maven-plugin:${gwt.version} or one of its dependencies could not be resolved: Failed to read artifact descrip
tor for org.codehaus.mojo:gwt-maven-plugin:jar:${gwt.version}
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) # arm-data-entry ---
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building sea-print 1.0.30-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] Failed to retrieve plugin descriptor for org.codehaus.mojo:gwt-maven-plugin:${gwt.version}: Plugin org.codehau
s.mojo:gwt-maven-plugin:${gwt.version} or one of its dependencies could not be resolved: Failed to read artifact descrip
tor for org.codehaus.mojo:gwt-maven-plugin:jar:${gwt.version}
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) # sea-print ---
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building setup-docs 1.0.30-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] Failed to retrieve plugin descriptor for org.codehaus.mojo:gwt-maven-plugin:${gwt.version}: Plugin org.codehau
s.mojo:gwt-maven-plugin:${gwt.version} or one of its dependencies could not be resolved: Failed to read artifact descrip
tor for org.codehaus.mojo:gwt-maven-plugin:jar:${gwt.version}
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) # setup-docs ---
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building pdf-cuter 1.0.30-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] Failed to retrieve plugin descriptor for org.codehaus.mojo:gwt-maven-plugin:${gwt.version}: Plugin org.codehau
s.mojo:gwt-maven-plugin:${gwt.version} or one of its dependencies could not be resolved: Failed to read artifact descrip
tor for org.codehaus.mojo:gwt-maven-plugin:jar:${gwt.version}
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) # pdf-cuter ---
[INFO] ru.my-company.ea.old:pdf-cuter:jar:1.0.30-SNAPSHOT
[INFO] \- org.icepdf.os:icepdf-core:jar:6.1.2:compile
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.54:compile
[INFO] +- org.bouncycastle:bcprov-ext-jdk15on:jar:1.54:compile
[INFO] \- org.bouncycastle:bcpkix-jdk15on:jar:1.54:compile
[INFO] \- (org.bouncycastle:bcprov-jdk15on:jar:1.54:compile - omitted for duplicate)
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building sea-web 1.0.30-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) # sea-web ---
[INFO] ru.my-company.ea.old:sea-web:war:1.0.30-SNAPSHOT
[INFO] +- ru.my-company.ea.old:pdf-cuter:jar:1.0.30-SNAPSHOT:compile
[INFO] | \- org.icepdf.os:icepdf-core:jar:6.1.2:compile
[INFO] | +- org.bouncycastle:bcprov-jdk15on:jar:1.54:compile
[INFO] | +- org.bouncycastle:bcprov-ext-jdk15on:jar:1.54:compile
[INFO] | \- org.bouncycastle:bcpkix-jdk15on:jar:1.54:compile
[INFO] | \- (org.bouncycastle:bcprov-jdk15on:jar:1.54:compile - omitted for duplicate)
[INFO] \- net.sf.jasperreports:jasperreports:jar:4.7.1:compile
[INFO] \- com.lowagie:itext:jar:2.1.7:compile
[INFO] \- org.bouncycastle:bctsp-jdk14:jar:1.38:compile
[INFO] +- org.bouncycastle:bcprov-jdk14:jar:1.38:compile
[INFO] \- org.bouncycastle:bcmail-jdk14:jar:1.38:compile
[INFO] \- (org.bouncycastle:bcprov-jdk14:jar:1.38:compile - omitted for duplicate)
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building the-ear 1.0.30-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] Failed to retrieve plugin descriptor for org.codehaus.mojo:gwt-maven-plugin:${gwt.version}: Plugin org.codehau
s.mojo:gwt-maven-plugin:${gwt.version} or one of its dependencies could not be resolved: Failed to read artifact descrip
tor for org.codehaus.mojo:gwt-maven-plugin:jar:${gwt.version}
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) # the-ear ---
[INFO] ru.my-company.ea.old:the-ear:ear:1.0.30-SNAPSHOT
[INFO] \- net.sf.jasperreports:jasperreports:jar:4.7.1:compile
[INFO] \- com.lowagie:itext:jar:2.1.7:compile
[INFO] \- org.bouncycastle:bctsp-jdk14:jar:1.38:compile
[INFO] +- org.bouncycastle:bcprov-jdk14:jar:1.38:compile
[INFO] \- org.bouncycastle:bcmail-jdk14:jar:1.38:compile
[INFO] \- (org.bouncycastle:bcprov-jdk14:jar:1.38:compile - omitted for duplicate)
[INFO] ------------------------------------------------------------------------
........
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.698 s
[INFO] Finished at: 2018-09-07T11:26:32+05:00
[INFO] Final Memory: 21M/226M
[INFO] ------------------------------------------------------------------------
D:\Projects\sea-eclipse>
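The two threads above come down to the same question: what is actually on the classpath once Maven has picked one version of a library (the jsoup case, where vaadin-server's 1.8.3 is "omitted for conflict with 1.14.2"), and which jars Maven never treats as a conflict at all because their artifactIds differ (the bcprov-jdk14 / bcprov-jdk15on case). The script below is an added example, not code from any of the posts or from the Maven project: it parses the plain text that `mvn dependency:tree` prints, including the parenthesised "omitted for ..." nodes that `-Dverbose` adds, and reports both situations. The `SAMPLE_TREE` input is constructed here, modelled on the trees posted above, and the `SAME_LIBRARY` alias table is an assumption of this example (Maven has no such notion), listing two Bouncy Castle artifactIds that ship the same classes.

```python
"""Scan `mvn dependency:tree` text for duplicated libraries (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One tree line: optional "[INFO] ", tree-drawing characters, then the coordinates,
# optionally wrapped as "(coords - omitted for <reason>)" the way -Dverbose prints them.
_LINE_RE = re.compile(
    r"^(?:\[INFO\]\s*)?[\s|+\\-]*\(?"
    r"(?P<coords>[A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){3,5})"
    r"(?:\s+-\s+omitted for (?P<reason>[^)]*))?\)?\s*$"
)

# Assumption of this example, not a Maven feature: artifactIds that package the same
# classes under different names. Maven compares groupId:artifactId only, so it never
# sees these as a conflict and keeps both jars on the classpath.
SAME_LIBRARY = {
    ("org.bouncycastle", "bcprov-jdk14"): "bouncycastle-provider",
    ("org.bouncycastle", "bcprov-jdk15on"): "bouncycastle-provider",
}


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    scope: Optional[str]      # None for the root project line
    omitted: Optional[str]    # reason text, or None when the node is on the classpath

    @property
    def key(self) -> str:
        return f"{self.group}:{self.artifact}"


def parse_tree(text: str) -> List[Dep]:
    """Extract every dependency node, kept or omitted, from dependency:tree output."""
    deps: List[Dep] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # banners, separators, timing lines and warnings
        parts = m.group("coords").split(":")
        if len(parts) == 4:            # root project: g:a:type:version
            g, a, _type, v = parts
            s = None
        elif len(parts) == 5:          # g:a:type:version:scope
            g, a, _type, v, s = parts
        else:                          # g:a:type:classifier:version:scope
            g, a, _type, _cls, v, s = parts
        deps.append(Dep(g, a, v, s, m.group("reason")))
    return deps


def find_version_conflicts(deps: List[Dep]) -> Dict[str, Dict[str, List[str]]]:
    """groupId:artifactId -> {version: [status...]} for artifacts seen with more than one version."""
    seen: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for d in deps:
        status = f"omitted for {d.omitted}" if d.omitted else "on classpath"
        seen[d.key][d.version].add(status)
    return {k: {v: sorted(s) for v, s in vers.items()}
            for k, vers in seen.items() if len(vers) > 1}


def find_same_library_duplicates(deps: List[Dep], aliases=SAME_LIBRARY) -> Dict[str, List[str]]:
    """library -> distinct g:a:version coordinates that all ended up on the classpath."""
    by_lib: Dict[str, set] = defaultdict(set)
    for d in deps:
        lib = aliases.get((d.group, d.artifact))
        if lib and not d.omitted:
            by_lib[lib].add(f"{d.key}:{d.version}")
    return {lib: sorted(c) for lib, c in by_lib.items() if len(c) > 1}


def report(text: str) -> dict:
    deps = parse_tree(text)
    return {
        "nodes": len(deps),
        "version_conflicts": find_version_conflicts(deps),
        "same_library": find_same_library_duplicates(deps),
    }


# Constructed sample modelled on the trees posted above (not a real build log).
SAMPLE_TREE = r"""[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ sample-web ---
[INFO] example:sample-web:war:1.0.0-SNAPSHOT
[INFO] +- org.icepdf.os:icepdf-core:jar:6.1.2:compile
[INFO] |  \- org.bouncycastle:bcprov-jdk15on:jar:1.54:compile
[INFO] +- com.lowagie:itext:jar:2.1.7:compile
[INFO] |  \- org.bouncycastle:bctsp-jdk14:jar:1.38:compile
[INFO] |     +- org.bouncycastle:bcprov-jdk14:jar:1.38:compile
[INFO] |     \- org.bouncycastle:bcmail-jdk14:jar:1.38:compile
[INFO] |        \- (org.bouncycastle:bcprov-jdk14:jar:1.38:compile - omitted for duplicate)
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] |  \- (org.jsoup:jsoup:jar:1.8.3:compile - omitted for conflict with 1.14.2)
[INFO] \- org.jsoup:jsoup:jar:1.14.2:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_TREE), indent=2))
```

Run it against a saved `mvn dependency:tree -Dverbose` log (`python scan_tree.py < tree.log` after swapping `SAMPLE_TREE` for `sys.stdin.read()`). On the sample, `version_conflicts` shows that jsoup 1.8.3 lost to 1.14.2 and only 1.14.2 is on the classpath, which is the confirmation the Vaadin question was after; `same_library` shows bcprov-jdk14 1.38 and bcprov-jdk15on 1.54 both retained, which Maven will never flag on its own and which is the kind of pairing behind the ASN1EncodableVector class-hierarchy error.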

Maven dependency:tree is not showing all transitive dependencies

I have trouble understanding the behaviour of the dependency:tree output. When running the plugin on a higher module, I am missing vital information from modules it depends on. But when I run the plugin on the lower module I can see the dependencies. Here is an example to show the problem (names changed):
mvn -pl foo:bar-application dependency:tree -Dincludes=foo:*
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building bar-application 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:tree (default-cli) # bar-application ---
[INFO] foo:bar-application:ear:0.0.1-SNAPSHOT
[INFO] +- foo:bar-business:ejb:0.0.1-SNAPSHOT:compile
[INFO] | +- foo:common-util:jar:0.0.1-SNAPSHOT:compile
...
[INFO] +- foo:bar-web:war:0.0.1-SNAPSHOT:compile
[INFO] \- foo:common-logging:jar:0.0.1-SNAPSHOT:compile
[INFO] ------------------------------------------------------------------------
The tree shows a dependency on bar-web, but only one further dependency from bar-web to other projects (common-logging).
But bar-web has far more dependencies:
mvn -pl foo:bar-web dependency:tree -Dincludes=foo:*
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building bar-web 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:tree (default-cli) # bar-web ---
[INFO] foo:bar-web:war:0.0.1-SNAPSHOT
[INFO] +- foo:common-logging:jar:0.0.1-SNAPSHOT:compile
[INFO] +- foo:culprit-business-client:jar:0.0.1-SNAPSHOT:compile
...
[INFO] +- foo:common-rest:jar:0.0.1-SNAPSHOT:compile
[INFO] | \- foo:config-business-client:jar:0.0.1-SNAPSHOT:compile
[INFO] \- foo:bar-business:jar:0.0.1-SNAPSHOT:provided
[INFO] \- foo:some-client:jar:0.0.1-SNAPSHOT:provided
[INFO] ------------------------------------------------------------------------
Why are the other dependencies not shown when inspecting bar-application? It took me a while of searching to find the culprit.
I'm using
mvn --version
Apache Maven 3.0.5
mvn dependency:tree
shows you the effective dependencies, as in where your actual dependencies come from.
mvn dependency:tree -Dverbose
will show you all transitive dependencies, including the reason why they are excluded.
A WAR includes its dependencies inside the archive, that's why Maven does not propagate them transitively to other artifacts depending on the WAR artifact.

Maven Dependency Plugin appendOutput Parameter is Failing?

UPDATE: This issue seems to have resolved itself. I could still produce it on a copy of the source code, but it was a temporary copy that I deleted before realizing I would need it to pin this issue down. I'm continuing to track this and see if I can identify a root cause. If not, I will close the issue.
When I run mvn dependency:list -DoutputFile=/path/to/file.txt -DappendOutput=true from the root directory of a multi-module Maven project, the resultant output file only contains the dependencies of the last module declared in the modules section of the root pom.xml file. Is there something different I need to do to get the output of each submodule to append to the output file?
Configuration:
Maven 3.0.3
maven-dependency-plugin 2.6
When I'm using the following command:
mvn dependency:list -DoutputFile=/path/to/file.txt -DappendOutput=true
The result is invalid, and Maven told me that
[INFO] --- maven-dependency-plugin:2.1:list (default-cli) # ...
Then I change to specify the version
mvn org.apache.maven.plugins:maven-dependency-plugin:2.6:list -DoutputFile=/path/to/file.txt -DappendOutput=true
The result is valid, and Maven told me that
[INFO] --- maven-dependency-plugin:2.6:list (default-cli) # ...
I would suggest you ensure that the executing version is 2.6. Anyhow, I always use the following command:
mvn dependency:list > /path/to/file.txt
IMHO the result is better and clearer for each module, as in the following example:
[INFO] Scanning for projects...
[INFO] -------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO]
[INFO] my-parent
[INFO] my-sub1
[INFO] my-sub2
[INFO]
[INFO] -------------------------------------------------------------------
[INFO] Building my-parent
[INFO] -------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:list (default-cli) # my-parent ---
[INFO]
[INFO] The following files have been resolved:
...
[INFO] -------------------------------------------------------------------
[INFO] Building my-sub1
[INFO] -------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:list (default-cli) # my-sub1 ---
[INFO]
[INFO] The following files have been resolved:
...
[INFO] -------------------------------------------------------------------
[INFO] Building my-sub2
[INFO] -------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:list (default-cli) # my-sub2 ---
[INFO]
[INFO] The following files have been resolved:
...
[INFO]
[INFO] -------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] my-parent ........................................ SUCCESS [0.745s]
[INFO] my-sub1 .......................................... SUCCESS [0.675s]
[INFO] my-sub2 .......................................... SUCCESS [0.671s]
[INFO] -------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] -------------------------------------------------------------------
[INFO] Total time: 2.938s
[INFO] Finished at: Fri Mar 01 17:01:39 ICT 2013
[INFO] Final Memory: 17M/218M
[INFO] -------------------------------------------------------------------
I hope this may help.
Regards,
Charlee Ch.

Maven Modelling Notation

Is there a generally-accepted notation to allow a representation of dependencies, inheritance and module aggregation for Maven Projects?
I haven't spent a lot of time looking, but nothing had immediately jumped out at me.
I've seen the notation used in Sonatype's Complete Reference (eg. Figure 3.5. Enterprise Multi-module vs. Inheritance), but would prefer something that doesn't rely on colour to convey semantics.
I've been using UML-like syntax which shows a project "aggregating" (diamond symbol) the projects listed in its <modules> section, UML inheritance for parent-child relationships and a broken line with an arrow to show dependency.
Are there better ideas out there?
For dependency diagrams, the convention is to use the output of dependency:tree
i.e.
[user:maven-test]$ mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building maven-test 1.0
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:tree (default-cli) # maven-test ---
[INFO] maven-test:maven-test:jar:1.0
[INFO] +- junit:junit:jar:3.8.1:test
[INFO] +- com.sun.jersey:jersey-json:jar:1.9.1:compile
[INFO] | +- org.codehaus.jettison:jettison:jar:1.1:compile
[INFO] | | \- stax:stax-api:jar:1.0.1:compile
[INFO] | +- com.sun.xml.bind:jaxb-impl:jar:2.2.3-1:compile
[INFO] | | \- javax.xml.bind:jaxb-api:jar:2.2.2:compile
[INFO] | | +- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO] | | \- javax.activation:activation:jar:1.1:compile
[INFO] | +- org.codehaus.jackson:jackson-core-asl:jar:1.8.3:compile
[INFO] | +- org.codehaus.jackson:jackson-mapper-asl:jar:1.8.3:compile
[INFO] | +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:compile
[INFO] | +- org.codehaus.jackson:jackson-xc:jar:1.8.3:compile
[INFO] | \- com.sun.jersey:jersey-core:jar:1.9.1:compile
[INFO] +- com.sun.jersey:jersey-server:jar:1.14:compile
[INFO] | \- asm:asm:jar:3.1:compile
[INFO] \- com.sun.jersey:jersey-client:jar:1.14:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
It turns out that this plugin can output to a visual graph.
See: Maven Dependency Plugin - Output type.
If you are using IntelliJ IDEA, it has a built in Maven dependency graph as well.
