Develop Reference

Maven Dependency Management is importing wrong version

I am cloning project to import a 7.13 version dependency as depicted here. As you can see, the camunda-webapp: 7.11.0 (managed from 7.13.0) is creeping in. This is causing some ClassNotFoundExceptions since I need camunda-webapp: 7.13.0 which IS happening correctly in a diff project I dont own. I did a lot of digging and exclusions but I'm not able to figure out where is this whole 7.11.0 (managed from 7.13.0) is even coming from.
How can i force this project to use 7.13.0 throughout?
However, In another project importing 7.13 imports the transitive 7.13 correctly.
EDIT - Updating the POM here to triage the fix:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.camunda.bpm.getstarted</groupId>
<artifactId>camunda-ctil-cockpit</artifactId>
<version>0.0.1-SNAPSHOT</version>
<properties>
<camunda.spring-boot.version>7.13.0</camunda.spring-boot.version>
<spring-boot.version>2.3.9.RELEASE</spring-boot.version>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
<capitalone.camunda.plugin.version>1.5</capitalone.camunda.plugin.version>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>${spring-boot.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>com.capitalone.camunda.plugins</groupId>
<artifactId>plugin-dependencies</artifactId>
<version>${capitalone.camunda.plugin.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.camunda.bpm.springboot</groupId>
<artifactId>camunda-bpm-spring-boot-starter-webapp</artifactId>
<version>${camunda.spring-boot.version}</version>
<exclusions>
<exclusion>
<groupId>org.camunda.bpm.webapp</groupId>
<artifactId>camunda-webapp-webjar</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.camunda.bpm.springboot</groupId>
<artifactId>camunda-bpm-spring-boot-starter-rest</artifactId>
<version>${camunda.spring-boot.version}</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<dependency>
<groupId>com.sun.xml.bind</groupId>
<artifactId>jaxb-impl</artifactId>
<version>2.2.3</version>
</dependency>
<dependency>
<groupId>com.capitalone.camunda.plugins</groupId>
<artifactId>capitalone-uioverlay</artifactId>
<exclusions>
<exclusion>
<groupId>org.camunda.bpm.webapp</groupId>
<artifactId>camunda-webapp</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.capitalone.camunda.plugins</groupId>
<artifactId>spring-plugin-commons</artifactId>
</dependency>
<dependency>
<groupId>com.capitalone.camunda.plugins</groupId>
<artifactId>custom-engine-types</artifactId>
<exclusions>
<exclusion>
<groupId>org.camunda.bpm.webapp</groupId>
<artifactId>camunda-webapp</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.capitalone.camunda.plugins</groupId>
<artifactId>common-cockpit-extensions</artifactId>
<exclusions>
<exclusion>
<groupId>org.camunda.bpm.webapp</groupId>
<artifactId>camunda-webapp</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.camunda.bpm.identity</groupId>
<artifactId>camunda-identity-ldap</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.2</version>
</dependency>
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>2.6</version>
</dependency>
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<version>${spring-boot.version}</version>
<configuration>
<layout>ZIP</layout>
</configuration>
<executions>
<execution>
<goals>
<goal>repackage</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
<finalName>camunda-ctil-cockpit</finalName>
</build>
</project>
However this results still in. As you can see 7.11 is still there. If I exclude 7.11 completely, the camunda-webapp.jar completely disappears. Was hoping 7.13 would get popped in. Also camunda-webapp-webjar is completely removed, comparing to the screenshots above :

First change the property value of
<camunda.spring-boot.version>3.2.0</camunda.spring-boot.version>
to 7.13.0
See e.g. https://start.camunda.com/
If the issue persists the the plugin jars define their own versions, not driven by the BOM:
You shared the main project POM including the engine and webapps, but the unwanted dependency is coming in as a dependency of your custom com.capitalone.* jars, as the screenshot of the dependency tree shows. camunda-webapp:7.11.0 is a dependency which is pulled in by
1)
<dependency>
<groupId>com.capitalone.camunda.plugins</groupId>
<artifactId>capitalone-uioverlay</artifactId>
</dependency>
2)
<dependency>
<groupId>com.capitalone.camunda.plugins</groupId>
<artifactId>custom-engine-types</artifactId>
</dependency>
3)
<dependency>
<groupId>com.capitalone.camunda.plugins</groupId>
<artifactId>common-cockpit-extensions</artifactId>
</dependency>
A) If possible update the POMs of those projects and run a mvn clean install on them
B) If you have no control over these projects then you can also add exclusions to the dependency tags listed above (as the jar is already included in the main project). However, this would mean your plugin jars running with another jar version than they have been compiled against. It is not a good practice and may cause issue if compatibility changed.
On a different note:
"Please note that we updated the frontend plugin interface with Camunda Platform Runtime 7.14. Plugins written for Camunda Platform Runtime 7.13 and earlier might no longer work with Camunda Platform Runtime 7.14. Checkout the update guide for more details." https://docs.camunda.org/manual/latest/webapps/cockpit/extend/plugins/

How to lock version Dependency/Plugin with Maven archetype

I'm currently working on how to fix version of dependencies and plugins with maven archetype. Here is how my archetype-resources/pom.xml look like.
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>${spring-version}</version>
The archetype-metadata.xml look like that:
<requiredProperties>
<requiredProperty key="spring-version">
<defaultValue>2.1.5.RELEASE</defaultValue>
</requiredProperty>
</requiredProperties>
Then i added the property to the archetype.properties file
spring-version=2.1.5.RELEASE
When I create an project from this archetype it will correctly show the 2.1.5.RELEASE version.
However this method seems not the best when you have a lot more dependencies or it is not the proper manner on how to lock version?

from https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
Dependency Management
The dependency management section is a mechanism for centralizing dependency information. When you have a set of projects that inherits a common parent it's possible to put all information about the dependency in the common POM and have simpler references to the artifacts in the child POMs. The mechanism is best illustrated through some examples. Given these two POMs which extend the same parent:
Project A:
<project>
...
<dependencies>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-a</artifactId>
<version>1.0</version>
<exclusions>
<exclusion>
<groupId>group-c</groupId>
<artifactId>excluded-artifact</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-b</artifactId>
<version>1.0</version>
<type>bar</type>
<scope>runtime</scope>
</dependency>
</dependencies>
</project>
Project B:
<project>
...
<dependencies>
<dependency>
<groupId>group-c</groupId>
<artifactId>artifact-b</artifactId>
<version>1.0</version>
<type>war</type>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-b</artifactId>
<version>1.0</version>
<type>bar</type>
<scope>runtime</scope>
</dependency>
</dependencies>
</project>
These two example POMs share a common dependency and each has one non-trivial dependency. This information can be put in the parent POM like this:
<project>
...
<dependencyManagement>
<dependencies>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-a</artifactId>
<version>1.0</version>
<exclusions>
<exclusion>
<groupId>group-c</groupId>
<artifactId>excluded-artifact</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>group-c</groupId>
<artifactId>artifact-b</artifactId>
<version>1.0</version>
<type>war</type>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-b</artifactId>
<version>1.0</version>
<type>bar</type>
<scope>runtime</scope>
</dependency>
</dependencies>
</dependencyManagement>
</project>
Then the two child poms become much simpler:
<project>
...
<dependencies>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-a</artifactId>
</dependency>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-b</artifactId>
<!-- This is not a jar dependency, so we must specify type. -->
<type>bar</type>
</dependency>
</dependencies>
</project>
<project>
...
<dependencies>
<dependency>
<groupId>group-c</groupId>
<artifactId>artifact-b</artifactId>
<!-- This is not a jar dependency, so we must specify type. -->
<type>war</type>
</dependency>
<dependency>
<groupId>group-a</groupId>
<artifactId>artifact-b</artifactId>
<!-- This is not a jar dependency, so we must specify type. -->
<type>bar</type>
</dependency>
</dependencies>
</project>
you can do this also for plugins with
What is pluginManagement in Maven's pom.xml?

Maven Dependency version resolution issue

I'm hitting a problem that confusing me and confounding my understanding of Maven.
I'm using a multi-module project with the structure
root
|_ db/pom.xml
|_ server/pom.xml
The server pom.xml references the db pom.xml. In db/pom.xml I've defined
<dependency>
<groupId>com.zaxxer</groupId>
<artifactId>HikariCP</artifactId>
<version>3.2.0</version>
</dependency>
with the expectation that it'll be inherited by the server. But I'm seeing the server tests complain about a missing method. Sure enough when I use
mvn dependency:tree -Dverbose -Dincludes=com.zaxxer:HikariCP compile
I notice the following.
[INFO] server:war:2.0-SNAPSHOT
[INFO] \- db:jar:2.0-SNAPSHOT:compile
[INFO] \- com.zaxxer:HikariCP:jar:2.5.1:compile (version managed from 3.2.0)
So 2.5.1 is being used for the tests instead of 3.2.0. That explains the complaint about the missing method.
But I'm having trouble identifying where that dependency is coming from? My best guess is that it's coming from starter type of pom.xml that defines it in the test scope.
Any suggestions on how I can identify where this version is defined? I've googled but have not come across a solution.
Working past this issue I decided to also define the following in db
<dependency>
<groupId>com.zaxxer</groupId>
<artifactId>HikariCP</artifactId>
<version>3.2.0</version>
<scope>test</scope>
</dependency>
Meaning I've two definitions of HikariCP in the db pom.xml. Now when I run dependency:tree there are no references to 2.5.1. But... if I try
mvn verify
I get an error in the db
DBConfig.java:[17,25] package com.zaxxer.hikari does not exist
What's going on here?
My expectations are:
The compile scope defined in db should override/win the test scope defined elsewhere (though I can see why that might not be desired)
Defining a compile and test version of HikariCP should not result in a package cannot be found error
---- Updated with requested info ----
db/pom.xml
<modelVersion>4.0.0</modelVersion>
<artifactId>db</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>jar</packaging>
<parent>
<groupId>my.group</groupId>
<artifactId>root</artifactId>
<version>1.0-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<version>42.2.2</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<dependency>
<groupId>javax.inject</groupId>
<artifactId>javax.inject</artifactId>
</dependency>
<dependency>
<groupId>com.zaxxer</groupId>
<artifactId>HikariCP</artifactId>
<version>3.2.0</version>
</dependency>
</dependencies>
server/pom.xml
<modelVersion>4.0.0</modelVersion>
<artifactId>server</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>war</packaging>
<parent>
<groupId>my.group</groupId>
<artifactId>root</artifactId>
<version>1.0-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-configuration-processor</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-contract-stub-runner</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.jayway.restassured</groupId>
<artifactId>rest-assured</artifactId>
<version>2.9.0</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>my.group</groupId>
<artifactId>db</artifactId>
<version>${project.version}</version>
</dependency>
</dependencies>
The root pom.xml defines no dependencies. But it's parent defines common versions for TPLs, etc that'd be too verbose to list here.
I've also found where hikaricp version 2.5.1 is defined. It's in spring-boot-dependencies. That's likely being introduced by the server's spring-boot-starter-tomcat. But it could also come in through the db's spring-boot-starter-jdbc.
I'll also note that there is no problem if I also define the HikariCP dependency in the server pom.xml.

How to use JUnit 5.2 BOM in Maven dependency?

According to the newly released v. 5.2 of JUnit, there is now a BOM:
JUnit BOM: To ease dependency management using Maven or Gradle, a Bill of Materials POM is now provided under the org.junit:junit-bom:5.2.0 Maven coordinates.
As a starting point, currently my POM looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.bosspanda.tmp</groupId>
<version>0.1-SNAPSHOT</version>
<artifactId>tmp</artifactId>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<maven.compiler.source>10</maven.compiler.source>
<maven.compiler.target>10</maven.compiler.target>
<java.version>10</java.version>
<junit.version>4.12</junit.version>
<junit.jupiter.version>5.2.0</junit.jupiter.version>
<junit.vintage.version>5.2.0</junit.vintage.version>
<junit.platform.version>1.2.0</junit.platform.version>
</properties>
<dependencies>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-api</artifactId>
<version>${junit.jupiter.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-engine</artifactId>
<version>${junit.jupiter.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-params</artifactId>
<version>${junit.jupiter.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
<version>${junit.vintage.version}</version>
<scope>test</scope>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>${junit.version}</version>
<scope>test</scope>
</dependency>
</dependencies>
</project>
If I understand this BOM release note above correctly, it is a simplification of this junit <dependency> tags into a single BOM dependency.
However, I have stark troubles integrating it into my project's pom.xml. After having a look at the linked resource (https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Importing_Dependencies) I came to the conclusion that I have to replace the distinct dependencies with a single:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.junit</groupId>
<artifactId>junit-bom</artifactId>
<version>5.2.0</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
But with this in place IntelliJ IDEA (v. 2018.1.3 Ultimate x64, Maven v. 3.5.3, target JDK 10.0.1) does not seem to know what the <dependencyManagement> tag is and does not parse its content. No modules are registered in the project structure.
But also if I remove the <dependencyManagement> tag, the BOM does not get loaded by IDEA.
I also tried adding the maven coordinates of the BOM via IDEA by using the maven plugin, but while it finds the distinct junit packages, it does not find the BOM and cannot download anything from org.junit:junit-bom:5.2.0
How do I add this BOM file to my pom dependency?
Thank you!

Referencing a bom file under <dependencyManagement><dependencies> only manages versions to be compatible. You still need to declare all needed dependencies under <dependencies> but without <version>. Thats how Maven bom references work. IntelliJ can handle them that way too.

The following worked for me using surefire.plugin.version 2.22.2
junit-jupiter artifact brings in all other necessary artifacts, individual direct dependencies are not needed in this case.
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.junit</groupId>
<artifactId>junit-bom</artifactId>
<version>5.5.2</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter</artifactId>
<scope>test</scope>
</dependency>
<!--Optional: Supports running Junit4 along with Junit5 -->
<dependency>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
<scope>test</scope>
</dependency>
</dependencies>

Why does my project always try to download the latest spring-beans 3.2.*.RELEASE artefact

I have a spring MVC web application that has the following spring dependencies:
spring-aop-3.2.1.RELEASE
spring-beans-3.2.1.RELEASE
spring-context-support-3.2.1.RELEASE
spring-context-3.2.1.RELEASE
spring-core-3.2.1.RELEASE
spring-expression-3.2.1.RELEASE
spring-jdbc-3.2.1.RELEASE
spring-jms-3.2.1.RELEASE
spring-orm-3.2.1.RELEASE
spring-test-3.2.1.RELEASE
spring-tx-3.2.1.RELEASE
spring-web-3.2.1.RELEASE
spring-webmvc-3.2.1.RELEASE
spring-aspects-3.2.1.RELEASE
spring-spring-security-core-3.2.0.RELEASE
spring-security-web-3.2.0.RELEASE
spring-security-config-3.2.0.RELEASE
spring-security-taglibs-3.2.0.RELEASE
My question is that when i build using mvn clean install does it try and download spring-beans-3.2.10.RELEASE. I am assuming one of my dependencies is dragging it in but not sure which.
Any help would be greatly appreciated.
Thanks in advance.

You can define your dependencies in the <dependencyManagement> section of POM. The versions that you define in <dependencyManagement> will apply not only to the dependencies that you mention in the top-level <dependencies> section, but also to their transitive dependencies.
For example:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>3.2.1.RELEASE</version>
</dependency>
...
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
</dependency>
...
</dependencies>
These fragments will make sure that Maven uses only version 3.2.1.RELEASE. (Note that there are no <version> in the second section.)
If you still want to find out where that dependency comes from, and if you use Eclipse, open your pom.xml and have a look at the Dependency Hierarchy tab. If necessary, you can double-click on dependencies there: it will open the dependency's own pom.xml where you can research transitive dependencies further.

You can solve your proble in the following way:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.1.0.BUILD-SNAPSHOT</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
</dependency>
<dependencies>
and then you can manage your dependency without worry of single version number. In this way all spring dependencies will have the same 4.1.0.BUILD-SNAPSHOT version