I am using Maven 3.0.5 and I have the following in pom.xml
<dependency>
<groupId>antlr</groupId>
<artifactId>antlr</artifactId>
<version>2.7.7</version>
<scope>runtime</scope>
<exclusions>
<exclusion>
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
</exclusion>
<exclusion>
<groupId>xml-apis</groupId>
<artifactId>xml-apis</artifactId>
</exclusion>
<exclusion>
<groupId>janino</groupId>
<artifactId>janino</artifactId>
</exclusion>
</exclusions>
</dependency>
When I build war using mvn install, I can see that in war file xml-apis-1.0.b2.jar is also included although I have put xml-apis in exclusion list.
Why artifactId which is mentioned in exclusions is part of war file?
How can I make sure that xml-apis-1.0.b2.jar is not part of war the file?
Any help is highly appreciable.
Looking at maven dependency description in maven repo, I do not see any transitive dependency for antlr.
So this means the retrieved dependencies for xml-apis is coming from some other dependency in your project. Please check if this is the case.
Related
in my project, I am using monitoring-interceptors dependency from io.confluent version 7.2.2. This particular jar is using google protobuf jar but that is some old jar and it is not passing Aqua scan. I am trying to remove this protobuf jar from like below:
<dependency>
<groupId>io.confluent</groupId>
<artifactId>monitoring-interceptors</artifactId>
<version>7.2.2</version>
<scope>runtime</scope>
<exclusions>
<exclusion>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
</exclusion>
<exclusion>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java-util</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
<version>4.0.0-rc-2</version>
</dependency>
But my Aqua scan is still showing older version of protobuf jar coming from monitoring-interceptors-7.2.2 jar.
I tried to put above portion in dependency management tag also but it still not working. Any idea how to make it work?
I'd like to know if there is a way to exclude sdk-s3 just one time. I want to do it because I don't use it and also maven for some reason, starts downloading all the sdk-s3 versions and takes a long time to finish.
Is there a way to exlude this dependecy globally? Thanks
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-sqs</artifactId>
<version>1.11.591</version>
<exclusions>
<exclusion>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-s3</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-sts</artifactId>
<version>1.11.591</version>
<exclusions>
<exclusion>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-s3</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-core</artifactId>
<version>1.11.591</version>
<exclusions>
<exclusion>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-s3</artifactId>
</exclusion>
</exclusions>
</dependency>
There is no real way to exclude a dependency globally. You can set the scope of the dependency to provided in <dependencyManagement>. This makes sure that the dependency will not be included in the resulting war or ear. It will still be on the compile classpath, though. You could also use the scope test for that.
This scope based approach is of course not what the developers of Maven intended.
Note furthermore, that Maven downloads dependencies only once and caches them in the local repository afterwards. If you want to avoid to have multiple versions, you can fix one version in the <dependencyManagement>.
As #JF Meier said, there is no real way to exclude it from all the transitive dependencies.
If the problem is that it's causing a conflict with another version of the same dependency, you override this, but explicitly defining the dependency with the version that you're interested in. This way, as it will be higher in the hierarchy, you can override all the transitive dependencies from where it's coming.
I have the following in my pom
<dependency>
<groupId>org.codehaus.groovy</groupId>
<artifactId>groovy-all</artifactId>
<version>2.4.3</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.spockframework</groupId>
<artifactId>spock-core</artifactId>
<version>1.0-groovy-2.4</version>
<scope>test</scope>
<exclusions>
<exclusion>
<artifactId>org.codehaus.groovy</artifactId>
<groupId>groovy-all</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.spockframework</groupId>
<artifactId>spock-spring</artifactId>
<version>1.0-groovy-2.4</version>
<scope>test</scope>
<exclusions>
<exclusion>
<artifactId>org.codehaus.groovy</artifactId>
<groupId>groovy-all</groupId>
</exclusion>
</exclusions>
</dependency>
Basically, I want to force my second and third dependencies to use the version of groovy-all that I'm setting in my first dependency. Is there a better way to do this than setting an exclusion on each of them?
Since as a first dependency you're explicitly defining a version of the groovy-all dependency, this will override the version of this dependency for all transitive dependencies needing this exact dependency. Hence, you won't have to define explicit exclusions.
To validate this, you can run the following before and after the change:
mvn dependency:tree -Dverbose
And compare the output.
Fix is to lock down the version, either via a direct dependency, or a dependency-management section.
Is it possible that my pom.xml adds by himself dependencies and exclusions ?
For example : almost this part was been added automatically !!
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml</artifactId>
<version>2.6.0</version>
<exclusions>
<exclusion>
<groupId>org.apache.xerces</groupId>
<artifactId>xercesImpl</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
<version>2.10.0</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
<version>1.0.13</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.0.13</version>
</dependency>
Any idea ? thanks
I think the answer of my question is that IDEA IntelliJ is adding the dependencies to my pom.xml.
Intellij asked me in the past to authorize it to update the dependencies automatically and I've agreed.
So thanks to every one helped me :)
Maven has a feature called 'Transitive Dependencies'. When an application has a dependency that has it's own dependencies, Maven will add those dependencies to your project automatically. You can read more about transitive dependencies on the Maven website here.
I just started using maven ant task, and one issue I found today was, when the pom contains wildward exclusion, seems the artifacts won’t be excluded.
My script snippet below:
Ant:
<artifact:dependencies filesetId="ls.jar.all">
<pom file="ls-jar-all.pom.xml" />
</artifact:dependencies>
Ls-jar-all.pom.xml:
<dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-bundle</artifactId>
<version>2.1</version>
<exclusions>
<exclusion>
<groupId>org.apache.abdera</groupId>
<artifactId>*</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.geronimo.specs</groupId>
<artifactId>*</artifactId>
</exclusion>
</exclusions>
</dependency>
While changing wildcard to individual artifactIds, the exclusion works. (the wildward pom works when using maven)
Any suggestions, thanks