Determining source of a (masked version) maven dependency - maven

I had a situation in my project where two dependencies relied on a different version of a jar. Just showing the dependency tree only showed the newer version and where it was used, so I ended up going through the POM files (I had an idea where it might be) to find the source.
My question: is it possible to get a dependency tree that includes these dependencies that were removed (showing why they were removed). I seem to recall the m2eclipse plugin can do it, but I'd prefer a command line tool (since I'm not using eclipse).
edit:
Specifically, I already tried the dependency tree, including running with full debug output (-X). As far as I could tell, it doesn't show when it's masking these dependencies.

Just try the maven-dependency-plugin use the tree goal to look at the tree of dependencies. But it might be a good idea to use Eclipse via m2e plugin for such problems.

Related

How to make optional dependencies mandatory, or visible, with Gradle?

I have a Gradle plugin that needs to install JARs into a local repository before compiling a program (and other things).
To do this, I traverse the dependency tree, installing the leaves of the tree first (dependencies which don't require any other dependencies), so that when a dependency is installed which requires something, that something is already installed and things work.
The problem is that there seems to be no way to get Gradle to show the optional dependencies... if there is a way, then this alone would solve my problem... but supposing there isn't (reading the Gradle code I didn't see anything indicating that could be possible), then I can live with manually adding the dependency in the build file... however, that won't usually work because that causes a broken dependency tree where one of the branches is missing, so my code will try to install a dependency before having that optional dependency installed in the local repo (because Gradle doesn't know and doesn't tell me there's a link there!).
So we're back at square one...
So I really seem to need to be able to see optional dependencies in the dependency graph. Is there any way to achieve that?
EDIT: this is about resolving optional dependencies, which is done by Gradle, it has absolutely nothing to do with order of plugin application, as some SO editor suggested.

Why did a specific jar file get included?

I have a project that uses gradle and mavenCentral() (plus mavenLocal()). It has enough dependencies that I can't go through them one by one.
Given the name of a .jar file in build/install/x/lib, how do I find out the chain of transitive dependencies that caused it to be included?
update: I discovered gradle dependencies. The output shows:
org.apache.commons:commons-jexl:2.1.1
\---- commons-logging:commons-logging:1.1.1 -> 1.1.3
What does this mean? 1.1.1 is the version I expect, and 1.1.3 is the version I seem to actually end up using. Looking at the pom for commons-jexl it looks like it does indeed list logging:1.1.1 as a requirement. What's going on? Is there a way for me to tell it to avoid certain versions, or force it to use the version it was set to?
The problem in my case is that it's including a -SNAPSHOT version and I'd rather it didn't. In fact I probably want it to just use the version numbers I'm asking for instead of the most recent it can find.
Dependencies of gradle-managed project have their own dependencies (they're called transitive). It may happen (and happens quite often) that two different dependencies has the same (group and module) dependency but in the different version). This is the case with commons-logging:commons-logging. In this case there are two transitive dependencies one versioned with 1.1.1 and the second one with 1.1.3. If both of the libraries will be included in the final artifact it may result in a conflict and exception. To prevent such situation gradle tries to resolve mentioned version resolution problems by picking (by default) the latest version. It's indicated with the right arrow -> see here. You can exclude transitive dependencies from a particular dependency. This chapter of manual might be useful.

How can I find the root cause of my never ending maven dependency hell?

I have a maven java project in Eclipse IDE, and it needs to communicate with components on a weblogic server. When I first coded this, it worked without importing too many jars. However, I needed to make my project a part of a bigger assembly, and now my dependency requirements have gone out of control. I am still a little new to maven, and how it integrates with eclipse, but I've found that most of my ClassNotFoundExceptions points to classes that do exist, but with slight variances in path. See image below.
I suspect that I have imported a wrong library somewhere in the beginning of my dependencies, that now seems to be dependent on a great big tree structure of Classes that actually already exist, but with another path, and I'm stuck retrieving each of them individually, when they are already there...
Just look at the image: I have com.sun.xml.internal.bind.marshaller.SAX2DOMEx.class, but not com.sun.xml.bind.marshaller.SAX2DOMEx.class
Am I right in assuming that I am trying to fix symptoms, when I should focus on fixing the cause? If so, how can I retrace my imports, and find the root cause, in other words where I start importing the wrong jar?
#KjetilNordin,
You wrote:
I've found that most of my ClassNotFoundExceptions points to classes that do exist, but with slight variances in path
This suggests that somewhere along the way, one or more of the jars you depend on has 2 conflicting versions, between which the class moved between different packages. Maven's dependency resolution mechanism is resolving the jar to the version where the class sits in a different package from where you expect.
Run mvn dependency:tree on your project to see the entire hierarchy of transitive dependencies organized so you can track what depends on what. You'll likely see your jar come up in multiple locations, and presumably the wrong version is getting precedence in terms of Maven version resolution.
Next decide which version you want to go with.
Finally, add a <dependencyManagement> block in your pom.xml file to force the version to match your desired version.
Hope that helps.

How to run plugin on maven dependency

I'm setting up a (java) maven project that depends on a library (Jettison, among others) that is in the Maven repo. Jettison, in turn, depends on stax. I need to run a tool (Jar Jar Links) on stax (to change the namespace). How do I alter the rules for a transitive dependency in a maven project? My transitive dependencies are being included in my target folder using the copy-dependencies goal (I assume this is how things are usually done). I assume that this is the point where the plugin would be run on the transitively-generated artifact.
Extra question: I don't need this at this point but how would I go about altering the source in the transitive dependency? I can get the jar of the source with mvn dependency:sources but, from there, I'm not sure what the right approach is.
Victory!
Seems at least two people are even more clueless about Maven than me so let me explain what I'm doing before I report the fix at the bottom of this post (spoiler alert: it looks to be a bug in JarJar).
Android uses Java but its missing a lot of the java core (specifically, javax classes). The Android DEX compiler (which converts .jars to Android .dex files) won't even allow you to compile things in the java.* or javax.* namespace because it'll (usually) break stuff. However, in some (many) cases, there are routines that you might want to include -- specifically because they are used by existing libraries. The most legendary is StAX, which is why Google posted an example of how to include it here in the Dalvik repo's wiki. The example uses JarJar... with ant. Transitive dependencies are not really an issue when you aren't using a repo so they are not addressed in the wiki.
I was able to get JarJar to run on my source with Maven but without changing the namespaces in the dependencies (and transitive dependencies), that's worthless. Hence my question.
I thought that the copy-dependencies plugin might be useful for... copying the dependencies and running a transforming plugin in the process. Copying dependencies is mentioned as a step in the official "Maven in 5 minutes" doc so it seemed like a good start but maybe the the people who wrote the official docs don't know how to use it :-) . Either way, it it didn't help -- there is no simple way I could see to transform the jars as it copies.
Using the verbose spew from Maven, I was able to see that Jar Jar was in fact processing my jars properly... and then throwing out the result. It would have packaged the converted classes from the transitive dependencies in my artifact with the rest of my code but, instead, it "Excluded" them. Jar Jar parameters are basically undocumented and most of the tags aren't even listed in the docs but all of the examples I could find use a section with wild-cards that tell it what classes to hold onto. At least I thought (think?) that's what the section is for. Instead, it seems to randomly throw out stuff. Basically, the section is busted. For example, I had:
<keep>
<pattern>com.example.**</pattern>
</keep>
...thinking that this would keep classes that began with com.example. Wrong. It keeps whatever the hell it wants. I tried a million things in that spot until one worked:
<keep>
<pattern>*.**</pattern>
</keep>
This only keeps the classes I wanted -- the classes it updated and the originals of the ones that it didnt touch. Note that ** doesn't even work. This is version 1.8 of the JarJar plugin (the version most poms Ive found use).
Back to work.

Freezing transitive dependencies on maven release to get build fully reproducible

A problem that relates to basic maven concepts:
Once released I would like to have a guarantee that the project build is fully reproducible. So all project and plugin dependencies, including transitive one, should be always resolved the same way.
Unfortunately it is not the case, if dependencies are expressed in terms of version ranges. It can happen that even though direct dependencies of a project are set (using versions:use-releases), the transitive dependencies can still be resolved in some other way in the future.
How to address the problem? Is there a known solution?
I was thinking (just an idea), about creating a plugin, which on release time would dump all dependencies of the project to a separate file, and then once building in the future, the dependencies read from the file would take precedence over the standard way maven uses to resolve dependencies. But I'm afraid that there is no plugin api for that. So it would require some hacking, which I would like to avoid. Is there another way?
Thanks,
Lukasz
Freeze artifacts versions using <dependencyManagement>. Even if you don't use version ranges (as you said), but rather 3rd party libs (your dependencies) do, your <dependencyManagement> will have higher priority in specifying version of any artifacts.
The simple solution is: Do not use version-ranges. This is bad practice cause it will result in the described problems.

Resources