[
https://issues.apache.org/jira/browse/MRESOLVER-270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17585578#comment-17585578
]
Tamás Cservenák commented on MRESOLVER-270:
-------------------------------------------
Something is fishy, and need to look more, but here is where am so far:
* modifed MNG-7529 IT to run with 3.8.6, it FAILS as expected
* then changed settings.xml of IT, by simply reordering repository definitions
(so made it maven-core-it-repo, maven-core-it-snapshors), and it PASSED
* This happens as two reposes (intentionally or unintentionally, unsure about
the real intent here) contains same versions (just like this issue above, uses
same URL, the MNG-7529 IT uses same remote repositories
* hence, the two repositories with return SAME SET of versions
* if you look at related commit
[https://github.com/apache/maven/commit/ce4579108d653be2ab7eab43be7d5951151dae5b]
it had this line:
{noformat}
!versionIndex.containsKey( version ) {noformat}
that was prepended by commit with "isEnabled...". In short, this means FIRST
REPO WINS.
* having said all this above, IMHO it is in spirit of Maven, as you have same
versions in your both remote repositories, you ordered them as such, and for
Maven "first repo wins"...
So far IMHO Maven behaves. Now, am still interested in intent here, as as I
wrote above, this issue can be circumvented in build.
> Maven resolver makes bad repository choices when resolving version ranges
> -------------------------------------------------------------------------
>
> Key: MRESOLVER-270
> URL: https://issues.apache.org/jira/browse/MRESOLVER-270
> Project: Maven Resolver
> Issue Type: Bug
> Components: Resolver
> Affects Versions: 1.6.3
> Reporter: Henning Schmiedehausen
> Priority: Major
>
> This also affects the maven-resolver-provider which is part of Maven core. I
> still file the bug here because it is easier to explain.
> I have a repository setup like this:
> {quote} <profiles>
> <profile>
> <id>repo</id>
> <repositories>
> <repository>
> <id>snapshots</id>
> <url>[https://.../maven-public/]</url>
> <releases>
> <enabled>false</enabled>
> <updatePolicy>never</updatePolicy>
> <checksumPolicy>warn</checksumPolicy>
> </releases>
> <snapshots>
> <enabled>true</enabled>
> <updatePolicy>interval:180</updatePolicy>
> <checksumPolicy>fail</checksumPolicy>
> </snapshots>
> <layout>default</layout>
> </repository>
> <repository>
> <id>central</id>
> <url>[https://...|https://.../]/maven-public/</url>
> <releases>
> <enabled>true</enabled>
> <updatePolicy>never</updatePolicy>
> <checksumPolicy>warn</checksumPolicy>
> </releases>
> <snapshots>
> <enabled>false</enabled>
> <updatePolicy>interval:180</updatePolicy>
> <checksumPolicy>fail</checksumPolicy>
> </snapshots>
> <layout>default</layout>
> </repository>
> </repositories>
> {quote}
>
> Maven is trying to resolve the metadata from this component:
> [https://repo1.maven.org/maven2/com/googlecode/owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/owasp-java-html-sanitizer-20220608.1.pom]
> which contains (after resolution):
>
> {quote}<dependency>
> <groupId>com.google.code.findbugs</groupId>
> <artifactId>jsr305</artifactId>
> <version>[2.0.1,)</version>
> <scope>provided</scope>
> </dependency>
> {quote}
> {quote}<dependency>
> <groupId>com.google.code.findbugs</groupId>
> <artifactId>annotations</artifactId>
> <version>[2.0.1,)</version>
> <scope>provided</scope>
> </dependency>
>
> {quote}
>
> what happens now is that maven uses the DefaultVersionRangeResolver, which
> contains this line:
> {quote}{{Metadata metadata = new DefaultMetadata(
> request.getArtifact().getGroupId(), request.getArtifact().getArtifactId(),
> MAVEN_METADATA_XML, Metadata.Nature.RELEASE_OR_SNAPSHOT );}}
> {quote}
> So it tries to resolve the dependency range against all the repositories.
> By searching for "Nature.RELEASE_OR_SNAPSHOT", both configured repositories
> (snapshot and central) are eligible and selected. And by the order, the
> snapshot repository is chosen first.
> Because both remote repositories map to the same local repository, the
> following version check in lines 210 - 231 iterates over the local versions
> and finds the matching version in the "snapshots" repository.
> All of this code is called from the ProjectDependenciesResolver (which is
> injected into a mojo as a component), when calling resolve() on a
> DependencyResolutionRequest for this specific component
> (com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:bundle:20220608.1).
> It results in the following (slightly obscure) error message:
> {quote}Could not resolve dependencies for project
> com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:bundle:20220608.1:
> The following artifacts could not be resolved:
> com.google.code.findbugs:jsr305:jar:3.0.2,
> com.google.code.findbugs:annotations:jar:3.0.1u2: Could not find artifact
> com.google.code.findbugs:jsr305:jar:3.0.2
> {quote}
> However, that artifact is clearly present both in the local and remote
> repository.
>
> What happens is that the ProjectDependenciesResolver tries to resolve the
> (release) artifact om.google.code.findbugs:jsr305:jar:3.0.2 against the
> resolved repository (which is a snapshot only repository) and that repository
> rightfully refuses to resolve it. Hence the error message.
> I can fix this (which confirms this behavior) by removing the snapshot
> repository from the maven_settings.xml and enable snapshots for the "central"
> repository.
>
> Expected resolution: The DefaultVersionRangeResolver will not select the
> "first repository that contains the version" but looks at snapshot/release
> enabled and choose based on that information.
> I might find time to whip up a bug fix.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
