Chris created MENFORCER-434:
-------------------------------

             Summary: Version 3.1.0 is not enforcing bannedDependency rules
                 Key: MENFORCER-434
                 URL: https://issues.apache.org/jira/browse/MENFORCER-434
             Project: Maven Enforcer Plugin
          Issue Type: Bug
    Affects Versions: 3.1.0
            Reporter: Chris


I've been testing rules regarding log4j and have found that the bannedDependencies behave differently between version 3.0.0 and 3.1.0.

My relevant section, where I'm purposely creating a failure case by banning log4j2 versions "3" and less, as well as any log4j 1.x. NOTE: this is using version 3.0.0 of maven-enforcer-plugin.

{code:xml}
      <plugin>
        <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version>
        <executions>
          <execution>
            <id>enforce-versions</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <fail>true</fail>
              <rules>
                <bannedPlugins>
                  <!-- will only display a warning but does not fail the build. -->
                  <level>WARN</level>
                  <excludes>
                    <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
                  </excludes>
                  <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
                </bannedPlugins>
                <bannedDependencies>
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <!--
                       Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html
                             - Ban Log4j less than "3"
                    -->
                    <exclude>org.apache.logging.log4j:*:(,3)</exclude>
                    <exclude>log4j:log4j</exclude>
                  </excludes>
                </bannedDependencies>
                <requireMavenVersion>
                  <version>3.8.2</version>
                </requireMavenVersion>
                <requireJavaVersion>
                  <version>1.8.0-202</version>
                </requireJavaVersion>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
{code}

results in:
{code}
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (enforce-versions) @ xxx-xxxxx-xxx ---
[WARNING] Rule 1: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
Found Banned Dependency: org.apache.logging.log4j:log4j-core:jar:2.19.0
Found Banned Dependency: org.apache.logging.log4j:log4j-jul:jar:2.19.0
Found Banned Dependency: org.apache.logging.log4j:log4j-api:jar:2.19.0
Found Banned Dependency: log4j:log4j:jar:1.2.17
Found Banned Dependency: org.apache.logging.log4j:log4j-slf4j-impl:jar:2.19.0
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.516 s
[INFO] Finished at: 2022-09-30T15:06:57-07:00
[INFO] ------------------------------------------------------------------------
{code}

ONLY changing the version of maven-enforcer-plugin from 3.0.0 to 3.1.0, the rule does not fail.

{code:xml}
      <plugin>
        <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.1.0</version>
        <executions>
          <execution>
            <id>enforce-versions</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <fail>true</fail>
              <rules>
                <bannedPlugins>
                  <!-- will only display a warning but does not fail the build. -->
                  <level>WARN</level>
                  <excludes>
                    <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
                  </excludes>
                  <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
                </bannedPlugins>
                <bannedDependencies>
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <!--
                       Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html
                             - Ban Log4j less than "3"
                    -->
                    <exclude>org.apache.logging.log4j:*:(,3)</exclude>
                    <exclude>log4j:log4j</exclude>
                  </excludes>
                </bannedDependencies>
                <requireMavenVersion>
                  <version>3.8.2</version>
                </requireMavenVersion>
                <requireJavaVersion>
                  <version>1.8.0-202</version>
                </requireJavaVersion>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
{code}
 
{code:java}
[INFO] --- maven-enforcer-plugin:3.1.0:enforce (enforce-versions) @ 
rxn-commons-time ---
[INFO] {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
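Because the report above hinges on whether the plugin actually evaluates the two exclude patterns, an independent check of the same patterns against `mvn dependency:list` output is a useful cross-check while a build is on a plugin version whose bannedDependencies behaviour is in question. The following is an added example, not code from the Jira report or from the Maven Enforcer Plugin itself. It assumes the bannedDependencies pattern format `groupId[:artifactId[:version[:type[:scope[:classifier]]]]]` with `*` wildcards, the `dependency:list` line shape `groupId:artifactId:type[:classifier]:version:scope`, and a simplified numeric version comparison (qualifiers dropped, trailing zeros ignored) that stands in for Maven's ComparableVersion. The dependency list embedded in the script is constructed; the log4j coordinates mirror those named in the report.

```python
"""Offline cross-check of bannedDependencies exclude patterns against a
dependency list. Added example; not the Enforcer plugin's own matching code."""
import fnmatch
import re
from typing import Iterable, List, NamedTuple, Tuple


class Dep(NamedTuple):
    group: str
    artifact: str
    version: str
    packaging: str
    scope: str
    classifier: str


# Constructed sample in the shape `mvn dependency:list` prints.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.19.0:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.19.0:compile
[INFO]    org.apache.logging.log4j:log4j-slf4j-impl:jar:2.19.0:compile
[INFO]    log4j:log4j:jar:1.2.17:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:3.0.0:test
"""

# The two exclude patterns from the report's <bannedDependencies> block.
EXCLUDES = ["org.apache.logging.log4j:*:(,3)", "log4j:log4j"]

DEP_LINE = re.compile(r"^\[INFO\]\s+([\w.\-]+(?::[\w.\-]+){4,5})")
RANGE_SET = re.compile(r"([\[(])([^\])]*)([\])])")


def parse_dependency_list(text: str) -> List[Dep]:
    """Parse `groupId:artifactId:type[:classifier]:version:scope` lines."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) == 5:
            group, artifact, packaging, version, scope = parts
            classifier = ""
        else:
            group, artifact, packaging, classifier, version, scope = parts
        deps.append(Dep(group, artifact, version, packaging, scope, classifier))
    return deps


def version_key(v: str) -> Tuple[int, ...]:
    """Simplified stand-in for Maven's ComparableVersion (assumption of this
    example): keep the leading numeric segments, drop any qualifier, and trim
    trailing zeros so that 3 == 3.0.0."""
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    nums = [int(x) for x in m.group(1).split(".")] if m else [0]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def version_in_spec(version: str, spec: str) -> bool:
    """True if `version` satisfies a Maven version spec such as (,3),
    [1.0,2.0), [1.0], or a union like (,1.0],[1.2,). A bare version without
    brackets is treated as an exact match (simplification)."""
    if not spec:
        return True
    key = version_key(version)
    if spec[0] not in "[(":
        return key == version_key(spec)
    for m in RANGE_SET.finditer(spec):
        lo_br, body, hi_br = m.groups()
        if "," not in body:  # [1.0] pins one version
            if key == version_key(body.strip()):
                return True
            continue
        lo, hi = (s.strip() for s in body.split(",", 1))
        ok = True
        if lo:
            ok = ok and (key > version_key(lo) if lo_br == "(" else key >= version_key(lo))
        if hi:
            ok = ok and (key < version_key(hi) if hi_br == ")" else key <= version_key(hi))
        if ok:
            return True
    return False


def pattern_matches(pattern: str, dep: Dep) -> bool:
    """Match one bannedDependencies pattern; omitted trailing segments match anything."""
    parts = pattern.split(":")
    fields = [dep.group, dep.artifact, None, dep.packaging, dep.scope, dep.classifier]
    for i, pat in enumerate(parts):
        if i == 2:
            if not version_in_spec(dep.version, pat):
                return False
        elif i < len(fields) and not fnmatch.fnmatchcase(fields[i], pat):
            return False
    return True


def find_banned(dependency_list: str, excludes: Iterable[str],
                includes: Iterable[str] = ()) -> List[str]:
    """Coordinates (group:artifact:type:version) matching an exclude and no include,
    formatted like the plugin's 'Found Banned Dependency' lines."""
    excludes, includes = list(excludes), list(includes)
    found = []
    for dep in parse_dependency_list(dependency_list):
        if any(pattern_matches(p, dep) for p in excludes) and \
                not any(pattern_matches(p, dep) for p in includes):
            found.append(f"{dep.group}:{dep.artifact}:{dep.packaging}:{dep.version}")
    return found


if __name__ == "__main__":
    for coord in find_banned(SAMPLE_DEPENDENCY_LIST, EXCLUDES):
        print("Found Banned Dependency:", coord)
```

Run it against real output with `mvn dependency:list` piped into the script (replace `SAMPLE_DEPENDENCY_LIST` with `sys.stdin.read()`); an empty result for a list that plainly contains log4j 2.19.0 coordinates is a reason to distrust the enforcer run, not the list. One known gap of the simplified comparator: pre-release qualifiers are dropped, so `3.0.0-alpha1` compares equal to `3` here, whereas Maven orders it below `3` and `(,3)` would ban it.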
