Chris created MENFORCER-434:
-------------------------------

Summary: Version 3.1.0 is not enforcing bannedDependency rules
Key: MENFORCER-434
URL: https://issues.apache.org/jira/browse/MENFORCER-434
Project: Maven Enforcer Plugin
Issue Type: Bug
Affects Versions: 3.1.0
Reporter: Chris

I've been testing rules regarding log4j and have found that the bannedDependencies behave differently between version 3.0.0 and 3.1.0.

My relevant section, where I'm purposely creating a failure case by banning log4j2 versions "3" and less, as well as any log4j 1.x. NOTE: this is using version 3.0.0 of maven-enforcer-plugin.

{code:xml}
<plugin>
  <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>3.0.0</version>
  <executions>
    <execution>
      <id>enforce-versions</id>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <fail>true</fail>
        <rules>
          <bannedPlugins>
            <!-- will only display a warning but does not fail the build. -->
            <level>WARN</level>
            <excludes>
              <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
            </excludes>
            <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
          </bannedPlugins>
          <bannedDependencies>
            <searchTransitive>true</searchTransitive>
            <excludes>
              <!-- Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html - Ban Log4j less than "3" -->
              <exclude>org.apache.logging.log4j:*:(,3)</exclude>
              <exclude>log4j:log4j</exclude>
            </excludes>
          </bannedDependencies>
          <requireMavenVersion>
            <version>3.8.2</version>
          </requireMavenVersion>
          <requireJavaVersion>
            <version>1.8.0-202</version>
          </requireJavaVersion>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>
{code}

results in:

{code}
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (enforce-versions) @ xxx-xxxxx-xxx ---
[WARNING] Rule 1: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
Found Banned Dependency: org.apache.logging.log4j:log4j-core:jar:2.19.0
Found Banned Dependency: org.apache.logging.log4j:log4j-jul:jar:2.19.0
Found Banned Dependency: org.apache.logging.log4j:log4j-api:jar:2.19.0
Found Banned Dependency: log4j:log4j:jar:1.2.17
Found Banned Dependency: org.apache.logging.log4j:log4j-slf4j-impl:jar:2.19.0
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.516 s
[INFO] Finished at: 2022-09-30T15:06:57-07:00
[INFO] ------------------------------------------------------------------------
{code}

ONLY changing the version of maven-enforcer-plugin from 3.0.0 to 3.1.0, the rule does not fail.

{code:xml}
<plugin>
  <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>3.1.0</version>
  <executions>
    <execution>
      <id>enforce-versions</id>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <fail>true</fail>
        <rules>
          <bannedPlugins>
            <!-- will only display a warning but does not fail the build. -->
            <level>WARN</level>
            <excludes>
              <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
            </excludes>
            <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
          </bannedPlugins>
          <bannedDependencies>
            <searchTransitive>true</searchTransitive>
            <excludes>
              <!-- Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html - Ban Log4j less than "3" -->
              <exclude>org.apache.logging.log4j:*:(,3)</exclude>
              <exclude>log4j:log4j</exclude>
            </excludes>
          </bannedDependencies>
          <requireMavenVersion>
            <version>3.8.2</version>
          </requireMavenVersion>
          <requireJavaVersion>
            <version>1.8.0-202</version>
          </requireJavaVersion>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>
{code}

{code}
[INFO] --- maven-enforcer-plugin:3.1.0:enforce (enforce-versions) @ rxn-commons-time ---
[INFO]
{code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
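An independent cross-check of the exclude patterns above against the coordinates the 3.0.0 run reported, as an added example that is not part of the issue or of the Maven Enforcer Plugin's own code. It implements only a simplified subset of the enforcer pattern syntax (groupId:artifactId[:versionRange], `*` wildcards, bracket ranges such as `(,3)`, numeric-only version comparison, bare versions matched exactly); these simplifications and the extra slf4j coordinate are assumptions, so it is a way to notice a silent rule regression, not a replacement for the plugin.

```python
import re
from fnmatch import fnmatchcase

# Coordinates copied from the 3.0.0 output in the report (groupId:artifactId:type:version),
# plus one constructed non-log4j entry that must not be flagged.
RESOLVED = [
    "org.apache.logging.log4j:log4j-core:jar:2.19.0",
    "org.apache.logging.log4j:log4j-jul:jar:2.19.0",
    "org.apache.logging.log4j:log4j-api:jar:2.19.0",
    "log4j:log4j:jar:1.2.17",
    "org.apache.logging.log4j:log4j-slf4j-impl:jar:2.19.0",
    "org.slf4j:slf4j-api:jar:1.7.36",  # constructed
]

# The two <exclude> patterns from the reporter's configuration.
EXCLUDES = ["org.apache.logging.log4j:*:(,3)", "log4j:log4j"]


def version_key(v):
    """'2.19.0' -> (2, 19, 0). Simplified: ignores qualifiers such as -SNAPSHOT."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def in_range(version, spec):
    """Evaluate one Maven-style range, e.g. (,3) or [1.0,2.0); a bare version matches exactly."""
    m = re.fullmatch(r"\s*([\[(])([^,]*),([^\])]*)([\])])\s*", spec)
    if not m:
        return version_key(version) == version_key(spec)
    lo_br, lo, hi, hi_br = (s.strip() for s in m.groups())
    key = version_key(version)
    if lo and (key < version_key(lo) or (lo_br == "(" and key == version_key(lo))):
        return False
    if hi and (key > version_key(hi) or (hi_br == ")" and key == version_key(hi))):
        return False
    return True


def banned(coordinates, excludes):
    """Return every coordinate matched by at least one exclude pattern."""
    hits = []
    for coord in coordinates:
        group, artifact, _type, version = coord.split(":")
        for pattern in excludes:
            parts = pattern.split(":")
            g_pat = parts[0]
            a_pat = parts[1] if len(parts) > 1 else "*"
            v_spec = parts[2] if len(parts) > 2 else None  # no range: every version is banned
            if not (fnmatchcase(group, g_pat) and fnmatchcase(artifact, a_pat)):
                continue
            if v_spec is None or in_range(version, v_spec):
                hits.append(coord)
                break
    return hits


if __name__ == "__main__":
    for hit in banned(RESOLVED, EXCLUDES):
        print("Found Banned Dependency:", hit)
```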