Hi,

I'm not sure if I understand your problem correctly, because based on the
copy-dependencies goal as stated in the docs:

"Goal that copies the project dependencies from the repository to a
defined location."

it copies as stated...

The question is what you expect to be copied and furthermore the
more important question: Why do you need to copy those parts?

It would also be very helpful to have a full pom file of that project or
maybe a link to a github project (or alike)?

Another point is: do you use the most recent version of all plugins in
your build?


Kind regards
Karl Heinz Marbaise

On 24.06.24 17:31, Robert Turner wrote:
(Note I had originally sent this on Feb 14, but I think it never got posted
to the mailing list -- likely because I forgot to subscribe first -- as
such, some of the version information may not be "current" as of today).

All:

I'm looking into an issue where we had an old package [1] flagged by
security tooling as being present on our build servers in the Maven
repository (~/.m2/repository). After a bit of digging, I managed to narrow
down where it came from and when it got fetched, and I can reproduce in a
pretty narrow use case as well.

We have a library (jar) that gets built for the purposes of a REST API.
This package was generated with some automated tooling, but has been
hand-tweaked. However, the specifics of the package do not seem to be that
important (other than the tools it uses). The specific plugin with the
transitive dependency to the offending package [1] is
"maven-javadoc-plugin" (which likely needs some updates of dependencies,
etc, in particular maven-reporting-xxxx which seem to be the ones that are
older).

During our build process, "maven-dependency-plugin" is used with the goal
"copy-dependencies" to copy runtime artifacts to the output directory
(target/lib) [2]. It does this, and copies in about 15 or so files as
expected. [3] None of these files are the "offending" package being flagged
by the security tools.

However, if you clean your Maven repository (rm -rf ~/.m2/repository), and
run either the build up to and including the dependency copying (e.g. mvn
package) [3], or just run "mvn dependency:tree" [4], the offending package
gets copied into the local Maven repository (~/.m2/repository).


So, my questions are:

a) Why does maven-dependency-plugin fetch absolutely everything regardless
of how far it actually needs to traverse the tree to do the task it's
performing? (or does it really need to traverse the whole tree?)

b) Is there a way to stop this behaviour without either removing the
dependency (maven-javadoc-plugin) with the offending dependency [1] from
the project, or not using "maven-dependency-plugin"? I have tried some
exclusion methods documented for the goals, but they do not seem to change
the fetching / tree traversal behaviour.


Thanks,

Robert



== References / Details ==

[1] log4j:log4j:1.2.12


[2]
<plugin>
    <artifactId>maven-dependency-plugin</artifactId>
    <version>3.6.1</version>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>copy-dependencies</goal>
            </goals>
            <configuration>
                <outputDirectory>${project.build.directory}/lib</outputDirectory>
            </configuration>
        </execution>
    </executions>
</plugin>


[3]
$ rm -rf ~/.m2/repository
$ mvn package
09:26:55.703 [INFO] Scanning for projects...
09:26:55.726 [INFO]

...snip...

09:27:14.083 [INFO]
09:27:14.083 [INFO] --- dependency:3.6.1:copy-dependencies (default) @ <name-withheld> ---
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/doxia/doxia-sink-api/1.11.1/doxia-sink-api-1.11.1.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/doxia/doxia-sink-api/1.11.1/doxia-sink-api-1.11.1.pom (1.6 kB at 27 kB/s)

...snip...

Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 2.1 kB/s)

...snip...

Downloaded from central: https://repo.maven.apache.org/maven2/com/github/luben/zstd-jni/1.5.5-5/zstd-jni-1.5.5-5.jar (5.9 MB at 3.7 MB/s)
09:27:28.043 [INFO] com.google.code.findbugs:jsr305:jar:3.0.2 already exists in destination.
09:27:28.043 [INFO] org.apache.httpcomponents.client5:httpclient5:jar:5.2.1 already exists in destination.
09:27:28.043 [INFO] org.apache.httpcomponents.core5:httpcore5:jar:5.2 already exists in destination.
09:27:28.043 [INFO] org.apache.httpcomponents.core5:httpcore5-h2:jar:5.2 already exists in destination.
09:27:28.043 [INFO] org.slf4j:slf4j-api:jar:1.7.36 already exists in destination.
09:27:28.043 [INFO] com.fasterxml.jackson.core:jackson-core:jar:2.15.2 already exists in destination.
09:27:28.043 [INFO] com.fasterxml.jackson.core:jackson-annotations:jar:2.15.2 already exists in destination.
09:27:28.043 [INFO] com.fasterxml.jackson.core:jackson-databind:jar:2.15.2 already exists in destination.
09:27:28.043 [INFO] com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.15.2 already exists in destination.
09:27:28.043 [INFO] com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.15.2 already exists in destination.
09:27:28.043 [INFO] com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.15.2 already exists in destination.
09:27:28.043 [INFO] jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3 already exists in destination.
09:27:28.043 [INFO] jakarta.activation:jakarta.activation-api:jar:1.2.2 already exists in destination.
09:27:28.043 [INFO] com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.15.2 already exists in destination.
09:27:28.043 [INFO] jakarta.annotation:jakarta.annotation-api:jar:1.3.5 already exists in destination.
09:27:28.043 [INFO] junit:junit:jar:4.13.2 already exists in destination.
09:27:28.043 [INFO] org.hamcrest:hamcrest-core:jar:1.3 already exists in destination.
09:27:28.043 [INFO]

...snip...


[4]
$ rm -rf ~/.m2/repository
$ mvn dependency:tree
09:24:23.287 [INFO] Scanning for projects...
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-compiler-plugin/3.12.1/maven-compiler-plugin-3.12.1.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-compiler-plugin/3.12.1/maven-compiler-plugin-3.12.1.pom (9.7 kB at 24 kB/s)

...snip...

Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 2.4 kB/s)

...snip...

09:24:46.340 [INFO] <name-withheld>:jar:3.13.0-SNAPSHOT
09:24:46.340 [INFO] +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
09:24:46.340 [INFO] +- org.apache.httpcomponents.client5:httpclient5:jar:5.2.1:compile
09:24:46.340 [INFO] |  +- org.apache.httpcomponents.core5:httpcore5:jar:5.2:compile
09:24:46.340 [INFO] |  +- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.2:compile
09:24:46.340 [INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
09:24:46.340 [INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.15.2:compile
09:24:46.340 [INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.2:compile
09:24:46.340 [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
09:24:46.340 [INFO] +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.15.2:compile
09:24:46.340 [INFO] |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.15.2:compile
09:24:46.340 [INFO] |  \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.15.2:compile
09:24:46.340 [INFO] |     +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
09:24:46.340 [INFO] |     \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
09:24:46.340 [INFO] +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.15.2:compile
09:24:46.340 [INFO] +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:provided
09:24:46.340 [INFO] \- junit:junit:jar:4.13.2:test
09:24:46.340 [INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
09:24:46.340 [INFO] ------------------------------------------------------------------------
09:24:46.340 [INFO] BUILD SUCCESS
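Added example, not part of either message in this thread: a small Python triage helper for the kind of finding Robert describes. It reads a Maven build log such as the ones quoted in [3] and [4], attributes every download that Maven confirms with "Downloaded from ..." to the plugin goal whose banner preceded it, and reports, for a flagged coordinate such as log4j:log4j:1.2.12, whether only the POM (the dependency metadata Maven reads while building the dependency graph) or also the JAR was fetched into ~/.m2/repository. That distinction is the first thing to establish before treating a "present in the local repository" alert as a runtime exposure. The sample log is constructed from lines of the quoted output (mail wrapping kept on purpose), and the function names are assumptions of this example, not Maven or maven-dependency-plugin APIs.

```python
"""Attribute Maven repository downloads in a build log to the goal that
triggered them, and separate metadata-only (.pom) fetches from binaries.

Added example; the helper names below are mine, not part of Maven.
"""
import re
from collections import defaultdict

# Goal banner, e.g. "[INFO] --- dependency:3.6.1:copy-dependencies (default) @ x ---".
# The "@ project ---" tail is left optional so a mail-wrapped banner still matches.
GOAL_RE = re.compile(r"\[INFO\] --- (?P<goal>\S+) \([^)]*\)")
URL_RE = re.compile(r"https?://\S+")
NO_GOAL = "project/plugin resolution (before any goal banner)"


def coordinate_path(group_id, artifact_id, version):
    """Path fragment of a coordinate in the Maven repository layout."""
    return "/%s/%s/%s/" % (group_id.replace(".", "/"), artifact_id, version)


def parse_downloads(log_text):
    """Yield (goal, url) for each artifact Maven confirms as Downloaded.

    "Downloading from ..." lines are ignored: only "Downloaded from ..."
    proves the file landed in the local repository. The URL may sit on the
    same line (real Maven output) or on the next line (mail-wrapped output).
    """
    goal = NO_GOAL
    lines = [line.strip() for line in log_text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        banner = GOAL_RE.search(line)
        if banner:
            goal = banner.group("goal")
        elif line.startswith("Downloaded from "):
            url = URL_RE.search(line)
            if url is None:
                i += 1
                while i < len(lines) and not lines[i]:
                    i += 1
                url = URL_RE.search(lines[i]) if i < len(lines) else None
            if url:
                yield goal, url.group(0)
        i += 1


def summarize(log_text):
    """Map goal -> file extension ("pom", "jar", ...) -> list of file names."""
    report = defaultdict(lambda: defaultdict(list))
    for goal, url in parse_downloads(log_text):
        file_name = url.rsplit("/", 1)[-1]
        report[goal][file_name.rsplit(".", 1)[-1]].append(file_name)
    return report


def flagged_report(log_text, coordinate):
    """Describe what was fetched for one "groupId:artifactId:version"."""
    group_id, artifact_id, version = coordinate.split(":")
    needle = coordinate_path(group_id, artifact_id, version)
    hits = [(goal, url.rsplit("/", 1)[-1])
            for goal, url in parse_downloads(log_text) if needle in url]
    poms = [name for _, name in hits if name.endswith(".pom")]
    jars = [name for _, name in hits if name.endswith(".jar")]
    return {
        "coordinate": coordinate,
        "goals": sorted({goal for goal, _ in hits}),
        "poms": poms,
        "jars": jars,
        # True when the artifact directory exists but holds no binary: Maven
        # read the POM to resolve the graph and never needed the jar itself.
        "metadata_only": bool(poms) and not jars,
    }


# Constructed sample: lines taken from the [3] output quoted above, with the
# mail wrapping preserved on purpose to exercise the two-line URL case.
SAMPLE_LOG = """\
09:26:55.703 [INFO] Scanning for projects...
09:27:14.083 [INFO] --- dependency:3.6.1:copy-dependencies (default) @
<name-withheld> ---
Downloading from central:
https://repo.maven.apache.org/maven2/org/apache/maven/doxia/doxia-sink-api/1.11.1/doxia-sink-api-1.11.1.pom
Downloaded from central:
https://repo.maven.apache.org/maven2/org/apache/maven/doxia/doxia-sink-api/1.11.1/doxia-sink-api-1.11.1.pom
(1.6 kB at 27 kB/s)
Downloading from central:
https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded from central:
https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
(145 B at 2.1 kB/s)
Downloaded from central: https://repo.maven.apache.org/maven2/com/github/luben/zstd-jni/1.5.5-5/zstd-jni-1.5.5-5.jar (5.9 MB at 3.7 MB/s)
09:27:28.043 [INFO] junit:junit:jar:4.13.2 already exists in destination.
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for goal, kinds in summarize(text).items():
        print(goal, dict(kinds))
    print(flagged_report(text, "log4j:log4j:1.2.12"))
```

Run it against a saved `mvn -B package` log (`python triage.py build.log`) on the build server; on the sample above the report for log4j:log4j:1.2.12 lists one .pom, no .jar, and only the copy-dependencies goal, which matches what [3] shows. A scanner that keys on the directory name alone cannot tell these two cases apart, so feeding it this output, or checking for the .jar explicitly, avoids chasing a metadata-only hit as if the library were on the classpath.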



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org
