Hi,

I'm not sure if I understand your problem correctly, because based on the copy-dependencies goal as stated in the docs: "Goal that copies the project dependencies from the repository to a defined location." it copies as stated... The question is what you expect to be copied and, furthermore, the more important question: why do you need to copy those parts?

It would also be very helpful to have a full pom file of that project or maybe a link to a GitHub project (or alike)?

Another point is: do you use the most recent version of all plugins in your build?

Kind regards
Karl Heinz Marbaise

On 24.06.24 17:31, Robert Turner wrote:
(Note I had originally sent this on Feb 14, but I think it never got posted to the mailing list -- likely because I forgot to subscribe first -- as such, some of the version information may not be "current" as of today).

All:

I'm looking into an issue where we had an old package [1] flagged by security tooling as being present on our build servers in the Maven repository (~/.m2/repository). After a bit of digging, I managed to narrow down where it came from and when it got fetched, and I can reproduce it in a pretty narrow use case as well.

We have a library (jar) that gets built for the purposes of a REST API. This package was generated with some automated tooling, but has been hand-tweaked. However, the specifics of the package do not seem to be that important (other than the tools it uses).

The specific plugin with the transitive dependency to the offending package [1] is "maven-javadoc-plugin" (which likely needs some updates of dependencies, etc., in particular maven-reporting-xxxx, which seem to be the ones that are older).

During our build process, "maven-dependency-plugin" is used with the goal "copy-dependencies" to copy runtime artifacts to the output directory (target/lib) [2]. It does this, and copies in about 15 or so files as expected [3]. None of these files are the "offending" package being flagged by the security tools.

However, if you clean your Maven repository (rm -rf ~/.m2/repository), and run either the build up to and including the dependency copying (e.g. mvn package) [3], or just run "mvn dependency:tree" [4], the offending package gets copied into the local Maven repository (~/.m2/repository).

So, my questions are:

a) Why does maven-dependency-plugin fetch absolutely everything regardless of how far it actually needs to traverse the tree to do the task it's performing? (or does it really need to traverse the whole tree?)

b) Is there a way to stop this behaviour without either removing the dependency (maven-javadoc-plugin) with the offending dependency [1] from the project, or not using "maven-dependency-plugin"? I have tried some exclusion methods documented for the goals, but they do not seem to change the fetching / tree traversal behaviour.

Thanks,
Robert

== References / Details ==

[1] log4j:log4j:1.2.12

[2]
    <plugin>
      <artifactId>maven-dependency-plugin</artifactId>
      <version>3.6.1</version>
      <executions>
        <execution>
          <phase>package</phase>
          <goals>
            <goal>copy-dependencies</goal>
          </goals>
          <configuration>
            <outputDirectory>${project.build.directory}/lib</outputDirectory>
          </configuration>
        </execution>
      </executions>
    </plugin>

[3]
    $ rm -rf ~/.m2/repository
    $ mvn package
    09:26:55.703 [INFO] Scanning for projects...
    09:26:55.726 [INFO] ...snip...
    09:27:14.083 [INFO]
    09:27:14.083 [INFO] --- dependency:3.6.1:copy-dependencies (default) @ <name-withheld> ---
    Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/doxia/doxia-sink-api/1.11.1/doxia-sink-api-1.11.1.pom
    Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/doxia/doxia-sink-api/1.11.1/doxia-sink-api-1.11.1.pom (1.6 kB at 27 kB/s)
    ...snip...
    Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
    Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 2.1 kB/s)
    ...snip...
    Downloaded from central: https://repo.maven.apache.org/maven2/com/github/luben/zstd-jni/1.5.5-5/zstd-jni-1.5.5-5.jar (5.9 MB at 3.7 MB/s)
    09:27:28.043 [INFO] com.google.code.findbugs:jsr305:jar:3.0.2 already exists in destination.
    09:27:28.043 [INFO] org.apache.httpcomponents.client5:httpclient5:jar:5.2.1 already exists in destination.
    09:27:28.043 [INFO] org.apache.httpcomponents.core5:httpcore5:jar:5.2 already exists in destination.
    09:27:28.043 [INFO] org.apache.httpcomponents.core5:httpcore5-h2:jar:5.2 already exists in destination.
    09:27:28.043 [INFO] org.slf4j:slf4j-api:jar:1.7.36 already exists in destination.
    09:27:28.043 [INFO] com.fasterxml.jackson.core:jackson-core:jar:2.15.2 already exists in destination.
    09:27:28.043 [INFO] com.fasterxml.jackson.core:jackson-annotations:jar:2.15.2 already exists in destination.
    09:27:28.043 [INFO] com.fasterxml.jackson.core:jackson-databind:jar:2.15.2 already exists in destination.
    09:27:28.043 [INFO] com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.15.2 already exists in destination.
    09:27:28.043 [INFO] com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.15.2 already exists in destination.
    09:27:28.043 [INFO] com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.15.2 already exists in destination.
    09:27:28.043 [INFO] jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3 already exists in destination.
    09:27:28.043 [INFO] jakarta.activation:jakarta.activation-api:jar:1.2.2 already exists in destination.
    09:27:28.043 [INFO] com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.15.2 already exists in destination.
    09:27:28.043 [INFO] jakarta.annotation:jakarta.annotation-api:jar:1.3.5 already exists in destination.
    09:27:28.043 [INFO] junit:junit:jar:4.13.2 already exists in destination.
    09:27:28.043 [INFO] org.hamcrest:hamcrest-core:jar:1.3 already exists in destination.
    09:27:28.043 [INFO] ...snip...

[4]
    $ rm -rf ~/.m2/repository
    $ mvn dependency:tree
    09:24:23.287 [INFO] Scanning for projects...
    Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-compiler-plugin/3.12.1/maven-compiler-plugin-3.12.1.pom
    Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-compiler-plugin/3.12.1/maven-compiler-plugin-3.12.1.pom (9.7 kB at 24 kB/s)
    ...snip...
    Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
    Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 2.4 kB/s)
    ...snip...
    09:24:46.340 [INFO] <name-withheld>:jar:3.13.0-SNAPSHOT
    09:24:46.340 [INFO] +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
    09:24:46.340 [INFO] +- org.apache.httpcomponents.client5:httpclient5:jar:5.2.1:compile
    09:24:46.340 [INFO] |  +- org.apache.httpcomponents.core5:httpcore5:jar:5.2:compile
    09:24:46.340 [INFO] |  +- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.2:compile
    09:24:46.340 [INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
    09:24:46.340 [INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.15.2:compile
    09:24:46.340 [INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.2:compile
    09:24:46.340 [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
    09:24:46.340 [INFO] +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.15.2:compile
    09:24:46.340 [INFO] |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.15.2:compile
    09:24:46.340 [INFO] |  \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.15.2:compile
    09:24:46.340 [INFO] |     +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
    09:24:46.340 [INFO] |     \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
    09:24:46.340 [INFO] +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.15.2:compile
    09:24:46.340 [INFO] +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:provided
    09:24:46.340 [INFO] \- junit:junit:jar:4.13.2:test
    09:24:46.340 [INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
    09:24:46.340 [INFO] ------------------------------------------------------------------------
    09:24:46.340 [INFO] BUILD SUCCESS
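A check worth running before treating a finding like this as "vulnerable binary on the build server": the logs in [3] and [4] show only log4j-1.2.12.pom being downloaded, so it helps to know whether a flagged coordinate is present in ~/.m2/repository as a JAR or only as the POM that Maven fetched while building the dependency graph. The script below is an added example for this thread, not something from the original post or from Maven itself; it assumes only the standard local-repository layout (groupId with dots turned into slashes, then artifactId, then version, then artifactId-version.pom/.jar). The fixture directory it builds is constructed to mirror the logs above.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a groupId:artifactId:version
# is present in a local Maven repository, so a scanner hit on ~/.m2/repository can
# be read as "POM-only resolution metadata" versus "JAR actually on disk".
# Assumed layout (standard for a local repository):
#   <repo>/<groupId with . replaced by />/<artifactId>/<version>/<artifactId>-<version>.{pom,jar}

# gav_dir REPO GROUP ARTIFACT VERSION -> directory holding that version's files
gav_dir() {
  printf '%s/%s/%s/%s\n' "$1" "$(printf '%s' "$2" | tr . /)" "$3" "$4"
}

# classify_artifact REPO G:A:V -> prints one of: absent, pom-only, jar
classify_artifact() {
  ca_repo=$1
  ca_gav=$2
  ca_group=${ca_gav%%:*}
  ca_rest=${ca_gav#*:}
  ca_artifact=${ca_rest%%:*}
  ca_version=${ca_rest#*:}
  ca_dir=$(gav_dir "$ca_repo" "$ca_group" "$ca_artifact" "$ca_version")
  if [ -f "$ca_dir/$ca_artifact-$ca_version.jar" ]; then
    echo jar
  elif [ -f "$ca_dir/$ca_artifact-$ca_version.pom" ]; then
    echo pom-only
  else
    echo absent
  fi
}

# list_versions REPO GROUP ARTIFACT -> one "version classification" line per
# version directory found, so every cached version of an artifact (e.g. all of
# log4j:log4j) can be audited in one pass. Prints nothing if none is cached.
list_versions() {
  lv_repo=$1
  lv_group=$2
  lv_artifact=$3
  lv_base="$lv_repo/$(printf '%s' "$lv_group" | tr . /)/$lv_artifact"
  [ -d "$lv_base" ] || return 0
  for lv_vdir in "$lv_base"/*/; do
    [ -d "$lv_vdir" ] || continue
    lv_v=$(basename "$lv_vdir")
    echo "$lv_v $(classify_artifact "$lv_repo" "$lv_group:$lv_artifact:$lv_v")"
  done
}

# make_fixture DIR builds a constructed repository mirroring the logs above:
# the log4j 1.2.12 POM is present but its JAR is not; httpclient5 has both.
make_fixture() {
  mf_repo=$1
  mkdir -p "$mf_repo/log4j/log4j/1.2.12" \
           "$mf_repo/org/apache/httpcomponents/client5/httpclient5/5.2.1"
  : >"$mf_repo/log4j/log4j/1.2.12/log4j-1.2.12.pom"
  : >"$mf_repo/org/apache/httpcomponents/client5/httpclient5/5.2.1/httpclient5-5.2.1.pom"
  : >"$mf_repo/org/apache/httpcomponents/client5/httpclient5/5.2.1/httpclient5-5.2.1.jar"
}

# Real use on a build server (paths are the defaults, adjust if settings.xml
# relocates the local repository):
#   classify_artifact "$HOME/.m2/repository" log4j:log4j:1.2.12
#   list_versions "$HOME/.m2/repository" log4j log4j
```

A "pom-only" result means the coordinate was resolved for graph construction but no class files from it exist on the host; a "jar" result is the case that actually warrants the vulnerability finding. Either way the scanner may keep flagging the path, so the classification tells you how to prioritise the finding, not that it can be ignored.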