(Note I had originally sent this on Feb 14, but I think it never got posted
to the mailing list -- likely because I forgot to subscribe first -- as
such, some of the version information may not be "current" as of today).

All:

I'm looking into an issue where we had an old package [1] flagged by
security tooling as being present on our build servers in the Maven
repository (~/.m2/repository). After a bit of digging, I managed to narrow
down where it came from and when it got fetched, and I can reproduce in a
pretty narrow use case as well.

We have a library (jar) that gets built for the purposes of a REST API.
This package was generated with some automated tooling, but has been
hand-tweaked. However, the specifics of the package do not seem to be that
important (other than the tools it uses). The specific plugin with the
transitive dependency to the offending package [1] is
"maven-javadoc-plugin" (which likely needs some updates of dependencies,
etc, in particular maven-reporting-xxxx which seem to be the ones that are
older).

During our build process, "maven-dependency-plugin" is used with the goal
"copy-dependencies" to copy runtime artifacts to the output directory
(target/lib) [2]. It does this, and copies in about 15 or so files as
expected. [3] None of these files are the "offending" package being flagged
by the security tools.

However, if you clean your Maven repository (rm -rf ~/.m2/repository), and
run either the build up to and including the dependency copying (e.g. mvn
package) [3], or just run "mvn dependency:tree" [4], the offending package
gets copied into the local Maven repository (~/.m2/repository).


So, my questions are:

a) Why does maven-dependency-plugin fetch absolutely everything regardless
of how far it actually needs to traverse the tree to do the task it's
performing? (or does it really need to traverse the whole tree?)

b) Is there a way to stop this behaviour without either removing the
dependency (maven-javadoc-plugin) with the offending dependency [1] from
the project, or not using "maven-dependency-plugin"? I have tried some
exclusion methods documented for the goals, but they do not seem to change
the fetching / tree traversal behaviour.


Thanks,

Robert



== References / Details ==

[1] log4j:log4j:1.2.12


[2]
            <plugin>
                <artifactId>maven-dependency-plugin</artifactId>
                <version>3.6.1</version>
                <executions>
                    <execution>
                        <phase>package</phase>
                        <goals>
                            <goal>copy-dependencies</goal>
                        </goals>
                        <configuration>
                            <outputDirectory>${project.build.directory}/lib</outputDirectory>
                        </configuration>
                    </execution>
                </executions>
            </plugin>


[3]
$ rm -rf ~/.m2/repository
$ mvn package
09:26:55.703 [INFO] Scanning for projects...
09:26:55.726 [INFO]

...snip...

09:27:14.083 [INFO]
09:27:14.083 [INFO] --- dependency:3.6.1:copy-dependencies (default) @ <name-withheld> ---
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/doxia/doxia-sink-api/1.11.1/doxia-sink-api-1.11.1.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/doxia/doxia-sink-api/1.11.1/doxia-sink-api-1.11.1.pom (1.6 kB at 27 kB/s)

...snip...

Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 2.1 kB/s)

...snip...

Downloaded from central: https://repo.maven.apache.org/maven2/com/github/luben/zstd-jni/1.5.5-5/zstd-jni-1.5.5-5.jar (5.9 MB at 3.7 MB/s)
09:27:28.043 [INFO] com.google.code.findbugs:jsr305:jar:3.0.2 already exists in destination.
09:27:28.043 [INFO] org.apache.httpcomponents.client5:httpclient5:jar:5.2.1 already exists in destination.
09:27:28.043 [INFO] org.apache.httpcomponents.core5:httpcore5:jar:5.2 already exists in destination.
09:27:28.043 [INFO] org.apache.httpcomponents.core5:httpcore5-h2:jar:5.2 already exists in destination.
09:27:28.043 [INFO] org.slf4j:slf4j-api:jar:1.7.36 already exists in destination.
09:27:28.043 [INFO] com.fasterxml.jackson.core:jackson-core:jar:2.15.2 already exists in destination.
09:27:28.043 [INFO] com.fasterxml.jackson.core:jackson-annotations:jar:2.15.2 already exists in destination.
09:27:28.043 [INFO] com.fasterxml.jackson.core:jackson-databind:jar:2.15.2 already exists in destination.
09:27:28.043 [INFO] com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.15.2 already exists in destination.
09:27:28.043 [INFO] com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.15.2 already exists in destination.
09:27:28.043 [INFO] com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.15.2 already exists in destination.
09:27:28.043 [INFO] jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3 already exists in destination.
09:27:28.043 [INFO] jakarta.activation:jakarta.activation-api:jar:1.2.2 already exists in destination.
09:27:28.043 [INFO] com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.15.2 already exists in destination.
09:27:28.043 [INFO] jakarta.annotation:jakarta.annotation-api:jar:1.3.5 already exists in destination.
09:27:28.043 [INFO] junit:junit:jar:4.13.2 already exists in destination.
09:27:28.043 [INFO] org.hamcrest:hamcrest-core:jar:1.3 already exists in destination.
09:27:28.043 [INFO]

...snip...


[4]
$ rm -rf ~/.m2/repository
$ mvn dependency:tree
09:24:23.287 [INFO] Scanning for projects...
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-compiler-plugin/3.12.1/maven-compiler-plugin-3.12.1.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-compiler-plugin/3.12.1/maven-compiler-plugin-3.12.1.pom (9.7 kB at 24 kB/s)

...snip...

Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 2.4 kB/s)

...snip...

09:24:46.340 [INFO] <name-withheld>:jar:3.13.0-SNAPSHOT
09:24:46.340 [INFO] +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
09:24:46.340 [INFO] +- org.apache.httpcomponents.client5:httpclient5:jar:5.2.1:compile
09:24:46.340 [INFO] |  +- org.apache.httpcomponents.core5:httpcore5:jar:5.2:compile
09:24:46.340 [INFO] |  +- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.2:compile
09:24:46.340 [INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
09:24:46.340 [INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.15.2:compile
09:24:46.340 [INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.2:compile
09:24:46.340 [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
09:24:46.340 [INFO] +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.15.2:compile
09:24:46.340 [INFO] |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.15.2:compile
09:24:46.340 [INFO] |  \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.15.2:compile
09:24:46.340 [INFO] |     +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
09:24:46.340 [INFO] |     \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
09:24:46.340 [INFO] +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.15.2:compile
09:24:46.340 [INFO] +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:provided
09:24:46.340 [INFO] \- junit:junit:jar:4.13.2:test
09:24:46.340 [INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
09:24:46.340 [INFO] ------------------------------------------------------------------------
09:24:46.340 [INFO] BUILD SUCCESS
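A small check, added here as an example and not part of Robert's message, that turns the "Downloaded from central:" lines of a Maven build log like [3] and [4] into groupId:artifactId:version coordinates, flags any that appear on a denylist, and maps a flagged coordinate to its directory under ~/.m2/repository so a build server can be audited after the fact. The log excerpt and the denylist are constructed; the URL-to-coordinate mapping assumes the standard Maven repository layout (group path / artifactId / version / file).

```python
import re
from pathlib import Path

CENTRAL = "https://repo.maven.apache.org/maven2/"
# \s* lets the URL sit on the same line or, as in mail-wrapped logs, the next one.
DOWNLOADED_RE = re.compile(r"Downloaded from \S+:\s*(https?://\S+)")


def url_to_gav(url):
    """Map a repository URL to (groupId, artifactId, version, filename), or None."""
    if not url.startswith(CENTRAL):
        return None
    parts = url[len(CENTRAL):].split("/")
    if len(parts) < 4:  # need at least group/artifact/version/file
        return None
    *group, artifact, version, filename = parts
    return (".".join(group), artifact, version, filename)


def flagged_downloads(log_text, denylist):
    """Return the denylisted groupId:artifactId:version coordinates Maven fetched."""
    hits = []
    for match in DOWNLOADED_RE.finditer(log_text):
        gav = url_to_gav(match.group(1))
        if gav is None:
            continue
        coord = ":".join(gav[:3])
        if coord in denylist and coord not in hits:
            hits.append(coord)
    return hits


def local_repo_path(coord, repo=Path.home() / ".m2" / "repository"):
    """Directory where Maven caches groupId:artifactId:version in the local repo."""
    group, artifact, version = coord.split(":")
    return repo.joinpath(*group.split("."), artifact, version)


# Constructed excerpt in the shape of the copy-dependencies log above.
SAMPLE_LOG = """\
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/doxia/doxia-sink-api/1.11.1/doxia-sink-api-1.11.1.pom (1.6 kB at 27 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded from central:
https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 2.1 kB/s)
Downloaded from central: https://repo.maven.apache.org/maven2/com/github/luben/zstd-jni/1.5.5-5/zstd-jni-1.5.5-5.jar (5.9 MB at 3.7 MB/s)
"""
DENYLIST = {"log4j:log4j:1.2.12"}  # constructed: the coordinate flagged in [1]

if __name__ == "__main__":
    for coord in flagged_downloads(SAMPLE_LOG, DENYLIST):
        cached = local_repo_path(coord)
        print(f"{coord} fetched; cached at {cached}: {cached.exists()}")
```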
