8

I am using the Maven enforcer plugin to check for dependency convergence. Given this (contrived) example:

project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>warren</groupId>
  <artifactId>warren</artifactId>
  <packaging>war</packaging>
  <version>1.0-SNAPSHOT</version>
  <name>warren Maven Webapp</name>
  <url>http://maven.apache.org</url>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>net.sf.jtidy</groupId>
      <artifactId>jtidy</artifactId>
      <version>r938</version>
    </dependency>
    <dependency>
      <groupId>org.apache.maven.plugin-tools</groupId>
      <artifactId>maven-plugin-tools-api</artifactId>
      <version>2.5.1</version>
    </dependency>
  </dependencies>
  <build>
    <finalName>warren</finalName>

    <!-- The Maven Enforcer -->
    <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>1.4</version>
      <dependencies>
        <dependency>
          <groupId>org.codehaus.mojo</groupId>
          <artifactId>extra-enforcer-rules</artifactId>
          <version>1.0-beta-2</version>
        </dependency>
      </dependencies>
      <executions>
        <!-- ******************************************************* -->
        <!-- Ensure that certain really important things are checked -->
        <!-- and fail the build if any of these are violated         -->
        <!-- ****************************************************** -->
        <execution>
          <id>enforce-important-stuff</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <phase>validate</phase>
          <configuration>
            <rules>
              <requireMavenVersion>
                <version>3.2.1</version>
              </requireMavenVersion>
              <requireJavaVersion>
                <version>1.7</version>
              </requireJavaVersion>
              <DependencyConvergence />
              <bannedDependencies>
                <searchTransitive>true</searchTransitive>
                <excludes>
                  <!-- Should be javax.servlet:javax.servlet-api:3.0.1 -->
                  <exclude>javax.servlet:servlet-api:2.*</exclude>
                  <!-- Should be org.springframework:3.2.* . Note this is
                       for the core spring framework. Others such as
                       WS etc may be different, but the convergence to the underlying
                       core Spring framework should be the same -->
                  <exclude>org.springframework:2.*</exclude>
                  <exclude>org.springframework:3.0.*</exclude>
                  <exclude>org.springframework:3.1.*</exclude>&gt;
                  <!-- Should be slf4j 1.7.5 with logback and
                       bridges to JCL, JUL and log4j (this means these
                       individual libraries should not be included as the
                       "bridges" implement the API and redirect to the
                       underlying SLF4j impl -->
                  <exclude>log4j:log4j</exclude>
                  <exclude>commons-logging</exclude>
                  <exclude>org.slf4j:1.5*</exclude>
                  <exclude>org.slf4j:1.6*</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
            <failFast>true</failFast>
          </configuration>
        </execution>
        <execution>
          <id>warn-about-stuff-which-may-cause-problems</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <phase>validate</phase>
          <configuration>
            <rules>
              <banDuplicateClasses>
                <ignoreClasses>

                </ignoreClasses>
                <findAllDuplicates>true</findAllDuplicates>
              </banDuplicateClasses>
            </rules>
            <fail>false</fail>
          </configuration>
        </execution>
      </executions>
    </plugin>
    </plugins>
  </build>
</project>

I get this output:

[ERROR] +-warren:warren:1.0-SNAPSHOT
[ERROR] +-org.apache.maven.plugin-tools:maven-plugin-tools-api:2.5.1
[ERROR] +-org.codehaus.plexus:plexus-utils:1.5.6
[ERROR] and
[ERROR] +-warren:warren:1.0-SNAPSHOT
[ERROR] +-org.apache.maven.plugin-tools:maven-plugin-tools-api:2.5.1
[ERROR] +-org.codehaus.plexus:plexus-container-default:1.0-alpha-9-stable-1
[ERROR] +-org.codehaus.plexus:plexus-utils:1.0.4

So, I naively thought I could change my pom to use wildcard exclusions to avoid this issue ie:

<dependency>
  <groupId>net.sf.jtidy</groupId>
  <artifactId>jtidy</artifactId>
  <version>r938</version>
</dependency>
<dependency>
  <groupId>org.apache.maven.plugin-tools</groupId>
  <artifactId>maven-plugin-tools-api</artifactId>
  <version>2.5.1</version>
  <exclusions>
    <exclusion>
      <groupId>*</groupId>
      <artifactId>*</artifactId>
    </exclusion>
  </exclusions>
</dependency>

but Maven ignores the wildcards and I get the same error. The only way to fix the error is to explicitly put in the group & artifact ids.

  <exclusions>
    <exclusion>
      <groupId>org.codehaus.plexus</groupId>
      <artifactId>plexus-utils</artifactId>
    </exclusion>
  </exclusions>

Is it possible to use wildcard exclusions in this situation? Note I have tried using maven 3.0.5, 3.2.1 and 3.3.3 but no luck!

Many thanks

MandyW
  • 1,117
  • 3
  • 14
  • 23
  • Can you show the full pom files? If you think this is a bug please file in a JIRA issue http://issues.apache.org/jira/browse/MENFORCER – khmarbaise Jul 13 '15 at 06:07
  • Many thanks for the response - I have edited the post to include the full pom. I will also raise a Jira. – MandyW Jul 13 '15 at 21:18
  • Why have you added the maven-plugin-tools-api which does not really make sense for a war project ? – khmarbaise Jul 14 '15 at 08:40
  • I completely agree - it was just a contrived example to show a convergence error, I just chose a random dependency which I knew would cause a convergence error. I realise it makes no sense in the real world! – MandyW Jul 14 '15 at 16:52
  • Can you make a `mvn dependency:tree` and put the full output here or please case an JIRA issue and attach as much as information you can provide....best would be a example project which produces the behaviour... – khmarbaise Jul 15 '15 at 07:02

2 Answers2

7

There is an open issue for dependencyConvergence when using wildcard exclusions: https://issues.apache.org/jira/browse/MENFORCER-195.

There is no indication of when we can expect a fix, or any recent activity on this issue (or on the issue https://issues.apache.org/jira/browse/MSHARED-339). I hit it with maven-enforcer-plugin 1.4.1.

Aled Sage
  • 766
  • 7
  • 12
3

The best ways to fix this as of now is to add both wildcard exclusion and exclusion for every dependency that caused the enforcer to fail:

<dependency>
  <groupId>org.apache.maven.plugin-tools</groupId>
  <artifactId>maven-plugin-tools-api</artifactId>
  <version>2.5.1</version>
  <exclusions>
    <exclusion>
      <groupId>*</groupId>
      <artifactId>*</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.codehaus.plexus</groupId>
      <artifactId>plexus-utils</artifactId>
    </exclusion>
  </exclusions>
  </exclusions>
</dependency>
kolobok
  • 3,835
  • 3
  • 38
  • 54