'Dependency not found' with release 17 while analyzing

Question

One of the project that I was looking into has these relevant configurations:

<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>

<plugin>
    <artifactId>maven-dependency-plugin</artifactId>
    <version>3.2.0</version>
    <configuration>
        <failOnWarning>true</failOnWarning>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>analyze-only</goal>
            </goals>
        </execution>
    </executions>
</plugin>


<dependency>
    <groupId>org.hamcrest</groupId>
    <artifactId>hamcrest</artifactId>
    <version>2.2</version>
    <!-- not scoped to test -->
</dependency>

On executing mvn clean verify (apache-maven-3.6.3, java : 17-ea), the build succeeds as expected. I have now, made a change in the properties to replace the source and target with release as:

<maven.compiler.release>17</maven.compiler.release>

and the logs on the terminal read

[INFO] --- maven-dependency-plugin:3.2.0:analyze-only (default) @ java-8-matchers ---
[WARNING] Non-test scoped test only dependencies found:
[WARNING]    org.hamcrest:hamcrest:jar:2.2:compile

leading to a failure(because of warning)! Why/How is the dependency treated differently with the upgrade in the Java version? Any way to fix this?

If it might be of help, the debug logs for this goal reads:

[DEBUG] Configuring mojo org.apache.maven.plugins:maven-dependency-plugin:3.2.0:analyze-only from plugin realm ClassRealm[plugin>org.apache.maven.plugins:maven-dependency-plugin:3.2.0, parent: jdk.internal.loader.ClassLoaders$AppClassLoader@579bb367]
[DEBUG] Configuring mojo 'org.apache.maven.plugins:maven-dependency-plugin:3.2.0:analyze-only' with basic configurator -->
[DEBUG]   (f) analyzer = default
[DEBUG]   (f) baseDir = .../java-8-matchers
[DEBUG]   (f) failOnWarning = true
[DEBUG]   (f) ignoreNonCompile = false
[DEBUG]   (f) ignoreUnusedRuntime = false
[DEBUG]   (f) outputDirectory = .../java-8-matchers/target
[DEBUG]   (f) outputXML = false
[DEBUG]   (f) project = MavenProject: uk.co.probablyfine:java-8-matchers:2.0.0-SNAPSHOT @ .../java-8-matchers/pom.xml
[DEBUG]   (f) scriptableFlag = $$%%%
[DEBUG]   (f) scriptableOutput = false
[DEBUG]   (f) skip = false
[DEBUG]   (f) verbose = false
[DEBUG] -- end configuration --
[WARNING] Non-test scoped test only dependencies found:
[WARNING]    org.hamcrest:hamcrest:jar:2.2:compile

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.2.0:analyze-only (default) on project java-8-matchers: Dependency problems found -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.2.0:analyze-only (default) on project java-8-matchers: Dependency problems found
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)

Reproduce using:

Git checkout this branch.
Configure maven to use Java-17.
Edit the failOnWarning property to true.
Execute mvn clean verify.

@BasilBourque I have replaced the previous two properties with the release one. — Naman, Jun 17 '21 at 06:02
Thank you for the suggestion @BasilBourque, have made an edit to make that explicit and share a link to complete project to attempt reproducing. — Naman, Jun 17 '21 at 06:10
Did you try replacing the `17` with `1.8` to narrow down whether the hamcrest issue is due to Java 17 or due to the use of `release`? — Basil Bourque, Jun 17 '21 at 06:12
That shouldn't be a concern for the configuration of `maven-dependency-plugin` or any other for that matter. But yeah, to be very sure, I have tested that as well @BasilBourque and it fails as otherwise. My hunch is the issue might be hidden in the "How" part of my question. — Naman, Jun 17 '21 at 06:19
Randomly trying out things, for one,`provided` helps the build succeed. But usage of the library is impacted as `org.hamcrest.Matcher` is no more accessible after that or one would get *Error occurred during initialization of boot layer java.lang.module.FindException: Module org.hamcrest not found, required by uk.co.probablyfine.matchers* — Naman, Jun 18 '21 at 22:15

score 9 · Accepted Answer · answered Jun 29 '21 at 01:08

After investigation I figured out that issue is in upgrading maven-dependency-plugin from version 3.1.2 to 3.2.0, because in new version of plugin was added new property for analyzing: testArtifactsWithNonTestScope you can compare screenshots of code below: Version 3.1.2:

Version 3.2.0:

I debugged the full analyzer dependencies process in the plugin and found that dependency:

<dependency>
   <groupId>org.hamcrest</groupId>
   <artifactId>hamcrest</artifactId>
   <version>2.2</version>
</dependency>

is passed to testArtifactsWithNonTestScope set of artifacts because class org.hamcrest.MatcherAssert is used only in test classes. Of course that behavior is incorrect, because other classes from hamcrest dependecy are present in non test classes - definitely there is defect in maven-dependency-plugin.

P.S.

Like proof of my idea you can change one of non test classes in following way:

...
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.is;
...

public final class Java8Matchers {

    public static void customAssert(String reason, boolean assertion) {
        assertThat(reason, assertion);
    }
    
    ...
}

As you can see I added new method with usage of org.hamcrest.MatcherAssert in Java8Matchers and after that build process will be finished successfully.

After all the above aspects, you have the following ways to solve the issue:

use the latest version of java which is supported by plugin 3.1.2 and do not update the plugin until the bug is fixed
turn off the analyzer for the build and wait for the fix for the analyzer

This makes sense, have created [MDEP-759](https://issues.apache.org/jira/browse/MDEP-759) corresponding to this question with a comment mentioning your first-hand debugging. Thank you for investing your time. — Naman, Jun 29 '21 at 01:19
One quick question, with the concept, that `3.2.0` brings in the issue we are discussing, should the failure not reflect with Java-8 as well there? — Naman, Jun 29 '21 at 01:21
It doesn't matter which version of java, there is bug in plugin starts from 3.2.0 version — saver, Jun 29 '21 at 09:33
Yeah, I could revalidate that. I agree it's the upgraded version. Should be a critical bug in my opinion, since this is breaking backward incompatibility. Thank you for your findings as well. Updating the bug reported too. — Naman, Jun 29 '21 at 15:05
Have awarded the bounty for the useful findings which confirms that it's a bug. Would wait for a certain response to see, what could be a better solution than just using `MatcherAssert...` unnecessarily in a non-test class. — Naman, Jun 29 '21 at 15:43

jeanpic · Answer 2 · 2021-07-01T06:56:50.077

0

This problem is not related to the Java version, it also fails with Java 16, to me it seems that it appeared when the maven-dependency-plugin was upgraded from 3.1.2 to 3.2.0 by dependabot, downgrading solves the problem.

edited Jul 01 '21 at 06:56

answered Jun 26 '21 at 20:52

jeanpic

481
3
15

1

Using the mentioned version of the plugin results in `Execution default of goal org.apache.maven.plugins:maven-dependency-plugin:3.1.2:analyze-only failed: Unsupported class file major version 61`. The problem is related to upgrading the java version as the configurations work just fine with `3.2.0` and `Java-8`. – Naman Jun 27 '21 at 03:51
Yes unfortunately this version of the plugin will fail with versions above Java 15. – jeanpic Jun 27 '21 at 06:38
The configuration doesn't work with **3.2.0** and **Java-8** on my computer either. – jeanpic Jun 27 '21 at 06:56
Yes, that is the reason I had tagged the question with the Java version I am working with. – Naman Jun 27 '21 at 11:23
To redress what I had said, you were right that the issue is with `3.2.0`. The details are shared in [this answer](https://stackoverflow.com/a/68171467/1746118). – Naman Jul 01 '21 at 04:01

score 0 · Answer 3 · answered Feb 22 '22 at 08:44

0

I solved this problem by cloning the maven-dependency-plugin from the following repo https://github.com/apache/maven-dependency-plugin/tree/maven-dependency-plugin-3.2.0 and I built it myself. Then I used the 3.3.0-SNAPSHOT version in my project!

answered Feb 22 '22 at 08:44

Haylemicheal Berihun

91
1
2

While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/31131054) – Procrastinator Feb 26 '22 at 07:05
The issue is on the maven-dependency plugin. The maintainers said they have fixed it in version 3.3.0 but it is not released yet. The problem is caused by the code that identifies Non-test scoped test-only dependencies. It is not working correctly so to solve the problem I cloned the dependency repository and commented out the code that gives the above warning. This is the edited repo https://github.com/Haylemicheal/maven-dependency-plugin. However, When the maven-dependency-plugin-3.3.0 is released you should use that dependency. – Haylemicheal Berihun Mar 08 '22 at 06:19

'Dependency not found' with release 17 while analyzing

3 Answers3