2

We are using the maven-dependency-plugin to get a ZIP from our Nexus for later use. We do this because it's the easiest way to download from our protected Nexus using the integrated maven-user handling.

When using the maven-dependency-plugin, it downloads Struts 1.3.8 as a dependency.

In older versions of the plugin this is normal, as it is a transitive dependency of the plugin: https://maven.apache.org/plugins-archives/maven-dependency-plugin-3.1.2/dependencies.html

In the current version it has been removed: https://maven.apache.org/plugins-archives/maven-dependency-plugin-3.2.0/dependencies.html This was accomplished by an update from org.apache.maven.doxia:doxia-site-renderer:jar:1.9 to org.apache.maven.doxia:doxia-site-renderer:jar:1.9.2 (1.9.2 excludes the struts dependency)

Still, the usage of the plugin downloads struts and I can't figure out why.

I tried with the latest Maven (3.8.3) and narrowed it down to a simple command:

mvn org.apache.maven.plugins:maven-dependency-plugin:3.2.0:get -DgroupId=commons-lang -DartifactId=commons-lang -Dversion=2.6 -Dmaven.repo.local=repo

That downloads an old commons-lang dependency using "repo" as the repository folder. If you check the download logs or the folder, it will contain "org/apache/struts/....".

I also tested with a simple pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.test</groupId>
    <artifactId>test-dep-plugin</artifactId>
    <version>1.0.0-SNAPSHOT</version>
    <packaging>pom</packaging>

    <build>
        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-dependency-plugin</artifactId>
                    <version>3.2.0</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-site-plugin</artifactId>
                    <version>3.9.1</version>
                </plugin>
            </plugins>
        </pluginManagement>

        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-dependency-plugin</artifactId>
                <executions>
                    <execution>
                        <id>get</id>
                        <phase>validate</phase>
                        <goals>
                            <goal>get</goal>
                        </goals>
                        <configuration>
                            <groupId>org.apache.commons</groupId>
                            <artifactId>commons-lang3</artifactId>
                            <version>3.12.0</version>

                            <transitive>false</transitive>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>

</project>

You can try "mvn clean verify" to run this. That results in the same problem. I updated the "site" plugin because it also had a struts dependency in the older version.

I also tried to check the plugin dependencies by using: mvn dependency:resolve-plugins

That doesn't give me any struts dependencies. Still, some part of Maven seems to need them. They are gone if I remove the maven-dependency-plugin.

How can I get rid of all the (outdated and unneeded) struts-dependencies?

TomStroemer
  • After checking that, it looks like the dependency on struts-taglib is defined by doxia-site-renderer, in contradiction to having exclusions for the struts parts... which is really strange... First I would suggest to create an issue entry (https://issues.apache.org/jira/projects/MDEP) and add the example as a working project... – khmarbaise Oct 20 '21 at 14:44
  • Furthermore the question is: What is the problem with the struts dependency? – khmarbaise Oct 20 '21 at 14:44
  • We get security issues from our admin team because struts 1.x has reached its end of life in 2013. By using it in our build we get the struts files on Nexus, Jenkins, local machines, ... And I also don't have a clue why a plugin for maven dependencies would need a web framework. – TomStroemer Oct 20 '21 at 17:18
  • Looks like there’s already an issue: https://issues.apache.org/jira/browse/MDEP-765 (same error, different maven goal) – TomStroemer Oct 20 '21 at 19:12
  • Looks like this comes in via `maven-reporting-impl`, which uses doxia 1.7 – tgdavies Oct 21 '21 at 06:43

1 Answer

0

An update to maven-dependency-plugin 3.3.0 seems to fix the issue.

When executing `mvn org.apache.maven.plugins:maven-dependency-plugin:3.3.0:get -DgroupId=commons-lang -DartifactId=commons-lang -Dversion=2.6 -Dmaven.repo.local=repo` I don't get any struts dependencies in the repo folder.

TomStroemer
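The check used in the question and the answer (looking for `org/apache/struts/...` in the folder passed as `-Dmaven.repo.local`) can be scripted as a build gate. The following is an added example, not part of the original posts: the function names and the sample tree are constructed for illustration, and it assumes the standard local repository layout `<group path>/<artifactId>/<version>/<file>`.

```shell
#!/bin/sh
# Added example: report Maven coordinates in a local repository whose
# groupId starts with a denied prefix (function names are hypothetical).

# find_denied_artifacts REPO_DIR PREFIX...
# Prints one unique "groupId:artifactId:version" line per matching artifact.
find_denied_artifacts() {
    repo=${1%/}; shift
    for prefix in "$@"; do
        # groupId org.apache.struts is stored under org/apache/struts/
        gdir=$repo/$(printf '%s' "$prefix" | tr . /)
        [ -d "$gdir" ] || continue
        find "$gdir" -type f \( -name '*.pom' -o -name '*.jar' \) |
        while IFS= read -r f; do
            vdir=$(dirname "$f")              # .../<artifactId>/<version>
            adir=$(dirname "$vdir")           # .../<artifactId>
            gpath=${adir%/*}                  # <repo>/<group path>
            gpath=${gpath#"$repo"/}           # <group path>
            printf '%s:%s:%s\n' "$(printf '%s' "$gpath" | tr / .)" \
                "$(basename "$adir")" "$(basename "$vdir")"
        done
    done | sort -u
}

# repo_is_clean REPO_DIR PREFIX...
# Exit status 0 when nothing matched; otherwise lists the hits on stderr.
repo_is_clean() {
    hits=$(find_denied_artifacts "$@")
    [ -z "$hits" ] && return 0
    printf 'denied artifacts in local repository:\n%s\n' "$hits" >&2
    return 1
}

# Constructed sample tree (empty files, not real downloads).
make_sample_repo() {
    for p in org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom \
             org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.jar \
             commons-lang/commons-lang/2.6/commons-lang-2.6.jar; do
        mkdir -p "$1/$(dirname "$p")" && : > "$1/$p"
    done
}

demo=$(mktemp -d)
make_sample_repo "$demo"
find_denied_artifacts "$demo" org.apache.struts
rm -rf "$demo"
```

In a pipeline, `repo_is_clean repo org.apache.struts` run after the `mvn ... -Dmaven.repo.local=repo` step fails the job if the plugin resolution pulled the artifacts in again.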