1

I have the following Maven dependency in the tree:

...
[INFO] |  |  |  \- io.netty:netty-tcnative-boringssl-static:jar:2.0.50.Final:compile
[INFO] |  |  |     +- io.netty:netty-tcnative-classes:jar:2.0.48.Final:compile
[INFO] |  |  |     +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.48.Final:compile
[INFO] |  |  |     +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.48.Final:compile
[INFO] |  |  |     +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.48.Final:compile
[INFO] |  |  |     +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.48.Final:compile
[INFO] |  |  |     \- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.48.Final:compile
...

This is flagged by the dependencyConvergence rule of Maven Enforcer plugin like below:

[WARNING] 
Dependency convergence error for io.netty:netty-tcnative-boringssl-static:2.0.50.Final paths to dependency are:
+-com.twitter:finagle-http_2.12:22.2.0
  +-io.netty:netty-tcnative-boringssl-static:2.0.50.Final
and
+-com.twitter:finagle-http_2.12:22.2.0
  +-io.netty:netty-tcnative-boringssl-static:2.0.50.Final
    +-io.netty:netty-tcnative-boringssl-static:2.0.48.Final

And here is the plugin configuration:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-enforcer-plugin</artifactId>
    <version>${enforce-plugin.version}</version>
    <executions>
        <execution>
            <id>enforce-banned-dependencies</id>
            <goals>
                <goal>enforce</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <rules>
            <dependencyConvergence>
                <uniqueVersions>true</uniqueVersions>
            </dependencyConvergence>
        </rules>
        <fail>true</fail>
    </configuration>
</plugin>

This cannot be fixed by excluding the conflicting dependency, so is there a way to configure the plugin to just ignore this dependency?

EDIT:

After updating the maven-enforcer-plugin to latest version, the issue is still there, but the error message changed a bit:

Dependency convergence error for io.netty:netty-tcnative-boringssl-static:jar:2.0.50.Final:compile paths to dependency are:

+-com.ing.wbs.toolkit:wbs-toolkit-tpa-httpclient:jar:5.5.0
  +-com.ing.apisdk:toolkit-connectivity-transport-http_2.12:jar:20.1.0:compile
    +-com.twitter:finagle-http_2.12:jar:22.2.0:compile
      +-io.netty:netty-tcnative-boringssl-static:jar:2.0.50.Final:compile
and
+-com.ing.wbs.toolkit:wbs-toolkit-tpa-httpclient:jar:5.5.0
  +-com.ing.apisdk:toolkit-connectivity-transport-http_2.12:jar:20.1.0:compile
    +-com.twitter:finagle-http_2.12:jar:22.2.0:compile
      +-io.netty:netty-tcnative-boringssl-static:jar:2.0.50.Final:compile
        +-io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.48.Final:compile

So it seems that the netty-tcnative-boringssl-static library has a dependency to an older version of an architecture-specific version of itself; still, maven-enforcer thinks it's just an older version of itself and flags it as an issue.

Vlad
  • 844
  • 1
  • 12
  • 22
  • You can add it directly to your project...the nearest dependency wins.. – khmarbaise Mar 23 '22 at 19:13
  • The problem is that that dependency has a dependency that is perceived by maven enforcer as an older version of itself (although if you look at the tree it isn't exactly the case), so adding it directly to the project won't help. – Vlad Mar 24 '22 at 15:16
  • The output looks weird: `io.netty:netty-tcnative-boringssl-static:2.0.50.Final +-io.netty:netty-tcnative-boringssl-static:2.0.48.Final` the lib has a dependency on its own? Looks wrong... furthermore it would help to post the full output as well as the pom file... – khmarbaise Mar 24 '22 at 15:29
  • I added more details to the question. Apparently, that lib has a dependency to an older version of an architecture-specific version of itself. – Vlad Mar 24 '22 at 15:43

0 Answers0