I have a doubt with the dependency management in maven central. I have to say that this is a project in initial phase and I am not using my own repository, that's why I have this doubt.
GitHub dependabot tells me that the version I use jackson-databind is vulnerable.
Package com.fasterxml.jackson.core:jackson-databind (Maven)
Affected versions >= 2.13.0, <= 2.13.2.0
Patched version 2.13.2.1
[ERROR] Failed to execute goal on project erp-cloud-api: Could not resolve dependencies for project es.test.api.cloud:cloud-api:jar:0.3.0: The following artifacts could not be resolved: com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.13.2.1, com.fasterxml.jackson.core:jackson-core:jar:2.13.2.1, com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2.1, com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.13.2.1, com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.13.2.1: com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.13.2.1 was not found in https://repo.maven.apache.org/maven2 during a previous attempt. This failure was cached in the local repository and resolution is not reattempted until the update interval of central has elapsed or updates are forced -> [Help 1]
I am using version 2.13.2 in Maven core, because there are no patched versions. And dependabot still detects the version as vulnerable. How would be the right way to fix this without stopping using maven central?
What I want is to be able to have a reproducible build and use the patched version correctly.
Thank you very much and sorry if the way has already been explained.
Solution:
That version did exist. The problem was with other artifacts (like jackson-annotations, jackson-databind or jackson-datatype-joda etc.) of the same groupId that did not have that version. I was using a common property to group them all together and that's where the problem was coming from. Thank you!
A brief search of maven central reveals that the newest version of jackson-databind is 2.13.2.2.
Related
I am currently trying to follow this guide and every time I try to run the test code I am getting this error:
[ERROR] Failed to execute goal on project MyBot: Could not resolve
dependencies for project org.example:MyBot:jar:1.0-SNAPSHOT:
org.javacord:javacord:jar:3.4.0 was not found in
https://repo.maven.apache.org/maven2 during a previous attempt. This
failure was cached in the local repository and resolution is not
reattempted until the update interval of central has elapsed or
updates are forced -> [Help 1]
pom.xml
Maybe you have to load the dependencies you added to the pom.xml.
in IntelliJ you can right click on your pom.xml chose maven -> reload Project.
This loads all dependencies from pom.xml.
Check the console output for any errors.
Should the answer from Kaspatoo not working for you you can try to add the repository from Javacord to your project.
I figured it out, maven had downloaded the jars for the Dependency but wasn't loading them, I pointed maven to them in the system directory, and its working now
I am trying to import jaxb2-maven-plugin in to maven project and I am working on JDK 1.8. While importing itself it showing the below errors.
Actually, my requirement is to generate the xml to java classes by the jaxb2 plugin.
Thanks in Advance.
ERRORS:
Execution schemagen of goal org.codehaus.mojo:jaxb2-maven-plugin:1.6:schemagen failed: Plugin
org.codehaus.mojo:jaxb2-maven-plugin:1.6 or one of its dependencies could not be resolved: Failure to find
se.west.converters:custom-jaxb-converters:jar:1.2.14 in https://repo.maven.apache.org/maven2 was cached in the
local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are
I'm upgrading some dependency versions I have in a java/maven/spring application, which is using our nexus repo as the central repository mirroring maven central.
I tried upgrading hibernate to it's newest version of 3.5.4-Final as listed:
Hibernate newest release stable version
And when I run maven install, I see in my nexus server that there is now 3.5.4-Final listed, but inside its directory there is only a pom.xml file for the project and none of it's associated JAR's.
When I inspect the POM, I can see it's packaging is listed as POM and not JAR.
Why is this, and how can I make maven take the jar packaged version of the library rather than just the POM?
EDIT - mvn install error message posted:
[ERROR] Failed to execute goal on project app: Could not resolve dependencies for project com.app:app:war:16.2.1-SNAPSHOT: Failure to find org.hibernate:hibernate:jar:3.5.4-Final in http://ssp-nexus1.mynexus-server.com:8081/nexus/content/groups/public was cached in the local repository, resolution will not be reattempted until the update interval of company.nexus.mirror has elapsed or updates are forced -> [Help 1]
As mentioned in the link you provided
Aggregator of the Hibernate Core modules.
So, the artifact you linked is effectively a pom which aggregates (as a multimodule) other Hibernate artefacts.
Instead, the hibernate-core artifact, as an example, can be found here, as a standard maven dependency (that is, a jar).
By default dependencies have type jar, so if you add the maven coordinates (GAV) for a dependency that is instead of type pom, maven will then look up for it as a jar. So that's why you are getting the error mentioned in your edit.
You should remove its dependency from your pom and only add the hibernate dependency you effectively need. As a rule of thumb, add the dependency you explicitly use in your code (as import statements, for instance) or your configuration files, and let then maven take care of the required transitive dependencies, given that they will be available on your company repository, obviously.
Update
Following your latest comments and feedback, here is a further explanation about why just changing the version of the existing Hibernate dependency you got to this issue:
The new 3.5.4-Final and the previous 3.2.7.ga version share the same groupId and artifactId on the Maven repository
However, the former has type pom (it's a pom file), while the latter has type jar (the default one)
So, the previously existing version was working fine and changing the version of the dependency you switched it from jar to pom, breaking the maven resolution (which was looking for a jar for a version which instead was a pom)
This mainly happened because you switched from a ga to a FINAL version. For a further explanation about the difference between these versions, you can check this SO question and this one
As a side note, I find a bit inconsistent that changing a version number also changes the dependency type, it might a point of debate, but if I were the Hibernate team, I would handle this version management differently.
I upgrade to Grails 2.4.2 because that supposedly fixes a bug with the maven plugin that caused it to generate a bad pom.xml file. Now, when I try to run the 2.4.2-generated pom with mvn clean install I get the following error message:
[ERROR] Failed to execute goal
org.grails:grails-maven-plugin:2.4.2:maven-compile
(default-maven-compile) on project PROJECT : Failed to create
classpath for Grails execution. Failure to find
org.codehaus.groovy:groovy-all:jar:2.4.2 in https://REPO was cached in
the local repository, resolution will not be reattempted until the
update interval of nexus has elapsed or updates are forced -> [Help 1]
Groovy 2.4.2 obvious doesn't exist since 2.3.X is the latest release. How do I force the maven plugins to take 2.3.2's groovy-all package as the dependency to use for Groovy?
Solution: it was a bug in the Maven plugin. I sent a code fix to the owner.
Update: I sent a bug fix that was incorporated into Grails. The new dependency is org.grails:grails-maven-plugin:2.4.3. You should update your Grails BuildConfig and the pom file (or regenerate it).
I'm new to Maven and JSF and I have the following problem when compiling my project:
Failed to execute goal on project ViewController: Could not resolve dependencies for project com.km.eFarmer:ViewController:war:1.0.1-alpha1-SNAPSHOT: The following artifacts could not be resolved: com.sun.faces:jsf-api:jar:2.0.3-FCS, com.sun.faces:jsf-impl:jar:2.0.3-FCS, org.openfaces:openfaces:jar:3.0.2-KM, cssparser:cssparser:jar:0.9.5, it.eng.spago:sbi-utils:jar:3.3.0: Failure to find com.sun.faces:jsf-api:jar:2.0.3-FCS in http://repo1.maven.org/maven2/ was cached in the local repository, resolution will not be reattempted until the update interval of maven.maven2 has elapsed or updates are forced -> [Help 1
This is means that the artifact com.sun.faces:jsf-api:jar:2.0.3-FCS is absent in repository http://repo1.maven.org/maven2/.
Indeed, there is no jsf-api.jar with version 2.0.3-FCS in this repo.
There's a list of available versions. So, you should change artifact version, or repository url
Simple delete the folder local repository com/sun/faces and and retry it.