I have a Bouncy Castle dependency used in my application, and I want this dependency to be excluded in the pom.xml file. Even after removing this dependency from the pom file, it still appears in the m2 repository folder. My application uses the Spring MVC 5 framework and runs on Tomcat version 9. While deploying, there are two different versions of "bcprov". I need to exclude both bcprov-jdk14 and bcprov-jdk15on from the pom.xml file.
Below is the dependency in the pom file.
<dependency>
  <groupId>bouncycastle</groupId>
  <artifactId>bcprov-jdk14</artifactId>
  <version>140</version>
</dependency>
I also tried another link for the exclusion but it did not work - Maven Transitive Dependency issue
Please help me exclude the above dependencies.
To exclude some transitive dependencies you just have to add <exclusion> tags in your POM file. You need to remove the bcprov-jdk14 artifact from every dependency that uses it (check the dependency tree), e.g.:
<dependency>
  <groupId>com.lowagie</groupId>
  <artifactId>itext</artifactId>
  <version>2.1.7</version>
  <exclusions>
    <exclusion>
      <groupId>bouncycastle</groupId>
      <artifactId>bcmail-jdk14</artifactId>
    </exclusion>
    <exclusion>
      <groupId>bouncycastle</groupId>
      <artifactId>bcprov-jdk14</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcmail-jdk14</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk14</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bctsp-jdk14</artifactId>
    </exclusion>
  </exclusions>
</dependency>
Remember however to add the correct versions of those dependencies:
<properties>
  ...
  <bc.version>1.69</bc.version>
</properties>
<dependencies>
  <dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>${bc.version}</version>
  </dependency>
  <dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcmail-jdk15on</artifactId>
    <version>${bc.version}</version>
  </dependency>
</dependencies>
Alternatively don't use the features of the libraries that depend on BouncyCastle (signature verification/encryption).
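One way to carry out the "check the dependency tree" step from the answer above, as an added example that is not part of the original post: it reads `mvn dependency:tree` text output and reports which direct dependency each legacy Bouncy Castle artifact arrives through, then renders the matching `<exclusions>` element. The sample tree, the ban patterns and the function names are constructed for illustration.

```python
import re
from fnmatch import fnmatch

# Constructed sample of `mvn dependency:tree` output (not taken from the question).
SAMPLE_TREE = r"""
[INFO] com.example:webapp:war:1.0.0
[INFO] +- com.lowagie:itext:jar:2.1.7:compile
[INFO] |  +- bouncycastle:bcmail-jdk14:jar:138:compile
[INFO] |  +- bouncycastle:bcprov-jdk14:jar:138:compile
[INFO] |  \- org.bouncycastle:bctsp-jdk14:jar:1.38:compile
[INFO] |     \- org.bouncycastle:bcprov-jdk14:jar:1.38:compile
[INFO] \- org.bouncycastle:bcprov-jdk15on:jar:1.69:compile
"""

# Assumed ban list: the legacy groupId and the old -jdk14 builds.
BANNED = ["bouncycastle:*", "org.bouncycastle:*-jdk14"]

# "[INFO] " + zero or more 3-char indent cells + optional "+- " or "\- " + coordinates
NODE = re.compile(r"^\[INFO\] ((?:[| ] {2})*)([+\\]- )?(\S+:\S+)$")


def find_banned(tree_text, banned=BANNED):
    """Return (direct, transitive): banned artifacts declared directly, and a
    dict mapping each direct dependency to the banned artifacts beneath it."""
    direct, transitive, owner = [], {}, None
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m or not m.group(2):
            continue  # skip noise and the project's own root line
        top_level = not m.group(1)  # no indent cells: a direct dependency
        ga = ":".join(m.group(3).split(":")[:2])  # groupId:artifactId
        hit = any(fnmatch(ga, pat) for pat in banned)
        if top_level:
            owner = ga
            if hit:
                direct.append(ga)  # remove this declaration from the POM
        elif hit and ga not in transitive.setdefault(owner, []):
            transitive[owner].append(ga)  # needs an <exclusion> on owner
    return direct, transitive


def render_exclusions(coords):
    """Build the <exclusions> element to paste into the owning <dependency>."""
    items = "".join(
        "  <exclusion>\n    <groupId>{}</groupId>\n"
        "    <artifactId>{}</artifactId>\n  </exclusion>\n".format(*ga.split(":"))
        for ga in coords)
    return "<exclusions>\n" + items + "</exclusions>"
```

Run it again after adding the exclusions: the default tree lists each artifact only once, so a second path to the same JAR can surface once the first is cut.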
Related
I have a batch Apache Beam pipeline that worked successfully until I upgraded from version 2.42 to 2.43 and above. The pipeline uses the Storage Write API to write to BigQuery and it now fails with the error: "Error message from worker: org.apache.beam.vendor.guava.v26_0_jre.com.google.common.util.concurrent.ExecutionError:java.lang.NoSuchMethodError: 'com.google.cloud.bigquery.storage.v1.StreamWriter$Builder com.google.cloud.bigquery.storage.v1.StreamWriter$Builder.setEnableConnectionPool(bool)'".
When I switched to the FileLoads method instead of StorageWriteAPI, it worked again, but I am wondering what's wrong with StorageWriteAPI now. I tried checking the release notes but couldn't find anything helpful (https://github.com/apache/beam/releases). Can I please get some help here?
I think you have a dependency conflict with Guava in your Maven pom or Gradle build file. Here is the Guava version I used in my pom file for Beam version 2.43.0 or 2.44.0:
<guava.version>31.0.1-jre</guava.version>
If you use the following dependencies, you have to exclude an old version of Guava:
<dependency>
  <groupId>com.google.api-client</groupId>
  <artifactId>google-api-client</artifactId>
  <version>${google-api-client.version}</version>
  <exclusions>
    <!-- Exclude an old version of guava that is being pulled
         in by a transitive dependency of google-api-client -->
    <exclusion>
      <groupId>com.google.guava</groupId>
      <artifactId>guava-jdk5</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>com.google.apis</groupId>
  <artifactId>google-api-services-bigquery</artifactId>
  <version>${bigquery.version}</version>
  <exclusions>
    <!-- Exclude an old version of guava that is being pulled
         in by a transitive dependency of google-api-client -->
    <exclusion>
      <groupId>com.google.guava</groupId>
      <artifactId>guava-jdk5</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>com.google.http-client</groupId>
  <artifactId>google-http-client</artifactId>
  <exclusions>
    <!-- Exclude an old version of guava that is being pulled
         in by a transitive dependency of google-api-client -->
    <exclusion>
      <groupId>com.google.guava</groupId>
      <artifactId>guava-jdk5</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>com.google.apis</groupId>
  <artifactId>google-api-services-pubsub</artifactId>
  <version>${pubsub.version}</version>
  <exclusions>
    <!-- Exclude an old version of guava that is being pulled
         in by a transitive dependency of google-api-client -->
    <exclusion>
      <groupId>com.google.guava</groupId>
      <artifactId>guava-jdk5</artifactId>
    </exclusion>
  </exclusions>
</dependency>
I hope it can help.
I have a project POM in which one of the dependencies has the type test-jar. Now I want to exclude one of the dependencies coming through it, but it is not getting excluded because the type is test-jar.
<dependency>
  <groupId>com.myproject</groupId>
  <artifactId>myproject</artifactId>
  <scope>test</scope>
  <type>test-jar</type>
  <exclusions>
    <exclusion>
      <groupId>com.myproject1</groupId>
      <artifactId>myproject1</artifactId>
    </exclusion>
  </exclusions>
</dependency>
How can I exclude the dependency in case the type is test-jar?
I have a dependency on Guava in my Maven dependencies:
<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>23.3-jre</version>
</dependency>
I also have a dependency to Google API Client in my dependencies:
<dependency>
  <groupId>com.google.api-client</groupId>
  <artifactId>google-api-client</artifactId>
  <version>1.23.0</version>
</dependency>
But for some odd reason, this has the following dependency:
<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava-jdk5</artifactId>
</dependency>
Now my WAR ends up with two Guava JARs:
guava-23.3-jre.jar
guava-jdk5-17.0.jar
This gives several issues, since the runtime prefers guava-jdk5-17.0.jar while the code is compiled with guava-23.3-jre.jar.
Why does Google API Client have dependency on Guava for JDK5? Wouldn't it make more sense to have two versions, like:
google-api-client which depends on regular Guava, preferably version 23.3 (as of current)
google-api-client-jdk5 which depends on Guava for JDK5
See https://github.com/google/google-api-java-client/issues/903. The following work-around should be possible:
<dependency>
  <groupId>com.google.api-client</groupId>
  <artifactId>google-api-client</artifactId>
  <exclusions>
    <exclusion>
      <groupId>com.google.guava</groupId>
      <artifactId>guava-jdk5</artifactId>
    </exclusion>
  </exclusions>
</dependency>
The pom for my main project declares a version of hadoop-client. A dependency declares a different version of hadoop-client. Which one actually ends up being used?
pom.xml for my main project:
<dependency>
  <groupId>com.apache.hadoop</groupId>
  <artifactId>hadoop-client</artifactId>
  <version>2.7.0</version>
  <exclusions>
    <exclusion>
      <groupId>*</groupId>
      <artifactId>*</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>com.myown.group</groupId>
  <artifactId>my-own-artifact</artifactId>
  <version>1.0.0</version>
  <exclusions>
    <exclusion>
      <groupId>*</groupId>
      <artifactId>*</artifactId>
    </exclusion>
  </exclusions>
</dependency>
pom.xml for the library that my main project depends on:
<dependency>
  <groupId>com.apache.hadoop</groupId>
  <artifactId>hadoop-client</artifactId>
  <version>2.5.0</version>
  <exclusions>
    <exclusion>
      <groupId>*</groupId>
      <artifactId>*</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
Maven has a complex set of rules for version resolution, summarized as 'nearest wins'. One source of details is this post here. You can find out what Maven decided by using mvn dependency:list or mvn dependency:tree.
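A simplified model of the 'nearest wins' rule applied to the POMs in the question, as an added example that is not part of the original answer. It ignores scopes, dependencyManagement, optional dependencies and version ranges; the `com.example:*` names and the tie scenario are hypothetical.

```python
from collections import deque
from fnmatch import fnmatch

# Constructed model of the POMs in the question: (groupId:artifactId, version)
# -> declared dependencies as (groupId:artifactId, version, exclusion patterns).
# "com.example:app" is a hypothetical name for the main project.
QUESTION_POMS = {
    ("com.example:app", "1.0"): [
        ("com.apache.hadoop:hadoop-client", "2.7.0", ["*:*"]),
        ("com.myown.group:my-own-artifact", "1.0.0", ["*:*"]),
    ],
    ("com.myown.group:my-own-artifact", "1.0.0"): [
        ("com.apache.hadoop:hadoop-client", "2.5.0", ["*:*"]),
    ],
}

# Hypothetical tie: two libraries at the same depth want different versions.
TIE_POMS = {
    ("com.example:app", "1.0"): [
        ("com.example:lib-old", "1.0", []),
        ("com.example:lib-new", "1.0", []),
    ],
    ("com.example:lib-old", "1.0"): [("com.example:codec", "1.0", [])],
    ("com.example:lib-new", "1.0"): [("com.example:codec", "2.0", [])],
}


def resolve(poms, root=("com.example:app", "1.0")):
    """Breadth-first mediation: the first (nearest, then earliest-declared)
    version seen for a groupId:artifactId wins; losers are not expanded.
    Returns {groupId:artifactId: (version, depth)}."""
    chosen = {}
    queue = deque((ga, ver, excl, 1) for ga, ver, excl in poms[root])
    while queue:
        ga, ver, excluded, depth = queue.popleft()
        if ga in chosen:
            continue  # a nearer or earlier declaration already won
        chosen[ga] = (ver, depth)
        for child, cver, cexcl in poms.get((ga, ver), []):
            if any(fnmatch(child, pat) for pat in excluded):
                continue  # cut off by an <exclusion> higher up the path
            # exclusions apply to the whole subtree, so they accumulate
            queue.append((child, cver, excluded + cexcl, depth + 1))
    return chosen
```

In the tie case codec 1.0 wins only because lib-old is declared first, which is how a patched version can be displaced without any warning. Pinning the version as a direct dependency or in dependencyManagement removes the reliance on declaration order.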
Spring-boot has the following maven dependencies around org.apache.httpcomponents
<dependency>
  <groupId>org.apache.httpcomponents</groupId>
  <artifactId>httpasyncclient</artifactId>
  <version>${httpasyncclient.version}</version>
  <exclusions>
    <exclusion>
      <groupId>commons-logging</groupId>
      <artifactId>commons-logging</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>org.apache.httpcomponents</groupId>
  <artifactId>httpclient</artifactId>
  <version>${httpclient.version}</version>
  <exclusions>
    <exclusion>
      <groupId>commons-logging</groupId>
      <artifactId>commons-logging</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>org.apache.httpcomponents</groupId>
  <artifactId>httpmime</artifactId>
  <version>${httpclient.version}</version>
</dependency>
However I don't have access to anything org.apache.http related in my codebase unless I add the extra dependency myself.
<dependency>
  <groupId>org.apache.httpcomponents</groupId>
  <artifactId>httpclient</artifactId>
</dependency>
Why is this? Isn't this the same as adding a dependency twice?
The artifacts are declared in the dependencyManagement section of the spring-boot-dependencies pom.
Meaning when you inherit from the spring boot starter, you can declare you want to use any of the dependencies managed by it. Notice you don't need to provide a version of the httpclient. This is because Spring has so nicely managed it for you, hence dependencyManagement. So it is not the same thing as declaring it twice.
More info here
http://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/htmlsingle/#using-boot-maven-parent-pom