We're using Maven 3 with IntelliJ for our IDE. After a compile we get a bunch of spring 2.0 stuff being included in the External Libraries. If I look through Maven Projects dependencies in Intellij I don't see anyone with a dependency on spring 2.0 so I suspect it's something we're depending on which depends on it.
My question is how would I track this down? I tried doing a mvn dependency:tree -Dverbose -Dincludes=spring-aop and even -Dincludes=spring but get no results when ran from the root or a sub module directory that I know is using spring.
It looks like the pattern passed to -Dincludes is incorrect.
From the documentation of Maven Dependency Plugin, the syntax of -Dincludes is defined by StrictPatternIncludesArtifactFilter. From the javadoc of AbstractStrictPatternArtifactFilter from which this is subclassed,
The artifact pattern syntax is of the
form:
[groupId]:[artifactId]:[type]:[version]
Where each pattern segment is optional and supports full and
partial * wildcards. An empty pattern
segment is treated as an implicit
wildcard.
For example, org.apache.* would match all artifacts whose group
id started with org.apache., and :::*-SNAPSHOT would match all snapshot
artifacts.
Maybe you should run mvn dependency:tree without -Dincludes and see if it shows up the spring 2.0 related dependency. Alternately, specify the appropriate pattern for -Dincludes.
The format you are searching for is wrong. Try this:
mvn dependency:tree -Dverbose -Dincludes=:spring*::
(Searches for any artifact with a groupId that starts with spring)
Or this:
mvn dependency:tree -Dverbose -Dincludes=org.springframework
(Searches for any artifact with artifactId org.springframework)
Why not use intellij and easy fix it.
Open your pom.xml, right-click (invoke context menu) and choose UML > show dependencies (assumin you have UML plugin enabled).
Idea will mark all duplicate dependency and you can use ALT+Enter combo to exclude dependencies.
#see also:
http://blogs.jetbrains.com/idea/2010/05/maven-dependencies-diagram/
Related
Due to the Log4Shell vulnerability I would like to search and find out if my Java project is implementing Log4j directly or by dependencies, and which version.
I have, for example, projects with these dependency management tools:
Maven project
Apache Ivy project
Old legacy project without any dependency management
How can I do this on these types of dependency management tools?
Details about the vulnerability (including mitigation steps):
CVE-2021-44228
Apache Log4j Security Vulnerabilities
You may run Maven dependency tree from the command line inside your project:
mvn dependency:tree
In the output do a search for log4j. If you find it, it might mean that your project is either directly including log4j, or another dependency is including log4j as a transitive dependency.
If you use Maven and Linux, you can run:
mvn dependency:tree | grep log4j
This will check your dependencies and show results only if you have Log4j as a dependency.
And if it is a transitive dependency, and you want to check the dependency it came from, you can use:
mvn dependency: tree | grep -B20 log4j
It will show 20 lines before Log4j on the screen. If you still can't see the main dependency where it comes from, you can increase from 20 to 50, and so on until you find it.
KKKK
So far I'm satisfied what Syft and Grype provide. These tools list all code dependencies of a given Docker image or a directory containing code - independent of the stack! Easy setup and quick execution.
It's Java-independent though and more generic than your specific question for a Maven-based solution. So it is up to you if it's of use or not.
I recently upgraded from Spring 3.2.11.RELEASE to Spring 4.2.3.RELEASE.
When running my unit tests, I'm getting this error:
java.lang.ExceptionInInitializerError: null
at org.springframework.test.web.servlet.result.MockMvcResultHandlers.<clinit>(MockMvcResultHandlers.java:44)
And:
java.lang.NoClassDefFoundError: Could not initialize class org.springframework.test.web.servlet.result.MockMvcResultHandlers
Line 44 of MockMvcResultHandlers looks like this:
private static final Log logger = LogFactory.getLog(MockMvcResultHandlers.class.getPackage().getName());
I confirmed that I have commons-logging 1.2 as a dependency in Maven.
Any ideas of what the issue could be?
Thanks!
I've confirmed that the NullPointerException is coming from MockMvcResultHandlers.class.getPackage().
Update: From what I've read, some people are saying that using the maven-surefire-plugin with a forkCount greater than 0 might fix it. Unfortunately, in my particular situation, I can't update the forkCount to verify that.
Update: I opened a JIRA against Spring and they said it will be fixed in 4.2.4:
https://jira.spring.io/browse/SPR-13802
You might have a conflicting spring-test version included by another dependency. I would try to identify whether other dependencies are importing a different version. You can do this in intelliJ, if you use it (and probably other IDEs do it but that's what I use), and you can also do a maven dependency tree. I find both methods useful.
Maven Dependency Tree:
mvn dependency:tree -Dverbose > tree.txt
or, to isolate your specific dependency,
mvn dependency:tree -Dverbose -Dincludes=spring-test > tree.txt
I find it useful to output to a file and then search through it using less or some other tool.
In IntelliJ:
In the Maven Projects tab at right, expand all (CTRL+PLUS in Windows) and look through the dependencies of dependencies and see if you see commons-logging. This is obviously more of a brute force method.
I am new to Maven and I faced a problem when I tried to convert my current project from using Ant -> using Maven.
That project requires many Jars, and I look up those jars on mvnrepository and add all to POM.xml.
I don't know if some dependency is redundant.
Do you guy know any way to check if which dependency which I really need?
The Maven dependency analyzer plugin is just what you're looking for.
Just run
mvn install dependency:analyze
(on some platforms, for some reason, the full notation is required:)
mvn install org.apache.maven.plugins:maven-dependency-plugin:2.9:analyze
And review the report it produces.
Let us say, ArtifactA depends on ArtifactB and ArtifactC also depends on ArtifactB
I understand that "mvn dependency plugin" can help list the dependencies of a project/artifact.
But how about the reverse? If I want to find the list of projects/artifacts which depend on a given artifact?
From the above example, given ArtifactB, I would like to get ArtifactA and ArtifactC
How can I achieve this?
Maven can only operate on the current project, so it can only detect dependencies between from the current project (or sub-modules) to other projects (including sub-modules of the current project).
So what you can do is search for specific submodules depending on other submodules:
mycompany:parent
/ \
mycompany:child1 mycompany:child2
/ / \
mycompany:grandchild1 mycompany:grandchild2 mycompany:grandchild3
This is how you can find all subprojects that have dependencies to grandchild3:
mvn validate -pl child2/grandchild3 -amd
This will run the validate phase on all projects within the current project that depend on grandchild3.
It is not easy at all. One option is using m2eclipse which has a feature called Class search. In the maven repositories view, right click a repository and enable full index.
Then Navigate > Open type from maven - there you can look through all artifacts available based on java package convention.
Another option is to develop your own tool based on JarAnalyzer for instance, that will accept a JAR file and search through your local maven repository, looking for the most appropriate artifacts that satisfy the the imported packages/classes from the JAR.
I'm looking for something like this:
List<URL> urls = listURLFromPOM("c:\pom.xml");
..
http://repo1.maven.org/maven2/org/apache/ibatis/ibatis-core/3.0/ibatis-core-3.0.jar
http://repo1.maven.org/maven2/org/apache/camel/camel-activemq/1.1.0/camel-activemq-1.1.0.jar
...
A dependency is not aware of its "source repository" which might not be unique so you won't be able to get the "source URL" of a dependency without actually resolving it. One way to do that (without writing code using Maven internal APIs) would be to use dependency:purge-local-repository. From the Maven Dependency Plugin documentation:
dependency:purge-local-repository tells Maven to clear all dependency-artifact files out of the local repository, and optionally re-resolve them.
Run that command and redirect the output to a file for post-processing:
mvn dependency:purge-local-repository > raw.txt
As I just mentioned, if you are using several repositories, you might need to do some post processing to separate the "successful" download from "failed" attempts. Here is a sample regex on Rubular that might be helpful to implement such a post-processing (I provided some content illustrating the "problem").
You can use the Maven Dependency Plugin to analyze the dependencies of you POM.
mvn dependency:list -DoutputAbsoluteArtifactFilename=true -DoutputFile=dependencies.txt