maven-enforcer-plugin 3.3.0 breaking behavior for scope
Question
When upgrading Spring Boot to 3.1 I got a transitive upgrade of maven-enforcer-plugin 3.3.0, breaking my build. The configuration of scopes for transitive dependencies behaves strangely.
Current configuration
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<executions>
<execution>
<id>enforce-banned-dependencies</id>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<rules>
<bannedDependencies>
<excludes>
<exclude>org.apache.tomcat.embed:*:*:*:compile</exclude>
</excludes>
</bannedDependencies>
</rules>
</configuration>
</execution>
</executions>
</plugin>
Dependencies
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-el</artifactId>
<scope>test</scope>
</dependency>
Error
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.3.0:enforce (enforce-banned-dependencies) on project enrollment-server:
[ERROR] Rule 0: org.apache.maven.enforcer.rules.dependency.BannedDependencies failed with message:
[ERROR] com.example:test:war:1.0.0-SNAPSHOT
[ERROR] org.springframework.boot:spring-boot-starter-validation:jar:3.1.0
[ERROR] org.apache.tomcat.embed:tomcat-embed-el:jar:10.1.8 <--- banned via the exclude/include list
I have noticed that there is an option <searchTransitive>false</searchTransitive>, but it seems to me that it ignores transitive dependencies completely. So the dependency is not checked but is attached. IMHO the main goal of this plugin was to control the content of the final artifact.
Downgrading to maven-enforcer-plugin 3.1.0 so far.
Full example:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>test</artifactId>
<version>1.0-SNAPSHOT</version>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.1.0</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-el</artifactId>
<!-- Overriding scope of transitive dependency from spring-boot-starter-validation but new enforcer plugin does NOT respect that -->
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<!-- Working with 3.1.0 -->
<!-- <version>3.1.0</version> -->
<!-- Implicit version 3.3.0 breaks the build -->
<executions>
<execution>
<id>enforce-banned-dependencies</id>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<rules>
<bannedDependencies>
<excludes>
<exclude>org.apache.tomcat.embed:*:*:*:compile</exclude>
</excludes>
</bannedDependencies>
</rules>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
Answer 1
Score: 1
First, maven-enforcer-plugin with the given rule is doing exactly what it should be doing, which means breaking the build based on the given dependencies which are not allowed based on the rules... Tried both versions, exactly the same behaviour... only the output looks a bit different...
Using the maven-enforcer-plugin version 3.1.0 produces the same failure like this:
[INFO] -----------------< com.soebes.spring.example:employee >-----------------
[INFO] Building Employee Demo Application 0.0.1-SNAPSHOT
[INFO] from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-clean-plugin:3.2.0:clean (default-clean) @ employee ---
[INFO]
[INFO] --- maven-enforcer-plugin:3.1.0:enforce (enforce-banned-dependencies) @ employee ---
[ERROR] Rule 0: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
Found Banned Dependency: org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.8
Found Banned Dependency: org.apache.tomcat.embed:tomcat-embed-el:jar:10.1.8
Found Banned Dependency: org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.8
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.447 s
[INFO] Finished at: 2023-06-12T12:53:26+02:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.1.0:enforce (enforce-banned-dependencies) on project employee: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]
As the maven-enforcer-plugin version 3.3.0 does:
[INFO]
[INFO] --- maven-clean-plugin:3.2.0:clean (default-clean) @ employee ---
[INFO]
[INFO] --- maven-enforcer-plugin:3.3.0:enforce (enforce-banned-dependencies) @ employee ---
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.405 s
[INFO] Finished at: 2023-06-12T12:55:35+02:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.3.0:enforce (enforce-banned-dependencies) on project employee:
[ERROR] Rule 0: org.apache.maven.enforcer.rules.dependency.BannedDependencies failed with message:
[ERROR] com.soebes.spring.example:employee:jar:0.0.1-SNAPSHOT
[ERROR] org.springframework.boot:spring-boot-starter-web:jar:3.1.0
[ERROR] org.springframework.boot:spring-boot-starter-tomcat:jar:3.1.0
[ERROR] org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.8 <--- banned via the exclude/include list
[ERROR] org.apache.tomcat.embed:tomcat-embed-el:jar:10.1.8 <--- banned via the exclude/include list
[ERROR] org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.8 <--- banned via the exclude/include list
[ERROR]
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
Update:
If you exclude the tomcat dependency via:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</exclusion>
</exclusions>
</dependency>
But you must be careful because you need something else which supports servlet etc.
If you need to overwrite the scope of a dependency (which means change the scope) you have to do that in a dependencyManagement section...
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>${spring.boot.version}</version>
<scope>import</scope>
<type>pom</type>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-el</artifactId>
<!-- Overriding scope of transitive dependency from spring-boot-starter-validation but new enforcer plugin does NOT respect that -->
<scope>test</scope>
</dependency>
That needs to be done for each dependency you want to change the scope for...
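An independent check of the scopes discussed above, as an added example that is not part of the original question or answer: it parses mvn dependency:tree output and applies the question's ban pattern in the enforcer's groupId:artifactId:version:type:scope order. The matcher is a simplification (wildcards only, no version ranges), the sample tree is constructed, and the function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Ban pattern from the question; ORDER is the section order of such patterns.
PATTERN = "org.apache.tomcat.embed:*:*:*:compile"
ORDER = ("groupId", "artifactId", "version", "type", "scope", "classifier")

# Constructed sample of `mvn dependency:tree` output (not taken from the page).
SAMPLE_TREE = """\
[INFO] com.example:test:war:1.0-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-validation:jar:3.1.0:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:3.1.0:compile
[INFO] |  \\- org.hibernate.validator:hibernate-validator:jar:8.0.0.Final:compile
[INFO] \\- org.apache.tomcat.embed:tomcat-embed-el:jar:10.1.8:test
"""

# Tree-drawing prefix, then 4 to 6 colon-separated coordinate sections.
COORD = re.compile(r"^\[INFO\]\s[|+\\\-\s]*([\w.\-]+(?::[\w.\-]+){3,5})\s*$")


def parse_tree(text):
    """Yield one dict per dependency line; the root project line is skipped."""
    for line in text.splitlines():
        m = COORD.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) == 4:            # root: g:a:type:version (no scope)
            continue
        if len(parts) == 5:            # g:a:type:version:scope
            g, a, t, v, s = parts
            c = ""
        else:                          # g:a:type:classifier:version:scope
            g, a, t, c, v, s = parts
        yield dict(zip(ORDER, (g, a, v, t, s, c)))


def is_banned(artifact, pattern):
    """Simplified match: '*' wildcards per section, omitted sections match all."""
    return all(fnmatchcase(artifact[key], section)
               for key, section in zip(ORDER, pattern.split(":")))


def banned(tree_text, patterns):
    """Return 'g:a:version:scope' for every artifact matching any pattern."""
    return [f"{a['groupId']}:{a['artifactId']}:{a['version']}:{a['scope']}"
            for a in parse_tree(tree_text)
            if any(is_banned(a, p) for p in patterns)]


if __name__ == "__main__":
    print(banned(SAMPLE_TREE, [PATTERN]))
```
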