You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Mark Nolan (Jira)" <ji...@apache.org> on 2020/07/21 10:06:00 UTC

[jira] [Updated] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1

     [ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Nolan updated MNG-6965:
----------------------------
    Description: 
A simple minimal archetype pom following the manual pages downloads plexus-utils 1.1, even though it is not (apparently) declared anywhere. This version is banned at my organization (edited to add: due to vulnerabilities), meaning such a pom always fails.

 
{code:xml}
<project xmlns="http://maven.apache.org/POM/4.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
  http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>test</groupId>
<artifactId>test</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>maven-archetype</packaging>
<name>test</name>

<build>
  <extensions> 
    <extension>
      <groupId>org.apache.maven.archetype</groupId>
      <artifactId>archetype-packaging</artifactId>
      <version>3.1.2</version>
    </extension>
  </extensions>

  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-archetype-plugin</artifactId>
        <version>3.1.2</version>
      </plugin>
    </plugins>
  </pluginManagement>
</build>
</project>
{code}
Running any goal, such as mvn -X clean, produces the following before the goal is executed:
{code}
[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, DefaultDependencyCollector.collectTime=66890900, DefaultDependencyCollector.transformTime=8523500}
[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
{code}
 

As far as I can see, there is no declared dependency on plexus-utils:1.1.

 

  was:
A simple minimal archetype pom following the manual pages downloads plexus-utils 1.1, even though it is not (apparently) declared anywhere. This version is banned at my organization, meaning such a pom always fails.

{{<project xmlns="http://maven.apache.org/POM/4.0.0"}}
 {{xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"}}
 {{xsi:schemaLocation="http://maven.apache.org/POM/4.0.0}}
 {{[http://maven.apache.org/xsd/maven-4.0.0.xsd]">}}
 {{<modelVersion>4.0.0</modelVersion>}}
 {{<groupId>test</groupId>}}
 {{<artifactId>test</artifactId>}}
 {{<version>0.0.1-SNAPSHOT</version>}}
 {{<packaging>maven-archetype</packaging>}}

{{<name>test</name>}}

{{<build>}}
 {{<extensions> }}
 {{<extension>}}
 {{<groupId>org.apache.maven.archetype</groupId>}}
 {{<artifactId>archetype-packaging</artifactId>}}
 {{<version>3.1.2</version>}}
 {{</extension>}}
 {{</extensions>}}

{{<pluginManagement>}}
 {{<plugins>}}
 {{<plugin>}}
 {{<groupId>org.apache.maven.plugins</groupId>}}
 {{<artifactId>maven-archetype-plugin</artifactId>}}
 {{<version>3.1.2</version>}}
 {{</plugin>}}
 {{</plugins>}}
 {{</pluginManagement>}}
 {{</build>}}
 {{</project>}}

 

Running any goal, such as mvn -X clean, produces the following before the goal is executed:

{{[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, DefaultDependencyCollector.collectTime=66890900, DefaultDependencyCollector.transformTime=8523500}}}
 {{[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:}}
 {{[DEBUG] org.codehaus.plexus:plexus-utils:jar:1.1:runtime}}

 

As far as I can see, there is no declared dependency on plexus-utils:1.1.

 


> archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
> -------------------------------------------------------------------------------
>
>                 Key: MNG-6965
>                 URL: https://issues.apache.org/jira/browse/MNG-6965
>             Project: Maven
>          Issue Type: Bug
>          Components: Plugins and Lifecycle
>    Affects Versions: 3.6.0, 3.6.3
>         Environment: Win7, Win10, at least one variant of Linux (not sure which)
>            Reporter: Mark Nolan
>            Priority: Major
>              Labels: archetype
>         Attachments: pom.xml
>
>
> A simple minimal archetype pom following the manual pages downloads plexus-utils 1.1, even though it is not (apparently) declared anywhere. This version is banned at my organization (edited to add: due to vulnerabilities), meaning such a pom always fails.
>  
> {code:xml}
> <project xmlns="http://maven.apache.org/POM/4.0.0"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
>   http://maven.apache.org/xsd/maven-4.0.0.xsd">
> <modelVersion>4.0.0</modelVersion>
> <groupId>test</groupId>
> <artifactId>test</artifactId>
> <version>0.0.1-SNAPSHOT</version>
> <packaging>maven-archetype</packaging>
> <name>test</name>
> <build>
>   <extensions> 
>     <extension>
>       <groupId>org.apache.maven.archetype</groupId>
>       <artifactId>archetype-packaging</artifactId>
>       <version>3.1.2</version>
>     </extension>
>   </extensions>
>   <pluginManagement>
>     <plugins>
>       <plugin>
>         <groupId>org.apache.maven.plugins</groupId>
>         <artifactId>maven-archetype-plugin</artifactId>
>         <version>3.1.2</version>
>       </plugin>
>     </plugins>
>   </pluginManagement>
> </build>
> </project>
> {code}
> Running any goal, such as mvn -X clean, produces the following before the goal is executed:
> {code}
> [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, DefaultDependencyCollector.collectTime=66890900, DefaultDependencyCollector.transformTime=8523500}
> [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
> [DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
> {code}
>  
> As far as I can see, there is no declared dependency on plexus-utils:1.1.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)