Posted to issues@maven.apache.org by "Mark Nolan (Jira)" <ji...@apache.org> on 2020/07/21 10:06:00 UTC
[jira] [Updated] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mark Nolan updated MNG-6965:
----------------------------
Description:
A simple minimal archetype pom following the manual pages downloads plexus-utils 1.1, even though it is not (apparently) declared anywhere. This version is banned at my organization (edited to add: due to vulnerabilities), meaning such a pom always fails.
{code:xml}
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>test</groupId>
  <artifactId>test</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>maven-archetype</packaging>
  <name>test</name>
  <build>
    <extensions>
      <extension>
        <groupId>org.apache.maven.archetype</groupId>
        <artifactId>archetype-packaging</artifactId>
        <version>3.1.2</version>
      </extension>
    </extensions>
    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-archetype-plugin</artifactId>
          <version>3.1.2</version>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
</project>
{code}
Running any goal, such as mvn -X clean, produces the following before the goal is executed:
{code}
[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, DefaultDependencyCollector.collectTime=66890900, DefaultDependencyCollector.transformTime=8523500}
[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
[DEBUG] org.codehaus.plexus:plexus-utils:jar:1.1:runtime
{code}
As far as I can see, there is no declared dependency on plexus-utils:1.1.
was:
A simple minimal archetype pom following the manual pages downloads plexus-utils 1.1, even though it is not (apparently) declared anywhere. This version is banned at my organization, meaning such a pom always fails.
{{<project xmlns="http://maven.apache.org/POM/4.0.0"}}
{{xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"}}
{{xsi:schemaLocation="http://maven.apache.org/POM/4.0.0}}
{{[http://maven.apache.org/xsd/maven-4.0.0.xsd]">}}
{{<modelVersion>4.0.0</modelVersion>}}
{{<groupId>test</groupId>}}
{{<artifactId>test</artifactId>}}
{{<version>0.0.1-SNAPSHOT</version>}}
{{<packaging>maven-archetype</packaging>}}
{{<name>test</name>}}
{{<build>}}
{{<extensions> }}
{{<extension>}}
{{<groupId>org.apache.maven.archetype</groupId>}}
{{<artifactId>archetype-packaging</artifactId>}}
{{<version>3.1.2</version>}}
{{</extension>}}
{{</extensions>}}
{{<pluginManagement>}}
{{<plugins>}}
{{<plugin>}}
{{<groupId>org.apache.maven.plugins</groupId>}}
{{<artifactId>maven-archetype-plugin</artifactId>}}
{{<version>3.1.2</version>}}
{{</plugin>}}
{{</plugins>}}
{{</pluginManagement>}}
{{</build>}}
{{</project>}}
Running any goal, such as mvn -X clean, produces the following before the goal is executed:
{{[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, DefaultDependencyCollector.collectTime=66890900, DefaultDependencyCollector.transformTime=8523500}}}
{{[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:}}
{{[DEBUG] org.codehaus.plexus:plexus-utils:jar:1.1:runtime}}
As far as I can see, there is no declared dependency on plexus-utils:1.1.
> archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
> -------------------------------------------------------------------------------
>
> Key: MNG-6965
> URL: https://issues.apache.org/jira/browse/MNG-6965
> Project: Maven
> Issue Type: Bug
> Components: Plugins and Lifecycle
> Affects Versions: 3.6.0, 3.6.3
> Environment: Win7, Win10, at least one variant of Linux (not sure which)
> Reporter: Mark Nolan
> Priority: Major
> Labels: archetype
> Attachments: pom.xml
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
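The check the report performs by eye on the `mvn -X` output, as an added example that is not part of the original issue or of Maven: it parses the resolved-tree lines and reports each banned artifact with the root (extension or plugin) that pulled it in. Assumptions: `find_banned`, `BANNED` and `SAMPLE` are hypothetical names, real `mvn -X` output indents each tree level by three spaces (the archive above has flattened it), and the `com.example` coordinates are constructed.

```python
import re

# One resolved-tree node as "mvn -X" prints it:
#   [DEBUG] <indent>group:artifact:type[:classifier]:version:scope
# The root of each tree has an empty scope, so its line ends with ":".
NODE = re.compile(
    r"^\[DEBUG\] ( *)([\w.\-]+):([\w.\-]+):[\w.\-]+(?::[\w.\-]+)?:([\w.\-]+):(\w*)\s*$"
)

# Policy taken from the issue: plexus-utils 1.1 is banned at the reporter's organization.
BANNED = {"org.codehaus.plexus:plexus-utils": {"1.1"}}

# Constructed sample: the two tree lines from the issue with indentation restored
# (assumed three spaces per level), plus a hypothetical second tree.
SAMPLE = """\
[DEBUG] Dependency collection stats: {ConflictMarker.nodeCount=1}
[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
[DEBUG] com.example:hypothetical-plugin:jar:1.0:
[DEBUG]    com.example:hypothetical-lib:jar:2.0:compile
[DEBUG]       org.codehaus.plexus:plexus-utils:jar:3.0:compile
"""


def find_banned(log_text, banned=BANNED, indent=3):
    """Return [(banned_coordinate, path_from_root)] for every banned node."""
    hits, path = [], []  # path[i] is the coordinate currently open at depth i
    for line in log_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # stats lines and other debug chatter
        spaces, group, artifact, version, scope = m.groups()
        # An empty scope marks a tree root. Any other node sits at least one
        # level below a root, even if the indentation was flattened in transit.
        depth = 0 if scope == "" else max(1, len(spaces) // indent)
        depth = min(depth, len(path))  # tolerate a log that starts mid-tree
        del path[depth:]
        path.append(f"{group}:{artifact}:{version}")
        if version in banned.get(f"{group}:{artifact}", ()):
            hits.append((path[-1], list(path)))
    return hits


if __name__ == "__main__":
    for coordinate, chain in find_banned(SAMPLE):
        print(f"BANNED {coordinate} via {' -> '.join(chain)}")
```

Feed it the captured output of `mvn -X clean`; a non-empty result names the extension or plugin to raise with its maintainers, since the project's own `pom.xml` declares no such dependency.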