Posted to issues@maven.apache.org by "Dennis Lundberg (Jira)" <ji...@apache.org> on 2020/07/21 07:57:00 UTC

[jira] [Comment Edited] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1

    [ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17161836#comment-17161836 ] 

Dennis Lundberg edited comment on MNG-6965 at 7/21/20, 7:56 AM:
----------------------------------------------------------------

I guess that the reason it is banned is because of vulnerabilities?

[https://snyk.io/vuln/maven:org.codehaus.plexus%3Aplexus-utils]

A good way to find out from where a dependency is pulled in is to use this command on the project that is pulling the dependency in question. In this case archetype-packaging:
{noformat}
mvn dependency:tree
{noformat}


was (Author: dennisl):
I guess that the reason it is banned because of vulnerabilities?

https://snyk.io/vuln/maven:org.codehaus.plexus%3Aplexus-utils

A good way to find out from where a dependency is pulled in is to use this command on the project that is pulling the dependency in question. In this case archetype-packaging:
{noformat}
mvn dependency:tree
{noformat}


> archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
> -------------------------------------------------------------------------------
>
>                 Key: MNG-6965
>                 URL: https://issues.apache.org/jira/browse/MNG-6965
>             Project: Maven
>          Issue Type: Bug
>          Components: Plugins and Lifecycle
>    Affects Versions: 3.6.0, 3.6.3
>         Environment: Win7, Win10, at least one variant of Linux (not sure which)
>            Reporter: Mark Nolan
>            Priority: Major
>              Labels: archetype
>         Attachments: pom.xml
>
>
> A simple minimal archetype pom following the manual pages downloads plexus-utils 1.1, even though it is not (apparently) declared anywhere. This version is banned at my organization, meaning such a pom always fails.
> {noformat}
> <project xmlns="http://maven.apache.org/POM/4.0.0"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
>                              http://maven.apache.org/xsd/maven-4.0.0.xsd">
>   <modelVersion>4.0.0</modelVersion>
>   <groupId>test</groupId>
>   <artifactId>test</artifactId>
>   <version>0.0.1-SNAPSHOT</version>
>   <packaging>maven-archetype</packaging>
>   <name>test</name>
>   <build>
>     <extensions>
>       <extension>
>         <groupId>org.apache.maven.archetype</groupId>
>         <artifactId>archetype-packaging</artifactId>
>         <version>3.1.2</version>
>       </extension>
>     </extensions>
>     <pluginManagement>
>       <plugins>
>         <plugin>
>           <groupId>org.apache.maven.plugins</groupId>
>           <artifactId>maven-archetype-plugin</artifactId>
>           <version>3.1.2</version>
>         </plugin>
>       </plugins>
>     </pluginManagement>
>   </build>
> </project>
> {noformat}
>  
> Running any goal, such as mvn -X clean, produces the following before the goal is executed:
> {noformat}
> [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, DefaultDependencyCollector.collectTime=66890900, DefaultDependencyCollector.transformTime=8523500}
> [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
> [DEBUG] org.codehaus.plexus:plexus-utils:jar:1.1:runtime
> {noformat}
>  
> As far as I can see, there is no declared dependency on plexus-utils:1.1.
>  
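The report above found the banned plexus-utils 1.1 by reading the artifact lines that `mvn -X clean` prints during dependency collection, and the comment suggests `mvn dependency:tree` for tracing where a dependency comes from. The following shell script is an added example, not code from this Jira thread or from the Maven project: it parses `mvn -X` artifact lines of the form `[DEBUG] groupId:artifactId:type[:classifier]:version[:scope]` (the format quoted in the issue) and reports every coordinate that matches a banned list, so a build log can be checked for a banned artifact before an organization's policy rejects it. The log sample and the banned list are constructed for the example; the assumption that a banned list is kept as plain `groupId:artifactId:version` lines is mine, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the Jira thread or from Maven itself.
# Scans the artifact lines that `mvn -X <goal>` prints during dependency
# collection and reports any coordinate that is on a banned list.
# Both the log sample and the banned list below are constructed.

# Constructed sample of `mvn -X clean` output, modelled on the lines quoted in
# MNG-6965; the stats line is left out and a second plugin is added so that
# the scan has something to ignore.
SAMPLE_LOG='[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
[DEBUG] org.apache.maven.plugins:maven-clean-plugin:jar:2.5:
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:3.0.24:compile'

# Constructed banned list, one groupId:artifactId:version per line. Only 1.1
# is named in the issue; the second entry shows the list may hold several.
BANNED='org.codehaus.plexus:plexus-utils:1.1
org.codehaus.plexus:plexus-utils:1.5.5'

# artifact_keys LOG
# Prints groupId:artifactId:version for every dependency-collection line,
# de-duplicated. Lines without a classifier have 5 colon-separated fields
# (the scope, or the trailing colon on a root line, counts as the fifth);
# lines with a classifier have 6, so the version sits one field later.
# Mojo lines such as "g:a:2.5:clean" have only 4 fields and are skipped.
artifact_keys() {
    printf '%s\n' "$1" | awk '
        $1 == "[DEBUG]" && index($2, ":") > 0 {
            m = split($2, f, ":")
            if (m < 5) next
            version = (m >= 6) ? f[5] : f[4]
            print f[1] ":" f[2] ":" version
        }' | sort -u
}

# find_banned LOG BANNED
# Prints each banned coordinate that occurs in LOG, in banned-list order.
find_banned() {
    keys=$(artifact_keys "$1")
    printf '%s\n' "$2" | while IFS= read -r banned; do
        [ -n "$banned" ] || continue
        # -F: literal match, -x: whole line, so 1.1 does not match 1.1.1
        printf '%s\n' "$keys" | grep -Fx -- "$banned" || true
    done
}

# Stand-alone use against a saved log and a policy file (both hypothetical):
#   find_banned "$(cat mvn-debug.log)" "$(cat banned.txt)"
hits=$(find_banned "$SAMPLE_LOG" "$BANNED")
if [ -n "$hits" ]; then
    printf 'banned artifact(s) pulled in:\n%s\n' "$hits"
else
    echo "no banned artifacts found"
fi
```

The scan works on the `-X` debug listing rather than on `dependency:tree` output, because that listing is where the reporter's extension dependency actually appeared; `dependency:tree` draws its output with tree characters and would need a different parser.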



--
This message was sent by Atlassian Jira
(v8.3.4#803005)