Posted to issues@maven.apache.org by "Slawomir Jaranowski (Jira)" <ji...@apache.org> on 2022/12/25 09:09:00 UTC
[jira] [Updated] (MENFORCER-434) Version 3.1.0 is not enforcing bannedDependencies rules
[ https://issues.apache.org/jira/browse/MENFORCER-434?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Slawomir Jaranowski updated MENFORCER-434:
------------------------------------------
Fix Version/s: 3.2.0
> Version 3.1.0 is not enforcing bannedDependencies rules
> -------------------------------------------------------
>
> Key: MENFORCER-434
> URL: https://issues.apache.org/jira/browse/MENFORCER-434
> Project: Maven Enforcer Plugin
> Issue Type: Bug
> Affects Versions: 3.1.0
> Reporter: Chris
> Priority: Major
> Fix For: 3.2.0
>
> Attachments: pom-enforced.xml, pom-not-enforced.xml
>
>
> I've been testing rules regarding log4j and have found that {{bannedDependencies}} behaves differently between version 3.0.0 and 3.1.0.
> My relevant section, where I'm purposely creating a failure case by banning log4j2 versions less than "3", as well as any log4j 1.x:
> NOTE: the following configuration is using version 3.0.0 of maven-enforcer-plugin.
> {code:java}
> <plugin>
>   <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
>   <groupId>org.apache.maven.plugins</groupId>
>   <artifactId>maven-enforcer-plugin</artifactId>
>   <version>3.0.0</version>
>   <executions>
>     <execution>
>       <id>enforce-versions</id>
>       <goals>
>         <goal>enforce</goal>
>       </goals>
>       <configuration>
>         <fail>true</fail>
>         <rules>
>           <bannedPlugins>
>             <!-- will only display a warning but does not fail the build. -->
>             <level>WARN</level>
>             <excludes>
>               <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
>             </excludes>
>             <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
>           </bannedPlugins>
>           <bannedDependencies>
>             <searchTransitive>true</searchTransitive>
>             <excludes>
>               <!--
>                 Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html
>                 - Ban Log4j less than "3"
>               -->
>               <exclude>org.apache.logging.log4j:*:(,3)</exclude>
>               <exclude>log4j:log4j</exclude>
>             </excludes>
>           </bannedDependencies>
>           <requireMavenVersion>
>             <version>3.8.2</version>
>           </requireMavenVersion>
>           <requireJavaVersion>
>             <version>1.8.0-202</version>
>           </requireJavaVersion>
>         </rules>
>       </configuration>
>     </execution>
>   </executions>
> </plugin>
> {code}
> This results in a positive failure:
> {code:java}
> [INFO] --- maven-enforcer-plugin:3.0.0:enforce (enforce-versions) @ xxx-xxxxx-xxx ---
> [WARNING] Rule 1: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
> Found Banned Dependency: org.apache.logging.log4j:log4j-core:jar:2.19.0
> Found Banned Dependency: org.apache.logging.log4j:log4j-jul:jar:2.19.0
> Found Banned Dependency: org.apache.logging.log4j:log4j-api:jar:2.19.0
> Found Banned Dependency: log4j:log4j:jar:1.2.17
> Found Banned Dependency: org.apache.logging.log4j:log4j-slf4j-impl:jar:2.19.0
> Use 'mvn dependency:tree' to locate the source of the banned dependencies.
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD FAILURE
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 0.516 s
> [INFO] Finished at: 2022-09-30T15:06:57-07:00
> [INFO] ------------------------------------------------------------------------
> {code}
> However, after only changing the version of maven-enforcer-plugin from 3.0.0 to 3.1.0, the rule does not fail:
> {code:java}
> <plugin>
>   <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
>   <groupId>org.apache.maven.plugins</groupId>
>   <artifactId>maven-enforcer-plugin</artifactId>
>   <version>3.1.0</version>
>   <executions>
>     <execution>
>       <id>enforce-versions</id>
>       <goals>
>         <goal>enforce</goal>
>       </goals>
>       <configuration>
>         <fail>true</fail>
>         <rules>
>           <bannedPlugins>
>             <!-- will only display a warning but does not fail the build. -->
>             <level>WARN</level>
>             <excludes>
>               <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
>             </excludes>
>             <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
>           </bannedPlugins>
>           <bannedDependencies>
>             <searchTransitive>true</searchTransitive>
>             <excludes>
>               <!--
>                 Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html
>                 - Ban Log4j less than "3"
>               -->
>               <exclude>org.apache.logging.log4j:*:(,3)</exclude>
>               <exclude>log4j:log4j</exclude>
>             </excludes>
>           </bannedDependencies>
>           <requireMavenVersion>
>             <version>3.8.2</version>
>           </requireMavenVersion>
>           <requireJavaVersion>
>             <version>1.8.0-202</version>
>           </requireJavaVersion>
>         </rules>
>       </configuration>
>     </execution>
>   </executions>
> </plugin>
> {code}
>
> {code:java}
> [INFO] --- maven-enforcer-plugin:3.1.0:enforce (enforce-versions) @ xxx-xxxxx-xxx ---
> [INFO]
> {code}
> ... and the build continues
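The report above shows why a ban rule that silently passes is dangerous: the build goes green while the banned artifacts are still on the classpath. The following Python script is an added example, not code from the Maven Enforcer Plugin or from the reporter. It is a simplified reimplementation of how a `bannedDependencies` exclude pattern (`groupId[:artifactId[:version]]`, with `*` globs and Maven bracket ranges such as `(,3)`) is matched against resolved coordinates, so that a CI job can cross-check the enforcer's verdict independently. The dependency lines are constructed in the `groupId:artifactId:type:version:scope` shape that `mvn dependency:list` prints; the version comparison is a simplified stand-in for Maven's ComparableVersion (numeric segments, trailing zeros ignored, any qualifier ranks below the plain release).

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the shape printed by `mvn dependency:list`
# (not the reporter's actual tree; the 3.0.0-SNAPSHOT line is hypothetical).
SAMPLE_DEPENDENCIES = [
    "org.apache.logging.log4j:log4j-core:jar:2.19.0:compile",
    "org.apache.logging.log4j:log4j-api:jar:2.19.0:compile",
    "log4j:log4j:jar:1.2.17:compile",
    "org.slf4j:slf4j-api:jar:2.0.6:compile",
    "org.apache.logging.log4j:log4j-core:jar:3.0.0-SNAPSHOT:compile",
]

# The same excludes the reporter configured in the enforcer rule.
EXCLUDES = ["org.apache.logging.log4j:*:(,3)", "log4j:log4j"]


def _tokens(version: str) -> Tuple[List[int], str]:
    """Split '2.19.0-beta1' into numeric segments and a lower-cased qualifier."""
    main, _, qualifier = version.partition("-")
    nums = [int(p) for p in re.findall(r"\d+", main)]
    while nums and nums[-1] == 0:
        nums.pop()  # Maven treats 3.0.0 and 3 as the same version
    return nums, qualifier.lower()


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 like a comparator. Simplified Maven ordering:
    numeric segments first; a plain release outranks any pre-release qualifier."""
    na, qa = _tokens(a)
    nb, qb = _tokens(b)
    if na != nb:
        return -1 if na < nb else 1
    if qa == qb:
        return 0
    if not qa:
        return 1
    if not qb:
        return -1
    return -1 if qa < qb else 1


_RANGE = re.compile(r"([\[(])\s*([^,\]\)]*)\s*,\s*([^,\]\)]*)\s*([\])])")
_EXACT = re.compile(r"\[\s*([^,\]]+)\s*\]")


def version_matches(pattern: str, version: str) -> bool:
    """Match a version against '*', a bracket range like '(,3)' or '[1.0,2.0)',
    a pinned range '[1.2]', or a bare version (exact match)."""
    if pattern == "*":
        return True
    m = _RANGE.fullmatch(pattern)
    if m is None:
        exact = _EXACT.fullmatch(pattern)
        target = exact.group(1) if exact else pattern
        return compare_versions(version, target) == 0
    lo_open, lo, hi, hi_close = m.groups()
    if lo:
        c = compare_versions(version, lo)
        if c < 0 or (c == 0 and lo_open == "("):
            return False
    if hi:
        c = compare_versions(version, hi)
        if c > 0 or (c == 0 and hi_close == ")"):
            return False
    return True


def _glob(pattern: str, value: str) -> bool:
    """'*' in an exclude pattern matches any run of characters."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None


def coordinate_matches(exclude: str, coordinate: str) -> bool:
    """exclude: groupId[:artifactId[:version]]; coordinate: groupId:artifactId:type:version[:scope]."""
    parts = exclude.split(":")
    group, artifact, version = (parts + ["*", "*"])[:3]
    fields = coordinate.split(":")
    if len(fields) < 4:
        return False  # not a resolved coordinate line, ignore it
    cg, ca, _ctype, cv = fields[:4]
    return _glob(group, cg) and _glob(artifact, ca) and version_matches(version, cv)


def banned_dependencies(coordinates: List[str], excludes: List[str]) -> List[str]:
    """Return every coordinate hit by at least one exclude, in input order."""
    found = []
    for line in coordinates:
        coord = line.strip()
        if any(coordinate_matches(e, coord) for e in excludes):
            found.append(coord)
    return found


if __name__ == "__main__":
    hits = banned_dependencies(SAMPLE_DEPENDENCIES, EXCLUDES)
    for h in hits:
        print("Found Banned Dependency:", h)
    raise SystemExit(1 if hits else 0)
```

Run it after `mvn dependency:list` with the list piped in place of `SAMPLE_DEPENDENCIES`, and fail the pipeline on a non-zero exit; if the enforcer reports nothing while this check finds hits, the rule is not being evaluated, which is exactly the 3.1.0 behaviour the reporter describes. Note that `(,3)` bans a `3.0.0-SNAPSHOT` but not a `3.0.0` release, because the upper bound is exclusive and pre-release qualifiers sort below the release.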
--
This message was sent by Atlassian Jira
(v8.20.10#820010)