You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "James Howe (Jira)" <ji...@apache.org> on 2022/05/10 11:48:00 UTC
[jira] [Updated] (MENFORCER-417) requireUpperBoundDeps doesn't account for dependencyManagement
[ https://issues.apache.org/jira/browse/MENFORCER-417?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James Howe updated MENFORCER-417:
---------------------------------
Description:
{code:xml}
<rules>
<requireUpperBoundDeps/>
</rules>{code}
Example false-positive in a project using spring-boot-dependencies:
{noformat}
Failed while enforcing RequireUpperBoundDeps. The error(s) are [
Require upper bound dependencies error for org.slf4j:slf4j-api:1.7.36 paths to dependency are:
+-com.example:project:1.0-SNAPSHOT
+-org.springframework.security.extensions:spring-security-saml2-core:1.0.10.RELEASE
+-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:1.7.29
and
+-com.example:project:1.0-SNAPSHOT
+-com.github.zhanhb:thymeleaf-layout-dialect:3.0.0
+-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:1.7.32
and
+-com.example:project:1.0-SNAPSHOT
+-org.springframework.boot:spring-boot-starter-logging:2.6.7 (managed) <-- org.springframework.boot:spring-boot-starter-logging:2.6.7
+-org.slf4j:jul-to-slf4j:1.7.36 (managed) <-- org.slf4j:jul-to-slf4j:1.7.36
+-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:1.7.36
...
{noformat}
was:
{code:xml}
<rules>
<requireUpperBoundDeps/>
</rules>{code}
Example false-positive in a project using spring-boot-dependencies:
{noformat}
Require upper bound dependencies error for org.slf4j:slf4j-api:1.7.36 paths to dependency are:
+-com.example:project:1.0-SNAPSHOT
+-org.springframework.security.extensions:spring-security-saml2-core:1.0.10.RELEASE
+-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:1.7.29
and
+-com.example:project:1.0-SNAPSHOT
+-com.github.zhanhb:thymeleaf-layout-dialect:3.0.0
+-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:1.7.32
+-com.example:project:1.0-SNAPSHOT
+-org.springframework.boot:spring-boot-starter-actuator:2.6.7
+-org.springframework.boot:spring-boot-starter:2.6.7 (managed) <-- org.springframework.boot:spring-boot-starter:2.6.7
+-org.springframework.boot:spring-boot-starter-logging:2.6.7 (managed) <-- org.springframework.boot:spring-boot-starter-logging:2.6.7
+-org.slf4j:jul-to-slf4j:1.7.36 (managed) <-- org.slf4j:jul-to-slf4j:1.7.36
+-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:1.7.36
{noformat}
> requireUpperBoundDeps doesn't account for dependencyManagement
> --------------------------------------------------------------
>
> Key: MENFORCER-417
> URL: https://issues.apache.org/jira/browse/MENFORCER-417
> Project: Maven Enforcer Plugin
> Issue Type: Bug
> Components: Standard Rules
> Affects Versions: 3.0.0
> Reporter: James Howe
> Priority: Major
>
> {code:xml}
> <rules>
> <requireUpperBoundDeps/>
> </rules>{code}
> Example false-positive in a project using spring-boot-dependencies:
> {noformat}
> Failed while enforcing RequireUpperBoundDeps. The error(s) are [
> Require upper bound dependencies error for org.slf4j:slf4j-api:1.7.36 paths to dependency are:
> +-com.example:project:1.0-SNAPSHOT
> +-org.springframework.security.extensions:spring-security-saml2-core:1.0.10.RELEASE
> +-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:1.7.29
> and
> +-com.example:project:1.0-SNAPSHOT
> +-com.github.zhanhb:thymeleaf-layout-dialect:3.0.0
> +-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:1.7.32
> and
> +-com.example:project:1.0-SNAPSHOT
> +-org.springframework.boot:spring-boot-starter-logging:2.6.7 (managed) <-- org.springframework.boot:spring-boot-starter-logging:2.6.7
> +-org.slf4j:jul-to-slf4j:1.7.36 (managed) <-- org.slf4j:jul-to-slf4j:1.7.36
> +-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:1.7.36
> ...
> {noformat}
--
This message was sent by Atlassian Jira
(v8.20.7#820007)