Wednesday, October 19, 2016

Maven Dependency Exclusion

Consider the case where you are using Log4j 2, but a dependency you are adding, for CXF or something similar, brings in Log4j 1.x.

You miss out on a lot of new functionality because the logger still refers to the old version.

Obviously you need to remove the transitive dependency, but how do you identify which dependencies bring it in?

mvn dependency:tree -Dverbose -Dincludes=log4j:log4j

The pattern passed to -Dincludes has the form [groupId]:[artifactId]:[type]:[version]; see
http://maven.apache.org/plugins/maven-dependency-plugin/examples/filtering-the-dependency-tree.html

The command shows you the dependency tree, but only the relevant excerpt. Using this information, you can now add your exclusions to the affected pom.xml files.

For example:

<!-- CXF dependencies -->
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-java2wadl-plugin</artifactId>
    <version>${cxf-version}</version>
    <exclusions>
        <exclusion>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
        </exclusion>
    </exclusions>
</dependency>

Then you can use the maven-enforcer-plugin to enforce that the dependency must be at a given version or above; the build fails if a banned version is resolved:

<build>
    <plugins>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-enforcer-plugin</artifactId>
            <version>1.3.1</version>
            <executions>
                <execution>
                    <id>enforce-version</id>
                    <goals>
                        <goal>enforce</goal>
                    </goals>
                    <configuration>
                        <rules>
                            <bannedDependencies>
                                <excludes>
                                    <!-- ban all versions lower than 1.2.17 -->
                                    <exclude>log4j:log4j:[0.0,1.2.17)</exclude>
                                </excludes>
                            </bannedDependencies>
                        </rules>
                    </configuration>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

Finally, run the Maven Site plugin to generate the dependency site.
https://maven.apache.org/plugins/maven-site-plugin/

If you follow these steps, the POM should be clean by now.
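
As an added example (not part of the original post), this Python script reads the output of `mvn dependency:tree -Dverbose -Dincludes=log4j:log4j` and reports which direct dependency needs the exclusion, and whether the version found falls inside the banned range `[0.0,1.2.17)`. The sample tree, the `com.example` artifacts and every version number in it are constructed for illustration; the version comparison handles plain dotted numbers only.

```python
import re

# One tree line: "[INFO] ", 3-character indent cells, an optional "(" used by
# -Dverbose for omitted entries, then groupId:artifactId:type[:classifier]:version[:scope]
TREE_LINE = re.compile(r"^\[INFO\] ((?:[|+\\ ][- ] )*)\(?([^\s:()]+(?::[^\s:()]+){3,5})")

# Constructed sample output (artifact chain and versions are made up)
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.apache.cxf:cxf-java2wadl-plugin:jar:3.1.7:compile
[INFO] |  \- com.example:legacy-util:jar:2.0:compile
[INFO] |     \- log4j:log4j:jar:1.2.14:compile
[INFO] \- com.example:reporting:jar:1.4:compile
[INFO]    \- (log4j:log4j:jar:1.2.17:compile - omitted for conflict with 1.2.14)
[INFO] BUILD SUCCESS
"""

def below(version, floor):
    """True if a plain dotted numeric version sorts before floor (qualifiers not handled)."""
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return as_tuple(version) < as_tuple(floor)

def find_offenders(tree_text, banned="log4j:log4j", floor="1.2.17"):
    """Return one dict per path reaching `banned`: the direct dependency that needs
    the <exclusion>, the version found, and whether the enforcer range bans it."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue                          # plugin banner, BUILD SUCCESS, blank lines
        depth = len(m.group(1)) // 3          # root = 0, direct dependencies = 1
        parts = m.group(2).split(":")
        ga = ":".join(parts[:2])
        del stack[depth:]                     # discard nodes left over from the previous path
        stack.append(ga)
        if ga == banned and depth >= 1:
            version = parts[-2]               # scope is the last field on dependency lines
            hits.append({"exclude_from": stack[1], "version": version,
                         "path": list(stack), "banned": below(version, floor)})
    return hits

if __name__ == "__main__":
    for hit in find_offenders(SAMPLE_TREE):
        print(" -> ".join(hit["path"]), hit["version"],
              "BANNED" if hit["banned"] else "allowed")
```

Each `exclude_from` value is the dependency in your own pom.xml that should carry the `<exclusion>` block, even when the old artifact arrives several levels down.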
