[jira] [Commented] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17206897#comment-17206897 ] Michael Osipov commented on MNG-6965: - Found it, last issue is gone. All Its pass now. > archetype-packaging.jar:3.1.2 requires > org.codehaus.plexus:plexus-utils:jar:1.1 > --- > > Key: MNG-6965 > URL: https://issues.apache.org/jira/browse/MNG-6965 > Project: Maven > Issue Type: Bug > Components: Plugins and Lifecycle >Affects Versions: 3.6.0, 3.6.3 > Environment: Win7, Win10, at least one variant of Linux (not sure > which) >Reporter: Mark Nolan >Assignee: Sylwester Lachiewicz >Priority: Major > Labels: archetype > Fix For: 3.7.0 > > Attachments: pom.xml > > > A simple minimal archetype pom following the manual pages downloads > plexus-utils 1.1, even though it is not (apparently) declared anywhere. This > version is banned at my organization (edited to add: due to vulnerabilities), > meaning such a pom always fails. > > {code:xml} > http://maven.apache.org/POM/4.0.0; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; > xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 > http://maven.apache.org/xsd/maven-4.0.0.xsd;> > 4.0.0 > test > test > 0.0.1-SNAPSHOT > maven-archetype > test > > > > org.apache.maven.archetype > archetype-packaging > 3.1.2 > > > > > > org.apache.maven.plugins > maven-archetype-plugin > 3.1.2 > > > > > > {code} > Running any goal, such as mvn -X clean, produces the following before the > goal is executed: > {code} > [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, > ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, > ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, > ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, > ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, > DefaultDependencyCollector.collectTime=66890900, > DefaultDependencyCollector.transformTime=8523500} > [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2: > [DEBUG]org.codehaus.plexus:plexus-utils:jar:1.1:runtime > {code} > > As far as I can see, there is no declared dependency on plexus-utils:1.1. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17206865#comment-17206865 ] Michael Osipov commented on MNG-6965: - I am hanging for ours trying to understand why Plexus Utils is necessary. I think there is some hidden exception which make the loading fail for the IT MNG-2749. OR the entire IT is conceptionlly broken. > archetype-packaging.jar:3.1.2 requires > org.codehaus.plexus:plexus-utils:jar:1.1 > --- > > Key: MNG-6965 > URL: https://issues.apache.org/jira/browse/MNG-6965 > Project: Maven > Issue Type: Bug > Components: Plugins and Lifecycle >Affects Versions: 3.6.0, 3.6.3 > Environment: Win7, Win10, at least one variant of Linux (not sure > which) >Reporter: Mark Nolan >Assignee: Sylwester Lachiewicz >Priority: Major > Labels: archetype > Fix For: 3.7.0 > > Attachments: pom.xml > > > A simple minimal archetype pom following the manual pages downloads > plexus-utils 1.1, even though it is not (apparently) declared anywhere. This > version is banned at my organization (edited to add: due to vulnerabilities), > meaning such a pom always fails. > > {code:xml} > http://maven.apache.org/POM/4.0.0; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; > xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 > http://maven.apache.org/xsd/maven-4.0.0.xsd;> > 4.0.0 > test > test > 0.0.1-SNAPSHOT > maven-archetype > test > > > > org.apache.maven.archetype > archetype-packaging > 3.1.2 > > > > > > org.apache.maven.plugins > maven-archetype-plugin > 3.1.2 > > > > > > {code} > Running any goal, such as mvn -X clean, produces the following before the > goal is executed: > {code} > [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, > ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, > ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, > ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, > ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, > DefaultDependencyCollector.collectTime=66890900, > DefaultDependencyCollector.transformTime=8523500} > [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2: > [DEBUG]org.codehaus.plexus:plexus-utils:jar:1.1:runtime > {code} > > As far as I can see, there is no declared dependency on plexus-utils:1.1. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17206856#comment-17206856 ] Hudson commented on MNG-6965: - Build unstable in Jenkins: Maven » Maven TLP » maven » MNG-6965 #15 See https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven/job/MNG-6965/15/ > archetype-packaging.jar:3.1.2 requires > org.codehaus.plexus:plexus-utils:jar:1.1 > --- > > Key: MNG-6965 > URL: https://issues.apache.org/jira/browse/MNG-6965 > Project: Maven > Issue Type: Bug > Components: Plugins and Lifecycle >Affects Versions: 3.6.0, 3.6.3 > Environment: Win7, Win10, at least one variant of Linux (not sure > which) >Reporter: Mark Nolan >Assignee: Sylwester Lachiewicz >Priority: Major > Labels: archetype > Fix For: 3.7.0 > > Attachments: pom.xml > > > A simple minimal archetype pom following the manual pages downloads > plexus-utils 1.1, even though it is not (apparently) declared anywhere. This > version is banned at my organization (edited to add: due to vulnerabilities), > meaning such a pom always fails. > > {code:xml} > http://maven.apache.org/POM/4.0.0; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; > xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 > http://maven.apache.org/xsd/maven-4.0.0.xsd;> > 4.0.0 > test > test > 0.0.1-SNAPSHOT > maven-archetype > test > > > > org.apache.maven.archetype > archetype-packaging > 3.1.2 > > > > > > org.apache.maven.plugins > maven-archetype-plugin > 3.1.2 > > > > > > {code} > Running any goal, such as mvn -X clean, produces the following before the > goal is executed: > {code} > [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, > ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, > ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, > ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, > ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, > DefaultDependencyCollector.collectTime=66890900, > DefaultDependencyCollector.transformTime=8523500} > [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2: > [DEBUG]org.codehaus.plexus:plexus-utils:jar:1.1:runtime > {code} > > As far as I can see, there is no declared dependency on plexus-utils:1.1. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17206844#comment-17206844 ] Michael Osipov commented on MNG-6965: - After rebasing, I am down to: {noformat} [ERROR] Failures: [ERROR] MavenITmng2749ExtensionAvailableToPluginTest>AbstractMavenIntegrationTestCase.runTest:255->testitMNG2749:62 [INFO] [ERROR] Tests run: 849, Failures: 1, Errors: 0, Skipped: 0 {noformat} > archetype-packaging.jar:3.1.2 requires > org.codehaus.plexus:plexus-utils:jar:1.1 > --- > > Key: MNG-6965 > URL: https://issues.apache.org/jira/browse/MNG-6965 > Project: Maven > Issue Type: Bug > Components: Plugins and Lifecycle >Affects Versions: 3.6.0, 3.6.3 > Environment: Win7, Win10, at least one variant of Linux (not sure > which) >Reporter: Mark Nolan >Assignee: Sylwester Lachiewicz >Priority: Major > Labels: archetype > Fix For: 3.7.0 > > Attachments: pom.xml > > > A simple minimal archetype pom following the manual pages downloads > plexus-utils 1.1, even though it is not (apparently) declared anywhere. This > version is banned at my organization (edited to add: due to vulnerabilities), > meaning such a pom always fails. > > {code:xml} > http://maven.apache.org/POM/4.0.0; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; > xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 > http://maven.apache.org/xsd/maven-4.0.0.xsd;> > 4.0.0 > test > test > 0.0.1-SNAPSHOT > maven-archetype > test > > > > org.apache.maven.archetype > archetype-packaging > 3.1.2 > > > > > > org.apache.maven.plugins > maven-archetype-plugin > 3.1.2 > > > > > > {code} > Running any goal, such as mvn -X clean, produces the following before the > goal is executed: > {code} > [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, > ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, > ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, > ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, > ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, > DefaultDependencyCollector.collectTime=66890900, > DefaultDependencyCollector.transformTime=8523500} > [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2: > [DEBUG]org.codehaus.plexus:plexus-utils:jar:1.1:runtime > {code} > > As far as I can see, there is no declared dependency on plexus-utils:1.1. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17206841#comment-17206841 ] Michael Osipov commented on MNG-6965: - Failure for {{MavenITmng2749ExtensionAvailableToPluginTest}} is now gone > archetype-packaging.jar:3.1.2 requires > org.codehaus.plexus:plexus-utils:jar:1.1 > --- > > Key: MNG-6965 > URL: https://issues.apache.org/jira/browse/MNG-6965 > Project: Maven > Issue Type: Bug > Components: Plugins and Lifecycle >Affects Versions: 3.6.0, 3.6.3 > Environment: Win7, Win10, at least one variant of Linux (not sure > which) >Reporter: Mark Nolan >Assignee: Sylwester Lachiewicz >Priority: Major > Labels: archetype > Fix For: 3.7.0 > > Attachments: pom.xml > > > A simple minimal archetype pom following the manual pages downloads > plexus-utils 1.1, even though it is not (apparently) declared anywhere. This > version is banned at my organization (edited to add: due to vulnerabilities), > meaning such a pom always fails. > > {code:xml} > http://maven.apache.org/POM/4.0.0; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; > xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 > http://maven.apache.org/xsd/maven-4.0.0.xsd;> > 4.0.0 > test > test > 0.0.1-SNAPSHOT > maven-archetype > test > > > > org.apache.maven.archetype > archetype-packaging > 3.1.2 > > > > > > org.apache.maven.plugins > maven-archetype-plugin > 3.1.2 > > > > > > {code} > Running any goal, such as mvn -X clean, produces the following before the > goal is executed: > {code} > [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, > ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, > ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, > ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, > ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, > DefaultDependencyCollector.collectTime=66890900, > DefaultDependencyCollector.transformTime=8523500} > [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2: > [DEBUG]org.codehaus.plexus:plexus-utils:jar:1.1:runtime > {code} > > As far as I can see, there is no declared dependency on plexus-utils:1.1. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17206721#comment-17206721 ] Michael Osipov commented on MNG-6965: - Pushed an IT branch, down to: {noformat} [ERROR] Failures: [ERROR] MavenITmng2749ExtensionAvailableToPluginTest>AbstractMavenIntegrationTestCase.runTest:255->testitMNG2749:62 [ERROR] Errors: [ERROR] MavenITmng6772NestedImportScopeRepositoryOverride>AbstractMavenIntegrationTestCase.runTest:255->testitInDependency:74 » Verification [ERROR] MavenITmng6772NestedImportScopeRepositoryOverride>AbstractMavenIntegrationTestCase.runTest:255->testitInProject:57 » Verification [INFO] [ERROR] Tests run: 849, Failures: 1, Errors: 2, Skipped: 0 {noformat} > archetype-packaging.jar:3.1.2 requires > org.codehaus.plexus:plexus-utils:jar:1.1 > --- > > Key: MNG-6965 > URL: https://issues.apache.org/jira/browse/MNG-6965 > Project: Maven > Issue Type: Bug > Components: Plugins and Lifecycle >Affects Versions: 3.6.0, 3.6.3 > Environment: Win7, Win10, at least one variant of Linux (not sure > which) >Reporter: Mark Nolan >Assignee: Sylwester Lachiewicz >Priority: Major > Labels: archetype > Fix For: 3.7.0 > > Attachments: pom.xml > > > A simple minimal archetype pom following the manual pages downloads > plexus-utils 1.1, even though it is not (apparently) declared anywhere. This > version is banned at my organization (edited to add: due to vulnerabilities), > meaning such a pom always fails. > > {code:xml} > http://maven.apache.org/POM/4.0.0; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; > xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 > http://maven.apache.org/xsd/maven-4.0.0.xsd;> > 4.0.0 > test > test > 0.0.1-SNAPSHOT > maven-archetype > test > > > > org.apache.maven.archetype > archetype-packaging > 3.1.2 > > > > > > org.apache.maven.plugins > maven-archetype-plugin > 3.1.2 > > > > > > {code} > Running any goal, such as mvn -X clean, produces the following before the > goal is executed: > {code} > [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, > ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, > ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, > ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, > ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, > DefaultDependencyCollector.collectTime=66890900, > DefaultDependencyCollector.transformTime=8523500} > [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2: > [DEBUG]org.codehaus.plexus:plexus-utils:jar:1.1:runtime > {code} > > As far as I can see, there is no declared dependency on plexus-utils:1.1. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17163321#comment-17163321 ] Mark Nolan commented on MNG-6965: - {quote}It's injected by [https://github.com/apache/maven/blob/master/maven-core/src/main/java/org/apache/maven/plugin/internal/PlexusUtilsInjector.java] {quote} Well, having looked at that and read the comment in the code, I am left somewhat in disbelief! It is extraordinary to have such a fixed dependency. I realise that the situation of plexus-utils:1.1 being blocked may be a specific situation for my company, but we cannot be unique. That version is very old and it has multiple vulnerabilities. It isn't fit for purpose in a corporate environment. Indeed, we should all be avoiding vulnerable software and baking in such a dependency is a bad idea. But, in addition, this seems like a very poor way to solve the problem. If a plugin (in this case an extension, but I assume the same process applies) requires a dependency on plexus-utils, then that should be enforced, not slipped in under the covers. My proposals for resolving this would be, in order of preference: # This is required for Maven 2.x compatibility. Simply remove it. Maven 2 was EOL 2014. # If extensions continue to have an implicit dependency on plexus-utils, make it explicit. All extensions and plug-ins must declare such a dependency or fail. Change the injector to throw an exception if the dependency is not found. # If really worried about how many are using this implicit dependency, then at least make it respect any dependencyManagement declaration. In this case, that would result in 3.2.0 being used by archetype-packaging. # Add an explicit dependency to archetype-packaging so that the version of plexus-utils respects the version in the parent pom. I don't see "do nothing" as an option. > archetype-packaging.jar:3.1.2 requires > org.codehaus.plexus:plexus-utils:jar:1.1 > --- > > Key: MNG-6965 > URL: https://issues.apache.org/jira/browse/MNG-6965 > Project: Maven > Issue Type: Bug > Components: Plugins and Lifecycle >Affects Versions: 3.6.0, 3.6.3 > Environment: Win7, Win10, at least one variant of Linux (not sure > which) >Reporter: Mark Nolan >Priority: Major > Labels: archetype > Attachments: pom.xml > > > A simple minimal archetype pom following the manual pages downloads > plexus-utils 1.1, even though it is not (apparently) declared anywhere. This > version is banned at my organization (edited to add: due to vulnerabilities), > meaning such a pom always fails. > > {code:xml} > http://maven.apache.org/POM/4.0.0; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; > xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 > http://maven.apache.org/xsd/maven-4.0.0.xsd;> > 4.0.0 > test > test > 0.0.1-SNAPSHOT > maven-archetype > test > > > > org.apache.maven.archetype > archetype-packaging > 3.1.2 > > > > > > org.apache.maven.plugins > maven-archetype-plugin > 3.1.2 > > > > > > {code} > Running any goal, such as mvn -X clean, produces the following before the > goal is executed: > {code} > [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, > ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, > ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, > ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, > ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, > DefaultDependencyCollector.collectTime=66890900, > DefaultDependencyCollector.transformTime=8523500} > [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2: > [DEBUG]org.codehaus.plexus:plexus-utils:jar:1.1:runtime > {code} > > As far as I can see, there is no declared dependency on plexus-utils:1.1. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17163110#comment-17163110 ] Sylwester Lachiewicz commented on MNG-6965: --- It's injected by [https://github.com/apache/maven/blob/master/maven-core/src/main/java/org/apache/maven/plugin/internal/PlexusUtilsInjector.java] > archetype-packaging.jar:3.1.2 requires > org.codehaus.plexus:plexus-utils:jar:1.1 > --- > > Key: MNG-6965 > URL: https://issues.apache.org/jira/browse/MNG-6965 > Project: Maven > Issue Type: Bug > Components: Plugins and Lifecycle >Affects Versions: 3.6.0, 3.6.3 > Environment: Win7, Win10, at least one variant of Linux (not sure > which) >Reporter: Mark Nolan >Priority: Major > Labels: archetype > Attachments: pom.xml > > > A simple minimal archetype pom following the manual pages downloads > plexus-utils 1.1, even though it is not (apparently) declared anywhere. This > version is banned at my organization (edited to add: due to vulnerabilities), > meaning such a pom always fails. > > {code:xml} > http://maven.apache.org/POM/4.0.0; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; > xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 > http://maven.apache.org/xsd/maven-4.0.0.xsd;> > 4.0.0 > test > test > 0.0.1-SNAPSHOT > maven-archetype > test > > > > org.apache.maven.archetype > archetype-packaging > 3.1.2 > > > > > > org.apache.maven.plugins > maven-archetype-plugin > 3.1.2 > > > > > > {code} > Running any goal, such as mvn -X clean, produces the following before the > goal is executed: > {code} > [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, > ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, > ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, > ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, > ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, > DefaultDependencyCollector.collectTime=66890900, > DefaultDependencyCollector.transformTime=8523500} > [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2: > [DEBUG]org.codehaus.plexus:plexus-utils:jar:1.1:runtime > {code} > > As far as I can see, there is no declared dependency on plexus-utils:1.1. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17162755#comment-17162755 ] Dennis Lundberg commented on MNG-6965: -- My guess is that the components.xml file used to declare Plexus components, somehow has a (runtime?) dependency on plexus-utils. We need someone who knows Plexus to answer this. > archetype-packaging.jar:3.1.2 requires > org.codehaus.plexus:plexus-utils:jar:1.1 > --- > > Key: MNG-6965 > URL: https://issues.apache.org/jira/browse/MNG-6965 > Project: Maven > Issue Type: Bug > Components: Plugins and Lifecycle >Affects Versions: 3.6.0, 3.6.3 > Environment: Win7, Win10, at least one variant of Linux (not sure > which) >Reporter: Mark Nolan >Priority: Major > Labels: archetype > Attachments: pom.xml > > > A simple minimal archetype pom following the manual pages downloads > plexus-utils 1.1, even though it is not (apparently) declared anywhere. This > version is banned at my organization (edited to add: due to vulnerabilities), > meaning such a pom always fails. > > {code:xml} > http://maven.apache.org/POM/4.0.0; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; > xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 > http://maven.apache.org/xsd/maven-4.0.0.xsd;> > 4.0.0 > test > test > 0.0.1-SNAPSHOT > maven-archetype > test > > > > org.apache.maven.archetype > archetype-packaging > 3.1.2 > > > > > > org.apache.maven.plugins > maven-archetype-plugin > 3.1.2 > > > > > > {code} > Running any goal, such as mvn -X clean, produces the following before the > goal is executed: > {code} > [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, > ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, > ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, > ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, > ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, > DefaultDependencyCollector.collectTime=66890900, > DefaultDependencyCollector.transformTime=8523500} > [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2: > [DEBUG]org.codehaus.plexus:plexus-utils:jar:1.1:runtime > {code} > > As far as I can see, there is no declared dependency on plexus-utils:1.1. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17162676#comment-17162676 ] Mark Nolan commented on MNG-6965: - If I create a version of the extension (archetype-packaging) with an explicit dependency on plexus-utils, it is resolved by the parent pom to be version 3.2.0, which works fine. > archetype-packaging.jar:3.1.2 requires > org.codehaus.plexus:plexus-utils:jar:1.1 > --- > > Key: MNG-6965 > URL: https://issues.apache.org/jira/browse/MNG-6965 > Project: Maven > Issue Type: Bug > Components: Plugins and Lifecycle >Affects Versions: 3.6.0, 3.6.3 > Environment: Win7, Win10, at least one variant of Linux (not sure > which) >Reporter: Mark Nolan >Priority: Major > Labels: archetype > Attachments: pom.xml > > > A simple minimal archetype pom following the manual pages downloads > plexus-utils 1.1, even though it is not (apparently) declared anywhere. This > version is banned at my organization (edited to add: due to vulnerabilities), > meaning such a pom always fails. > > {code:xml} > http://maven.apache.org/POM/4.0.0; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; > xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 > http://maven.apache.org/xsd/maven-4.0.0.xsd;> > 4.0.0 > test > test > 0.0.1-SNAPSHOT > maven-archetype > test > > > > org.apache.maven.archetype > archetype-packaging > 3.1.2 > > > > > > org.apache.maven.plugins > maven-archetype-plugin > 3.1.2 > > > > > > {code} > Running any goal, such as mvn -X clean, produces the following before the > goal is executed: > {code} > [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, > ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, > ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, > ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, > ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, > DefaultDependencyCollector.collectTime=66890900, > DefaultDependencyCollector.transformTime=8523500} > [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2: > [DEBUG]org.codehaus.plexus:plexus-utils:jar:1.1:runtime > {code} > > As far as I can see, there is no declared dependency on plexus-utils:1.1. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17161912#comment-17161912 ] Mark Nolan commented on MNG-6965: - {quote}Why do you consider this to be a bug? It is obviously a transitive dependency, isn't it? {quote} Because I cannot find any declaration of this as a dependency. It is not declared in the pom for {{archetype-packaging}} and the parent has a {{dependencyManagement}} section with 3.2.0 declared. But there is simply no reference to it in a {{dependencies}} section as far as I can see. Also, it is a *very* old version and I can't find any other recent dependencies on this version. [~dennisl], as I think you've found by now, {{dependency:tree}} doesn't reveal anything because it is not a transitive dependency of the project. And {{dependency:resolve-plugins}} also doesn't reveal anything because it is not a dependency of any of the plugins. I am not really familiar with how Maven resolves different {{packaging}}, but it looks like that is where it is being evaluated. And, yes, it is the vulnerabilities that prevent me using plexus-utils:1.1 > archetype-packaging.jar:3.1.2 requires > org.codehaus.plexus:plexus-utils:jar:1.1 > --- > > Key: MNG-6965 > URL: https://issues.apache.org/jira/browse/MNG-6965 > Project: Maven > Issue Type: Bug > Components: Plugins and Lifecycle >Affects Versions: 3.6.0, 3.6.3 > Environment: Win7, Win10, at least one variant of Linux (not sure > which) >Reporter: Mark Nolan >Priority: Major > Labels: archetype > Attachments: pom.xml > > > A simple minimal archetype pom following the manual pages downloads > plexus-utils 1.1, even though it is not (apparently) declared anywhere. This > version is banned at my organization, meaning such a pom always fails. > {{http://maven.apache.org/POM/4.0.0"}} > {{xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"}} > {{xsi:schemaLocation="http://maven.apache.org/POM/4.0.0}} > {{[http://maven.apache.org/xsd/maven-4.0.0.xsd];>}} > {{4.0.0}} > {{test}} > {{test}} > {{0.0.1-SNAPSHOT}} > {{maven-archetype}} > {{test}} > {{}} > {{ }} > {{}} > {{org.apache.maven.archetype}} > {{archetype-packaging}} > {{3.1.2}} > {{}} > {{}} > {{}} > {{}} > {{}} > {{org.apache.maven.plugins}} > {{maven-archetype-plugin}} > {{3.1.2}} > {{}} > {{}} > {{}} > {{}} > {{}} > > Running any goal, such as mvn -X clean, produces the following before the > goal is executed: > {{[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, > ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, > ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, > ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, > ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, > DefaultDependencyCollector.collectTime=66890900, > DefaultDependencyCollector.transformTime=8523500}}} > {{[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:}} > {{[DEBUG] org.codehaus.plexus:plexus-utils:jar:1.1:runtime}} > > As far as I can see, there is no declared dependency on plexus-utils:1.1. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17161889#comment-17161889 ] Dennis Lundberg commented on MNG-6965: -- I can confirm that plexus-utils:1.1 gets downloaded using Maven 3.6.3 with a clean repo and the command line: mvn clean for the attached project. However I have not been able to establish why. > archetype-packaging.jar:3.1.2 requires > org.codehaus.plexus:plexus-utils:jar:1.1 > --- > > Key: MNG-6965 > URL: https://issues.apache.org/jira/browse/MNG-6965 > Project: Maven > Issue Type: Bug > Components: Plugins and Lifecycle >Affects Versions: 3.6.0, 3.6.3 > Environment: Win7, Win10, at least one variant of Linux (not sure > which) >Reporter: Mark Nolan >Priority: Major > Labels: archetype > Attachments: pom.xml > > > A simple minimal archetype pom following the manual pages downloads > plexus-utils 1.1, even though it is not (apparently) declared anywhere. This > version is banned at my organization, meaning such a pom always fails. > {{http://maven.apache.org/POM/4.0.0"}} > {{xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"}} > {{xsi:schemaLocation="http://maven.apache.org/POM/4.0.0}} > {{[http://maven.apache.org/xsd/maven-4.0.0.xsd];>}} > {{4.0.0}} > {{test}} > {{test}} > {{0.0.1-SNAPSHOT}} > {{maven-archetype}} > {{test}} > {{}} > {{ }} > {{}} > {{org.apache.maven.archetype}} > {{archetype-packaging}} > {{3.1.2}} > {{}} > {{}} > {{}} > {{}} > {{}} > {{org.apache.maven.plugins}} > {{maven-archetype-plugin}} > {{3.1.2}} > {{}} > {{}} > {{}} > {{}} > {{}} > > Running any goal, such as mvn -X clean, produces the following before the > goal is executed: > {{[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, > ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, > ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, > ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, > ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, > DefaultDependencyCollector.collectTime=66890900, > DefaultDependencyCollector.transformTime=8523500}}} > {{[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:}} > {{[DEBUG] org.codehaus.plexus:plexus-utils:jar:1.1:runtime}} > > As far as I can see, there is no declared dependency on plexus-utils:1.1. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17161836#comment-17161836 ] Dennis Lundberg commented on MNG-6965: -- I guess that the reason it is banned because of vulnerabilities? https://snyk.io/vuln/maven:org.codehaus.plexus%3Aplexus-utils A good way to find out from where a dependency is pulled in is to use this command on the project that is pulling the dependency in question. In this case archetype-packaging: {noformat} mvn dependency:tree {noformat} > archetype-packaging.jar:3.1.2 requires > org.codehaus.plexus:plexus-utils:jar:1.1 > --- > > Key: MNG-6965 > URL: https://issues.apache.org/jira/browse/MNG-6965 > Project: Maven > Issue Type: Bug > Components: Plugins and Lifecycle >Affects Versions: 3.6.0, 3.6.3 > Environment: Win7, Win10, at least one variant of Linux (not sure > which) >Reporter: Mark Nolan >Priority: Major > Labels: archetype > Attachments: pom.xml > > > A simple minimal archetype pom following the manual pages downloads > plexus-utils 1.1, even though it is not (apparently) declared anywhere. This > version is banned at my organization, meaning such a pom always fails. > {{http://maven.apache.org/POM/4.0.0"}} > {{xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"}} > {{xsi:schemaLocation="http://maven.apache.org/POM/4.0.0}} > {{[http://maven.apache.org/xsd/maven-4.0.0.xsd];>}} > {{4.0.0}} > {{test}} > {{test}} > {{0.0.1-SNAPSHOT}} > {{maven-archetype}} > {{test}} > {{}} > {{ }} > {{}} > {{org.apache.maven.archetype}} > {{archetype-packaging}} > {{3.1.2}} > {{}} > {{}} > {{}} > {{}} > {{}} > {{org.apache.maven.plugins}} > {{maven-archetype-plugin}} > {{3.1.2}} > {{}} > {{}} > {{}} > {{}} > {{}} > > Running any goal, such as mvn -X clean, produces the following before the > goal is executed: > {{[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, > ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, > ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, > ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, > ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, > DefaultDependencyCollector.collectTime=66890900, > DefaultDependencyCollector.transformTime=8523500}}} > {{[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:}} > {{[DEBUG] org.codehaus.plexus:plexus-utils:jar:1.1:runtime}} > > As far as I can see, there is no declared dependency on plexus-utils:1.1. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MNG-6965) archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17161762#comment-17161762 ] Michael Osipov commented on MNG-6965: - Why do you consider this to be a bug? It is obviously a transitive dependency, isn't it? > archetype-packaging.jar:3.1.2 requires > org.codehaus.plexus:plexus-utils:jar:1.1 > --- > > Key: MNG-6965 > URL: https://issues.apache.org/jira/browse/MNG-6965 > Project: Maven > Issue Type: Bug > Components: Plugins and Lifecycle >Affects Versions: 3.6.0, 3.6.3 > Environment: Win7, Win10, at least one variant of Linux (not sure > which) >Reporter: Mark Nolan >Priority: Major > Labels: archetype > Attachments: pom.xml > > > A simple minimal archetype pom following the manual pages downloads > plexus-utils 1.1, even though it is not (apparently) declared anywhere. This > version is banned at my organization, meaning such a pom always fails. > {{http://maven.apache.org/POM/4.0.0"}} > {{xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"}} > {{xsi:schemaLocation="http://maven.apache.org/POM/4.0.0}} > {{[http://maven.apache.org/xsd/maven-4.0.0.xsd];>}} > {{4.0.0}} > {{test}} > {{test}} > {{0.0.1-SNAPSHOT}} > {{maven-archetype}} > {{test}} > {{}} > {{ }} > {{}} > {{org.apache.maven.archetype}} > {{archetype-packaging}} > {{3.1.2}} > {{}} > {{}} > {{}} > {{}} > {{}} > {{org.apache.maven.plugins}} > {{maven-archetype-plugin}} > {{3.1.2}} > {{}} > {{}} > {{}} > {{}} > {{}} > > Running any goal, such as mvn -X clean, produces the following before the > goal is executed: > {{[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, > ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, > ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, > ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, > ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, > DefaultDependencyCollector.collectTime=66890900, > DefaultDependencyCollector.transformTime=8523500}}} > {{[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:}} > {{[DEBUG] org.codehaus.plexus:plexus-utils:jar:1.1:runtime}} > > As far as I can see, there is no declared dependency on plexus-utils:1.1. > -- This message was sent by Atlassian Jira (v8.3.4#803005)