> On 5 Dec 2024, at 17:30, Tamás Cservenák <ta...@cservenak.net> wrote:
>
> And... Can you tell us how these dependencies come into play?
>
> Can you paste the (in color or in bw -- for Manfred) output of the
> tree command?
>
> Thanks
> T

Tamás,

I’ve observed the same in OWASP Dependency Check maven plugin (though nowadays only for libraries that the plugin-plugin does not complain about as the items getting complained about have been explicitly added to the pom.xml to make them provided scoped)… a single example from that to reduce the noise of a large dependency tree:

aikebah@rajah maven % mvn dependency:tree -Dincludes=org.apache.maven.resolver:maven-resolver-api
[INFO] Scanning for projects...
[INFO] Inspecting build with total of 1 modules...
[INFO] Installing Nexus Staging features:
[INFO]   ... total of 1 executions of maven-deploy-plugin replaced with nexus-staging-maven-plugin
[INFO]
[INFO] ------------------< org.owasp:dependency-check-maven >------------------
[INFO] Building Dependency-Check Maven Plugin 11.1.1-SNAPSHOT
[INFO]   from pom.xml
[INFO] ----------------------------[ maven-plugin ]----------------------------
[INFO]
[INFO] --- dependency:3.8.1:tree (default-cli) @ dependency-check-maven ---
[INFO] org.owasp:dependency-check-maven:maven-plugin:11.1.1-SNAPSHOT
[INFO] \- org.apache.maven:maven-core:jar:3.6.3:provided
[INFO]    \- org.apache.maven.resolver:maven-resolver-api:jar:1.4.1:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.625 s
[INFO] Finished at: 2024-12-05T17:44:26+01:00
[INFO] ------------------------------------------------------------------------

Maven does not give me any reason in the dependency-tree why the resolver API would be compile-scoped.

As a sidenote: your colorized toolbox command does not list it as a dependency (but then again, it appears to skip all provided deps, it’s not even listing maven-core as a dependency).

>
> On Thu, Dec 5, 2024 at 2:41 PM Jochen Wiedmann
> <jochen.wiedm...@gmail.com> wrote:
>>
>> On Wed, Dec 4, 2024 at 10:10 PM Slawomir Jaranowski
>> <s.jaranow...@gmail.com> wrote:
>>
>>> It can be transitive dependencies from other dependencies in compile scope.
>>>
>>> look at output of dependency:tree
>>
>> I did, and they are not.
>>
>> Jochen
>>
>>> On Wed, 4 Dec 2024 at 21:11, Jochen Wiedmann <jochen.wiedm...@gmail.com>
>>> wrote:
>>>>
>>>> Hi,
>>>>
>>>> a Maven plugin of mine has the following dependency:
>>>>
>>>> <dependency>
>>>>   <groupId>org.apache.maven</groupId>
>>>>   <artifactId>maven-core</artifactId>
>>>>   <version>3.9.9</version>
>>>>   <scope>provided</scope>
>>>> </dependency>
>>>>
>>>> As you can see, the dependency has scope "provided". Now upon building
>>>> the plugin I get the warning below. As far as I can tell, these are
>>>> transitive dependencies of the Maven core. Now, I am wondering how to
>>>> get rid of these warnings. The only idea, that comes to mind, would be
>>>> to declare all of these as explicit dependencies with scope
>>>> "provided", but doesn't sound good.
>>>>
>>>> Are there any better ideas?
>>>>
>>>> Thanks,
>>>>
>>>> Jochen
>>>>
>>>>
>>>> [WARNING]
>>>>
>>>> Some dependencies of Maven Plugins are expected to be in provided scope.
>>>> Please make sure that dependencies listed below declared in POM
>>>> have set '<scope>provided</scope>' as well.
>>>>
>>>> The following dependencies are in wrong scope:
>>>> * org.apache.maven:maven-model:jar:3.9.9:compile
>>>> * org.apache.maven:maven-settings:jar:3.9.9:compile
>>>> * org.apache.maven:maven-settings-builder:jar:3.9.9:compile
>>>> * org.apache.maven:maven-builder-support:jar:3.9.9:compile
>>>> * org.apache.maven:maven-repository-metadata:jar:3.9.9:compile
>>>> * org.apache.maven:maven-artifact:jar:3.9.9:compile
>>>> * org.apache.maven:maven-model-builder:jar:3.9.9:compile
>>>> * org.apache.maven:maven-resolver-provider:jar:3.9.9:compile
>>>> * org.apache.maven:maven-compat:jar:3.9.9:compile
>>>>
>>>>
>>>> --
>>>> The woman was born in a full-blown thunderstorm. She probably told it
>>>> to be quiet. It probably did. (Robert Jordan, Winter's heart)
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
>>>> For additional commands, e-mail: users-h...@maven.apache.org
>>>>
>>>
>>>
>>> --
>>> Sławomir Jaranowski