Hans, just figured what you wrote, two important remarks: - toolbox _by default_ uses "runtime" scope! (unlike m-dependency-p:tree!), so you want -Dscope=compile See https://github.com/maveniverse/toolbox/blob/main/toolbox/src/main/java/eu/maveniverse/maven/toolbox/plugin/mp/TreeMojo.java#L27 https://github.com/maveniverse/toolbox/blob/main/toolbox/src/main/java/eu/maveniverse/maven/toolbox/plugin/gav/GavTreeMojo.java#L40
Reason is that I usually use tree to display ANY artifact runtime tree (hence the gav-tree, that unlike the tree mojo does NOT need a project, just point it at any resolvable artifact with -Dgav=g:a:v). I usually use these tools for some quick analysis... Thanks T On Thu, Dec 5, 2024 at 6:02 PM Hans Aikema <hans.aik...@aikebah.net.invalid> wrote: > > > > > On 5 Dec 2024, at 17:30, Tamás Cservenák <ta...@cservenak.net> wrote: > > > > And... Can you tell us how these dependencies come into play? > > > > Can you paste the (in color or in bw -- for Manfred) output of the > > tree command? > > > > Thanks > > T > > Tamás, I’ve observed the same in Owasp Dependency Check maven plugin (though > nowadays only for libraries that the plugin-plugin does not complain about as > the items getting complained about have been explicitly added to the pom.xml > to make them provided scoped)… a single example from that to reduce the noice > of a large dependency tree: > > aikebah@rajah maven % mvn dependency:tree > -Dincludes=org.apache.maven.resolver:maven-resolver-api > [INFO] Scanning for projects... > [INFO] Inspecting build with total of 1 modules... > [INFO] Installing Nexus Staging features: > [INFO] ... total of 1 executions of maven-deploy-plugin replaced with > nexus-staging-maven-plugin > [INFO] > [INFO] ------------------< org.owasp:dependency-check-maven > >------------------ > [INFO] Building Dependency-Check Maven Plugin 11.1.1-SNAPSHOT > [INFO] from pom.xml > [INFO] ----------------------------[ maven-plugin > ]---------------------------- > [INFO] > [INFO] --- dependency:3.8.1:tree (default-cli) @ dependency-check-maven --- > [INFO] org.owasp:dependency-check-maven:maven-plugin:11.1.1-SNAPSHOT > [INFO] \- org.apache.maven:maven-core:jar:3.6.3:provided > [INFO] \- org.apache.maven.resolver:maven-resolver-api:jar:1.4.1:compile > [INFO] > ------------------------------------------------------------------------ > [INFO] BUILD SUCCESS > [INFO] > ------------------------------------------------------------------------ > [INFO] Total time: 1.625 s > [INFO] Finished at: 2024-12-05T17:44:26+01:00 > [INFO] > ------------------------------------------------------------------------ > > Maven does not give me any reason in the depedency-tree why the resolver API > would be compile-scoped. > > A a sidenote: your colorized toolbox command does not list it as a dependency > (but then again, it appears to skip all provided deps, it’s not even listing > maven-core as a dependency. > > > > > > On Thu, Dec 5, 2024 at 2:41 PM Jochen Wiedmann > > <jochen.wiedm...@gmail.com> wrote: > >> > >> On Wed, Dec 4, 2024 at 10:10 PM Slawomir Jaranowski > >> <s.jaranow...@gmail.com> wrote: > >> > >>> It can be transitive dependencies from other dependencies in compile > >>> scope. > >>> > >>> look at output of dependency:tree > >> > >> I did, and it they are not. > >> > >> Jochen > >> > >>> On Wed, 4 Dec 2024 at 21:11, Jochen Wiedmann <jochen.wiedm...@gmail.com> > >>> wrote: > >>>> > >>>> Hi, > >>>> > >>>> a Maven plugin of mine has the following dependency: > >>>> > >>>> <dependency> > >>>> <groupId>org.apache.maven</groupId> > >>>> <artifactId>maven-core</artifactId> > >>>> <version>3.9.9</version> > >>>> <scope>provided</scope> > >>>> </dependency> > >>>> > >>>> As you can see. the dependency has scope "provided". Now upon building > >>>> the plugin I get the warning below. As fars as I can tell, these are > >>>> transitive dependencies of the Maven core. Now, I am wondering how to > >>>> get rid of these warnings. The only idea, that comes to mind, would be > >>>> to declare all of these as explicit dependencies with scope > >>>> "provided". but doesn't sound good. > >>>> > >>>> Are there any better ideas? > >>>> > >>>> Thanks, > >>>> > >>>> Jochen > >>>> > >>>> > >>>> [WARNING] > >>>> > >>>> Some dependencies of Maven Plugins are expected to be in provided scope. > >>>> Please make sure that dependencies listed below declared in POM > >>>> have set '<scope>provided</scope>' as well. > >>>> > >>>> The following dependencies are in wrong scope: > >>>> * org.apache.maven:maven-model:jar:3.9.9:compile > >>>> * org.apache.maven:maven-settings:jar:3.9.9:compile > >>>> * org.apache.maven:maven-settings-builder:jar:3.9.9:compile > >>>> * org.apache.maven:maven-builder-support:jar:3.9.9:compile > >>>> * org.apache.maven:maven-repository-metadata:jar:3.9.9:compile > >>>> * org.apache.maven:maven-artifact:jar:3.9.9:compile > >>>> * org.apache.maven:maven-model-builder:jar:3.9.9:compile > >>>> * org.apache.maven:maven-resolver-provider:jar:3.9.9:compile > >>>> * org.apache.maven:maven-compat:jar:3.9.9:compile > >>>> > >>>> > >>>> -- > >>>> The woman was born in a full-blown thunderstorm. She probably told it > >>>> to be quiet. It probably did. (Robert Jordan, Winter's heart) > >>>> > >>>> --------------------------------------------------------------------- > >>>> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org > >>>> For additional commands, e-mail: users-h...@maven.apache.org > >>>> > >>> > >>> > >>> -- > >>> Sławomir Jaranowski > >>> > >>> --------------------------------------------------------------------- > >>> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org > >>> For additional commands, e-mail: users-h...@maven.apache.org > >>> > >> > >> > >> -- > >> The woman was born in a full-blown thunderstorm. She probably told it > >> to be quiet. It probably did. (Robert Jordan, Winter's heart) > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org > >> For additional commands, e-mail: users-h...@maven.apache.org > >> > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@maven.apache.org > > For additional commands, e-mail: users-h...@maven.apache.org > > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
