> On 5 Dec 2024, at 19:03, Tamás Cservenák <ta...@cservenak.net> wrote:
>
> Howdy,
>
> ok, color or not :) here are the paths in tree that lead to maven artifacts:
> https://gist.github.com/cstamas/697999008c0b8b2968c97cd327ec752b
>
> Thanks
> T

The thing is: all the paths listed in your result as leading up to compile-scoped maven artifacts are dependencies that are explicitly declared provided in the pom-file of the plugin:

[INFO] Paths found in project org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
[INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
[INFO] -> org.apache.maven:maven-plugin-api:jar:3.6.3
https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L120-L123
[INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
[INFO] -> org.apache.maven:maven-settings:jar:3.6.3
https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L124-L128
[INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
[INFO] -> org.apache.maven:maven-core:jar:3.6.3
https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L129-L133
[INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
[INFO] -> org.apache.maven:maven-model:jar:3.6.3
https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L172-L176
[INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
[INFO] -> org.apache.maven:maven-artifact:jar:3.6.3
https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L177-L181

>
> On Thu, Dec 5, 2024 at 6:02 PM Hans Aikema
> <hans.aik...@aikebah.net.invalid> wrote:
>>
>>> On 5 Dec 2024, at 17:30, Tamás Cservenák <ta...@cservenak.net> wrote:
>>>
>>> And... Can you tell us how these dependencies come into play?
>>>
>>> Can you paste the (in color or in bw -- for Manfred) output of the
>>> tree command?
>>>
>>> Thanks
>>> T
>>
>> Tamás, I’ve observed the same in Owasp Dependency Check maven plugin (though
>> nowadays only for libraries that the plugin-plugin does not complain about
>> as the items getting complained about have been explicitly added to the
>> pom.xml to make them provided scoped)… a single example from that to reduce
>> the noise of a large dependency tree:
>>
>> aikebah@rajah maven % mvn dependency:tree -Dincludes=org.apache.maven.resolver:maven-resolver-api
>> [INFO] Scanning for projects...
>> [INFO] Inspecting build with total of 1 modules...
>> [INFO] Installing Nexus Staging features:
>> [INFO] ... total of 1 executions of maven-deploy-plugin replaced with nexus-staging-maven-plugin
>> [INFO]
>> [INFO] ------------------< org.owasp:dependency-check-maven >------------------
>> [INFO] Building Dependency-Check Maven Plugin 11.1.1-SNAPSHOT
>> [INFO] from pom.xml
>> [INFO] ----------------------------[ maven-plugin ]----------------------------
>> [INFO]
>> [INFO] --- dependency:3.8.1:tree (default-cli) @ dependency-check-maven ---
>> [INFO] org.owasp:dependency-check-maven:maven-plugin:11.1.1-SNAPSHOT
>> [INFO] \- org.apache.maven:maven-core:jar:3.6.3:provided
>> [INFO]    \- org.apache.maven.resolver:maven-resolver-api:jar:1.4.1:compile
>> [INFO] ------------------------------------------------------------------------
>> [INFO] BUILD SUCCESS
>> [INFO] ------------------------------------------------------------------------
>> [INFO] Total time: 1.625 s
>> [INFO] Finished at: 2024-12-05T17:44:26+01:00
>> [INFO] ------------------------------------------------------------------------
>>
>> Maven does not give me any reason in the dependency-tree why the resolver API
>> would be compile-scoped.
>>
>> As a sidenote: your colorized toolbox command does not list it as a
>> dependency (but then again, it appears to skip all provided deps, it’s not
>> even listing maven-core as a dependency).
>>
>>>
>>> On Thu, Dec 5, 2024 at 2:41 PM Jochen Wiedmann
>>> <jochen.wiedm...@gmail.com> wrote:
>>>>
>>>> On Wed, Dec 4, 2024 at 10:10 PM Slawomir Jaranowski
>>>> <s.jaranow...@gmail.com> wrote:
>>>>
>>>>> It can be transitive dependencies from other dependencies in compile
>>>>> scope.
>>>>>
>>>>> look at output of dependency:tree
>>>>
>>>> I did, and they are not.
>>>>
>>>> Jochen
>>>>
>>>>> On Wed, 4 Dec 2024 at 21:11, Jochen Wiedmann <jochen.wiedm...@gmail.com>
>>>>> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> a Maven plugin of mine has the following dependency:
>>>>>>
>>>>>>     <dependency>
>>>>>>       <groupId>org.apache.maven</groupId>
>>>>>>       <artifactId>maven-core</artifactId>
>>>>>>       <version>3.9.9</version>
>>>>>>       <scope>provided</scope>
>>>>>>     </dependency>
>>>>>>
>>>>>> As you can see, the dependency has scope "provided". Now upon building
>>>>>> the plugin I get the warning below. As far as I can tell, these are
>>>>>> transitive dependencies of the Maven core. Now, I am wondering how to
>>>>>> get rid of these warnings. The only idea that comes to mind would be
>>>>>> to declare all of these as explicit dependencies with scope
>>>>>> "provided", but that doesn't sound good.
>>>>>>
>>>>>> Are there any better ideas?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Jochen
>>>>>>
>>>>>>
>>>>>> [WARNING]
>>>>>>
>>>>>> Some dependencies of Maven Plugins are expected to be in provided scope.
>>>>>> Please make sure that dependencies listed below declared in POM
>>>>>> have set '<scope>provided</scope>' as well.
>>>>>>
>>>>>> The following dependencies are in wrong scope:
>>>>>> * org.apache.maven:maven-model:jar:3.9.9:compile
>>>>>> * org.apache.maven:maven-settings:jar:3.9.9:compile
>>>>>> * org.apache.maven:maven-settings-builder:jar:3.9.9:compile
>>>>>> * org.apache.maven:maven-builder-support:jar:3.9.9:compile
>>>>>> * org.apache.maven:maven-repository-metadata:jar:3.9.9:compile
>>>>>> * org.apache.maven:maven-artifact:jar:3.9.9:compile
>>>>>> * org.apache.maven:maven-model-builder:jar:3.9.9:compile
>>>>>> * org.apache.maven:maven-resolver-provider:jar:3.9.9:compile
>>>>>> * org.apache.maven:maven-compat:jar:3.9.9:compile
>>>>>>
>>>>>>
>>>>>> --
>>>>>> The woman was born in a full-blown thunderstorm. She probably told it
>>>>>> to be quiet. It probably did. (Robert Jordan, Winter's heart)
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
>>>>>> For additional commands, e-mail: users-h...@maven.apache.org
>>>>>>
>>>>>
>>>>> --
>>>>> Sławomir Jaranowski
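
The pattern discussed in this thread, as an added example that is not part of any of the original messages: a small Python parser for the text output of `mvn dependency:tree` that lists Maven artifacts printed with scope `compile` whose path runs through a `provided`-scoped ancestor. The sample tree is constructed from the output quoted above (the `commons-lang3` and `maven-model` lines are invented), and the function names are hypothetical.

```python
import re

# Constructed sample: root, maven-core and maven-resolver-api follow the output
# quoted in the thread; commons-lang3 and maven-model are invented for contrast.
SAMPLE = r"""
[INFO] --- dependency:3.8.1:tree (default-cli) @ dependency-check-maven ---
[INFO] org.owasp:dependency-check-maven:maven-plugin:11.1.1-SNAPSHOT
[INFO] +- org.apache.commons:commons-lang3:jar:3.17.0:compile
[INFO] \- org.apache.maven:maven-core:jar:3.6.3:provided
[INFO]    +- org.apache.maven:maven-model:jar:3.6.3:provided
[INFO]    \- org.apache.maven.resolver:maven-resolver-api:jar:1.4.1:compile
[INFO] ------------------------------------------------------------------------
"""

# One tree level is three characters ("+- ", "\- ", "|  " or "   "), followed
# by group:artifact:type[:classifier]:version[:scope]; the root has no scope.
NODE = re.compile(r"^\[INFO\] ((?:[|+\\ ][- ] )*)([\w.\-]+(?::[\w.\-]+){3,5})\s*$")


def walk(text):
    """Yield, for every node, its path from the root as (coordinate, scope) pairs."""
    stack = []
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # banner, separator or summary line
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        scope = parts[-1] if len(parts) >= 5 else None
        del stack[depth:]  # drop the previous sibling and its subtree
        stack.append((m.group(2), scope))
        yield list(stack)


def compile_under_provided(text, group="org.apache.maven"):
    """Paths to `group` artifacts printed as compile below a provided ancestor."""
    hits = []
    for path in walk(text):
        coord, scope = path[-1]
        gid = coord.split(":")[0]
        in_group = gid == group or gid.startswith(group + ".")
        if scope == "compile" and in_group and any(s == "provided" for _, s in path[:-1]):
            hits.append([c for c, _ in path])
    return hits


if __name__ == "__main__":
    for hit in compile_under_provided(SAMPLE):
        print(" -> ".join(hit))
```

To check a real build, pass the captured console output of `mvn dependency:tree` to `compile_under_provided` in place of `SAMPLE`.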