Sorry, we are juggling with two plugins, so the verbose tree for dependency check is: https://gist.github.com/cstamas/de07501f64597343e3e9030b36450ad6
On Thu, Dec 5, 2024 at 8:41 PM Hans Aikema <hans.aik...@aikebah.net.invalid> wrote:
>
> > On 5 Dec 2024, at 19:03, Tamás Cservenák <ta...@cservenak.net> wrote:
> >
> > Howdy,
> >
> > ok, color or not :) here are the paths in tree that lead to maven
> > artifacts:
> > https://gist.github.com/cstamas/697999008c0b8b2968c97cd327ec752b
> >
> > Thanks
> > T
>
> The thing is: all the paths listed in your result as leading up to
> compile-scoped maven artifacts are dependencies that are explicitly declared
> provided in the pom-file of the plugin
>
> [INFO] Paths found in project org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
> [INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
> [INFO] -> org.apache.maven:maven-plugin-api:jar:3.6.3
> https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L120-L123
>
> [INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
> [INFO] -> org.apache.maven:maven-settings:jar:3.6.3
> https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L124-L128
>
> [INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
> [INFO] -> org.apache.maven:maven-core:jar:3.6.3
> https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L129-L133
>
> [INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
> [INFO] -> org.apache.maven:maven-model:jar:3.6.3
> https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L172-L176
>
> [INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
> [INFO] -> org.apache.maven:maven-artifact:jar:3.6.3
> https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L177-L181
>
> > On Thu, Dec 5, 2024 at 6:02 PM Hans Aikema
> > <hans.aik...@aikebah.net.invalid> wrote:
> >>
> >>> On 5 Dec 2024, at 17:30, Tamás Cservenák <ta...@cservenak.net> wrote:
> >>>
> >>> And... Can you tell us how these dependencies come into play?
> >>>
> >>> Can you paste the (in color or in bw -- for Manfred) output of the
> >>> tree command?
> >>>
> >>> Thanks
> >>> T
> >>
> >> Tamás, I’ve observed the same in Owasp Dependency Check maven plugin
> >> (though nowadays only for libraries that the plugin-plugin does not
> >> complain about as the items getting complained about have been explicitly
> >> added to the pom.xml to make them provided scoped)… a single example from
> >> that to reduce the noise of a large dependency tree:
> >>
> >> aikebah@rajah maven % mvn dependency:tree -Dincludes=org.apache.maven.resolver:maven-resolver-api
> >> [INFO] Scanning for projects...
> >> [INFO] Inspecting build with total of 1 modules...
> >> [INFO] Installing Nexus Staging features:
> >> [INFO] ... total of 1 executions of maven-deploy-plugin replaced with nexus-staging-maven-plugin
> >> [INFO]
> >> [INFO] ------------------< org.owasp:dependency-check-maven >------------------
> >> [INFO] Building Dependency-Check Maven Plugin 11.1.1-SNAPSHOT
> >> [INFO] from pom.xml
> >> [INFO] ----------------------------[ maven-plugin ]----------------------------
> >> [INFO]
> >> [INFO] --- dependency:3.8.1:tree (default-cli) @ dependency-check-maven ---
> >> [INFO] org.owasp:dependency-check-maven:maven-plugin:11.1.1-SNAPSHOT
> >> [INFO] \- org.apache.maven:maven-core:jar:3.6.3:provided
> >> [INFO]    \- org.apache.maven.resolver:maven-resolver-api:jar:1.4.1:compile
> >> [INFO] ------------------------------------------------------------------------
> >> [INFO] BUILD SUCCESS
> >> [INFO] ------------------------------------------------------------------------
> >> [INFO] Total time: 1.625 s
> >> [INFO] Finished at: 2024-12-05T17:44:26+01:00
> >> [INFO] ------------------------------------------------------------------------
> >>
> >> Maven does not give me any reason in the dependency-tree why the resolver
> >> API would be compile-scoped.
> >>
> >> As a sidenote: your colorized toolbox command does not list it as a
> >> dependency (but then again, it appears to skip all provided deps, it’s not
> >> even listing maven-core as a dependency).
> >>
> >>> On Thu, Dec 5, 2024 at 2:41 PM Jochen Wiedmann
> >>> <jochen.wiedm...@gmail.com> wrote:
> >>>>
> >>>> On Wed, Dec 4, 2024 at 10:10 PM Slawomir Jaranowski
> >>>> <s.jaranow...@gmail.com> wrote:
> >>>>
> >>>>> It can be transitive dependencies from other dependencies in compile
> >>>>> scope.
> >>>>>
> >>>>> look at output of dependency:tree
> >>>>
> >>>> I did, and they are not.
> >>>>
> >>>> Jochen
> >>>>
> >>>>> On Wed, 4 Dec 2024 at 21:11, Jochen Wiedmann
> >>>>> <jochen.wiedm...@gmail.com> wrote:
> >>>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> a Maven plugin of mine has the following dependency:
> >>>>>>
> >>>>>> <dependency>
> >>>>>>   <groupId>org.apache.maven</groupId>
> >>>>>>   <artifactId>maven-core</artifactId>
> >>>>>>   <version>3.9.9</version>
> >>>>>>   <scope>provided</scope>
> >>>>>> </dependency>
> >>>>>>
> >>>>>> As you can see, the dependency has scope "provided". Now upon building
> >>>>>> the plugin I get the warning below. As far as I can tell, these are
> >>>>>> transitive dependencies of the Maven core. Now, I am wondering how to
> >>>>>> get rid of these warnings. The only idea that comes to mind would be
> >>>>>> to declare all of these as explicit dependencies with scope
> >>>>>> "provided", but doesn't sound good.
> >>>>>>
> >>>>>> Are there any better ideas?
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Jochen
> >>>>>>
> >>>>>>
> >>>>>> [WARNING]
> >>>>>>
> >>>>>> Some dependencies of Maven Plugins are expected to be in provided
> >>>>>> scope.
> >>>>>> Please make sure that dependencies listed below declared in POM
> >>>>>> have set '<scope>provided</scope>' as well.
> >>>>>>
> >>>>>> The following dependencies are in wrong scope:
> >>>>>> * org.apache.maven:maven-model:jar:3.9.9:compile
> >>>>>> * org.apache.maven:maven-settings:jar:3.9.9:compile
> >>>>>> * org.apache.maven:maven-settings-builder:jar:3.9.9:compile
> >>>>>> * org.apache.maven:maven-builder-support:jar:3.9.9:compile
> >>>>>> * org.apache.maven:maven-repository-metadata:jar:3.9.9:compile
> >>>>>> * org.apache.maven:maven-artifact:jar:3.9.9:compile
> >>>>>> * org.apache.maven:maven-model-builder:jar:3.9.9:compile
> >>>>>> * org.apache.maven:maven-resolver-provider:jar:3.9.9:compile
> >>>>>> * org.apache.maven:maven-compat:jar:3.9.9:compile
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> The woman was born in a full-blown thunderstorm. She probably told it
> >>>>>> to be quiet. It probably did. (Robert Jordan, Winter's heart)
> >>>>>>
> >>>>>> ---------------------------------------------------------------------
> >>>>>> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
> >>>>>> For additional commands, e-mail: users-h...@maven.apache.org
> >>>>>
> >>>>> --
> >>>>> Sławomir Jaranowski
> >>>>
> >>>> --
> >>>> The woman was born in a full-blown thunderstorm. She probably told it
> >>>> to be quiet. It probably did. (Robert Jordan, Winter's heart)
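
Added example, not part of any message in this thread: a small Python helper that reads the text output of `mvn dependency:tree` and lists every path on which an artifact shown as compile-scoped sits below an ancestor shown as provided-scoped, which is the pattern visible in the tree output quoted above. The sample tree is constructed (modelled on that output; the `org.example` entries are hypothetical), and the function name is an assumption of this example.

```python
import re

# Constructed sample modelled on the dependency:tree output quoted in the thread;
# the org.example artifacts are hypothetical.
SAMPLE_TREE = """\
[INFO] --- dependency:3.8.1:tree (default-cli) @ dependency-check-maven ---
[INFO] org.owasp:dependency-check-maven:maven-plugin:11.1.1-SNAPSHOT
[INFO] +- org.apache.maven:maven-core:jar:3.6.3:provided
[INFO] |  +- org.apache.maven:maven-model:jar:3.6.3:provided
[INFO] |  \\- org.apache.maven.resolver:maven-resolver-api:jar:1.4.1:compile
[INFO] \\- org.example:some-lib:jar:1.0:compile
[INFO]    \\- org.example:some-util:jar:2.0:compile
[INFO] BUILD SUCCESS
"""

# One tree line: "[INFO] ", then one 3-character indent unit per ancestor level
# ("|  " or "   "), then "+- " or "\- " (absent on the root), then coordinates
# made of 4 to 6 colon-separated fields.
NODE = re.compile(
    r"^\[INFO\] ((?:[| ] {2})*)([+\\]- )?([^\s:]+(?::[^\s:]+){3,5})(?: .*)?$"
)


def compile_under_provided(tree_text):
    """Return the paths (root to node) whose last node is shown as compile-scoped
    while some ancestor on the path is shown as provided-scoped."""
    stack = []  # stack[d] holds the coordinates at depth d of the current path
    hits = []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # banner, blank or summary line
        prefix, marker, coord = m.groups()
        depth = len(prefix) // 3 + (1 if marker else 0)
        del stack[depth:]  # drop siblings and deeper nodes from the path
        stack.append(coord)
        if depth == 0:
            continue  # the project itself carries no scope field
        scope = coord.rsplit(":", 1)[1]
        ancestors = stack[1:-1]
        if scope == "compile" and any(a.endswith(":provided") for a in ancestors):
            hits.append(list(stack))
    return hits


if __name__ == "__main__":
    for path in compile_under_provided(SAMPLE_TREE):
        print(" -> ".join(path))
```
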