Culprit is here https://gist.github.com/cstamas/de07501f64597343e3e9030b36450ad6#file-gistfile1-txt-L244
Also, that library should be tossed away:
https://cwiki.apache.org/confluence/display/MAVEN/Maven+Ecosystem+Cleanup#MavenEcosystemCleanup-MavenArtifactTransfer

On Thu, Dec 5, 2024 at 8:47 PM Tamás Cservenák <ta...@cservenak.net> wrote:
>
> Sorry, we are juggling with two plugins, so the verbose tree for
> dependency check is:
> https://gist.github.com/cstamas/de07501f64597343e3e9030b36450ad6
>
> On Thu, Dec 5, 2024 at 8:41 PM Hans Aikema
> <hans.aik...@aikebah.net.invalid> wrote:
> >
> > > On 5 Dec 2024, at 19:03, Tamás Cservenák <ta...@cservenak.net> wrote:
> > >
> > > Howdy,
> > >
> > > ok, color or not :) here are the paths in tree that lead to maven
> > > artifacts:
> > > https://gist.github.com/cstamas/697999008c0b8b2968c97cd327ec752b
> > >
> > > Thanks
> > > T
> >
> > The thing is: all the paths listed in your result as leading up to
> > compile-scoped maven artifacts are dependencies that are explicitly
> > declared provided in the pom-file of the plugin
> >
> > [INFO] Paths found in project org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
> > [INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
> > [INFO] -> org.apache.maven:maven-plugin-api:jar:3.6.3
> > https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L120-L123
> >
> > [INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
> > [INFO] -> org.apache.maven:maven-settings:jar:3.6.3
> > https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L124-L128
> >
> > [INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
> > [INFO] -> org.apache.maven:maven-core:jar:3.6.3
> > https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L129-L133
> >
> > [INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
> > [INFO] -> org.apache.maven:maven-model:jar:3.6.3
> > https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L172-L176
> >
> > [INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
> > [INFO] -> org.apache.maven:maven-artifact:jar:3.6.3
> > https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L177-L181
> >
> > > On Thu, Dec 5, 2024 at 6:02 PM Hans Aikema
> > > <hans.aik...@aikebah.net.invalid> wrote:
> > >>
> > >>> On 5 Dec 2024, at 17:30, Tamás Cservenák <ta...@cservenak.net> wrote:
> > >>>
> > >>> And... Can you tell us how these dependencies come into play?
> > >>>
> > >>> Can you paste the (in color or in bw -- for Manfred) output of the
> > >>> tree command?
> > >>>
> > >>> Thanks
> > >>> T
> > >>
> > >> Tamás, I’ve observed the same in Owasp Dependency Check maven plugin
> > >> (though nowadays only for libraries that the plugin-plugin does not
> > >> complain about as the items getting complained about have been
> > >> explicitly added to the pom.xml to make them provided scoped)… a single
> > >> example from that to reduce the noise of a large dependency tree:
> > >>
> > >> aikebah@rajah maven % mvn dependency:tree -Dincludes=org.apache.maven.resolver:maven-resolver-api
> > >> [INFO] Scanning for projects...
> > >> [INFO] Inspecting build with total of 1 modules...
> > >> [INFO] Installing Nexus Staging features:
> > >> [INFO] ... total of 1 executions of maven-deploy-plugin replaced with nexus-staging-maven-plugin
> > >> [INFO]
> > >> [INFO] ------------------< org.owasp:dependency-check-maven >------------------
> > >> [INFO] Building Dependency-Check Maven Plugin 11.1.1-SNAPSHOT
> > >> [INFO] from pom.xml
> > >> [INFO] ----------------------------[ maven-plugin ]----------------------------
> > >> [INFO]
> > >> [INFO] --- dependency:3.8.1:tree (default-cli) @ dependency-check-maven ---
> > >> [INFO] org.owasp:dependency-check-maven:maven-plugin:11.1.1-SNAPSHOT
> > >> [INFO] \- org.apache.maven:maven-core:jar:3.6.3:provided
> > >> [INFO]    \- org.apache.maven.resolver:maven-resolver-api:jar:1.4.1:compile
> > >> [INFO] ------------------------------------------------------------------------
> > >> [INFO] BUILD SUCCESS
> > >> [INFO] ------------------------------------------------------------------------
> > >> [INFO] Total time: 1.625 s
> > >> [INFO] Finished at: 2024-12-05T17:44:26+01:00
> > >> [INFO] ------------------------------------------------------------------------
> > >>
> > >> Maven does not give me any reason in the dependency-tree why the resolver
> > >> API would be compile-scoped.
> > >>
> > >> As a sidenote: your colorized toolbox command does not list it as a
> > >> dependency (but then again, it appears to skip all provided deps, it’s
> > >> not even listing maven-core as a dependency).
> > >>
> > >>> On Thu, Dec 5, 2024 at 2:41 PM Jochen Wiedmann
> > >>> <jochen.wiedm...@gmail.com> wrote:
> > >>>>
> > >>>> On Wed, Dec 4, 2024 at 10:10 PM Slawomir Jaranowski
> > >>>> <s.jaranow...@gmail.com> wrote:
> > >>>>
> > >>>>> It can be transitive dependencies from other dependencies in compile
> > >>>>> scope.
> > >>>>>
> > >>>>> look at output of dependency:tree
> > >>>>
> > >>>> I did, and they are not.
> > >>>>
> > >>>> Jochen
> > >>>>
> > >>>>> On Wed, 4 Dec 2024 at 21:11, Jochen Wiedmann
> > >>>>> <jochen.wiedm...@gmail.com> wrote:
> > >>>>>>
> > >>>>>> Hi,
> > >>>>>>
> > >>>>>> a Maven plugin of mine has the following dependency:
> > >>>>>>
> > >>>>>> <dependency>
> > >>>>>>   <groupId>org.apache.maven</groupId>
> > >>>>>>   <artifactId>maven-core</artifactId>
> > >>>>>>   <version>3.9.9</version>
> > >>>>>>   <scope>provided</scope>
> > >>>>>> </dependency>
> > >>>>>>
> > >>>>>> As you can see, the dependency has scope "provided". Now upon
> > >>>>>> building the plugin I get the warning below. As far as I can tell,
> > >>>>>> these are transitive dependencies of the Maven core. Now, I am
> > >>>>>> wondering how to get rid of these warnings. The only idea, that
> > >>>>>> comes to mind, would be to declare all of these as explicit
> > >>>>>> dependencies with scope "provided", but that doesn't sound good.
> > >>>>>>
> > >>>>>> Are there any better ideas?
> > >>>>>>
> > >>>>>> Thanks,
> > >>>>>>
> > >>>>>> Jochen
> > >>>>>>
> > >>>>>>
> > >>>>>> [WARNING]
> > >>>>>>
> > >>>>>> Some dependencies of Maven Plugins are expected to be in provided scope.
> > >>>>>> Please make sure that dependencies listed below declared in POM
> > >>>>>> have set '<scope>provided</scope>' as well.
> > >>>>>>
> > >>>>>> The following dependencies are in wrong scope:
> > >>>>>> * org.apache.maven:maven-model:jar:3.9.9:compile
> > >>>>>> * org.apache.maven:maven-settings:jar:3.9.9:compile
> > >>>>>> * org.apache.maven:maven-settings-builder:jar:3.9.9:compile
> > >>>>>> * org.apache.maven:maven-builder-support:jar:3.9.9:compile
> > >>>>>> * org.apache.maven:maven-repository-metadata:jar:3.9.9:compile
> > >>>>>> * org.apache.maven:maven-artifact:jar:3.9.9:compile
> > >>>>>> * org.apache.maven:maven-model-builder:jar:3.9.9:compile
> > >>>>>> * org.apache.maven:maven-resolver-provider:jar:3.9.9:compile
> > >>>>>> * org.apache.maven:maven-compat:jar:3.9.9:compile
> > >>>>>>
> > >>>>>>
> > >>>>>> --
> > >>>>>> The woman was born in a full-blown thunderstorm. She probably told it
> > >>>>>> to be quiet. It probably did. (Robert Jordan, Winter's heart)
> > >>>>>>
> > >>>>>> ---------------------------------------------------------------------
> > >>>>>> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
> > >>>>>> For additional commands, e-mail: users-h...@maven.apache.org
> > >>>>>>
> > >>>>>
> > >>>>> --
> > >>>>> Sławomir Jaranowski
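
Added example (not part of the thread, and not code from Maven or the plugins discussed): a small Python filter for `mvn dependency:tree` text output that lists Maven core artifacts resolved in compile scope together with the path that pulls them in, covering both the provided-parent case quoted above and a compile-scoped third-party parent. The group list, the function names and `org.example:helper-lib` are assumptions made for illustration.

```python
import re

# Groups the Maven runtime itself supplies to plugins (assumed list for this example).
CORE_GROUPS = {"org.apache.maven", "org.apache.maven.resolver"}
SCOPES = {"compile", "provided", "runtime", "test", "system"}
NODE = re.compile(r"^((?:[|+\\ ][ -] )*)([\w.\-]+(?::[\w.\-]+){2,5})(?: \(.*\))?\s*$")

def parse_tree(text):
    """Yield (depth, coordinate, scope) for each node in dependency:tree text output."""
    for line in text.splitlines():
        m = NODE.match(re.sub(r"^\[INFO\] ?", "", line))
        if not m:
            continue  # banner, separator or summary line
        last = m.group(2).rsplit(":", 1)[-1]
        # Each nesting level is drawn with a three-character prefix ("+- ", "|  ", ...).
        yield len(m.group(1)) // 3, m.group(2), last if last in SCOPES else None

def misplaced_core_artifacts(text):
    """Report Maven core artifacts resolved as compile, with the path that pulls them in."""
    stack, findings = [], []
    for depth, coord, scope in parse_tree(text):
        del stack[depth:]  # leave only the ancestors of the current node
        stack.append((coord, scope))
        if depth and scope == "compile" and coord.split(":")[0] in CORE_GROUPS:
            provided = next((c for c, s in stack[:-1] if s == "provided"), None)
            findings.append({"artifact": coord,
                             "path": [c for c, _ in stack],
                             "provided_ancestor": provided})
    return findings

# Constructed sample: the first branch is based on the output quoted in the thread,
# the second uses a made-up org.example:helper-lib as a compile-scoped parent.
SAMPLE = r"""
[INFO] --- dependency:3.8.1:tree (default-cli) @ dependency-check-maven ---
[INFO] org.owasp:dependency-check-maven:maven-plugin:11.1.1-SNAPSHOT
[INFO] +- org.apache.maven:maven-core:jar:3.6.3:provided
[INFO] |  \- org.apache.maven.resolver:maven-resolver-api:jar:1.4.1:compile
[INFO] \- org.example:helper-lib:jar:1.0:compile
[INFO]    \- org.apache.maven:maven-artifact:jar:3.6.3:compile
"""

if __name__ == "__main__":
    for f in misplaced_core_artifacts(SAMPLE):
        origin = f["provided_ancestor"] or "no provided ancestor"
        print(" -> ".join(f["path"]), "|", origin)
```

A finding with a `provided_ancestor` is the case Hans describes, where the tree alone gives no reason for the compile scope; a finding without one points at a compile-scoped dependency that drags the core artifact in.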