> On 5 Dec 2024, at 20:48, Tamás Cservenák <ta...@cservenak.net> wrote:
>
> Culprit is here
> https://gist.github.com/cstamas/de07501f64597343e3e9030b36450ad6#file-gistfile1-txt-L244
>
> Also, that library should be tossed away:
> https://cwiki.apache.org/confluence/display/MAVEN/Maven+Ecosystem+Cleanup#MavenEcosystemCleanup-MavenArtifactTransfer
Yeah, already spotted those before and made a mental note to dive deeper into
how to fulfill the ODC needs without using the maven-artifact-transfer library.
The verbose tree of the toolbox plugin is indeed a nice tool to add to my Maven
toolbox.
>
> On Thu, Dec 5, 2024 at 8:47 PM Tamás Cservenák <ta...@cservenak.net> wrote:
>>
>> Sorry, we are juggling with two plugins, so the verbose tree for
>> dependency check is:
>> https://gist.github.com/cstamas/de07501f64597343e3e9030b36450ad6
>>
>>
>> On Thu, Dec 5, 2024 at 8:41 PM Hans Aikema
>> <hans.aik...@aikebah.net.invalid> wrote:
>>>
>>>
>>>
>>>> On 5 Dec 2024, at 19:03, Tamás Cservenák <ta...@cservenak.net> wrote:
>>>>
>>>> Howdy,
>>>>
>>>> ok, color or not :) here are the paths in tree that lead to maven
>>>> artifacts:
>>>> https://gist.github.com/cstamas/697999008c0b8b2968c97cd327ec752b
>>>>
>>>> Thanks
>>>> T
>>>
>>> The thing is: all the paths listed in your result as leading up to
>>> compile-scoped maven artifacts are dependencies that are explicitly
>>> declared provided in the pom-file of the plugin
>>>
>>> [INFO] Paths found in project org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
>>> [INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
>>> [INFO] -> org.apache.maven:maven-plugin-api:jar:3.6.3
>>> https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L120-L123
>>>
>>> [INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
>>> [INFO] -> org.apache.maven:maven-settings:jar:3.6.3
>>> https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L124-L128
>>>
>>> [INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
>>> [INFO] -> org.apache.maven:maven-core:jar:3.6.3
>>> https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L129-L133
>>>
>>> [INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
>>> [INFO] -> org.apache.maven:maven-model:jar:3.6.3
>>> https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L172-L176
>>>
>>> [INFO] -> org.owasp:dependency-check-maven:jar:11.1.2-SNAPSHOT
>>> [INFO] -> org.apache.maven:maven-artifact:jar:3.6.3
>>> https://github.com/jeremylong/DependencyCheck/blob/main/maven/pom.xml#L177-L181
>>>
>>>
>>>>
>>>> On Thu, Dec 5, 2024 at 6:02 PM Hans Aikema
>>>> <hans.aik...@aikebah.net.invalid> wrote:
>>>>>
>>>>>
>>>>>
>>>>>> On 5 Dec 2024, at 17:30, Tamás Cservenák <ta...@cservenak.net> wrote:
>>>>>>
>>>>>> And... Can you tell us how these dependencies come into play?
>>>>>>
>>>>>> Can you paste the (in color or in bw -- for Manfred) output of the
>>>>>> tree command?
>>>>>>
>>>>>> Thanks
>>>>>> T
>>>>>
>>>>> Tamás, I’ve observed the same in Owasp Dependency Check maven plugin
>>>>> (though nowadays only for libraries that the plugin-plugin does not
>>>>> complain about as the items getting complained about have been explicitly
>>>>> added to the pom.xml to make them provided scoped)… a single example from
>>>>> that to reduce the noise of a large dependency tree:
>>>>>
>>>>> aikebah@rajah maven % mvn dependency:tree -Dincludes=org.apache.maven.resolver:maven-resolver-api
>>>>> [INFO] Scanning for projects...
>>>>> [INFO] Inspecting build with total of 1 modules...
>>>>> [INFO] Installing Nexus Staging features:
>>>>> [INFO] ... total of 1 executions of maven-deploy-plugin replaced with nexus-staging-maven-plugin
>>>>> [INFO]
>>>>> [INFO] ------------------< org.owasp:dependency-check-maven >------------------
>>>>> [INFO] Building Dependency-Check Maven Plugin 11.1.1-SNAPSHOT
>>>>> [INFO] from pom.xml
>>>>> [INFO] ----------------------------[ maven-plugin ]----------------------------
>>>>> [INFO]
>>>>> [INFO] --- dependency:3.8.1:tree (default-cli) @ dependency-check-maven ---
>>>>> [INFO] org.owasp:dependency-check-maven:maven-plugin:11.1.1-SNAPSHOT
>>>>> [INFO] \- org.apache.maven:maven-core:jar:3.6.3:provided
>>>>> [INFO]    \- org.apache.maven.resolver:maven-resolver-api:jar:1.4.1:compile
>>>>> [INFO] ------------------------------------------------------------------------
>>>>> [INFO] BUILD SUCCESS
>>>>> [INFO] ------------------------------------------------------------------------
>>>>> [INFO] Total time: 1.625 s
>>>>> [INFO] Finished at: 2024-12-05T17:44:26+01:00
>>>>> [INFO] ------------------------------------------------------------------------
>>>>>
>>>>> Maven does not give me any reason in the dependency-tree why the resolver
>>>>> API would be compile-scoped.
>>>>>
>>>>> As a sidenote: your colorized toolbox command does not list it as a
>>>>> dependency (but then again, it appears to skip all provided deps, it’s
>>>>> not even listing maven-core as a dependency).
>>>>>
>>>>>
>>>>>>
>>>>>> On Thu, Dec 5, 2024 at 2:41 PM Jochen Wiedmann
>>>>>> <jochen.wiedm...@gmail.com> wrote:
>>>>>>>
>>>>>>> On Wed, Dec 4, 2024 at 10:10 PM Slawomir Jaranowski
>>>>>>> <s.jaranow...@gmail.com> wrote:
>>>>>>>
>>>>>>>> It can be transitive dependencies from other dependencies in compile
>>>>>>>> scope.
>>>>>>>>
>>>>>>>> look at output of dependency:tree
>>>>>>>
>>>>>>> I did, and they are not.
>>>>>>>
>>>>>>> Jochen
>>>>>>>
>>>>>>>> On Wed, 4 Dec 2024 at 21:11, Jochen Wiedmann
>>>>>>>> <jochen.wiedm...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> a Maven plugin of mine has the following dependency:
>>>>>>>>>
>>>>>>>>> <dependency>
>>>>>>>>>   <groupId>org.apache.maven</groupId>
>>>>>>>>>   <artifactId>maven-core</artifactId>
>>>>>>>>>   <version>3.9.9</version>
>>>>>>>>>   <scope>provided</scope>
>>>>>>>>> </dependency>
>>>>>>>>>
>>>>>>>>> As you can see, the dependency has scope "provided". Now upon building
>>>>>>>>> the plugin I get the warning below. As far as I can tell, these are
>>>>>>>>> transitive dependencies of the Maven core. Now, I am wondering how to
>>>>>>>>> get rid of these warnings. The only idea that comes to mind would be
>>>>>>>>> to declare all of these as explicit dependencies with scope
>>>>>>>>> "provided", but that doesn't sound good.
>>>>>>>>>
>>>>>>>>> Are there any better ideas?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Jochen
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [WARNING]
>>>>>>>>>
>>>>>>>>> Some dependencies of Maven Plugins are expected to be in provided scope.
>>>>>>>>> Please make sure that dependencies listed below declared in POM
>>>>>>>>> have set '<scope>provided</scope>' as well.
>>>>>>>>>
>>>>>>>>> The following dependencies are in wrong scope:
>>>>>>>>> * org.apache.maven:maven-model:jar:3.9.9:compile
>>>>>>>>> * org.apache.maven:maven-settings:jar:3.9.9:compile
>>>>>>>>> * org.apache.maven:maven-settings-builder:jar:3.9.9:compile
>>>>>>>>> * org.apache.maven:maven-builder-support:jar:3.9.9:compile
>>>>>>>>> * org.apache.maven:maven-repository-metadata:jar:3.9.9:compile
>>>>>>>>> * org.apache.maven:maven-artifact:jar:3.9.9:compile
>>>>>>>>> * org.apache.maven:maven-model-builder:jar:3.9.9:compile
>>>>>>>>> * org.apache.maven:maven-resolver-provider:jar:3.9.9:compile
>>>>>>>>> * org.apache.maven:maven-compat:jar:3.9.9:compile
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> The woman was born in a full-blown thunderstorm. She probably told it
>>>>>>>>> to be quiet. It probably did. (Robert Jordan, Winter's heart)
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
>>>>>>>>> For additional commands, e-mail: users-h...@maven.apache.org
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Sławomir Jaranowski
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>
>
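
An added example, not part of the thread or of any project mentioned in it: a small parser for `mvn dependency:tree` output that reports the full path to every Maven-owned artifact resolved in `compile` or `runtime` scope, which is the situation shown in the quoted tree (`maven-resolver-api` as `compile` under a `provided` `maven-core`). The function name, the groupId prefix match (broader than what the plugin warning lists) and the sample tree with its `org.example` entries are assumptions made for illustration. It shows where such a node sits in the tree, not why it got that scope.

```python
import re

# Constructed sample modelled on the dependency:tree output quoted in the
# thread; the org.example nodes are invented and indentation is assumed.
SAMPLE = r"""
[INFO] --- dependency:3.8.1:tree (default-cli) @ dependency-check-maven ---
[INFO] org.owasp:dependency-check-maven:maven-plugin:11.1.1-SNAPSHOT
[INFO] +- org.example:some-lib:jar:1.0:compile
[INFO] |  \- org.example:helper:jar:2.0:compile
[INFO] \- org.apache.maven:maven-core:jar:3.6.3:provided
[INFO]    \- org.apache.maven.resolver:maven-resolver-api:jar:1.4.1:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

# group 1: indentation in 3-character steps, group 2: branch marker (absent
# on the root line), group 3: coordinates with 4 to 6 colon-separated parts.
NODE = re.compile(
    r"^\[INFO\] ((?:[| ] {2})*)([+\\]- )?((?:[\w.\-]+:){3,5}[\w.\-]+)\s*$"
)

# Scopes that put an artifact on the plugin's own runtime classpath.
BUNDLED_SCOPES = ("compile", "runtime")


def misplaced_maven_artifacts(tree_output, group_prefix="org.apache.maven"):
    """Return root-to-node paths for nodes whose groupId starts with
    group_prefix and whose scope is compile or runtime."""
    stack, findings = [], []
    for line in tree_output.splitlines():
        match = NODE.match(line)
        if not match:
            continue  # banner, separator or summary line
        indent, marker, coords = match.groups()
        depth = len(indent) // 3 + 1 if marker else 0
        del stack[depth:]  # drop siblings and deeper nodes of the last branch
        stack.append(coords)
        parts = coords.split(":")
        if depth and parts[0].startswith(group_prefix) and parts[-1] in BUNDLED_SCOPES:
            findings.append(list(stack))
    return findings


if __name__ == "__main__":
    for path in misplaced_maven_artifacts(SAMPLE):
        print(" -> ".join(path))
```
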