Concerning the downloads, I can see that it first tries to download the pom.xml for the dependencies that were hard-deleted from the repos. It tried to download the pom.xml even if I explicitly excluded the dependency with an <exclusion> element. Since that first download already fails (with a not found), I can't tell whether it would try to download the JARs for the excluded dependency version in case the pom.xml had been kept in the repo.

When the company finds CVEs related to a dependency, they remove the entire version from the repo, including the pom.xml and the JAR. It's as if the dependency never existed in the repo in the first place. If Maven's behaviour is to always download at least the pom.xml, I would need to make the case to the team that is enforcing this policy and, perhaps, ask them to stop doing that and remove only the offending JARs from the repos, but I need to find some evidence that this is in fact how Maven works. This could be documentation or an explanation from someone from Apache.

Cheers.

From: Tamás Cservenák <ta...@cservenak.net>
Date: Thursday, 20 February 2025 at 8:35 am
To: Maven Users List <users@maven.apache.org>
Subject: Re: Are dependency exclusions only applied after they are downloaded?

Howdy,

Are we talking about POM or the JAR here?

Thanks
T

On Wed, Feb 19, 2025 at 10:20 PM Tomo Suzuki <suzt...@google.com.invalid> wrote:
>
> Try running Maven with the "-X" option to get debug logs. It prints dependency
> graphs. You may find the problematic dependency in an unexpected place in
> the graphs.
>
> Regards,
> Tomo
>
>
> On Wed, Feb 19, 2025 at 16:10 Gabriel Correa de Oliveira <
> gabriel...@outlook.com> wrote:
>
> > Hi, All,
> >
> > I am working in a corporate environment that uses Artifactory and Nexus as
> > artifact repositories.
> > Access to Maven Central and any other public repositories is blocked in
> > the corporate network. Public repositories can only be accessed through
> > Artifactory or Nexus as a proxy/cache.
> >
> > JFrog Xray and Sonatype Nexus IQ are being used to scan all artifacts that
> > are published to these repositories or pulled from the public ones for
> > security vulnerabilities. The company is particularly sensitive to
> > dependencies with publicly reported CVEs. Once a dependency is identified
> > with a CVE, it is hard-deleted from the corresponding repository.
> >
> > As a result, I can see Maven builds failing because dependencies that
> > are OK often have dependencies on other artifacts that have CVEs reported
> > against them and, thus, were deleted from the repositories.
> >
> > I want to use <exclusions> in my pom.xml files and replace the versions of
> > these transitive dependencies with others, slightly newer or older, that do not
> > have CVEs reported against them and, thus, are still in the internal
> > repositories.
> >
> > However, Maven seems to still attempt to download these transitive
> > dependencies from the repositories before applying the exclusions I
> > configured in the pom.xml. If this is the way it behaves, my builds will
> > keep failing.
> >
> > Can anyone here confirm if this is the expected behaviour for Maven? Is it
> > really going to download all transitive dependencies in accordance with the
> > original relationships before applying the exclusions I have configured in
> > the pom.xml? If so, is there any way I can tell Maven not to attempt to
> > download versions that I have already excluded in the pom.xml?
> >
> > I already searched through documentation, but I could not find this level
> > of detail anywhere.
> >
> > Thank you.
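As an added illustration of the approach described in the original question (example configuration written for this page, not a pom.xml posted in the thread): a pom.xml that excludes the offending transitive artifact from the direct dependency that pulls it in, and pins a replacement version through <dependencyManagement> so that the replacement is the version the resolver asks the internal repository for. All coordinates (com.example:app, org.example:library, org.example:transitive-lib, versions 1.2.3 and 1.2.4) are hypothetical placeholders; 1.2.3 stands for the hard-deleted version and 1.2.4 for a version assumed to still exist in Artifactory/Nexus. The comments on when exclusions and management take effect describe Maven 3 resolver behaviour as I understand it; confirm it on your own build with -X.

```xml
<!-- Added example, not from the thread. All coordinates are hypothetical:
     com.example:app depends on org.example:library, which transitively
     pulls in org.example:transitive-lib:1.2.3 (assumed hard-deleted from
     the internal repository). 1.2.4 is assumed to still be available. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>app</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <!-- Pin the transitive artifact for the whole graph. Dependency
       management is applied while the graph is collected, so every path
       that introduces org.example:transitive-lib is rewritten to 1.2.4
       before the resolver reads its POM; 1.2.3 is not requested. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.example</groupId>
        <artifactId>transitive-lib</artifactId>
        <version>1.2.4</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>library</artifactId>
      <version>2.0.0</version>
      <!-- An exclusion is per path: it only drops transitive-lib from
           what org.example:library brings in. If a second direct
           dependency also declares transitive-lib, that path is not
           affected, so exclude it there as well or rely on the managed
           version above. -->
      <exclusions>
        <exclusion>
          <groupId>org.example</groupId>
          <artifactId>transitive-lib</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Declare the replacement directly so the classes are still on the
         compile and runtime classpath. The version comes from
         dependencyManagement. -->
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>transitive-lib</artifactId>
    </dependency>
  </dependencies>
</project>
```

To check what the resolver actually asks the proxy for, run `mvn -X dependency:tree -Dverbose` as suggested earlier in the thread: the verbose tree marks nodes as "version managed from 1.2.3" or "omitted for conflict", and the -X log lines show each POM and JAR request with the repository it was sent to, which is where a second, unexcluded path to the deleted version shows up.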