Howdy, I am not sure we are on the same page. Could you please create a reproducer and explain to me what is happening and what you expect to happen?
Thanks
T

On Thu, Feb 20, 2025 at 11:06 PM Gabriel Correa de Oliveira <gabriel...@outlook.com> wrote:
>
> Concerning the downloads, I can see that it first tries to download the pom.xml for the dependencies that were hard-deleted from the repos. It tried to download the pom.xml even if I explicitly excluded the dependency with an <exclusion> element. Since that first download already fails (with a not found), I can’t tell whether it would try and download the JARs for the excluded dependency version in case the pom.xml had been kept in the repo.
>
> When the company finds CVEs related to a dependency, they remove the entire version from the repo, including the pom.xml and the JAR. It’s as if the dependency never existed in the repo in the first place.
>
> If Maven’s behaviour is to always download at least the pom.xml, I would need to make the case to the team that is enforcing this policy, and, perhaps, ask them to stop doing that and remove only the offending JARs from the repos, but I need to find some evidence that this is in fact how Maven works. This could be documentation or an explanation from someone from Apache.
>
> Cheers.
>
> From: Tamás Cservenák <ta...@cservenak.net>
> Date: Thursday, 20 February 2025 at 8:35 am
> To: Maven Users List <users@maven.apache.org>
> Subject: Re: Are dependency exclusions only applied after they are downloaded?
>
> Howdy,
>
> Are we talking about POM or the JAR here?
>
> Thanks
> T
>
> On Wed, Feb 19, 2025 at 10:20 PM Tomo Suzuki <suzt...@google.com.invalid> wrote:
> >
> > Try running Maven with the “-X” option to get debug logs. It prints dependency graphs. You may find the problematic dependency in an unexpected place in the graphs.
> >
> > Regards,
> > Tomo
> >
> > On Wed, Feb 19, 2025 at 16:10 Gabriel Correa de Oliveira <gabriel...@outlook.com> wrote:
> > >
> > > Hi, All,
> > >
> > > I am working in a corporate environment that uses Artifactory and Nexus as artifact repositories.
> > > Access to Maven Central and any other public repositories is blocked in the corporate network. Public repositories can only be accessed through Artifactory or Nexus as a proxy/cache.
> > >
> > > JFrog Xray and Sonatype Nexus IQ are being used to scan all artifacts that are published to these repositories or pulled from the public ones for security vulnerabilities. The company is particularly sensitive to dependencies with publicly reported CVEs. Once a dependency is identified with a CVE, it is hard-deleted from the corresponding repository.
> > >
> > > As a result, I can see Maven builds failing because dependencies that are OK often have dependencies on other artifacts that have CVEs reported against them, and, thus, were deleted from the repositories.
> > >
> > > I want to use <exclusions> in my pom.xml files and replace the versions of these transitive dependencies by others slightly newer or older that do not have CVEs reported against them, and, thus, are still in the internal repositories.
> > >
> > > However, Maven seems to still attempt to download these transitive dependencies from the repositories before applying the exclusions I configured in the pom.xml. If this is the way it behaves, my builds will keep failing.
> > >
> > > Can anyone here confirm if this is the expected behaviour for Maven? Is it really going to download all transitive dependencies in accordance with the original relationships before applying the exclusions I have configured in the pom.xml? If so, is there any way I can tell Maven not to attempt to download versions that I have already excluded in the pom.xml?
> > >
> > > I already searched through documentation, but I could not find this level of detail anywhere.
> > >
> > > Thank you.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org
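The shape of the pom.xml change Gabriel describes (excluding a transitive artifact whose version was removed from the internal repository and re-declaring the same artifact directly at a version that is still present), written out as an added example that is not from any message in this thread and not from the Maven project. All coordinates under com.example and the version numbers are constructed placeholders; this is also the minimal kind of reproducer Tamás asks for, so that the download attempts can be observed against the internal proxy rather than inferred.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example pom.xml: every com.example coordinate and version
     below is a placeholder, not a real artifact. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>exclusion-reproducer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencies>
    <!-- A direct dependency that is itself fine, but whose own POM declares
         com.example:flagged-transitive at a version that was hard-deleted
         from the internal repository after a CVE was reported against it. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>good-library</artifactId>
      <version>2.0.0</version>
      <exclusions>
        <!-- Cut the edge good-library -> flagged-transitive so the removed
             version is no longer part of the resolved graph. Exclusions are
             keyed on groupId/artifactId, never on version. -->
        <exclusion>
          <groupId>com.example</groupId>
          <artifactId>flagged-transitive</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Re-add the same artifact directly at a version that has no CVE
         reported against it and is therefore still present in the internal
         repository. Placeholder version. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>flagged-transitive</artifactId>
      <version>1.4.2</version>
    </dependency>
  </dependencies>
</project>
```

Running this project with the debug flag Tomo mentioned, for example `mvn -X dependency:tree`, prints the resolved dependency graph and, in the same log, the repository requests Maven issues while building it. Comparing the artifacts that appear in the graph with the pom.xml and JAR downloads the log shows attempted against the Artifactory or Nexus proxy is the evidence the thread is after: whether a download is attempted for the excluded version, and whether it is the POM, the JAR, or both. An alternative to the exclusion plus direct re-declaration is to pin the replacement version in `<dependencyManagement>`, which overrides the transitive version without removing the edge; which of the two forms is more suitable depends on whether the project actually uses the artifact directly.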