Over the weekend, I created a minimal reproducible example to illustrate my 
point and published it to Stackoverflow because of the ease of formatting: 
https://stackoverflow.com/q/79461137/1411125

In summary, what is happening is:

Given this POM:
<project xmlns="http://maven.apache.org/POM/4.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.mycompany.app</groupId>
  <artifactId>deleted-artifacts-app</artifactId>
  <packaging>jar</packaging>
  <version>1.0-SNAPSHOT</version>
  <name>deleted-artifacts-app</name>
  <url>http://maven.apache.org</url>
  <dependencies>
    <dependency>
      <groupId>com.atlassian.bamboo</groupId>
      <artifactId>atlassian-bamboo-api</artifactId>
      <version>9.2.8</version>
      <scope>provided</scope>
      <exclusions>
        <exclusion>
          <groupId>com.atlassian.platform</groupId>
          <artifactId>third-party</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>

Maven will still try and download multiple versions of 
com.atlassian.platform:third-party even though it is excluded. Examples:

Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.19/third-party-6.0.19.pom
Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.19/third-party-6.0.19.pom (11 kB at 8.4 kB/s)
Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.13/third-party-6.0.13.pom
Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.13/third-party-6.0.13.pom (11 kB at 7.5 kB/s)
Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/3.1.7/third-party-3.1.7.pom
Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/3.1.7/third-party-3.1.7.pom (9.0 kB at 5.9 kB/s)
Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.0-m04/third-party-6.0.0-m04.pom
Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.0-m04/third-party-6.0.0-m04.pom (11 kB at 8.2 kB/s)
Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.0-m08/third-party-6.0.0-m08.pom
Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.0-m08/third-party-6.0.0-m08.pom (11 kB at 8.3 kB/s)
Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/5.0.0-m1/third-party-5.0.0-m1.pom
Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/5.0.0-m1/third-party-5.0.0-m1.pom (11 kB at 8.4 kB/s)
Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.29/third-party-6.0.29.pom
Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.29/third-party-6.0.29.pom (11 kB at 8.0 kB/s)

My expectation is for Maven never to download anything from the 
atlassian/com/atlassian/platform/third-party path, because I excluded all 
versions of this transitive dependency from my pom.xml.

I am working in a corporate environment where dependencies for which CVEs are 
identified are hard-deleted from the mirrors we must use, and my Maven goals 
are not working because it keeps trying to download dependencies that I already 
marked as excluded (because I know they have been removed from the mirror).

Thank you,
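
A check worth running before taking this to the repository team (an added example of my own, not code from the thread or from the Maven project): Maven's <exclusions> only prune edges of the dependency graph, that is, entries under <dependencies>. A coordinate that a dependency's own POM names as its <parent>, or as an import-scoped <dependencyManagement> entry (a BOM), is needed to build that POM's effective model and is fetched before any exclusion is evaluated. Whether that is what is happening with com.atlassian.platform:third-party is an assumption here, not something the thread establishes; the script below shows how to tell the two cases apart from a downloaded dependency POM. The POM text it parses is constructed for the example and is not the real atlassian-bamboo-api POM; the group/artifact names in it and the helper names are hypothetical.

```python
"""Classify how a dependency's POM references a given groupId:artifactId,
to separate references an <exclusion> can remove (plain <dependencies>
entries) from ones it cannot (<parent> and import-scoped BOM entries, which
Maven must fetch to build the effective model).

The SAMPLE_POM below is constructed for this example (hypothetical names,
not the real atlassian-bamboo-api POM).
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample: the same group/artifact appears as parent, as an
# imported BOM, and as an ordinary dependency, each with its own version.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>com.example.platform</groupId>
    <artifactId>third-party</artifactId>
    <version>6.0.19</version>
  </parent>
  <groupId>com.example</groupId>
  <artifactId>some-api</artifactId>
  <version>1.0</version>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example.platform</groupId>
        <artifactId>third-party</artifactId>
        <version>6.0.13</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.example.platform</groupId>
      <artifactId>third-party</artifactId>
      <version>3.1.7</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>unrelated</artifactId>
      <version>2.0</version>
    </dependency>
  </dependencies>
</project>
"""


def _text(el, tag):
    """Text of a namespaced child element, or None if absent."""
    child = el.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def _matches(el, group_id, artifact_id):
    return _text(el, "groupId") == group_id and _text(el, "artifactId") == artifact_id


def classify_references(pom_xml, group_id, artifact_id):
    """Return [(kind, version, excludable)] for each reference to the coordinate.

    kind is 'parent', 'bom-import' or 'dependency'. Only 'dependency'
    references are removed by an <exclusion> in a consuming POM; the other
    two are resolved during model building regardless of exclusions.
    """
    root = ET.fromstring(pom_xml)
    hits = []

    parent = root.find("m:parent", NS)
    if parent is not None and _matches(parent, group_id, artifact_id):
        hits.append(("parent", _text(parent, "version"), False))

    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        if (_matches(dep, group_id, artifact_id)
                and _text(dep, "scope") == "import" and _text(dep, "type") == "pom"):
            hits.append(("bom-import", _text(dep, "version"), False))

    for dep in root.findall("m:dependencies/m:dependency", NS):
        if _matches(dep, group_id, artifact_id):
            hits.append(("dependency", _text(dep, "version"), True))

    return hits


def unexcludable_versions(pom_xml, group_id, artifact_id):
    """Versions whose POM Maven will still fetch, whatever the consumer excludes."""
    return sorted(v for _, v, excludable
                  in classify_references(pom_xml, group_id, artifact_id)
                  if not excludable)


if __name__ == "__main__":
    for kind, version, excludable in classify_references(
            SAMPLE_POM, "com.example.platform", "third-party"):
        print(f"{kind:11s} {version:8s} excludable={excludable}")
```

To apply this to a real case, point it at the POM files Maven already cached under ~/.m2/repository for atlassian-bamboo-api and its parents, or compare against the output of mvn help:effective-pom and mvn -X for the reproducer. If the excluded coordinate only ever turns up as a parent or an imported BOM, an <exclusion> cannot stop the download and the fix has to be on the repository side (keeping the POM and removing only the JAR) or by overriding the version in your own <dependencyManagement>.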


From: Tamás Cservenák <ta...@cservenak.net>
Date: Friday, 21 February 2025 at 8:41 pm
To: Maven Users List <users@maven.apache.org>
Subject: Re: Are dependency exclusions only applied after they are downloaded?

Howdy,

I am not sure we are on the same page.
Could you please create a reproducer and
explain to me what is happening and what you expect to happen?

Thanks
T

On Thu, Feb 20, 2025 at 11:06 PM Gabriel Correa de Oliveira
<gabriel...@outlook.com> wrote:
>
> Concerning the downloads, I can see that it first tries to download the 
> pom.xml for the dependencies that were hard-deleted from the repos. It tried 
> to download the pom.xml even if I explicitly excluded the dependency with an 
> <exclusion> element. Since that first download already fails (with a not 
> found), I can’t tell whether it would try and download the JARs for the 
> excluded dependency version in case the pom.xml had been kept in the repo.
>
> When the company finds CVEs related to a dependency, they remove the entire 
> version from the repo, including the pom.xml and the JAR. It’s as if the 
> dependency never existed in the repo in the first place.
>
> If Maven’s behaviour is to always download at least the pom.xml, I would need 
> to make the case to the team that is enforcing this policy, and, perhaps, ask 
> them to stop doing that and remove only the offending JARs from the repos, 
> but I need to find some evidence that this is in fact how Maven works. This 
> could be documentation or an explanation from someone from Apache.
>
> Cheers.
>
> From: Tamás Cservenák <ta...@cservenak.net>
> Date: Thursday, 20 February 2025 at 8:35 am
> To: Maven Users List <users@maven.apache.org>
> Subject: Re: Are dependency exclusions only applied after they are downloaded?
>
> Howdy,
>
> Are we talking about POM or the JAR here?
>
> Thanks
> T
>
> On Wed, Feb 19, 2025 at 10:20 PM Tomo Suzuki <suzt...@google.com.invalid> 
> wrote:
> >
> > Try running Maven with “-X” option to get debug logs. It prints dependency
> > graphs. You may find the problematic dependency in an unexpected place in
> > the graphs.
> >
> > Regards,
> > Tomo
> >
> >
> > On Wed, Feb 19, 2025 at 16:10 Gabriel Correa de Oliveira <
> > gabriel...@outlook.com> wrote:
> >
> > > Hi, All,
> > >
> > > I am working in a corporate environment that uses Artifactory and Nexus as
> > > artifact repositories.
> > > Access to Maven Central and any other public repositories is blocked in
> > > the corporate network. Public repositories can only be accessed through
> > > Artifactory or Nexus as a proxy/cache.
> > >
> > > JFrog Xray and Sonatype Nexus IQ are being used to scan all artifacts that
> > > are published to these repositories or pulled from the public ones for
> > > security vulnerabilities. The company is particularly sensitive to
> > > dependencies with publicly reported CVEs. Once a dependency is identified
> > > with CVE, it is hard-deleted from the corresponding repository.
> > >
> > > As a result, I can see Maven builds failing because dependencies that
> > > are OK often have dependencies on other artifacts that have CVEs reported
> > > against them, and, thus, were deleted from the repositories.
> > >
> > > I want to use <exclusions> in my pom.xml files and replace the versions of
> > > these transitive dependencies by others slightly newer or older that do not
> > > have CVEs reported against them, and, thus, are still in the internal
> > > repositories.
> > >
> > > However, Maven seems to still attempt to download these transitive
> > > dependencies from the repositories before applying the exclusions I
> > > configured in the pom.xml. If this is the way it behaves, my builds will
> > > keep failing.
> > >
> > > Can anyone here confirm if this is the expected behaviour for Maven? Is it
> > > really going to download all transitive dependencies in accordance with the
> > > original relationships before applying the exclusions I have configured in
> > > the pom.xml? If so, is there any way I can tell Maven not to attempt to
> > > download versions that I have already excluded in the pom.xml?
> > >
> > > I already searched through documentation, but I could not find this level
> > > of detail anywhere.
> > >
> > > Thank you.
> > >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
> For additional commands, e-mail: users-h...@maven.apache.org
>
