Over the weekend, I created a minimal reproducible example to illustrate my point and published it to Stackoverflow because of the ease of formatting: https://stackoverflow.com/q/79461137/1411125
I summary, what is happening is: Give this POM: <project xmlns="http://maven.apache.org/POM/4.0.0"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd";> <modelVersion>4.0.0</modelVersion> <groupId>com.mycompany.app</groupId> <artifactId>deleted-artifacts-app</artifactId> <packaging>jar</packaging> <version>1.0-SNAPSHOT</version> <name>deleted-artifacts-app</name> <url>http://maven.apache.org</url> <dependencies> <dependency> <groupId>com.atlassian.bamboo</groupId> <artifactId>atlassian-bamboo-api</artifactId> <version>9.2.8</version> <scope>provided</scope> <exclusions> <exclusion> <groupId>com.atlassian.platform</groupId> <artifactId>third-party</artifactId> </exclusion> </exclusions> </dependency> </dependencies> </project> Maven will still try and download multiple versions of com.atlassian.platform:third-party even though it is excluded. Examples: Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.19/third-party-6.0.19.pom Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.19/third-party-6.0.19.pom (11 kB at 8.4 kB/s) Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.13/third-party-6.0.13.pom Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.13/third-party-6.0.13.pom (11 kB at 7.5 kB/s) Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/3.1.7/third-party-3.1.7.pom Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/3.1.7/third-party-3.1.7.pom (9.0 kB at 5.9 kB/s) Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.0-m04/third-party-6.0.0-m04.pom Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.0-m04/third-party-6.0.0-m04.pom (11 kB at 8.2 kB/s) Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.0-m08/third-party-6.0.0-m08.pom Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.0-m08/third-party-6.0.0-m08.pom (11 kB at 8.3 kB/s) Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/5.0.0-m1/third-party-5.0.0-m1.pom Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/5.0.0-m1/third-party-5.0.0-m1.pom (11 kB at 8.4 kB/s) Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.29/third-party-6.0.29.pom Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.29/third-party-6.0.29.pom (11 kB at 8.0 kB/s) My expectation it for Maven never to download anything from the atlassian/com/atlassian/platform/third-party path, because I excluded all versions of this transitive dependency from my pom.xml. I am working in a corporate environment where dependencies for which CVEs are identified are hard-deleted from the mirrors we must use, and my Maven goals are not working because it keeps trying to download dependencies that I already marked as excluded (because I know they have been removed from the mirror). Thank you, From: Tamás Cservenák <ta...@cservenak.net> Date: Friday, 21 February 2025 at 8:41 pm To: Maven Users List <users@maven.apache.org> Subject: Re: Are dependency exclusions only applied after they are downloaded? Howdy, I am not sure we are on the same page. Could you please create a reproducer and explain to me what is happening and what you expect to happen? Thanks T On Thu, Feb 20, 2025 at 11:06 PM Gabriel Correa de Oliveira <gabriel...@outlook.com> wrote: > > Concerning the downloads, I can see that it first tries to download the > pom.xml for the dependencies that were hard-deleted from the repos. It tried > to download the pom.xml even if I explicitly excluded the dependency with an > <exclusion> element. Since that first download already fails (with a not > found), I can’t tell whether it would try and download the JARs for the > excluded dependency version in case the pom.xml had been kept in the repo. > > When the company finds CVEs related to a dependency, they remove the entire > version from the repo, including the pom.xml and the JAR. It’s as if the > dependency never existed in the repo in the first place. > > If Maven’s behaviour is to always download at least the pom.xml, I would need > to make the case to the team that is enforcing this policy, and, perhaps, ask > them to stop doing that and remove only the offending JARs from the repos, > but I need to find some evidence that this in fact how Maven works. This > could be documentation or an explanation from someone from Apache. > > Cheers. > > From: Tamás Cservenák <ta...@cservenak.net> > Date: Thursday, 20 February 2025 at 8:35 am > To: Maven Users List <users@maven.apache.org> > Subject: Re: Are dependency exclusions only applied after they are downloaded? > > Howdy, > > Are we talking about POM or the JAR here? > > Thanks > T > > On Wed, Feb 19, 2025 at 10:20 PM Tomo Suzuki <suzt...@google.com.invalid> > wrote: > > > > Try running Maven with “-X” option to get debug logs. It prints dependency > > graphs. You may find the problematic dependency in an unexpected place in > > the graphs. > > > > Regards, > > Tomo > > > > > > On Wed, Feb 19, 2025 at 16:10 Gabriel Correa de Oliveira < > > gabriel...@outlook.com> wrote: > > > > > Hi, All, > > > > > > I am working in a corporate environment that uses Artifactory and Nexus as > > > artifact repositories. > > > Access to Maven Central and any other public repositories are blocked in > > > the corporate network. Public repositories can only be accessed through > > > Artifactory or Nexus as a proxy/cache. > > > > > > JFrog Xray and Sonatype Nexus IQ are being used to scan all artifacts that > > > are published to these repositories or pulled from the public ones for > > > security vulnerabilities. The company is particularly sensitive to > > > dependencies with publicly reported CVEs. Once a dependency is identified > > > with CVE, it is hard-deleted from the corresponding repository. > > > > > > As a result, and I can see Maven builds failing because dependencies that > > > are OK often have dependencies on other artifacts that have CVEs reported > > > against them, and, thus, were deleted from the repositories. > > > > > > I want to use <exclusions> in my pom.xml files and replace the versions of > > > these transitive dependencies by others slightly newer or older that do > > > not > > > have CVEs reported against them, and, thus, are still in the internal > > > repositories. > > > > > > However, Maven seems to still attempt to download these transitive > > > dependencies from the repositories before applying the exclusions I > > > configured in the pom.xml. If this is the way it behaves, my builds will > > > keep failing. > > > > > > Can anyone here confirm if this the expected behaviour for Maven? Is it > > > really going to download all transitive dependencies in accordance with > > > the > > > original relationships before applying the exclusions I have configured in > > > the pom.xml? If so, is there any way I can tell Maven not to attempt to > > > download versions that I have already excluded in the pom.xml? > > > > > > I already searched through documentation, but I could not find this level > > > of detail anywhere. > > > > > > Thank you. > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@maven.apache.org > For additional commands, e-mail: users-h...@maven.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
