James Howe created MENFORCER-417:
------------------------------------
Summary: requireUpperBoundDeps doesn't account for
dependencyManagement
Key: MENFORCER-417
URL: https://issues.apache.org/jira/browse/MENFORCER-417
Project: Maven Enforcer Plugin
Issue Type: Bug
Components: Standard Rules
Affects Versions: 3.0.0
Reporter: James Howe
{code:xml}
<rules>
<requireUpperBoundDeps/>
</rules>{code}
Example false-positive in a project using spring-boot-dependencies:
{noformat}
Require upper bound dependencies error for org.slf4j:slf4j-api:1.7.36 paths to
dependency are:
+-com.example:project:1.0-SNAPSHOT
+-org.springframework.security.extensions:spring-security-saml2-core:1.0.10.RELEASE
+-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:1.7.29
and
+-com.example:project:1.0-SNAPSHOT
+-com.github.zhanhb:thymeleaf-layout-dialect:3.0.0
+-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:1.7.32
+-com.example:project:1.0-SNAPSHOT
+-org.springframework.boot:spring-boot-starter-actuator:2.6.7
+-org.springframework.boot:spring-boot-starter:2.6.7 (managed) <--
org.springframework.boot:spring-boot-starter:2.6.7
+-org.springframework.boot:spring-boot-starter-logging:2.6.7 (managed)
<-- org.springframework.boot:spring-boot-starter-logging:2.6.7
+-org.slf4j:jul-to-slf4j:1.7.36 (managed) <--
org.slf4j:jul-to-slf4j:1.7.36
+-org.slf4j:slf4j-api:1.7.36 (managed) <-- org.slf4j:slf4j-api:1.7.36
{noformat}
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
