[ https://issues.apache.org/jira/browse/MENFORCER-434?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chris updated MENFORCER-434:
----------------------------

Description:

I've been testing rules regarding log4j and have found that the bannedDependencies behave differently between version 3.0.0 and 3.1.0.

My relevant section where I'm purposely creating a failure case by banning log4j2 versions "3" and less, as well as any log4j 1.x.

NOTE this is using version 3.0.0 of maven-enforcer-plugin

{code:java}
<plugin>
  <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>3.0.0</version>
  <executions>
    <execution>
      <id>enforce-versions</id>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <fail>true</fail>
        <rules>
          <bannedPlugins>
            <!-- will only display a warning but does not fail the build. -->
            <level>WARN</level>
            <excludes>
              <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
            </excludes>
            <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
          </bannedPlugins>
          <bannedDependencies>
            <searchTransitive>true</searchTransitive>
            <excludes>
              <!--
                Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html
                - Ban Log4j less than "3"
              -->
              <exclude>org.apache.logging.log4j:*:(,3)</exclude>
              <exclude>log4j:log4j</exclude>
            </excludes>
          </bannedDependencies>
          <requireMavenVersion>
            <version>3.8.2</version>
          </requireMavenVersion>
          <requireJavaVersion>
            <version>1.8.0-202</version>
          </requireJavaVersion>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>
{code}

results in:

{code:java}
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (enforce-versions) @ xxx-xxxxx-xxx ---
[WARNING] Rule 1: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
Found Banned Dependency: org.apache.logging.log4j:log4j-core:jar:2.19.0
Found Banned Dependency: org.apache.logging.log4j:log4j-jul:jar:2.19.0
Found Banned Dependency: org.apache.logging.log4j:log4j-api:jar:2.19.0
Found Banned Dependency: log4j:log4j:jar:1.2.17
Found Banned Dependency: org.apache.logging.log4j:log4j-slf4j-impl:jar:2.19.0
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.516 s
[INFO] Finished at: 2022-09-30T15:06:57-07:00
[INFO] ------------------------------------------------------------------------
{code}

ONLY changing the version of maven-enforcer-plugin from 3.0.0 to 3.1.0, the rule does not fail.

{code:java}
<plugin>
  <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>3.1.0</version>
  <executions>
    <execution>
      <id>enforce-versions</id>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <fail>true</fail>
        <rules>
          <bannedPlugins>
            <!-- will only display a warning but does not fail the build. -->
            <level>WARN</level>
            <excludes>
              <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
            </excludes>
            <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
          </bannedPlugins>
          <bannedDependencies>
            <searchTransitive>true</searchTransitive>
            <excludes>
              <!--
                Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html
                - Ban Log4j less than "3"
              -->
              <exclude>org.apache.logging.log4j:*:(,3)</exclude>
              <exclude>log4j:log4j</exclude>
            </excludes>
          </bannedDependencies>
          <requireMavenVersion>
            <version>3.8.2</version>
          </requireMavenVersion>
          <requireJavaVersion>
            <version>1.8.0-202</version>
          </requireJavaVersion>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>
{code}

{code:java}
[INFO] --- maven-enforcer-plugin:3.1.0:enforce (enforce-versions) @ xxx-xxxxx-xxx ---
[INFO]
{code}

was:

I've been testing rules regarding log4j and have found that the bannedDependencies behave differently between version 3.0.0 and 3.1.0.

My relevant section where I'm purposely creating a failure case by banning log4j2 versions "3" and less, as well as any log4j 1.x.

NOTE this is using version 3.0.0 of maven-enforcer-plugin

{code:java}
<plugin>
  <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>3.0.0</version>
  <executions>
    <execution>
      <id>enforce-versions</id>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <fail>true</fail>
        <rules>
          <bannedPlugins>
            <!-- will only display a warning but does not fail the build. -->
            <level>WARN</level>
            <excludes>
              <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
            </excludes>
            <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
          </bannedPlugins>
          <bannedDependencies>
            <searchTransitive>true</searchTransitive>
            <excludes>
              <!--
                Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html
                - Ban Log4j less than "3"
              -->
              <exclude>org.apache.logging.log4j:*:(,3)</exclude>
              <exclude>log4j:log4j</exclude>
            </excludes>
          </bannedDependencies>
          <requireMavenVersion>
            <version>3.8.2</version>
          </requireMavenVersion>
          <requireJavaVersion>
            <version>1.8.0-202</version>
          </requireJavaVersion>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>
{code}

results in:

{code:java}
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (enforce-versions) @ xxx-xxxxx-xxx ---
[WARNING] Rule 1: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
Found Banned Dependency: org.apache.logging.log4j:log4j-core:jar:2.19.0
Found Banned Dependency: org.apache.logging.log4j:log4j-jul:jar:2.19.0
Found Banned Dependency: org.apache.logging.log4j:log4j-api:jar:2.19.0
Found Banned Dependency: log4j:log4j:jar:1.2.17
Found Banned Dependency: org.apache.logging.log4j:log4j-slf4j-impl:jar:2.19.0
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.516 s
[INFO] Finished at: 2022-09-30T15:06:57-07:00
[INFO] ------------------------------------------------------------------------
{code}

ONLY changing the version of maven-enforcer-plugin from 3.0.0 to 3.1.0, the rule does not fail.
{code:java}
<plugin>
  <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>3.1.0</version>
  <executions>
    <execution>
      <id>enforce-versions</id>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <fail>true</fail>
        <rules>
          <bannedPlugins>
            <!-- will only display a warning but does not fail the build. -->
            <level>WARN</level>
            <excludes>
              <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
            </excludes>
            <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
          </bannedPlugins>
          <bannedDependencies>
            <searchTransitive>true</searchTransitive>
            <excludes>
              <!--
                Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html
                - Ban Log4j less than "3"
              -->
              <exclude>org.apache.logging.log4j:*:(,3)</exclude>
              <exclude>log4j:log4j</exclude>
            </excludes>
          </bannedDependencies>
          <requireMavenVersion>
            <version>3.8.2</version>
          </requireMavenVersion>
          <requireJavaVersion>
            <version>1.8.0-202</version>
          </requireJavaVersion>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>
{code}

{code:java}
[INFO] --- maven-enforcer-plugin:3.1.0:enforce (enforce-versions) @ rxn-commons-time ---
[INFO]
{code}

> Version 3.1.0 is not enforcing bannedDependency rules
> -----------------------------------------------------
>
> Key: MENFORCER-434
> URL: https://issues.apache.org/jira/browse/MENFORCER-434
> Project: Maven Enforcer Plugin
> Issue Type: Bug
> Affects Versions: 3.1.0
> Reporter: Chris
> Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
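As an added check that is not part of this issue or of maven-enforcer-plugin: a small Python script that re-applies the two exclude patterns from the rule above to `mvn dependency:list` output, so a build can be independently re-verified when the enforcer run prints nothing but `[INFO]`, as it does with 3.1.0 here. The sample output is constructed, version ordering is simplified to leading dotted numerics rather than Maven's full ComparableVersion, and only the single-range form of a Maven version spec (such as `(,3)`, `[2.0,3)` or `[1.2.17]`) is handled.

```python
import re
from fnmatch import fnmatchcase

# The two exclude patterns from the page's <bannedDependencies> rule.
EXCLUDES = ["org.apache.logging.log4j:*:(,3)", "log4j:log4j"]
# Constructed `mvn dependency:list` sample (not from the page): g:a:type:version:scope, no classifier.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.19.0:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.19.0:compile
[INFO]    log4j:log4j:jar:1.2.17:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:3.0.0:test
"""
def version_key(v):
    # Simplified ordering (assumption): leading dotted numerics only, "2.19.0" -> (2, 19, 0).
    digits = re.match(r"[\d.]*", v).group(0).strip(".")
    return tuple(int(p) for p in digits.split(".") if p)

def in_range(version, spec):
    """True if version lies in one Maven range such as (,3), [2.0,3) or [1.2.17]."""
    lo_br, lo, comma, hi, hi_br = re.fullmatch(r"([\[(])([^,\])]*)(,?)([^\])]*)([\])])", spec).groups()
    v = version_key(version)
    if not comma:                          # [1.2.17] pins exactly one version
        return v == version_key(lo)
    if lo and (v < version_key(lo) or (lo_br == "(" and v == version_key(lo))):
        return False
    if hi and (v > version_key(hi) or (hi_br == ")" and v == version_key(hi))):
        return False
    return True

def matching_pattern(group, artifact, version, patterns=EXCLUDES):
    """First exclude pattern (groupId[:artifactId[:version-or-range]]) hitting this GAV, else None."""
    for pat in patterns:
        g, a, v = (pat.split(":") + ["*", "*"])[:3]     # omitted fields match anything
        version_ok = in_range(version, v) if v[0] in "[(" else fnmatchcase(version, v)
        if fnmatchcase(group, g) and fnmatchcase(artifact, a) and version_ok:
            return pat
    return None

def banned_dependencies(dependency_list_output, patterns=EXCLUDES):
    """Re-check resolved dependencies against the excludes; returns [(coordinate, pattern)]."""
    hits = []
    for line in dependency_list_output.splitlines():
        m = re.match(r"\[INFO\]\s+([^:\s]+):([^:\s]+):([^:\s]+):([^:\s]+):([^:\s]+)$", line)
        pat = m and matching_pattern(m[1], m[2], m[4], patterns)
        if pat:
            hits.append((f"{m[1]}:{m[2]}:{m[3]}:{m[4]}", pat))
    return hits
```

A non-empty result from `banned_dependencies` on a build where the enforcer goal reported nothing is the signal that the rule was skipped rather than satisfied.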