[ https://issues.apache.org/jira/browse/MENFORCER-434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17611994#comment-17611994 ]

Chris commented on MENFORCER-434:
---------------------------------

Please see the attached files, where the only difference is the use of version 3.0.0 vs. 3.1.0 of the maven-enforcer-plugin,
i.e.,
{code:bash}
user@box:/tmp/sample$ diff pom-enforced.xml pom-not-enforced.xml 
22c22
<         <version>3.0.0</version>
---
>         <version>3.1.0</version>
{code}
{{mvn -V -f [^pom-enforced.xml] validate # Using version 3.0.0 DOES enforce the rules}}
{code:bash}
user@box:/tmp/sample$ /opt/apache-maven-3.8.6/bin/mvn -V -f pom-enforced.xml validate
Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
Maven home: /opt/apache-maven-3.8.6
Java version: 1.8.0_342, vendor: Private Build, runtime: /usr/lib/jvm/java-8-openjdk-amd64/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "5.19.0-76051900-generic", arch: "amd64", family: "unix"
[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------< maven.sample.issue:MENFORCER-434 >------------------
[INFO] Building MENFORCER-434 1.0.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (enforce-versions) @ MENFORCER-434 ---
[WARNING] Rule 1: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
Found Banned Dependency: org.apache.logging.log4j:log4j-core:jar:2.19.0
Found Banned Dependency: org.apache.logging.log4j:log4j-api:jar:2.19.0
Found Banned Dependency: org.apache.logging.log4j:log4j-jul:jar:2.19.0
Found Banned Dependency: org.apache.logging.log4j:log4j-slf4j-impl:jar:2.19.0
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.241 s
[INFO] Finished at: 2022-10-01T15:04:59-07:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce (enforce-versions) on project MENFORCER-434: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
{code}
{{mvn -V -f [^pom-not-enforced.xml] validate # Using version 3.1.0 DOES NOT enforce the rules}}
{code:bash}
user@box:/tmp/sample$ /opt/apache-maven-3.8.6/bin/mvn -V -f pom-not-enforced.xml validate
Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
Maven home: /opt/apache-maven-3.8.6
Java version: 1.8.0_342, vendor: Private Build, runtime: /usr/lib/jvm/java-8-openjdk-amd64/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "5.19.0-76051900-generic", arch: "amd64", family: "unix"
[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------< maven.sample.issue:MENFORCER-434 >------------------
[INFO] Building MENFORCER-434 1.0.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-enforcer-plugin:3.1.0:enforce (enforce-versions) @ MENFORCER-434 ---
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.267 s
[INFO] Finished at: 2022-10-01T15:04:55-07:00
[INFO] ------------------------------------------------------------------------
user@box:/tmp/sample$
{code}
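Added example, not code from the enforcer plugin or from the attached POMs: a small Python re-implementation of the matching that the {{bannedDependencies}} rule is expected to perform, run over a constructed dependency list containing the artifacts the 3.0.0 log above flags. It follows the documented {{groupId[:artifactId[:version[:type[:scope]]]]}} pattern form with {{*}} globs and a bracketed version range such as {{(,3)}}; the version ordering is a simplified stand-in for Maven's comparator (an assumption of this example), and the names {{Dependency}}, {{matches}} and {{banned_dependencies}} are this example's own. The point is to have a build-independent statement of what the rule must report, so that a silent BUILD SUCCESS like the 3.1.0 run can be recognised as a supply-chain control failing open rather than taken as a clean result.

```python
import re
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Optional, Sequence, Tuple


class Dependency(NamedTuple):
    """One resolved artifact: the five fields an enforcer pattern can address."""
    group_id: str
    artifact_id: str
    version: str
    type: str = "jar"
    scope: str = "compile"

    def coordinates(self) -> str:
        # Same groupId:artifactId:type:version layout the enforcer prints.
        return f"{self.group_id}:{self.artifact_id}:{self.type}:{self.version}"


def version_key(version: str) -> tuple:
    """Simplified Maven version ordering (assumption of this example, good
    enough for x.y.z and x.y.z-QUALIFIER): numeric parts compare numerically,
    trailing zeros are ignored so 3 == 3.0.0, and a qualifier such as
    -SNAPSHOT sorts before the bare release it precedes."""
    numeric: List[int] = []
    qualifier = ""
    for part in re.split(r"[.-]", version):
        if part.isdigit() and not qualifier:
            numeric.append(int(part))
        else:
            qualifier = f"{qualifier}-{part.lower()}" if qualifier else part.lower()
    while numeric and numeric[-1] == 0:
        numeric.pop()
    return (tuple(numeric), 0 if qualifier else 1, qualifier)


Bound = Tuple[Optional[str], bool, Optional[str], bool]


def parse_range(spec: str) -> List[Bound]:
    """Parse "(,3)", "[1.0,2.0)", "[1.0]" or the union "(,1.0],[1.2,)" into
    (lower, lower_inclusive, upper, upper_inclusive) tuples."""
    bounds: List[Bound] = []
    for open_, body, close in re.findall(r"([\[(])([^\])]*)([\])])", spec):
        if "," in body:
            lower, upper = (s.strip() for s in body.split(",", 1))
        else:
            lower = upper = body.strip()  # "[1.0]" pins exactly that version
        bounds.append((lower or None, open_ == "[", upper or None, close == "]"))
    if not bounds:
        raise ValueError(f"not a version range: {spec!r}")
    return bounds


def in_range(spec: str, version: str) -> bool:
    """True when the version lies inside any interval of the range."""
    key = version_key(version)
    for lower, lower_inc, upper, upper_inc in parse_range(spec):
        if lower is not None:
            low = version_key(lower)
            if key < low or (key == low and not lower_inc):
                continue
        if upper is not None:
            high = version_key(upper)
            if key > high or (key == high and not upper_inc):
                continue
        return True
    return False


def matches(pattern: str, dep: Dependency) -> bool:
    """Match a groupId[:artifactId[:version[:type[:scope]]]] pattern: '*'
    globs any segment, and a bracketed version segment is a version range."""
    segments = pattern.split(":")
    if not 1 <= len(segments) <= 5:
        raise ValueError(f"bad pattern: {pattern!r}")
    actual = [dep.group_id, dep.artifact_id, dep.version, dep.type, dep.scope]
    for index, (wanted, have) in enumerate(zip(segments, actual)):
        if index == 2 and wanted and wanted[0] in "[(":
            if not in_range(wanted, have):
                return False
        elif not fnmatchcase(have, wanted):
            return False
    return True


def banned_dependencies(deps: Sequence[Dependency], excludes: Sequence[str],
                        includes: Sequence[str] = ()) -> List[str]:
    """Report every dependency hit by an exclude pattern that no include
    pattern re-allows, in the order the dependency list presents them."""
    return [dep.coordinates() for dep in deps
            if any(matches(p, dep) for p in excludes)
            and not any(matches(p, dep) for p in includes)]


# Constructed dependency list: the artifacts the 3.0.0 log above flags, plus
# two the rule must leave alone (the 3.0.0 log4j-core entry is hypothetical).
SAMPLE_DEPENDENCIES = [
    Dependency("org.apache.logging.log4j", "log4j-core", "2.19.0"),
    Dependency("org.apache.logging.log4j", "log4j-api", "2.19.0"),
    Dependency("org.apache.logging.log4j", "log4j-jul", "2.19.0"),
    Dependency("org.apache.logging.log4j", "log4j-slf4j-impl", "2.19.0"),
    Dependency("log4j", "log4j", "1.2.17"),
    Dependency("org.slf4j", "slf4j-api", "1.7.36"),
    Dependency("org.apache.logging.log4j", "log4j-core", "3.0.0"),
]
EXCLUDES = ["org.apache.logging.log4j:*:(,3)", "log4j:log4j"]  # the issue's rule

if __name__ == "__main__":
    for hit in banned_dependencies(SAMPLE_DEPENDENCIES, EXCLUDES):
        print("Found Banned Dependency:", hit)
```

Run as a script it prints the five "Found Banned Dependency" coordinates that the 3.0.0 run reports and nothing for slf4j-api or the hypothetical 3.0.0 log4j-core, which the open upper bound of {{(,3)}} leaves out. The {{includes}} argument carves exceptions out of the excludes, which is also how the real rule's include patterns are documented to behave.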

> Version 3.1.0 is not enforcing bannedDependencies rules
> -------------------------------------------------------
>
>                 Key: MENFORCER-434
>                 URL: https://issues.apache.org/jira/browse/MENFORCER-434
>             Project: Maven Enforcer Plugin
>          Issue Type: Bug
>    Affects Versions: 3.1.0
>            Reporter: Chris
>            Priority: Major
>         Attachments: pom-enforced.xml, pom-not-enforced.xml
>
>
> I've been testing rules regarding log4j and have found that {{bannedDependencies}} behaves differently between version 3.0.0 and 3.1.0.
> My relevant section, where I'm purposely creating a failure case by banning log4j2 versions less than "3" as well as any log4j 1.x:
> NOTE: the following configuration is using version 3.0.0 of maven-enforcer-plugin
> {code:xml}
>       <plugin>
>         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
>         <groupId>org.apache.maven.plugins</groupId>
>         <artifactId>maven-enforcer-plugin</artifactId>
>         <version>3.0.0</version>
>         <executions>
>           <execution>
>             <id>enforce-versions</id>
>             <goals>
>               <goal>enforce</goal>
>             </goals>
>             <configuration>
>               <fail>true</fail>
>               <rules>
>                 <bannedPlugins>
>                   <!-- will only display a warning but does not fail the build. -->
>                   <level>WARN</level>
>                   <excludes>
>                     <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
>                   </excludes>
>                   <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
>                 </bannedPlugins>
>                 <bannedDependencies>
>                   <searchTransitive>true</searchTransitive>
>                   <excludes>
>                     <!--
>                        Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html
>                              - Ban Log4j less than "3"
>                     -->
>                     <exclude>org.apache.logging.log4j:*:(,3)</exclude>
>                     <exclude>log4j:log4j</exclude>
>                   </excludes>
>                 </bannedDependencies>
>                 <requireMavenVersion>
>                   <version>3.8.2</version>
>                 </requireMavenVersion>
>                 <requireJavaVersion>
>                   <version>1.8.0-202</version>
>                 </requireJavaVersion>
>               </rules>
>             </configuration>
>           </execution>
>         </executions>
>       </plugin>
> {code}
> This results in a positive failure:
> {code:java}
> [INFO] --- maven-enforcer-plugin:3.0.0:enforce (enforce-versions) @ xxx-xxxxx-xxx ---
> [WARNING] Rule 1: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
> Found Banned Dependency: org.apache.logging.log4j:log4j-core:jar:2.19.0
> Found Banned Dependency: org.apache.logging.log4j:log4j-jul:jar:2.19.0
> Found Banned Dependency: org.apache.logging.log4j:log4j-api:jar:2.19.0
> Found Banned Dependency: log4j:log4j:jar:1.2.17
> Found Banned Dependency: org.apache.logging.log4j:log4j-slf4j-impl:jar:2.19.0
> Use 'mvn dependency:tree' to locate the source of the banned dependencies.
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD FAILURE
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time:  0.516 s
> [INFO] Finished at: 2022-09-30T15:06:57-07:00
> [INFO] ------------------------------------------------------------------------
> {code}
> However, only changing the version of maven-enforcer-plugin from 3.0.0 to 3.1.0, the rule does not fail:
> {code:xml}
>       <plugin>
>         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
>         <groupId>org.apache.maven.plugins</groupId>
>         <artifactId>maven-enforcer-plugin</artifactId>
>         <version>3.1.0</version>
>         <executions>
>           <execution>
>             <id>enforce-versions</id>
>             <goals>
>               <goal>enforce</goal>
>             </goals>
>             <configuration>
>               <fail>true</fail>
>               <rules>
>                 <bannedPlugins>
>                   <!-- will only display a warning but does not fail the build. -->
>                   <level>WARN</level>
>                   <excludes>
>                     <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
>                   </excludes>
>                   <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
>                 </bannedPlugins>
>                 <bannedDependencies>
>                   <searchTransitive>true</searchTransitive>
>                   <excludes>
>                     <!--
>                        Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html
>                              - Ban Log4j less than "3"
>                     -->
>                     <exclude>org.apache.logging.log4j:*:(,3)</exclude>
>                     <exclude>log4j:log4j</exclude>
>                   </excludes>
>                 </bannedDependencies>
>                 <requireMavenVersion>
>                   <version>3.8.2</version>
>                 </requireMavenVersion>
>                 <requireJavaVersion>
>                   <version>1.8.0-202</version>
>                 </requireJavaVersion>
>               </rules>
>             </configuration>
>           </execution>
>         </executions>
>       </plugin>
> {code}
>
> {code:java}
> [INFO] --- maven-enforcer-plugin:3.1.0:enforce (enforce-versions) @ xxx-xxxxx-xxx ---
> [INFO]
> {code}
> ... and the build continues
--
This message was sent by Atlassian Jira
(v8.20.10#820010)