[ 
https://issues.apache.org/jira/browse/MNG-6397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Guillaume Nodet updated MNG-6397:
---------------------------------
    Fix Version/s: 4.x / Backlog

> Maven Transitive Dependency Resolution Does Not Respect Repository Definition 
> in pom.xml
> ----------------------------------------------------------------------------------------
>
>                 Key: MNG-6397
>                 URL: https://issues.apache.org/jira/browse/MNG-6397
>             Project: Maven
>          Issue Type: New Feature
>          Components: Artifacts and Repositories, Dependencies, POM
>    Affects Versions: 3.0, 3.5.0, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.3
>         Environment: Apache Maven 3.5.0 
> (ff8f5e7444045639af65f6095c62210b5713f426; 2017-04-03T15:39:06-04:00)
> Maven home: /usr/local/share/maven
> Java version: 1.8.0_161, vendor: Oracle Corporation
> Java home: 
> /Library/Java/JavaVirtualMachines/jdk1.8.0_161.jdk/Contents/Home/jre
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "10.10.5", arch: "x86_64", family: "mac"
>            Reporter: Alan Czajkowski
>            Priority: Critical
>              Labels: maven
>             Fix For: 4.0.x-candidate, 4.x / Backlog, waiting-for-feedback
>
>
> _*Note:* I am trying to do a build behind a firewall which means I cannot 
> access the Internet, I can only access my internal Maven repository inside my 
> network, so:_
> - _grabbing artifacts from https://artifacts.example.com/repository/maven/ 
> works fine_
> - _grabbing artifacts from anywhere else fails due to firewall restrictions_
> Let's begin:
> My {{pom.xml}} has the following:
> {code:xml}
> ...
>     <dependencies>
> ...
>         <dependency>
>             <groupId>org.springframework.boot</groupId>
>             <artifactId>spring-boot-starter-web</artifactId>
>             <version>2.0.0.RELEASE</version>
>         </dependency>
> ...
>     </dependencies>
> ...
>     <repositories>
> ...
>         <repository>
>             <id>central</id>
>             <name>Public</name>
>             <url>https://artifacts.example.com/repository/maven/</url>
>             <releases>
>                 <enabled>true</enabled>
>             </releases>
>             <snapshots>
>                 <enabled>true</enabled>
>             </snapshots>
>         </repository>
> ...
>     </repositories>
> ...
> {code}
> The {{dependency:tree}} for the {{spring-boot-starter-web}} is as follows:
> {code:java}
> +- org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE:compile
> |  +- 
> org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile
> |  |  +- 
> com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.4:compile
> |  |  +- 
> com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.4:compile
> |  |  \- 
> com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.4:compile
> |  +- 
> org.springframework.boot:spring-boot-starter-tomcat:jar:2.0.0.RELEASE:compile
> |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.28:compile
> |  +- org.hibernate.validator:hibernate-validator:jar:6.0.7.Final:compile
> |  |  +- javax.validation:validation-api:jar:2.0.1.Final:compile
> |  |  +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
> |  |  \- com.fasterxml:classmate:jar:1.3.1:compile
> |  \- org.springframework:spring-web:jar:5.0.4.RELEASE:compile
> {code}
> How is it that the build fails as such:
> {code:java}
> ...
> Downloading: 
> https://repo.spring.io/milestone/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading: 
> https://repo.spring.io/snapshot/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading: 
> https://dl.bintray.com/rabbitmq/maven-milestones/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading: 
> https://repo.maven.apache.org/maven2/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> ...
> [ERROR] Failed to execute goal on project maven-multi-module-demo-backend: 
> Could not resolve dependencies for project 
> com.example.pipe:maven-multi-module-demo-backend:war:1.0.0-SNAPSHOT: Failed 
> to collect dependencies at 
> org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE -> 
> org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Failed to read 
> artifact descriptor for 
> org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Could not 
> transfer artifact org.jboss.shrinkwrap:shrinkwrap-bom:pom:1.2.3 from/to 
> spring-milestone (https://repo.spring.io/milestone): Connection reset -> 
> [Help 1]
> ...
> {code}
> when I did not even reference this repo {{spring-milestone 
> ([https://repo.spring.io/milestone])}} anywhere in my {{pom.xml}}?
> When you go down the Spring Boot rabbit hole (go into the 
> {{spring-boot-starter-web}}'s {{pom.xml}} and then traverse up its parent-pom 
> structure a few jumps) you'll eventually get to a parent-pom 
> {{spring-boot-dependencies}} with this definition:
> {code:xml}
> ...
>     <repositories>
>         <repository>
>             <snapshots>
>                 <enabled>false</enabled>
>             </snapshots>
>             <id>spring-milestone</id>
>             <name>Spring Milestone</name>
>             <url>https://repo.spring.io/milestone</url>
>         </repository>
>         <repository>
>             <snapshots>
>                 <enabled>true</enabled>
>             </snapshots>
>             <id>spring-snapshot</id>
>             <name>Spring Snapshot</name>
>             <url>https://repo.spring.io/snapshot</url>
>         </repository>
>         <repository>
>             <snapshots>
>                 <enabled>false</enabled>
>             </snapshots>
>             <id>rabbit-milestone</id>
>             <name>Rabbit Milestone</name>
>             <url>https://dl.bintray.com/rabbitmq/maven-milestones</url>
>         </repository>
>     </repositories>
> ...
> {code}
> How is it that the Maven build does _not_ even attempt to reach out to 
> [https://artifacts.example.com/repository/maven/] to try to find the missing 
> dependency {{shrinkwrap-bom}}? and only reaches out to the above repos only 
> and not the one defined in my own {{pom.xml}}?
> *This seems like a transitive dependency resolution bug to me as the Maven 
> build does not even make a single attempt at trying to get {{shrinkwrap-bom}} 
> from the {{<repository>}} that I have explicitly defined in my {{pom.xml}}. 
> The (grand)parents of the {{spring-boot-starter-web}} dependency completely 
> hi-jack the repository list that the build pulls from (this type of 
> hi-jacking should not be allowed). The {{shrinkwrap-bom}} artifact does exist 
> in [https://artifacts.example.com/repository/maven/] and can be fetched no 
> problem if it is explicitly defined in my {{pom.xml}} but defining it 
> explicitly would be a work-around and I cannot use this work-around in my 
> situation.*



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to