My application uses Maven to build, and among its dependencies are LibA and LibB. Both of them in turn depend on the same library, com.thoughtworks.xstream:xstream, but LibA depends on version 1.4.16 and LibB depends on 1.4.8. When I run mvn dependency:tree, I can see that only the 1.4.16 version is being used, and when I unzip the built JAR file, I see that only xstream-1.4.16.jar is present. But Xray reports that my application has security issues because it depends on xstream version 1.4.8, through LibB.
Has anyone else run into this behavior? Is there a way to make Xray realize that our binary has nothing to do with the old 1.4.8 version?
It turns out that LibB is a fat jar that included xstream 1.4.8 directly, so Xray was correct that our application included it, even though it wasn't on Maven's dependency list.
Related
I know it's a very old thing now, but I need it.
I download scala-sources from the link, unpacking on Ubuntu 20.04. Also I download Ant 1.7.0 and install it. Also I download Apache maven 2.2.1 (or I tried maven 3.5.0) and install it.I also use jdk1.8.0.
I am trying to run "ant" or "ant build" from the scala directory, and something happens, but the build failed for the following reasons:
failed to create task or type scalacfork
Build failed
The following messages also appear at the top:
[taskdef] java.util.zip.ZipException: zip file is empty
(several times)
...
[WARNING] POM for 'biz.aQute:bndlib:pom:1.43.0:compile' is invalid.
...
[taskdef] Could not load definitions from resource scala/tools/ant/sabbus/antlib.xml. It could not be found.
I understand that many things are no longer available now and are definitely not supported, but maybe someone will tell me a way to get the result.
Maybe I can download the necessary data and manually build scala? I'm new to this and don't quite understand what and where I can change. And I can't use a newer version of scala because of work.
I hope for any help. Thank you in advance.
Yes, it is possible. Although it requires some patches in the build process and a few workarounds.
Read the README.rst, it contains some information on how builds are structured
Run git init, git add ., git commit as the build uses some git info (commit hash, etc) during build. It may be not needed for release, but I have not tried.
You need either JDK 1.6 or JDK 1.7. It can't be built on the 1.8 JDK (compilation fails if you remove checks from build.xml). And on 1.7 it says it can't build swing library so you won't be able to build distribution.
Fix the tools/binary-repo-lib.sh and change URLs to https otherwise fetching artifacts will fail. Maybe you have to remove some of the curl arguments to see what happens, maybe it won't be required.
Run pull-binary-libs.sh
Fix build.xml to use https protocol. This is based on the Official usage documentation. You have to define repository before the first artifact:dependencies task in the file (I did that in the same block).
<artifact:remoteRepository id="central" url="https://repo1.maven.org/maven2" />
Then you have to tell every artifact:dependency task to use that repo by adding the remoteRepository element, the tasks should look like
<artifact:dependencies pathId="extra.tasks.classpath" filesetId="extra.tasks.fileset">
<dependency groupId="biz.aQute" artifactId="bnd" version="1.50.0"/>
<remoteRepository refid="central"/>
</artifact:dependencies>
I think this was enough for me to build it using ant build on JDK 1.7 (apparently, swing libs were not built).
But probably the easier way would be to just download prebuild Scala version or tell your build tool to use the Scala version you want.
I have two projects that I compile and run together. These projects use different versions of certain jars. so I may have foo.1.15.jar and foo.1.16.jar both in my maven repo. The pom files correctly specify which project should use which jar, and I can run mvn verify to run all my integration tests without issue from the command line.
However, when I try to run a junit test from within eclipse I often run into errors with the wrong version of the jar being used. I believe that eclipse is always using the newest version of a jar that it finds within the maven repo, so if it sees foo.1.15 and foo.1.16 it will use the 16 version. The problem is that I want the 15 version, the tests fail if they run with the 16 version because it's not backwards compatible.
How do I make eclipse recognize that it needs to use an older version? In particular is there a way that I can make the junit tests recognize my pom file and utilize the correct jar versions specified within the pom?
I'm using m2eclipse if that is relevant.
edit: it looks like the problem is not an insistence on using the newest jar each time.
The problem is that my project A uses my project B. A uses foo.16 and B uses foo.15. the junit tests for A tries to use foo.16 even when it's running classes in B that are dependent on 15. However, I can't really change the dependencies, A needs 16 and B needs 15. Can I make eclipse understand this?
Your assumption about Eclipse always using the latest version of a Maven artifact is not correct.
However, Eclipse only supports one classpath per project and cannot distinguish the Maven dependency scopes, so test scope dependencies are also on the Eclipse compile and runtime classpath. It's hard to tell if this is really related to your problem.
You can open the POM editor and look at the Dependency Hierarchy tab to find out the (transitive) dependency path and the version used for each artifact. This may given you a clue for fixing your setup.
Let me explain first what I mean by necessary libs. I'm creating my first project using the Google App Engine for Java with the official Google Maven Plugin, the main problem that have Maven as a packaging solution (or maybe the Java development as a whole) is that if the dependency tree grows too much, the release process may be harder.
Let me illustrate it with an example. Let's start with the Jackson JSON library (it's a good starting point since it has no parent dependencies), now someone makes a JSON-RPC library and uses Jackson for the JSON serialization/deserialization. Imagine that this library not just provides a JSON-RPC client implementation, but also a server, that means that the POM of this lib will add some Java EE related libraries such us Jetty as dependencies.
Probably the guidelines say that the application should be either divided into modules or mark the server related deps as optional, but you know that many people don't follow the standards.
Now someone need a JSON-RPC client for his/her project, call it Project X, and uses the lib mentioned above, at compile time there will be no problems, Maven will successfully download the required libs and the application will compile fine, but the problem comes when that person wants to release the application. Which dependencies should be distributed along with the package (in a lib folder for example)?
Actually that's something that happened to me, I wasn't too much familiar with Maven so I used the Eclipse Runnable Jar Exporter, that produced jar file with all the maven libs copied to a lb subfolder, so the workaround that I did then was to just delete the libs that looked unnecessary and then tested if the application was still working. If there are classes that are not executed, as far as I know they are not loaded by the ClassLoader so they could be omitted and are unnecessary
I can't use the same trick now since the scenario is much more complex, we are talking of a Java Web Application, not a desktop application like the other one, and the library that I want to include is a Liquid Template Engine, which uses the ANTLR framework to generate the parsers plus Jackson for the JSON handler and Jsoup for HTML parsing.
Which libs should be packaged inside the WEB-INF/lib folder? I'm sure that I will need Jackson for JSON parsing but I'm not so sure about Jsoup, and what about ANTLR, it is necessary or is used just at compile time?
Update: I think I need to re-formulate my question, actually what I want is to determine which dependencies are really necessary for the application, and package those into the app WEB-INF/lib folder
Solution: It seems that the POM file that is packaged in the WAR file of the web app is used once the app is in the Google App Engine production environment to retrieve the necessary dependencies, and probably the appengine:update goal only packages those dependencies that can't be retrieved from the maven central repo, so there is no need to worry about that.
Thanks to David to point this.
You should check Maven's dependency scopes. Here's an extract from the documentation :
There are 6 scopes available:
compile This is the default scope, used if none is specified. Compile
dependencies are available in all classpaths of a project.
Furthermore, those dependencies are propagated to dependent projects.
provided This is much like compile, but indicates you expect the JDK
or a container to provide the dependency at runtime. For example, when
building a web application for the Java Enterprise Edition, you would
set the dependency on the Servlet API and related Java EE APIs to
scope provided because the web container provides those classes. This
scope is only available on the compilation and test classpath, and is
not transitive.
runtime This scope indicates that the dependency is
not required for compilation, but is for execution. It is in the
runtime and test classpaths, but not the compile classpath.
test This
scope indicates that the dependency is not required for normal use of
the application, and is only available for the test compilation and
execution phases.
system This scope is similar to provided except that
you have to provide the JAR which contains it explicitly. The artifact
is always available and is not looked up in a repository.
import (only
available in Maven 2.0.9 or later) This scope is only used on a
dependency of type pom in the section. It
indicates that the specified POM should be replaced with the
dependencies in that POM's section. Since they
are replaced, dependencies with a scope of import do not actually
participate in limiting the transitivity of a dependency.
So in a Maven project, the developer indicates which dependencies should be bundled in the application and which should not.
Basically there are two cases here :
If you're building a web application (WAR or EAR format) and want to deploy it, or if you're building an actual runnable jar, then you will need to bundle it with all the dependencies with scope compile and runtime.
If you're building a library, then you do not package any dependency with your library. Instead you include the pom.xml so that others know what dependency your library requires. For Maven to know how to find the associated POM for a given jar, the best and most common solution is to deploy the library to a Maven repository. Repos have a directory structure that helps Maven find the right version of a library, and find the POM that indicates the required dependencies.
Depending on wether your library is open source or not, you will be able to be hosted for free by some repositories such as Sonatype (complete list here). But you can also setup your own repository either by installing a dedicated software such as Nexus or by configuring a Github project as the repo, as is explained on this blog.
You can exclude any transitive dependency.
For your case, to remove jetty from this json-rpc-library, you need:
<dependency>
<groupId>com.somecomp</groupId>
<artifactId>jsonrpclib</artifactId>
<version>1.0</version>
<scope>compile</scope>
<exclusions>
<exclusion>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-server</artifactId>
</exclusion>
</exclusions>
</dependency>
See docs: http://maven.apache.org/guides/introduction/introduction-to-optional-and-excludes-dependencies.html
I've seen that there are quite a few questions regarding this problem, but unfortunately none have solved it for me. Here is a screencap of what's going on:
It is dependent on the android-support-v4 jar file which as you can see is added to my build path. It the exact jar file from the maven library directory's libs folder. I've tried the following:
Restarting Eclipse
Cleaning the project
Right-clicking the project and updating dependencies
Updating project configuration Disabling and re-enabling workspace resolution
Nothing has helped. Is there any other tricks to getting this resolved? All of the answer's I've seen suggest doing these things that I have already tried.
Thanks a lot!
Actual root cause:
The OP JMRboosties reports in this instance having to desactivate Proguard (the tool which shrinks, optimizes, and obfuscates your code by removing unused code and renaming classes, fields, and methods with semantically obscure names)
disabling proguard on the line where the error occurred (the <plugin> item) in pom.xml solved the problem
(See "How to use ProGuard with android-maven-plugin ").
Certain side-effects can result from using Proguard: For example, the Proguard page does mention:
The default proguard.cfg file tries to cover general cases, but you might encounter exceptions such as ClassNotFoundException, which happens when ProGuard strips away an entire class that your application calls.
Original answer:
As mentioned in this GitHub post:
you need to use maven Android SDK Deployer to install it:
I'm going to deploy my own android artifacts to my personal repository to avoid having this problem again.
If you're not explicitly using Maven you can just import it as a regular Android project into eclipse and it'll pick up the .jar from the libs/ directory.
(Note your android-support-v4.jar isn't in libs in your project)
declare it in your pom.xml.
You have to install both Android 1.6 and the compat lib using the maven SDK deployer for now.
cd to platforms/platform-4/ and extras/compatibility-v4/ in the deployer and run mvn install in each.
Hopefully the compat lib makes it into maven central soon so I can avoid this step.
Again, the project is set up to be used as a normal Android project in eclipse too completely separate from maven.
File, New, Project, Android, use existing sources, select library/ folder.
Assuming you're using m2e-android behind the scenes, the reason you're getting compile problems is that the m2e-android plug-in strips out all provided scope dependencies from the Eclipse project classpath.
We do this because, due to changes in ADT 16.0.0, any JAR file in the Eclipse classpath will be packaged into distributable APK file.
sbt has a bunch of nice utils in (e.g.) sbt IO - I'd like to use these in my app. What are the artifact group/names/versions I should be referencing? (This is nearly impossible to Google for...) I looked in scala-tools.org but I could only find 2.7-compatible releases (and I'm building a 2.9 project) - am I out of luck? (For now I might try copying the relevant sources over into my project, if they're easy enough to tease apart and to port to 2.9.)
The groupId is org.scala-sbt as can be seen from https://github.com/harrah/xsbt/blob/0.12.1/project/Sbt.scala but apparently the latest artifacts are not available in a Maven repository. It might be best to build sbt yourself and install it into your local repository, or to just copy the source files into your project. The latest version of sbt (version 0.11) appears to use Scala 2.9.