I want to use ESAPI in my project and have added following dependency in the pom.xml
pom.xml with dependency:
<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.5.0.0</version>
</dependency>
But when I import org.owasp.esapi.* intellij give me warning as shown in image.
I want to use ESAPI logger to prevent CRLF injection possibilities in log statements.
My current project uses slf4j.Logger
I am very new to this ESAPI and OWASP and have never used it and have tried from here
https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#configuring-esapi-to-use-slf4j
Please tell me if im doing something wrong and how to correctly use ESAPI in project.
Hmm. What JDK are you using with IntelliJ? Java 8 or later is required as of 2.4.0.0. That's the only thing that I can think of that would cause this behavior. Looks okay otherwise. Did you check if the esapi-2.5.0.0.jar got pulled down? Because it's either not finding that or it's not compatible with the Java version that your IntelliJ IDE is using.
Well i found that I was adding this dependency in <dependencyManagement> tag instead of <dependencies> tag, that's why it wasn't downloading from the repository.
Previous:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.5.0.0</version>
</dependency>
</dependencies>
</dependencyManagement>
after fix:
<dependencies>
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.5.0.0</version>
</dependency>
</dependencies>
Whats the difference in <dependencies> and <dependencyManagement> please refer this Differences between dependencyManagement and dependencies in Maven
I'm helping a friend configure a maven project with m2eclipse for the first time. We're both pretty unfamiliar with it and are encountering an issue where even though a dependency jar is showing up with packages in it under "maven dependencies" in the Project directory, if we try to import anything from any of that jar's packages, it can't find the class.
I noticed that the jars that are having issues are gray and not as opaque as the rest of the jars that are working.
What's strange is if you hover of the class name in the import, it shows a brief description of the class (from the documentation in the jar!) but it won't let me import it. All the other maven dependencies can be imported fine. Any ideas? We can't seem to even find what the darker icon means.
Also, the pom.xml is dead simple:
http://maven.apache.org/xsd/maven-4.0.0.xsd">
4.0.0
<groupId>com.something.portal.test</groupId>
<artifactId>PortalFrontEndTests</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>PortalFrontEndTests</name>
<url>http://maven.apache.org</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>3.8.1</version>
<scope>test</scope>
</dependency>
<!-- Selenium -->
<dependency>
<groupId>org.seleniumhq.selenium</groupId>
<artifactId>selenium-java</artifactId>
<version>2.53.1</version>
</dependency>
<!-- TestNG -->
<dependency>
<groupId>org.testng</groupId>
<artifactId>testng</artifactId>
<version>6.11</version>
<scope>test</scope>
</dependency>
</dependencies>
</project>
I'm not sure what I'm missing here
open your pom.xml file
check for the name of the grayed out jar file
change
<scope>test</scope>
to
<scope>compile</scope>
I found the issue. It was because I had the class in the source directory instead of the test directory and both of the maven dependencies had been marked as "Visible only to test"
I had the same problem when i used the <scope>test</scope> in the maven pom.
It seems as if the newer Eclipse/Java versions do have a new Attribute :
<classpathentry kind="src" output="target/test-classes" path="src/test/java/...">
<attributes>
<attribute name="test" value="true"/>
</attributes>
</classpathentry>
This should be enabled in the Java Build Path Settings:
Image showing "Containts test sources" option from build path menu
After enabling this i got rid of all the compiler errors.
check for your dependency scope in POM file
compile, provided, system and test these were the available test
test -> compile would change your dependencies from grey to white.
If your dependency is for test scope then that dependency is not available for normal use in application whereas compile scope sets that dependency in class path of your project.
I am not sure on the grayed out part. If this is the feature because it suggest that Testing class should be under /test rather /src.
However, solution to your problem is scope of plugin, change it to compile and you will be good to go.
i.e. replace test with compile:
<scope>test</scope>
<scope>compile</scope>
That's it. you will not get any error for import testing packages.
Just removing the Scope will work. I tried as the following:
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-api</artifactId>
<version>5.8.0-M1</version>
</dependency>
I am also faced the same problem
set scope to compile or remove scope
open maven dependencies
right click on dependency and click download resources
I want to use an external BOM to manage dependency versions for my project in SBT.
For example, the AWS Java SDK publishes a bill-of-materials artifact to their maven repository: https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-bom/1.11.86
I can use it to manage versions of dependencies in the AWS SDK. In Maven I can do this by adding the BOM to my <dependencyManagement> section like so:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-bom</artifactId>
<version>1.11.86</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
Then when I want to use a module that's covered in the BOM I can omit the version and the BOM will resolve it for me:
<dependencies>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-s3</artifactId>
</dependency>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-sns</artifactId>
</dependency>
</dependencies>
Similarly in Gradle, I can use the BOM to manage dependencies for me using this plugin, like so:
apply plugin: "io.spring.dependency-management"
dependencyManagement {
imports {
mavenBom 'com.amazonaws:aws-java-sdk-bom:1.11.86'
}
}
dependencies {
compile 'com.amazonaws:aws-java-sdk-sns'
compile 'com.amazonaws:aws-java-sdk-s3'
}
Is there a similar plugin for SBT?
I'm looking for the same and have searched in a lot of place.
Most interesting thing I found is it looks like there is Open Ticket on SBT Project:
https://github.com/sbt/sbt/issues/4531
Can't wait that it's resolved !
Have you tried to use Ivy with sbt? It allows you to specify "get latest" by using rev="+"
<ivy-module version="2.0" xmlns:m="http://ant.apache.org/ivy/maven" xmlns:e="http://ant.apache.org/ivy/extras">
<dependencies>
<dependency org="com.amazonaws" name="aws-java-sdk-s3" rev="+" conf="compile->compile(*),master(*);runtime->runtime(*)" />
</dependencies>
</ivy-module>
See http://www.scala-sbt.org/1.0/docs/Library-Dependencies.html
If I understand you correctly, you can add this to your libraryDependencies:
"com.amazonaws" % "aws-java-sdk-bom" % "1.11.800" pomOnly()
You still have to put that version number in a variable and use it with the SDKs you actually want, unless someone knows the right magic to use to use in the revision field. I know you can go latest.release if you want the latest release version.
From yesterday I have problems compiling with maven because of iText jar.
My project has a dependency of jasperreports-2.0.1 that depends on itext-1.02b or higher.
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>[1.02b,)</version>
<scope>compile</scope>
</dependency>
That is the log error in maven:
Failed to collect dependencies for [jasperreports:jasperreports:jar:2.0.1 (compile)]: Failed to read artifact descriptor for com.lowagie:itext:jar:4.2.2: Could not transfer artifact com.itextpdf:itextpdf:pom:4.2.2 from/to jaspersoft (http://www.jasperforge.org/maven2): Access denied to http://www.jasperforge.org/maven2/com/itextpdf/itextpdf/4.2.2/itextpdf-4.2.2.pom. Error code 403, Forbidden -> [Help 1]
I see here a comment from Amedee Van Gasse that says something about a 4.2.2 version with no jar.
Why does the 1.02b version attach to 4.2.2?
Edit:
Jasper-reports uses an open version range:
[1.02b,)
This range says to maven to take the library latest version.
With the update from iText adding new version Pom with no jar and editting the maven-metadata of maven-central to that no-jar version crashes the compilation to all jar depending form latest com.lowagie library.
Updating locally your maven-metadata-central.xml (and other metadata if your company has it's own nexus.public) from ...m2\repository\com\lowagie\itext
to that works. Temporally solucion until iText updates the metadata or ALL companies that has dependencies for it's latest version updates it's pom
<metadata modelVersion="1.1.0">
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<versioning>
<latest>4.2.1</latest>
<release>4.2.1</release>
<versions>
<version>0.99</version>
<version>1.1.4</version>
<version>1.02b</version>
<version>1.2.3</version>
<version>1.3</version>
<version>1.3.1</version>
<version>1.4</version>
<version>1.4.8</version>
<version>2.0.1</version>
<version>2.0.6</version>
<version>2.0.7</version>
<version>2.0.8</version>
<version>2.1.0</version>
<version>2.1.2</version>
<version>2.1.3</version>
<version>2.1.4</version>
<version>2.1.5</version>
<version>2.1.7</version>
<version>4.2.0</version>
<version>4.2.1</version>
</versions>
<lastUpdated>20150709153501</lastUpdated>
</versioning>
</metadata>
A much simpler solution may be to upgrade to a newer version of jasperreports. Version 6.1.0 has this dependency on iText:
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>2.1.7.js2</version>
<scope>compile</scope>
</dependency>
No more "floating" dependency on iText, and it's a version that's custom made for jasperreports!
See http://mvnrepository.com/artifact/net.sf.jasperreports/jasperreports/6.1.0 for the complete pom.xml.
I'm using gradle and for the current version 6.8.2 I got the following build error:
> Could not find com.lowagie:itext:2.1.7.js6
So I added http://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/ as repository and now it works.
repositories {
mavenCentral()
maven { url "https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/" }
}
dependencies {
compile 'net.sf.jasperreports:jasperreports:6.8.0'
}
EDIT:
If you used this solution and suddenly get an error like
> Could not resolve com.lowagie:itext:2.1.7.js6.
> Could not parse POM http://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/com/lowagie/itext/2.1.7.js6/itext-2.1.7.js6.pom
> The element type "hr" must be terminated by the matching end-tag "</hr>".
This is because the jfrog repository disabled http and only allows https now. For some reason this creates a broken pom with the following content
<html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx</center>
</body>
</html>
Solution: Replace the http in the repository url with https.
The problem is indeed in the POM of jasper-reports:
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>[1.02b,)</version>
<scope>compile</scope>
</dependency>
Jasper-reports distributes a (modified) build of iText 2.1.7 since at least November 2012 (if memory serves me well), so if your version of jasper-reports still has a dependency on 1.02b and up, it must be a very old version.
The jasper-reports dependency on iText should be changed to:
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>[1.02b,2.1.7]</version>
<scope>compile</scope>
</dependency>
Or just:
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>2.1.7</version>
<scope>compile</scope>
</dependency>
This relates to this question: How do I tell Maven to use the latest version of a dependency?
That page is riddled with cautions about always using the latest version for your dependencies. It reduces reproducibility of your builds.
2.1.7 was the last version of iText released by the company iText Group NV (or its legal predecessor), with the com.lowagie groupId. The next version of iText, released by the company iText Group NV, was version 5.0.0, with the com.itextpdf groupId, which means it's binary incompatible with your current code. There's also the matter of a license change to AGPL, but that is outside the scope of StackOverflow, I want to restrict my answer to the technical matters.
Any other versions of iText between 2.1.7 and 5.0.0, like 4.2.0 and 4.2.1, are forks by other companies. According to Apache's Guide to uploading artifacts to the Central Repository (https://maven.apache.org/guides/mini/guide-central-repository-upload.html), those companies should have used a different groupId, as the page clearly states in their FAQ:
I have a patched version of the foo project developed at foo.com, what
groupId should I use? When you patch / modify a third party project,
that patched version becomes your project and therefore should be
distributed under a groupId you control as any project you would have
developed, never under com.foo. See above considerations about
groupId.
TL;DR
If you don't want to change your code, tell your Maven to only get iText 2.1.7.
We decide to maintain same jasperreport version and made this changes in conflicteds pom:
<dependencies>
<dependency>
<groupId>jasperreports</groupId>
<artifactId>jasperreports</artifactId>
<version>2.0.1</version>
<exclusions>
<exclusion>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>2.1.7</version>
</dependency>
...
</dependencies>
Edit: Change dependecy to 2.1.7 to be certain it will compile in future
I was making manteinance to some legacy code, and i faced the same problem. The solution that i found was to add the following to the pom.xml:
<repositories>
<repository>
<id>jasper-3rd-party</id>
<name>Jasper3rdParty</name>
<url>http://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>net.sf.jasperreports</groupId>
<artifactId>jasperreports</artifactId>
<version>6.12.2</version>
</dependency>
<!-- More dependencies like: commons-collections4, org.apache.xmlgraphics, etc -->
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>2.1.7.js4</version>
</dependency>
</dependencies>
The JasperReports version used to test this code was released on Mar/2020. Hope this helps!
I got the same problem,
Just realized that https://jaspersoft.jfrog.io/artifactory/third-party-ce-artifacts is not accessible by public, you need to change the artifactory to jaspersoft directory.
For maven you can use below repositories in pom.xml
<repositories>
<repository>
<id>jaspersoft-third-party</id>
<url>https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
</repository>
</repositories>
JasperReports patched the iText with some bug fixes. So you have to add the patched iText repo[1] in your pom/gradle file.
[1] http://jasperreports.sourceforge.net/maven2/
Below is the gradle snippet for your reference when using jasper report 6.1.1.
repositories {
mavenLocal()
mavenCentral()
maven { url "http://repo.spring.io/release" }
maven { url "https://jaspersoft.jfrog.io/artifactory/third-party-ce-artifacts/" }
maven { url "http://jasperreports.sourceforge.net/maven2/" }
}
This worked with the latest jasper-reports version 6.17.0 and maven 3.8.1, especially with the jasperreports-plugin from com.alexnederlof in version 2.8:
<project>
...
<repositories>
<!-- JasperSoft, they modified a standard library for their own special needs -->
<repository>
<id>jaspersoft-third-party</id>
<url>https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
</repository>
</repositories>
<pluginRepositories>
<!-- JasperSoft, they modified a standard library for their own special needs -->
<pluginRepository>
<id>jaspersoft-third-party</id>
<url>https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
</pluginRepository>
</pluginRepositories>
...
It's important to know that there is not only <repositories> but also <pluginRepositories> which you maybe have to supply (depending on your setup and transitive dependencies).
Answer for searchers in 2k19
Artifact:
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
is deprecated now.
Better to exclude it from jasperreports and add new itext dependency manually
<dependency>
<groupId>jasperreports</groupId>
<artifactId>jasperreports</artifactId>
<version>6.10.0</version> <!--(or higher)-->
<exclusions>
<exclusion>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.itextpdf</groupId>
<artifactId>itextpdf</artifactId>
<version>5.5.13</version> <!--(or higher)-->
</dependency>
"Fix" for me was to switch from jasperreports version 5.5.0 to 4.5.1 LOL. (which doesn't depend on itext)
Then it doesn't depend on a custom, seemingly unpublished dependency version of itext (2.1.7.js2 in my case).
You could download 2.1.7.js2.jar from the jasper people and publish it locally to your "own" custom maven repo, or even your local ~/.m2/repository (ugh). I've even seen people have a custom ivy command to "publish" a local copy of it to a local server (ivy or maven).
Or add the repo's in the other answers. Or just specify it manually as 2.1.7, which is in the main repo's, etc. (you'll miss some bug fixes though).
If you are using gradle Note That the url to the jaspersoft package below was changed from this one:
maven{ url "http://jaspersoft.artifactoryonline.com/jaspersoft/third-party-ce-artifacts" }
To this one here:
maven { url "https://jaspersoft.jfrog.io/artifactory/third-party-ce-artifacts" }
We have the same problem. To solve it, we have deleted the proxy parameters of the Maven config, and change the last version of the maven-metadata-central (in folder com\lowagie\itext of your repository).
A bad solution, but, temporaly, works :/
I have the same problem when using Maven 2.2.1, i re-built my project using Maven 3.2.3 and its works !
You have to use Maven 3 to resolve your problem, the bug seem to be resolved in this version.
I have a maven project with a dependency (datanucleus-db4o). This dependency has itself a dependency on db4o (db4o:db4o:jar:7.12.126.14142-all-java5).
Now maven says:
09.09.10 19:43:09 MESZ: Missing artifact db4o:db4o:jar:7.12.126.14142-all-java5:compile
I am new to maven. Is it right that datanucleus-db4o defines its own dependency with a specific version number? Is this a good way? m2eclipse can't download it. I downloaded a newer Version of db4o and added it to the classpath. Maven keeps writing about the missing artifact.
Also I've got NoClassDefFound errors when I launch my application. This leads me to the other question:
Am I doing something wrong?
Thanks in advance.
Here is the relevant part of the pom.xml...
<dependency>
<groupId>org.datanucleus</groupId>
<artifactId>datanucleus-core</artifactId>
<version>2.2.0-m1</version>
<type>jar</type>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.datanucleus</groupId>
<artifactId>datanucleus-db4o</artifactId>
<version>2.1.1</version>
<type>jar</type>
<scope>compile</scope>
</dependency>
and here is the relevant part of the pom.xml of
<dependency>
<groupId>db4o</groupId>
<artifactId>db4o</artifactId>
<version>7.12.126.14142-all-java5</version>
</dependency>
Is it right that datanucleus-db4o defines its own dependency with a specific version number? Is this a good way?
I'm not sure I understood the question... Anyway, there is indeed something wrong with the db4o:db4o dependency of the datanucleus-db4o artifact: it is not available in Maven central nor in the DataNucleus repository. I don't understand how users are supposed to use the datanucleus-db4o artifact.
I downloaded a newer Version of db4o and added it to the classpath. Maven keeps writing about the missing artifact.
Not sure what you did exactly but maybe the following will work: exclude the dependency that can't be resolved and replace it with some equivalent from the db4o repository.
<dependencies>
...
<dependency>
<groupId>org.datanucleus</groupId>
<artifactId>datanucleus-db4o</artifactId>
<version>2.1.1</version>
<type>jar</type>
<scope>compile</scope>
<exclusions>
<exclusion>
<groupId>db4o</groupId>
<artifactId>db4o</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.db4o</groupId>
<artifactId>db4o-full-java5</artifactId>
<version>7.12-SNAPSHOT</version>
</dependency>
</dependencies>
<repositories>
...
<repository>
<id>db4o</id>
<url>https://source.db4o.com/maven</url>
</repository>
</repositories>
I have no idea if this will work of course.
Also I've got NoClassDefFound errors when I launch my application. This leads me to the other question:
Can't say since you didn't post the error. But give the above a try.
The required file is not in the maven repositories, but it is in the datanucleus zip file (that one with all dependencies). Look into the /deps folder.
I unpacked it and installed it into the local maven repository with this command:
./mvn install:install-file -Dfile=/home/myUser/Downloads/db4o-7.12.126.14142-all-java5.jar -DgroupId=db4o -DartifactId=db4o -Dversion=7.12.126.14142-all-java5 -Dpackaging=jar
After that it is found by maven. Now there are other problems going on. I'll try to solve them myself...
Seems like the JDO or Datanucleus stuff is not well organized at the moment. I think they refactored some classes and now they can't be found at some versions and implementations are incompatible with the api and such stuff.