I want to use ESAPI in my project and have added following dependency in the pom.xml
pom.xml with dependency:
<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.5.0.0</version>
</dependency>
But when I import org.owasp.esapi.* intellij give me warning as shown in image.
I want to use ESAPI logger to prevent CRLF injection possibilities in log statements.
My current project uses slf4j.Logger
I am very new to this ESAPI and OWASP and have never used it and have tried from here
https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#configuring-esapi-to-use-slf4j
Please tell me if im doing something wrong and how to correctly use ESAPI in project.
Hmm. What JDK are you using with IntelliJ? Java 8 or later is required as of 2.4.0.0. That's the only thing that I can think of that would cause this behavior. Looks okay otherwise. Did you check if the esapi-2.5.0.0.jar got pulled down? Because it's either not finding that or it's not compatible with the Java version that your IntelliJ IDE is using.
Well i found that I was adding this dependency in <dependencyManagement> tag instead of <dependencies> tag, that's why it wasn't downloading from the repository.
Previous:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.5.0.0</version>
</dependency>
</dependencies>
</dependencyManagement>
after fix:
<dependencies>
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.5.0.0</version>
</dependency>
</dependencies>
Whats the difference in <dependencies> and <dependencyManagement> please refer this Differences between dependencyManagement and dependencies in Maven
I want to use an external BOM to manage dependency versions for my project in SBT.
For example, the AWS Java SDK publishes a bill-of-materials artifact to their maven repository: https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-bom/1.11.86
I can use it to manage versions of dependencies in the AWS SDK. In Maven I can do this by adding the BOM to my <dependencyManagement> section like so:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-bom</artifactId>
<version>1.11.86</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
Then when I want to use a module that's covered in the BOM I can omit the version and the BOM will resolve it for me:
<dependencies>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-s3</artifactId>
</dependency>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-sns</artifactId>
</dependency>
</dependencies>
Similarly in Gradle, I can use the BOM to manage dependencies for me using this plugin, like so:
apply plugin: "io.spring.dependency-management"
dependencyManagement {
imports {
mavenBom 'com.amazonaws:aws-java-sdk-bom:1.11.86'
}
}
dependencies {
compile 'com.amazonaws:aws-java-sdk-sns'
compile 'com.amazonaws:aws-java-sdk-s3'
}
Is there a similar plugin for SBT?
I'm looking for the same and have searched in a lot of place.
Most interesting thing I found is it looks like there is Open Ticket on SBT Project:
https://github.com/sbt/sbt/issues/4531
Can't wait that it's resolved !
Have you tried to use Ivy with sbt? It allows you to specify "get latest" by using rev="+"
<ivy-module version="2.0" xmlns:m="http://ant.apache.org/ivy/maven" xmlns:e="http://ant.apache.org/ivy/extras">
<dependencies>
<dependency org="com.amazonaws" name="aws-java-sdk-s3" rev="+" conf="compile->compile(*),master(*);runtime->runtime(*)" />
</dependencies>
</ivy-module>
See http://www.scala-sbt.org/1.0/docs/Library-Dependencies.html
If I understand you correctly, you can add this to your libraryDependencies:
"com.amazonaws" % "aws-java-sdk-bom" % "1.11.800" pomOnly()
You still have to put that version number in a variable and use it with the SDKs you actually want, unless someone knows the right magic to use to use in the revision field. I know you can go latest.release if you want the latest release version.
From yesterday I have problems compiling with maven because of iText jar.
My project has a dependency of jasperreports-2.0.1 that depends on itext-1.02b or higher.
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>[1.02b,)</version>
<scope>compile</scope>
</dependency>
That is the log error in maven:
Failed to collect dependencies for [jasperreports:jasperreports:jar:2.0.1 (compile)]: Failed to read artifact descriptor for com.lowagie:itext:jar:4.2.2: Could not transfer artifact com.itextpdf:itextpdf:pom:4.2.2 from/to jaspersoft (http://www.jasperforge.org/maven2): Access denied to http://www.jasperforge.org/maven2/com/itextpdf/itextpdf/4.2.2/itextpdf-4.2.2.pom. Error code 403, Forbidden -> [Help 1]
I see here a comment from Amedee Van Gasse that says something about a 4.2.2 version with no jar.
Why does the 1.02b version attach to 4.2.2?
Edit:
Jasper-reports uses an open version range:
[1.02b,)
This range says to maven to take the library latest version.
With the update from iText adding new version Pom with no jar and editting the maven-metadata of maven-central to that no-jar version crashes the compilation to all jar depending form latest com.lowagie library.
Updating locally your maven-metadata-central.xml (and other metadata if your company has it's own nexus.public) from ...m2\repository\com\lowagie\itext
to that works. Temporally solucion until iText updates the metadata or ALL companies that has dependencies for it's latest version updates it's pom
<metadata modelVersion="1.1.0">
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<versioning>
<latest>4.2.1</latest>
<release>4.2.1</release>
<versions>
<version>0.99</version>
<version>1.1.4</version>
<version>1.02b</version>
<version>1.2.3</version>
<version>1.3</version>
<version>1.3.1</version>
<version>1.4</version>
<version>1.4.8</version>
<version>2.0.1</version>
<version>2.0.6</version>
<version>2.0.7</version>
<version>2.0.8</version>
<version>2.1.0</version>
<version>2.1.2</version>
<version>2.1.3</version>
<version>2.1.4</version>
<version>2.1.5</version>
<version>2.1.7</version>
<version>4.2.0</version>
<version>4.2.1</version>
</versions>
<lastUpdated>20150709153501</lastUpdated>
</versioning>
</metadata>
A much simpler solution may be to upgrade to a newer version of jasperreports. Version 6.1.0 has this dependency on iText:
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>2.1.7.js2</version>
<scope>compile</scope>
</dependency>
No more "floating" dependency on iText, and it's a version that's custom made for jasperreports!
See http://mvnrepository.com/artifact/net.sf.jasperreports/jasperreports/6.1.0 for the complete pom.xml.
I'm using gradle and for the current version 6.8.2 I got the following build error:
> Could not find com.lowagie:itext:2.1.7.js6
So I added http://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/ as repository and now it works.
repositories {
mavenCentral()
maven { url "https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/" }
}
dependencies {
compile 'net.sf.jasperreports:jasperreports:6.8.0'
}
EDIT:
If you used this solution and suddenly get an error like
> Could not resolve com.lowagie:itext:2.1.7.js6.
> Could not parse POM http://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/com/lowagie/itext/2.1.7.js6/itext-2.1.7.js6.pom
> The element type "hr" must be terminated by the matching end-tag "</hr>".
This is because the jfrog repository disabled http and only allows https now. For some reason this creates a broken pom with the following content
<html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx</center>
</body>
</html>
Solution: Replace the http in the repository url with https.
The problem is indeed in the POM of jasper-reports:
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>[1.02b,)</version>
<scope>compile</scope>
</dependency>
Jasper-reports distributes a (modified) build of iText 2.1.7 since at least November 2012 (if memory serves me well), so if your version of jasper-reports still has a dependency on 1.02b and up, it must be a very old version.
The jasper-reports dependency on iText should be changed to:
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>[1.02b,2.1.7]</version>
<scope>compile</scope>
</dependency>
Or just:
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>2.1.7</version>
<scope>compile</scope>
</dependency>
This relates to this question: How do I tell Maven to use the latest version of a dependency?
That page is riddled with cautions about always using the latest version for your dependencies. It reduces reproducibility of your builds.
2.1.7 was the last version of iText released by the company iText Group NV (or its legal predecessor), with the com.lowagie groupId. The next version of iText, released by the company iText Group NV, was version 5.0.0, with the com.itextpdf groupId, which means it's binary incompatible with your current code. There's also the matter of a license change to AGPL, but that is outside the scope of StackOverflow, I want to restrict my answer to the technical matters.
Any other versions of iText between 2.1.7 and 5.0.0, like 4.2.0 and 4.2.1, are forks by other companies. According to Apache's Guide to uploading artifacts to the Central Repository (https://maven.apache.org/guides/mini/guide-central-repository-upload.html), those companies should have used a different groupId, as the page clearly states in their FAQ:
I have a patched version of the foo project developed at foo.com, what
groupId should I use? When you patch / modify a third party project,
that patched version becomes your project and therefore should be
distributed under a groupId you control as any project you would have
developed, never under com.foo. See above considerations about
groupId.
TL;DR
If you don't want to change your code, tell your Maven to only get iText 2.1.7.
We decide to maintain same jasperreport version and made this changes in conflicteds pom:
<dependencies>
<dependency>
<groupId>jasperreports</groupId>
<artifactId>jasperreports</artifactId>
<version>2.0.1</version>
<exclusions>
<exclusion>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>2.1.7</version>
</dependency>
...
</dependencies>
Edit: Change dependecy to 2.1.7 to be certain it will compile in future
I was making manteinance to some legacy code, and i faced the same problem. The solution that i found was to add the following to the pom.xml:
<repositories>
<repository>
<id>jasper-3rd-party</id>
<name>Jasper3rdParty</name>
<url>http://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>net.sf.jasperreports</groupId>
<artifactId>jasperreports</artifactId>
<version>6.12.2</version>
</dependency>
<!-- More dependencies like: commons-collections4, org.apache.xmlgraphics, etc -->
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>2.1.7.js4</version>
</dependency>
</dependencies>
The JasperReports version used to test this code was released on Mar/2020. Hope this helps!
I got the same problem,
Just realized that https://jaspersoft.jfrog.io/artifactory/third-party-ce-artifacts is not accessible by public, you need to change the artifactory to jaspersoft directory.
For maven you can use below repositories in pom.xml
<repositories>
<repository>
<id>jaspersoft-third-party</id>
<url>https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
</repository>
</repositories>
JasperReports patched the iText with some bug fixes. So you have to add the patched iText repo[1] in your pom/gradle file.
[1] http://jasperreports.sourceforge.net/maven2/
Below is the gradle snippet for your reference when using jasper report 6.1.1.
repositories {
mavenLocal()
mavenCentral()
maven { url "http://repo.spring.io/release" }
maven { url "https://jaspersoft.jfrog.io/artifactory/third-party-ce-artifacts/" }
maven { url "http://jasperreports.sourceforge.net/maven2/" }
}
This worked with the latest jasper-reports version 6.17.0 and maven 3.8.1, especially with the jasperreports-plugin from com.alexnederlof in version 2.8:
<project>
...
<repositories>
<!-- JasperSoft, they modified a standard library for their own special needs -->
<repository>
<id>jaspersoft-third-party</id>
<url>https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
</repository>
</repositories>
<pluginRepositories>
<!-- JasperSoft, they modified a standard library for their own special needs -->
<pluginRepository>
<id>jaspersoft-third-party</id>
<url>https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
</pluginRepository>
</pluginRepositories>
...
It's important to know that there is not only <repositories> but also <pluginRepositories> which you maybe have to supply (depending on your setup and transitive dependencies).
Answer for searchers in 2k19
Artifact:
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
is deprecated now.
Better to exclude it from jasperreports and add new itext dependency manually
<dependency>
<groupId>jasperreports</groupId>
<artifactId>jasperreports</artifactId>
<version>6.10.0</version> <!--(or higher)-->
<exclusions>
<exclusion>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.itextpdf</groupId>
<artifactId>itextpdf</artifactId>
<version>5.5.13</version> <!--(or higher)-->
</dependency>
"Fix" for me was to switch from jasperreports version 5.5.0 to 4.5.1 LOL. (which doesn't depend on itext)
Then it doesn't depend on a custom, seemingly unpublished dependency version of itext (2.1.7.js2 in my case).
You could download 2.1.7.js2.jar from the jasper people and publish it locally to your "own" custom maven repo, or even your local ~/.m2/repository (ugh). I've even seen people have a custom ivy command to "publish" a local copy of it to a local server (ivy or maven).
Or add the repo's in the other answers. Or just specify it manually as 2.1.7, which is in the main repo's, etc. (you'll miss some bug fixes though).
If you are using gradle Note That the url to the jaspersoft package below was changed from this one:
maven{ url "http://jaspersoft.artifactoryonline.com/jaspersoft/third-party-ce-artifacts" }
To this one here:
maven { url "https://jaspersoft.jfrog.io/artifactory/third-party-ce-artifacts" }
We have the same problem. To solve it, we have deleted the proxy parameters of the Maven config, and change the last version of the maven-metadata-central (in folder com\lowagie\itext of your repository).
A bad solution, but, temporaly, works :/
I have the same problem when using Maven 2.2.1, i re-built my project using Maven 3.2.3 and its works !
You have to use Maven 3 to resolve your problem, the bug seem to be resolved in this version.
Is it possible using the m2e maven plugin for eclipse (or some other easy way), to figure out which <dependency> entry in my POM is the reason for a given .jar to be added to the classpath. afaik right click only allows me to see the pom of the given artifact.
in this example the my pom looks like
<dependencies>
<dependency>
<groupId>eu.medsea.mimeutil</groupId>
<artifactId>mime-util</artifactId>
<version>2.1.1</version>
</dependency>
</dependencies>
so it's pretty easy to understand that who is responsible for adding the log4j things
Open the POM in the m2e POM editor (should happen by default), click Dependency Hierarchy, type the name of the offending dependency into the filter box. It will highlight the dependency that drags it in.
Oh well figured it ..
right click->maven->exclude maven artifact would place a nice exclusion element on the dependency causing the inclusion
<dependencies>
<dependency>
<groupId>eu.medsea.mimeutil</groupId>
<artifactId>mime-util</artifactId>
<version>2.1.1</version>
<exclusions>
<exclusion>
<artifactId>slf4j-api</artifactId>
<groupId>org.slf4j</groupId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
I am hoping to run an Akka project within an OSGi container (apache-servicemix-4.4.1-fuse-06-03) but am having a little trouble installing the dependent libraries. I have already installed akka-actor and config as follows:
osgi:install -s mvn:com.typesafe.akka/akka-actor/2.1-SNAPSHOT
osgi:install -s mvn:com.typesafe/config/0.4.1
But am unable to install scala-library (v2.9.2 required). I have tried creating my own bundle using the maven-bundle-plugin but to no avail and have googled round for ages.
Any help would be greatly appreciated.
If you're looking for a quick workaround, use the bundle from your Scala IDE/Eclipse for Scala 2.9.2. I did that for my Akka 2.1/Karaf POC and it worked fine. If you don't have one, download it from my lib folder here.
This was kindly uploaded after posting on the scala-users group:
https://github.com/guofengzh/scala-lang-osgi
The built binaries of scala-lang-osgi referred by #ben1729 is now available on our Bippo/Soluvas Nexus repository public repository: http://nexus.bippo.co.id/nexus/content/groups/public/
Feel free to browse our repository at http://nexus.bippo.co.id/nexus/
Usage:
<repository>
<id>bippo-nexus-public</id>
<url>http://nexus.bippo.co.id/nexus/content/groups/public/</url>
</repository>
then add one or all of them to your Maven POM file:
<dependency>
<groupId>org.scala-lang-osgi</groupId>
<artifactId>scala-library</artifactId>
<version>2.9.2</version>
</dependency>
<dependency>
<groupId>org.scala-lang-osgi</groupId>
<artifactId>scala-compiler</artifactId>
<version>2.9.2</version>
</dependency>
<dependency>
<groupId>org.scala-lang-osgi</groupId>
<artifactId>scala-dbc</artifactId>
<version>2.9.2</version>
</dependency>
<dependency>
<groupId>org.scala-lang-osgi</groupId>
<artifactId>scala-swing</artifactId>
<version>2.9.2</version>
</dependency>
Please let me know when a new version comes out so I can redeploy the newer artifacts to our repo.
Update: Scala OSGi 2.10-M6 is now available on our repository:
<dependency>
<groupId>org.scala-lang-osgi</groupId>
<artifactId>scala-library</artifactId>
<version>2.10.0-M6</version>
</dependency>
<dependency>
<groupId>org.scala-lang-osgi</groupId>
<artifactId>scala-compiler</artifactId>
<version>2.10.0-M6</version>
</dependency>
<dependency>
<groupId>org.scala-lang-osgi</groupId>
<artifactId>scala-dbc</artifactId>
<version>2.10.0-M2</version>
</dependency>
<dependency>
<groupId>org.scala-lang-osgi</groupId>
<artifactId>scala-swing</artifactId>
<version>2.10.0-M6</version>
</dependency>
It can work with Akka but using a patched Akka 2.1-M1 (see http://www.assembla.com/spaces/akka/tickets/2367-osgi-manifest-references-2-9-2 ).
The patched Akka is available in our repository as: (in Karaf URL)
mvn:com.typesafe.akka/akka-actor/2.1-M1/jar/patch2
Summary on Akka bug: Akka 2.1-M1 requires 2.10-M6, it doesn't work with 2.9.2 :
Error executing command: Error starting bundles:
nable to resolve 160.0: missing requirement [160.0] osgi.wiring.package; (&(osgi.wiring.package=scala.collection.convert)(version>=2.9.2)(!(version>=2.10.0)))
But it currently imports the wrong package versions:
scala.collection.convert;version="[2.9.2,2.10)",
scala.concurrent.util;version="[2.9.2,2.10)",
scala.concurrent.util.duration;version="[2.9.2,2.10)",