
Say I have a set of artifacts (with given groupId/artifactId) which I want to forbid as dependencies for my Maven project. The reason is that these artifacts are not allowed as part of a war due to some company rule (details don't matter -- it's a legacy problem).

Let me take log4j as an example.

I want to make sure that there is no direct and no transitive dependency on any version of log4j. Now I can go through the dependency tree, find all the positions where log4j is included and try to construct exclusions. As these dependencies may be indirect (transitive) dependencies, these exclusions should probably go to the dependencyManagement section. This seems to be complicated and error-prone.

Is there an easy way to completely exclude a given artifact (or a set of artifacts) as dependency (from the whole project)?

J Fabian Meier
  • Yes, check the `maven-enforcer-plugin`. You can ban dependencies: http://stackoverflow.com/questions/12794049/blacklist-maven-dependencies – Tunaki Oct 06 '16 at 14:21
  • @Tunaki If I understand it correctly, the enforcer plugin will fail the build, not exclude the dependency. Or did I get this wrong? – J Fabian Meier Oct 06 '16 at 14:23
  • Yes, it will fail the build if the dependency is declared or a transitive of another one. Is this not what you want? It makes sure the dependency isn't there. For other approaches, see this great answer http://stackoverflow.com/questions/33907162/systematic-approach-with-maven-to-deal-with-dependency-hell. – Tunaki Oct 06 '16 at 14:26
  • I want to say something like "exclude log4j" and then don't have any log4j version in my war. I don't want to spot all places that depend on log4j and add 17 exclusions just to make sure log4j does not sneak in through the backdoor. – J Fabian Meier Oct 06 '16 at 14:28
  • Also see [MNG-1977](https://issues.apache.org/jira/browse/MNG-1977). In the next Maven version, you can specify an `` parameter in the dependency management, it will make sure you will never inherit log4j. But if you declare it in your POM, you'll still have it. There is no other "global" exclusion mechanism I think. – Tunaki Oct 06 '16 at 14:32
  • The direct dependencies are under my control, this is more about not getting log4j (or any other specified dependency) transitively. This "optional" seems to be the thing I want - but Maven 3.5 will probably take some time... – J Fabian Meier Oct 06 '16 at 14:36
  • Possible duplication: http://stackoverflow.com/questions/547805/exclude-all-transitive-dependencies-of-a-single-dependency/7556707#7556707 – sirandy Oct 06 '16 at 14:43
  • @sirandy No, it is the other way round: I do not want to exclude all dependencies of a given artifact, but exclude a given artifact as transitive dependency (at any place it occurs). This is more or less the "global exclude mechanism" that Tunaki mentioned in MNG-1977. – J Fabian Meier Oct 06 '16 at 14:53
  • @JFMeier No it's different. That linked question is for excluding all transitive dependencies from a given dependency. But MNG-1977 is about globally excluding a specific dependency, like you're asking here. To date, there's no way to do that, except enforcing that it isn't there (and failing the build if it is)... – Tunaki Oct 06 '16 at 14:56
  • @Tunaki This leaves me with the ugly method: Find all occurrences of log4j in dependency:tree and exclude them one by one. – J Fabian Meier Oct 06 '16 at 14:58
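The "ugly method" from the last comment (walk `dependency:tree`, find every place the banned artifact appears, attach an exclusion to each one) is mechanical enough to script. The following is an added example, not code from the question or its comments: a Python script that parses the plain-text output of `mvn dependency:tree`, reports the direct dependency through which each banned `groupId:artifactId` enters (that is the dependency an `<exclusion>` has to hang on), and drafts the `<dependencyManagement>` entries. The tree text embedded below is a constructed sample, not output from any real project. The parser assumes the plugin's usual layout: every tree level is drawn as a 3-character cell (`+- `, `\- `, `|  ` or spaces) and coordinates are `groupId:artifactId:type[:classifier]:version[:scope]`.

```python
"""Locate where banned artifacts enter a Maven dependency tree and draft exclusions.

Added example (not from the question or its comments). Reads `mvn dependency:tree`
text output and, for each banned groupId:artifactId, reports the direct dependency
that pulls it in, which is where a Maven <exclusion> has to be attached.
"""
import re
import sys
from typing import Dict, Iterable, Iterator, List, Optional

from typing import NamedTuple

# Constructed sample of `mvn dependency:tree` output; not taken from any real project.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ demo-war ---
[INFO] com.example:demo-war:war:1.0.0
[INFO] +- org.springframework:spring-core:jar:4.3.2.RELEASE:compile
[INFO] |  \\- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- com.example.legacy:legacy-util:jar:2.1:compile
[INFO] |  +- org.slf4j:slf4j-log4j12:jar:1.7.21:compile
[INFO] |  |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] |  \\- commons-io:commons-io:jar:2.5:compile
[INFO] \\- com.example.legacy:legacy-web:jar:3.0:compile
[INFO]    +- log4j:log4j:jar:1.2.17:compile
[INFO]    \\- javax.servlet:servlet-api:jar:2.5:provided
"""


class Node(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: str  # "" for the root project
    depth: int

    @property
    def ga(self) -> str:
        return f"{self.group}:{self.artifact}"


# Assumption: each tree level is a 3-character cell ("+- ", "\- ", "|  ", "   ").
LINE_RE = re.compile(
    r"^(?:\[INFO\] )?(?P<prefix>.*?)"
    r"(?P<coord>[\w.-]+:[\w.-]+:[\w.-]+(?::[\w.-]+)*)$"
)


def parse_coord(coord: str, depth: int) -> Optional[Node]:
    """groupId:artifactId:type[:classifier]:version[:scope] -> Node (None if unrecognised)."""
    p = coord.split(":")
    if len(p) == 4:   # root project: g:a:type:version
        return Node(p[0], p[1], p[3], "", depth)
    if len(p) == 5:   # g:a:type:version:scope
        return Node(p[0], p[1], p[3], p[4], depth)
    if len(p) == 6:   # g:a:type:classifier:version:scope
        return Node(p[0], p[1], p[4], p[5], depth)
    return None


def walk(tree_text: str) -> Iterator[List[Node]]:
    """Yield the root-to-node path for every node in the tree, in output order."""
    stack: List[Node] = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # plugin banner, BUILD SUCCESS, blank lines, ...
        depth = len(m.group("prefix")) // 3
        node = parse_coord(m.group("coord"), depth)
        if node is None:
            continue
        del stack[depth:]  # leave the previous sibling's subtree
        stack.append(node)
        yield list(stack)


def find_entry_points(tree_text: str, banned: Iterable[str]) -> Dict[str, List[Node]]:
    """Map each banned groupId:artifactId to the direct dependencies that pull it in.

    A banned artifact declared directly shows up as its own entry point; an
    exclusion cannot remove that, only deleting the declaration can.
    """
    wanted = set(banned)
    found: Dict[str, Dict[str, Node]] = {}
    for path in walk(tree_text):
        node = path[-1]
        if node.ga in wanted and len(path) > 1:
            direct = path[1]
            found.setdefault(node.ga, {})[direct.ga] = direct
    return {ga: [d for _, d in sorted(directs.items())] for ga, directs in found.items()}


def exclusions_xml(entry_points: Dict[str, List[Node]]) -> str:
    """Render <dependencyManagement> entries excluding each banned artifact under
    every direct dependency found to carry it."""
    by_direct: Dict[Node, set] = {}
    notes: List[str] = []
    for banned_ga, directs in entry_points.items():
        for d in directs:
            if d.ga == banned_ga:
                notes.append(f"<!-- {banned_ga} is a direct dependency: delete the declaration -->")
            else:
                by_direct.setdefault(d, set()).add(banned_ga)
    out = notes + ["<dependencyManagement>", "  <dependencies>"]
    for d in sorted(by_direct, key=lambda n: n.ga):
        out += ["    <dependency>",
                f"      <groupId>{d.group}</groupId>",
                f"      <artifactId>{d.artifact}</artifactId>",
                f"      <version>{d.version}</version>",
                "      <exclusions>"]
        for ga in sorted(by_direct[d]):
            g, a = ga.split(":", 1)
            out += ["        <exclusion>",
                    f"          <groupId>{g}</groupId>",
                    f"          <artifactId>{a}</artifactId>",
                    "        </exclusion>"]
        out += ["      </exclusions>", "    </dependency>"]
    out += ["  </dependencies>", "</dependencyManagement>"]
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: mvn dependency:tree | python ban_check.py log4j:log4j [more g:a ...]
    banned = sys.argv[1:] or ["log4j:log4j"]
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    hits = find_entry_points(text, banned)
    for ga in banned:
        if ga not in hits:
            print(f"<!-- {ga}: not present in this tree -->")
    print(exclusions_xml(hits))
```

Two caveats a practitioner should keep in mind. The default tree only shows the resolved paths; if the same artifact also arrives through a path that conflict mediation omitted, excluding the winning path can let the other one win, so re-run the tree after adding the exclusions (or run `mvn dependency:tree -Dverbose` to see omitted paths) until the artifact is gone. And exclusions only cover the dependencies present today; the `maven-enforcer-plugin` banned-dependencies rule mentioned in the comments is what turns a newly added dependency that reintroduces log4j into a build failure rather than a silent regression.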
