So I want to exclude one jar file from a third-party war dependency due to CVE issues. I tried a lot of ways, like overlay exclude, but it did not help. Basically, I just want Maven to remove that jar transitive dependency in the war file. Here is my current code:

    <dependencies>
        <dependency>
            <groupId>org.apache.solr</groupId>
            <artifactId>solr</artifactId>
            <version>4.10.3</version>
            <type>war</type>
        </dependency>
    </dependencies>


    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-war-plugin</artifactId>
                <version>3.2.2</version>
                <configuration>
                    <overlays>
                        <overlay>
                            <groupId>org.apache.solr</groupId>
                            <artifactId>solr</artifactId>
                            <excludes>
                                <exclude>WEB-INF/lib/commons-fileupload-1.2.1.jar</exclude>
                            </excludes>
                        </overlay>
                    </overlays>
                </configuration>
            </plugin>
        </plugins>
    </build>

But when I check the solr war file, the commons-fileupload-1.2.1.jar is still there. I am kind of lost now.

  • Hey ShubhWIP! Thanks for the help. I checked that page, it is about excluding a dependency for a plugin, right? I guess my problem is that I cannot modify the third-party war dependency. I want to exclude its transitive dependency from it. Any ideas on it would be realllllly helpful:) – CauchyNoConverge Feb 21 '21 at 05:18
  • Also just want to clarify... I guess I am not trying to build a war file. I just want to exclude the jar from the imported war dependency:) – CauchyNoConverge Feb 21 '21 at 05:27
  • Can this help? https://stackoverflow.com/questions/1031695/how-to-exclude-jars-generated-by-maven-war-plugin – SRJ Feb 21 '21 at 05:50
  • You should probably exclude the dependency instead of the file itself, or quoting the docs in https://maven.apache.org/guides/introduction/introduction-to-optional-and-excludes-dependencies.html `<dependency><groupId>sample.ProjectB</groupId><artifactId>Project-B</artifactId><version>1.0-SNAPSHOT</version><exclusions><exclusion><groupId>sample.ProjectE</groupId><artifactId>Project-E</artifactId></exclusion></exclusions></dependency>` – Ale Zalazar Feb 21 '21 at 05:55
  • Simple answer to this: it is not possible. The exclusions etc. will not work because an exclusion will work on the dependencies but not on the packaged result (war file). The question which is coming up: Why do you want to remove a jar from a packaged jar? If either recreate the war where you exclude the jar file... – khmarbaise Feb 21 '21 at 09:27
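
An added example, not from the original thread: since dependency exclusions do not act on an already packaged WAR (as the last comment notes), this Python script recreates the archive without the flagged jar and checks that it is gone. The function names, the glob pattern and the sample WAR contents are constructed for illustration.

```python
import fnmatch
import io
import zipfile


def list_entries(war_bytes, pattern):
    """Names of archive entries matching a glob such as WEB-INF/lib/foo-*.jar."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return [n for n in war.namelist() if fnmatch.fnmatchcase(n, pattern)]


def strip_entries(war_bytes, pattern):
    """Recreate the WAR without entries matching pattern.

    Returns (new_war_bytes, removed_names). Each kept entry is copied with
    its original ZipInfo, so name, timestamp and compression are preserved.
    """
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if fnmatch.fnmatchcase(info.filename, pattern):
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info))
    return out.getvalue(), removed


def build_sample_war():
    """Constructed stand-in for the third-party WAR (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/commons-fileupload-1.2.1.jar", b"placeholder")
        war.writestr("WEB-INF/lib/other-lib.jar", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    pattern = "WEB-INF/lib/commons-fileupload-*.jar"
    cleaned, removed = strip_entries(build_sample_war(), pattern)
    print("removed:", removed)
    # Fail closed: stop if the flagged jar is still present after repacking.
    assert list_entries(cleaned, pattern) == []
    print("remaining:", list_entries(cleaned, "*"))
```

The repacked archive is a new artifact, so it has to be installed or deployed under coordinates you control for the build to resolve it instead of the upstream WAR.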
