1

I have read:

And the conclusion that I have is that there is no way to exclude a particular dependency that is inherited from a parent pom. I'm using maven and the parent pom isn't editable.

So, I thought about excluding the jar itself, of the dependency, right before it got packaged into the target jar.

My parent pom is `sdk-java-starter-parent` that comes from an internal library.

```xml
<parent>
    <groupId>abc.def.xyz</groupId>
    <artifactId>sdk-java-starter-parent</artifactId>
    <version>6.1.0.4</version>
</parent>
```

That pom declares the log4-1.2.7 dependency, which I would like to exclude and not import into my project at all.

```xml
<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.17</version>
</dependency>
```

If I would import the parent pom directly from spring's group, I could use spring-boot-maven-plugin in order to exclude it there. But because I'm importing the parent pom from an internal library, there is no use or possibility to use that plugin.

I thought about using maven-shader plugin and other re-packing plugins in order to 'shade' the jar right before it gets packed:

```xml
<excludes>
    <exclude>log4j-1.2.17.jar</exclude> <!-- also tried **/log4j-1.2.17.jar -->
</excludes>
```

but it did not work either. I have tried with `<dependencyManagement>` and it doesn't fit because I don't want to override the version; I just want to remove the whole dependency, to entirely exclude it or remove its jar.

I'm clueless to be honest. I'll be glad to hear some ideas on how you would suggest I do it, if it's possible at all.

What are my other options if it's not possible? How can I avoid receiving that log4j jar?

The final app is a docker container consisting of JARs.

The plugins that are being used are:

  • maven-jar-plugin
  • maven-surefire-plugin
  • docker-maven-plugin
  • swagger-maven-plugin

I'm not sure which one of these is responsible for building the app and for the jar packaging.

Thanks.

NoobCoder
  • Does this answer your question? [How to exclude the parent pom dependency inside inherited child dependency for Maven?](https://stackoverflow.com/questions/51476017/how-to-exclude-the-parent-pom-dependency-inside-inherited-child-dependency-for-m) – pringi Feb 02 '22 at 12:28
  • @pringi unfortunately no. As I said, I have tried with `<dependencyManagement>` and it doesn't fit because I don't want to override the version, I just want to remove the whole dependency, to entirely exclude it or remove its jar. – NoobCoder Feb 02 '22 at 12:32
  • Maybe, if you already tried everything, why don't you change the scope of log4j to provided? That way it will not be included in the final jar. From what you have written I'm almost sure that you have analysed the dependencies that are bringing the log4j dependency into your child module and excluded it explicitly from those. If not, can you try that path also? As reference consult if needed: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Transitive_Dependencies – pringi Feb 02 '22 at 14:11
  • @pringi you are right. I did exclude log4j from all the other dependencies that bring log4j. The one that is left is the parent pom. I just did what you have suggested: I've added the `` of log4j to my pom file, specified the version `1.2.17` that is brought from the parent pom, and also added a scope which is defined as provided. It didn't work either. I extract the final target jar of the project, go into `BOOT-INF\lib\` and still see the `log4j-1.2.17.jar` – NoobCoder Feb 02 '22 at 14:17
  • I've done some tests, and achieved the same conclusion as you. It is not possible to exclude a dependency from parent pom. There is a trick explained here that if you can follow will solve your problem: https://www.generacodice.com/en/articolo/822480/is-there-anyway-to-exclude-artifacts-inherited-from-a-parent-pom. Not sure if you can change your parent pom to another one, and import the current parent pom as dependency. If you can, the trick will solve the problem. – pringi Feb 02 '22 at 14:42
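
The manual check described in the comments above (extract the final jar and look in `BOOT-INF\lib\`) can be automated as a build gate. This is an added example, not code from the question or its answer; it goes a step beyond the filename check by also looking inside each nested jar for the log4j 1.x `Logger` class, and its function names and sample jar contents are constructed for illustration.

```python
import io
import re
import zipfile

# log4j 1.x ships as log4j-1.x.y.jar; log4j 2.x uses log4j-core / log4j-api.
LOG4J1_NAME = re.compile(r"(^|/)log4j-1\.\d+(\.\d+)*\.jar$")
# Bridges such as log4j-over-slf4j also ship this class, so review class hits.
LOG4J1_CLASS = "org/apache/log4j/Logger.class"


def find_log4j1(fat_jar, lib_prefix="BOOT-INF/lib/"):
    """Return sorted (entry, reason) pairs for log4j 1.x jars bundled in fat_jar."""
    hits = []
    with zipfile.ZipFile(fat_jar) as outer:
        for name in outer.namelist():
            if not (name.startswith(lib_prefix) and name.endswith(".jar")):
                continue
            if LOG4J1_NAME.search(name):
                hits.append((name, "filename"))
                continue
            # Nested jars are stored whole: open in memory to catch renamed copies.
            with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                if LOG4J1_CLASS in inner.namelist():
                    hits.append((name, "contains " + LOG4J1_CLASS))
    return sorted(hits)


def make_jar(entries):
    """Build a jar (zip) in memory from {name: bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_fat_jar():
    """Constructed Spring Boot style jar: log4j 1.x, a renamed copy, two clean jars."""
    return io.BytesIO(make_jar({
        "BOOT-INF/lib/log4j-1.2.17.jar": make_jar({LOG4J1_CLASS: b""}),
        "BOOT-INF/lib/logging-legacy.jar": make_jar({LOG4J1_CLASS: b""}),
        "BOOT-INF/lib/slf4j-api-1.7.36.jar": make_jar({"org/slf4j/Logger.class": b""}),
        "BOOT-INF/lib/log4j-core-2.17.1.jar": make_jar({"org/apache/logging/log4j/core/Logger.class": b""}),
    }))


if __name__ == "__main__":
    for entry, reason in find_log4j1(build_sample_fat_jar()):
        print(entry, "->", reason)
```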

1 Answer

0

I think you need to write the exclude as `<exclude>*:log4j</exclude>`

J Fabian Meier
  • exclude where? because as I said there is no available plugin for me to shade this – NoobCoder Feb 02 '22 at 13:38
  • Sorry, I thought you were using the maven shade plugin to shade the resulting JAR. What do you really use to build your application? Is it a WAR build with maven war plugin? Or something else? – J Fabian Meier Feb 02 '22 at 13:40
  • So actually I'm also trying to figure that out. I'm actually not quite sure which tool is used to build the app and the jar. I can list the plugins that are being used: maven-jar-plugin | maven-surefire-plugin | docker-maven-plugin | swagger-maven-plugin | .... I thought the `maven-jar-plugin` is responsible for the build and packaging, that's why I have added the said `` in between its `` tags. But it did not work. Maybe because my syntax was incorrect or because `maven-jar-plugin` isn't the one who's in charge of building the app. – NoobCoder Feb 02 '22 at 13:48
  • So what is the final app? Is it a docker container consisting of JARs? – J Fabian Meier Feb 02 '22 at 14:18
  • Yes, it's a docker container. – NoobCoder Feb 02 '22 at 14:21
  • Then the docker-maven-plugin may be the place to look. – J Fabian Meier Feb 02 '22 at 18:24