I am using 4 plugins in my Spring Boot service (Maven compiler plugin, surefire plugin, spring-boot-maven-plugin and Maven deploy plugin), but I am not able to locate some transitive dependencies like plexus, plexus-archive, commons-compress etc., due to which I am getting a build failure, as these dependencies are blocked by my company due to vulnerabilities. Is there a way to find and override these dependencies on these plugins? mvn dependency tree and mvn resolve plugin aren't helping to find any of these dependencies.
asked Feb 17 at 13:25 by Jatin Bhola

Comment: You should post your pom.xml along with your build output. – Jonathan S. Fisher, Feb 17 at 17:08
1 Answer
To view your project's dependency tree from the command line, use the
Command:
mvn dependency:tree
For multi-module projects.
Command:
mvn compile dependency:tree
You can exclude transitive dependencies in your pom.xml using the <exclusions> tag within the dependency declaration.
Example:
<dependency>
    <groupId>group-id-of-the-dependency-you-want-to-exclude-from</groupId>
    <artifactId>artifact-id-of-the-dependency-you-want-to-exclude-from</artifactId>
    <version>version-of-the-dependency-you-want-to-exclude-from</version>
    <exclusions>
        <exclusion>
            <groupId>group-id-of-the-transitive-dependency-to-exclude</groupId>
            <artifactId>artifact-id-of-the-transitive-dependency-to-exclude</artifactId>
        </exclusion>
    </exclusions>
</dependency>
Consequences of exclusion:
If your application actually relies on the functionality provided by the excluded transitive dependency, you'll get ClassNotFoundException, NoSuchMethodError, or similar errors at runtime. This is the most common and problematic consequence.
Optimal Solution:
Upgrading to the latest version of your dependencies should be your first course of action. It's the safest and often the most effective way to manage transitive dependencies. Excluding dependencies should be considered only after you've explored upgrading and understand the potential consequences.
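The question is about artifacts on the plugins' own classpaths, which mvn dependency:tree does not list because it reports only the project's dependencies. As an added example (not part of the answer above), this pom.xml fragment pins a plugin's transitive dependency by declaring it inside the <plugin> element; the approved.commons-compress.version property and the assumption that commons-compress reaches the build through spring-boot-maven-plugin are placeholders to adapt.

```xml
<!-- Added example: pom.xml fragment, not from the original post. -->
<properties>
  <!-- Placeholder: set this to the version your company's repository allows. -->
  <approved.commons-compress.version>REPLACE_ME</approved.commons-compress.version>
</properties>

<build>
  <plugins>
    <plugin>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-maven-plugin</artifactId>
      <!-- Dependencies declared here go on the plugin's classpath,
           not the application's. A version given here replaces the one
           the plugin would otherwise resolve transitively. -->
      <dependencies>
        <dependency>
          <!-- Assumption: this is the blocked artifact and this plugin
               is the one that pulls it in. Repeat the block under each
               plugin whose classpath contains a blocked artifact. -->
          <groupId>org.apache.commons</groupId>
          <artifactId>commons-compress</artifactId>
          <version>${approved.commons-compress.version}</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

To see which plugin brings in a blocked artifact, run the build with mvn -X: the debug output lists the artifacts included in each plugin's class realm.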