I have a local Nexus server in my home lab. I configured it to mirror Maven Central and Atlassian's public Maven repository as well. These are my settings in ~/.m2/settings.xml:
<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 https://maven.apache.org/xsd/settings-1.2.0.xsd">
  <mirrors>
    <!-- every request for "central" goes to the Nexus proxy, never to Maven Central directly -->
    <mirror>
      <id>centralMirror</id>
      <mirrorOf>central</mirrorOf>
      <url>http://nexus.home.arpa:8081/repository/maven-central/</url>
    </mirror>
    <!-- same for the repository with id "atlassian" declared in the profile below -->
    <mirror>
      <id>atlassianMirror</id>
      <mirrorOf>atlassian</mirrorOf>
      <url>http://nexus.home.arpa:8081/repository/atlassian/</url>
    </mirror>
  </mirrors>
  <profiles>
    <profile>
      <id>nexus</id>
      <repositories>
        <repository>
          <id>atlassian</id>
          <url>http://nexus.home.arpa:8081/repository/atlassian/</url>
          <releases>
            <enabled>true</enabled>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </repository>
      </repositories>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>nexus</activeProfile>
  </activeProfiles>
</settings>
I then created a sample project. This is the pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.mycompany.app</groupId>
  <artifactId>deleted-artifacts-app</artifactId>
  <packaging>jar</packaging>
  <version>1.0-SNAPSHOT</version>
  <name>deleted-artifacts-app</name>
  <url>http://maven.apache.org</url>
  <dependencies>
    <dependency>
      <groupId>com.atlassian.bamboo</groupId>
      <artifactId>atlassian-bamboo-api</artifactId>
      <version>9.2.8</version>
      <scope>provided</scope>
      <!-- exclusion has no version: it applies to every version of the artifact in this subtree -->
      <exclusions>
        <exclusion>
          <groupId>com.atlassian.platform</groupId>
          <artifactId>third-party</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
Notice that my project has a single dependency, from which I exclude any version of com.atlassian.platform:third-party. However, when I restore dependencies and look at the dependency tree:
$ mvn -U dependency:tree -Dverbose=true > mvn_dependency_tree_log.txt
I see that Maven is still downloading multiple versions of com.atlassian.platform:third-party even though it has been explicitly excluded. See my filtered logs:
$ cat mvn_dependency_tree_log.txt | grep "com/atlassian/platform/third-party"
Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.19/third-party-6.0.19.pom
Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.19/third-party-6.0.19.pom (11 kB at 8.4 kB/s)
Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.13/third-party-6.0.13.pom
Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.13/third-party-6.0.13.pom (11 kB at 7.5 kB/s)
Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/3.1.7/third-party-3.1.7.pom
Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/3.1.7/third-party-3.1.7.pom (9.0 kB at 5.9 kB/s)
Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.0-m04/third-party-6.0.0-m04.pom
Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.0-m04/third-party-6.0.0-m04.pom (11 kB at 8.2 kB/s)
Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.0-m08/third-party-6.0.0-m08.pom
Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.0-m08/third-party-6.0.0-m08.pom (11 kB at 8.3 kB/s)
Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/5.0.0-m1/third-party-5.0.0-m1.pom
Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/5.0.0-m1/third-party-5.0.0-m1.pom (11 kB at 8.4 kB/s)
Downloading from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.29/third-party-6.0.29.pom
Downloaded from atlassianMirror: http://nexus.home.arpa:8081/repository/atlassian/com/atlassian/platform/third-party/6.0.29/third-party-6.0.29.pom (11 kB at 8.0 kB/s)
It's also important to notice that even though com.atlassian.platform:third-party is being downloaded, it is not displayed at all as part of the dependency tree, possibly because it is just a POM without any JARs: https://maven.artifacts.atlassian.com/com/atlassian/platform/third-party/6.0.29/.
I then configured my Nexus server to block access to com.atlassian.platform:third-party:6.0.29, because it has CVEs reported against its dependencies: https://mvnrepository.com/artifact/com.atlassian.platform/third-party/6.0.29. I did so by applying a rule to a Nexus “routing table” that will make it deny any request to any subpath under com/atlassian/platform/third-party/6.0.29/. It looks like this:
Then, if I try to restore dependencies, I get the following error:
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.449 s
[INFO] Finished at: 2025-02-23T21:53:48+11:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project deleted-artifacts-app: Could not collect dependencies for project com.mycompany.app:deleted-artifacts-app:jar:1.0-SNAPSHOT
[ERROR] Failed to read artifact descriptor for com.atlassian.soy:soy-template-renderer-plugin-api:jar:6.0.7
[ERROR] Caused by: The following artifacts could not be resolved: com.atlassian.platform:third-party:pom:6.0.29 (absent): Could not transfer artifact com.atlassian.platform:third-party:pom:6.0.29 from/to atlassianMirror (http://nexus.home.arpa:8081/repository/atlassian/): status code: 403, reason phrase: Routing rules block the requested item from this repository (403)
[ERROR]
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
So, the question here is: Why does Maven insist on downloading com.atlassian.platform:third-party even when it is excluded?
In the corporate environment where I work, similar policies are applied. Public repositories like Maven Central or Atlassian's can never be accessed directly, only as mirrors. Dependencies with vulnerabilities are either blocked or removed from them after routine security scans. The behaviour I have reproduced, above, makes it impossible for me to override the version of a dependency by excluding it with the <exclusion> tag and later introducing a different version through <dependencyManagement>. I can see that Maven insists on downloading the dependencies that the repository will block before even applying the restrictions.
1 Answer
Usually you approach this problem as follows:
You only block the download of the artifacts (JAR, WAR, ...) themselves, not the download of the corresponding POM files.
POM files are no harm, they just contain dependency information in XML format. I also sometimes get annoyed because Maven downloads a million POM files, but this is just meta information that Maven uses to calculate dependencies.
-Dverbose=true? – Slawomir Jaranowski Commented Feb 23 at 12:44
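The error in the question gives the mechanism away: Maven failed while "reading the artifact descriptor" of com.atlassian.soy:soy-template-renderer-plugin-api, and the missing piece was third-party:pom:6.0.29. Building a dependency's effective POM (resolving its parent and any import-scoped BOMs in its dependencyManagement) happens before that dependency's own dependency list is walked, and the <exclusion> tag only prunes nodes from that walk. An artifact that is only ever referenced as a BOM therefore never becomes a tree node, which is why it is invisible in dependency:tree, yet its POM must still be fetched, which is why a repository-side 403 on it breaks every consumer of the BOM. The toy resolver below is an added example, not Maven's code and not from the original post; the in-memory repository, the com.example coordinates and the guava-ish artifact are constructed stand-ins, and it assumes the real soy POM pulls third-party in as an import-scoped BOM (the page shows only that third-party ships a POM and no JAR; a parent reference takes the same path).

```python
"""Toy model of Maven dependency collection (added example, not Maven's code).

Shows that an artifact referenced as an import-scoped BOM has its POM fetched while
its consumer's descriptor is being read, before <exclusion> is ever consulted, and
that blocking that POM on the repository fails the build exactly like the 403 in
the question. All POMs below are constructed; coordinates are hypothetical.
"""
import xml.etree.ElementTree as ET

# Constructed in-memory repository keyed by "groupId:artifactId:version".
REPO = {
    # root project: depends on api and excludes third-party for the whole subtree
    "com.example:app:1.0": """<project><dependencies><dependency>
        <groupId>com.example</groupId><artifactId>api</artifactId><version>9.2.8</version>
        <exclusions><exclusion><groupId>com.example.platform</groupId>
        <artifactId>third-party</artifactId></exclusion></exclusions>
      </dependency></dependencies></project>""",
    # api -> soy (stand-in for atlassian-bamboo-api -> soy-template-renderer-plugin-api)
    "com.example:api:9.2.8": """<project><dependencies><dependency>
        <groupId>com.example</groupId><artifactId>soy</artifactId><version>6.0.7</version>
      </dependency></dependencies></project>""",
    # soy imports the third-party BOM and relies on it for a managed version
    "com.example:soy:6.0.7": """<project>
      <dependencyManagement><dependencies><dependency>
        <groupId>com.example.platform</groupId><artifactId>third-party</artifactId>
        <version>6.0.29</version><type>pom</type><scope>import</scope>
      </dependency></dependencies></dependencyManagement>
      <dependencies><dependency>
        <groupId>com.example</groupId><artifactId>guava-ish</artifactId>
      </dependency></dependencies></project>""",
    # the BOM: packaging pom, no JAR, only manages versions
    "com.example.platform:third-party:6.0.29": """<project><packaging>pom</packaging>
      <dependencyManagement><dependencies><dependency>
        <groupId>com.example</groupId><artifactId>guava-ish</artifactId><version>30.1</version>
      </dependency></dependencies></dependencyManagement></project>""",
    "com.example:guava-ish:30.1": "<project/>",
}


class Blocked(Exception):
    """Stands in for Nexus answering 403 'Routing rules block the requested item'."""


def fetch_pom(coord, fetched, blocked):
    if coord in blocked:
        raise Blocked(f"403 routing rule blocks {coord}.pom")
    fetched.append(coord)
    return ET.fromstring(REPO[coord].strip())


def ga(dep):
    return f"{dep.findtext('groupId')}:{dep.findtext('artifactId')}"


def managed_versions(pom, fetched, blocked):
    """Effective dependencyManagement of a POM. Import-scoped entries are BOMs whose
    POM is fetched and merged here, as part of reading the descriptor; the caller's
    exclusion set is deliberately not available at this stage, mirroring Maven."""
    managed = {}
    for dep in pom.findall("dependencyManagement/dependencies/dependency"):
        if dep.findtext("scope") == "import":
            bom = fetch_pom(f"{ga(dep)}:{dep.findtext('version')}", fetched, blocked)
            managed.update(managed_versions(bom, fetched, blocked))
        else:
            managed[ga(dep)] = dep.findtext("version")
    return managed


def collect(coord, excludes, fetched, blocked, tree):
    pom = fetch_pom(coord, fetched, blocked)
    managed = managed_versions(pom, fetched, blocked)   # may fetch BOMs, may raise
    for dep in pom.findall("dependencies/dependency"):
        key = ga(dep)
        if key in excludes:            # exclusion prunes graph nodes, nothing else
            continue
        child = f"{key}:{dep.findtext('version') or managed[key]}"
        tree.append(child)
        child_excl = excludes | {ga(e) for e in dep.findall("exclusions/exclusion")}
        collect(child, child_excl, fetched, blocked, tree)   # exclusions inherit downwards


def resolve(root, blocked=frozenset()):
    """Return (POMs fetched in order, resolved tree nodes) for a root coordinate."""
    fetched, tree = [], []
    collect(root, frozenset(), fetched, blocked, tree)
    return fetched, tree


if __name__ == "__main__":
    fetched, tree = resolve("com.example:app:1.0")
    print("descriptors fetched:", fetched)   # includes the BOM, even though excluded
    print("dependency tree    :", tree)      # BOM is absent: it was never a node
    try:
        resolve("com.example:app:1.0", blocked={"com.example.platform:third-party:6.0.29"})
    except Blocked as err:                   # same failure as the question's 403
        print("blocked build      :", err)
```

The practical consequence for a corporate mirror: a routing rule on the BOM's path does not keep the vulnerable code out, it only breaks every build whose transitive POMs import that BOM. The code that actually matters is in the JARs the BOM manages (in the model, guava-ish), so a block on those artifact paths fails only the builds that would have shipped them, and can then be fixed locally with <dependencyManagement> in the consuming project, which wins over any imported BOM.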