Description
I've been testing rules regarding log4j and have found that bannedDependencies behaves differently between versions 3.0.0 and 3.1.0.
My relevant section, where I'm purposely creating a failure case by banning log4j2 versions less than "3" as well as any log4j 1.x:
NOTE: the following configuration is using version 3.0.0 of maven-enforcer-plugin
<plugin>
  <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>3.0.0</version>
  <executions>
    <execution>
      <id>enforce-versions</id>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <fail>true</fail>
        <rules>
          <bannedPlugins>
            <!-- will only display a warning but does not fail the build. -->
            <level>WARN</level>
            <excludes>
              <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
            </excludes>
            <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
          </bannedPlugins>
          <bannedDependencies>
            <searchTransitive>true</searchTransitive>
            <excludes>
              <!-- Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html - Ban Log4j less than "3" -->
              <exclude>org.apache.logging.log4j:*:(,3)</exclude>
              <exclude>log4j:log4j</exclude>
            </excludes>
          </bannedDependencies>
          <requireMavenVersion>
            <version>3.8.2</version>
          </requireMavenVersion>
          <requireJavaVersion>
            <version>1.8.0-202</version>
          </requireJavaVersion>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>
This results in a positive failure:
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (enforce-versions) @ xxx-xxxxx-xxx ---
[WARNING] Rule 1: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
Found Banned Dependency: org.apache.logging.log4j:log4j-core:jar:2.19.0
Found Banned Dependency: org.apache.logging.log4j:log4j-jul:jar:2.19.0
Found Banned Dependency: org.apache.logging.log4j:log4j-api:jar:2.19.0
Found Banned Dependency: log4j:log4j:jar:1.2.17
Found Banned Dependency: org.apache.logging.log4j:log4j-slf4j-impl:jar:2.19.0
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.516 s
[INFO] Finished at: 2022-09-30T15:06:57-07:00
[INFO] ------------------------------------------------------------------------
However, after only changing the version of maven-enforcer-plugin from 3.0.0 to 3.1.0, the rule does not fail:
<plugin>
  <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>3.1.0</version>
  <executions>
    <execution>
      <id>enforce-versions</id>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <fail>true</fail>
        <rules>
          <bannedPlugins>
            <!-- will only display a warning but does not fail the build. -->
            <level>WARN</level>
            <excludes>
              <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
            </excludes>
            <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
          </bannedPlugins>
          <bannedDependencies>
            <searchTransitive>true</searchTransitive>
            <excludes>
              <!-- Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html - Ban Log4j less than "3" -->
              <exclude>org.apache.logging.log4j:*:(,3)</exclude>
              <exclude>log4j:log4j</exclude>
            </excludes>
          </bannedDependencies>
          <requireMavenVersion>
            <version>3.8.2</version>
          </requireMavenVersion>
          <requireJavaVersion>
            <version>1.8.0-202</version>
          </requireJavaVersion>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>
[INFO] --- maven-enforcer-plugin:3.1.0:enforce (enforce-versions) @ xxx-xxxxx-xxx ---
[INFO]
... and the build continues
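As an added example that is not the enforcer plugin's own code, the following is a simplified stand-alone re-implementation of the bannedDependencies exclude matching described above, run over constructed `mvn dependency:tree` lines, so that the hits expected for `org.apache.logging.log4j:*:(,3)` and `log4j:log4j` can be checked independently of which plugin version the build uses. It assumes the documented pattern form groupId[:artifactId[:version-or-range]] with `*` wildcards, and it does not model Maven version qualifiers such as `-beta1`.

```python
import fnmatch
import re
# Constructed sample in `mvn dependency:tree` format (groupId:artifactId:type:version:scope); not the reporter's output.
TREE_OUTPUT = """\
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.19.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.19.0:compile
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:3.0.1:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.3:compile
"""
BANNED = ["org.apache.logging.log4j:*:(,3)", "log4j:log4j"]  # the <exclude> patterns above
_RANGE = re.compile(r"^([\[(])([^,]*),([^\])]*)([\])])$")

def version_key(v):
    """Numeric-only key; trailing zeros dropped so '3' == '3.0.0'. Qualifiers such as
    '-beta1' are not modelled (a simplification of Maven's version ordering)."""
    parts = [int(p) for p in re.split(r"[.-]", v) if p.isdigit()]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def in_range(version, spec):
    """Evaluate a Maven range such as '(,3)' or '[2.0,2.17.1]'; a bare version means exact match."""
    m = _RANGE.match(spec)
    if not m:
        return version_key(version) == version_key(spec)
    lo_br, lo, hi, hi_br = m.groups()
    k = version_key(version)
    if lo and (k < version_key(lo) or (lo_br == "(" and k == version_key(lo))):
        return False
    if hi and (k > version_key(hi) or (hi_br == ")" and k == version_key(hi))):
        return False
    return True

def is_banned(group, artifact, version, pattern):
    """Match one <exclude> pattern groupId[:artifactId[:version-or-range]]; '*' is a wildcard."""
    fields = pattern.split(":")
    pg, pa = fields[0], fields[1] if len(fields) > 1 else "*"
    pv = fields[2] if len(fields) > 2 else "*"
    if not (fnmatch.fnmatchcase(group, pg) and fnmatch.fnmatchcase(artifact, pa)):
        return False
    return pv == "*" or in_range(version, pv)

def find_banned(tree_output, patterns):
    """Return 'group:artifact:type:version' for each tree line hit by a banned pattern."""
    found = []
    for line in tree_output.splitlines():
        m = re.search(r"([\w.\-]+):([\w.\-]+):(\w+):([\w.\-]+):(\w+)\s*$", line)
        if m and any(is_banned(*m.group(1, 2, 4), p) for p in patterns):
            found.append(":".join(m.group(1, 2, 3, 4)))
    return found
```

Running `find_banned(TREE_OUTPUT, BANNED)` on the constructed tree reports the two 2.19.0 artifacts and log4j 1.2.17 but not log4j-core 3.0.1 or slf4j, which is the set the 3.0.0 run above flags.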
Attachments
Issue Links
- is related to: MENFORCER-435 Get rid of maven-dependency-tree dependency (Closed)