Uploaded image for project: 'Maven Enforcer Plugin'
  1. Maven Enforcer Plugin
  2. MENFORCER-434

Version 3.1.0 is not enforcing bannedDependencies rules

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 3.1.0
    • 3.2.0, 3.2.1
    • None
    • None

    Description

      I've been testing rules regarding log4j and have found that the bannedDependencies behave differently between version 3.0.0 and 3.1.0

      My relevant section where I'm purposely creating a failure case by banning log4j2 versions less than "3", as well as any log4j 1.x

      NOTE: the following configuration is using version 3.0.0 of maven-enforcer-plugin

            <plugin>
              <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
              <groupId>org.apache.maven.plugins</groupId>
              <artifactId>maven-enforcer-plugin</artifactId>
              <version>3.0.0</version>
              <executions>
                <execution>
                  <id>enforce-versions</id>
                  <goals>
                    <goal>enforce</goal>
                  </goals>
                  <configuration>
                    <fail>true</fail>
                    <rules>
                      <bannedPlugins>
                        <!-- will only display a warning but does not fail the build. -->
                        <level>WARN</level>
                        <excludes>
                          <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
                        </excludes>
                        <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
                      </bannedPlugins>
                      <bannedDependencies>
                        <searchTransitive>true</searchTransitive>
                        <excludes>
                          <!--
                             Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html
                                   - Ban Log4j less than "3"
                          -->
                          <exclude>org.apache.logging.log4j:*:(,3)</exclude>
                          <exclude>log4j:log4j</exclude>
                        </excludes>
                      </bannedDependencies>
                      <requireMavenVersion>
                        <version>3.8.2</version>
                      </requireMavenVersion>
                      <requireJavaVersion>
                        <version>1.8.0-202</version>
                      </requireJavaVersion>
                    </rules>
                  </configuration>
                </execution>
              </executions>
            </plugin>
      

      This results in a positive failure:

      [INFO] --- maven-enforcer-plugin:3.0.0:enforce (enforce-versions) @ xxx-xxxxx-xxx ---
      [WARNING] Rule 1: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
      Found Banned Dependency: org.apache.logging.log4j:log4j-core:jar:2.19.0
      Found Banned Dependency: org.apache.logging.log4j:log4j-jul:jar:2.19.0
      Found Banned Dependency: org.apache.logging.log4j:log4j-api:jar:2.19.0
      Found Banned Dependency: log4j:log4j:jar:1.2.17
      Found Banned Dependency: org.apache.logging.log4j:log4j-slf4j-impl:jar:2.19.0
      Use 'mvn dependency:tree' to locate the source of the banned dependencies.
      [INFO] ------------------------------------------------------------------------
      [INFO] BUILD FAILURE
      [INFO] ------------------------------------------------------------------------
      [INFO] Total time:  0.516 s
      [INFO] Finished at: 2022-09-30T15:06:57-07:00
      [INFO] ------------------------------------------------------------------------

      However, only changing the version of maven-enforcer-plugin from 3.0.0 to 3.1.0, the rule does not fail:

            <plugin>
              <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-enforcer-plugin -->
              <groupId>org.apache.maven.plugins</groupId>
              <artifactId>maven-enforcer-plugin</artifactId>
              <version>3.1.0</version>
              <executions>
                <execution>
                  <id>enforce-versions</id>
                  <goals>
                    <goal>enforce</goal>
                  </goals>
                  <configuration>
                    <fail>true</fail>
                    <rules>
                      <bannedPlugins>
                        <!-- will only display a warning but does not fail the build. -->
                        <level>WARN</level>
                        <excludes>
                          <exclude>org.apache.maven.plugins:maven-verifier-plugin</exclude>
                        </excludes>
                        <message>Please consider using the maven-invoker-plugin (http://maven.apache.org/plugins/maven-invoker-plugin/)!</message>
                      </bannedPlugins>
                      <bannedDependencies>
                        <searchTransitive>true</searchTransitive>
                        <excludes>
                          <!--
                             Log4j - Refer to https://logging.apache.org/log4j/2.x/security.html
                                   - Ban Log4j less than "3"
                          -->
                          <exclude>org.apache.logging.log4j:*:(,3)</exclude>
                          <exclude>log4j:log4j</exclude>
                        </excludes>
                      </bannedDependencies>
                      <requireMavenVersion>
                        <version>3.8.2</version>
                      </requireMavenVersion>
                      <requireJavaVersion>
                        <version>1.8.0-202</version>
                      </requireJavaVersion>
                    </rules>
                  </configuration>
                </execution>
              </executions>
            </plugin>
      

       

      [INFO] --- maven-enforcer-plugin:3.1.0:enforce (enforce-versions) @ xxx-xxxxx-xxx ---
      [INFO] 

      ... and the build continues

      Attachments

        1. pom-not-enforced.xml
          3 kB
          Chris
        2. pom-enforced.xml
          3 kB
          Chris

        Issue Links

          Activity

            People

              sjaranowski Slawomir Jaranowski
              ctorrens Chris
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: