Menu
Is there a way e.g. a Maven plug in that can take a list of unwanted/black listed dependencies (direct and transitive) and fails the build if it detects one of listed dependencies?
In my project we strictly want to get rid of Apache Commons Logging and replace it with the SLF4J JCL Bridge. I am aware that we have to exclude the unwanted deps ourselfs but I would like to have the build failed if someone adds a dependency that brings in blacklisted dependency.
940
This rule checks the dependencies and fails if any of the matching excludes are found. The following parameters are supported by this rule: searchTransitive - if transitive dependencies should be checked. Default is true.
Multiple transitive dependencies can be excluded by using the <exclusion> tag for each of the dependency you want to exclude and placing all these exclusion tags inside the <exclusions> tag in pom. xml. You will need to mention the group id and artifact id of the dependency you wish to exclude in the exclusion tag.
For example, a certain older jar may have security issues or be incompatible with the Java version you're using. To address this, Maven allows you to exclude specific dependencies. Exclusions are set on a specific dependency in your POM, and are targeted at a specific groupId and artifactId.
The Enforcer plugin provides goals to control certain environmental constraints such as Maven version, JDK version and OS family along with many more built-in rules and user created rules.
You can ban some dependencies using the maven-enforcer-plugin.
Here is their example with updates for your exclusion of Apache Commons Logging.
<project>
[...]
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>1.1.1</version>
<executions>
<execution>
<id>enforce-banned-dependencies</id>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<rules>
<bannedDependencies>
<excludes>
<exclude>commons-logging:commons-logging</exclude>
</excludes>
</bannedDependencies>
</rules>
<fail>true</fail>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
[...]
</project>
The output when running mvn install will be:
[WARNING] Rule 1: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
Found Banned Dependency: commons-logging:commons-logging:jar:1.1.1
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
It all ends with a BUILD FAILURE.
171
Yes, the enforcer plugin supports this with its bannedDependencies rule.
20
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
