
[MDEP-891] Used undeclared dependencies found for class which is used by an indirect class

Open • jira-importer opened this issue 2 years ago • 3 comments

Karl Heinz Marbaise opened MDEP-891 and commented

Based on an example described on StackOverflow, with the example project https://github.com/DmitryTen/SO-mvn-question which can be used as a reproducer (I attached that example to the issue).

The failure starts happening with Maven Dependency Plugin:3.6.0:

[INFO] --- dependency:3.6.0:analyze-only (analyze-dependencies) @ test ---
[ERROR] Used undeclared dependencies found:
[ERROR]    org.springframework:spring-web:jar:5.3.5:compile
[INFO] -----------------------------------------------------------------

If we change the version of the plugin to 3.5.0:

[INFO] --- dependency:3.5.0:analyze-only (analyze-dependencies) @ test ---
[INFO] No dependency problems found
[INFO] Copying org.example:test:pom:1.0-SNAPSHOT to project local repository
[INFO] Copying org.example:test:jar:1.0-SNAPSHOT to project local repository
[INFO] Copying org.example:test:pom:consumer:1.0-SNAPSHOT to project local repository
[INFO] ----------------------------------------------------------------------------------

After a bit more digging into it, it looks like the upgrade to maven-dependency-analyzer:1.3.2 in release 3.6.0 of the maven-dependency-plugin (https://issues.apache.org/jira/projects/MDEP/versions/12352921) caused that issue. If I use an older version of maven-dependency-plugin, for example 3.5.0, and upgrade maven-dependency-analyzer there to 1.3.1, it will fail with the same output. The version maven-dependency-analyzer:1.3.0 will work fine.

I have taken a look into the code of the classes:

The class StandaloneVaultConfig, which is created in the example project, uses AppRoleAuthentication, which is part of org.springframework.vault:spring-vault-core. The usage of classes from org.springframework:spring-web:jar:5.3.5:compile happens in the class AppRoleAuthentication.


Affects: 3.6.0, 3.6.1

Attachments:

Issue Links:

  • MDEP-871 3.6.0 reporting Used undeclared dependency that is only used indirectly

3 votes, 5 watchers

jira-importer, Oct 30 '23 18:10

Elliotte Rusty Harold commented

Based on the description this seems likely to be a bug in the analyzer, not the dependency-plugin. Can we move the issue there?

jira-importer, Oct 13 '24 12:10

Elliotte Rusty Harold commented

Manual bisecting suggests this was introduced in maven-dependency-analyzer 1.13.1 and is still present in 1.15.0

jira-importer, Oct 19 '24 11:10

Elliotte Rusty Harold commented

https://github.com/apache/maven-dependency-analyzer/pull/82/files looks like the most likely culprit. Other changes in the release notes are just dependency upgrades and utility method replacements.

jira-importer, Oct 19 '24 11:10