Require upper bound dependencies error for `org.ow2.asm:asm:9.5`
While trying to upgrade workflow-job to the 5.0 release in https://github.com/jenkinsci/workflow-job-plugin/pull/471, I am getting this bizarre Enforcer error:
Require upper bound dependencies error for org.ow2.asm:asm:9.5 paths to dependency are:
+-org.jenkins-ci.plugins.workflow:workflow-job:999999-SNAPSHOT
+-org.jenkins-ci.plugins.workflow:workflow-api:1322.v857eeeea_9902
+-org.jenkins-ci.plugins:scm-api:690.vfc8b_54395023 (managed) <-- org.jenkins-ci.plugins:scm-api:683.vb_16722fb_b_80b_
+-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8 (managed) <-- io.jenkins.plugins:asm-api:9.6-3.v2e1fa_b_338cd7
+-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7
and
+-org.jenkins-ci.plugins.workflow:workflow-job:999999-SNAPSHOT
+-org.jenkins-ci.plugins.workflow:workflow-api:1322.v857eeeea_9902
+-org.jenkins-ci.plugins:scm-api:690.vfc8b_54395023 (managed) <-- org.jenkins-ci.plugins:scm-api:683.vb_16722fb_b_80b_
+-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8 (managed) <-- io.jenkins.plugins:asm-api:9.6-3.v2e1fa_b_338cd7
+-org.ow2.asm:asm-commons:9.7
+-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7
and
+-org.jenkins-ci.plugins.workflow:workflow-job:999999-SNAPSHOT
+-org.jenkins-ci.plugins.workflow:workflow-api:1322.v857eeeea_9902
+-org.jenkins-ci.plugins:scm-api:690.vfc8b_54395023 (managed) <-- org.jenkins-ci.plugins:scm-api:683.vb_16722fb_b_80b_
+-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8 (managed) <-- io.jenkins.plugins:asm-api:9.6-3.v2e1fa_b_338cd7
+-org.ow2.asm:asm-tree:9.7
+-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7
and
+-org.jenkins-ci.plugins.workflow:workflow-job:999999-SNAPSHOT
+-org.jenkins-ci.plugins.workflow:workflow-api:1322.v857eeeea_9902
+-org.jenkins-ci.plugins:scm-api:690.vfc8b_54395023 (managed) <-- org.jenkins-ci.plugins:scm-api:683.vb_16722fb_b_80b_
+-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8 (managed) <-- io.jenkins.plugins:asm-api:9.6-3.v2e1fa_b_338cd7
+-org.ow2.asm:asm-util:9.7
+-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7
I cannot figure out where ASM 9.5 is coming from in the above dependency tree. Does anyone have any idea what is going on here?
A more minimal reproducible example (MRE) can be seen in scm-api with
diff --git a/pom.xml b/pom.xml
index e957746..f0eff46 100644
--- a/pom.xml
+++ b/pom.xml
@@ -29,7 +29,7 @@
<parent>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>plugin</artifactId>
- <version>4.88</version>
+ <version>5.0</version>
<relativePath/>
</parent>
@@ -56,7 +56,7 @@
<properties>
<changelist>999999-SNAPSHOT</changelist>
- <jenkins.version>2.426.3</jenkins.version>
+ <jenkins.version>2.479</jenkins.version>
<gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
<no-test-jar>false</no-test-jar>
<hpi.compatibleSinceVersion>2.0.0</hpi.compatibleSinceVersion>
@@ -79,8 +79,8 @@
<dependencies>
<dependency>
<groupId>io.jenkins.tools.bom</groupId>
- <artifactId>bom-2.426.x</artifactId>
- <version>2839.v003b_4d9d24fd</version>
+ <artifactId>bom-2.452.x</artifactId>
+ <version>3413.v0d896b_76a_30d</version>
<scope>import</scope>
<type>pom</type>
</dependency>
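Review bot: the BOM artifact in this hunk, bom-2.452.x, does not line up with the jenkins.version of 2.479 set in the previous hunk, so managed plugin versions are drawn from a BOM line older than the core baseline the build compiles against. If that pairing is intentional for the reproducer, say so in a comment next to the import; otherwise switch to a BOM line that matches the baseline once one is available.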
which produces
Require upper bound dependencies error for org.ow2.asm:asm:9.5 paths to dependency are:
+-org.jenkins-ci.plugins:scm-api:999999-SNAPSHOT
+-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8
+-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7
and
+-org.jenkins-ci.plugins:scm-api:999999-SNAPSHOT
+-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8
+-org.ow2.asm:asm-commons:9.7
+-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7
and
+-org.jenkins-ci.plugins:scm-api:999999-SNAPSHOT
+-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8
+-org.ow2.asm:asm-tree:9.7
+-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7
and
+-org.jenkins-ci.plugins:scm-api:999999-SNAPSHOT
+-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8
+-org.ow2.asm:asm-util:9.7
+-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7
The relevant portion of `mvn dependency:tree -Dverbose`:
[INFO] org.jenkins-ci.plugins:scm-api:hpi:999999-SNAPSHOT
[INFO] +- io.jenkins.plugins:asm-api:jar:9.7-33.v4d23ef79fcc8:compile
[INFO] | +- org.ow2.asm:asm:jar:9.5:compile (version managed from 9.7)
[INFO] | +- org.ow2.asm:asm-analysis:jar:9.7:compile
[INFO] | | \- (org.ow2.asm:asm-tree:jar:9.7:compile - omitted for duplicate)
[INFO] | +- org.ow2.asm:asm-commons:jar:9.7:compile
[INFO] | | +- (org.ow2.asm:asm:jar:9.5:compile - version managed from 9.7; omitted for duplicate)
[INFO] | | \- (org.ow2.asm:asm-tree:jar:9.7:compile - omitted for duplicate)
[INFO] | +- org.ow2.asm:asm-tree:jar:9.7:compile
[INFO] | | \- (org.ow2.asm:asm:jar:9.5:compile - version managed from 9.7; omitted for duplicate)
[INFO] | \- org.ow2.asm:asm-util:jar:9.7:compile
[INFO] | +- (org.ow2.asm:asm:jar:9.5:compile - version managed from 9.7; omitted for duplicate)
[INFO] | +- (org.ow2.asm:asm-tree:jar:9.7:compile - omitted for duplicate)
[INFO] | \- (org.ow2.asm:asm-analysis:jar:9.7:compile - omitted for duplicate)
For the life of me I cannot understand where 9.5 is coming from. When I run the same `mvn dependency:tree -Dverbose` command in that repository, at the same tag (9.7-33.v4d23ef79fcc8), everything looks right:
[INFO] io.jenkins.plugins:asm-api:hpi:9.7-999999-SNAPSHOT
[INFO] +- org.ow2.asm:asm:jar:9.7:compile
[INFO] +- org.ow2.asm:asm-analysis:jar:9.7:compile
[INFO] | \- (org.ow2.asm:asm-tree:jar:9.7:compile - version managed from 9.7; omitted for duplicate)
[INFO] +- org.ow2.asm:asm-commons:jar:9.7:compile
[INFO] | +- (org.ow2.asm:asm:jar:9.7:compile - version managed from 9.7; omitted for duplicate)
[INFO] | \- (org.ow2.asm:asm-tree:jar:9.7:compile - version managed from 9.7; omitted for duplicate)
[INFO] +- org.ow2.asm:asm-tree:jar:9.7:compile
[INFO] | \- (org.ow2.asm:asm:jar:9.7:compile - version managed from 9.7; omitted for duplicate)
[INFO] +- org.ow2.asm:asm-util:jar:9.7:compile
[INFO] | +- (org.ow2.asm:asm:jar:9.7:compile - version managed from 9.7; omitted for duplicate)
[INFO] | +- (org.ow2.asm:asm-tree:jar:9.7:compile - version managed from 9.7; omitted for duplicate)
[INFO] | \- (org.ow2.asm:asm-analysis:jar:9.7:compile - version managed from 9.7; omitted for duplicate)
So why is the version set to 9.5 when this plugin is consumed in e.g. scm-api?
After reading https://stackoverflow.com/questions/38245795/detect-versions-origin-of-a-managed-maven-dependency I ran `mvn help:effective-pom -Dverbose`, which revealed the answer:
<dependency>
<groupId>org.ow2.asm</groupId> <!-- com.google.inject:guice-parent:6.0.0, line 170 -->
<artifactId>asm</artifactId> <!-- com.google.inject:guice-parent:6.0.0, line 171 -->
<version>9.5</version> <!-- com.google.inject:guice-parent:6.0.0, line 172 -->
</dependency>
which is coming from core. This looks like yet another case of #705.
For the life of me, I can't figure out how to get Jenkins core to stop delivering a managed dependency on ASM 9.5. I tried this in core:
diff --git a/bom/pom.xml b/bom/pom.xml
index a8c184ead7..070b5d7afd 100644
--- a/bom/pom.xml
+++ b/bom/pom.xml
@@ -51,6 +51,12 @@ THE SOFTWARE.
<version>6.0.0</version>
<type>pom</type>
<scope>import</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>org.ow2.asm</groupId>
+ <artifactId>asm</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
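Review bot: the `<exclusions>` block is attached to a dependency with `<type>pom</type>` and `<scope>import</scope>`, and the effective-pom output reported right after this patch still shows `org.ow2.asm:asm` managed at 9.5 from guice-parent, so the exclusion is not filtering the imported managed entries. Drop it rather than leave configuration that reads like a fix, or state in the commit message which Maven version is expected to honor it.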
diff --git a/core/pom.xml b/core/pom.xml
index 9bff5e5ad0..422c42cec6 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -109,6 +109,10 @@ THE SOFTWARE.
<groupId>aopalliance</groupId>
<artifactId>aopalliance</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>org.ow2.asm</groupId>
+ <artifactId>asm</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
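Review bot: the new `<exclusion>` next to the existing aopalliance one prunes `org.ow2.asm:asm` from this dependency's transitive graph in core, but it does not remove any dependencyManagement entry, and the 9.5 pin reported in this thread is a managed version. If the exclusion is kept for core's own classpath, add a comment saying that is its purpose so it is not mistaken for the fix to the managed version seen by plugins.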
But ASM 9.5 still shows up in `mvn help:effective-pom -Dverbose`:
<dependency>
<groupId>org.ow2.asm</groupId> <!-- com.google.inject:guice-parent:6.0.0, line 170 -->
<artifactId>asm</artifactId> <!-- com.google.inject:guice-parent:6.0.0, line 171 -->
<version>9.5</version> <!-- com.google.inject:guice-parent:6.0.0, line 172 -->
</dependency>
Not sure what to do at this point.
I managed to get things to work in scm-api by moving guice-bom from bom/pom.xml to core/pom.xml in core:
diff --git a/bom/pom.xml b/bom/pom.xml
index a8c184ead7..d9a7cb81b0 100644
--- a/bom/pom.xml
+++ b/bom/pom.xml
@@ -45,13 +45,6 @@ THE SOFTWARE.
<dependencyManagement>
<dependencies>
- <dependency>
- <groupId>com.google.inject</groupId>
- <artifactId>guice-bom</artifactId>
- <version>6.0.0</version>
- <type>pom</type>
- <scope>import</scope>
- </dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-bom</artifactId>
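Review bot: removing the guice-bom import from `bom/pom.xml` takes away every version that import managed for consumers of this BOM, not only the ASM pin. Check consumers that declare Guice artifacts without a version (the thread names com.google.inject.extensions:guice-assistedinject in artifact-manager-s3-plugin) and record the change in the changelog.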
diff --git a/core/pom.xml b/core/pom.xml
index 9bff5e5ad0..cded39da00 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -48,6 +48,13 @@ THE SOFTWARE.
<dependencyManagement>
<dependencies>
+ <dependency>
+ <groupId>com.google.inject</groupId>
+ <artifactId>guice-bom</artifactId>
+ <version>6.0.0</version>
+ <type>pom</type>
+ <scope>import</scope>
+ </dependency>
<dependency>
<groupId>org.jenkins-ci.main</groupId>
<artifactId>jenkins-bom</artifactId>
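Review bot: the guice-bom import is added ahead of the jenkins-bom import in `core/pom.xml` with no comment explaining why it lives here instead of `bom/pom.xml`. Maven resolves overlapping managed entries in favor of the import declared first, so this placement lets guice-bom take precedence over jenkins-bom inside core; add a comment giving the reason for the location and confirm the ordering is intended.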
though this may have negative consequences for things like artifact-manager-s3-plugin that use com.google.inject.extensions:guice-assistedinject.
https://github.com/jenkinsci/workflow-job-plugin/pull/471/commits/554c7967a9aa1b77acae2b2fb177441cbec21898 demonstrates that https://github.com/jenkinsci/jenkins/pull/9826 chases away the problem in workflow-job, but I am not satisfied with that solution because the problem is still visible in artifact-manager-s3-plugin.
https://github.com/jenkinsci/workflow-job-plugin/pull/471/commits/1df4ccc demonstrates that https://github.com/jenkinsci/jenkins/pull/9827 chases away the problem in workflow-job. At this time, I believe this is my most promising lead, as it is a strict improvement over the status quo, which cannot make the problem any worse, but makes the problem better in some cases. It is still not a full solution, and I cannot think of a full solution at this time.
I intend to deliver https://github.com/jenkinsci/jenkins/pull/9827 in 2.479.1.
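The two diagnostic steps used in this thread can be chained: the `dependency:tree -Dverbose` output shows which artifact was managed to a lower version than requested, and the `help:effective-pom -Dverbose` comments name the POM that pinned it. The script below is an added example, not part of the original thread or of any Jenkins project code; the sample inputs are constructed from the output quoted above, and the version comparison is a simplifying assumption that looks only at the leading dotted-numeric part.

```python
import re

# Constructed samples modelled on the two `-Dverbose` outputs quoted in this thread.
TREE = """\
[INFO] org.jenkins-ci.plugins:scm-api:hpi:999999-SNAPSHOT
[INFO] +- io.jenkins.plugins:asm-api:jar:9.7-33.v4d23ef79fcc8:compile
[INFO] |  +- org.ow2.asm:asm:jar:9.5:compile (version managed from 9.7)
[INFO] |  \\- org.ow2.asm:asm-commons:jar:9.7:compile
[INFO] |     +- (org.ow2.asm:asm:jar:9.5:compile - version managed from 9.7; omitted for duplicate)
[INFO] |     \\- (org.ow2.asm:asm-tree:jar:9.7:compile - version managed from 9.7; omitted for duplicate)
"""
EFFECTIVE_POM = """\
<dependency>
  <groupId>org.ow2.asm</groupId> <!-- com.google.inject:guice-parent:6.0.0, line 170 -->
  <artifactId>asm</artifactId> <!-- com.google.inject:guice-parent:6.0.0, line 171 -->
  <version>9.5</version> <!-- com.google.inject:guice-parent:6.0.0, line 172 -->
</dependency>
"""
# group:artifact:type[:classifier]:version:scope followed by "version managed from X"
MANAGED = re.compile(r"[+\\]- \(?([\w.-]+):([\w.-]+):[\w-]+:(?:[\w.-]+:)?([^:\s]+):\w+ "
                     r"(?:\(|- )version managed from ([^;)\s]+)")

def version_key(version):
    # Naive ordering on the leading dotted-numeric prefix: "9.7-33.v4d..." -> (9, 7)
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def managed_downgrades(tree_text):
    """Map (groupId, artifactId) -> (resolved, requested) where management lowered the version."""
    return {(g, a): (res, req) for g, a, res, req in MANAGED.findall(tree_text)
            if version_key(res) < version_key(req)}

def managed_origin(effective_pom, group_id, artifact_id):
    """Return (version, declaring POM) from the -Dverbose comment on <version>, else None."""
    for block in re.findall(r"<dependency>(.*?)</dependency>", effective_pom, re.S):
        if (f"<groupId>{group_id}</groupId>" in block
                and f"<artifactId>{artifact_id}</artifactId>" in block):
            m = re.search(r"<version>([^<]+)</version>\s*<!--\s*(.*?),\s*line \d+", block)
            if m:
                return m.group(1), m.group(2)
    return None

def report(tree_text, effective_pom):
    """Join both outputs: what was lowered, and which POM's management lowered it."""
    return [(f"{g}:{a}", req, res, (managed_origin(effective_pom, g, a) or (None, None))[1])
            for (g, a), (res, req) in sorted(managed_downgrades(tree_text).items())]

if __name__ == "__main__":
    for ga, req, res, origin in report(TREE, EFFECTIVE_POM):
        print(f"{ga}: requested {req}, managed to {res} by {origin}")
```

Entries where the managed version equals the requested one (asm-tree at 9.7 in the sample) are not reported, so only genuine downgrades surface.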