Howdy,

Are we talking about POM or the JAR here?

Thanks
T

On Wed, Feb 19, 2025 at 10:20 PM Tomo Suzuki <suzt...@google.com.invalid> wrote:
>
> Try running Maven with the “-X” option to get debug logs. It prints dependency graphs. You may find the problematic dependency in an unexpected place in the graphs.
>
> Regards,
> Tomo
>
>
> On Wed, Feb 19, 2025 at 16:10 Gabriel Correa de Oliveira <gabriel...@outlook.com> wrote:
>
> > Hi, All,
> >
> > I am working in a corporate environment that uses Artifactory and Nexus as artifact repositories.
> > Access to Maven Central and any other public repositories is blocked in the corporate network. Public repositories can only be accessed through Artifactory or Nexus as a proxy/cache.
> >
> > JFrog Xray and Sonatype Nexus IQ are being used to scan all artifacts that are published to these repositories or pulled from the public ones for security vulnerabilities. The company is particularly sensitive to dependencies with publicly reported CVEs. Once a dependency is identified with a CVE, it is hard-deleted from the corresponding repository.
> >
> > As a result, I can see Maven builds failing because dependencies that are OK often have dependencies on other artifacts that have CVEs reported against them and, thus, were deleted from the repositories.
> >
> > I want to use <exclusions> in my pom.xml files and replace the versions of these transitive dependencies by others slightly newer or older that do not have CVEs reported against them and, thus, are still in the internal repositories.
> >
> > However, Maven seems to still attempt to download these transitive dependencies from the repositories before applying the exclusions I configured in the pom.xml. If this is the way it behaves, my builds will keep failing.
> >
> > Can anyone here confirm if this is the expected behaviour for Maven? Is it really going to download all transitive dependencies in accordance with the original relationships before applying the exclusions I have configured in the pom.xml? If so, is there any way I can tell Maven not to attempt to download versions that I have already excluded in the pom.xml?
> >
> > I already searched through documentation, but I could not find this level of detail anywhere.
> >
> > Thank you.
> >

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org
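As an added illustration of the two pom.xml mechanisms discussed in this thread (this is example configuration written for this page, not from any participant or from the Maven project), the fragment below pins a transitive dependency to a version that is still present in the internal proxy via <dependencyManagement>, and separately shows the <exclusions> plus direct-dependency pattern. All coordinates (com.example, org.example.lib:vulnerable-lib, org.example:some-framework) and version numbers are hypothetical placeholders.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>        <!-- placeholder coordinates -->
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>

  <!-- Pattern 1: a managed version overrides whatever version a transitive
       dependency declares, so the resolved graph carries the pinned version.
       Pick a version that is still present in Artifactory/Nexus. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.example.lib</groupId>        <!-- hypothetical -->
        <artifactId>vulnerable-lib</artifactId>
        <version>2.3.5</version>                  <!-- CVE-free, still proxied -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.example</groupId>              <!-- hypothetical -->
      <artifactId>some-framework</artifactId>
      <version>1.4.0</version>
      <!-- Pattern 2: cut the transitive edge entirely, then declare the
           replacement version as a direct dependency below. Either pattern
           alone is enough; both are shown here for comparison. -->
      <exclusions>
        <exclusion>
          <groupId>org.example.lib</groupId>
          <artifactId>vulnerable-lib</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Replacement declared directly; the version comes from
         dependencyManagement above. -->
    <dependency>
      <groupId>org.example.lib</groupId>
      <artifactId>vulnerable-lib</artifactId>
    </dependency>
  </dependencies>
</project>
```

To check which version actually ends up in the graph (and that the hard-deleted one no longer appears anywhere in it), run `mvn dependency:tree -Dincludes=org.example.lib` against the project; the `-X` debug output Tomo mentions shows the same resolution in far more detail, including which repository each POM was requested from.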