
Exclude httpclient dependency from plugin in pom.xml

We are using Spring Boot version 2.4.4 and Maven for dependency management.

We are using Twistlock for container security purposes, and we are able to see the vulnerabilities listed for "httpclient".

Generally, we will exclude and update to the latest version of the dependencies if any issues are faced in the dependencies mentioned in the tag in pom.xml.

  1. We are able to see a dependency "org.apache.httpcomponents.httpclient-4.5.13" getting loaded from the artifactory URL "custom artifactory/plugin/release/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.15.pom" from the CICD build URL.

Moreover, this "httpclient" is not listed in the "Dependency Hierarchy" of the POM.xml file in the STS IDE either.

  2. We are using the following plugins in our POM.xml file:

maven-resources-plugin, spring-boot-maven-plugin, jacoco-maven-plugin, maven-surefire-plugin.

We suspect that this "httpclient" may be loaded from any of the plugins listed above because of the URL "plugin/release...".

We tried to look at the pom.xml and "Dependency Hierarchy" of the above plugins for the "httpclient" dependency, but no luck.

  • Is there any way to find from which plugin this "httpclient" is getting loaded?
  • Is there any way to exclude the "httpclient" alone from the plugin management section of the POM.xml?

Could someone share some input here?

You can add the plugin below to pom.xml to list dependencies from other plugins. Once added, the dependency tree will now show what you are looking for.

<build>
    <plugins>
        <plugin>
            <artifactId>maven-dependency-plugin</artifactId>
            <configuration>
                <source>1.8</source>
                <target>1.8</target>
            </configuration>
        </plugin>
    </plugins>
</build>

Once added:

mvn dependency:tree -Dverbose -Dincludes=org.apache.httpcomponents:httpclient
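
Added example, not part of the original question or answer: build plugins resolve their own classpath separately from the project's dependencies, and the maven-dependency-plugin's `dependency:resolve-plugins` goal prints it. The shell function below attributes an artifact such as the scanner-flagged httpclient to the plugin that resolves it. It assumes coordinate-style console output in which plugin header lines contain ":maven-plugin:"; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Reads the console output of `mvn dependency:resolve-plugins` on stdin and
# prints every build plugin whose resolved classpath contains the requested
# group:artifact, so a scanner finding can be traced to a plugin.
#
# Assumption: a plugin header line contains ":maven-plugin:" and the
# coordinate lines that follow it are that plugin's dependencies.
find_plugin_for() {
    awk -v want="$1" '
        {
            line = $0
            sub(/^\[INFO\][ \t]*/, "", line)   # drop the Maven log prefix
        }
        line ~ /:maven-plugin:/ { plugin = line; next }
        # Require group:artifact followed by ":" so that a sibling such as
        # httpclient-cache does not count as a hit for httpclient.
        plugin != "" && index(line, want ":") == 1 {
            print plugin " -> " line
        }
    '
}

# Constructed sample output; plugin names and versions are made up.
sample_output() {
    cat <<'EOF'
[INFO] The following plugins have been resolved:
[INFO]    com.example:first-maven-plugin:maven-plugin:1.0.0:runtime
[INFO]       com.example:first-maven-plugin:jar:1.0.0
[INFO]       org.apache.httpcomponents:httpclient-cache:jar:4.5.13
[INFO]    com.example:second-maven-plugin:maven-plugin:2.0.0:runtime
[INFO]       com.example:second-maven-plugin:jar:2.0.0
[INFO]       org.apache.httpcomponents:httpclient:jar:4.5.13
EOF
}

# Real use, from the project directory:
#   mvn dependency:resolve-plugins | find_plugin_for org.apache.httpcomponents:httpclient
```

Once the plugin is known, the finding can be triaged as build-time tooling or as something that ships in the container image.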
