Exclude httpclient dependency from plugin in pom.xml

Question

Using Spring Boot 2.4.4 Version and Maven for dependency management.

We are using Twistlock for container security purposes and we could able to see the vulnerabilities listed for the "httpclient".

Generally, We will exclude and update the latest version of dependencies if any issues faced in the dependencies mentioned in the tag in pom.xml

1. We could able to see a dependency "org.apache.httpcomponents.httpclient-4.5.13" getting loaded from artifactory URL "custom artifactory/plugin/release/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.15.pom" from the CICD build URL.

Moreover, this "httpclient" is not listed in the "Dependency Hierarchy" of the POM.xml file in STS IDE too.

2. We are using the following plugins in our POM.xml file

maven-resources-plugin, spring-boot-maven-plugin, jacoco-maven-plugin, maven-surefire-plugin.

We suspect that this "httpclient" may be loaded from any of the plugins listed above because of the URL "plugin/release..."

We tried to look at the pom.xml and "Dependency Hierarchy" of the above plugin for the "httpclient" dependency but no luck.

• Is there any way to find, from which plugin this "httpclient" is getting loaded?
• Is there any way to exclude the "httpclient" alone from the plugin management section of the POM.xml?

Could someone share some input here?

Answer 1

You can add below plugin to pom.xml to list dependencies from other plugins. Once added, the dependency tree now will show what you are looking for.

<build>
    <plugins>
        <plugin>
            <artifactId>maven-dependency-plugin</artifactId>
            <configuration>
                <source>1.8</source>
                <target>1.8</target>
            </configuration>
        </plugin>
    </plugins>
</build>

Once added..

mvn dependency:tree -Dverbose -Dincludes=org.apache.httpcomponents:httpclient