Dependency convergence and the Maven enforcer plugin

|

Another great plugin for security and application stability is the Maven Enforcer plugin. You don't want to end up in JAR hell :)

You can use the Enforcer plugin for the following tasks.

Dependency convergence

Requires that dependency version numbers converge. If a project has two dependencies, A and B, both depending on the same artifact, C, this rule will fail the build if A depends on a different version of C then the version of C depended on by B.

Read more about dependency convergence in Tim Steffen's blog post. For me, adding specific versions to the pom.xmls dependencyManagement section works best, I favor active management over exclusion.

Ban circular dependencies

Checks the dependencies and fails if the groupId:artifactId combination exists in the list of direct or transitive dependencies.

I haven't really come across any occurence of this, however it is nice to have.

Ban duplicate classes

Checks the dependencies and fails if any class is present in more than one dependency.

For example two classes could be identical after the package of one class has been renamed. You should not blindly ignore duplicate classes. You should try to

  • exclude classes by excluding dependencies
  • update a library (if possible)
  • look for alternative splitted dependencies

If you add something make sure the ignored classes are binary identical!

Enforce bytecode version

Checks the dependencies transitively and fails if any class of any dependency is having its bytecode version higher than the one specified.

Example

Here's a draft for your pom.xml. You might want to add this to a dedicated build profile so it will not slow down your regular build.

<?xml version="1.0" encoding="UTF-8"?>
<plugin>
   <groupId>org.apache.maven.plugins</groupId>
   <artifactId>maven-enforcer-plugin</artifactId>
   <configuration>
      <rules>
         <!--
            Requires that dependency version numbers converge.
            If a project has two dependencies, A and B, both depending on the same artifact, C,
            this rule will fail the build if A depends on a different version of C then the
            version of C depended on by B.
        -->
         <dependencyConvergence>
            <uniqueVersions>false</uniqueVersions>
         </dependencyConvergence>
      </rules>
   </configuration>
   <executions>
      <execution>
         <id>enforce</id>
         <goals>
            <goal>enforce</goal>
         </goals>
         <phase>validate</phase>
      </execution>
      <!--
        Checks the dependencies and fails if the groupId:artifactId combination exists in the
        list of direct or transitive dependencies.
    -->
      <execution>
         <id>enforce-ban-circular-dependencies</id>
         <goals>
            <goal>enforce</goal>
         </goals>
         <configuration>
            <rules>
               <banCircularDependencies />
            </rules>
            <fail>true</fail>
         </configuration>
      </execution>
      <!--
        Checks the dependencies and fails if any class is present in more than one
        dependency.
    -->
      <execution>
         <id>enforce-ban-duplicate-classes</id>
         <goals>
            <goal>enforce</goal>
         </goals>
         <configuration>
            <rules>
               <banDuplicateClasses>
                  <ignoreClasses>
                     <!--
                            Don't just add classes here! add them as a last resort.
                            Before doing so try to:
                                * exclude classes by excluding dependencies
                                * update a library (if possible)
                                * look for alternative splitted dependencies
                            If you add something make sure the ignored classes are binary
                            identical!
                         -->
                     <ignoreClass>org.apache.juli.*</ignoreClass>
                     <ignoreClass>org.apache.commons.*</ignoreClass>
                     <ignoreClass>org.aspectj.*</ignoreClass>
                  </ignoreClasses>
                  <findAllDuplicates>true</findAllDuplicates>
               </banDuplicateClasses>
            </rules>
            <fail>true</fail>
         </configuration>
      </execution>
      <!--
        checks the dependencies transitively and fails if any class of any dependency is having
        its bytecode version higher than the one specified.
    -->
      <execution>
         <id>enforce-bytecode-version</id>
         <goals>
            <goal>enforce</goal>
         </goals>
         <configuration>
            <rules>
               <enforceBytecodeVersion>
                  <ignoredScopes>
                     <scope>test</scope>
                  </ignoredScopes>
                  <maxJdkVersion>${java.version}</maxJdkVersion>
               </enforceBytecodeVersion>
            </rules>
            <fail>true</fail>
         </configuration>
      </execution>
   </executions>
   <dependencies>
      <dependency>
         <groupId>org.codehaus.mojo</groupId>
         <artifactId>extra-enforcer-rules</artifactId>
         <version>1.0-beta-3</version>
      </dependency>
   </dependencies>
</plugin>
blog comments powered by Disqus