Maven Dependency Conflict: org.w3c.dom.ElementTrav

2019-03-11 19:21发布

问题:

I have a Java codebase which is using Maven for both dependency resolution and running tests on CI. After a recent batch of development (big enough to make it hard to identify the breaking change), some of my tests now fail when run via Maven with a NoClassDefFoundError for org.w3c.dom.ElementTraversal. When run from within my IDE (IntelliJ IDEA), the same tests pass, so it is possible to arrange the classpath in such as way as to satisfy all dependencies.

I believe org.w3c.dom.ElementTraversal exists in xml-apis jar 1.4.01 (which is what I'm depending on - see dependency tree below - as is in my classpath when I run mvn dependency:build-classpath), so I don't see why it apparently doesn't exist. I've tried explicitly adding xml-apis 1.4.01 to my dependencyManagement section (in the parent pom, with a dependency in the child pom, and with all other transitive dependencies on xml-apis excluded) but I still have the same issue, so I'm starting to think I'm trying to fix the wrong problem.

Can anyone suggest what's wrong, or how I can debug this further?

Exception stack trace

You can see the full error I'm getting on Travis, but the snippet is:

org.springframework.beans.factory.BeanDefinitionStoreException: Unexpected exception parsing XML document from ServletContext resource [/WEB-INF/security-app-context.xml]; nested exception is java.lang.NoClassDefFoundError: org/w3c/dom/ElementTraversal
    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:412)
    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334)
    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302)
    at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:174)
    at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:209)
    at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:180)
    at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:125)
    at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:94)
    at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:131)
    at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:522)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:436)
    at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:384)
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:283)
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:111)
    at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:746)
    at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:238)
    at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1240)
    at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:689)
    at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:482)
    at org.mortbay.jetty.plugin.JettyWebAppContext.doStart(JettyWebAppContext.java:256)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
    at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:172)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
    at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
    at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
    at org.eclipse.jetty.server.Server.doStart(Server.java:279)
    at org.mortbay.jetty.plugin.JettyServer.doStart(JettyServer.java:65)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
    at org.mortbay.jetty.plugin.AbstractJettyMojo.startJetty(AbstractJettyMojo.java:520)
    at org.mortbay.jetty.plugin.AbstractJettyMojo.execute(AbstractJettyMojo.java:365)
    at org.mortbay.jetty.plugin.JettyRunWarExplodedMojo.execute(JettyRunWarExplodedMojo.java:164)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executojo(DefaultBuildPluginManager.java:101)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:209)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
    at org.apache.maven.lifecycle.internal.LifecycloduleBuilder.buildProject(LifecycloduleBuilder.java:84)
    at org.apache.maven.lifecycle.internal.LifecycloduleBuilder.buildProject(LifecycloduleBuilder.java:59)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.singleThreadedBuild(LifecycleStarter.java:183)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:161)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:320)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:156)
    at org.apache.maven.cli.MavenCli.execute(MavenCli.java:537)
    at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:196)
    at org.apache.maven.cli.MavenCli.main(MavenCli.java:141)
    at sun.reflect.NativethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativethodAccessorImpl.invoke(NativethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:290)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:230)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:409)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:352)
Caused by: java.lang.NoClassDefFoundError: org/w3c/dom/ElementTraversal
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:634)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:277)
    at java.net.URLClassLoader.access$000(URLClassLoader.java:73)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:212)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
    at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:421)
    at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:383)
    at org.apache.xerces.parsers.AbstractDOMParser.startDocument(Unknown Source)
    at org.apache.xerces.impl.xs.XMLSchemaValidator.startDocument(Unknown Source)
    at org.apache.xerces.impl.dtd.XMLDTDValidator.startDocument(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentScannerImpl.startEntity(Unknown Source)
    at org.apache.xerces.impl.XMLVersionDetector.startDocumentParsing(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at org.springframework.beans.factory.xml.DefaultDocumentLoader.loadDocument(DefaultDocumentLoader.java:75)
    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:388)
    ... 53 more
Caused by: java.lang.ClassNotFoundException: org.w3c.dom.ElementTraversal
    at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
    at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:421)
    at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:383)
    ... 75 more

mvn dependency:tree

The dependency tree for the failing module is below. You can see the full pom files on GitHub (parent, child) but I won't include them here to avoid going over the SO post size limit. You can see below that xml-apis is in a few places, but Maven is managing it to 1.4.01.

--- maven-dependency-plugin:2.1:tree (default-cli) @ xssfinder-test ---
org.xssfinder:xssfinder-test:war:1.0-SNAPSHOT
+- org.xssfinder:xssfinder-executor-java:jar:1.0-SNAPSHOT:compile
|  +- org.xssfinder:xssfinder-executor:jar:1.0-SNAPSHOT:compile
|  |  \- (org.apache.thrift:libthrift:jar:0.8.0:compile - omitted for duplicate)
|  +- org.xssfinder:xssfinder-annotations:jar:1.0-SNAPSHOT:compile
|  +- org.apache.thrift:libthrift:jar:0.8.0:compile
|  |  +- (org.slf4j:slf4j-api:jar:1.7.5:compile - version managed from 1.5.8; omitted for duplicate)
|  |  +- commons-lang:commons-lang:jar:2.5:compile
|  |  \- (org.apache.httpcomponents:httpcore:jar:4.2.2:test - version managed from 4.2.1; scope managed from compile; omitted for duplicate)
|  +- org.seleniumhq.selenium:selenium-java:jar:2.32.0:compile
|  |  +- org.seleniumhq.selenium:selenium-android-driver:jar:2.32.0:compile
|  |  |  \- org.seleniumhq.selenium:selenium-remote-driver:jar:2.32.0:compile
|  |  |     +- cglib:cglib-nodep:jar:2.1_3:compile
|  |  |     +- org.json:json:jar:20080701:compile
|  |  |     +- (org.seleniumhq.selenium:selenium-api:jar:2.32.0:compile - omitted for duplicate)
|  |  |     +- (org.apache.httpcomponents:httpclient:jar:4.2.1:compile - omitted for duplicate)
|  |  |     +- (com.google.guava:guava:jar:14.0:compile - version managed from 11.0.2; omitted for duplicate)
|  |  |     +- (org.apache.commons:commons-exec:jar:1.1:compile - omitted for duplicate)
|  |  |     +- (net.java.dev.jna:jna:jar:3.4.0:compile - omitted for duplicate)
|  |  |     \- (net.java.dev.jna:platform:jar:3.4.0:compile - omitted for duplicate)
|  |  +- org.seleniumhq.selenium:selenium-chrome-driver:jar:2.32.0:compile
|  |  |  \- (org.seleniumhq.selenium:selenium-remote-driver:jar:2.32.0:compile - omitted for duplicate)
|  |  +- org.seleniumhq.selenium:selenium-htmlunit-driver:jar:2.32.0:compile
|  |  |  +- org.seleniumhq.selenium:selenium-api:jar:2.32.0:compile
|  |  |  |  +- (com.google.guava:guava:jar:14.0:compile - omitted for duplicate)
|  |  |  |  \- (org.json:json:jar:20080701:compile - omitted for duplicate)
|  |  |  +- net.sourceforge.htmlunit:htmlunit:jar:2.12:compile
|  |  |  |  +- xalan:xalan:jar:2.7.1:compile
|  |  |  |  |  \- xalan:serializer:jar:2.7.1:compile
|  |  |  |  |     \- (xml-apis:xml-apis:jar:1.4.01:test - version managed from 1.3.04; scope managed from compile; omitted for duplicate)
|  |  |  |  +- commons-collections:commons-collections:jar:3.2.1:compile
|  |  |  |  +- org.apache.commons:commons-lang3:jar:3.1:compile
|  |  |  |  +- (org.apache.httpcomponents:httpclient:jar:4.2.3:compile - omitted for conflict with 4.2.1)
|  |  |  |  +- org.apache.httpcomponents:httpmime:jar:4.2.3:compile
|  |  |  |  |  \- (org.apache.httpcomponents:httpcore:jar:4.2.2:test - version managed from 4.2.1; scope managed from compile; omitted for duplicate)
|  |  |  |  +- commons-codec:commons-codec:jar:1.7:compile
|  |  |  |  +- net.sourceforge.htmlunit:htmlunit-core-js:jar:2.12:compile
|  |  |  |  +- xerces:xercesImpl:jar:2.10.0:compile
|  |  |  |  |  \- (xml-apis:xml-apis:jar:1.4.01:test - version managed from 1.0.b2; scope managed from compile; omitted for duplicate)
|  |  |  |  +- net.sourceforge.nekohtml:nekohtml:jar:1.9.18:compile
|  |  |  |  +- net.sourceforge.cssparser:cssparser:jar:0.9.9:compile
|  |  |  |  |  \- org.w3c.css:sac:jar:1.3:compile
|  |  |  |  +- (commons-io:commons-io:jar:2.4:compile - omitted for conflict with 2.2)
|  |  |  |  +- (commons-logging:commons-logging:jar:1.1.1:compile - omitted for duplicate)
|  |  |  |  \- org.eclipse.jetty:jetty-websocket:jar:8.1.9.v20130131:compile
|  |  |  |     +- (org.eclipse.jetty:jetty-util:jar:8.1.9.v20130131:compile - omitted for conflict with 7.6.10.v20130312)
|  |  |  |     +- (org.eclipse.jetty:jetty-io:jar:8.1.9.v20130131:compile - omitted for conflict with 7.6.10.v20130312)
|  |  |  |     \- (org.eclipse.jetty:jetty-http:jar:8.1.9.v20130131:compile - omitted for conflict with 7.6.10.v20130312)
|  |  |  \- org.apache.httpcomponents:httpclient:jar:4.2.1:compile
|  |  |     +- (org.apache.httpcomponents:httpcore:jar:4.2.2:test - version managed from 4.2.1; scope managed from compile; omitted for duplicate)
|  |  |     +- (commons-logging:commons-logging:jar:1.1.1:compile - omitted for duplicate)
|  |  |     \- (commons-codec:commons-codec:jar:1.6:compile - omitted for conflict with 1.7)
|  |  +- org.seleniumhq.selenium:selenium-firefox-driver:jar:2.32.0:compile
|  |  |  +- (org.seleniumhq.selenium:selenium-remote-driver:jar:2.32.0:compile - omitted for duplicate)
|  |  |  +- commons-io:commons-io:jar:2.2:compile
|  |  |  \- org.apache.commons:commons-exec:jar:1.1:compile
|  |  +- org.seleniumhq.selenium:selenium-ie-driver:jar:2.32.0:compile
|  |  |  +- net.java.dev.jna:jna:jar:3.4.0:compile
|  |  |  +- net.java.dev.jna:platform:jar:3.4.0:compile
|  |  |  \- (org.seleniumhq.selenium:selenium-remote-driver:jar:2.32.0:compile - omitted for duplicate)
|  |  +- org.seleniumhq.selenium:selenium-iphone-driver:jar:2.32.0:compile
|  |  |  \- (org.seleniumhq.selenium:selenium-remote-driver:jar:2.32.0:compile - omitted for duplicate)
|  |  +- org.seleniumhq.selenium:selenium-safari-driver:jar:2.32.0:compile
|  |  |  +- (org.seleniumhq.selenium:selenium-remote-driver:jar:2.32.0:compile - omitted for duplicate)
|  |  |  \- (org.webbitserver:webbit:jar:0.4.14:compile - omitted for duplicate)
|  |  +- org.seleniumhq.selenium:selenium-support:jar:2.32.0:compile
|  |  |  \- (org.seleniumhq.selenium:selenium-api:jar:2.32.0:compile - omitted for duplicate)
|  |  \- org.webbitserver:webbit:jar:0.4.14:compile
|  |     \- io.netty:netty:jar:3.5.2.Final:compile
|  +- org.reflections:reflections-maven:jar:0.9.8:compile
|  |  +- org.reflections:reflections:jar:0.9.8:compile
|  |  |  +- com.google.guava:guava:jar:14.0:compile
|  |  |  +- javassist:javassist:jar:3.12.1.GA:compile
|  |  |  \- dom4j:dom4j:jar:1.6.1:compile
|  |  |     \- xml-apis:xml-apis:jar:1.4.01:test
|  |  +- org.jfrog.maven.annomojo:maven-plugin-anno:jar:1.4.1:compile
|  |  \- org.jfrog.jade.plugins.common:jade-plugin-common:jar:1.3.8:compile
|  |     +- (org.jfrog.maven.annomojo:maven-plugin-anno:jar:1.3.0:compile - omitted for conflict with 1.4.1)
|  |     +- ant:ant:jar:1.6.5:compile
|  |     +- org.apache.maven:maven-plugin-api:jar:2.0.5:compile
|  |     +- org.apache.maven:maven-project:jar:2.0.5:compile
|  |     |  +- org.apache.maven:maven-settings:jar:2.0.5:compile
|  |     |  |  +- (org.apache.maven:maven-model:jar:2.0.5:compile - omitted for duplicate)
|  |     |  |  +- (org.codehaus.plexus:plexus-utils:jar:1.1:compile - omitted for duplicate)
|  |     |  |  \- (org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9:compile - omitted for duplicate)
|  |     |  +- org.apache.maven:maven-profile:jar:2.0.5:compile
|  |     |  |  +- (org.apache.maven:maven-model:jar:2.0.5:compile - omitted for duplicate)
|  |     |  |  +- (org.codehaus.plexus:plexus-utils:jar:1.1:compile - omitted for duplicate)
|  |     |  |  \- (org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9:compile - omitted for duplicate)
|  |     |  +- (org.apache.maven:maven-model:jar:2.0.5:compile - omitted for duplicate)
|  |     |  +- org.apache.maven:maven-artifact-manager:jar:2.0.5:compile
|  |     |  |  +- org.apache.maven:maven-repository-metadata:jar:2.0.5:compile
|  |     |  |  |  \- (org.codehaus.plexus:plexus-utils:jar:1.1:compile - omitted for duplicate)
|  |     |  |  +- (org.codehaus.plexus:plexus-utils:jar:1.1:compile - omitted for duplicate)
|  |     |  |  +- (org.apache.maven:maven-artifact:jar:2.0.5:compile - omitted for duplicate)
|  |     |  |  +- (org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9:compile - omitted for duplicate)
|  |     |  |  \- org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-2:compile
|  |     |  |     \- (org.codehaus.plexus:plexus-utils:jar:1.0.4:compile - omitted for conflict with 1.1)
|  |     |  +- (org.codehaus.plexus:plexus-utils:jar:1.1:compile - omitted for duplicate)
|  |     |  +- (org.apache.maven:maven-artifact:jar:2.0.5:compile - omitted for duplicate)
|  |     |  \- org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9:compile
|  |     |     +- (junit:junit:jar:4.11:test - version managed from 3.8.1; scope managed from compile; omitted for duplicate)
|  |     |     +- (org.codehaus.plexus:plexus-utils:jar:1.0.4:compile - omitted for conflict with 1.1)
|  |     |     \- classworlds:classworlds:jar:1.1-alpha-2:compile
|  |     +- org.apache.maven:maven-artifact:jar:2.0.5:compile
|  |     |  \- (org.codehaus.plexus:plexus-utils:jar:1.1:compile - omitted for duplicate)
|  |     +- org.apache.maven:maven-model:jar:2.0.5:compile
|  |     |  \- (org.codehaus.plexus:plexus-utils:jar:1.1:compile - omitted for duplicate)
|  |     +- org.codehaus.plexus:plexus-utils:jar:1.1:compile
|  |     +- xstream:xstream:jar:1.1.3:compile
|  |     \- xpp3:xpp3:jar:1.1.3.4-RC8:runtime
|  +- org.slf4j:slf4j-api:jar:1.7.5:compile
|  \- ch.qos.logback:logback-classic:jar:1.0.13:compile
|     +- ch.qos.logback:logback-core:jar:1.0.13:compile
|     \- (org.slf4j:slf4j-api:jar:1.7.5:compile - version managed from 1.5.8; omitted for duplicate)
+- org.springframework:spring-webmvc:jar:3.1.0.RELEASE:compile
|  +- org.springframework:spring-asm:jar:3.1.0.RELEASE:compile
|  +- org.springframework:spring-beans:jar:3.1.0.RELEASE:compile
|  |  \- (org.springframework:spring-core:jar:3.1.0.RELEASE:compile - omitted for duplicate)
|  +- org.springframework:spring-context:jar:3.1.0.RELEASE:compile
|  |  +- (org.springframework:spring-aop:jar:3.1.0.RELEASE:compile - omitted for conflict with 3.0.6.RELEASE)
|  |  +- (org.springframework:spring-beans:jar:3.1.0.RELEASE:compile - omitted for duplicate)
|  |  +- (org.springframework:spring-core:jar:3.1.0.RELEASE:compile - omitted for duplicate)
|  |  +- (org.springframework:spring-expression:jar:3.1.0.RELEASE:compile - omitted for duplicate)
|  |  \- (org.springframework:spring-asm:jar:3.1.0.RELEASE:compile - omitted for duplicate)
|  +- org.springframework:spring-context-support:jar:3.1.0.RELEASE:compile
|  |  +- (org.springframework:spring-beans:jar:3.1.0.RELEASE:compile - omitted for duplicate)
|  |  +- (org.springframework:spring-context:jar:3.1.0.RELEASE:compile - omitted for duplicate)
|  |  \- (org.springframework:spring-core:jar:3.1.0.RELEASE:compile - omitted for duplicate)
|  +- org.springframework:spring-core:jar:3.1.0.RELEASE:compile
|  |  +- (org.springframework:spring-asm:jar:3.1.0.RELEASE:compile - omitted for duplicate)
|  |  \- commons-logging:commons-logging:jar:1.1.1:compile
|  +- org.springframework:spring-expression:jar:3.1.0.RELEASE:compile
|  |  \- (org.springframework:spring-core:jar:3.1.0.RELEASE:compile - omitted for duplicate)
|  \- org.springframework:spring-web:jar:3.1.0.RELEASE:compile
|     +- (aopalliance:aopalliance:jar:1.0:compile - omitted for duplicate)
|     +- (org.springframework:spring-beans:jar:3.1.0.RELEASE:compile - omitted for duplicate)
|     +- (org.springframework:spring-context:jar:3.1.0.RELEASE:compile - omitted for duplicate)
|     \- (org.springframework:spring-core:jar:3.1.0.RELEASE:compile - omitted for duplicate)
+- org.springframework.security:spring-security-core:jar:3.1.0.RELEASE:compile
|  +- aopalliance:aopalliance:jar:1.0:compile
|  +- (org.springframework:spring-expression:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  +- org.springframework:spring-aop:jar:3.0.6.RELEASE:compile
|  |  +- (aopalliance:aopalliance:jar:1.0:compile - omitted for duplicate)
|  |  +- (org.springframework:spring-asm:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  |  +- (org.springframework:spring-beans:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  |  \- (org.springframework:spring-core:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  +- (org.springframework:spring-context:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  +- (org.springframework:spring-beans:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  +- (org.springframework:spring-core:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  \- org.springframework.security:spring-security-crypto:jar:3.1.0.RELEASE:compile
|     \- (org.springframework:spring-core:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
+- org.springframework.security:spring-security-config:jar:3.1.0.RELEASE:compile
|  +- (org.springframework:spring-context:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  +- (org.springframework:spring-beans:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  +- (aopalliance:aopalliance:jar:1.0:compile - omitted for duplicate)
|  +- (org.springframework:spring-aop:jar:3.0.6.RELEASE:compile - omitted for duplicate)
|  +- (org.springframework.security:spring-security-core:jar:3.1.0.RELEASE:compile - omitted for duplicate)
|  \- (org.springframework:spring-core:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
+- org.springframework.security:spring-security-web:jar:3.1.0.RELEASE:compile
|  +- org.springframework:spring-tx:jar:3.0.6.RELEASE:compile
|  |  +- (aopalliance:aopalliance:jar:1.0:compile - omitted for duplicate)
|  |  +- (org.springframework:spring-aop:jar:3.0.6.RELEASE:compile - omitted for duplicate)
|  |  +- (org.springframework:spring-beans:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  |  +- (org.springframework:spring-context:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  |  \- (org.springframework:spring-core:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  +- (org.springframework:spring-web:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  +- (aopalliance:aopalliance:jar:1.0:compile - omitted for duplicate)
|  +- (org.springframework:spring-expression:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  +- (org.springframework:spring-aop:jar:3.0.6.RELEASE:compile - omitted for duplicate)
|  +- (org.springframework.security:spring-security-core:jar:3.1.0.RELEASE:compile - omitted for duplicate)
|  +- org.springframework:spring-jdbc:jar:3.0.6.RELEASE:compile
|  |  +- (org.springframework:spring-beans:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  |  +- (org.springframework:spring-core:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  |  \- (org.springframework:spring-tx:jar:3.0.6.RELEASE:compile - omitted for duplicate)
|  +- (org.springframework:spring-context:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  +- (org.springframework:spring-beans:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
|  \- (org.springframework:spring-core:jar:3.0.6.RELEASE:compile - omitted for conflict with 3.1.0.RELEASE)
+- junit:junit:jar:4.11:test
|  \- org.hamcrest:hamcrest-core:jar:1.3:test
+- org.xssfinder:xssfinder-core:jar:1.0-SNAPSHOT:test
|  +- (org.xssfinder:xssfinder-executor:jar:1.0-SNAPSHOT:test - omitted for duplicate)
|  +- (org.slf4j:slf4j-api:jar:1.7.5:test - version managed from 1.5.8; omitted for duplicate)
|  +- (ch.qos.logback:logback-classic:jar:1.0.13:test - omitted for duplicate)
|  \- (com.google.guava:guava:jar:14.0:compile - version managed from 11.0.2; scope updated from test; omitted for duplicate)
+- org.apache.httpcomponents:httpcore:jar:4.2.2:test
+- org.eclipse.jetty:jetty-server:jar:7.6.10.v20130312:compile
|  +- org.eclipse.jetty.orbit:javax.servlet:jar:2.5.0.v201103041518:compile
|  +- org.eclipse.jetty:jetty-continuation:jar:7.6.10.v20130312:compile
|  \- org.eclipse.jetty:jetty-http:jar:7.6.10.v20130312:compile
|     \- org.eclipse.jetty:jetty-io:jar:7.6.10.v20130312:compile
|        \- (org.eclipse.jetty:jetty-util:jar:7.6.10.v20130312:compile - omitted for duplicate)
+- org.eclipse.jetty:jetty-servlet:jar:7.6.10.v20130312:compile
|  \- org.eclipse.jetty:jetty-security:jar:7.6.10.v20130312:compile
|     \- (org.eclipse.jetty:jetty-server:jar:7.6.10.v20130312:compile - omitted for duplicate)
+- org.eclipse.jetty:jetty-webapp:jar:7.6.10.v20130312:compile
|  +- org.eclipse.jetty:jetty-xml:jar:7.6.10.v20130312:compile
|  |  \- (org.eclipse.jetty:jetty-util:jar:7.6.10.v20130312:compile - omitted for duplicate)
|  \- (org.eclipse.jetty:jetty-servlet:jar:7.6.10.v20130312:compile - omitted for duplicate)
+- org.eclipse.jetty:jetty-servlets:jar:7.6.10.v20130312:compile
|  +- (org.eclipse.jetty:jetty-continuation:jar:7.6.10.v20130312:compile - omitted for duplicate)
|  +- org.eclipse.jetty:jetty-client:jar:7.6.10.v20130312:compile
|  |  \- (org.eclipse.jetty:jetty-http:jar:7.6.10.v20130312:compile - omitted for duplicate)
|  \- org.eclipse.jetty:jetty-util:jar:7.6.10.v20130312:compile
+- org.eclipse.jetty:jetty-jsp:jar:7.6.10.v20130312:compile
|  +- org.eclipse.jetty.orbit:javax.servlet.jsp:jar:2.1.0.v201105211820:compile
|  |  \- (org.eclipse.jetty.orbit:javax.servlet:jar:2.5.0.v201103041518:compile - omitted for duplicate)
|  +- org.eclipse.jetty.orbit:org.apache.jasper.glassfish:jar:2.1.0.v201110031002:compile
|  |  +- (org.eclipse.jetty.orbit:javax.servlet:jar:2.5.0.v201103041518:compile - omitted for duplicate)
|  |  \- (org.eclipse.jetty.orbit:javax.servlet.jsp:jar:2.1.0.v201105211820:compile - omitted for duplicate)
|  +- org.eclipse.jetty.orbit:javax.servlet.jsp.jstl:jar:1.2.0.v201105211821:compile
|  |  +- (org.eclipse.jetty.orbit:javax.servlet:jar:2.5.0.v201103041518:compile - omitted for duplicate)
|  |  \- (org.eclipse.jetty.orbit:javax.servlet.jsp:jar:2.1.0.v201105211820:compile - omitted for duplicate)
|  +- org.eclipse.jetty.orbit:org.apache.taglibs.standard.glassfish:jar:1.2.0.v201112081803:compile
|  |  \- (org.eclipse.jetty.orbit:javax.servlet.jsp.jstl:jar:1.2.0.v201105211821:compile - omitted for duplicate)
|  +- org.eclipse.jetty.orbit:javax.el:jar:2.1.0.v201105211819:compile
|  +- org.eclipse.jetty.orbit:com.sun.el:jar:1.0.0.v201105211818:compile
|  \- org.eclipse.jetty.orbit:org.eclipse.jdt.core:jar:3.7.1:compile
\- javax.servlet:jstl:jar:1.2:provided

回答1:

In my case the problem was fixed by changing the version of xml-apis from 1.3.04 to 1.4.01



回答2:

It looks as though you don't have the xml-apis dependency specified in your child pom. The <dependencyManagement> section does not cause dependencies to be included, it just supplies configuration which can be inherited. It looks like some of the dependencies in your child pom are pulling in xml-apis transitively, but for some weird Maven quirk, the one that's winning (version 1.4.01) is in test scope; presumably it is in test scope in whichever dependency specifies it. Transitive dependencies in test scope in the pom that specifies them will not be pulled in by your project's dependencies that are in test scope - that's quite a tricky sentence to parse, but there's a good explanation of Dependency Scope which might make things clearer.

Essentially what I'm looking at is your dependency-tree that shows one included version of xml-apis, as can be seen in this edited version of your output:

org.xssfinder:xssfinder-test:war:1.0-SNAPSHOT
+- org.xssfinder:xssfinder-executor-java:jar:1.0-SNAPSHOT:compile
   +- org.reflections:reflections-maven:jar:0.9.8:compile
      +- org.reflections:reflections:jar:0.9.8:compile
         +- com.google.guava:guava:jar:14.0:compile
         +- javassist:javassist:jar:3.12.1.GA:compile
         \- dom4j:dom4j:jar:1.6.1:compile
            \- xml-apis:xml-apis:jar:1.4.01:test

I'm not completely sure why that's coming through as test scope, but I'm guessing that's the problem. I'd recommend adding the xml-apis dependency explicitly into your child pom, and seeing if it affects the dependency-tree - you're trying to avoid pulling it in as a transitive dependency, to see if you can resolve the problem.



回答3:

I have resolved this in the end, but fairly unsatisfactorily. The fix was to mark xml-apis as in the runtime scope in the dependencyManagement section of the parent pom.

I'm not entirely clear on why this works (and in particular, why it works whereas specifying the dependency as in the compile scope does not work). If anyone thinks they can adequately explain that, I'd like to know.