Blacklist Maven dependencies

Published 2020-02-25 07:45

Is there a way, e.g. a Maven plug-in, that can take a list of unwanted/blacklisted dependencies (direct and transitive) and fail the build if it detects one of the listed dependencies?

In my project we strictly want to get rid of Apache Commons Logging and replace it with the SLF4J JCL Bridge. I am aware that we have to exclude the unwanted deps ourselves, but I would like to have the build fail if someone adds a dependency that brings in a blacklisted dependency.

2 answers
Ridiculous、
Answer #2 · 2020-02-25 07:56

Yes, the enforcer plugin supports this with its bannedDependencies rule.

Ridiculous、
Answer #3 · 2020-02-25 08:06

You can ban some dependencies using the maven-enforcer-plugin.

Here is their example with updates for your exclusion of Apache Commons Logging.

<project>
  [...]
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>1.1.1</version>
        <executions>
          <execution>
            <id>enforce-banned-dependencies</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>commons-logging:commons-logging</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  [...]
</project>

The output when running mvn install will be:

[WARNING] Rule 1: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
Found Banned Dependency: commons-logging:commons-logging:jar:1.1.1
Use 'mvn dependency:tree' to locate the source of the banned dependencies.

It all ends with a BUILD FAILURE.

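As an added example (not part of either answer above, and not the enforcer project's own documentation), here is a pom.xml that puts the two halves of the question together: it replaces Commons Logging with the SLF4J JCL bridge and makes the build fail if any dependency, direct or transitive, pulls Commons Logging back in. The plugin and library versions (maven-enforcer-plugin 3.4.1, jcl-over-slf4j 2.0.9) and the com.example:some-library dependency are assumptions chosen for illustration; the bannedDependencies parameters searchTransitive and message are real rule settings.

```xml
<project>
  <!-- Added example, not the answer's own pom: ban Commons Logging build-wide
       and route its API calls to SLF4J via the JCL bridge. -->
  <dependencies>
    <!-- Route org.apache.commons.logging calls to SLF4J (version is an assumption). -->
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>jcl-over-slf4j</artifactId>
      <version>2.0.9</version>
    </dependency>
    <!-- Hypothetical library that transitively depends on commons-logging;
         the exclusion keeps it off this project's classpath. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>some-library</artifactId>
      <version>1.0.0</version>
      <exclusions>
        <exclusion>
          <groupId>commons-logging</groupId>
          <artifactId>commons-logging</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>enforce-banned-dependencies</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <!-- Run early so the failure shows up before compilation. -->
            <phase>validate</phase>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- Walk the full transitive tree, not just direct dependencies
                       (true is the default; spelled out here for clarity). -->
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <!-- Both coordinates under which Commons Logging has shipped. -->
                    <exclude>commons-logging:commons-logging</exclude>
                    <exclude>commons-logging:commons-logging-api</exclude>
                  </excludes>
                  <!-- Shown in the build log alongside the offending coordinates. -->
                  <message>Commons Logging is banned in this project; exclude it from the offending dependency and rely on org.slf4j:jcl-over-slf4j instead.</message>
                </bannedDependencies>
              </rules>
              <!-- fail=true turns the rule violation into a BUILD FAILURE rather than a warning. -->
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place, `mvn validate` is enough to trigger the check, so the failure surfaces before any compilation or test time is spent. When it does fail, `mvn dependency:tree -Dincludes=commons-logging` narrows the tree to the paths that bring the banned artifact in, which tells you which dependency needs the exclusion.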