geonetwork / core-geonetwork

GeoNetwork is a catalog application to manage spatially referenced resources. It provides powerful metadata editing and search functions as well as an interactive web map viewer. It is currently used in numerous Spatial Data Infrastructure initiatives across the world.
http://geonetwork-opensource.org/
GNU General Public License v2.0

schema-core transitive dependency on jdom --> jaxen now broken #4684

Open jodygarnett opened 4 years ago

jodygarnett commented 4 years ago

Building with a schema such as iso19139.nl.geografie.2.0.0 and iso19139.nl.services.2.0.0 results in a very odd build failure!

 The following artifacts could not be resolved: maven-plugins:maven-cobertura-plugin:plugin:1.3, maven-plugins:maven-findbugs-plugin:plugin:1.3.1: Could not find artifact maven-plugins:maven-cobertura-plugin:plugin:1.3 in central (https://repo.maven.apache.org/maven2) -> [Help 1]

What on earth could this mean?

After several hours I have an answer (using mvn install -X to bring up debug output).

[DEBUG]    org.geonetwork-opensource:schema-iso19139.nl.geografie.2.0.0:jar:3.7:compile
[DEBUG]       org.geonetwork-opensource:schema-core:jar:3.7:compile
[DEBUG]          org.jdom:jdom:jar:1.1.2:compile
[DEBUG]             jaxen:jaxen:jar:1.1.3:compile
[DEBUG]                dom4j:dom4j:jar:1.6.1:compile
[DEBUG]                jdom:jdom:jar:1.0:compile
[DEBUG]                xml-apis:xml-apis:jar:1.3.02:compile
[DEBUG]                maven-plugins:maven-cobertura-plugin:plugin:1.3:compile
[DEBUG]                   cobertura:cobertura:jar:1.8:compile
[DEBUG]                   oro:oro:jar:2.0.8:compile
[DEBUG]                   asm:asm:jar:2.2.1:compile
[DEBUG]                   commons-jelly:commons-jelly-tags-log:jar:1.0:compile
[DEBUG]                maven-plugins:maven-findbugs-plugin:plugin:1.3.1:compile
[DEBUG]                   findbugs:bcel:jar:5.1:compile
[DEBUG]                   findbugs:coreplugin:jar:1.0.0:compile
[DEBUG]                   findbugs:findbugs:jar:1.0.0:compile
[DEBUG]                      findbugs:annotations:jar:1.0.0:compile
[DEBUG]                      bcel:bcel:jar:5.1:compile
[DEBUG]                         regexp:regexp:jar:1.2:compile
[DEBUG]                      findbugs:findbugsGUI:jar:1.0.0:compile
[DEBUG]                   findbugs:findbugs-ant:jar:1.0.0:compile

How did it happen

The jaxen 1.1.3 dependencies are wrong, as you can see here: https://mvnrepository.com/artifact/jaxen/jaxen/1.1.3. It somehow got a compile dependency on two maven plugins and has been dragging them into our build.

When we depended on repo.boundlessgeo.com it had combined releases, snapshots and plugins into a single location .... so our build worked!

Now that we use repo.osgeo.org we are only getting releases. Plugins are stored in a separate repository, they cannot be found, and so we do not run!

How to fix

The correct action is to exclude these in the transitive dependency in schema-core:

    <dependency>
      <groupId>org.jdom</groupId>
      <artifactId>jdom</artifactId>
      <exclusions>
        <exclusion>
          <groupId>maven-plugins</groupId>
          <artifactId>maven-cobertura-plugin</artifactId>
        </exclusion>
        <exclusion>
          <groupId>maven-plugins</groupId>
          <artifactId>maven-findbugs-plugin</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

Or use a newer version of jdom?
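
To find which artifact drags a `plugin`-typed dependency into the build without reading the debug tree by eye, the following added example (not part of the original issue or the GeoNetwork code base) walks the indented `[DEBUG]` lines and returns the chain leading to each offender. The sample input is constructed in the shape of the output quoted above, and the function names `plugin_chains` and `declared_by` are assumptions made for this example.

```python
import re

# Constructed sample, shaped like the `mvn install -X` lines quoted in the issue.
SAMPLE = """\
[DEBUG]    org.geonetwork-opensource:schema-iso19139.nl.geografie.2.0.0:jar:3.7:compile
[DEBUG]       org.geonetwork-opensource:schema-core:jar:3.7:compile
[DEBUG]          org.jdom:jdom:jar:1.1.2:compile
[DEBUG]             jaxen:jaxen:jar:1.1.3:compile
[DEBUG]                dom4j:dom4j:jar:1.6.1:compile
[DEBUG]                maven-plugins:maven-cobertura-plugin:plugin:1.3:compile
[DEBUG]                   cobertura:cobertura:jar:1.8:compile
[DEBUG]                maven-plugins:maven-findbugs-plugin:plugin:1.3.1:compile
[DEBUG] Some unrelated debug line that is not a coordinate
"""

# group:artifact:type[:classifier]:version:scope, preceded by the tree indentation
NODE = re.compile(r"^\[DEBUG\]( +)((?:[\w.\-]+:){4,5}[\w.\-]+)")

def plugin_chains(debug_output):
    """Return the root-to-offender chain for every dependency whose type is 'plugin'."""
    stack, chains = [], []  # stack holds (indent, label) for the current path
    for line in debug_output.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        indent, parts = len(m.group(1)), m.group(2).split(":")
        label = f"{parts[0]}:{parts[1]}:{parts[-2]}"  # group:artifact:version
        while stack and stack[-1][0] >= indent:  # leave finished siblings/subtrees
            stack.pop()
        stack.append((indent, label))
        if parts[2] == "plugin":
            chains.append([name for _, name in stack])
    return chains

def declared_by(chains):
    """Map each plugin-typed artifact to the artifact whose POM declares it."""
    return {chain[-1]: chain[-2] for chain in chains if len(chain) > 1}

if __name__ == "__main__":
    for chain in plugin_chains(SAMPLE):
        print(" -> ".join(chain))
```
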

pvgenuchten commented 4 years ago

It happens specifically to this schema? Because it is based on org.geonetwork-opensource:schema-core:jar:3.7? Would love to see this fixed as generically as possible, so we can use this version of the schema-plugin in as many geonetwork versions as possible.

jodygarnett commented 4 years ago

Because schema-core is not published to a repository anywhere, ... can I just fix it? Or will that mess up folks that have built it previously on their machine ...

jodygarnett commented 4 years ago

After further thought, this is a mistake in jaxen, not our code; we only noticed because of a recent environment change.

Since this is a build change, and not something that affects geonetwork at runtime, I would like to ask that we patch all active branches (and backport as far back as folks care to).