geonetwork / core-geonetwork

GeoNetwork is a catalog application to manage spatially referenced resources. It provides powerful metadata editing and search functions as well as an interactive web map viewer. It is currently used in numerous Spatial Data Infrastructure initiatives across the world.
http://geonetwork-opensource.org/
GNU General Public License v2.0
433 stars 489 forks source link

schema-core transitive dependency on jdom --> jaxen now broken #4684

Open jodygarnett opened 4 years ago

jodygarnett commented 4 years ago

Building with a schema such as iso19139.nl.geografie.2.0.0 and iso19139.nl.services.2.0.0 results in a very odd build failure!

 The following artifacts could not be resolved: maven-plugins:maven-cobertura-plugin:plugin:1.3, maven-plugins:maven-findbugs-plugin:plugin:1.3.1: Could not find artifact maven-plugins:maven-cobertura-plugin:plugin:1.3 in central (https://repo.maven.apache.org/maven2) -> [Help 1]

What on earth could this mean?

After several hours I have an answer (using mvn install -X to bring up debug output).

[DEBUG]    org.geonetwork-opensource:schema-iso19139.nl.geografie.2.0.0:jar:3.7:compile
[DEBUG]       org.geonetwork-opensource:schema-core:jar:3.7:compile
[DEBUG]          org.jdom:jdom:jar:1.1.2:compile
[DEBUG]             jaxen:jaxen:jar:1.1.3:compile
[DEBUG]                dom4j:dom4j:jar:1.6.1:compile
[DEBUG]                jdom:jdom:jar:1.0:compile
[DEBUG]                xml-apis:xml-apis:jar:1.3.02:compile
[DEBUG]                maven-plugins:maven-cobertura-plugin:plugin:1.3:compile
[DEBUG]                   cobertura:cobertura:jar:1.8:compile
[DEBUG]                   oro:oro:jar:2.0.8:compile
[DEBUG]                   asm:asm:jar:2.2.1:compile
[DEBUG]                   commons-jelly:commons-jelly-tags-log:jar:1.0:compile
[DEBUG]                maven-plugins:maven-findbugs-plugin:plugin:1.3.1:compile
[DEBUG]                   findbugs:bcel:jar:5.1:compile
[DEBUG]                   findbugs:coreplugin:jar:1.0.0:compile
[DEBUG]                   findbugs:findbugs:jar:1.0.0:compile
[DEBUG]                      findbugs:annotations:jar:1.0.0:compile
[DEBUG]                      bcel:bcel:jar:5.1:compile
[DEBUG]                         regexp:regexp:jar:1.2:compile
[DEBUG]                      findbugs:findbugsGUI:jar:1.0.0:compile
[DEBUG]                   findbugs:findbugs-ant:jar:1.0.0:compile

How did it happen

The jaxen 1.1.3 dependencies are wrong, you can see so here: https://mvnrepository.com/artifact/jaxen/jaxen/1.1.3 It somehow got a compile dependency on two maven plugins and has been dragging them into a our build.

When we depended on repo.boundlessgeo.com it had combined releases, snapshots and plugins into a single location .... so our build worked!

Now that we use repo.osgeo.org we are only getting releases. Plugins are stored in a serperate repository, they cannot be found, and so we do not run!

How to fix

The correct action is to exclude these in transitive dependency in schema-core:

                <dependency>
                   <groupId>org.jdom</groupId>
                   <artifactId>jdom</artifactId>
                    <exclusions>
                       <exclusion>
                         <groupId>maven-plugins</groupId>
                         <artifactId>maven-cobertura-plugin</artifactId>
                       </exclusion>
                       <exclusion>
                         <groupId>maven-plugins</groupId>
                         <artifactId>maven-findbugs-plugin</artifactId>
                       </exclusion>
                    </exclusions>
                </dependency>

Or use a newer version of jdom?

pvgenuchten commented 4 years ago

It happens specifically to this schema? Because it is based in org.geonetwork-opensource:schema-core:jar:3.7? Would love to see this fixed as generic as possible, so we can use this version of the schema-plugin in as many geonetwork versions as possible

jodygarnett commented 4 years ago

Because schema-core is not published to a repository anywhere, ... can I just fix it? Or will that mess up folks that have built it previously on their machine ...

jodygarnett commented 4 years ago

After further thought, this is a mistake in jaxen, not our code; we only noticed because of a recent environment change.

Since this is a build change, and not something that affects geonetwork at runtime, I would like to ask that we patch all active branches (and backport as far back as folks care to).