How do I best handle banned dependencies for Confluence development?

I’m building a Confluence plugin with the following dependency:

<dependency>
    <groupId>com.google.auth</groupId>
    <artifactId>google-auth-library-oauth2-http</artifactId>
    <version>1.12.1</version>
</dependency>

When this is added, I get an error from banned dependencies:

[INFO] --- confluence-maven-plugin:8.2.3:validate-banned-dependencies (default-validate-banned-dependencies) @ google-analytics-for-confluence ---
[INFO] validate banned dependencies
[WARNING] Rule 0: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
make sure platform artifacts are not bundled into plugin
Found Banned Dependency: com.google.code.findbugs:jsr305:jar:3.0.2
Found Banned Dependency: com.google.guava:guava:jar:26.0-jre
Found Banned Dependency: javax.annotation:javax.annotation-api:jar:1.3.2
Found Banned Dependency: org.apache.httpcomponents:httpclient:jar:4.5.13
Found Banned Dependency: org.apache.httpcomponents:httpcore:jar:4.4.13
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 10.834 s
[INFO] Finished at: 2022-11-03T15:54:11Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal com.atlassian.maven.plugins:confluence-maven-plugin:8.2.3:validate-banned-dependencies (default-validate-banned-dependencies) on project google-analytics-for-confluence: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

Each of the banned dependencies comes from a dependency in com.google.http-client:google-http-client (which com.google.auth:google-auth-library-oauth2-http is dependent on).

:point_right: Whats the best way around this?

@aswan says in
Maven bans dependencies with no configuration
:

When you have a legitimate reason for disabling this check, as in your situation, you can so do by adding this to your AMPS configuration:

<banningExcludes>
    <exclude>commons-io:commons-io</exclude>
    <exclude>com.foo:bar</exclude>
    ...
</banningExcludes>

But I’ll just reiterate that most AMPS users should not do this, they should use the dependencies that the platform provides.

So I could do this:

<banningExcludes>
    <exclude>com.google.code.findbugs:jsr305</exclude>
    <exclude>com.google.guava:guava</exclude>
    <exclude>javax.annotation:javax.annotation-api</exclude>
    <exclude>org.apache.httpcomponents:httpclient</exclude>
    <exclude>org.apache.httpcomponents:httpcore</exclude>
</banningExcludes>

:point_right: …but the question is, is there a better way?

Hello @david , this error means that your plugin is bundling artifacts that are already provided in the product through its platform.

You should apply the hint there use mvn dependency:tree to see what dependency is bringing in these artifacts, for instance :

mvn dependency:tree -Dincludes=com.google.guava:guava

In your case , you already know which dependency is bringing in those, so you can apply maven exclusions as follow

        <dependency>
            <groupId>com.google.auth</groupId>
            <artifactId>google-auth-library-oauth2-http</artifactId>
            <version>1.12.1</version>
            <exclusions>
                <exclusion>
                    <groupId>com.google.guava</groupId>
                    <artifactId>guava</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>com.google.code.findbugs</groupId>
                    <artifactId>jsr305</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.httpcomponents</groupId>
                    <artifactId>httpclient</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.httpcomponents</groupId>
                    <artifactId>httpcore</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

Now the question is, would that impact the behaviour of your plugin ? most likely not , it should have those platform artifacts out of the box.

I hope this helps

Cheers

Hasnae R.
former Confluence person

2 Likes

giphy-3690544079

Thnx @viqueen-hasnae. Seems obvious now.

:man_facepalming: Of course I have done this before, but it has been a while.

1 Like

@viqueen-hasnae Just as another update here, after adding the exclusions, I then got this osgi wiring problem on atlas-package

[INFO] [talledLocalContainer] Caused by: org.osgi.framework.BundleException: 
    Unable to resolve me.davidsimpson.confluence.addon.example-app [312](R 312.0): 
    missing requirement [me.davidsimpson.confluence.addon.example-app [312](R 312.0)] 
    osgi.wiring.package; (osgi.wiring.package=com.aayushatharva.brotli4j) 
    Unresolved requirements: 
    [[me.davidsimpson.confluence.addon.example-app [312](R 312.0)] 
osgi.wiring.package; 
    (osgi.wiring.package=com.aayushatharva.brotli4j)]
[INFO] [talledLocalContainer] 	at org.apache.felix.framework.Felix.resolveBundleRevision(Felix.java:4149)
[INFO] [talledLocalContainer] 	at org.apache.felix.framework.Felix.startBundle(Felix.java:2119)
[INFO] [talledLocalContainer] 	at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:998)
[INFO] [talledLocalContainer] 	at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:984)
[INFO] [talledLocalContainer] 	at com.atlassian.plugin.osgi.factory.OsgiPlugin.enableInternal(OsgiPlugin.java:405)
[INFO] [talledLocalContainer] 	... 113 more
[INFO] [talledLocalContainer] 2022-11-04 10:36:07,210 UpmAsynchronousTaskManager:thread-2 ERROR [com.atlassian.plugin.manager.PluginEnabler] Unable to enable plugin me.davidsimpson.confluence.addon.example-app
[INFO] [talledLocalContainer] com.atlassian.plugin.osgi.container.OsgiContainerException: Cannot start plugin: me.davidsimpson.confluence.addon.example-app

So I added this com.aayushatharva.brotli4j to the <Import-Package> like so:

<Import-Package>
    !com.atlassian.plugin.web,
    com.atlassian.confluence.plugin.descriptor.web.conditions.*;resolution:="optional",
    org.springframework.osgi.*;resolution:="optional",
    org.eclipse.gemini.blueprint.*;resolution:="optional",

    com.aayushatharva.brotli4j.*;resolution:="optional",
    
    *
</Import-Package>

Then run atlas-package and similarly get error after error, so I kept on adding to the <Import-Package> for each unresolved requirement until I had something which allowed me to compile:

<Import-Package>
    !com.atlassian.plugin.web,
    com.atlassian.confluence.plugin.descriptor.web.conditions.*;resolution:="optional",
    org.springframework.osgi.*;resolution:="optional",
    org.eclipse.gemini.blueprint.*;resolution:="optional",

    com.aayushatharva.brotli4j.*;resolution:="optional",
    com.github.luben.zstd.*;resolution:="optional",
    com.google.protobuf.nano.*;resolution:="optional",
    com.jcraft.jzlib.*;resolution:="optional",
    com.ning.compress.*;resolution:="optional",
    com.oracle.svm.core.annotate.*;resolution:="optional",
    lzma.sdk.*;resolution:="optional",
    net.jpountz.lz4.*;resolution:="optional",
    net.jpountz.xxhash.*;resolution:="optional",
    org.apache.avalon.framework.logger.*;resolution:="optional",
    org.apache.log.*;resolution:="optional",
    org.apache.logging.log4j.*;resolution:="optional",
    org.eclipse.jetty.alpn.*;resolution:="optional",
    org.eclipse.jetty.npn.*;resolution:="optional",
    org.graalvm.nativeimage.hosted.*;resolution:="optional",
    org.jboss.marshalling.*;resolution:="optional",
    org.slf4j.helpers.*;resolution:="optional",
    reactor.blockhound.*;resolution:="optional",
    sun.misc.*;resolution:="optional",
    sun.security.x509.*;resolution:="optional",
    
    *
</Import-Package>

This looks pretty poor to me as there’s lots that need importing, but I’ll see how things progress.

Hei hei @david ,

which Confluence version are you running ? and also which Java version ? and which Tomcat … , basically what does your environment look like ?

I see that you’re adding imports for org.graalvm.nativeimage.hosted. which seem a bit interesting :thinking:

@viqueen-hasnae yeah, all these look somewhat odd, but these Google authored artifacts can be weird. At least they’ve now stopped releasing multiple incompatible versions with the same version number (they really did use to do that).

Here’s my environment (MacOS m1):

% atlas-version

ATLAS Version:    8.2.7
ATLAS Home:       /opt/homebrew/Cellar/atlassian-plugin-sdk/8.2.7/libexec
ATLAS Scripts:    /opt/homebrew/Cellar/atlassian-plugin-sdk/8.2.7/libexec/bin
ATLAS Maven Home: /opt/homebrew/Cellar/atlassian-plugin-sdk/8.2.7/libexec/apache-maven-3.5.4
AMPS Version:     8.1.2
--------
Executing: /opt/homebrew/Cellar/atlassian-plugin-sdk/8.2.7/libexec/apache-maven-3.5.4/bin/mvn --version -gs /opt/homebrew/Cellar/atlassian-plugin-sdk/8.2.7/libexec/apache-maven-3.5.4/conf/settings.xml
Colorizing console...
Apache Maven 3.5.4 (1edded0938998edf8bf061f1ceb3cfdeccf443fe; 2018-06-17T19:33:14+01:00)
Maven home: /opt/homebrew/Cellar/atlassian-plugin-sdk/8.2.7/libexec/apache-maven-3.5.4
Java version: 1.8.0_345, vendor: Temurin, runtime: /Library/Java/JavaVirtualMachines/temurin-8.jdk/Contents/Home/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "10.16", arch: "x86_64", family: "mac"

…and the relevant goodness from my pom.xml

    <properties>
        <confluence.version>7.13.2</confluence.version>
        <confluence.data.version>7.13.2</confluence.data.version>
        <amps.version>8.2.3</amps.version>
        <upm.license.compatibility.version>2.15</upm.license.compatibility.version>
        <plugin.testrunner.version>2.0.2</plugin.testrunner.version>
        <atlassian.spring.scanner.version>2.1.13</atlassian.spring.scanner.version>
        <atlassian.plugin.key>${project.groupId}.${project.artifactId}</atlassian.plugin.key>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
    </properties>

The target directory contains container/tomcat9x/apache-tomcat-9.0.45, so it looks like Tomcat 9.0.45 :slight_smile: