More Info on AMPS Banned Plugin Dependency

Hi there,

In our Bamboo plugins we are updating the AMPS version from 6.3.15 to 8.2.1, but we then fail to compile due to the “validate-banned-dependencies” goal:

Rule 0: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
make sure platform artifacts are not bundled into plugin
Found Banned Dependency: org.springframework:spring-expression:jar:5.0.10.RELEASE
Found Banned Dependency: org.springframework:spring-context:jar:5.0.10.RELEASE
Found Banned Dependency: org.springframework:spring-core:jar:5.0.10.RELEASE
Found Banned Dependency: org.springframework:spring-beans:jar:5.0.10.RELEASE
Found Banned Dependency: org.springframework:spring-aop:jar:5.0.10.RELEASE
Found Banned Dependency: org.springframework:spring-web:jar:4.3.25.RELEASE

Failed to execute goal com.atlassian.maven.plugins:bamboo-maven-plugin:8.2.1:validate-banned-dependencies (default-validate-banned-dependencies) on project secrets-mgmt-plugin: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed.

We were hoping for more info on what the list of banned dependencies is, why they are banned, and any recommendations on how to move past this. The only doc we could find is “Maven bans dependencies with no configuration”, and while it has been helpful in some instances, we’re still feeling a bit in the dark. We can provide any plugin code if that helps.

Thank you,
James

Hi James,

Thanks for your question.

That check, which was added in AMPS 8.1.0, aims to prevent P2 developers from shooting themselves (and possibly others) in the foot by inadvertently bundling dependencies that are meant to be provided by the Atlassian platform (which means the host product itself, via the system bundle, or one of its bundled plugins). I could go into more detail on what problems arise when you bundle things you shouldn’t, but to cut a long story short, the fix is to assign provided scope to the dependencies in this list.

We don’t publish a list of banned dependencies, because it’s liable to go out of date pretty quickly. The workflow we envisage is that if you accidentally do bundle a platform artifact, you would simply fix the error and move on. This is a similar philosophy to how the compiler doesn’t teach you Java, it just tells you when you make a mistake. :) But since you asked, here is the current list of the banned dependencies:

<< N.B. this is not documentation, it’s a snapshot of the current list >>

            "biz.aQute.bnd:biz.aQute.bndlib",
            "com.atlassian:atlassian-failure-cache-plugin",
            "com.atlassian.activeobjects:activeobjects-bamboo-spi",
            "com.atlassian.activeobjects:activeobjects-confluence-spi",
            "com.atlassian.activeobjects:activeobjects-jira-spi",
            "com.atlassian.activeobjects:activeobjects-plugin",
            "com.atlassian.activeobjects:activeobjects-refapp-spi",
            "com.atlassian.activeobjects:activeobjects-spi",
            "com.atlassian.activeobjects:activeobjects-test",
            "com.atlassian.annotations:atlassian-annotations",
            "com.atlassian.applinks:applinks-api",
            "com.atlassian.applinks:applinks-basicauth-plugin",
            "com.atlassian.applinks:applinks-cors-plugin",
            "com.atlassian.applinks:applinks-host",
            "com.atlassian.applinks:applinks-oauth-plugin",
            "com.atlassian.applinks:applinks-pageobjects",
            "com.atlassian.applinks:applinks-plugin",
            "com.atlassian.applinks:applinks-spi",
            "com.atlassian.applinks:applinks-trustedapps-plugin",
            "com.atlassian.beehive:beehive-api",
            "com.atlassian.beehive:beehive-core",
            "com.atlassian.beehive:beehive-core-tck",
            "com.atlassian.beehive:beehive-db",
            "com.atlassian.beehive:beehive-hazelcast",
            "com.atlassian.beehive:beehive-single-node",
            "com.atlassian.cache:atlassian-cache-api",
            "com.atlassian.cache:atlassian-cache-ehcache",
            "com.atlassian.cache:atlassian-cache-memory",
            "com.atlassian.event:atlassian-event",
            "com.atlassian.gadgets:atlassian-gadgets",
            "com.atlassian.healthcheck:atlassian-healthcheck-in-product-test-support",
            "com.atlassian.healthcheck:atlassian-healthcheck-spi",
            "com.atlassian.healthcheck:atlassian-healthcheck",
            "com.atlassian.http:atlassian-http",
            "com.atlassian.httpclient:atlassian-httpclient-api",
            "com.atlassian.httpclient:atlassian-httpclient-plugin",
            "com.atlassian.marshalling:atlassian-marshalling-api",
            "com.atlassian.oauth:atlassian-oauth-admin-plugin",
            "com.atlassian.oauth:atlassian-oauth-api",
            "com.atlassian.oauth:atlassian-oauth-bridge",
            "com.atlassian.oauth:atlassian-oauth-consumer-core",
            "com.atlassian.oauth:atlassian-oauth-consumer-plugin",
            "com.atlassian.oauth:atlassian-oauth-consumer-sal-plugin",
            "com.atlassian.oauth:atlassian-oauth-consumer-spi",
            "com.atlassian.oauth:atlassian-oauth-service-provider-plugin",
            "com.atlassian.oauth:atlassian-oauth-service-provider-sal-plugin",
            "com.atlassian.oauth:atlassian-oauth-service-provider-spi",
            "com.atlassian.oauth:atlassian-oauth-signature-generator-plugin",
            "com.atlassian.plugin:atlassian-spring-scanner-annotation:2",
            "com.atlassian.plugin:atlassian-spring-scanner-runtime",
            "com.atlassian.plugins:atlassian-landlord-plugin",
            "com.atlassian.plugins:atlassian-landlord-spi",
            "com.atlassian.plugins:atlassian-plugins-api",
            "com.atlassian.plugins:atlassian-plugins-core",
            "com.atlassian.plugins:atlassian-plugins-eventlistener",
            "com.atlassian.plugins:atlassian-plugins-framework-bundles",
            "com.atlassian.plugins:atlassian-plugins-main",
            "com.atlassian.plugins:atlassian-plugins-osgi-bridge",
            "com.atlassian.plugins:atlassian-plugins-osgi",
            "com.atlassian.plugins:atlassian-plugins-osgi-events",
            "com.atlassian.plugins:atlassian-plugins-schema",
            "com.atlassian.plugins:atlassian-plugins-servlet",
            "com.atlassian.plugins:atlassian-plugins-spring",
            "com.atlassian.plugins:atlassian-plugins-webfragment-api",
            "com.atlassian.plugins:atlassian-plugins-webfragment",
            "com.atlassian.plugins:atlassian-plugins-webresource-api",
            "com.atlassian.plugins:atlassian-plugins-webresource-common",
            "com.atlassian.plugins:atlassian-plugins-webresource-plugin",
            "com.atlassian.plugins:atlassian-plugins-webresource-rest",
            "com.atlassian.plugins:atlassian-plugins-webresource",
            "com.atlassian.plugins:jquery",
            "com.atlassian.plugins.rest:atlassian-rest-common",
            "com.atlassian.plugins.rest:atlassian-rest-doclet",
            "com.atlassian.plugins.rest:atlassian-rest-module",
            "com.atlassian.plugins.rest:com.atlassian.jersey-library",
            "com.atlassian.plugins.test:atlassian-plugins-test",
            "com.atlassian.prettyurls:atlassian-pretty-urls-plugin",
            "com.atlassian.sal:auiplugin-integration-sal",
            "com.atlassian.sal:sal-api",
            "com.atlassian.sal:sal-core",
            "com.atlassian.sal:sal-spi",
            "com.atlassian.sal:sal-spring",
            "com.atlassian.sal:sal-test-resources",
            "com.atlassian.sal:sal-trust-api",
            "com.atlassian.sal:sal-trusted-apps-plugin-support",
            "com.atlassian.scheduler:atlassian-scheduler-api",
            "com.atlassian.scheduler:atlassian-scheduler-core-test",
            "com.atlassian.scheduler:atlassian-scheduler-core",
            "com.atlassian.scheduler:atlassian-scheduler-quartz1",
            "com.atlassian.scheduler:atlassian-scheduler-quartz2",
            "com.atlassian.scheduler.caesium:atlassian-scheduler-caesium",
            "com.atlassian.security.auth.trustedapps:atlassian-trusted-apps-core",
            "com.atlassian.security.auth.trustedapps:atlassian-trusted-apps-seraph-integration",
            "com.atlassian.soy:atlassian-soy-cli-support",
            "com.atlassian.soy:atlassian-soy-core",
            "com.atlassian.soy:atlassian-soy-spring-boot-support",
            "com.atlassian.soy:atlassian-soy-spring-mvc-support",
            "com.atlassian.soy:atlassian-soy-spring-support",
            "com.atlassian.soy:soy-template-plugin",
            "com.atlassian.soy:soy-template-renderer-api",
            "com.atlassian.soy:soy-template-renderer-plugin-api",
            "com.atlassian.streams:streams-aggregator-plugin",
            "com.atlassian.streams:streams-api",
            "com.atlassian.streams:streams-bamboo-plugin",
            "com.atlassian.streams:streams-core-plugin",
            "com.atlassian.streams:streams-crucible-plugin",
            "com.atlassian.streams:streams-fisheye-plugin",
            "com.atlassian.streams:streams-inline-actions-plugin",
            "com.atlassian.streams:streams-jira-inline-actions-plugin",
            "com.atlassian.streams:streams-jira-plugin",
            "com.atlassian.streams:streams-spi",
            "com.atlassian.streams:streams-thirdparty-plugin",
            "com.atlassian.templaterenderer:atlassian-template-renderer-api",
            "com.atlassian.templaterenderer:atlassian-template-renderer-velocity16-plugin",
            "com.atlassian.tenancy:atlassian-tenancy-api",
            "com.atlassian.tenancy:atlassian-tenancy-compatibility-plugin",
            "com.atlassian.vcache:atlassian-vcache-api",
            "com.atlassian.vcache:atlassian-vcache-internal-api",
            "com.atlassian.vcache:atlassian-vcache-internal-core",
            "com.atlassian.vcache:atlassian-vcache-internal-guava",
            "com.atlassian.vcache:atlassian-vcache-internal-harness",
            "com.atlassian.vcache:atlassian-vcache-internal-legacy",
            "com.atlassian.vcache:atlassian-vcache-internal-memcached",
            "com.atlassian.vcache:atlassian-vcache-internal-redis",
            "com.atlassian.vcache:atlassian-vcache-internal-test-utils",
            "com.atlassian.vcache:atlassian-vcache-internal-test",
            "com.atlassian.velocity.htmlsafe:velocity-htmlsafe",
            "com.atlassian.webhooks:atlassian-webhooks-api",
            "com.atlassian.webhooks:atlassian-webhooks-plugin",
            "com.atlassian.webhooks:atlassian-webhooks-spi",
            "com.google.code.findbugs:jsr305",
            "com.google.guava:guava",
            "com.sun.activation:javax.activation",
            "commons-fileupload:commons-fileupload",
            "commons-io:commons-io",
            "dom4j:dom4j",
            "io.atlassian.fugue:fugue",
            "io.atlassian.fugue:fugue-guava",
            "io.atlassian.fugue:fugue-optics",
            "io.atlassian.fugue:fugue-retry",
            "io.atlassian.fugue:fugue-scala",
            "io.atlassian.util.concurrent:atlassian-util-concurrent",
            "javax.annotation:javax.annotation-api",
            "javax.servlet:javax.servlet-api",
            "javax.validation:validation-api",
            "javax.ws.rs:javax.ws.rs-api",
            "org.apache.commons:commons-lang3",
            "org.apache.httpcomponents:httpclient-cache",
            "org.apache.httpcomponents:httpclient",
            "org.apache.httpcomponents:httpcore",
            "org.apache.httpcomponents:httpmime",
            "org.slf4j:jcl-over-slf4j",
            "org.slf4j:jul-to-slf4j",
            "org.slf4j:slf4j-api",
            "org.slf4j:slf4j-log4j12",
            "org.slf4j:slf4j-nop",
            "org.slf4j:slf4j-simple",
            "org.springframework:spring-aop",
            "org.springframework:spring-beans",
            "org.springframework:spring-context-support",
            "org.springframework:spring-context",
            "org.springframework:spring-core",
            "org.springframework:spring-expression",
            "org.springframework:spring-test",
            "org.springframework:spring-tx",
            "org.springframework:spring-web",
            "org.springframework:spring-webmvc"

<< repeat disclaimer: this list is a snapshot and WILL change between AMPS releases >>

I hope that answers your question, let me know if you need more detail or can’t apply the recommended fix for some reason.

Cheers,

Andrew
AMPS committer

6 Likes

In my experience, this occurs when you are including a compile time dependency as a provided dependency. If you can show your pom.xml file portion that includes these dependencies, it may shed more light on what the issue is. This seems related to this topic: Maven bans dependencies with no configuration

1 Like

Thank you for your reply, Andrew! This certainly helps. I think part of the trouble was our plugins worked on the particular version of Spring that we included in the project pom, but when we marked the dependency as provided the actual version of Spring that Bamboo provided led to errors at runtime. We’ll take a closer look at that to be sure though. Thanks again! James

2 Likes

Hi Aswan,

AMPS bans commons-io. However, we’re using Apache POI 5.1.0 which requires commons-io 2.11, and Confluence only provides commons-io 2.8.0. Therefore, we’d like to use our own commons-io, and override AMPS’s rules, otherwise we might get sudden exceptions in our plugins about a mismatching version.

Can we do this in any way?

Thank you,
Adrien Ragot

When you have a legitimate reason for disabling this check, as in your situation, you can do so by adding this to your AMPS configuration:

<banningExcludes>
    <exclude>commons-io:commons-io</exclude>
    <exclude>com.foo:bar</exclude>
    ...
</banningExcludes>

But I’ll just reiterate that most AMPS users should not do this, they should use the dependencies that the platform provides.

5 Likes

I am facing a slightly different scenario where we have no direct dependency on commons-io yet the dependency is recognized as banned. This seems to be caused by a compile scoped dependency that depends on commons-io. In this case, Maven seems to then fall back to the compile scope for the transitive commons-io dependency which triggers the verification error.

I am not quite sure when it is ok to exclude a dependency from the banned list. @aswan could you advise if it’s ok to exclude commons-io in this case? Does this fall into the same scenario as what @aragot described above?

In your situation, I would exclude commons-io as a transitive dependency of your compile-scoped direct dependency.

2 Likes

Hi @tbinna , if a compile dependency requires commons-io, it is as if you depended directly on it. The dependency may be using it in a random place, you must ensure that all the features of this dependency keep working well.

You can exclude commons-io from that dependency and assume that Confluence will provide it, but if you do so, check the version numbers (using mvn dependency:tree) to see whether there is a risk that the Confluence version of commons-io doesn’t have breaking changes. That still means you must test all the features you are using in your dependency.

2 Likes

Hi @aragot, @aswan

With the Jira 10 transition, we are facing the same issue. The libraries contained in common-compress, which comes transitively within Apache-poi, are being blocked under the AMPS banned dependency validation. In Jira 8 and 9 runtimes, we were able to add apache-common-compress as provided since it existed, but it has been removed from the Jira 10 runtime.

In this case, we haven’t been able to come up with a solution other than using banningExcludes. However, we cannot predict the possible runtime effects of this. Have you encountered any unexpected issues when running it with banningExcludes? Or have you found another solution for this situation?

Thanks,

I’m on AMPS 8.13.1 and for the moment I don’t have any problem compiling our PSEA plugin (which uses Apache POI). So I don’t have information for you, sorry.