So I've seen other posts (eg. Can't use hbase-shaded-client jar because of its internal dependency to log4j-1.2.17(CVE-2019-1757)) stating that they have a way to exclude the transitive dependency of log4j:log4j:1.2.17 however if I run ./gradlew app:dependencies I can still see that the transitive dependency exists.
I have tried referring to the following migration doc https://logging.apache.org/log4j/2.x/manual/migration.html but Im not sure if this is just transferring the calls over from log4j 1.x over to 2.x at runtime or if its supposed to update the transitive dependency all together. I tried even excluding the transitive dependency and using slf4j instead in my build.gradle file like so:
compile ('custom-library-that-I-cant-change-code-in'), {
exclude group: 'log4j', module: 'log4j'
}
// https://mvnrepository.com/artifact/org.slf4j/log4j-over-slf4j
implementation 'org.slf4j:log4j-over-slf4j:1.7.35'
How can I make sure if this is even working, or at least not using that older log4j:log4j:1.2.17 or am I going about this all wrong and there is an easier way of doing this
To answer you first question the following exclude wasn't working for me as well,
compile ('custom-library-that-I-cant-change-code-in'), {
exclude group: 'log4j', module: 'log4j'
}
try this in your build.gradle it should work
configurations {
compile.exclude group: "log4j", module: "log4j"
}
Related
I am posting here to understand how does JHipster work with Gradle dependencies, in particular with regards to the fact that I am unable to copy some of them into a Gradle submodule I have created inside my JH project.
For example, the following doesn't work in a Gradle submodule
compile "junit:junit"
Error is
Could not resolve: junit:junit
However, the classic one copied from mvnrepository works great
compile group: 'junit', name: 'junit', version: '4.12'
Some additional information: I am creating a submodule that contains a set of classes related to testing, mainly a large load of custom Hamcrest matchers copied from another project from the Ant world. The original project had a lot of spaghetti code mess, so now I am refactoring into an isolated Gradle module. The testlib module shall depend on the testing frameworks and contain everything required for writing good tests. It can be compared to spring-test project you would use to write your own Spring-based tests.
At the moment, the gradle file looks like
plugins {
id "java"
}
configurations {
providedRuntime
implementation.exclude module: "spring-boot-starter-tomcat"
}
repositories {
mavenLocal()
mavenCentral()
jcenter()
}
group 'org.example' //different from com.acme of super-project
version '0.0.1-SNAPSHOT'
sourceCompatibility = 1.8
dependencies {
compile group: 'org.assertj', name: 'assertj-core', version: '3.13.2'
compile group: 'org.junit.jupiter', name: 'junit-jupiter-api', version: '5.5.2'
compile group: 'org.hamcrest', name: 'hamcrest', version: '2.1'
compile group: 'org.mockito', name: 'mockito-core', version: '3.0.0'
compile group: 'org.springframework.boot', name: 'spring-boot', version: spring_boot_version
compile "junit:junit" //Fails
}
Question
So the question is in two parts:
why does the scope "orgId:name" syntax work in the JHipster-generated module but not in submodules? Is it part of standard Gradle syntax?
why is that not working in a sub-module? Does JHipster apply a custom plugin to apply the correct version number that is clearly missing? How I do the same in a sub-module that is supposed to contain only Java library code?
With regards to JHipster, a little of more investigation helped. According to this answer, there is a trick in Gradle called Bill Of Materials project, so...
TL;DR
Add the following to the sub-project
// import JHipster dependencies BOM
implementation platform("io.github.jhipster:jhipster-dependencies:${jhipster_dependencies_version}")
So that the whole block looks like
dependencies {
// import JHipster dependencies BOM
implementation platform("io.github.jhipster:jhipster-dependencies:${jhipster_dependencies_version}")
compile "org.assertj:assertj-core"
compile "org.junit.jupiter:junit-jupiter-api"
compile "org.hamcrest:hamcrest"
compile "org.mockito:mockito-core"
compile "org.springframework.boot:spring-boot"
compile "junit:junit"
}
Long answer
Maybe in the future when I will understand Gradle more. Or just edit this answer 😁 to contribute
The bom defines the versions (besides other things) of 3rd party dependencies to be used so you can omit the explicit version. If you do not use the bom you can also write compile "junit:junit:4.12" but keep in mind jhipster uses already junit5 for all tests by default.
Regarding the import of the bom you can do it like you proposed or try to apply that dependency to all gradle subprojects in your main gradle file.
Is there a way to exclude specific jars from a group using Gradle? I have tried below code, but this removed all the jars of that group
configurations {
all*.exclude group: 'org.xxxx.xxxx'
}
My requirement is to remove only specific jars from the group, not all jars. This exercise we are doing to exclude transitive dependencies during runtime in our system.
thanks.
You can exclude all dependencies from a group, or only some modules of a group, in dependencies block:
dependencies {
/* -------------- SpringBoot without Tomcat ------------------- */
compile('org.springframework.boot:spring-boot-starter-web') {
exclude group: 'org.springframework.boot', module: 'spring-boot-starter-tomcat'
}
}
I add link to the Gradle documentation explaining transitive dependencies in detail: https://docs.gradle.org/current/userguide/managing_transitive_dependencies.html
I have conflict problem with dependencies.
My project has two dependencies like this:
dependencies {
provided group: 'javax.servlet', name: 'javax.servlet-api', version: '3.1.0'
compile files('path/to/ABC.jar')
}
ABC.jar has its own dependency to javax.servlet:servlet-api:
dependencies {
provided group: 'javax.servlet', name: 'servlet-api', version: '2.5'
}
Here is the problem I am dealing with; I need to use ServletContext interface which is provided by both servlet-api libraries and the compiler uses wrong one.
Gradle auto-resolves version conflicts as described here.
But in my case it doesn't help, because it only works when a dependency has two different versions. In this case; although it's a newer version issue, the name has changed from javax.servlet:servlet-api to javax.servlet:javax.servlet-api. So gradle doesn't auto-resolve this conflict, because it doesn't seem to be a version issue.
The thing I tried was using excluding transitive dependency as described here.
compile files('path/to/ABC.jar') {
exclude group: 'javax.servlet'
}
But it didn't work, it seems exclude doesn't work on local 'jar' files.
Now, I don't know what else to do.
How can I exclude a dependency of a dependency which is added as a local file?
(If the first question doesn't have any answer yet) How can I say to the compiler to use the correct ServletContext interface?
compile files('path/to/ABC.jar') is a file dependency, a file dependency does not have any dependency information, so it does not introduce transitive dependencies. If this ABC.jar is a "fat" jar that has the dependency-classes included in the JAR, it is not suited for usage in something like Gradle, Maven or Ant/Ivy that is supposed to handle the dependencies. You would have to use a proper "thin" version of the dependency with the dependencies properly declared, or you need to "repackage" that JAR in your build script to exclude the dependency classes you don't want to pull in. No dependency management can do this for you.
You can execute gradlew dependencyInsight --configuration runtime --dependency javax.servlet:servlet-api or gradlew dependencies --configuration runtime to find out where the dependency really comes from.
Actually your example should not even compile if I see it correctly, because it should most probably be
compile files('path/to/ABC.jar'), {
exclude group: 'javax.servlet'
}
or
compile(files('path/to/ABC.jar')) {
exclude group: 'javax.servlet'
}
But as I said, with a local file dependency there are no transitive dependencies, so an exclude does not make sense at all anyway.
To make the Gradle version conflict magic work, you can simply tell Gradle that those libraries are actually the same library just with different coordinates by using a module replacement like
dependencies {
modules {
module('javax.servlet:servlet-api') {
replacedBy 'javax.servlet:javax.servlet-api'
}
}
}
Then Gradle sees them as the same library and can do its version conflict resolution magic. Whether the library that needs the old version still works with the new version is a different topic that you have to check and / or try yourself. This like always depends on whether the new version is backwards compatible to the old version.
I have no way to test this now, but I believe your syntax is wrong. I have some examples here that look different, in your case it would be:
compile(files('path/to/ABC.jar')) {
exclude group: 'javax.servlet'
}
As I say, I cannot test it now, check if it helps and give a comment.
In my Android project which use firebase the gradle build shows this annoying warning:
WARNING: Dependency org.apache.httpcomponents:httpclient:4.0.1 is ignored for devDebug as it may be conflicting with the internal version provided by Android.
In case of problem, please repackage it with jarjar to change the class packages
i tryed adding the exclude option on the build.gradle but i had no luck
compile ('com.firebase:firebase-client-android:2.2.1') {
exclude module: 'org.apache.httpcomponents:httpclient:4.0.1' //IGNORED
}
i also tryed removing the version like suggested but the warning remains
compile ('com.firebase:firebase-client-android:2.2.1') {
exclude group:'org.apache.httpcomponents', module: 'httpclient' //SAME
}
I found the option to remove the warning
configurations {
compile.exclude group: "org.apache.httpcomponents", module: "httpclient"
}
If I am not mistaken this should be
compile ('com.firebase:firebase-client-android:2.2.1') {
exclude group:'org.apache.httpcomponents', module: 'httpclient'
}
version can be omitted.
My gradle project uses the application plugin to build a jar file. As part of the runtime transitive dependencies, I end up pulling in org.slf4j:slf4j-log4j12. (It's referenced as a sub-transitive dependency in at least 5 or 6 other transitive dependencies - this project is using spring and hadoop, so everything but the kitchen sink is getting pulled in... no wait... that's there too :) ).
I want to globally exclude the slf4j-log4j12 jar from my built jar. So I've tried this:
configurations {
runtime.exclude group: "org.slf4j", name: "slf4j-log4j12"
}
However, this seems to exclude all org.slf4j artifacts including slf4j-api. When running under debug mode I see lines such as:
org.slf4j#slf4j-api is excluded from com.pivotal.gfxd:gfxd-demo-mapreduce:1.0(runtime).
org.slf4j#slf4j-simple is excluded from com.pivotal.gfxd:gfxd-demo-mapreduce:1.0(runtime).
org.slf4j#slf4j-log4j12 is excluded from org.apache.hadoop:hadoop-common:2.2.0(runtime).
I do not want to have to look up the source of each slf4j-log4j12 transitive dependency and then have individual compile foo { exclude slf4j... } statements in my dependencies block.
Update:
I did also try this:
configurations {
runtime.exclude name: "slf4j-log4j12"
}
Which ends up excluding everything from the build! As though I specified group: "*".
Update 2:
I'm using Gradle version 1.10 for this.
Ah, the following works and does what I want:
configurations {
runtime.exclude group: "org.slf4j", module: "slf4j-log4j12"
}
It seems that an Exclude Rule only has two attributes - group and module.
Hence for excluding from only an individual dependency, we can do something like:
dependencies {
compile ('org.springframework.data:spring-data-hadoop-core:2.0.0.M4-hadoop22') {
exclude group: "org.slf4j", module: "slf4j-log4j12"
}
}
However, the above syntax doesn't prevent you from specifying any arbitrary property as a predicate. When trying to exclude from an individual dependency you cannot specify arbitrary properties. For example, this fails:
dependencies {
compile ('org.springframework.data:spring-data-hadoop-core:2.0.0.M4-hadoop22') {
exclude group: "org.slf4j", name: "slf4j-log4j12"
}
}
with
No such property: name for class: org.gradle.api.internal.artifacts.DefaultExcludeRule
So even though you can specify a dependency with a group: and name: you can't specify an exclusion with a name:!?!
Perhaps a separate question, but what exactly is a module then? I can understand the Maven notion of groupId:artifactId:version, which I understand translates to group:name:version in Gradle. But then, how do I know what module (in gradle-speak) a particular Maven artifact belongs to?
For excluding one or more library globally add the following to your build.gradle
configurations.all {
exclude group:"org.apache.geronimo.specs", module: "geronimo-servlet_2.5_spec"
exclude group:"ch.qos.logback", module:"logback-core"
}
Now the exclude block has two properties group and module. For those of you coming from maven background, group is same as groupId and module is same as artifactId.
Example: To exclude com.mchange:c3p0:0.9.2.1 following should be exclude block
exclude group:"com.mchange", module:"c3p0"
Your approach is correct. (Depending on the circumstances, you might want to use configurations.all { exclude ... }.) If these excludes really exclude more than a single dependency (I haven't ever noticed that when using them), please file a bug at http://forums.gradle.org, ideally with a reproducible example.
in the example below I exclude
spring-boot-starter-tomcat
compile("org.springframework.boot:spring-boot-starter-web") {
//by both name and group
exclude group: 'org.springframework.boot', module: 'spring-boot-starter-tomcat'
}
I was using spring boot 1.5.10 and tries to exclude logback, the given solution above did not work well, I use configurations instead
configurations.all {
exclude group: "org.springframework.boot", module:"spring-boot-starter-logging"
}
In addition to what #berguiga-mohamed-amine stated, I just found that a wildcard requires leaving the module argument the empty string:
compile ("com.github.jsonld-java:jsonld-java:$jsonldJavaVersion") {
exclude group: 'org.apache.httpcomponents', module: ''
exclude group: 'org.slf4j', module: ''
}
compile is deprecated and it was replaced by implementation. Therefore, the solution for those running newer versions of gradle:
implementation("org.springframework.boot:spring-boot-starter-web") {
exclude group: 'org.springframework.boot', module: 'spring-boot-starter-tomcat'
}
This is for Kotlin DSL (build.gradle.kts) which prevents you from using wrong properties.
Exclude the library from all configrations (implementation, runtimeOnly, etc.):
configurations.all {
exclude(group = "ir.mahozad.android", module = "pie-chart")
// OR exclude("ir.mahozad.android", "pie-chart")
}
// Another notation:
// configurations {
// all {
// exclude(group = "ir.mahozad.android", module = "pie-chart")
// }
// }
Exclude the library from a single configuration (like implementation):
configurations.implementation {
exclude(group = "ir.mahozad.android", module = "pie-chart")
}
// Another notation:
// configurations {
// implementation {
// exclude(group = "ir.mahozad.android", module = "pie-chart")
// }
// }
Exclude the library for a single dependency:
dependencies {
// ...
implementation("ir.mahozad.android:charts:1.2.3") {
exclude(group = "ir.mahozad.android", module = "pie-chart")
}
}