Develop Reference

Maven - display-dependency-updates- list transitive dependency versions

I'd like to be able to see if any of the dependencies of my project - including transitive ones - have updates available.
Take the following pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.me</groupId>
<artifactId>test</artifactId>
<version>0.0.1-SNAPSHOT</version>
<dependencies>
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi</artifactId>
<version>5.1.0</version>
</dependency>
</dependencies>
</project>
When I run goal versions:display-dependency-updates I get:
[INFO] Scanning for projects...
[INFO]
[INFO] ----------------------------< org.me:test >-----------------------------
[INFO] Building test 0.0.1-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- versions-maven-plugin:2.8.1:display-dependency-updates (default-cli) # test ---
[INFO] No dependencies in Dependencies have newer versions.
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.939 s
[INFO] Finished at: 2022-01-12T17:09:39Z
[INFO] ------------------------------------------------------------------------
But when I run dependency:tree, I can now see:
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # test ---
[INFO] org.me:test:jar:0.0.1-SNAPSHOT
[INFO] \- org.apache.poi:poi:jar:5.1.0:compile
[INFO] +- commons-codec:commons-codec:jar:1.15:compile
[INFO] +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO] +- org.apache.commons:commons-math3:jar:3.6.1:compile
[INFO] +- commons-io:commons-io:jar:2.11.0:compile
[INFO] +- com.zaxxer:SparseBitSet:jar:1.2:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
And an outdated version of log4j appears.
Is there a way of doing this that's not manual?
I've also tried dependency-updates-report with the processDependencyManagementTransitive option enabled (which is the default) and the transitive dependencies aren't listed.

Why does resolved dependencies differ between Java 8 and Java 11?

Given a very simple Maven project with a single pom-file containing a single dependency:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.example</groupId>
<artifactId>maven-test</artifactId>
<version>1.0-SNAPSHOT</version>
<dependencies>
<dependency>
<groupId>org.apache.cxf.xjc-utils</groupId>
<artifactId>cxf-xjc-runtime</artifactId>
<version>3.3.0</version>
</dependency>
</dependencies>
</project>
When running mvn dependency:tree different results are given depending on Java version.
With Java 8:
[INFO] Scanning for projects...
[INFO]
[INFO] -----------------------< org.example:maven-test >-----------------------
[INFO] Building maven-test 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # maven-test ---
[INFO] org.example:maven-test:jar:1.0-SNAPSHOT
[INFO] \- org.apache.cxf.xjc-utils:cxf-xjc-runtime:jar:3.3.0:compile
[INFO] \- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.2:compile
[INFO] \- jakarta.activation:jakarta.activation-api:jar:1.2.1:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.982 s
[INFO] Finished at: 2020-06-22T15:05:56+02:00
[INFO] ------------------------------------------------------------------------
With Java 11:
[INFO] Scanning for projects...
[INFO]
[INFO] -----------------------< org.example:maven-test >-----------------------
[INFO] Building maven-test 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # maven-test ---
[INFO] org.example:maven-test:jar:1.0-SNAPSHOT
[INFO] \- org.apache.cxf.xjc-utils:cxf-xjc-runtime:jar:3.3.0:compile
[INFO] +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.2:compile
[INFO] | \- jakarta.activation:jakarta.activation-api:jar:1.2.1:compile
[INFO] +- javax.annotation:javax.annotation-api:jar:1.3.1:compile <-- This and below only with Java 11
[INFO] +- javax.xml.ws:jaxws-api:jar:2.3.0:compile
[INFO] | +- javax.xml.bind:jaxb-api:jar:2.3.0:compile
[INFO] | \- javax.xml.soap:javax.xml.soap-api:jar:1.4.0:compile
[INFO] \- javax.activation:activation:jar:1.1.1:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.261 s
[INFO] Finished at: 2020-06-22T15:05:51+02:00
[INFO] ------------------------------------------------------------------------
I would have expected the trees to be the same under the two Java versions.
Maven version is 3.6.0.
Why do the resolved dependencies differ between the Java versions?

The reason why the dependency tree differs between the Java versions is found in the dependency:
<dependency>
<groupId>org.apache.cxf.xjc-utils</groupId>
<artifactId>cxf-xjc-runtime</artifactId>
<version>3.3.0</version>
</dependency>
This in turn has xjc-utils as its parent:
<parent>
<groupId>org.apache.cxf.xjc-utils</groupId>
<artifactId>xjc-utils</artifactId>
<version>3.3.0</version>
</parent>
In this POM file, we find the dependencies that are excluded when building with Java 8:
<profile>
<id>java9-plus</id>
<activation>
<jdk>[9,)</jdk>
</activation>
<dependencies>
<dependency>
<groupId>javax.annotation</groupId>
<artifactId>javax.annotation-api</artifactId>
<version>1.3.1</version>
</dependency>
<dependency>
<groupId>javax.xml.ws</groupId>
<artifactId>jaxws-api</artifactId>
<version>2.3.0</version>
</dependency>
<dependency>
<groupId>javax.activation</groupId>
<artifactId>activation</artifactId>
<version>1.1.1</version>
</dependency>
</dependencies>
</profile>
This pretty much speacks for itself, the dependencies will only be included if Java 9 or above is used, as stated in this range: <jdk>[9,)</jdk>. The documentation for the tag states:
Specifies that this profile will be activated when a matching JDK is detected. For example, 1.4 only activates on JDKs versioned 1.4, while !1.4 matches any JDK that is not version 1.4.
This activation profile makes sure these dependencies are included when Java 11 is used:
[INFO] +- javax.annotation:javax.annotation-api:jar:1.3.1:compile
[INFO] +- javax.xml.ws:jaxws-api:jar:2.3.0:compile
[INFO] | +- javax.xml.bind:jaxb-api:jar:2.3.0:compile
[INFO] | \- javax.xml.soap:javax.xml.soap-api:jar:1.4.0:compile
[INFO] \- javax.activation:activation:jar:1.1.1:compile
More info about activation can be found in the official Maven documentation:
Activations are the key of a profile. The power of a profile comes from its ability to modify the basic POM only under certain circumstances. Those circumstances are specified via an activation element.
Together with another example of activation based on Java version:
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
https://maven.apache.org/xsd/maven-4.0.0.xsd">
...
<profiles>
<profile>
<id>test</id>
<activation>
<activeByDefault>false</activeByDefault>
<jdk>1.5</jdk>
<os>
<name>Windows XP</name>
<family>Windows</family>
<arch>x86</arch>
<version>5.1.2600</version>
</os>
<property>
<name>sparrow-type</name>
<value>African</value>
</property>
<file>
<exists>${basedir}/file2.properties</exists>
<missing>${basedir}/file1.properties</missing>
</file>
</activation>
...
</profile>
</profiles>
</project>

Dependency tree mojo trims lower level dependencies if the dependency is already present higher in the tree.
We can use verbose flag (-Dverbose) to show the excluded dependencies.
To find a specific artifact : mvn dependency:tree -Dverbose -Dincludes=[groupId]:[artifactId]:[type]:[version]
Please visit Maven Dependency Tree to know more.

How to let maven resolve transitive dependency for local dependency

We have a project A which depends on project B which depends on library C. A and B are local projects while C is a public library in maven central repo.
pom.xml for A:
<name>ProjA/name>
...
<dependency>
<groupId>com.abc</groupId>
<artifactId>ProjB</artifactId>
<version>1.0</version>
</dependency>
pom.xml for B:
<name>ProjB/name>
...
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>C</artifactId>
<version>2.23.2</version>
</dependency>
When run mvn dependency:tree -Dverbose in A, it does not resolve the dependencies of B and such dependencies used in B is not shown in A's Maven Dependencies as well. This is fine for compilation but will fail in runtime because of NoClassDefFound error.
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building ProjA 1.0
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) # ProjA ---
[INFO] com.abc.projA:jar:1.0
[INFO] +- com.abc.projB:jar:1.0:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.326 s
[INFO] Finished at: 2016-09-15T16:29:49-07:00
[INFO] Final Memory: 13M/309M
[INFO] ------------------------------------------------------------------------
Is there any way to let maven resolve transitive dependency for such local dependency as B?

I think the problem here is B does not exist in the local repo .m2
You need to run mvn install for B, to install the package into .m2 which can be picked up by A locally.
Then running mvn dependency:tree -Dverbose in A won't cause problem

Maven Versions Plugin: versions:use-releases does nothing

I need change all snapshots dependency of my project before pass to release. I'm trying versions:use-releases from commandline mvn versions:use-releases, but it doesn't work for me. I'm using Nexus repository for releases and the releases versions are deployed correcly and with public access
<dependencyManagement>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.efx.util</groupId>
<artifactId>efx-util</artifactId>
<version>0.0.1-SNAPSHOT</version>
</dependency>
</dependencies>
</dependencyManagement>
When I execute: mvn versions:use-releases, it does nothing.
[INFO] ------------------------------------------------------------------------
[INFO] Building efx-clientesocket 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- versions-maven-plugin:2.2:use-releases (default-cli) # efx-clientesocket ---
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building efx-clientesocket-api 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- versions-maven-plugin:2.2:use-releases (default-cli) # efx-clientesocket-api ---
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building efx-clientesocket-impl 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- versions-maven-plugin:2.2:use-releases (default-cli) # efx-clientesocket-impl ---
[INFO] Ignoring reactor dependency: com.efx.clientesocket:efx-clientesocket-api:jar:0.0.1-SNAPSHOT
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building efx-clientesocket-conf 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- versions-maven-plugin:2.2:use-releases (default-cli) # efx-clientesocket-conf ---
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] efx-clientesocket .................................. SUCCESS [ 1.539 s]
[INFO] efx-clientesocket-api .............................. SUCCESS [ 0.031 s]
[INFO] efx-clientesocket-impl ............................. SUCCESS [ 0.016 s]
[INFO] efx-clientesocket-conf ............................. SUCCESS [ 0.015 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
However versions:display-dependency-updates detect the corresponding release
------------------------------------------------------------------------
[INFO] Building efx-clientesocket-conf 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- versions-maven-plugin:2.2:display-dependency-updates (default-cli) # efx-clientesocket-conf ---
[INFO] artifact junit:junit: checking for updates from nexus
[INFO] The following dependencies in Dependency Management have newer versions:
[INFO] com.efx.util:efx-util ................ 0.0.1-SNAPSHOT -> 1.0.0-RELEASE
[INFO] junit:junit ............................................. 4.11 -> 4.12
[INFO]
[INFO] ------------------------------------------------------------------------
And I'm also trying versions:use-last-releases as alternative and it goes OK. I'm using -Dincludes= in this case to avoid updating no-snapshot versions. But, I would like to use versions:use-releases to assure updating only all-snapshot versions and cover versions in property at once
Maven version I'm using is 3.3.1 the plugin version is 2.2
Someone have any idea why does not working??

1- versions:use-releases searches the pom for all -SNAPSHOT versions which have been released and replaces them with the corresponding release version.
com.efx.util:efx-util ................ 0.0.1-SNAPSHOT -> 1.0.0-RELEASE
This means efx-util-0.0.1-SNAPSHOT should have a corresponding Release efx-util-0.0.1-RELEASE or efx-util-0.0.1 (a released version of 0.0.1) otherwise it won't work. 1.0.0-RELEASE is not a corresponding release
2- versions:use-latest-releases searches the pom for all non-SNAPSHOT versions which have been a newer release and replaces them with the latest release version.
In this case it's not restricted to the corresponding release of (0.0.1-SNAPSHOT). So the release may have a different version number (1.0.0-RELEASE).
hope this helps.

Maven: Combining multiple module jars into one war file?

I have a project babybird which has 3 components persistence, business and service
in babybird's pom.xml I have following
<modules>
<module>persistence</module>
<module>business</module>
<module>service</module>
</modules>
when I run mvn clean install, I see
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] babybird ......................................... SUCCESS [2.801s]
[INFO] persistence ....................................... SUCCESS [3.321s]
[INFO] business .......................................... SUCCESS [0.832s]
[INFO] service ........................................... SUCCESS [0.694s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 8.168s
[INFO] Finished at: Tue Jan 22 12:09:48 PST 2013
[INFO] Final Memory: 18M/50M
[INFO] ------------------------------------------------------------------------
and each one of these modules generate a jar file.
Question: How can I combine them into one babybird.war?
I am new to Maven and do not know what to look for to accomplish this task, please provide the pointers

That's fairly simple. Create another module named web or similar:
<modules>
<module>persistence</module>
<module>business</module>
<module>service</module>
<module>web</module>
</modules>
web module should depend on all others:
<dependencies>
<dependency>
<groupId>...</groupId>
<artifactId>persistence</artifactId>
</dependency>
...
</dependencies>
and have war packaging:
<packaging>war</packaging>
You'll also need web.xml in /src/main/webapp/WEB-INF. That's it.