Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Won't Fix
-
1.6.3
-
None
-
None
Description
This also affects the maven-resolver-provider which is part of Maven core. I still file the bug here because it is easier to explain.
I have a repository setup like this:
<profiles>
<profile>
<id>repo</id>
<repositories>
<repository>
<id>snapshots</id>
<url>https://.../maven-public/</url>
<releases>
<enabled>false</enabled>
<updatePolicy>never</updatePolicy>
<checksumPolicy>warn</checksumPolicy>
</releases>
<snapshots>
<enabled>true</enabled>
<updatePolicy>interval:180</updatePolicy>
<checksumPolicy>fail</checksumPolicy>
</snapshots>
<layout>default</layout>
</repository>
<repository>
<id>central</id>
<url>https://.../maven-public/</url>
<releases>
<enabled>true</enabled>
<updatePolicy>never</updatePolicy>
<checksumPolicy>warn</checksumPolicy>
</releases>
<snapshots>
<enabled>false</enabled>
<updatePolicy>interval:180</updatePolicy>
<checksumPolicy>fail</checksumPolicy>
</snapshots>
<layout>default</layout>
</repository>
</repositories>
Maven is trying to resolve the metadata from this component: https://repo1.maven.org/maven2/com/googlecode/owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/owasp-java-html-sanitizer-20220608.1.pom
which contains (after resolution):
<dependency>
<groupId>com.google.code.findbugs</groupId>
<artifactId>jsr305</artifactId>
<version>[2.0.1,)</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.google.code.findbugs</groupId>
<artifactId>annotations</artifactId>
<version>[2.0.1,)</version>
<scope>provided</scope>
</dependency>
what happens now is that maven uses the DefaultVersionRangeResolver, which contains this line:
Metadata metadata = new DefaultMetadata( request.getArtifact().getGroupId(), request.getArtifact().getArtifactId(), MAVEN_METADATA_XML, Metadata.Nature.RELEASE_OR_SNAPSHOT );
So it tries to resolve the dependency range against all the repositories.
By searching for "Nature.RELEASE_OR_SNAPSHOT", both configured repositories (snapshot and central) are eligible and selected. And by the order, the snapshot repository is chosen first.
Because both remote repositories map to the same local repository, the following version check in lines 210 - 231 iterates over the local versions and finds the matching version in the "snapshots" repository.
All of this code is called from the ProjectDependenciesResolver (which is injected into a mojo as a component), when calling resolve() on a DependencyResolutionRequest for this specific component (com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:bundle:20220608.1). It results in the following (slightly obscure) error message:
Could not resolve dependencies for project com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:bundle:20220608.1: The following artifacts could not be resolved: com.google.code.findbugs:jsr305:jar:3.0.2, com.google.code.findbugs:annotations:jar:3.0.1u2: Could not find artifact com.google.code.findbugs:jsr305:jar:3.0.2
However, that artifact is clearly present both in the local and remote repository.
What happens is that the ProjectDependenciesResolver tries to resolve the (release) artifact om.google.code.findbugs:jsr305:jar:3.0.2 against the resolved repository (which is a snapshot only repository) and that repository rightfully refuses to resolve it. Hence the error message.
I can fix this (which confirms this behavior) by removing the snapshot repository from the maven_settings.xml and enable snapshots for the "central" repository.
Expected resolution: The DefaultVersionRangeResolver will not select the "first repository that contains the version" but looks at snapshot/release enabled and choose based on that information.
I might find time to whip up a bug fix.
Attachments
Issue Links
- duplicates
-
MNG-7529 Maven resolver makes bad repository choices when resolving version ranges
- Closed