How to remove or exclude transitive Log4j during maven build?
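During my build (using the maven command mvn clean install), my maven compiler automatically downloads the log4j dependency 1.2.12 (repository/log4j/log4j/), but because this has vulnerability issues I need to exclude this transitive dependency download.
This is my POM (though it is not really needed, because I guess an empty pom would also download it with the default mvn compiler?)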
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.dsm</groupId>
    <artifactId>testing</artifactId>
    <version>1.0-SNAPSHOT</version>
    <properties>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
        <cucumber.version>7.3.3</cucumber.version>
        <selenium.version>4.1.4</selenium.version>
        <awaitility.version>4.2.0</awaitility.version>
        <assertj.version>3.22.0</assertj.version>
        <commonsmodel.version>5.3.3</commonsmodel.version>
        <maven.surefire.version>3.0.0-M5</maven.surefire.version>
        <commons-lang3.version>3.12.0</commons-lang3.version>
        <junit-jupiter-engine.version>5.8.2</junit-jupiter-engine.version>
        <maven-cucumber-reporting.version>5.7.0</maven-cucumber-reporting.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>io.cucumber</groupId>
            <artifactId>cucumber-java</artifactId>
            <version>${cucumber.version}</version>
        </dependency>
        <dependency>
            <groupId>io.cucumber</groupId>
            <artifactId>cucumber-junit-platform-engine</artifactId>
            <version>${cucumber.version}</version>
        </dependency>
        <dependency>
            <groupId>org.junit.platform</groupId>
            <artifactId>junit-platform-suite</artifactId>
            <version>1.8.2</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.junit.jupiter</groupId>
            <artifactId>junit-jupiter-engine</artifactId>
            <version>${junit-jupiter-engine.version}</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>net.jodah</groupId>
            <artifactId>failsafe</artifactId>
            <version>2.4.4</version>
        </dependency>
        <dependency>
            <groupId>org.seleniumhq.selenium</groupId>
            <artifactId>selenium-java</artifactId>
            <version>${selenium.version}</version>
        </dependency>
        <dependency>
            <groupId>org.awaitility</groupId>
            <artifactId>awaitility</artifactId>
            <version>${awaitility.version}</version>
        </dependency>
        <dependency>
            <groupId>org.assertj</groupId>
            <artifactId>assertj-core</artifactId>
            <version>${assertj.version}</version>
        </dependency>
        <dependency>
            <groupId>io.cucumber</groupId>
            <artifactId>cucumber-picocontainer</artifactId>
            <version>${cucumber.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-lang3</artifactId>
            <version>${commons-lang3.version}</version>
        </dependency>
        <dependency>
            <groupId>net.masterthought</groupId>
            <artifactId>maven-cucumber-reporting</artifactId>
            <version>${maven-cucumber-reporting.version}</version>
        </dependency>
    </dependencies>
    <profiles>
        <profile>
            <id>TestExecutor</id>
            <build>
                <plugins>
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-surefire-plugin</artifactId>
                        <version>${maven.surefire.version}</version>
                        <dependencies>
                            <dependency>
                                <groupId>org.junit.jupiter</groupId>
                                <artifactId>junit-jupiter-engine</artifactId>
                                <version>${junit-jupiter-engine.version}</version>
                            </dependency>
                        </dependencies>
                        <configuration>
                            <includes>
                                <includes>**/ExecutorTest.java</includes>
                            </includes>
                        </configuration>
                    </plugin>
                    <!--cucumber report plugin-->
                    <plugin>
                        <groupId>net.masterthought</groupId>
                        <artifactId>maven-cucumber-reporting</artifactId>
                        <version>${maven-cucumber-reporting.version}</version>
                        <executions>
                            <execution>
                                <id>generate-cucumber-reports</id>
                                <phase>test</phase>
                                <goals>
                                    <goal>generate</goal>
                                </goals>
                                <configuration>
                                    <projectName>Automation report</projectName>
                                    <outputDirectory>${project.build.directory}/cucumber-reports</outputDirectory>
                                    <inputDirectory>${project.build.directory}/cucumber</inputDirectory>
                                    <jsonFiles>
                                        <param>**/*.json</param>
                                    </jsonFiles>
                                    <checkBuildResult>false</checkBuildResult>
                                </configuration>
                            </execution>
                        </executions>
                    </plugin>
                </plugins>
            </build>
        </profile>
    </profiles>
</project>
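You have already given half of the answer yourself: you need to change the version of the maven-compiler-plugin. Instructions can be found at https://maven.apache.org/plugins/maven-compiler-plugin/usage.html
Locking plugin versions in your pom is always a best practice, just to make sure you can also rebuild your project in X years.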
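An added example, not part of the original answer: a top-level build section for the POM above that pins maven-compiler-plugin as the answer suggests and uses the maven-enforcer-plugin requirePluginVersions rule to flag any other plugin still left unpinned. The two plugin version numbers and the execution id are example choices made here, not values from the page.

```xml
<!-- Top-level <build>, placed directly under <project>. The POM in the question
     only declares plugins inside the TestExecutor profile, so the compiler
     plugin version is otherwise chosen by the Maven installation's defaults. -->
<build>
    <plugins>
        <!-- Pin the compiler plugin explicitly. 3.10.1 is an example choice;
             use the release you have reviewed. -->
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-compiler-plugin</artifactId>
            <version>3.10.1</version>
        </plugin>
        <!-- Fail the build while any plugin in use lacks an explicit version,
             so the remaining default-bound plugins (clean, resources, jar,
             install, ...) get pinned as well. 3.1.0 is an example choice. -->
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-enforcer-plugin</artifactId>
            <version>3.1.0</version>
            <executions>
                <execution>
                    <!-- Hypothetical id, named for this example. -->
                    <id>require-pinned-plugins</id>
                    <goals>
                        <goal>enforce</goal>
                    </goals>
                    <configuration>
                        <rules>
                            <requirePluginVersions>
                                <banSnapshots>true</banSnapshots>
                            </requirePluginVersions>
                        </rules>
                    </configuration>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
```

Running mvn dependency:resolve-plugins afterwards lists the plugins the build uses together with their resolved dependencies, which shows whether log4j 1.2.12 is still being pulled in by a plugin.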