[JIRA] (JENKINS-53957) hpi bundles transitive dependencies of test scope dependencies


jnord@cloudbees.com (JIRA)

Oct 9, 2018, 6:28:02 AM
to jenkinsc...@googlegroups.com
James Nord created an issue
 
Jenkins / Bug JENKINS-53957
hpi bundles transitive dependencies of test scope dependencies
Issue Type: Bug
Assignee: Unassigned
Components: maven-hpi-plugin
Created: 2018-10-09 10:27
Priority: Major
Reporter: James Nord

I have a plugin that depends on the test jar of org.jenkins-ci.plugins.workflow:workflow-support:jar with scope test

When I package this plugin I find that the transitive dependencies of that dependency are included in the hpi archive when they should be ignored as they come from a test dependency.

[INFO] +- org.jenkins-ci.plugins.workflow:workflow-support:jar:tests:2.19:test
[INFO] |  \- org.jboss.marshalling:jboss-marshalling-river:jar:1.4.12.jenkins-3:compile
[INFO] |     \- org.jboss.marshalling:jboss-marshalling:jar:1.4.12.jenkins-3:compile

This code is most likely wrong as it is filtering the individual artifacts after the building of the tree.
This is incorrect as the exclusion should be happening before the building of the tree, or the filtering should accept that the library is a descendant of something else that has been filtered, meaning it should not include this.

FWIW I have code (private source, but could possibly open up) based on Maven 3 that can correctly build and filter the tree, which may be of use.

 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

jglick@cloudbees.com (JIRA)

Oct 9, 2018, 9:06:01 AM
to jenkinsc...@googlegroups.com
Jesse Glick commented on Bug JENKINS-53957
 
Re: hpi bundles transitive dependencies of test scope dependencies

Is there a test case to reproduce? I have not seen this. For example, the mercurial plugin has a similar test dep, and its .hpi does not bundle JBoss Marshalling. Of course the dep is on a different version and the maven-hpi-plugin version is likely different as well.

jnord@cloudbees.com (JIRA)

Oct 9, 2018, 11:51:01 AM
to jenkinsc...@googlegroups.com

Currently it is in a proprietary plugin. I will recreate in an OSS repo somewhere when I have time (but the code looked wrong to me when it does the filtering so I am surprised that this is not reproducible).

jnord@cloudbees.com (JIRA)

Oct 11, 2018, 4:30:02 AM
to jenkinsc...@googlegroups.com
James Nord edited a comment on Bug JENKINS-53957
[~jglick] trivial project attached that shows the issue with the latest plugin-pom.

jnord@cloudbees.com (JIRA)

Oct 11, 2018, 4:31:03 AM
to jenkinsc...@googlegroups.com

FWIW:

Apache Maven 3.5.2 (138edd61fd100ec658bfa2d307c43b76940a5d7d; 2017-10-18T08:58:13+01:00)
Maven home: c:\Java\maven-3.5.2\bin\..
Java version: 1.8.0_162, vendor: Oracle Corporation
Java home: c:\Java\jdk1.8.0_162\jre
Default locale: en_GB, platform encoding: Cp1252
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"

jnord@cloudbees.com (JIRA)

Oct 11, 2018, 4:35:02 AM
to jenkinsc...@googlegroups.com
James Nord updated an issue
Change By: James Nord
I have a plugin that depends on the test jar of {{org.jenkins-ci.plugins.workflow:workflow-support:jar}} with scope {{test}}

When I package this plugin I find that the transitive dependencies of that dependency are included in the hpi archive when they should be ignored as they come from a test dependency.

{noformat}

[INFO] +- org.jenkins-ci.plugins.workflow:workflow-support:jar:tests:2.19:test
[INFO] |  \- org.jboss.marshalling:jboss-marshalling-river:jar:1.4.12.jenkins-3:compile
[INFO] |     \- org.jboss.marshalling:jboss-marshalling:jar:1.4.12.jenkins-3:compile
{noformat}

[this code|https://github.com/jenkinsci/maven-hpi-plugin/blob/602d838752ba7f83ed2d2f0b415b2900ba5563fc/src/main/java/org/jenkinsci/maven/plugins/hpi/AbstractHpiMojo.java#L553-L577] is most likely wrong as it is filtering the individual artifacts after the building of the tree.  

This is incorrect as the exclusion should be happening before the building of the tree, or the filtering should accept that the library is a descendant of something else that has been filtered, meaning it should not include this.

FWIW I have code (private source, but could possibly open up) based on Maven 3 that can correctly build and filter the tree, which may be of use.

jglick@cloudbees.com (JIRA)

Oct 11, 2018, 10:08:01 AM
to jenkinsc...@googlegroups.com
Jesse Glick started work on Bug JENKINS-53957
 
Change By: Jesse Glick
Status: Open → In Progress

jglick@cloudbees.com (JIRA)

Oct 11, 2018, 10:25:01 AM
to jenkinsc...@googlegroups.com
Jesse Glick resolved as Won't Fix
 

You should avoid using optional dependencies, though (to my surprise) that was not the issue here. Rather, it was that you need to have a direct dependency on a plugin if you also include its tests. So for example

<workflow-support-plugin.version>2.19</workflow-support-plugin.version>
<!-- … -->
<dependency>
    <groupId>org.jenkins-ci.plugins.workflow</groupId>
    <artifactId>workflow-job</artifactId>
    <version>2.23</version>
    <optional>true</optional>
</dependency>
<dependency>
    <groupId>org.jenkins-ci.plugins.workflow</groupId>
    <artifactId>workflow-support</artifactId>
    <version>${workflow-support-plugin.version}</version>
    <optional>true</optional>
</dependency>
<dependency>
    <groupId>org.jenkins-ci.plugins.workflow</groupId>
    <artifactId>workflow-support</artifactId>
    <version>${workflow-support-plugin.version}</version>
    <classifier>tests</classifier>
    <scope>test</scope>
</dependency>

There are lots of things fishy about the dependency chain management in this plugin. Some would perhaps be fixed by my aborted PR 23, but in general it needs to be rewritten to get rid of *.hpi secondary artifacts and just pack everything into a single JAR file with the usual classpath rules, as Stephen Connolly has long proposed (but which would also require Jenkins core changes). Too risky to touch for now.

Change By: Jesse Glick
Status: In Progress → Resolved
Resolution: Won't Fix

jnord@cloudbees.com (JIRA)

Oct 19, 2018, 10:27:03 AM
to jenkinsc...@googlegroups.com
 

There is another occurrence of this that I have found.

 

maven-plugin 3.1.2 includes findbugs-annotations which is from a test scope dependency.

 

org.jenkins-ci.main:maven-plugin:hpi:3.1.2
+- org.jenkins-ci.plugins:javadoc:jar:1.0:compile
+- org.jenkins-ci.plugins:mailer:jar:1.7:compile
+- org.jenkins-ci.plugins:junit:jar:1.6:compile
+- org.jenkins-ci.main.maven:maven-agent:jar:1.12-alpha-1:compile
+- org.jenkins-ci.main.maven:maven-interceptor:jar:1.12-alpha-1:compile
+- org.jvnet.hudson:maven2.1-interceptor:jar:1.2:compile
+- org.jenkins-ci.main.maven:maven3-agent:jar:1.12-alpha-1:compile
+- org.jenkins-ci.main.maven:maven31-agent:jar:1.12-alpha-1:compile
+- org.jenkins-ci.main.maven:maven32-agent:jar:1.12-alpha-1:compile
+- org.jenkins-ci.main.maven:maven33-agent:jar:1.12-alpha-1:compile
+- org.jenkins-ci.main.maven:maven35-agent:jar:1.12-alpha-1:compile
| - org.apache.maven:maven-repository-metadata:jar:3.5.0:compile
+- org.jenkins-ci.main.maven:maven3-interceptor:jar:1.12-alpha-1:compile
+- org.jenkins-ci.main.maven:maven31-interceptor:jar:1.12-alpha-1:compile
+- org.jenkins-ci.main.maven:maven32-interceptor:jar:1.12-alpha-1:compile
+- org.jenkins-ci.main.maven:maven33-interceptor:jar:1.12-alpha-1:compile
+- org.jenkins-ci.main.maven:maven35-interceptor:jar:1.12-alpha-1:compile
+- org.jenkins-ci.main.maven:maven3-interceptor-commons:jar:1.12-alpha-1:compile
+- org.apache.maven:maven-core:jar:3.1.0:compile
| +- org.apache.maven:maven-model:jar:3.1.0:compile
| +- org.apache.maven:maven-settings:jar:3.1.0:compile
| +- org.apache.maven:maven-settings-builder:jar:3.1.0:compile
| +- org.apache.maven:maven-artifact:jar:3.1.0:compile
| +- org.apache.maven:maven-plugin-api:jar:3.1.0:compile
| +- org.apache.maven:maven-model-builder:jar:3.1.0:compile
| +- org.codehaus.plexus:plexus-interpolation:jar:1.16:compile
| - org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3:compile
+- org.apache.maven:maven-compat:jar:3.1.0:compile
+- org.apache.maven:maven-aether-provider:jar:3.1.0:compile
+- org.apache.maven:maven-embedder:jar:3.1.0:compile
| +- org.sonatype.plexus:plexus-cipher:jar:1.7:compile
| - commons-cli:commons-cli:jar:1.2:compile
+- org.eclipse.aether:aether-api:jar:1.1.0:compile
+- org.eclipse.aether:aether-impl:jar:1.1.0:compile
+- org.eclipse.aether:aether-spi:jar:1.1.0:compile
+- org.eclipse.aether:aether-util:jar:1.1.0:compile
+- org.eclipse.aether:aether-transport-wagon:jar:1.1.0:compile
+- org.eclipse.aether:aether-connector-basic:jar:1.1.0:compile
+- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.3:compile
| +- javax.enterprise:cdi-api:jar:1.0:compile
| | +- javax.annotation:jsr250-api:jar:1.0:compile
| | - javax.inject:javax.inject:jar:1:compile
| - org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.3:compile
+- org.apache.maven.wagon:wagon-http:jar:3.0.0:compile
| - org.apache.maven.wagon:wagon-http-shared:jar:3.0.0:compile
| - org.jsoup:jsoup:jar:1.7.2:compile
+- org.jenkins-ci.plugins:apache-httpcomponents-client-4-api:jar:4.5.3-2.1:compile
| +- org.apache.httpcomponents:httpclient:jar:4.5.3:compile
| | - org.apache.httpcomponents:httpcore:jar:4.4.6:compile
| +- org.apache.httpcomponents:httpmime:jar:4.5.3:compile
| +- org.apache.httpcomponents:fluent-hc:jar:4.5.3:compile
| - org.apache.httpcomponents:httpclient-cache:jar:4.5.3:compile
+- org.jenkins-ci.plugins:jsch:jar:0.1.54.1:compile
| +- com.jcraft:jsch:jar:0.1.54:compile
| - org.jenkins-ci.plugins:ssh-credentials:jar:1.12:compile
| - org.jenkins-ci.plugins:credentials:jar:1.21:compile
+- org.apache.maven.wagon:wagon-file:jar:3.0.0:compile
+- org.apache.maven.wagon:wagon-ftp:jar:3.0.0:compile
| - commons-net:commons-net:jar:3.5:compile
+- org.apache.maven.wagon:wagon-ssh:jar:3.0.0:compile
| +- com.jcraft:jsch.agentproxy.connector-factory:jar:0.0.9:compile
| | +- com.jcraft:jsch.agentproxy.core:jar:0.0.9:compile
| | +- com.jcraft:jsch.agentproxy.usocket-jna:jar:0.0.9:compile
| | | - net.java.dev.jna:jna-platform:jar:4.1.0:compile
| | +- com.jcraft:jsch.agentproxy.usocket-nc:jar:0.0.9:compile
| | +- com.jcraft:jsch.agentproxy.sshagent:jar:0.0.9:compile
| | - com.jcraft:jsch.agentproxy.pageant:jar:0.0.9:compile
| +- com.jcraft:jsch.agentproxy.jsch:jar:0.0.9:compile
| +- org.codehaus.plexus:plexus-interactivity-api:jar:1.0-alpha-6:compile
| - org.apache.maven.wagon:wagon-ssh-common:jar:3.0.0:compile
+- org.apache.maven.wagon:wagon-ssh-external:jar:3.0.0:compile
+- org.apache.maven.wagon:wagon-provider-api:jar:3.0.0:compile
+- org.apache.maven.reporting:maven-reporting-api:jar:3.0:compile
| - org.apache.maven.doxia:doxia-sink-api:jar:1.0:compile
+- org.codehaus.plexus:plexus-classworlds:jar:2.5.2:compile
+- org.codehaus.plexus:plexus-utils:jar:3.0.24:compile
+- org.codehaus.plexus:plexus-component-annotations:jar:1.7.1:compile
+- org.jenkins-ci.lib:lib-jenkins-maven-artifact-manager:jar:1.2:compile
+- org.jenkins-ci.lib:lib-jenkins-maven-embedder:jar:3.13:compile
+- org.apache.maven.wagon:wagon-webdav-jackrabbit:jar:3.0.0:compile
| - org.apache.jackrabbit:jackrabbit-webdav:jar:2.14.1:compile
+- org.jenkins-ci.plugins:token-macro:jar:1.10:compile (optional)
+- org.jenkins-ci.main:jenkins-test-harness-tools:jar:2.0:test
| - org.jenkins-ci.plugins:ant:jar:1.2:test
+- org.mockito:mockito-core:jar:1.10.19:test
| - org.objenesis:objenesis:jar:2.1:test
+- org.powermock:powermock-module-junit4:jar:1.6.4:test
| - org.powermock:powermock-module-junit4-common:jar:1.6.4:test
| +- org.powermock:powermock-core:jar:1.6.4:test
| | - org.javassist:javassist:jar:3.20.0-GA:test
| - org.powermock:powermock-reflect:jar:1.6.4:test
+- org.powermock:powermock-api-mockito:jar:1.6.4:test
| +- org.hamcrest:hamcrest-core:jar:1.3:test
| - org.powermock:powermock-api-support:jar:1.6.4:test
+- org.jvnet.mock-javamail:mock-javamail:jar:1.9:test
+- org.jenkins-ci.test:sample-plexus-component:jar:1.0:test
+- org.jenkins-ci.plugins:promoted-builds:jar:2.23:test
+- com.google.code.findbugs:annotations:jar:3.0.0:provided (optional)
+- net.jcip:jcip-annotations:jar:1.0:provided (optional)
+- org.codehaus.mojo:animal-sniffer-annotations:jar:1.16:provided (optional)
+- javax.servlet:javax.servlet-api:jar:3.1.0:provided
+- org.jenkins-ci.main:jenkins-core:jar:1.625.3:provided
| +- org.jenkins-ci.plugins.icon-shim:icon-set:jar:1.0.5:provided
| +- org.jenkins-ci.main:remoting:jar:2.53.2:provided
| | - org.jenkins-ci:constant-pool-scanner:jar:1.2:provided
| +- org.jenkins-ci.main:cli:jar:1.625.3:provided
| +- org.jenkins-ci:version-number:jar:1.1:provided
| +- org.jenkins-ci:crypto-util:jar:1.1:provided
| +- org.jvnet.hudson:jtidy:jar:4aug2000r7-dev-hudson-1:provided
| +- com.google.inject:guice:jar:4.0-beta:provided
| | - aopalliance:aopalliance:jar:1.0:provided
| +- org.jruby.ext.posix:jna-posix:jar:1.0.3-jenkins-1:provided
| +- com.github.jnr:jnr-posix:jar:3.0.1:provided
| | +- com.github.jnr:jnr-ffi:jar:1.0.7:provided
| | | +- com.github.jnr:jffi:jar:1.2.7:provided
| | | +- com.github.jnr:jffi:jar:native:1.2.7:provided
| | | +- org.ow2.asm:asm:jar:4.0:provided
| | | +- org.ow2.asm:asm-commons:jar:4.0:provided
| | | +- org.ow2.asm:asm-analysis:jar:4.0:provided
| | | +- org.ow2.asm:asm-tree:jar:4.0:provided
| | | +- org.ow2.asm:asm-util:jar:4.0:provided
| | | - com.github.jnr:jnr-x86asm:jar:1.0.2:provided
| | - com.github.jnr:jnr-constants:jar:0.8.5:provided
| +- org.kohsuke:trilead-putty-extension:jar:1.2:provided
| +- org.jenkins-ci:trilead-ssh2:jar:build217-jenkins-8:provided
| +- org.kohsuke.stapler:stapler-groovy:jar:1.237:provided
| | - org.kohsuke.stapler:stapler-jelly:jar:1.237:provided
| | +- org.jenkins-ci:commons-jelly:jar:1.1-jenkins-20120928:provided
| | - org.jenkins-ci.dom4j:dom4j:jar:1.6.1-jenkins-4:provided
| +- org.kohsuke.stapler:stapler-jrebel:jar:1.237:provided
| | - org.kohsuke.stapler:stapler:jar:1.237:provided
| | +- javax.annotation:javax.annotation-api:jar:1.2:provided
| | +- commons-discovery:commons-discovery:jar:0.4:provided
| | - org.jvnet:tiger-types:jar:1.3:provided
| +- org.kohsuke:windows-package-checker:jar:1.0:provided
| +- org.kohsuke.stapler:stapler-adjunct-zeroclipboard:jar:1.3.5-1:provided
| +- org.kohsuke.stapler:stapler-adjunct-timeline:jar:1.4:provided
| +- org.kohsuke.stapler:stapler-adjunct-codemirror:jar:1.3:provided
| +- com.infradna.tool:bridge-method-annotation:jar:1.13:provided
| +- org.kohsuke.stapler:json-lib:jar:2.4-jenkins-2:provided
| | - net.sf.ezmorph:ezmorph:jar:1.0.6:provided
| +- commons-httpclient:commons-httpclient:jar:3.1:provided
| +- args4j:args4j:jar:2.0.31:provided
| +- org.jenkins-ci:annotation-indexer:jar:1.7:provided
| +- org.jenkins-ci:bytecode-compatibility-transformer:jar:1.5:provided
| | - org.kohsuke:asm5:jar:5.0.1:provided
| +- org.jenkins-ci:task-reactor:jar:1.4:provided
| +- org.jvnet.localizer:localizer:jar:1.23:provided
| +- antlr:antlr:jar:2.7.6:provided
| +- org.jvnet.hudson:xstream:jar:1.4.7-jenkins-1:provided
| +- jfree:jfreechart:jar:1.0.9:provided
| | - jfree:jcommon:jar:1.0.12:provided
| +- org.apache.ant:ant:jar:1.8.4:provided
| | - org.apache.ant:ant-launcher:jar:1.8.4:provided
| +- commons-io:commons-io:jar:2.4:provided
| +- commons-lang:commons-lang:jar:2.6:provided
| +- commons-digester:commons-digester:jar:2.1:provided
| +- commons-beanutils:commons-beanutils:jar:1.8.3:provided
| +- org.apache.commons:commons-compress:jar:1.10:provided
| +- javax.mail:mail:jar:1.4.4:provided
| +- org.jvnet.hudson:activation:jar:1.1.1-hudson-1:provided
| +- jaxen:jaxen:jar:1.1-beta-11:provided
| +- commons-jelly:commons-jelly-tags-fmt:jar:1.0:provided
| +- commons-jelly:commons-jelly-tags-xml:jar:1.1:provided
| +- org.jvnet.hudson:commons-jelly-tags-define:jar:1.0.1-hudson-20071021:provided
| +- org.jenkins-ci:commons-jexl:jar:1.1-jenkins-20111212:provided
| +- org.acegisecurity:acegi-security:jar:1.0.7:provided
| | +- org.springframework:spring-jdbc:jar:1.2.9:provided
| | | - org.springframework:spring-dao:jar:1.2.9:provided
| | - oro:oro:jar:2.0.8:provided
| +- org.codehaus.groovy:groovy-all:jar:1.8.9:provided
| +- jline:jline:jar:0.9.94:provided
| +- org.fusesource.jansi:jansi:jar:1.9:provided
| +- org.springframework:spring-webmvc:jar:2.5.6.SEC03:provided
| | +- org.springframework:spring-beans:jar:2.5.6.SEC03:provided
| | +- org.springframework:spring-context:jar:2.5.6.SEC03:provided
| | +- org.springframework:spring-context-support:jar:2.5.6.SEC03:provided
| | - org.springframework:spring-web:jar:2.5.6.SEC03:provided
| +- org.springframework:spring-core:jar:2.5.6.SEC03:provided
| +- org.springframework:spring-aop:jar:2.5.6.SEC03:provided
| +- xpp3:xpp3:jar:1.1.4c:provided
| +- javax.servlet:jstl:jar:1.1.0:provided
| +- commons-logging:commons-logging:jar:1.2:provided
| +- com.sun.xml.txw2:txw2:jar:20110809:provided
| | +- javax.xml.stream:stax-api:jar:1.0-2:provided
| | - relaxngDatatype:relaxngDatatype:jar:20020414:provided
| +- commons-collections:commons-collections:jar:3.2.1:provided
| +- org.jvnet.winp:winp:jar:1.22:provided
| +- org.jenkins-ci:memory-monitor:jar:1.9:provided
| +- org.codehaus.woodstox:wstx-asl:jar:3.2.9:provided
| | - stax:stax-api:jar:1.0.1:provided
| +- org.jenkins-ci:jmdns:jar:3.4.0-jenkins-3:provided
| +- net.java.dev.jna:jna:jar:4.1.0:compile
| +- org.kohsuke:akuma:jar:1.10:provided
| +- org.kohsuke:libpam4j:jar:1.8:provided
| +- org.jvnet.libzfs:libzfs:jar:0.5:provided
| +- com.sun.solaris:embedded_su4j:jar:1.1:provided
| +- net.java.sezpoz:sezpoz:jar:1.9:provided
| +- org.kohsuke.jinterop:j-interop:jar:2.0.6-kohsuke-1:provided
| | - org.kohsuke.jinterop:j-interopdeps:jar:2.0.6-kohsuke-1:provided
| | - org.samba.jcifs:jcifs:jar:1.2.19:provided
| +- org.jvnet.robust-http-client:robust-http-client:jar:1.2:provided
| +- commons-codec:commons-codec:jar:1.8:provided
| +- org.kohsuke:access-modifier-annotation:jar:1.4:provided
| +- commons-fileupload:commons-fileupload:jar:1.3.1-jenkins-1:provided
| +- org.mindrot:jbcrypt:jar:0.3m:provided
| +- com.google.guava:guava:jar:11.0.1:provided
| | - com.google.code.findbugs:jsr305:jar:1.3.9:compile
| - com.jcraft:jzlib:jar:1.1.3-kohsuke-1:provided
+- org.jenkins-ci.main:jenkins-war:executable-war:1.625.3:test
| +- org.jenkins-ci.modules:instance-identity:jar:1.4:test
| | - org.bouncycastle:bcpkix-jdk15on:jar:1.47:test
| | - org.bouncycastle:bcprov-jdk15on:jar:1.47:test
| +- org.jenkins-ci.modules:ssh-cli-auth:jar:1.2:test
| +- org.jenkins-ci.modules:slave-installer:jar:1.5:test
| +- org.jenkins-ci.modules:windows-slave-installer:jar:1.4:test
| +- org.jenkins-ci.modules:launchd-slave-installer:jar:1.2:test
| +- org.jenkins-ci.modules:upstart-slave-installer:jar:1.1:test
| +- org.jenkins-ci.modules:systemd-slave-installer:jar:1.1:test
| - org.jenkins-ci.modules:sshd:jar:1.6:test
| - org.apache.sshd:sshd-core:jar:0.8.0:test
| - org.apache.mina:mina-core:jar:2.0.5:test
+- org.jenkins-ci.main:jenkins-test-harness:jar:2.34:test
| +- org.eclipse.jetty:jetty-webapp:jar:9.4.5.v20170502:test
| | +- org.eclipse.jetty:jetty-xml:jar:9.4.5.v20170502:test
| | | - org.eclipse.jetty:jetty-util:jar:9.4.5.v20170502:test
| | - org.eclipse.jetty:jetty-servlet:jar:9.4.5.v20170502:test
| +- org.eclipse.jetty:jetty-security:jar:9.4.5.v20170502:test
| | - org.eclipse.jetty:jetty-server:jar:9.4.5.v20170502:test
| | +- org.eclipse.jetty:jetty-http:jar:9.4.5.v20170502:test
| | - org.eclipse.jetty:jetty-io:jar:9.4.5.v20170502:test
| +- org.hamcrest:hamcrest-library:jar:1.3:test
| +- org.jenkins-ci.main:jenkins-test-harness-htmlunit:jar:2.18-1:test    <--- test dependency
| | +- xalan:xalan:jar:2.7.2:test
| | +- xalan:serializer:jar:2.7.2:test
| | +- org.apache.commons:commons-lang3:jar:3.4:test
| | +- xerces:xercesImpl:jar:2.11.0:test
| | +- xml-apis:xml-apis:jar:1.4.01:test
| | +- net.sourceforge.nekohtml:nekohtml:jar:1.9.22:test
| | +- net.sourceforge.cssparser:cssparser:jar:0.9.16:test
| | +- org.w3c.css:sac:jar:1.3:test
| | +- org.eclipse.jetty.websocket:websocket-client:jar:9.2.12.v20150709:test
| | +- org.eclipse.jetty.websocket:websocket-common:jar:9.2.12.v20150709:test
| | - org.eclipse.jetty.websocket:websocket-api:jar:9.2.12.v20150709:test
| +- org.jvnet.hudson:embedded-rhino-debugger:jar:1.2:test
| +- org.netbeans.modules:org-netbeans-insane:jar:RELEASE72:test
| - com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1:compile     <-- transitive dep of test dependency
+- org.jenkins-ci:test-annotations:jar:1.2:test
+- junit:junit:jar:4.12:test
+- org.slf4j:slf4j-api:jar:1.7.25:compile (optional)
+- org.slf4j:log4j-over-slf4j:jar:1.7.25:test
+- org.slf4j:jcl-over-slf4j:jar:1.7.25:test
- org.slf4j:slf4j-jdk14:jar:1.7.25:test

 

This seems to be another occurrence but with a different root cause (jenkins-test-harness is not a test-jar)

 

jnord@cloudbees.com (JIRA)

Oct 19, 2018, 10:28:06 AM
to jenkinsc...@googlegroups.com
James Nord reopened an issue
 
Change By: James Nord
Resolution: Won't Fix
Status: Resolved → Reopened
Assignee: Jesse Glick

jglick@cloudbees.com (JIRA)

Oct 19, 2018, 10:45:02 AM
to jenkinsc...@googlegroups.com
Jesse Glick commented on Bug JENKINS-53957
 

maven-plugin has a quite complex POM. I suspect you will find there is some more “interesting” explanation for this JAR’s presence, which is not normally present in plugin archives despite all having the same jenkins-test-harness test dep.

jnord@cloudbees.com (JIRA)

Oct 19, 2018, 10:54:01 AM
to jenkinsc...@googlegroups.com

I have no doubt that the maven-plugin has a hairy pom (which is why I was using it as an internal test case for some tooling, hence why I found this error). Just flagging as another case I found for posterity. Now if I can work out why the optional handling in my Maven / my tool is wrong I may just go and try and complete maven-hpi-plugin#23.

jglick@cloudbees.com (JIRA)

Oct 19, 2018, 10:56:02 AM
to jenkinsc...@googlegroups.com
Jesse Glick resolved as Won't Fix
 

maven-hpi-plugin was behaving correctly in this case; it was the maven-plugin POM which was wrong (indirectly, via another POM). I offered a fix.

Change By: Jesse Glick
Status: Reopened → Resolved
Resolution: Won't Fix

jnord@cloudbees.com (JIRA)

Oct 19, 2018, 11:16:02 AM
to jenkinsc...@googlegroups.com
 

Is there a link to the fix?

I do not think closing this as WONT_FIX is correct. When {{mvn -Dverbose org.apache.maven.plugins:maven-dependency-plugin:3.1.1:tree -Dscope=compile}} does not list an artifact yet it is included in the hpi, this says something is very wrong.

Developers are used to the standard tools provided by Maven; if you are saying they are wrong then that is one thing, but please report issues upstream about why they are wrong as well.

jnord@cloudbees.com (JIRA)

Oct 19, 2018, 11:18:03 AM
to jenkinsc...@googlegroups.com
James Nord edited a comment on Bug JENKINS-53957
Is there a [link to the fix for above case|https://github.com/jenkinsci/maven-plugin/pull/121]?

I do not think closing this as WONT_FIX is correct. When {{mvn -Dverbose org.apache.maven.plugins:maven-dependency-plugin:3.1.1:tree -Dscope=compile}} does not list an artifact yet it is included in the hpi, this says something is very wrong.

Developers are used to the standard tools provided by Maven; if you are saying they are wrong then that is one thing, but please report issues upstream about why they are wrong as well.

jglick@cloudbees.com (JIRA)

Oct 19, 2018, 11:26:02 AM
to jenkinsc...@googlegroups.com

I do not know exactly what -Dscope=compile is supposed to do, but without that option the artifact does appear in compile scope, and if you either exclude the transitive dependency chain via the jsch plugin or update the plugin to a version without a dependency on that library, it appears in test scope. When I look at the help for the option you gave, I see

Note that this feature does not currently work due to MSHARED-4

whether or not that message is still accurate.

tobias-jenkins@23.gs (JIRA)

Nov 10, 2018, 4:23:01 PM
to jenkinsc...@googlegroups.com

I'm not sure if this is the same issue, but the git-plugin (master) includes the apache-httpcomponents-client-4-api plugin in its test scope, which puts dependencies of that plugin into the final hpi. Here is a workaround using "optional" (which makes the thing even more ugly): https://github.com/jenkinsci/git-plugin/pull/606

 

 

jnord@cloudbees.com (JIRA)

May 15, 2019, 12:07:02 PM
to jenkinsc...@googlegroups.com

Got yet another example today of a plugin including pipeline-model-json-shaded-1.2.jar seemingly because it depended on workflow-aggregator at scope test.

jnord@cloudbees.com (JIRA)

May 15, 2019, 12:15:02 PM
to jenkinsc...@googlegroups.com
James Nord edited a comment on Bug JENKINS-53957
Got yet another example today of a plugin including {{pipeline-model-json-shaded-1.2.jar}} seemingly because it depended on workflow-aggregator at scope {{test}}.
Hard to tell from the tooling what promoted it to compile scope, but it's not a direct dependency on {{pipeline-model-definition}} and given {{pipeline-model-definition}} is a plugin this should break the link.

{noformat}
[INFO] |  +- org.jenkins-ci.plugins:pipeline-milestone-step:jar:1.3.1:test
[INFO] |  \- org.jenkinsci.plugins:pipeline-model-definition:jar:1.2:compile
[INFO] |     +- org.jenkinsci.plugins:pipeline-model-api:jar:1.2:compile
[INFO] |     |  \- org.jenkins-ci.lib:pipeline-model-json-shaded:jar:1.2:compile
{noformat}

jglick@cloudbees.com (JIRA)

Jun 3, 2019, 3:40:02 PM
to jenkinsc...@googlegroups.com

it depended on workflow-aggregator at scope test

Do not do this.

plroskin@gmail.com (JIRA)

Jul 30, 2019, 10:55:03 PM
to jenkinsc...@googlegroups.com

Bitbucket Server Notifier Plugin version 1.9 is also affected. It packages sshd-core-0.14.0.jar unnecessarily. "mvn dependency:tree" shows:

 

[INFO] +- org.jenkins-ci.main:jenkins-war:executable-war:2.60.3:test
[INFO] |  +- org.jenkins-ci.modules:instance-identity:jar:2.1:test
[INFO] |  |  \- io.github.stephenc.crypto:self-signed-cert-generator:jar:1.0.0:test
[INFO] |  +- org.jenkins-ci.modules:ssh-cli-auth:jar:1.4:test
[INFO] |  +- org.jenkins-ci.modules:slave-installer:jar:1.5:test
[INFO] |  +- org.jenkins-ci.modules:windows-slave-installer:jar:1.9:test
[INFO] |  +- org.jenkins-ci.modules:launchd-slave-installer:jar:1.2:test
[INFO] |  +- org.jenkins-ci.modules:upstart-slave-installer:jar:1.1:test
[INFO] |  +- org.jenkins-ci.modules:systemd-slave-installer:jar:1.1:test
[INFO] |  +- org.jenkins-ci.modules:sshd:jar:1.11:test
[INFO] |  |  \- org.apache.sshd:sshd-core:jar:0.14.0:compile

That goes against the rule that the dependencies of test dependencies are either test dependencies or not dependencies at all.

A way to remove that dependency from the hpi is to declare it explicitly as a test dependency. However, that would be a hack, not a solution.

maven-hpi-plugin should either follow the dependency rule or warn loudly (and fail optionally) if it cannot follow that rule for whatever reason, so that the issue could be mitigated right away.

Please reopen the ticket, I don't see any reason to close it.

 

jglick@cloudbees.com (JIRA)

Jul 31, 2019, 9:09:03 AM
to jenkinsc...@googlegroups.com

Pavel Roskin I suppose you mean 1.19, not 1.9. Your use of dependency:tree shows clearly that the problem is in your POM, not in the plugin. (maven-hpi-plugin simply follows Maven’s directions here about what scope a dependency is in.) It seems to stem from having a dependency on an ancient version of the git plugin which itself had a faulty POM, in turn due to a faulty POM in git-client. (As far back as I can easily follow history, this seems to have been fixed in 2013. The ssh-agent plugin’s POM does bundle sshd-core.jar, but in that case it is correct since it sets pluginFirstClassLoader: it is not using the copy from the core module. But any plugin depending on ssh-agent must exclude this dependency since Maven does not grok that situation. Maybe could be fixed by making it optional in ssh-agent, not sure.) Short of updating the git dependency, it can be worked around easily:

diff --git a/pom.xml b/pom.xml
index 2d6ca7b..dd133c8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -92,6 +92,12 @@
             <artifactId>git</artifactId>
             <version>2.0</version>
             <type>jar</type>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.sshd</groupId>
+                    <artifactId>sshd-core</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins</groupId>
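Review bot: The new `<exclusions>` block on the `git` 2.0 dependency has no XML comment explaining why `sshd-core` is excluded, so it reads as permanent rather than as a workaround for what this old version pulls in transitively. Add a one-line comment above `<exclusions>` saying it can be removed once the `git` dependency is updated. Note also that the exclusion only covers this one dependency path: any other dependency in the POM that reaches `org.apache.sshd:sshd-core` outside test scope would still get it bundled.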

What would be useful, I think, is for maven-hpi-plugin to at least issue a notice in the build log when it is bundling something other than the plugin JAR in WEB-INF/lib/*.jar. Perhaps this should be logged at info level for direct (expressed) dependencies and warning level for indirect dependencies.

plroskin@gmail.com (JIRA)

Aug 1, 2019, 2:10:02 AM
to jenkinsc...@googlegroups.com

Thank you, Jesse Glick! I was able to fix the issue in stash notifier with sshd-core bundling by updating the git dependency.

It's very nice to see your PR merged already!

jglick@cloudbees.com (JIRA)

Aug 1, 2019, 12:21:01 PM
to jenkinsc...@googlegroups.com

Note that while poking around I did discover what looks like a proper bug in the mojo: JENKINS-58771.

plroskin@gmail.com (JIRA)

Aug 1, 2019, 3:17:03 PM
to jenkinsc...@googlegroups.com

OK, I think I understand it. Posting here to help others understand similar issues. The dependency chain (without test dependencies) was:
 
stashNotifier -> git 2.0 -> git-client 1.4.4 -> ssh-agent 1.3 -> sshd-core 0.8.0

Now it is:
 
stashNotifier 1.19 -> git 3.0.0 -> git-client 2.0.0

git-client 2.0.0 doesn't depend on ssh-agent, so that cuts the non-test dependency chain and stops the bundling.

The version of sshd-core (0.14.0) was determined by a shorter chain that involved test dependencies:

stashNotifier 1.19 => plugin 3.40 -> jenkins-war 2.60.3 ~> sshd 1.11 -> sshd-core 0.14.0

I'm using => for a child-parent relationship (which doesn't count towards the length of the dependency chain) and ~> for a test dependency.

mvn dependency:tree was showing a shorter dependency chain, but with the scope based on analyzing the whole tree, which made it look like a test dependency was pulling in a compile dependency.

I don't see a way to make maven omit test dependencies or to show all paths leading to a transitive dependency. It would have helped with debugging the issue.
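
The pattern reported throughout this thread, a compile-scope artifact printed beneath a test-scope one in `mvn dependency:tree` output, can be checked for mechanically before an .hpi ships with an unexpected JAR. The following is an added example, not code from the thread or from maven-hpi-plugin; the function names are hypothetical, and the sample tree combines rows quoted in the thread with a constructed root and constructed `org.example` rows.

```python
import re

# One tree row: optional "[INFO] ", indentation in 3-character units,
# a "+- " or "\- " branch marker, then the artifact coordinates.
ROW = re.compile(r"^(?:\[INFO\] )?((?:[| ] {2})*)[+\\]- (\S+)")

# Scopes Maven places on the runtime classpath, i.e. candidates for bundling.
BUNDLED_SCOPES = {"compile", "runtime"}

# Rows for workflow-support, jboss-marshalling, jenkins-war and sshd-core are
# quoted from the thread; the root and org.example rows are constructed.
SAMPLE = r"""
[INFO] org.example:demo-plugin:hpi:1.0-SNAPSHOT
[INFO] +- org.example:some-library:jar:1.0:compile
[INFO] |  \- org.example:some-helper:jar:1.0:compile (optional)
[INFO] +- org.jenkins-ci.plugins.workflow:workflow-support:jar:tests:2.19:test
[INFO] |  \- org.jboss.marshalling:jboss-marshalling-river:jar:1.4.12.jenkins-3:compile
[INFO] |     \- org.jboss.marshalling:jboss-marshalling:jar:1.4.12.jenkins-3:compile
[INFO] +- org.jenkins-ci.main:jenkins-war:executable-war:2.60.3:test
[INFO] |  +- org.jenkins-ci.modules:instance-identity:jar:2.1:test
[INFO] |  |  \- io.github.stephenc.crypto:self-signed-cert-generator:jar:1.0.0:test
[INFO] |  +- org.jenkins-ci.modules:sshd:jar:1.11:test
[INFO] |  |  \- org.apache.sshd:sshd-core:jar:0.14.0:compile
"""


def parse_tree(text):
    """Yield (depth, coordinates, scope) for every dependency row."""
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # root artifact, blank lines, unrelated Maven log output
        indent, coords = match.groups()
        parts = coords.split(":")
        if len(parts) < 5:
            continue  # not group:artifact:type[:classifier]:version:scope
        yield len(indent) // 3 + 1, coords, parts[-1]


def promoted_under_test(text):
    """Return (artifact, nearest test-scope ancestor, full path) for each
    compile/runtime artifact that is printed beneath a test-scope artifact."""
    findings = []
    stack = []  # rows on the path from the root to the current row
    for depth, coords, scope in parse_tree(text):
        # Drop siblings and deeper rows so the stack holds only ancestors.
        while stack and stack[-1][0] >= depth:
            stack.pop()
        test_ancestor = next(
            (c for _, c, s in reversed(stack) if s == "test"), None
        )
        if scope in BUNDLED_SCOPES and test_ancestor:
            path = [c for _, c, _ in stack] + [coords]
            findings.append((coords, test_ancestor, path))
        stack.append((depth, coords, scope))
    return findings


if __name__ == "__main__":
    for artifact, ancestor, path in promoted_under_test(SAMPLE):
        print("bundled although shown under a test dependency:", artifact)
        print("  nearest test-scope ancestor:", ancestor)
        print("  path:", " -> ".join(path))
```

As the last post explains, a hit means the artifact is also reachable through a non-test path elsewhere in the tree, so the remedy is an exclusion or a dependency update on that path.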
