Reputation: 31
I am using 4 plugins in my Spring Boot service - Maven-compiler plugin, surefire plugin, spring-boot-maven-plugin and Maven-deploy plugin - but I am not able to locate some transitive dependencies like plexus, plexus-archive, commons-compress etc., due to which I am getting a build failure, as these dependencies are blocked by my company due to vulnerabilities. Is there a way to find and override these dependencies on these plugins? mvn dependency tree and mvn resolve plugin aren't helping to find any of these dependencies.
Upvotes: 0
Views: 38
Reputation: 3277
To view your project's dependency tree from the command line, use the command:
    mvn dependency:tree
For multi-module projects, use the command:
    mvn compile dependency:tree
You can exclude transitive dependencies in your pom.xml using the <exclusions> tag within the dependency declaration.
Example:
<dependency>
    <groupId>group-id-of-the-dependency-you-want-to-exclude-from</groupId>
    <artifactId>artifact-id-of-the-dependency-you-want-to-exclude-from</artifactId>
    <version>version-of-the-dependency-you-want-to-exclude-from</version>
    <exclusions>
        <exclusion>
            <groupId>group-id-of-the-transitive-dependency-to-exclude</groupId>
            <artifactId>artifact-id-of-the-transitive-dependency-to-exclude</artifactId>
        </exclusion>
    </exclusions>
</dependency>
If your application actually relies on the functionality provided by the excluded transitive dependency, you'll get ClassNotFoundException, NoSuchMethodError, or similar errors at runtime. This is the most common and problematic consequence.
Upgrading to the latest version of your dependencies should be your first course of action. It's the safest and often the most effective way to manage transitive dependencies. Excluding dependencies should be considered only after you've explored upgrading and understand the potential consequences.
Upvotes: -1
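An added example, not part of the answer above: a small parser for `mvn dependency:tree` text output that reports which direct dependency pulls in a blocked artifact and builds the matching `<exclusions>` entry. The tree, coordinates and versions are constructed sample data, the function names are hypothetical, and it covers project dependencies only, since that is what `dependency:tree` lists.

```python
import re

# Constructed sample of `mvn dependency:tree` output (coordinates/versions are illustrative).
SAMPLE_TREE = r"""
[INFO] --- dependency:tree @ demo-service ---
[INFO] com.example:demo-service:jar:1.0.0
[INFO] +- com.example:report-starter:jar:2.1.0:compile
[INFO] |  +- com.example:report-core:jar:2.1.0:compile
[INFO] |  |  \- org.apache.commons:commons-compress:jar:1.0.0:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:2.0.0:compile
[INFO] \- com.example:build-helpers:jar:0.9.0:test
[INFO]    \- org.codehaus.plexus:plexus-utils:jar:3.0.0:test
"""

# Indentation is 3 characters per level, followed by a "+- " or "\- " marker.
NODE = re.compile(r"^\[INFO\] ((?:[| ]  )*)([+\\]- )?([\w.\-]+):([\w.\-]+):")

def find_blocked(tree_text, blocked):
    """Map each blocked 'group:artifact' to the chains (direct dep -> ... -> blocked)."""
    stack, hits = [], {}
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # banner, summary or blank line
        indent, marker, group, artifact = m.groups()
        depth = len(indent) // 3 + (1 if marker else 0)  # project root is depth 0
        ga = f"{group}:{artifact}"
        stack = stack[:depth] + [ga]
        if depth >= 1 and ga in blocked:
            hits.setdefault(ga, []).append(stack[1:])  # drop the project root
    return hits

def exclusion_xml(chain):
    """Build the <exclusions> block to place inside the direct dependency's declaration."""
    if len(chain) < 2:
        return None  # blocked artifact is declared directly; nothing to exclude from
    bg, ba = chain[-1].split(":")
    return (f"<!-- add inside the <dependency> for {chain[0]} -->\n"
            "<exclusions>\n  <exclusion>\n"
            f"    <groupId>{bg}</groupId>\n    <artifactId>{ba}</artifactId>\n"
            "  </exclusion>\n</exclusions>")

if __name__ == "__main__":
    blocked = {"org.apache.commons:commons-compress", "org.codehaus.plexus:plexus-utils"}
    for ga, chains in find_blocked(SAMPLE_TREE, blocked).items():
        for chain in chains:
            print(" -> ".join(chain))
            print(exclusion_xml(chain))
```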