How to resolve invalid packaging for parent POM, must be "pom" but is "jar"

Time:04-13

To resolve the spring-framework vulnerability posted by spring.io, I tried upgrading Spring Boot from 2.4.5 to 2.5.12, using Gradle 6.8. Running ./gradlew clean build now fails with this error:

Invalid packaging for parent POM org.apache.logging.log4j:log4j-api:2.17.2, must be "pom" but is "jar" in org.apache.logging.log4j:log4j-api:2.17.2

The dependency org.springframework.boot:spring-boot-starter-webflux pulls in log4j-api:2.17.2 as a transitive dependency.

How can I resolve the invalid parent POM packaging error for transitive dependencies?

build.gradle

// Build script as posted with the question; this is the configuration that fails with
// "Invalid packaging for parent POM ... must be "pom" but is "jar"".
buildscript {
    ext {
        // Version of the Spring Boot Gradle plugin placed on the build classpath below.
        springBootVersion = '2.5.12'
    }
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}")
                // NOTE(review): this closure starts on its own line; confirm it is really applied to the
                // classpath(...) dependency above, otherwise the slf4j-ext exclusion has no effect.
                {
                    exclude group: 'org.slf4j', module: 'slf4j-ext'
                }
    }
}

apply plugin: 'java'
apply plugin: 'eclipse'
apply plugin: 'org.springframework.boot'
apply plugin: 'io.spring.dependency-management'

group = 'com.service'
version = ''
sourceCompatibility = 11
// Explicit logback version used for both logback artifacts in the dependencies block.
// NOTE(review): a version declared directly on a dependency normally wins over the version managed by
// the Spring Boot BOM, so this pin can hold logback below the managed release; confirm the resolved version.
def logbackVersion = '1.2.3' 

repositories {
    mavenCentral()
}

configurations.all {
    // Requests version 2.17.1 for every module of the org.apache.logging.log4j group, in every configuration.
    // NOTE(review): the reported error names log4j-api:2.17.2 while this rule asks for 2.17.1 for the whole
    // group; confirm which log4j version is actually resolved and whether this override is still needed
    // after the Spring Boot upgrade.
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'org.apache.logging.log4j') {
            details.useVersion '2.17.1'
        }
    }
}

dependencies {
    // Spring Boot artifacts carry no version here; the version is left to dependency management.
    implementation ('org.springframework.boot:spring-boot-starter-webflux')
    developmentOnly('org.springframework.boot:spring-boot-devtools')
    testImplementation('org.springframework.boot:spring-boot-starter-test')
    testImplementation('io.projectreactor:reactor-test')
    implementation("ch.qos.logback:logback-core:${logbackVersion}")
    implementation("ch.qos.logback:logback-classic:${logbackVersion}")
    implementation('org.apache.httpcomponents:httpclient:4.5.11')
    implementation('org.apache.commons:commons-collections4:4.4')
    // Spring Cloud artifacts are pinned one by one instead of through a BOM.
    // NOTE(review): these versions were not changed with the Spring Boot upgrade; confirm they belong to a
    // Spring Cloud release that is compatible with Spring Boot 2.5.12.
    implementation("org.springframework.cloud:spring-cloud-vault-config:2.1.3.RELEASE")
    implementation("org.springframework.cloud:spring-cloud-vault-config-consul:2.1.3.RELEASE")
    // Declares a '-dependencies' POM artifact (ext: 'pom') as an ordinary implementation dependency.
    // NOTE(review): presumably a BOM; such artifacts are normally imported through dependencyManagement
    // rather than added to a classpath configuration. Verify.
    implementation group: 'org.springframework.cloud', name: 'spring-cloud-consul-dependencies', version: '1.0.0.RELEASE', ext: 'pom'

    // Third-party libraries with hand-maintained versions; each one has to be checked against current
    // security advisories separately, because no BOM manages them here.
    implementation('com.amazonaws:aws-java-sdk-sqs:1.11.634')
    // NOTE(review): Lombok is declared as 'implementation' as well as 'annotationProcessor', which puts it on
    // the runtime classpath; 'compileOnly' is the usual scope for it.
    implementation('org.projectlombok:lombok:1.18.12')
    implementation('org.yaml:snakeyaml:1.26')
    implementation group: 'com.google.code.gson', name: 'gson', version: '2.8.6'
    annotationProcessor('org.projectlombok:lombok:1.18.12')

    // Bouncy Castle FIPS provider and its TLS companion, pinned explicitly.
    implementation group: 'org.bouncycastle', name: 'bc-fips', version: '1.0.2'
    implementation group: 'org.bouncycastle', name: 'bctls-fips', version: '1.0.11'
}

CodePudding user response:

Adding the spring-cloud-dependencies mavenBom helped resolve this issue. I suspect webflux pulled in a transitive dependency on an older release; importing the spring-cloud-dependencies BOM in dependencyManagement ensured that all Spring dependencies are at the same version.

Here's the updated build.gradle file that worked:

// Build script posted as the working answer. Besides importing the Spring Cloud BOM it also moves the
// Spring Boot plugin to 2.6.6 and no longer contains a resolutionStrategy override for log4j.
plugins {
    id 'org.springframework.boot' version '2.6.6'
    id 'io.spring.dependency-management' version '1.0.11.RELEASE'
    id 'java'
    id 'application'
}

group = 'com.service'
version = '1.0.0-SNAPSHOT'
sourceCompatibility = '11'

application {
    mainClass = 'com.service.scheduler.SchedulerApplication'
}

repositories {
    mavenCentral()
}

ext {
    // Spring Cloud release train; read by the mavenBom import in dependencyManagement at the end of the file.
    set('springCloudVersion', "2021.0.1")
    // Explicit logback version used by the two logback dependencies below.
    set('logbackVersion', "1.2.11")
}

bootJar {
    archiveFileName = 'scheduler.jar'
}

bootRun {
    // Hands every system property of the JVM evaluating this build to the application started by bootRun.
    // NOTE(review): that includes anything passed with -D on the Gradle command line, credentials too if
    // they are supplied that way; forwarding only the properties the application needs is narrower.
    systemProperties = System.properties
}

dependencies {
    /*---spring dependencies---*/
    // No versions on these lines: they are resolved through dependency management (the Spring Boot plugin
    // and the Spring Cloud BOM imported below), which keeps the Spring artifacts aligned.
    implementation 'org.springframework.boot:spring-boot-starter-webflux'
    implementation 'org.springframework.cloud:spring-cloud-starter-vault-config'
    implementation 'org.springframework.cloud:spring-cloud-vault-config-consul'
    developmentOnly 'org.springframework.boot:spring-boot-devtools'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    testImplementation 'io.projectreactor:reactor-test'


    // Hand-maintained versions; no BOM in this file is shown to manage them, so check each against current
    // security advisories when updating.
    implementation 'com.amazonaws:aws-java-sdk-sqs:1.12.187'
    implementation 'org.apache.httpcomponents:httpclient:4.5.13'
    implementation 'org.apache.commons:commons-collections4:4.4'
    implementation 'org.yaml:snakeyaml:1.30'
    implementation 'com.google.code.gson:gson:2.9.0'

    /*---fips dependencies---*/
    implementation group: 'org.bouncycastle', name: 'bc-fips', version: '1.0.2'
    implementation group: 'org.bouncycastle', name: 'bctls-fips', version: '1.0.11'

    /*---lombok dependencies---*/
    // NOTE(review): 'implementation' puts Lombok on the runtime classpath; 'compileOnly' together with
    // 'annotationProcessor' is the usual setup.
    implementation 'org.projectlombok:lombok:1.18.22'
    annotationProcessor 'org.projectlombok:lombok:1.18.22'

    /*---logback dependencies---*/
    // NOTE(review): an explicit version on a direct dependency normally takes precedence over the managed
    // one; confirm this pin does not hold logback below the version Spring Boot manages.
    implementation("ch.qos.logback:logback-core:${logbackVersion}")
    implementation("ch.qos.logback:logback-classic:${logbackVersion}")


}

dependencyManagement {
    imports {
        // Imports the Spring Cloud BOM so that Spring Cloud artifacts declared without a version resolve to
        // one consistent release. Since the log4j override is gone, check the versions that are actually
        // resolved, e.g. ./gradlew dependencyInsight --dependency log4j-api --configuration runtimeClasspath
        mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
    }
}

