Skip to content

Instantly share code, notes, and snippets.

@cgruber cgruber/pom.xml
Last active Sep 11, 2017

Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Example enforcer rule to exclude commons-collections 3.2.1 from the build
Raw
pom.xml
<!-- Avoid the M.A.D. Gadget vulnerability in certain apache commons-collections versions -->
<project>
<!-- ... -->
<build>
<plugins>
<plugin>
<artifactId>maven-enforcer-plugin</artifactId>
<executions>
<execution>
<goals><goal>enforce</goal></goals>
<configuration>
<rules>
<bannedDependencies>
<excludes>
<exclude>commons-collections:commons-collections:[3.0,3.2.1]</exclude>
<exclude>commons-collections:commons-collections:4.0</exclude>
</excludes>
</bannedDependencies>
</rules>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
@TobiX

This comment has been minimized.

Sign in to view
Copy link

commented Sep 5, 2017
edited

Unfortunatly, the second exclude is wrong, since the GAV for commons-collections 4 is different from older versions. The correct syntax is:

 <exclude>org.apache.commons:commons-collections4:[4.0]</exclude>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.