@cgruber cgruber/pom.xml
Last active Sep 11, 2017

Example enforcer rule to exclude commons-collections 3.2.1 from the build
<!-- Avoid the M.A.D. Gadget vulnerability in certain apache commons-collections versions -->
<project>
  <!-- ... -->
  <build>
    <plugins>
      <plugin>
        <!-- groupId defaults to org.apache.maven.plugins -->
        <artifactId>maven-enforcer-plugin</artifactId>
        <executions>
          <execution>
            <!-- the enforce goal binds to the validate phase by default, so the
                 build fails before anything is compiled or packaged -->
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- 3.x line: every release up to and including 3.2.1 -->
                    <exclude>commons-collections:commons-collections:[3.0,3.2.1]</exclude>
                    <!-- 4.x line uses a different groupId and artifactId; the
                         original gist wrote commons-collections:commons-collections:4.0,
                         which never matches (see the comment below) -->
                    <exclude>org.apache.commons:commons-collections4:[4.0]</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
TobiX commented Sep 5, 2017

Unfortunately, the second exclude is wrong, since the GAV for commons-collections 4 is different from older versions. The correct syntax is:

 <exclude>org.apache.commons:commons-collections4:[4.0]</exclude>
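The enforcer rule above only fires inside a Maven build. As an added example (not part of the gist or the comment), the script below applies the same two banned patterns, with the corrected commons-collections4 GAV from the comment, to the text that `mvn dependency:list` prints, so a CI job or an auditor can flag the same coordinates outside Maven. The sample output is constructed, not captured from a real build, and the version comparison is a simplified stand-in for Maven's ComparableVersion (numeric components only; non-numeric qualifiers sort below any number).

```python
"""Flag Maven dependencies that fall inside banned version specs.

Constructed example mirroring the bannedDependencies rule in the pom above;
it parses `mvn dependency:list` style lines rather than running inside Maven.
"""
import re

# Same bans as the enforcer rule (4.x line uses the GAV corrected in the comment).
BANNED = [
    "commons-collections:commons-collections:[3.0,3.2.1]",
    "org.apache.commons:commons-collections4:[4.0]",
]

# Constructed sample of `mvn dependency:list` output (not from a real build).
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    commons-collections:commons-collections:jar:3.2.1:compile
[INFO]    org.apache.commons:commons-collections4:jar:4.0:compile
[INFO]    org.apache.commons:commons-collections4:jar:4.1:compile
[INFO]    commons-collections:commons-collections:jar:3.2.2:runtime
[INFO]    com.google.guava:guava:jar:23.0:compile
"""


def parse_version(v):
    """Turn '3.2.1' into (3, 2, 1); simplified stand-in for Maven's ComparableVersion.

    Non-numeric tokens (e.g. SNAPSHOT) become -1 so they sort below any number,
    and trailing zeros are dropped so 3.0 and 3 compare equal.
    """
    nums = [int(t) if t.isdigit() else -1 for t in re.split(r"[.\-]", v)]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def version_in_spec(version, spec):
    """True if version satisfies a Maven spec: [a,b], (a,b], [a,), (,b], [a] or bare 'a'."""
    v = parse_version(version)
    m = re.fullmatch(r"([\[(])([^,\])]*)(?:,([^,\])]*))?([\])])", spec)
    if not m:  # bare version: the enforcer treats it as an exact match
        return v == parse_version(spec)
    lo_b, lo, hi, hi_b = m.groups()
    if hi is None:  # "[4.0]" pins exactly one version
        return v == parse_version(lo)
    if lo and (v < parse_version(lo) or (lo_b == "(" and v == parse_version(lo))):
        return False
    if hi and (v > parse_version(hi) or (hi_b == ")" and v == parse_version(hi))):
        return False
    return True


def banned_spec_for(group, artifact, version, banned=BANNED):
    """Return the first banned pattern (groupId:artifactId:spec) the coordinate matches."""
    for pattern in banned:
        g, a, spec = pattern.split(":", 2)
        if g == group and a == artifact and version_in_spec(version, spec):
            return pattern
    return None


def scan_dependency_list(text, banned=BANNED):
    """Parse g:a:type[:classifier]:version:scope lines and return (coordinate, pattern) hits."""
    hits = []
    for line in text.splitlines():
        parts = line.removeprefix("[INFO]").strip().split(":")
        if len(parts) < 5:  # not a dependency line
            continue
        group, artifact, version = parts[0], parts[1], parts[-2]
        pattern = banned_spec_for(group, artifact, version, banned)
        if pattern:
            hits.append((f"{group}:{artifact}:{version}", pattern))
    return hits


if __name__ == "__main__":
    for coordinate, pattern in scan_dependency_list(SAMPLE_OUTPUT):
        print(f"BANNED {coordinate} (matched {pattern})")
```

On the constructed sample the scan reports 3.2.1 and commons-collections4 4.0 and leaves 3.2.2 and 4.1 alone, which is exactly the split the enforcer rule enforces once the 4.x GAV is corrected.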