Git Product home page Git Product logo

external-maven-plugin's Introduction

No longer maintained

This plugin is no longer maintained, and is vulnerable to potential abuse as a result of not updating dependencies. At the time of writing, CVE-2018-1002200 is one such example.

External Dependency Maven Plugin

This Maven plugin can be used to manage external dependencies that are not available in public Maven repositories or not mavenized at all. The plugin can download and install these dependencies as Maven artifacts in your local Maven repository so that they are available for Maven as any other dependencies and also deploy them to a remote repository.

This is a fork of [com.savage7.maven.plugins:maven-external-dependency-plugin] (https://code.google.com/p/maven-external-dependency-plugin/) that is updated for Maven 3.x. Its use has also been simplified slightly.

Maven 3.x introduced changes in dependency resolution that makes it impossible for this plugin to function optimally. In Maven 3.x all dependencies are resolved before the lifecycle phases are started, making it impossible for a plugin to download and install the external dependencies before Maven resolves the project's dependencies. Any dependencies needed during the build lifecycle, e.g. for the compile phase, must be resolved before Maven will start the lifecycle. That means that the external dependencies must be given as dependencies in pom.xml, or the compile phase will fail. At the same time, including them as dependencies prevents Maven from starting the lifecycle as the dependencies can not be resolved.

There are multiple ways to get around this, but none of them are as elegant as if this plugin could run before dependency resolution (as is possible in Maven 2.x). Basicly, there are 3 options:

  • Run this plugin from a parent POM so that the dependencies are already installed when the child POM starts.
  • Bind this plugin to the clean phase and build with mvn clean install each time the external dependencies need to be installed or updated. This will install the external dependencies during the clean lifecycle so that they are already in place when the build lifecycle begins.
  • Manually run mvn external:install each time the external dependencies need to be installed or updated before starting the build lifcycle with e.g. mvn package or maven install.

Configuration

Artifact configuration

External dependencies have to be turned into Maven artifacts to be accessable for Maven. This is done by creating artifactItems in the configuration section for this plugin like this:

<project>
  ...
  <build>
    ...
    <plugins>
      ...
      <plugin>
        <groupId>com.universalmediaserver</groupId>
        <artifactId>external-maven-plugin</artifactId>
        <version>x.y.z</version>
        ...
        <configuration>
          ...
          <artifactItems>
            <artifactItem>
              <groupId>...</groupId>
              <artifactId>...</artifactId>
              <version>...</version>
              <classifier>...</classifier>
              <localFile>...<localFile>
              <stagingDirectory>...</stagingDirectory>
              <downloadUrl>...</downloadUrl>
              <timeout>...</timeout>
              <packaging>...</packaging>
              <install>...</install>
              <deploy>...</deploy>
              <force>...</force>
              <pomFile>...</pomFile>
              <generatePom>...</generatePom>
              <createChecksum>...</createChecksum>
              <centralChecksumVerification>...</centralChecksumVerification>
              <checksum>...</checksum>
              <extractFile>...</extractFile>
              <extractFileChecksum>...</extractFileChecksum>
              <repack>...</repack>
            </artifactItem>
          </artifactItems>
          ...
        </configuration>
        ...
      </plugin>
      ...
    </plugins>
    ...
  </build>
...
</project>

Most of these parameteres are optional.

Artifact parameter description

Parameter Mandatory Default value Description
groupId Yes The group id for the generated artifact. If none exists for the dependency, you can make one up.
artifactId Yes The artifact id for the generated artifact. If none exists for the dependency, you can make one up, but it's natural to use the dependency name here.
version Yes Anything will work, but you should use the actual version of the dependency.
classifier No Classifier for the artifact (tests, sources, etc.)
localFile No {artifactId}-{version}- {classifier}.{packaging} The name of the created local artifact.
stagingDirectory No The plugin configured stagingDirectory The folder to which the external dependency should be downloaded.
downloadUrl Yes The URL to get the dependency from.
timeout No No timeout Timeout in milliseconds for artifact download.
packaging No jar The packaging type of the artifact.
install No True Should the artifact be installed to the local Maven repository during install and localinstall goals?
deploy No True Should the artifact be deployed to an external Maven repository during the deploy goal?
force No False Should download, install and deploy be forced for this external dependency? Force means that the action is performed even though it's deemed not necessary.
pomFile No Location of an existing POM file to be installed alongside the main artifact.
generatePom No True Should a minimal POM be generated for the artifact if none is specified in pomFile?
createChecksum No The plugin configured createChecksum Should MD5 and SHA-1 checksums be generated for the artifact during installation and deployment?
centralChecksumVerification No False If this is true, the downloaded file's checksum will be verified with a query against Maven central repository to make sure the artifact isn't already there.
checksum No A checksum for the downloaded file used for verification.
extractFile If the downloaded file is an archive, the name of the file to extract from the archive.
extractFileChecksum No A checksum for the extracted file used for verification.
repack No False Should a folder be repacked as a new artifact?

Plugin configuration

The plugin configuration is done in the configuration for the plugin like this:

<project>
  ...
  <build>
    ...
    <plugins>
      ...
      <plugin>
        <groupId>com.universalmediaserver</groupId>
        <artifactId>external-maven-plugin</artifactId>
        <version>x.y.z</version>
        ...
        <configuration>
          <project>...</project>
          <userSettings>...</userSettings>
          <globalSettings>...</globalSettings>
          <localRepository>...</localRepository>
          <stagingDirectory>...</stagingDirectory>
          <force>...</force>
          <centralChecksumVerification>...</centralChecksumVerification>
          <createChecksum>...</createChecksum>
          <remoteRepositories>
            ..
          </remoteRepositories>
          <artifactItems>
            ...
          </artifactItems>
        </configuration>
        ...
      </plugin>
      ...
    </plugins>
    ...
  </build>
...
</project>

Plugin parameter description

Parameter Mandatory Default value Description
project No ${project} The maven project
userSettings No ${user.home}/.m2/settings.xml Location of the user settings.xml if needed.
globalSettings No ${env.M2_HOME}/conf/settings.xml Location of the global settings.xml if needed.
localRepository No ${localRepository} The local Maven repository.
stagingDirectory No ${project.build.directory} /external-dependencies The staging directory for external dependencies where it's not specified on the artifactItem.
force No False Should download, install and deploy be forced for all external dependencies? Force means that the action is performed even though it's deemed not necessary.
centralChecksumVerification No False If this is true, the downloaded files' checksums will be verified with queries against Maven central repository to make sure the artifacts aren't already there.
createChecksum No True Should MD5 and SHA-1 checksums be generated for the artifacts during installation and deployment?
disableSSLValidation No False Should SSL/HTTPS validation be disabled when downloading external dependencies?
remoteRepositories No A list of remote repositories to be used when resolving external dependencies.
artifactItems Yes A list of artifactItems for this plugin as described above.

Using the plugin

Given that the parameters are configured correctly, goals can be executed with:

mvn external:<goal>

Goals can also be bound to lifecycle phases to automatic execution.

Goals description

Goal Bindable phases Command Description
resolve generate-sources, clean mvn external:resolve Resolves and downloads the configured artifactItems to the stagingDirectory.
localinstall generate-sources, clean mvn external:localinstall Installs already staged artifactItems to the local Maven repository.
install generate-sources, clean mvn external:install A combination of resolve and localinstall. Resolves, downloads and installes the configured artifactItems.
clean clean mvn external:clean Cleans the staging directory.

Binding goals to lifecycle phases

Binding the goals to the bindable lifecycle phases is done in a standard way under executions. A typical example is given below:

<project>
  ...
  <build>
    ...
    <plugins>
      ...
      <plugin>
        <groupId>com.universalmediaserver</groupId>
        <artifactId>external-maven-plugin</artifactId>
        <version>x.y.z</version>
        ...
        <configuration>
          ...
        </configuration>
        ...
        <executions>
          <execution>
            <id>clean-external-dependencies</id>
            <phase>clean</phase>
            <goals>
              <goal>clean</goal>
            </goals>
          </execution>
          <execution>
            <id>install-external-dependencies</id>
            <phase>clean</phase>
            <goals>
              <goal>install</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      ...
    </plugins>
    ...
  </build>
...
</project>

external-maven-plugin's People

Contributors

nadahar avatar savageautomate avatar sewe avatar velo avatar vharseko avatar

Stargazers

avatar

Watchers

avatar avatar avatar

external-maven-plugin's Issues

Make the plugin available on maven central 

Hey,

I did noticed you are using sonatype oss server to deploy releases, would be 
nice to promote this releases to maven central repository 
http://repo1.maven.org/maven2/

Right now it is only available at:
https://oss.sonatype.org/content/repositories/releases/


VELO

Original issue reported on code.google.com by [email protected] on 6 Oct 2010 at 9:05

Checksum validation fails for extracted file 

I'm trying to extract a jar from a zip file:

    <dependency>
        <groupId>de.innosystec</groupId>
        <artifactId>java-unrar</artifactId>
        <version>0.3</version>
    </dependency>

    <artifactItem>
        <groupId>de.innosystec</groupId>
        <artifactId>java-unrar</artifactId>
        <version>0.3</version>
        <packaging>jar</packaging>
        <downloadUrl>
            http://github.com/downloads/edmund-wagner/junrar/java-unrar-{version}.zip
        </downloadUrl>
        <install>true</install>
        <force>false</force>
        <extractFile>java-unrar/java-unrar-{version}.jar</extractFile>
        <checksum>530351609180152cff40fa1c79a28193185aba83</checksum>
    </artifactItem>

Whatever I place in the checksum, the build fails. If I use the checksum of the 
zip (530351609180152cff40fa1c79a28193185aba83), the resolve-external phase 
passes:

    [INFO] testing for SHA1 checksum on artifact: de.innosystec:java-unrar:0.3:jar
    [INFO] verification passed on SHA1 checksum for artifact: de.innosystec:java-unrar:0.3:jar

- but then validation fails for the jar in the install-external phase.

If I use the jar's SHA1 (bce51f76274c41ddac3ca8e99378ff2893108049), validation 
fails for the zip during the resolve-external phase.

If this is a bug (rather than a user error), perhaps an optional 
per-extracted-file checksum attribute could be added:

    <downloadUrl>http://www.example.com/foo.zip</downloadUrl>
    <checksum>123</checksum> <!-- for foo.zip -->
    <extractFile checksum="abc">bar.jar</extractFile> <!-- for bar.jar -->

maven-external-dependency-plugin 0.2-SNAPSHOT
Maven: 2.2.1
Java: 1.6.0_20
OS: Ubuntu 10.04

Original issue reported on code.google.com by [email protected] on 22 Sep 2010 at 11:35

Smarter heuristic to pick checksum algorithm 

Currently, the maven-external-dependency-plugin is not overly smart about 
picking the right checksum algorithm straight-away; it always tries MD5 first 
and only if that fails does it try SHA1. Depending on the size of the external 
dependency, computing the ckecksum may take a few seconds, which could be saved 
if the plugin would apply the following heuristic:

  40 hex digits => 160 bit SHA-1 checksum
  otherwise => 128 bit MD5 checksum first, then 160 bit SHA-1 checksum

Alternatively, the plugin's goal would use two distinct parameters: md5checksum 
and sha1checksum, probably with checksum retained for compatibility.

Original issue reported on code.google.com by [email protected] on 18 Apr 2012 at 8:37

Add timeout for artifact download 

Hi,

This is a very useful plugin, thank you :-)

Unfortunately we are using the plugin behind a proxy server which for reasons 
beyond out control makes downloads slow and frequently pause. As it is, the 
plugin times-out the connection before it has finished downloading.

We have checked out a copy of the code and fixed the problem locally by adding 
an Integer 'timeout' to the ArtifactItem and then using...

wagon.setTimeout(artifactItem.getTimeout());

...in the ResolveExternalDependencyMojo. This allows us to put  
<timeout>60000</timeout> within the relevant artifactItem element in the pom 
and then everything works nicely.

I attach the files we have amended in the hope that you can incorporate this 
(or something similar into the code base).

Many thanks
Rob

Original issue reported on code.google.com by [email protected] on 18 Sep 2013 at 10:35

Attachments:

intelligent deployment 

Optimize the deploy-external goal to be a little more intelligent about only 
deploying files that it needs to.  The current implementation will deploy all 
external defined artifacts when the deploy-external goal is invoked.

Original issue reported on code.google.com by [email protected] on 11 Feb 2010 at 3:06

Handle redirects transparently 

What steps will reproduce the problem?
Use plugin with the following configuration
            <artifactItem>
              <groupId>com.github.voldemort</groupId>
              <artifactId>voldemort</artifactId>
              <version>0.90.1</version>
              <packaging>tar.gz</packaging>
              <downloadUrl>https//github.com/downloads/voldemort/voldemort/voldemort-0.90.1.tar.gz</downloadUrl>
              <extractFile>voldemort-0.90.1/dist/voldemort-0.90.1.jar</extractFile>
            </artifactItem>

What is the expected output? What do you see instead?
The plugin doesn't handle the HTTP status code 302 redirect and reports an 
invalid GZIP file.  It should handle the redirect transparently.

What version of the product are you using? On what operating system?
0.5

Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 27 Sep 2012 at 9:19

plugin won't use a proxy configured in maven's settings.xml 

What steps will reproduce the problem?
1. Get yourself behind a proxy
2. Disable all other internet connections
3. try to download something with maven-external-dependency-plugin

What is the expected output? What do you see instead?
Expected: Download works, because my (http) proxy is configured in the 
settings.xml for maven.
Instead, i get a "Connection timed out" message.

What version of the product are you using? On what operating system?
Windows 7 x64, Plugin version 0.5-SONATYPE-r116

Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 8 Sep 2011 at 4:07

Make plugin @threadSafe 

Currently, the maven-external-dependency-plugin is not marked @threadSafe; 
Maven 3 parallel builds thus issue a warning.

Original issue reported on code.google.com by [email protected] on 28 Sep 2010 at 12:13

Support for tar.gz files 

Hey, I made a patch to make possible unzip tar.gz files as well, it is not as 
efficient as the ZipFile, but it makes possible use a new set of compression 
formats.

Lemme know what you think about it.

VELO

Original issue reported on code.google.com by [email protected] on 6 Oct 2010 at 11:56

Attachments:

Check if the artifact isn't already hosted on maven repo 

This is a bit wilder idea, but I think would be a nice add to your plugin,
specially if you really wanna follow that line of not screwing up the
artifacts already hosted on maven repo.

Let's say users put an entry to download an artifact.

And this artifact checksum is 'dcab88fc2a043c2479a6de676a2f8179e9ea2167' it
could be know ahead if user did inform this or calculated after the
artifact doesn't really matter.

Now, let's say user gave this artifact the following GAV
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
<version>1.5</version>

But this checksum bellows to an artifact with a different GAV:
http://repository.sonatype.org/service/local/data_index?sha1=dcab88fc2a043c2479a
6de676a2f8179e9ea2167

I think you could use sonatype rest API to validate that.  And I would say
to fail the build if the artifact is already hosted on a know maven
repository.... specially if it's GAV doesn't match the repository GAV.


VELO

Original issue reported on code.google.com by [email protected] on 11 Feb 2010 at 11:05

Extracting multiple files for the same archive causes multiple downloads 

Several artifactItems sharing the *same* downloadUrl (using different values 
for extractFile, of course) cause multiple downloads. This can be really 
annoying when extracting many small JARs from one very large archive. Thus, it 
would be nice if the maven-external-dependency-plugin could be smarter about 
this and hit each downloadUrl just once.

Original issue reported on code.google.com by [email protected] on 26 Sep 2010 at 3:24

  • Merged into: #1

Deployment not implemented 

The current checked in source will download a file from URL and install it as 
an artifact into the local M2 repository but the optional deployment of that 
artifact to a team M2 repository has not yet been implemented.

Currently working on adding support for this feature.

Original issue reported on code.google.com by [email protected] on 8 Feb 2010 at 6:46

Add an checksum option 

In order to prevent people from using the wrong artifact, would be nice to
have a checksum along with the url.

VELO

Original issue reported on code.google.com by [email protected] on 9 Feb 2010 at 12:53

NPE while executing external-dependency:deploy-external 

While running the plugin with Maven 2.2.1 I always run into NPE:


[INFO] [external-dependency:deploy-external {execution:
deploy-external-dependencies}]
[INFO] starting to deploy external dependencies to distribution repository
[INFO] resolving artifact in locale repository for deployment:
esi:common-content:12.2010.WEB10-SNAPSHOT:jar
[INFO] ------------------------------------------------------------------------
[ERROR] FATAL ERROR
[INFO] ------------------------------------------------------------------------
[INFO] null
[INFO] ------------------------------------------------------------------------
[INFO] Trace
java.lang.NullPointerException
        at
org.apache.maven.artifact.repository.metadata.DefaultRepositoryMetadataManager.m
ergeMetadata(DefaultRepositoryMetadataManager.java:191)
        at
org.apache.maven.artifact.repository.metadata.DefaultRepositoryMetadataManager.r
esolve(DefaultRepositoryMetadataManager.java:166)
        at
org.apache.maven.artifact.transform.AbstractVersionTransformation.resolveVersion
(AbstractVersionTransformation.java:65)
        at
org.apache.maven.artifact.transform.SnapshotTransformation.transformForResolve(S
napshotTransformation.java:63)
        at
org.apache.maven.artifact.transform.DefaultArtifactTransformationManager.transfo
rmForResolve(DefaultArtifactTransformationManager.java:55)
        at
org.apache.maven.artifact.resolver.DefaultArtifactResolver.resolve(DefaultArtifa
ctResolver.java:145)
        at
org.apache.maven.artifact.resolver.DefaultArtifactResolver.resolve(DefaultArtifa
ctResolver.java:90)
        at
com.savage7.maven.plugin.dependency.DeployExternalDependencyMojo.execute(DeployE
xternalDependencyMojo.java:95)
        at
org.apache.maven.plugin.DefaultPluginManager.executeMojo(DefaultPluginManager.ja
va:490)
        at
org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoals(DefaultLifecycl
eExecutor.java:694)
        at
org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoalWithLifecycle(Def
aultLifecycleExecutor.java:556)
        at
org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoal(DefaultLifecycle
Executor.java:535)
        at
org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoalAndHandleFailures
(DefaultLifecycleExecutor.java:387)
        at
org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeTaskSegments(DefaultL
ifecycleExecutor.java:348)
        at
org.apache.maven.lifecycle.DefaultLifecycleExecutor.execute(DefaultLifecycleExec
utor.java:181)
        at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:328)
        at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:138)
        at org.apache.maven.cli.MavenCli.main(MavenCli.java:362)
        at
org.apache.maven.cli.compat.CompatibleMain.main(CompatibleMain.java:60)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.jav
a:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.codehaus.classworlds.Launcher.launchEnhanced(Launcher.java:315)
        at org.codehaus.classworlds.Launcher.launch(Launcher.java:255)
        at
org.codehaus.classworlds.Launcher.mainWithExitCode(Launcher.java:430)
        at org.codehaus.classworlds.Launcher.main(Launcher.java:376)

As it turns out, RemoteRepositories cannot be null, so I added the one from
current project settings.

Patch as attachment.

Original issue reported on code.google.com by [email protected] on 29 Apr 2010 at 11:47

Attachments:

Doesn't work with Maven 3.0-beta-1 

The maven-external-dependency-plugin does work with Maven 2.2, but fails
with 3.0-beta-1: It doesn't get a chance to resolve or install an external
dependency if it is declared as a project dependency under <dependencies>;
you get a MultipleArtifactsNotFoundException first.

Original issue reported on code.google.com by [email protected] on 27 May 2010 at 2:18

Support ZIP files 

Some projects are shipped as ZIP files, like GAE...

Would be awesome seeing it downloading it once
http://googleappengine.googlecode.com/files/appengine-java-sdk-1.3.0.zip
then unpacking and slicing it.

VELO

Original issue reported on code.google.com by [email protected] on 8 Feb 2010 at 1:03

0.5-SNAPSHOT POM no longer available 

maven-external-dependency-plugin-0.5-SNAPSHOT.pom is no longer available on the 
Sonatype OSS site:

https://oss.sonatype.org/content/groups/public/com/savage7/maven/plugins/maven-e
xternal-dependency-plugin/0.5-SNAPSHOT/

Original issue reported on code.google.com by [email protected] on 8 Feb 2012 at 7:20

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.