Keeping Projects Secure and Up to Date with the Outdated Maven Plugin
Author: Shaaf's blog
Published: July 14, 2024
It's not a Sunday morning. I was sipping coffee and scrolling through my feeds when I came across this gem that Markus Eisele had just posted.
At first I saw the title "Outdated Maven Plugin" and wondered what it meant. Either way, I went into the Git repository to have a look and found that it is a new project by Giovanni van der Schelde.
Keep your project updated and secure with the Outdated Maven Plugin!
The Outdated Maven Plugin is a tool designed to help developers identify outdated dependencies in a Maven project. By scanning the project's dependencies, the plugin determines, against a user-defined threshold of years of inactivity, whether they are no longer actively maintained. This ensures that your project always uses the latest and most secure versions of its dependencies.
This really does address a widespread problem. In many environments, old binaries are still in use. On top of that, if the user can specify a threshold for the check to keep pace with binary updates, that is a huge help. A quick online search shows how to find unused libraries with the Maven Dependency Plugin; it is easy to lose track of which dependencies are actually in use, so that is a big help as well.
This plugin, however, checks for updates and gives developers and users data that flags something important may need attention, especially when a library is old or may carry a security risk.
Getting started
I just dropped the following plugin into my project's pom.xml. Actually, it isn't my project: I simply cloned the Apache Struts examples repository from GitHub and gave it a try. Sorry, Apache Struts, but when I think back to programming web systems more than a decade ago, you are one of the first things that come to mind.
    <plugin>
      <groupId>com.giovds</groupId>
      <artifactId>outdated-maven-plugin</artifactId>
      <version>1.0.0</version>
      <configuration>
        <!-- Maximum number of years of inactivity allowed -->
        <years>1</years>
        <!-- Whether to fail the build if outdated dependencies are found -->
        <shouldFailBuild>false</shouldFailBuild>
      </configuration>
      <executions>
        <execution>
          <id>outdated-check</id>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
Note that the <configuration> of the plugin above has two parameters:
<years>: any library that has not been updated in more than 1 year.
<shouldFailBuild>: we do not want the build to fail, so this is set to false.
Then, to run this plugin on my project, I ran the following command.
    mvn com.giovds:outdated-maven-plugin:check
Example output
Here is an interesting piece of output. By the criteria above (1 year), the rest-angular module has outdated dependencies.
[INFO] -------------------< org.apache.struts:rest-angular >-------------------
[INFO] Building REST Plugin based application with AngularJS 1.1.0 [33/47]
[INFO] from rest-angular/pom.xml
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- outdated:1.0.0:check (default-cli) @ rest-angular ---
[WARNING] Dependency 'org.hamcrest:hamcrest-all:1.3' has not received an update since version '1.3' was last uploaded '2012-07-09'.
[WARNING] Dependency 'org.hibernate.validator:hibernate-validator:6.2.3.Final' has not received an update since version '6.2.3.Final' was last uploaded '2022-03-03'.
[WARNING] Dependency 'org.glassfish:javax.el:3.0.1-b12' has not received an update since version '3.0.1-b12' was last uploaded '2020-10-12'.
[WARNING] Dependency 'com.fasterxml.jackson.core:jackson-core:2.14.1' has not received an update since version '2.14.1' was last uploaded '2022-11-22'.
[WARNING] Dependency 'com.fasterxml.jackson.core:jackson-annotations:2.14.1' has not received an update since version '2.14.1' was last uploaded '2022-11-22'.
[WARNING] Dependency 'com.fasterxml.jackson.core:jackson-databind:2.14.1' has not received an update since version '2.14.1' was last uploaded '2022-11-22'.
[WARNING] Dependency 'com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.14.1' has not received an update since version '2.14.1' was last uploaded '2022-11-22'.
[WARNING] Dependency 'junit:junit:4.13.2' has not received an update since version '4.13.2' was last uploaded '2021-02-13'.
[WARNING] Dependency 'com.jayway.jsonpath:json-path:2.7.0' has not received an update since version '2.7.0' was last uploaded '2022-01-30'.
[WARNING] Dependency 'javax.servlet:javax.servlet-api:4.0.1' has not received an update since version '4.0.1' was last uploaded '2018-04-20'.
[WARNING] Dependency 'javax.servlet:jsp-api:2.0' has not received an update since version '2.0' was last uploaded '2005-11-08'.
The output is clear: the dependency name, its version, and when it was last uploaded to the Maven repository.
Problems encountered
I ran into one problem. I was running Java 17, but the plugin was compiled with the latest Java LTS, version 21.
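As an added example (not the plugin's own code, which is a Java Maven mojo), the following Python script parses warning lines in the format shown above, measures each dependency's age against a threshold like the plugin's <years> setting, and mirrors <shouldFailBuild> so a CI job can decide on its own whether to fail even when the build itself is configured not to. The reference date (the post's publication date) and the sample lines are constructed from the output above.

```python
import re
from datetime import date

# Warning line format emitted by the plugin's check goal (matches the sample output above).
WARNING_RE = re.compile(
    r"\[WARNING\] Dependency '(?P<coords>[^']+)' has not received an update since "
    r"version '(?P<version>[^']+)' was last uploaded '(?P<uploaded>\d{4}-\d{2}-\d{2})'\."
)

# Constructed sample: four warning lines taken from the output above plus one INFO line.
SAMPLE_LOG = """\
[INFO] --- outdated:1.0.0:check (default-cli) @ rest-angular ---
[WARNING] Dependency 'org.hamcrest:hamcrest-all:1.3' has not received an update since version '1.3' was last uploaded '2012-07-09'.
[WARNING] Dependency 'org.hibernate.validator:hibernate-validator:6.2.3.Final' has not received an update since version '6.2.3.Final' was last uploaded '2022-03-03'.
[WARNING] Dependency 'com.fasterxml.jackson.core:jackson-databind:2.14.1' has not received an update since version '2.14.1' was last uploaded '2022-11-22'.
[WARNING] Dependency 'javax.servlet:jsp-api:2.0' has not received an update since version '2.0' was last uploaded '2005-11-08'.
"""

# Reference date for the age calculation; the post's publication date, assumed here.
TODAY = date(2024, 7, 14)

def parse_warnings(log_text):
    """Extract (coordinates, version, last-upload date) from every plugin warning line."""
    found = []
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            found.append((m.group("coords"), m.group("version"),
                          date.fromisoformat(m.group("uploaded"))))
    return found

def stale_dependencies(log_text, years, today=TODAY):
    """Warnings whose last upload is older than `years` (like the plugin's <years>), oldest first."""
    # Age in days / 365.25, so a threshold of 1 means "more than a year since the last upload".
    stale = []
    for coords, version, uploaded in parse_warnings(log_text):
        age_years = (today - uploaded).days / 365.25
        if age_years > years:
            stale.append((coords, version, uploaded.isoformat(), round(age_years, 1)))
    stale.sort(key=lambda row: row[3], reverse=True)
    return stale

def build_should_fail(log_text, years, should_fail_build, today=TODAY):
    """Mirror <shouldFailBuild>: fail only when the flag is set and something is stale."""
    return should_fail_build and bool(stale_dependencies(log_text, years, today))

if __name__ == "__main__":
    for coords, version, uploaded, age in stale_dependencies(SAMPLE_LOG, years=1):
        print(f"{age:5.1f}y  {coords}  (last upload {uploaded})")
```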
Execution default-cli of goal com.giovds:outdated-maven-plugin:1.0.0:check failed:
Unable to load the mojo 'check' in the plugin 'com.giovds:outdated-maven-plugin:1.0.
0' due to an API incompatibility: org.codehaus.plexus.component.repository.exception.
ComponentLookupException: com/giovds/OutdatedMavenPluginMojo has been compiled by a
more recent version of the Java Runtime (class file version 65.0), this version of
the Java Runtime only recognizes class file versions up to 61.0
I expect there are many projects still on version 17 or earlier. New Relic's State of the Java Ecosystem report also points out which versions are in use. I think many older Java environments are exactly where a tool like this would be very useful and could help users even further.
Update, July 18, 2024
The project author has added support for the LTS-1 version, i.e. Java 17.