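Resolving the Spring Framework vulnerability published by spring.io
I tried to upgrade the Spring Boot version from 2.4.5 to the new 2.5.12. With Gradle 6.8, running the ./gradlew clean build task fails with this error:
Invalid packaging for parent POM org.apache.logging.log4j:log4j-api:2.17.2, must be "pom" but is "jar" in org.apache.logging.log4j:log4j-api:2.17.2
The dependency org.springframework.boot:spring-boot-starter-webflux loads the internal dependency log4j-api:2.17.2.
How do I resolve the invalid parent POM packaging for the internal dependency?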
build.gradle
buildscript {
    ext {
        springBootVersion = '2.5.12'
    }
    repositories {
        mavenCentral()
    }
    dependencies {
        // The exclude closure must start on the same line as the classpath call
        classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}") {
            exclude group: 'org.slf4j', module: 'slf4j-ext'
        }
    }
}
apply plugin: 'java'
apply plugin: 'eclipse'
apply plugin: 'org.springframework.boot'
apply plugin: 'io.spring.dependency-management'
group = 'com.service'
version = ''
sourceCompatibility = 11
def logbackVersion = '1.2.3'
repositories {
    mavenCentral()
}
// Forces every module in the org.apache.logging.log4j group to 2.17.1
configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'org.apache.logging.log4j') {
            details.useVersion '2.17.1'
        }
    }
}
dependencies {
    implementation ('org.springframework.boot:spring-boot-starter-webflux')
    developmentOnly('org.springframework.boot:spring-boot-devtools')
    testImplementation('org.springframework.boot:spring-boot-starter-test')
    testImplementation('io.projectreactor:reactor-test')
    implementation("ch.qos.logback:logback-core:${logbackVersion}")
    implementation("ch.qos.logback:logback-classic:${logbackVersion}")
    implementation('org.apache.httpcomponents:httpclient:4.5.11')
    implementation('org.apache.commons:commons-collections4:4.4')
    implementation("org.springframework.cloud:spring-cloud-vault-config:2.1.3.RELEASE")
    implementation("org.springframework.cloud:spring-cloud-vault-config-consul:2.1.3.RELEASE")
    implementation group: 'org.springframework.cloud', name: 'spring-cloud-consul-dependencies', version: '1.0.0.RELEASE', ext: 'pom'
    implementation('com.amazonaws:aws-java-sdk-sqs:1.11.634')
    implementation('org.projectlombok:lombok:1.18.12')
    implementation('org.yaml:snakeyaml:1.26')
    implementation group: 'com.google.code.gson', name: 'gson', version: '2.8.6'
    annotationProcessor('org.projectlombok:lombok:1.18.12')
    implementation group: 'org.bouncycastle', name: 'bc-fips', version: '1.0.2'
    implementation group: 'org.bouncycastle', name: 'bctls-fips', version: '1.0.11'
}

Posted on 2022-04-12 17:02:26
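Adding the Spring Cloud dependencies mavenBom helped resolve the issue. I suspect webflux was bringing in transitive dependencies at older versions, and adding the Spring Cloud dependencies BOM in dependencyManagement made sure that all Spring dependencies are on the same version.
Below is the updated build.gradle file that works: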
plugins {
    id 'org.springframework.boot' version '2.6.6'
    id 'io.spring.dependency-management' version '1.0.11.RELEASE'
    id 'java'
    id 'application'
}
group = 'com.service'
version = '1.0.0-SNAPSHOT'
sourceCompatibility = '11'
application {
    mainClass = 'com.service.scheduler.SchedulerApplication'
}
repositories {
    mavenCentral()
}
ext {
    set('springCloudVersion', "2021.0.1")
    set('logbackVersion', "1.2.11")
}
bootJar {
    archiveFileName = 'scheduler.jar'
}
bootRun {
    systemProperties = System.properties
}
dependencies {
    /*---spring dependencies---*/
    implementation 'org.springframework.boot:spring-boot-starter-webflux'
    implementation 'org.springframework.cloud:spring-cloud-starter-vault-config'
    implementation 'org.springframework.cloud:spring-cloud-vault-config-consul'
    developmentOnly 'org.springframework.boot:spring-boot-devtools'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    testImplementation 'io.projectreactor:reactor-test'
    implementation 'com.amazonaws:aws-java-sdk-sqs:1.12.187'
    implementation 'org.apache.httpcomponents:httpclient:4.5.13'
    implementation 'org.apache.commons:commons-collections4:4.4'
    implementation 'org.yaml:snakeyaml:1.30'
    implementation 'com.google.code.gson:gson:2.9.0'
    /*---fips dependencies---*/
    implementation group: 'org.bouncycastle', name: 'bc-fips', version: '1.0.2'
    implementation group: 'org.bouncycastle', name: 'bctls-fips', version: '1.0.11'
    /*---lombok dependencies---*/
    implementation 'org.projectlombok:lombok:1.18.22'
    annotationProcessor 'org.projectlombok:lombok:1.18.22'
    /*---logback dependencies---*/
    implementation("ch.qos.logback:logback-core:${logbackVersion}")
    implementation("ch.qos.logback:logback-classic:${logbackVersion}")
}
dependencyManagement {
    imports {
        mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
    }
}

https://stackoverflow.com/questions/71773663
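
Added example, not part of the question or the answer: a verification task that could be appended to the working build.gradle to confirm which org.apache.logging.log4j versions the runtime classpath actually resolves once the BOM manages them, failing the build if any is below a floor or if versions are mixed. The task name verifyLog4jVersions is hypothetical, and the 2.17.1 floor is an assumption taken from the question's resolutionStrategy.

```groovy
// Added example, not part of the answer's build file.
// Assumption: the floor is the 2.17.1 value from the question's resolutionStrategy.
def log4jFloor = '2.17.1'

// Numeric parts of a version string, e.g. '2.17.1' -> [2, 17, 1].
def numericParts = { String v ->
    v.tokenize('.-').findAll { it.isInteger() }.collect { it.toInteger() }
}

// True when version a sorts strictly before version b.
def olderThan = { String a, String b ->
    def x = numericParts(a)
    def y = numericParts(b)
    for (int i = 0; i < Math.max(x.size(), y.size()); i++) {
        int d = (i < x.size() ? x[i] : 0) <=> (i < y.size() ? y[i] : 0)
        if (d != 0) {
            return d < 0
        }
    }
    return false
}

// Hypothetical task name; inspects what Gradle resolved, not what was declared.
tasks.register('verifyLog4jVersions') {
    group = 'verification'
    description = 'Fails if a resolved org.apache.logging.log4j module is below the floor.'
    doLast {
        def resolved = configurations.runtimeClasspath.incoming.resolutionResult.allComponents
            .collect { it.moduleVersion }
            .findAll { it != null && it.group == 'org.apache.logging.log4j' }
        resolved.each { logger.lifecycle("resolved ${it.group}:${it.name}:${it.version}") }

        def tooOld = resolved.findAll { olderThan(it.version, log4jFloor) }
        if (tooOld) {
            throw new GradleException("log4j below ${log4jFloor}: " +
                tooOld.collect { "${it.name}:${it.version}" }.join(', '))
        }
        // Mixed versions in the group can indicate a BOM and a manual override disagreeing.
        def versions = resolved.collect { it.version }.unique()
        if (versions.size() > 1) {
            throw new GradleException("mixed log4j versions resolved: ${versions.join(', ')}")
        }
    }
}

// Run the check as part of the standard 'check' lifecycle task.
tasks.named('check') { dependsOn 'verifyLog4jVersions' }
```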