Artifact is resolved incorrectly - v5.46.3

[torsten-liermann]

I am working on a larger Maven project and would find it difficult to provide the problem as a test case. However, perhaps the implementers of the Maven plugin might have an idea where the root cause of the issue lies. The task is the migration of pom.xml files.

The Maven plugin is invoked via the command line:
mvn org.openrewrite.maven:rewrite-maven-plugin:5.46.3:run -Drewrite.configLocation=https://raw.githubusercontent.com/torsten-liermann/openrewrite-pom-manipulation/refs/heads/main/rewrite.yml -Drewrite.activeRecipes=MigrateEAPDependencies

At the 80th pom.xml file, OpenRewrite fails with the following error:

[ERROR] Failed to execute goal org.openrewrite.maven:rewrite-maven-plugin:5.46.3:run (default-cli) on project ok-cash-produkt: Failed to parse or resolve the Maven POM file or one of its dependencies; We can not reliably continue without this information. Failed to parse or resolve the Maven POM file or one of its dependencies; We can not reliably continue without this information. 

The actual issue is that OpenRewrite uses an incorrect version number for this artifact. The correct version, set via a property in a parent pom.xml, is 1.6.1.

In the dependency management section of the parent pom.xml, it is defined as follows:

<dependency>
    <groupId>org.swinglabs</groupId>
    <artifactId>swingx</artifactId>
    <version>${version.org.swinglabs.swingx}</version>
</dependency>

The version property is defined in the same parent pom.xml as:

<version.org.swinglabs.swingx>1.6.1</version.org.swinglabs.swingx>

It's not an issue with the version property in dependency management. Even when I specify a fixed version there, the problem persists unchanged.

If the version is specified explicitly, it works.

The build runs successfully without OpenRewrite and correctly uses version 1.6.1 as expected.

It is worth mentioning this transitive dependency (from the effective-pom):

<dependency>
    <groupId>de.domain.bundles.org.swinglabs</groupId>
    <artifactId>swingx</artifactId>
    <version>1.6.5</version>
    <scope>provided</scope>
</dependency>

Is it possible that the artifact being checked is only identified by the artifactId and/or that the groupId is only checked using "contains"?

[timtebeek]

hi @torsten-liermann ; that "We can not reliably continue without this information." error is something we have addressed in
https://github.com/openrewrite/rewrite-maven-plugin/releases/tag/v5.47.0

That specific message such no longer occur when it was previously caused by dependencies where the .jar was present, but the pom.xml file is missing.

I hope that already helps you there!

[torsten-liermann]

Hi Tim,

This is not the cause of the issue reported here. The problem is that OpenRewrite attempts to check a dependency, org.swinglabs:swingx:1.6.5, which is not part of the build.
In the build, there is org.swinglabs:swingx:1.6.1 and de.domain.bundles.org.swinglabs:swingx:1.6.5.

What is noteworthy about these two artifacts is that they have the same artifactId and similar groupIds.

I tested version 5.47.0 with the same result. Even different maven versions, 3.8.8 and 3.9.9, show the same error pattern.

I believe I have a good understanding of maven and was trying to avoid debugging the maven process. But if you have no idea, I suppose I have no choice but to bite the bullet and dive into debugging. :-(

Here’s the stack trace as the maven plugin outputs it to the console as an ERROR:

[ERROR] org.openrewrite.maven.MavenDownloadingException: org.swinglabs:swingx:1.6.5 failed. Unable to download POM: org.swinglabs:swingx:1.6.5. Tried repositories: 
[ERROR] https://repo-domain.de/repository/allrepos/: HTTP 404 
[ERROR]   org.openrewrite.maven.internal.MavenPomDownloader.download(MavenPomDownloader.java:660) 
[ERROR]   org.openrewrite.maven.tree.ResolvedPom.resolveDependencies(ResolvedPom.java:929) 
[ERROR]   org.openrewrite.maven.tree.ResolvedPom.resolveDependencies(ResolvedPom.java:851) 
[ERROR]   org.openrewrite.maven.tree.MavenResolutionResult.resolveDependencies(MavenResolutionResult.java:175) 

[torsten-liermann]

So far, I have not been able to reproduce the issue in a small example. This small example here https://github.com/torsten-liermann/swingx-reproduce was meant to demonstrate the problem, but it is not sufficient yet.

In the actual project, the parent hierarchy consists of four parents, with the two topmost parents being external. In the topmost parent, a property version.org.swinglabs.swingx is defined with the value 1.6.5. This property is not intended to be overridden by a child. I know this is not ideal, but let's set that aside for now.

In the project's parent, the property version.org.swinglabs.swingx is redefined with the value 1.6.1—which might be a workaround for the aforementioned issue. This value is correct. Maven itself resolves the property correctly, giving priority to the property defined in the project. Unfortunately, in OpenRewrite, the property from the external parent takes precedence.

The project is so large that I cannot fully analyze the hundreds of calls to the mergeProperties() method in ResolvedPom.java.

[dtrembovetsk1]

I'm getting similar issue, also on a large project (so it's hard to minimize). openrewrite complains about dependency the same way.
Running this check, for example, produces the error (but so does any other openrewrite plugin):

mvn -U org.openrewrite.maven:rewrite-maven-plugin:run -Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-java-dependencies:RELEASE -Drewrite.activeRecipes=org.openrewrite.java.dependencies.DependencyResolutionDiagnostic -Drewrite.exportDatatables=true

...

[main] [ERROR] Failed to execute goal org.openrewrite.maven:rewrite-maven-plugin:5.47.3:run (default-cli) on project confluence-webapp: Failed to parse or resolve the Maven POM file or one of its dependencies; We can not reliably continue without this information.: Failed to parse or resolve the Maven POM file or one of its dependencies; We can not reliably continue without this information. 
[main] [ERROR] <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

Further in the error message it indicates that a few modules failed due to "No version provided":

... <!--~~(oro:oro failed. No version provided)~~>--><dependency>  ... 

A couple of these modules do have a version, set via property. And the other few are not (explicitly) used in the project, I can't figure out where they are coming from: mvn dependency:tree doesn't list them as dependencies.

Note that this happens on some modules in the project, but not others.

I've checked that I'm using 5.47.3 .

[torsten-liermann]

For more information about the origin of dependencies, use the option verbose = true, such as dependency:tree -Dverbose=true or, even better, help:effective-pom -Dverbose=true. If warnings appear during your regular Maven build, address those issues first.

[torsten-liermann]

I have not been able to solve my problem yet because I have not taken the time to provide an example. A quick debug session did not reveal the actual root cause, but I have the impression that it is related to the order in which a more complex parent hierarchy is processed by OpenRewrite. Most of the parents come from external POMs. In the project, a property with the same name is used, but for different dependencies. In the Maven reactor, it works because the property in the child POM takes precedence. Unfortunately, in OpenRewrite, the property from the parent takes precedence. At first glance, the code in OpenRewrite looks fine, but somewhere along the line, it is not.

[dtrembovetsk1]

For more information about the origin of dependencies, use the option verbose = true, such as dependency:tree -Dverbose=true or, even better, help:effective-pom -Dverbose=true. If warnings appear during your regular Maven build, address those issues first.

Thanks. No warnings in regular Maven build, or help:effective-pom.
The latter shows that a couple of modules OpenRewrite complains about are not actually used, so not sure where it's pulling them from.
And contrary, some of the dependencies are indeed used, but their version is set.

So I do think it's related to this problem where somehow openrewrite finds/uses different dependencies from the actual maven build.