google / guava

Google core libraries for Java

com.googlecode.owasp-java-html-sanitizer download incorrect guava parent (failing to find com.google.guava:guava-parent:pom:31.1.0.redhat-00001)

prashanthparsi opened this issue · comments

We are seeing issues with our builds failing to find com.google.guava:guava-parent:pom:31.1.0.redhat-00001

com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:jar:20160628.1 -> com.google.guava:guava:jar:31.1.0.redhat-00001: Failed to read artifact descriptor for com.google.guava:guava:jar:31.1.0.redhat-00001: Failure to find com.google.guava:guava-parent:pom:31.1.0.redhat-00001

Is this an issue with the new Guava publish? It sounds like the Red Hat version is not published correctly.

This doesn't even exist in the Red Hat Maven repo - https://maven.repository.redhat.com/ga/com/google/guava/guava-parent/

Who could fix the publish issue of guava-parent?

We are getting the same. Can someone please take a look into this issue?

Yep. Same issue :(
Can someone help, please?

Was facing the same issue.
Updated the library:

com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20211018.2

Now it's working.

Getting the same issue
com.github.rholder:guava-retrying:jar:2.0.0 -> com.google.guava:guava:jar:31.1.0.redhat-00001: Failed to read artifact descriptor for com.google.guava:guava:jar:31.1.0.redhat-00001: com.google.guava:guava-parent:pom:31.1.0.redhat-00001 was not found in https://repo.maven.apache.org/maven2/ during a previous attempt. This failure was cached in the local repository and resolution is not reattempted until the update interval of maven has elapsed or updates are forced -> [Help 1]

We have seen the same, albeit through a different dependency tree.

A temp workaround for local builds until this is resolved is to add the following code to your parent pom under dependencyManagement:

			<dependency>
				<groupId>com.google.guava</groupId>
				<artifactId>guava</artifactId>
				<version>30.1.0.redhat-00001</version>
				<scope>compile</scope>
			</dependency>

Guava does not release whatever these redhat dependencies you're having problems with are. These are the only versions of Guava we've released.

@cgdecker Yes, but how do you explain these errors? Several of us are getting them, so this is not an isolated problem.
What are your suggestions to fix this?

@byahia Looking at mvnrepository.com, it looks like version "31.1.0.redhat-00001" is provided by Red Hat's Maven repository. Do you have this repository in your build? Furthermore, do you import Guava with dynamic versions? If so, does removing the Red Hat repository or pinning your Guava version to 31.1-jre (or 31.1-android if you're on Java 7 or Android) fix things?

For clarity, any versions of Guava in that Red Hat repository are not released by Google. They're probably released by a team at Red Hat who need their own built version of Guava, for whatever reason.

Thanks @jbduncan for your reply, but even with the link you provided, they don't have the version the error claims.

Failed to collect dependencies at com.matthewcasperson:parameter_validation_filter:jar:1.2.1 -> com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:jar:r239 -> com.google.guava:guava:jar:31.1.0.redhat-00001: Failed to read artifact descriptor for com.google.guava:guava:jar:31.1.0.redhat-00001: Could not find artifact com.google.guava:guava-parent:pom:31.1.0.redhat-00001 in artifactory-maven

@byahia Sorry, I've not understood yet. Who is "they" in this context? I ask because when I look in https://maven.repository.redhat.com/earlyaccess/all/com/google/guava/guava/31.1.0.redhat-00001/, I see the offending Red Hat version of Guava there.

Ah, I see that you're transitively importing a dynamic version of Guava, because according to Maven Central, your "owasp-java-html-sanitizer" dependency in turn imports an unspecified version of Guava, so your build tool chooses what it thinks is the latest version of Guava, which is the Red Hat one in this case.

If you have any Red Hat Maven repositories in your build, try removing those first, as that will force the build to import the real version of Guava instead.

If not, then it's an issue you need to raise with the maintainers of "owasp-java-html-sanitizer".

Regardless, "owasp-java-html-sanitizer" shouldn't be using a dynamic version of Guava anyway, so I suggest raising an issue with them anyway. :)

Also it looks like you're importing "owasp-java-html-sanitizer" through https://github.com/mcasperson/ParameterValidationFilter, which hasn't been maintained since 2016, so I strongly encourage you to move away from that library too.

I've also just seen that you're using Artifactory. Does your company's Artifactory instance mirror Red Hat's repositories, by any chance? If so, and if you don't have control over that, then I strongly encourage you to pin your Guava version to a specific version like 31.1-jre or 31.1-android in the short term, and to raise an issue with "owasp-java-html-sanitizer" in the long term.

What is the fix for this issue? We're experiencing the same problem, with the log below:

Could not resolve dependencies for project XX.XXX.XXX: Failed to collect dependencies at com.github.rholder:guava-retrying:jar:2.0.0 -> com.google.guava:guava:jar:31.1.0.redhat-00001: Failed to read artifact descriptor for com.google.guava:guava:jar:31.1.0.redhat-00001: Could not find artifact com.google.guava:guava-parent:pom:31.1.0.redhat-00001 in central (https://repo1.maven.org/maven2)

@nicodmt See my messages above. This most likely isn't a problem with Guava but with the Maven repositories your project is using, as you could very well be using a company-internal repository like Artifactory that is in turn using Red Hat's repository, in turn confusing your build into using Red Hat's version of Guava over the official one. If so, this needs to be raised with the team responsible for your internal repo or with your repo provider. Otherwise, you may be importing the Red Hat repo directly, which should be removed if possible. If neither of these can be done, do some research on how to exclude the Red Hat version of Guava from your build.
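
Added example, not part of the thread and not code from any project named in it: a small Python check that flags dependencies declared with a version range or a `LATEST`/`RELEASE` meta-version, the "dynamic version" pattern discussed above that lets whichever configured repository offers the highest version decide what a build pulls in. The sample POM, its coordinates and its ranges are constructed for illustration, and the check assumes POMs that use the standard Maven 4.0.0 namespace.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
META_VERSIONS = {"LATEST", "RELEASE"}

# Constructed sample POM (illustrative only, not copied from a real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>sample-lib</artifactId><version>1.0</version>
  <properties><codec.version>[1.9,2.0)</codec.version></properties>
  <dependencies>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId><version>[11.0,)</version></dependency>
    <dependency><groupId>commons-codec</groupId><artifactId>commons-codec</artifactId><version>${codec.version}</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>pinned</artifactId><version>[2.3]</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>fixed</artifactId><version>31.1-jre</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>floating</artifactId><version>LATEST</version></dependency>
  </dependencies>
</project>"""


def classify(version):
    """Return why a version spec is dynamic, or None if it names one version."""
    v = version.strip()
    if v in META_VERSIONS:
        return "meta-version"
    # "[2.3]" is an exact hard pin; only bracketed specs with a comma are ranges.
    if v.startswith(("[", "(")) and "," in v:
        return "range"
    return None


def find_dynamic_versions(pom_xml):
    """List (groupId:artifactId, version, reason) for every dynamic dependency."""
    root = ET.fromstring(pom_xml)
    # Resolve ${property} references so a range hidden in <properties> is seen.
    props = {p.tag.split("}")[-1]: (p.text or "")
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iterfind(".//m:dependency", NS):
        raw = dep.findtext("m:version", "", NS)
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), raw)
        reason = classify(version)
        if reason:
            coord = f'{dep.findtext("m:groupId", "", NS)}:{dep.findtext("m:artifactId", "", NS)}'
            findings.append((coord, version, reason))
    return findings


if __name__ == "__main__":
    for coord, version, reason in find_dynamic_versions(SAMPLE_POM):
        print(f"{coord} {version} ({reason})")
```

Run it over the POMs of your direct and transitive dependencies; each hit is a coordinate worth pinning in `dependencyManagement` so that adding or mirroring another repository cannot change which artifact gets resolved.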