Banned Dependencies

This rule checks the dependencies and fails if any of the matching excludes are found.

The following parameters are supported by this rule:

  • searchTransitive - if transitive dependencies should be checked.
  • excludes - a list of artifacts to ban. The format is groupId[:artifactId][:version][:type][:scope] where artifactId, version, type, and scope are optional. Wildcards may be used to replace an entire section. Examples:
    • org.apache.maven
    • org.apache.maven:badArtifact
    • org.apache.maven:artifact:badVersion
    • org.apache.maven:*:1.2
    • org.apache.maven:*:*:jar:test
  • includes - a list of artifacts to include. These are exceptions to the excludes. It is meant to allow wide exclusion rules with wildcards and fine tune using includes. If nothing has been excluded, then the includes have no effect. In otherwords, includes only subtract from artifacts that matched an exclude rule.

    For example, to ban all xerces except xerces-api you would exclude "xerces" (groupId) and include "xerces:xerces-api"

  • message - an optional message to the user if the rule fails.

Sample Plugin Configuration:

<project>
  [...]
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>1.1.1</version>
        <executions>
          <execution>
            <id>enforce-banned-dependencies</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>org.apache.maven</exclude>
                    <exclude>org.apache.maven:badArtifact</exclude>
                    <exclude>*:badArtifact</exclude>
                  </excludes>
                  <includes>
                    <!--only 1.0 of badArtifact is allowed-->
                    <include>org.apache.maven:badArtifact:1.0</include>
                  </includes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  [...]
</project>