Require upper bound dependencies error for org.ow2.asm:asm:9.5 #1032

basil opened this issue Oct 3, 2024 · 7 comments

basil commented Oct 3, 2024

While trying to upgrade workflow-job to the 5.0 release in jenkinsci/workflow-job-plugin#471, I am getting this bizarre Enforcer error:

Require upper bound dependencies error for org.ow2.asm:asm:9.5 paths to dependency are:
+-org.jenkins-ci.plugins.workflow:workflow-job:999999-SNAPSHOT
  +-org.jenkins-ci.plugins.workflow:workflow-api:1322.v857eeeea_9902
    +-org.jenkins-ci.plugins:scm-api:690.vfc8b_54395023 (managed) <-- org.jenkins-ci.plugins:scm-api:683.vb_16722fb_b_80b_
      +-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8 (managed) <-- io.jenkins.plugins:asm-api:9.6-3.v2e1fa_b_338cd7
        +-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7
and
+-org.jenkins-ci.plugins.workflow:workflow-job:999999-SNAPSHOT
  +-org.jenkins-ci.plugins.workflow:workflow-api:1322.v857eeeea_9902
    +-org.jenkins-ci.plugins:scm-api:690.vfc8b_54395023 (managed) <-- org.jenkins-ci.plugins:scm-api:683.vb_16722fb_b_80b_
      +-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8 (managed) <-- io.jenkins.plugins:asm-api:9.6-3.v2e1fa_b_338cd7
        +-org.ow2.asm:asm-commons:9.7
          +-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7
and
+-org.jenkins-ci.plugins.workflow:workflow-job:999999-SNAPSHOT
  +-org.jenkins-ci.plugins.workflow:workflow-api:1322.v857eeeea_9902
    +-org.jenkins-ci.plugins:scm-api:690.vfc8b_54395023 (managed) <-- org.jenkins-ci.plugins:scm-api:683.vb_16722fb_b_80b_
      +-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8 (managed) <-- io.jenkins.plugins:asm-api:9.6-3.v2e1fa_b_338cd7
        +-org.ow2.asm:asm-tree:9.7
          +-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7
and
+-org.jenkins-ci.plugins.workflow:workflow-job:999999-SNAPSHOT
  +-org.jenkins-ci.plugins.workflow:workflow-api:1322.v857eeeea_9902
    +-org.jenkins-ci.plugins:scm-api:690.vfc8b_54395023 (managed) <-- org.jenkins-ci.plugins:scm-api:683.vb_16722fb_b_80b_
      +-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8 (managed) <-- io.jenkins.plugins:asm-api:9.6-3.v2e1fa_b_338cd7
        +-org.ow2.asm:asm-util:9.7
          +-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7

I cannot figure out where ASM 9.5 is coming from in the above dependency tree. Does anyone have any idea what is going on here?


basil commented Oct 4, 2024

A more minimal reproducible example (MRE) can be seen in scm-api with

diff --git a/pom.xml b/pom.xml
index e957746..f0eff46 100644
--- a/pom.xml
+++ b/pom.xml
@@ -29,7 +29,7 @@
   <parent>
     <groupId>org.jenkins-ci.plugins</groupId>
     <artifactId>plugin</artifactId>
-    <version>4.88</version>
+    <version>5.0</version>
     <relativePath/>
   </parent>
 
@@ -56,7 +56,7 @@
 
   <properties>
     <changelist>999999-SNAPSHOT</changelist>
-    <jenkins.version>2.426.3</jenkins.version>
+    <jenkins.version>2.479</jenkins.version>
     <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
     <no-test-jar>false</no-test-jar>
     <hpi.compatibleSinceVersion>2.0.0</hpi.compatibleSinceVersion>
@@ -79,8 +79,8 @@
     <dependencies>
       <dependency>
         <groupId>io.jenkins.tools.bom</groupId>
-        <artifactId>bom-2.426.x</artifactId>
-        <version>2839.v003b_4d9d24fd</version>
+        <artifactId>bom-2.452.x</artifactId>
+        <version>3413.v0d896b_76a_30d</version>
         <scope>import</scope>
         <type>pom</type>
       </dependency>
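
Review bot: the import in this hunk switches to bom-2.452.x while the previous hunk sets jenkins.version to 2.479, so the BOM line and the core baseline in this POM no longer match. If the mismatch is deliberate for the reproduction, note that next to the import; otherwise use the BOM line that corresponds to the baseline, so that the managed plugin versions and the core baseline are a pair that is meant to go together.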

which produces

Require upper bound dependencies error for org.ow2.asm:asm:9.5 paths to dependency are:
+-org.jenkins-ci.plugins:scm-api:999999-SNAPSHOT
  +-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8
    +-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7
and
+-org.jenkins-ci.plugins:scm-api:999999-SNAPSHOT
  +-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8
    +-org.ow2.asm:asm-commons:9.7
      +-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7
and
+-org.jenkins-ci.plugins:scm-api:999999-SNAPSHOT
  +-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8
    +-org.ow2.asm:asm-tree:9.7
      +-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7
and
+-org.jenkins-ci.plugins:scm-api:999999-SNAPSHOT
  +-io.jenkins.plugins:asm-api:9.7-33.v4d23ef79fcc8
    +-org.ow2.asm:asm-util:9.7
      +-org.ow2.asm:asm:9.5 (managed) <-- org.ow2.asm:asm:9.7

The relevant portion of mvn dependency:tree -Dverbose:

[INFO] org.jenkins-ci.plugins:scm-api:hpi:999999-SNAPSHOT
[INFO] +- io.jenkins.plugins:asm-api:jar:9.7-33.v4d23ef79fcc8:compile
[INFO] |  +- org.ow2.asm:asm:jar:9.5:compile (version managed from 9.7)
[INFO] |  +- org.ow2.asm:asm-analysis:jar:9.7:compile
[INFO] |  |  \- (org.ow2.asm:asm-tree:jar:9.7:compile - omitted for duplicate)
[INFO] |  +- org.ow2.asm:asm-commons:jar:9.7:compile
[INFO] |  |  +- (org.ow2.asm:asm:jar:9.5:compile - version managed from 9.7; omitted for duplicate)
[INFO] |  |  \- (org.ow2.asm:asm-tree:jar:9.7:compile - omitted for duplicate)
[INFO] |  +- org.ow2.asm:asm-tree:jar:9.7:compile
[INFO] |  |  \- (org.ow2.asm:asm:jar:9.5:compile - version managed from 9.7; omitted for duplicate)
[INFO] |  \- org.ow2.asm:asm-util:jar:9.7:compile
[INFO] |     +- (org.ow2.asm:asm:jar:9.5:compile - version managed from 9.7; omitted for duplicate)
[INFO] |     +- (org.ow2.asm:asm-tree:jar:9.7:compile - omitted for duplicate)
[INFO] |     \- (org.ow2.asm:asm-analysis:jar:9.7:compile - omitted for duplicate)

For the life of me I cannot understand where 9.5 is coming from. When I run the same mvn dependency:tree -Dverbose command in that repository, at the same tag (9.7-33.v4d23ef79fcc8), everything looks right:

[INFO] io.jenkins.plugins:asm-api:hpi:9.7-999999-SNAPSHOT
[INFO] +- org.ow2.asm:asm:jar:9.7:compile
[INFO] +- org.ow2.asm:asm-analysis:jar:9.7:compile
[INFO] |  \- (org.ow2.asm:asm-tree:jar:9.7:compile - version managed from 9.7; omitted for duplicate)
[INFO] +- org.ow2.asm:asm-commons:jar:9.7:compile
[INFO] |  +- (org.ow2.asm:asm:jar:9.7:compile - version managed from 9.7; omitted for duplicate)
[INFO] |  \- (org.ow2.asm:asm-tree:jar:9.7:compile - version managed from 9.7; omitted for duplicate)
[INFO] +- org.ow2.asm:asm-tree:jar:9.7:compile
[INFO] |  \- (org.ow2.asm:asm:jar:9.7:compile - version managed from 9.7; omitted for duplicate)
[INFO] +- org.ow2.asm:asm-util:jar:9.7:compile
[INFO] |  +- (org.ow2.asm:asm:jar:9.7:compile - version managed from 9.7; omitted for duplicate)
[INFO] |  +- (org.ow2.asm:asm-tree:jar:9.7:compile - version managed from 9.7; omitted for duplicate)
[INFO] |  \- (org.ow2.asm:asm-analysis:jar:9.7:compile - version managed from 9.7; omitted for duplicate)

So why is the version set to 9.5 when this plugin is consumed in e.g. scm-api?
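
An added example, not part of the thread or of any Jenkins project code: a small parser that flags artifacts in `mvn dependency:tree -Dverbose` output whose resolved version was lowered by dependency management, which is the situation shown above. The sample is constructed from lines quoted in this comment, and the version comparison is a simplification (leading numeric components only), not Maven's own ordering.

```python
import re

# Constructed sample, assembled from the dependency:tree lines quoted in the thread.
SAMPLE = r"""
[INFO] org.jenkins-ci.plugins:scm-api:hpi:999999-SNAPSHOT
[INFO] +- io.jenkins.plugins:asm-api:jar:9.7-33.v4d23ef79fcc8:compile
[INFO] |  +- org.ow2.asm:asm:jar:9.5:compile (version managed from 9.7)
[INFO] |  +- org.ow2.asm:asm-commons:jar:9.7:compile
[INFO] |  |  +- (org.ow2.asm:asm:jar:9.5:compile - version managed from 9.7; omitted for duplicate)
[INFO] |  |  \- (org.ow2.asm:asm-tree:jar:9.7:compile - version managed from 9.7; omitted for duplicate)
"""

# Matches group:artifact:type:version:scope followed by "version managed from X",
# in both the plain and the parenthesised "omitted for duplicate" forms.
# Coordinates with a classifier (a sixth field) are not handled here.
MANAGED = re.compile(
    r"([\w.\-]+):([\w.\-]+):[\w.\-]+:([\w.\-]+):\w+\)?"
    r"\s*[(\-]\s*version managed from ([\w.\-]+)"
)


def numeric_prefix(version):
    """Leading numeric components of a version, e.g. '9.7-33.v4d' -> (9, 7, 33)."""
    parts = []
    for token in re.split(r"[.\-]", version):
        if not token.isdigit():
            break
        parts.append(int(token))
    return tuple(parts)


def managed_downgrades(tree_output):
    """Return sorted, unique (coordinate, resolved, requested) tuples where
    dependency management resolved a lower version than was requested."""
    found = set()
    for line in tree_output.splitlines():
        match = MANAGED.search(line)
        if not match:
            continue
        group, artifact, resolved, requested = match.groups()
        if numeric_prefix(resolved) < numeric_prefix(requested):
            found.add((f"{group}:{artifact}", resolved, requested))
    return sorted(found)


if __name__ == "__main__":
    for coord, resolved, requested in managed_downgrades(SAMPLE):
        print(f"{coord}: resolved {resolved}, but a dependency requested {requested}")
```

Entries that are managed to the same version they requested, such as the `asm-tree` line in the sample, are not reported.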


basil commented Oct 4, 2024

> So why is the version set to 9.5 when this plugin is consumed in e.g. scm-api?

After reading https://stackoverflow.com/questions/38245795/detect-versions-origin-of-a-managed-maven-dependency I ran mvn help:effective-pom -Dverbose which revealed the answer:

      <dependency>
        <groupId>org.ow2.asm</groupId>  <!-- com.google.inject:guice-parent:6.0.0, line 170 -->
        <artifactId>asm</artifactId>  <!-- com.google.inject:guice-parent:6.0.0, line 171 -->
        <version>9.5</version>  <!-- com.google.inject:guice-parent:6.0.0, line 172 -->
      </dependency>

which is coming from core. This looks like yet another case of #705.


basil commented Oct 4, 2024

For the life of me, I can't figure out how to get Jenkins core to stop delivering a managed dependency on ASM 9.5. I tried this in core:

diff --git a/bom/pom.xml b/bom/pom.xml
index a8c184ead7..070b5d7afd 100644
--- a/bom/pom.xml
+++ b/bom/pom.xml
@@ -51,6 +51,12 @@ THE SOFTWARE.
         <version>6.0.0</version>
         <type>pom</type>
         <scope>import</scope>
+        <exclusions>
+          <exclusion>
+            <groupId>org.ow2.asm</groupId>
+            <artifactId>asm</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
       <dependency>
         <groupId>org.slf4j</groupId>
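
Review bot: the <exclusions> block is attached to an entry with <type>pom</type> and <scope>import</scope>, and the effective POM quoted after this patch still shows org.ow2.asm:asm at 9.5 from guice-parent, so the exclusion is not filtering what the import contributes. To control the version, declare org.ow2.asm:asm explicitly in this <dependencyManagement> section instead; an entry declared directly in the POM takes precedence over one that arrives through an import.
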
diff --git a/core/pom.xml b/core/pom.xml
index 9bff5e5ad0..422c42cec6 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -109,6 +109,10 @@ THE SOFTWARE.
           <groupId>aopalliance</groupId>
           <artifactId>aopalliance</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>org.ow2.asm</groupId>
+          <artifactId>asm</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
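
Review bot: the new exclusion beside the aopalliance one only removes org.ow2.asm:asm from this dependency's transitive graph; it does not change the managed version, and the Enforcer paths earlier in the thread report the 9.5 as (managed). Drop it from this patch unless the artifact really must not arrive through this dependency, and add a comment saying so if it stays.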

But ASM 9.5 still shows up in mvn help:effective-pom -Dverbose:

        <dependency>
          <groupId>org.ow2.asm</groupId>  <!-- com.google.inject:guice-parent:6.0.0, line 170 -->
          <artifactId>asm</artifactId>  <!-- com.google.inject:guice-parent:6.0.0, line 171 -->
          <version>9.5</version>  <!-- com.google.inject:guice-parent:6.0.0, line 172 -->
        </dependency>

Not sure what to do at this point.


basil commented Oct 4, 2024

I managed to get things to work in scm-api by moving guice-bom from bom/pom.xml to core/pom.xml in core:

diff --git a/bom/pom.xml b/bom/pom.xml
index a8c184ead7..d9a7cb81b0 100644
--- a/bom/pom.xml
+++ b/bom/pom.xml
@@ -45,13 +45,6 @@ THE SOFTWARE.
 
   <dependencyManagement>
     <dependencies>
-      <dependency>
-        <groupId>com.google.inject</groupId>
-        <artifactId>guice-bom</artifactId>
-        <version>6.0.0</version>
-        <type>pom</type>
-        <scope>import</scope>
-      </dependency>
       <dependency>
         <groupId>org.slf4j</groupId>
         <artifactId>slf4j-bom</artifactId>
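
Review bot: removing the guice-bom import from bom/pom.xml drops every managed Guice version from it, not only the org.ow2.asm:asm entry that the effective POM above attributes to guice-parent, so anything that relies on this BOM for a Guice artifact version loses it. Name the affected consumers in the commit message, or keep explicit managed entries for the Guice artifacts they use.
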
diff --git a/core/pom.xml b/core/pom.xml
index 9bff5e5ad0..cded39da00 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -48,6 +48,13 @@ THE SOFTWARE.
 
   <dependencyManagement>
     <dependencies>
+      <dependency>
+        <groupId>com.google.inject</groupId>
+        <artifactId>guice-bom</artifactId>
+        <version>6.0.0</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
       <dependency>
         <groupId>org.jenkins-ci.main</groupId>
         <artifactId>jenkins-bom</artifactId>
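
Review bot: the guice-bom import is inserted ahead of the jenkins-bom import, and among imports the first declaration of a coordinate wins, so within core guice-bom now takes precedence over jenkins-bom for anything both manage. If jenkins-bom is supposed to have the final say, place the new entry after it; otherwise add a comment explaining the order.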

though this may have negative consequences for things like artifact-manager-s3-plugin that use com.google.inject.extensions:guice-assistedinject.


basil commented Oct 4, 2024

jenkinsci/workflow-job-plugin@554c796 demonstrates that jenkinsci/jenkins#9826 chases away the problem in workflow-job, but I am not satisfied with that solution because the problem is still visible in artifact-manager-s3-plugin.


basil commented Oct 4, 2024

jenkinsci/workflow-job-plugin@1df4ccc demonstrates that jenkinsci/jenkins#9827 chases away the problem in workflow-job. At this time, I believe this is my most promising lead, as it is a strict improvement over the status quo, which cannot make the problem any worse, but makes the problem better in some cases. It is still not a full solution, and I cannot think of a full solution at this time.


basil commented Oct 4, 2024

I intend to deliver jenkinsci/jenkins#9827 in 2.479.1.

basil added a commit to basil/plugin-pom that referenced this issue Oct 4, 2024
basil added a commit that referenced this issue Oct 4, 2024