Upgrading a J2EE project to the latest libraries

use*_*026 6 java dependencies jar maven

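For security reasons, I have been given the task of tidying up a J2EE application and upgrading all of its libraries (some old jars have had security issues reported against them).

We are using Maven, and I have a few questions:
Is it possible to find unused jars?
How do I upgrade the libraries?
If library A is upgraded, how do I find the minimum version of the related libraries?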

m2/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
m2/asm/asm/3.3.1/asm-3.3.1.jar
m2/cglib/cglib-nodep/2.2.2/cglib-nodep-2.2.2.jar
m2/cglib/cglib/2.2.2/cglib-2.2.2.jar
m2/com/google/code/gson/gson/2.7/gson-2.7.jar
m2/com/ibm/icu/icu4j/53.1/icu4j-53.1.jar
m2/com/thoughtworks/proxytoys/proxytoys/1.0/proxytoys-1.0.jar
m2/commons-beanutils/commons-beanutils/1.9.2/commons-beanutils-1.9.2.jar
m2/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
m2/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
m2/commons-io/commons-io/2.4/commons-io-2.4.jar
m2/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
m2/junit/junit/4.11/junit-4.11.jar
m2/org/apache/commons/commons-collections4/4.0/commons-collections4-4.0.jar
m2/org/apache/commons/commons-digester3/3.2/commons-digester3-3.2.jar
m2/org/apache/commons/commons-email/1.3.3/commons-email-1.3.3.jar
m2/org/apache/commons/commons-lang3/3.3.2/commons-lang3-3.3.2.jar
m2/org/apache/logging/log4j/log4j-api/2.1/log4j-api-2.1.jar
m2/org/apache/logging/log4j/log4j-core/2.1/log4j-core-2.1.jar
m2/org/apache/taglibs/taglibs-standard-impl/1.2.1/taglibs-standard-impl-1.2.1.jar
m2/org/apache/taglibs/taglibs-standard-spec/1.2.1/taglibs-standard-spec-1.2.1.jar
m2/org/mongodb/mongo-java-driver/2.12.4/mongo-java-driver-2.12.4.jar
m2/org/mongodb/morphia/morphia/1.3.2/morphia-1.3.2.jar
m2/org/slf4j/jcl-over-slf4j/1.7.7/jcl-over-slf4j-1.7.7.jar
m2/org/slf4j/slf4j-api/1.7.7/slf4j-api-1.7.7.jar
m2/org/springframework/data/spring-data-commons/1.8.0.RELEASE/spring-data-commons-1.8.0.RELEASE.jar
m2/org/springframework/data/spring-data-mongodb/1.5.0.RELEASE/spring-data-mongodb-1.5.0.RELEASE.jar
m2/org/springframework/spring-aop/4.0.5.RELEASE/spring-aop-4.0.5.RELEASE.jar
m2/org/springframework/spring-beans/4.0.5.RELEASE/spring-beans-4.0.5.RELEASE.jar
m2/org/springframework/spring-context/4.0.5.RELEASE/spring-context-4.0.5.RELEASE.jar
m2/org/springframework/spring-core/4.0.5.RELEASE/spring-core-4.0.5.RELEASE.jar
m2/org/springframework/spring-expression/4.0.5.RELEASE/spring-expression-4.0.5.RELEASE.jar
m2/org/springframework/spring-tx/3.2.9.RELEASE/spring-tx-3.2.9.RELEASE.jar
m2/org/springframework/spring-web/4.0.5.RELEASE/spring-web-4.0.5.RELEASE.jar
m2/org/springframework/spring-webmvc/4.0.5.RELEASE/spring-webmvc-4.0.5.RELEASE.jar
m2/xalan/serializer/2.7.1/serializer-2.7.1.jar
m2/xalan/xalan/2.7.1/xalan-2.7.1.jar
m2/xml-apis/xml-apis/1.3.04/xml-apis-1.3.04.jar

imT*_*chu 16

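  • Is it possible to find unused jars?

    Yes! You can use the Apache Maven Dependency Plugin.

    You can run mvn dependency:analyze -DignoreNonCompile to find dependencies that are unused but declared, and dependencies that are used but undeclared. Take a look at the full documentation, because you can customize the exclusions, the phase in which you want the verification to run, and other aspects of this plugin.

    You can be as strict as you like; check the goals available for this plugin. With <goal>analyze-duplicate</goal> you can also catch duplicated dependencies. For example, if you want the build to fail on a "dependency error", you can define this plugin in your pom.xml like this: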

    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-dependency-plugin</artifactId>
      <executions>
        <execution>
          <id>analyze-dependencies</id>
          <goals>
            <goal>analyze-duplicate</goal>
            <goal>analyze-only</goal>
          </goals>
        </execution>
      </executions>
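      <configuration>
        <!-- analyze-only fails the build through failOnWarning;
             failBuild is only read by the analyze-dep-mgt goal -->
        <failOnWarning>true</failOnWarning>
        <failBuild>true</failBuild>
      </configuration>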
    </plugin>
    
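  • What about upgrading the libraries?

    Yes! For this task you can use the Versions Maven Plugin.

    To find new dependency updates you can use mvn versions:display-dependency-updates, which gives you a list of the latest versions of the dependencies in your pom.xml.

    You can also run mvn versions:display-plugin-updates to find plugin updates.

    By default this runs recursively; if you don't want it to recurse, you can use the -N flag.

    Putting it all together: mvn -N versions:display-dependency-updates versions:display-plugin-updates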
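
As an inventory step before running the plugins above, the following added example (not part of the answer and not code from any Maven plugin) parses local-repository jar paths like those in the question into groupId/artifactId/version coordinates and lists the groups whose artifacts resolve to more than one version, such as spring-tx 3.2.9.RELEASE next to the 4.0.5.RELEASE Spring modules. The function names and the sample subset are assumptions made for illustration; groups whose artifacts are versioned independently (for example org.apache.commons) will also be listed, so the output is a review list rather than a verdict.

```python
from collections import defaultdict

# Constructed sample: a subset of the jar paths listed in the question.
SAMPLE_PATHS = """\
m2/org/springframework/spring-core/4.0.5.RELEASE/spring-core-4.0.5.RELEASE.jar
m2/org/springframework/spring-web/4.0.5.RELEASE/spring-web-4.0.5.RELEASE.jar
m2/org/springframework/spring-tx/3.2.9.RELEASE/spring-tx-3.2.9.RELEASE.jar
m2/org/slf4j/slf4j-api/1.7.7/slf4j-api-1.7.7.jar
m2/org/slf4j/jcl-over-slf4j/1.7.7/jcl-over-slf4j-1.7.7.jar
m2/commons-io/commons-io/2.4/commons-io-2.4.jar
"""

def parse_jar_path(path, repo_root="m2"):
    """Turn <root>/<group dirs>/<artifact>/<version>/<file>.jar into (g, a, v)."""
    parts = path.strip().split("/")
    if parts and parts[0] == repo_root:
        parts = parts[1:]
    if len(parts) < 4 or not parts[-1].endswith(".jar"):
        raise ValueError(f"not a repository jar path: {path!r}")
    *group_dirs, artifact, version, filename = parts
    # The file name must repeat artifact and version; a classifier may follow.
    if not filename.startswith(f"{artifact}-{version}"):
        raise ValueError(f"file name does not match its directory: {path!r}")
    return ".".join(group_dirs), artifact, version

def versions_by_group(paths):
    """Map groupId -> {version: [artifactIds]} for every non-empty path."""
    groups = defaultdict(lambda: defaultdict(list))
    for line in paths:
        if line.strip():
            group, artifact, version = parse_jar_path(line)
            groups[group][version].append(artifact)
    return groups

def mixed_version_groups(paths):
    """Groups whose artifacts resolve to more than one version."""
    return {g: {v: sorted(a) for v, a in vs.items()}
            for g, vs in versions_by_group(paths).items() if len(vs) > 1}

if __name__ == "__main__":
    found = mixed_version_groups(SAMPLE_PATHS.splitlines())
    for group, versions in sorted(found.items()):
        print(group)
        for version, artifacts in sorted(versions.items()):
            print(f"  {version}: {', '.join(artifacts)}")
```
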