framework/base/ivy.xml
<?xml version="1.0" encoding="UTF-8"?>
<ivy-module version="2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://ant.apache.org/ivy/schemas/ivy.xsd">
<info module="base" organisation="com.ilscipio.scipio.ce"/>
<!--
SCIPIO BASE IVY CONFIGURATIONS AND DEPENDENCIES
NOTICE: 2018-03-19: All prior (framework|applications|specialpurpose)/*/lib ivy dependencies
are now defined in this file (framework/base/ivy.xml) except for start component.
This file contains the base/core/common framework dependencies for stock ScipioCE/EE
as well as (now) the dependencies for nearly all framework, applications and specialpurpose
components, some themes dependencies, and even some (in temporary fashion) addons dependencies.
Use of single file allows centralized editing of stock Scipio dependencies
and exploiting transitive dependency resolution using ivy.
Custom/client configurations and dependencies may be added at the end of each section below.
NOTE: Adding new configurations requires updating the framework/base/build.xml
file (lib.resolve(.build).confs property and do-lib-update task overrides).
NOTE: If a library is not available in central, it may be added to the project
locally using the local-ivy resolver (ivy/localRepo/, see ivy/ivysettings.xml).
Some original stock libraries may still be handled this way at this time (2018-03-20).
-->
<configurations defaultconfmapping="sources->sources;%->default">
<!--
BASE FRAMEWORK COMPONENT CONFIGURATIONS
These configurations were already defined in this file (framework/base/ivy.xml) prior to 2018-03-19.
-->
<!-- general configurations -->
<conf name="base" description="download all framework/base/lib (root dir) jars required for build"/>
<conf name="base-jdk8" description="download all framework/base/lib (root dir) jars required for build - jdk8 only"/>
<conf name="base-jdk11" description="download all framework/base/lib (root dir) jars required for build - jdk11 only"/>
<!-- legacy categories (these each had a folder, no longer useful) -->
<conf name="commons" description="download all framework/base/commons jars required for build"/>
<conf name="j2eespecs" description="download all framework/base/j2eespecs jars required for build"/>
<conf name="scripting" description="download all framework/base/scripting jars required for build"/>
<conf name="media" description="download all framework/base/media jars required for build"/>
<!-- specific library downloads (NOTE: these may have deletion excludes in base/build.xml) -->
<conf name="groovy" description="download groovy jars required for build"/>
<!-- sources -->
<conf name="sources" description="download all available source jars"/>
<conf name="sources-jdk8" description="download all available source jars - jdk8 only"/>
<conf name="sources-jdk11" description="download all available source jars - jdk11 only"/>
<!--
ON-DEMAND OPTIONAL STOCK CONFIGURATIONS
These are special configurations for stock Scipio code and ant tasks which are only fetched
on user request and/or by special ant tasks, e.g. the "download-xxx" tasks in the main Scipio build.xml.
NOTE: These must NOT be included in the framework/base/build.xml resolution and update overrides.
-->
<!-- shared external ant deps -->
<conf name="ant-ext" description="download common external Ant scripting jars"/>
<!-- deps for main build.xml ant task: download-activemq -->
<conf name="activemq" description="download the ActiveMQ jars"/>
<!-- deps for main build.xml ant task: download-cobertura -->
<conf name="cobertura" description="download cobertura (GPL2.0) http://cobertura.sourceforge.net/"/>
<!-- deps for main build.xml ant task: download-jacoco -->
<conf name="jacoco" description="download JaCoCo (APL 2.0) https://www.jacoco.org"/>
<!-- deps for main build.xml ant task: download-sonar-ant-task -->
<conf name="sonar-ant-task" description="download the ant sonar task (need sonar)
http://docs.codehaus.org/display/SONAR/Analyzing+with+SonarQube+Ant+Task"/>
<!-- deps for main build.xml ant task: download-ant-js-nashorn -->
<conf name="ant-js-nashorn" description="download nashorn js engine for ant (JDK 15+)"/>
<!--
CUSTOM/CLIENT CONFIGURATIONS
Custom/client configurations which are required by several modules
or by patches to the framework or any stock Scipio components or code
may be added below this comment.
NOTE: If you add new confs here, you must modify the lib.resolve.confs property
and do-lib-update target in framework/base/build.xml.
It is recommended to simply reuse the "base" conf instead if possible.
-->
<!-- /CUSTOM/CLIENT CONFIGURATIONS (END) -->
</configurations>
<dependencies>
<!--
BASE FRAMEWORK COMPONENT DEPENDENCIES
These dependencies were already defined in this file (framework/base/ivy.xml) prior to 2018-03-19.
NOTE: Some of these dependencies (from stock ofbiz) were not originally available in central
and may still be being fetched only locally from the local-ivy repo (ivy/localRepo/) at this time (2018-03-20).
-->
<!-- base jars -->
<dependency org="net.sf.barcode4j" name="barcode4j" rev="2.1" conf="base,sources"/>
<dependency org="net.sf.barcode4j" name="barcode4j-fop-ext" rev="2.1" conf="base,sources"/>
<dependency org="org.apache.xmlgraphics" name="batik-all" rev="1.17" conf="base,sources"/><!-- NOTE: deps are excluded further below -->
<dependency org="org.apache.xmlgraphics" name="fop" rev="2.9" conf="base,sources"/>
<dependency org="org.apache.xmlgraphics" name="xmlgraphics-commons" rev="2.9" conf="base,sources"/>
<dependency org="org.apache.httpcomponents" name="httpclient" rev="4.5.14" conf="base,sources"/>
<dependency org="org.apache.httpcomponents" name="httpclient-cache" rev="4.5.14" conf="base,sources"/>
<dependency org="org.apache.httpcomponents" name="httpcore" rev="4.4.16" conf="base,sources"/>
<dependency org="org.apache.httpcomponents" name="httpcore-nio" rev="4.4.16" conf="base,sources"/>
<dependency org="org.apache.httpcomponents" name="httpmime" rev="4.5.14" conf="base,sources"/>
<!-- SCIPIO: 2020-01-14: Added Apache HTTP Client async -->
<dependency org="org.apache.httpcomponents" name="httpasyncclient" rev="4.1.5" conf="base,sources" />
<dependency org="net.sourceforge.nekohtml" name="nekohtml" rev="1.9.22" conf="base,sources"/>
<dependency org="com.ibm.icu" name="icu4j" rev="74.2" conf="base,sources"/>
<dependency org="javolution" name="javolution" rev="5.5.1" conf="base,sources"/><!-- TODO: increase: blocked by EntitySaxReader -->
<dependency org="org.freemarker" name="freemarker" rev="2.3.32" conf="base,sources"/>
<dependency org="com.google.guava" name="guava" rev="32.1.3-jre" conf="base,sources"/>
<dependency org="com.google.code.findbugs" name="jsr305" rev="3.0.2" conf="base,sources"/>
<dependency org="de.odysseus.juel" name="juel-impl" rev="2.2.7" conf="base,sources"/>
<dependency org="de.odysseus.juel" name="juel-spi" rev="2.2.7" conf="base,sources"/>
<dependency org="org.apache.logging.log4j" name="log4j-1.2-api" rev="2.22.0" conf="base,sources"/>
<dependency org="org.apache.logging.log4j" name="log4j-api" rev="2.22.0" conf="base,sources"/>
<dependency org="org.apache.logging.log4j" name="log4j-core" rev="2.22.0" conf="base,sources"/>
<dependency org="org.apache.logging.log4j" name="log4j-nosql" rev="2.9.1" conf="base,sources"/>
<dependency org="org.apache.logging.log4j" name="log4j-slf4j-impl" rev="2.22.0" conf="base,sources"/>
<dependency org="org.apache.xmlbeans" name="xmlbeans" rev="4.0.0" conf="base,sources"/><!-- FIXME: Last version supported by axis2 -->
<dependency org="org.slf4j" name="slf4j-api" rev="2.0.9" conf="base,sources"/><!-- 1.8 required by log4j 2.11+ (https://www.slf4j.org/faq.html#changesInVersion18) -->
<dependency org="io.sentry" name="sentry-log4j2" rev="7.0.0" conf="base,sources"/><!-- Error reporting: https://sentry.io -->
<dependency org="com.sun.mail" name="jakarta.mail" rev="1.6.7" conf="base,sources"/><!-- TODO: 2.0.1 -->
<dependency org="xerces" name="xercesImpl" rev="2.12.2" conf="base,sources"/>
<dependency org="xml-apis" name="xml-apis" rev="2.0.2" conf="base,sources"/>
<dependency org="xml-apis" name="xml-apis-ext" rev="1.3.04" conf="base,sources"/><!-- FIXME?: should be same version as xml-apis -->
<dependency org="xalan" name="xalan" rev="2.7.3" conf="base,sources"/>
<dependency org="xalan" name="serializer" rev="2.7.3" conf="base,sources"/><!-- NOTE: orig ofbiz jar "serializer-2.9.1" (?) had MANIFEST.MF 2.7.1 -->
<dependency org="com.thoughtworks.xstream" name="xstream" rev="1.4.20" conf="base,sources"/>
<!--<dependency org="xpp3" name="xpp3" rev="1.1.4c" conf="base,sources"/> xstream dep: now fetched via xpp3-core + xmlpull transitive deps -->
<dependency org="org.owasp.esapi" name="esapi" rev="2.5.3.1" conf="base,sources"/>
<dependency org="org.owasp.antisamy" name="antisamy" rev="1.7.4" conf="base,sources"/><!-- esapi dependency -->
<dependency org="com.googlecode.owasp-java-html-sanitizer" name="owasp-java-html-sanitizer" rev="20220608.1" conf="base,sources"/>
<dependency org="com.fasterxml.jackson.core" name="jackson-annotations" rev="2.16.0" conf="base,sources"/>
<dependency org="com.fasterxml.jackson.core" name="jackson-core" rev="2.16.0" conf="base,sources"/>
<dependency org="com.fasterxml.jackson.core" name="jackson-databind" rev="2.16.0" conf="base,sources"/>
<dependency org="org.jdom" name="jdom" rev="1.1.3" conf="base,sources"/><!-- TODO: REVIEW: not used in any code; but some libs _might_ have it as optional dependency -->
<dependency org="joda-time" name="joda-time" rev="2.12.5" conf="base,sources" />
<dependency org="org.apache.avalon.framework" name="avalon-framework-impl" rev="4.3.1" conf="base,sources"/>
<dependency org="org.apache.avalon.framework" name="avalon-framework-api" rev="4.3.1" conf="base,sources"/>
<dependency org="org.apache.tika" name="tika-core" rev="1.28.5" conf="base,sources"/>
<dependency org="org.apache.tika" name="tika-parsers" rev="1.28.5" transitive="false" conf="base,sources"/><!-- NOTE: intentional transitive="false"; too many deps -->
<dependency org="com.googlecode.juniversalchardet" name="juniversalchardet" rev="1.0.3" conf="base,sources"/>
<dependency org="com.googlecode.concurrentlinkedhashmap" name="concurrentlinkedhashmap-lru" rev="1.4.2" conf="base,sources"/>
<dependency org="org.hamcrest" name="hamcrest-all" rev="1.3" conf="base,sources"/>
<!-- 2018-03-20: Not yet needed for framework (is shadowed in Camel addon)
<dependency org="com.github.ben-manes.caffeine" name="caffeine" rev="2.6.2" conf="base,sources"/>-->
<!-- Source expanded: framework/base/src/com/redfin/sitemapgenerator/
<dependency org="com.github.dfabulich" name="sitemapgen4j" rev="1.1.2" conf="base,sources"/>-->
<dependency org="org.mnode.ical4j" name="ical4j" rev="2.2.7" conf="base,sources"/><!-- TODO?: there is now 2.x.x line; incompatible API -->
<dependency org="org.apache.shiro" name="shiro-core" rev="1.4.2" conf="base,sources"/>
<dependency org="com.google.code.gson" name="gson" rev="2.10.1" conf="base,sources"/>
<dependency org="com.googlecode.libphonenumber" name="libphonenumber" rev="8.13.27" conf="base,sources"/>
<dependency org="org.apache.sshd" name="sshd-common" rev="2.1.0" conf="base,sources"/>
<dependency org="org.apache.sshd" name="sshd-core" rev="2.1.0" conf="base,sources"/>
<dependency org="org.apache.sshd" name="sshd-sftp" rev="2.1.0" conf="base,sources"/>
<dependency org="com.googlecode.ez-vcard" name="ez-vcard" rev="0.12.1" conf="base,sources"/><!-- stock qrcode -->
<!-- FIXME: Original Reflections library has fatal errors, so temporarily use its fork
<dependency org="org.reflections" name="reflections" rev="0.9.12" conf="base,sources"/>-->
<dependency org="net.oneandone.reflections8" name="reflections8" rev="0.11.7" conf="base,sources"/>
<dependency org="org.dom4j" name="dom4j" rev="2.1.4" conf="base,sources"/><!-- needed by: maileon -->
<!-- jdk11 removed JDK packages -->
<dependency org="javax.xml.bind" name="jaxb-api" rev="2.4.0-b180830.0359" conf="base-jdk11,sources-jdk11"/>
<dependency org="com.sun.xml.bind" name="jaxb-core" rev="4.0.4" conf="base-jdk11,sources-jdk11"/>
<dependency org="com.sun.xml.bind" name="jaxb-impl" rev="4.0.4" conf="base-jdk11,sources-jdk11"/>
<!-- base qrcode jars -->
<dependency org="com.google.zxing" name="core" rev="3.5.2" conf="base,sources"/><!-- stock qrcode -->
<!-- base testing jars -->
<dependency org="junit" name="junit" rev="4.13.2" conf="base,sources"/>
<dependency org="org.mockito" name="mockito-core" rev="2.23.4" conf="base,sources"/><!-- added at r41761440 ofbiz trunk 2016-09-19 09:36:32 -->
<!-- 2018-03-26: omitting httpunit for now because no current usage and its dependencies create class conflicts;
however, may use it or a substitute in future...
<dependency org="httpunit" name="httpunit" rev="1.7" conf="base,sources">
<!- - FIXME?: jtidy is dep of httpunit, but it has class conflicts with several
libs (javolution, xml-apis) and was not shipped with ofbiz 14/15 - ->
<exclude module="jtidy"/>
</dependency>-->
<dependency org="org.jsoup" name="jsoup" rev="1.17.1" conf="base,sources"/><!-- security: CVE-2015-6748 (transitive dep) -->
<!-- commons jars -->
<!-- NOTE: these should generally be updated together (some deps between them and historical compat issues) -->
<dependency org="commons-beanutils" name="commons-beanutils" rev="1.9.4" conf="base,commons,sources"/>
<dependency org="commons-codec" name="commons-codec" rev="1.16.0" conf="base,commons,sources"/>
<dependency org="commons-collections" name="commons-collections" rev="3.2.2" conf="base,commons,sources"/>
<dependency org="org.apache.commons" name="commons-collections4" rev="4.4" conf="base,commons,sources"/>
<dependency org="org.apache.commons" name="commons-compress" rev="1.25.0" conf="base,commons,sources"/>
<dependency org="org.apache.commons" name="commons-csv" rev="1.10.0" conf="base,commons,sources"/>
<dependency org="commons-el" name="commons-el" rev="1.0" conf="base,commons,sources"/>
<dependency org="commons-fileupload" name="commons-fileupload" rev="1.5" conf="base,commons,sources"/>
<dependency org="commons-io" name="commons-io" rev="2.15.1" conf="base,commons,sources"/>
<dependency org="commons-lang" name="commons-lang" rev="2.6" conf="base,commons,sources"/>
<dependency org="org.apache.commons" name="commons-lang3" rev="3.14.0" conf="base,commons,sources"/>
<dependency org="commons-logging" name="commons-logging" rev="1.3.0" conf="base,commons,sources"/>
<dependency org="org.apache.commons" name="commons-math3" rev="3.6.1" conf="base,commons,sources"/>
<dependency org="commons-net" name="commons-net" rev="3.10.0" conf="base,commons,sources"/>
<dependency org="org.apache.commons" name="commons-pool2" rev="2.12.0" conf="base,commons,sources"/>
<dependency org="org.apache.commons" name="commons-text" rev="1.11.0" conf="base,commons,sources"/>
<dependency org="commons-validator" name="commons-validator" rev="1.8.0" conf="base,commons,sources"/>
<!-- j2eespecs jars -->
<dependency org="org.apache.geronimo.specs" name="geronimo-activation_1.1_spec" rev="1.1" conf="base,j2eespecs,sources"/><!-- WARN: conflict with javax.activation#activation -->
<dependency org="org.apache.geronimo.specs" name="geronimo-j2ee-connector_1.6_spec" rev="1.0" conf="base,j2eespecs,sources"/>
<dependency org="org.apache.geronimo.specs" name="geronimo-jaxr_1.0_spec" rev="2.1" conf="base,j2eespecs,sources"/>
<dependency org="org.apache.geronimo.specs" name="geronimo-jaxrpc_1.1_spec" rev="2.1" conf="base,j2eespecs,sources"/>
<dependency org="org.apache.geronimo.specs" name="geronimo-jms_1.1_spec" rev="1.1.1" conf="base,j2eespecs,sources"/>
<dependency org="org.apache.geronimo.specs" name="geronimo-jta_1.1_spec" rev="1.1.1" conf="base,j2eespecs,sources"/>
<dependency org="org.apache.geronimo.specs" name="geronimo-saaj_1.3_spec" rev="1.1" conf="base,j2eespecs,sources"/>
<!--<dependency org="org.apache.geronimo.specs" name="geronimo-stax-api_1.0_spec" rev="1.0.1" conf="base,j2eespecs,sources"/> EXCLUDED - see excludes -->
<!-- scripting jars -->
<!--<dependency org="antlr" name="antlr" rev="2.7.6" conf="base,scripting,sources"/> unused in code and version quite old -->
<dependency org="bsf" name="bsf" rev="2.4.0" conf="base,scripting,sources"/><!-- NOTE: 2.x is different API than 3.x; keeping latest 2.x; see ant-apache-bsf deps -->
<dependency org="org.codehaus.groovy" name="groovy-all" rev="3.0.19" conf="base,scripting,groovy,sources"/>
<dependency org="org.codehaus.groovy" name="groovy-dateutil" rev="3.0.19" conf="base,scripting,groovy,sources"/><!-- NOTE: Not included in groovy-all since 2.5 -->
<!-- The following groovy compiled JARs are included by groovy-all, but must be explicit here for the sources (since 2.5) -->
<dependency org="org.codehaus.groovy" name="groovy" rev="3.0.19" conf="sources"/>
<!-- These are not accessed directly in Scipio sources, so omitting for now
<dependency org="org.codehaus.groovy" name="groovy-ant" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-cli-commons" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-cli-picocli" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-console" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-datetime" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-docgenerator" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-groovydoc" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-groovysh" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-jmx" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-json" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-jsr223" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-macro" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-nio" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-servlet" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-sql" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-swing" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-templates" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-test" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-test-junit5" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-testng" rev="3.0.19" conf="sources"/>
<dependency org="org.codehaus.groovy" name="groovy-xml" rev="3.0.19" conf="sources"/>-->
<!-- Jakarta ORO is provided in filesystem due to ivy dependency, and excluded below NOTE: Jakarta ORO is a closed project
<dependency org="oro" name="oro" rev="2.0.8" conf="base,scripting,sources"/>-->
<!-- scripting jars - special and/or known to be missing/broken in central (2018-03-20) -->
<!-- (none) -->
<!-- media jars -->
<dependency org="net.coobird" name="thumbnailator" rev="0.4.20" conf="base,media,sources"/>
<dependency org="com.mortennobel" name="java-image-scaling" rev="0.8.6" conf="base,media,sources"/>
<dependency org="com.jhlabs" name="filters" rev="2.0.235-1" conf="base,sources"/><!-- transitive dep for mortennobel (was outdated) -->
<dependency org="org.imgscalr" name="imgscalr-lib" rev="4.2" conf="base,media,sources"/>
<dependency org="com.twelvemonkeys.common" name="common-image" rev="3.10.1" conf="base,media,sources"/>
<dependency org="com.tinify" name="tinify" rev="1.8.3" conf="base,media,sources"/>
<!-- ImageIO plugin jars - these plug directly into java's ImageIO and may affect the system globally
NOTE: Usually only one of these should be uncommented per image format -->
<!-- webp -->
<dependency org="org.sejda.imageio" name="webp-imageio" rev="0.1.6" conf="base,media,sources"/>
<!--<dependency org="com.github.gotson" name="webp-imageio" rev="0.2.2" conf="base,media,sources"/>-->
<!--<dependency org="com.twelvemonkeys.imageio" name="imageio-webp" rev="3.7.0" conf="base,media,sources"/>-->
<!-- TODO?: Uncomment this for limited JPEG2000 and TIFF support
<dependency org="com.github.jai-imageio" name="jai-imageio-core" rev="1.4.0" conf="base,media,sources"/>
<dependency org="com.github.jai-imageio" name="jai-imageio-jpeg2000" rev="1.4.0" conf="base,media,sources"/>
-->
<!--
OTHER FRAMEWORK COMPONENT DEPENDENCIES
These dependencies were defined in framework/*/ivy.xml prior to 2018-03-19,
excluding base and start components.
-->
<!-- catalina component (framework/catalina/ivy.xml) -->
<!-- catalina: tomcat -->
<dependency org="org.apache.tomcat" name="tomcat-api" rev="9.0.84" conf="base,sources"/>
<dependency org="org.apache.tomcat" name="tomcat-catalina" rev="9.0.84" conf="base,sources"/>
<dependency org="org.apache.tomcat" name="tomcat-catalina-ha" rev="9.0.84" conf="base,sources"/>
<dependency org="org.apache.tomcat" name="tomcat-coyote" rev="9.0.84" conf="base,sources"/>
<dependency org="org.apache.tomcat" name="tomcat-jasper" rev="9.0.84" conf="base,sources"/>
<dependency org="org.apache.tomcat" name="tomcat-jni" rev="9.0.84" conf="base,sources"/>
<dependency org="org.apache.tomcat" name="tomcat-tribes" rev="9.0.84" conf="base,sources"/>
<dependency org="org.apache.tomcat" name="tomcat-util" rev="9.0.84" conf="base,sources"/>
<dependency org="org.apache.tomcat" name="tomcat-util-scan" rev="9.0.84" conf="base,sources"/>
<dependency org="org.apache.tomcat" name="tomcat-websocket" rev="9.0.84" conf="base,sources"/>
<dependency org="org.apache.tomcat" name="tomcat-websocket-api" rev="9.0.84" conf="base,sources"/>
<!-- gone since 8.5.3+?
<dependency org="org.apache.tomcat.extras" name="tomcat-extras-juli" rev="9.0.84" conf="base,sources"/>
<dependency org="org.apache.tomcat.extras" name="tomcat-extras-juli-adapters" rev="9.0.84" conf="base,sources"/>-->
<!-- let the jasper compile dep give us the version it wants (NOTE: its version numbers are unrelated to org.eclipse.jdt.core.compiler! very confusing!)
<dependency org="org.eclipse.jdt" name="ecj" rev="xxx" conf="base,sources"/>-->
<!-- catalina: j2eespecs servlet API jars -->
<!-- 2018-04-13: NEW SETUP: For the actual JARs loaded by ofbiz (base conf), we download the tomcat-provided
libs into base/lib, so we should never get any runtime problems.
But for sources, the tomcat files have unusable documentation, so we use the official java API files instead;
so we put the official servlet API jars in j2eespecs-ref dir (see build/base.xml for the renaming).
NOTE: the tomcat-provided jar are renamed in base/build.xml so they match the API ones in name (TODO: REVIEW: still necessary?) -->
<dependency org="org.apache.tomcat" name="tomcat-servlet-api" rev="9.0.84" conf="base,sources"/>
<dependency org="org.apache.tomcat" name="tomcat-jsp-api" rev="9.0.84" conf="base,sources"/>
<dependency org="org.apache.tomcat" name="tomcat-el-api" rev="9.0.84" conf="base,sources"/>
<dependency org="org.apache.tomcat" name="tomcat-annotations-api" rev="9.0.84" conf="base,sources"/>
<dependency org="javax.servlet" name="javax.servlet-api" rev="4.0.1" conf="base,j2eespecs,sources"/>
<dependency org="javax.servlet.jsp" name="javax.servlet.jsp-api" rev="2.3.3" conf="base,j2eespecs,sources"/>
<dependency org="javax.el" name="javax.el-api" rev="3.0.1-b06" conf="base,j2eespecs,sources"/>
<dependency org="javax.annotation" name="javax.annotation-api" rev="1.3.2" conf="base,j2eespecs,sources"/>
<!-- SCIPIO: 21-02-04: Added javax.json-api as two addons (matomo and lightning) are currently using it -->
<dependency org="javax.json" name="javax.json-api" rev="1.1.4" conf="base,j2eespecs,sources"/>
<dependency org="org.glassfish" name="javax.json" rev="1.1.4" conf="base,j2eespecs,sources"/>
<!-- entity component (framework/entity/ivy.xml) -->
<dependency org="org.apache.commons" name="commons-dbcp2" rev="2.11.0" conf="base,sources"/>
<!-- geronimo component (framework/geronimo/ivy.xml) -->
<dependency org="org.apache.geronimo.components" name="geronimo-transaction" rev="3.1.5" conf="base,sources"/><!-- TODO?: 4.0.0+ -->
<!-- service component (framework/service/ivy.xml) -->
<dependency org="org.apache.axis2" name="axis2-adb" rev="1.7.9" conf="base,sources"/>
<dependency org="org.apache.axis2" name="axis2-kernel" rev="1.7.9" conf="base,sources"/>
<dependency org="org.apache.axis2" name="axis2-transport-http" rev="1.7.9" conf="base,sources"/>
<dependency org="org.apache.axis2" name="axis2-transport-local" rev="1.7.9" conf="base,sources"/>
<dependency org="org.apache.axis2" name="axis2-saaj" rev="1.7.9" conf="base,sources"/>
<dependency org="org.apache.axis2" name="axis2-codegen" rev="1.7.9" conf="base,sources"/>
<dependency org="org.apache.axis2" name="axis2-xmlbeans" rev="1.7.9" conf="base,sources"/>
<!-- TODO?: axis2 warns about this being missing in log, but it pulls in too many dependencies and impact
on other libraries is unknown, so revisit this later if we have a real functional use for this module.
<dependency org="org.apache.axis2" name="axis2-jaxws" rev="1.7.9" conf="base,sources"/>-->
<dependency org="org.apache.ws.commons.axiom" name="axiom-api" rev="1.2.22" conf="base,sources"/>
<dependency org="org.apache.ws.commons.axiom" name="axiom-impl" rev="1.2.22" conf="base,sources"/>
<dependency org="org.apache.ws.xmlschema" name="xmlschema-core" rev="2.3.1" conf="base,sources"/>
<dependency org="wsdl4j" name="wsdl4j" rev="1.6.3" conf="base,sources"/>
<!-- testtools component (framework/testtools/ivy.xml) -->
<dependency org="org.springframework" name="spring-core" rev="5.3.31" conf="base,sources">
<exclude module="spring-jcl"/><!-- interferes with commons-logging -->
</dependency>
<dependency org="org.springframework" name="spring-test" rev="5.3.31" conf="base,sources">
<exclude module="spring-jcl"/><!-- interferes with commons-logging -->
</dependency>
<!-- webapp component (framework/webapp/ivy.xml) -->
<!-- TODO: itext 2.x is finished; 5.x or 7.x is available as com.itextpdf#itextpdf, but API changes means
parts of PdfSurveyServices.buildSurveyFromPdf have to be rewritten to upgrade (changing package names not enough) -->
<dependency org="com.lowagie" name="itext" rev="2.1.7" conf="base,sources">
<exclude module="bctsp-jdk14"/>
<exclude module="bcmail-jdk14"/>
<exclude module="bcprov-jdk14"/>
</dependency>
<!-- SCIPIO: 3.0.0: bouncycastle is not a strict dependency of itext and may be used by other/client code, so these
have been updated here even though they are probably not compatible with itext, which is currently unused and getting too old -->
<!--<dependency org="org.bouncycastle" name="bctsp-jdk14" rev="1.46" conf="base,sources"/>-->
<dependency org="org.bouncycastle" name="bcpkix-jdk18on" rev="1.77" conf="base,sources"/>
<dependency org="org.bouncycastle" name="bcmail-jdk18on" rev="1.77" conf="base,sources"/>
<dependency org="org.bouncycastle" name="bcprov-jdk18on" rev="1.77" conf="base,sources"/>
<dependency org="com.rometools" name="rome" rev="2.1.0" conf="base,sources"/>
<dependency org="org.tuckey" name="urlrewritefilter" rev="4.0.4" conf="base,sources"/><!-- TODO: 5.1.3+ for servlet5 -->
<!--
APPLICATIONS COMPONENT DEPENDENCIES
These dependencies were defined in framework/*/ivy.xml prior to 2018-03-19.
-->
<!-- content component (applications/content/ivy.xml) -->
<!-- TODO: REVIEW: pdfbox was no longer in use by code at time of this writing (2018-03), but it may have future use... -->
<dependency org="org.apache.pdfbox" name="fontbox" rev="2.0.30" conf="base,sources"/><!-- TODO: 3.0.1+ -->
<dependency org="org.apache.pdfbox" name="jempbox" rev="1.8.17" conf="base,sources"/>
<dependency org="org.apache.pdfbox" name="pdfbox" rev="2.0.30" conf="base,sources"/><!-- TODO: 3.0.1+ -->
<dependency org="org.apache.poi" name="poi" rev="5.0.0" conf="base,sources"><!-- TODO: 5.2.5+ - dep issues due to xmlbeans held back to 4.0.0 by axis 2 -->
<!-- TODO: REVIEW: we cannot allow jcl-over-slf4j on the classpath just like that;
it intentionally tries to replace (has same class names as) apache commons-logging classes -->
<exclude org="org.slf4j" module="jcl-over-slf4j"/>
</dependency>
<dependency org="org.apache.poi" name="poi-ooxml" rev="5.0.0" conf="base,sources"/><!-- TODO: 5.2.5+ - dep issues due to xmlbeans held back to 4.0.0 by axis 2 -->
<!-- solr component (applications/solr/ivy.xml)
Based on solr-provided JAR libraries found in solr-7.x.x.tgz package (solr-7.x.x/server/lib/)
and enhanced with Scipio security patches. -->
<dependency org="org.apache.solr" name="solr-solrj" rev="7.7.3" conf="base,sources"><!-- NOTE: at least 10 deps -->
<!-- TODO: REVIEW: we cannot allow jcl-over-slf4j on the classpath just like that;
it intentionally tries to replace (has same class names as) apache commons-logging classes -->
<exclude org="org.slf4j" module="jcl-over-slf4j"/>
</dependency>
<dependency org="info.ganglia.gmetric4j" name="gmetric4j" rev="1.0.7" conf="base,sources"/><!-- undeclared solr dependency -->
<dependency org="io.dropwizard.metrics" name="metrics-core" rev="3.2.6" conf="base,sources"/><!-- undeclared solr dependency -->
<dependency org="io.dropwizard.metrics" name="metrics-ganglia" rev="3.2.6" conf="base,sources"/><!-- undeclared solr dependency -->
<dependency org="io.dropwizard.metrics" name="metrics-graphite" rev="3.2.6" conf="base,sources"/><!-- undeclared solr dependency -->
<dependency org="io.dropwizard.metrics" name="metrics-jvm" rev="3.2.6" conf="base,sources"/><!-- undeclared solr dependency -->
<!-- Gravatar -->
<dependency org="de.bripkens" name="gravatar4java" rev="1.2" conf="base,sources"/>
<!--
SPECIALPURPOSE COMPONENT DEPENDENCIES
These dependencies were defined in framework/*/ivy.xml prior to 2018-03-19.
-->
<!-- demosuite component (specialpurpose/demosuite/ivy.xml) -->
<dependency org="io.codearte.jfairy" name="jfairy" rev="0.5.9" conf="base,sources" />
<!--
ADDONS COMPONENT DEPENDENCIES (TEMPORARY)
These dependencies reflect libraries needed to be shared between
several addons/*/ivy.xml.
This section is for TEMPORARY dependency includes subject to further review.
FIXME: Some addons libraries are very special in purpose and
should theoretically not be included in base/stock ScipioCE (here) or in most addons.
A different mechanism may be needed to handle this...
NOTE: When a library is confirmed as general-enough-use such that other
non-addons components use it or highly likely to use it, it can be moved
into one of the sections above.
-->
<!--
THEMES COMPONENT DEPENDENCIES
These dependencies reflect libraries needed to be shared between
several themes/*/ivy.xml.
This section is for share and temporary dependency includes subject to further review.
FIXME: Some themes libraries are very special in purpose and
should theoretically not be included in base/stock ScipioCE (here) or in most addons.
A different mechanism may be needed to handle this...
NOTE: When a library is confirmed as general-enough-use such that other
non-themes components use it or highly likely to use it, it can be moved
into one of the sections above.
-->
<!--
ON-DEMAND OPTIONAL STOCK DEPENDENCIES
These are special dependencies for stock Scipio code and ant tasks which are only fetched
on user request and/or by special ant tasks, e.g. the "download-xxx" tasks in the main Scipio build.xml.
-->
<!-- common ext dependencies -->
<!-- NOTE: these may be part of "base" purely in order to simplify build, because many targets
assume things from the main project "build" task; see base/build.xml for the relocations -->
<!-- 2018-07-06: removed: appears only cobertura needs this (junit dep was an error?), so will leave it under ant-opt/cobertura
<dependency org="asm" name="asm" rev="3.2" conf="base,ant-ext"/>
<dependency org="asm" name="asm-tree" rev="3.2" conf="base,ant-ext"/>
-->
<!-- deps for main build.xml ant task: download-activemq -->
<dependency org="org.apache.activemq" name="activemq-all" rev="5.17.4" conf="activemq"/>
<!-- deps for main build.xml ant task: download-cobertura -->
<dependency org="net.sourceforge.cobertura" name="cobertura" rev="2.1.1" conf="cobertura">
<!-- NOTE: see root macros.xml cobertura.class.path for these inclusions -->
<exclude module="ant"/>
<exclude module="ant-junit"/>
<exclude module="junit"/>
<exclude module="log4j"/>
<!--<exclude module="slf4j-api"/> version compatibility issues -->
<exclude module="oro"/>
</dependency>
<!-- deps for main build.xml ant task: download-jacoco -->
<dependency org="org.jacoco" name="org.jacoco.ant" rev="0.8.1" conf="jacoco">
<exclude module="log4j"/>
</dependency>
<!-- deps for main build.xml ant task: download-sonar-ant-task -->
<dependency org="org.codehaus.sonar-plugins" name="sonar-ant-task" rev="2.2" conf="sonar-ant-task"/>
<!-- deps for main build.xml ant task: download-ant-js-nashorn -->
<dependency org="org.openjdk.nashorn" name="nashorn-core" rev="15.4" conf="ant-js-nashorn"/>
<!--
CUSTOM/CLIENT DEPENDENCIES
Custom/client dependencies which are required by several modules
or by patches to the framework or any stock Scipio components or code
may be added below this comment.
-->
<!-- SCIPIO 2.1.0: OkHttpClient 2.7.5 libraries -->
<dependency org="com.squareup.okhttp" name="okhttp" rev="2.7.5" conf="base,sources"/>
<dependency org="com.squareup.okhttp" name="logging-interceptor" rev="2.7.5" conf="base,sources"/>
<!-- /CUSTOM/CLIENT DEPENDENCIES (END) -->
<!--
CUSTOM/CLIENT EXCLUDES
Custom/client excludes may be added below.
-->
<!-- /CUSTOM/CLIENT EXCLUDES (END) -->
<!--
EXCLUDED LIBRARIES (STOCK)
These are libraries directly committed to project, deprecated org/module names
in central, etc.
NOTE: In some cases, like providing a combined lib like batik-all,
artifact= exclude must be used instead of module=, otherwise some deps
may be lost.
-->
<!-- exclude ant & ivy, already committed in lib/ant -->
<exclude org="org\.apache\.ant" module="ant.*" matcher="regexp"/>
<exclude org="ant-contrib" module="ant-contrib"/>
<exclude org="org.apache.ivy" module="ivy"/>
<!-- exclude log4j 1.x.x -->
<exclude org="log4j" module="log4j"/>
<!-- renamed/deprecated artifact org/names (causing conflicts) -->
<exclude org="avalon-framework"/><!-- now org="org.apache.avalon.framework" -->
<exclude org="javax.servlet" module="servlet-api"/><!-- now org="javax.servlet" name="javax.servlet-api" -->
<exclude org="org.hamcrest" module="hamcrest-core" /><!-- covered by org="org.hamcrest" name="hamcrest-all" (hamcrest-core is from junit) -->
<exclude org="junit" module="junit-dep"/><!-- now org="junit" name="junit" -->
<exclude org="org.beanshell" module="bsh.*" matcher="regexp"/><!-- 2018-09-19: Beanshell is removed; but keep excluded until true need is found -->
<exclude org="jython" module="jython"/><!-- now org="org.python" -->
<exclude org="bouncycastle"/><!-- now org="org.bouncycastle" (NOTE: these had poor version numbers, like "138") -->
<exclude org="commons-beanutils" module="commons-beanutils-core"/><!-- now org="commons-beanutils" name="commons-beanutils" -->
<!--<exclude org="asm" module="asm"/> TODO?: this moved to org="org.ow2.asm"; conflict inevitable -->
<!--<exclude org="rome" module="rome"/> exclude NOT required! developer changed class package name -->
<!-- aggregate libs -->
<exclude org="org\.apache\.xmlgraphics" artifact="batik-(?!all$).*" matcher="regexp"/><!-- batik-all includes all -->
<!-- artifacts provided by different providers
2018-04-13: we now download these separately ourselves, so don't exclude - see j2eespecs above
<exclude org="javax.servlet" module="javax.servlet-api"/>
<exclude org="javax.servlet.jsp" module="javax.servlet.jsp-api"/>
<exclude org="javax.el" module="javax.el-api"/>
<exclude org="javax.annotation" module="javax.annotation-api"/> -->
<!-- artifacts provided in filesystem directly (should be very few!) -->
<exclude org="oro" module="oro"/>
<!-- problem libraries -->
<!-- jython (dep of batik-script) includes too many extras in its JAR; for now we
still provide the old ofbiz jython-nooro which excludes them, but is deprecated (FIXME) -->
<exclude org="org.python" module="jython"/>
<!-- conflicts with geronimo-activation (WARN: this one had slightly more classes! FIXME?) -->
<exclude org="javax.activation" module="activation"/>
<!-- newer version of stax 1.0 spec found in xml-apis-1.4.01 -->
<exclude org="org.apache.geronimo.specs" module="geronimo-stax-api_1.0_spec"/>
</dependencies>
</ivy-module>