Maven Multi-Module Dependency Graph: Depgraph Maven Plugin
Use the depgraph-maven-plugin to aggregate the output as an image. I used this in the FHIR project to see if there were any unknown dependencies – https://github.com/IBM/FHIR/issues/87 .
mvn com.github.ferstl:depgraph-maven-plugin:3.3.0:aggregate -f fhir-parent/pom.xml -DshowAllAttributesForJson=true -DcreateImage=true -DreduceEdges=true -DmergeClassifiers=true -DmergeTypes=true -Dexcludes=testng:: -DgraphFormat=json
Maven Check Security Versions
As many know, the projects I work on are typically maven projects. These projects have a variety of requirements, and I started experimenting with static analysis tools. I found a cool one based on the Red Hat victims project. I ran this and found two embedded and out of date jars. Below, one sees the command runs, and highlights the vulnerabilities and CVEs that correspond. Further, it puts a report in the target directory for each module (great for reporting and seeing where/how it’s vulnerable.
$ mvn com.redhat.victims.maven:security-versions:check -f parent/pom.xml
[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO]
[INFO] parent [pom]
[INFO] api [jar]
[INFO] webapp [webapp]
[INFO]
[INFO] ---------------< group:parent >----------------
[INFO] Building parent 99-SNAPSHOT [1/3]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- security-versions:1.0.6:check (default-cli) @ parent ---
[INFO] Analyzing the dependencies for group:parent
[INFO] Syncing with the victims repository (based on the atom feed)
[INFO] Downloading: https://github.com/victims/victims-cve-db/commits.atom
[INFO] Already to the latest version.
INFO] Analyzing the dependencies for group:api
[ERROR] com.fasterxml.jackson.core:jackson-databind is vulnerable to CVE-2017-7525
[INFO] Analyzing the dependencies for group:webapp
[ERROR] commons-collections:commons-collections is vulnerable to CVE-2015-7501
------------------------------------------------------------------------
[INFO] Reactor Summary for parent 99-SNAPSHOT:
[INFO]
[INFO] parent ......... SUCCESS [ 3.170 s]
[INFO] api ...................................... SKIPPED
[INFO] webapp .............................. SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.636 s
[INFO] Finished at: 2019-08-13T07:04:08-04:00
[INFO] ------------------------------------------------------------------------
$
Maven Animal Sniffer Plugin: Traceability
For the past few years, most of my personal and professional projects are built using Maven. The dependency management and corresponding build lifecycle enable me to do some complex builds (for instance HBase 1.2.5 Client Jars).
Command
mvn dependency:tree -f demo-app/pom.xml
Result
[INFO] demo.app:demo-app:jar:1.0-SNAPSHOT [INFO] +- junit:junit:jar:4.12:test [INFO] | – org.hamcrest:hamcrest-core:jar:1.3:test [INFO] – org.apache.hbase:hbase:pom:1.2.5:compile [INFO] +- com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1:compile [INFO] – log4j:log4j:jar:1.2.17:compile
When these dependencies change underlying the build change, the build and debugging is a pain. I ran into this plugin Maven Animal Sniffer Plugin. I did have to enable a specific configuration <configuration><includeJavaHome>false</includeJavaHome></configuration>
Command
mvn animal-sniffer:build -f demo-app/pom.xml
Result
[INFO] — animal-sniffer-maven-plugin:1.16:build (default-cli) @ demo-app — [INFO] Parsing signatures from com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1 [INFO] Parsing signatures from log4j:log4j:jar:1.2.17 [INFO] Parsing signatures from /Users/paulbastide/Downloads/animal/demo-app/target/classes [INFO] Wrote signatures for 337 classes.
I can now store this along with my build. The generated file demo-app/target/demo-app-1.0-SNAPSHOT.signature can then be used to check plugin.
Solution: XStream Illegal Reflective Access
If you are compiling with AdoptOpenJDK 11, you might hit – "Illegal reflective access" com.thoughtworks.xstream.converters.collections.TreeMapConverter
If your build and your dependencies don’t show xstream in it, check your plugins:
mvn dependency:resolve-plugins -f fhir-parent/pom.xml | grep -B20 -i xst
[INFO] Plugin Resolved: maven-war-plugin-3.2.3.jar
[INFO] Plugin Dependency Resolved: maven-plugin-api-3.0.jar
[INFO] Plugin Dependency Resolved: maven-core-3.0.jar
[INFO] Plugin Dependency Resolved: maven-archiver-3.4.0.jar
[INFO] Plugin Dependency Resolved: commons-io-2.5.jar
[INFO] Plugin Dependency Resolved: plexus-archiver-4.1.0.jar
[INFO] Plugin Dependency Resolved: plexus-interpolation-1.25.jar
[INFO] Plugin Dependency Resolved: xstream-1.4.10.jar
I upgraded to the latest maven-war-plugin (3.1.0) and it was solved.

Solution: Maven Surefire runs out of memory
I’m running a complicated integration test, and needed to allocate memory appropriately – MAVEN_OPTS was used to increase memory, and I still ran into an issue with MAVEN out-of-memory. To fix the issue, I had to use the Surefire argsline:
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<argLine>-Xms2G -Xmx2G</argLine>
</configuration>
</plugin>
</plugins>
Solution: Go Offline with Dependencies
My team uses the pom.xml
to generate a repository which is handed off to the secondary developers. For instance, I have a custom db2 jar.
Update your localRepository
- Start a Shell
- cd
~/.m2
vim settings.xml
- add
<localRepository>/Users/userid/git/client-app/documentation/repo/local_repo</localRepository>
Note: the path is relative to the location of my repo You may have to create the folder local_repo - Save the file to where it makes most sense
Take the Repo Offline
- Change directory to the
repo
folder mvn dependency:go-offline
- cd local_repo
- remove any previous zip
- Run
zip -9 -v -r repo.zip 'base-path-for-jars-you-want/'
(Only archives into the zip the dependencies you want) - Upload the zip to the
client-app
wiki
Remove your local repository line
- Start a shell
- cd
~/.m2
- vim settings.xml
- remove the
<localRepository>
node - Save the file
An alternative is to to package with the dependency plugin or download to a specific folder.
This is not my favorite approach.
Solution: Speeding up Maven
Like many developers, I have tons of jobs running to compile, unit and integration test my code. These jobs take anywhere from 30 seconds to 30 minutes.
Some simple operations took a while…. I wondered why… Thanks to Oleg @ ZeroTurnAround I have an answer – Your Maven build is slow. Speed it up!
I applied the setting to speed up my build (30 minutes dropped to 10 minutes)
mvn clean package -T 4 -S local-m2/settings.xml
I hope this helps others.
Solution: Fat HBase Dependencies: Use This Handy Exclusion List from the Lily Project
I have been developing and delivering HBase related code for a few years now. The amount of extra libraries in the deliverables are high. The Lily Project has a very nice exclusion list (we had to develop our own) – Exclusion List in Pom.
<dependency>
<groupId>org.lilyproject</groupId>
<artifactId>lily-hbase-client</artifactId>
<version>2.6.1</version>
</dependency>
Solution: License Management via Maven Plugin
Keeping a license current is luckily addressed by the mycila license maven plugin. This plugin scans the project files in src files and updates the files with the license.txt format. To configure the plugin refer to Format Mojo.
To check the current status of the copyrights and see what needs to be updated: mvn com.mycila:license-maven-plugin:check -f my-parent/pom.xml
To format the current missing copyrights and update: mvn com.mycila:license-maven-plugin:format -f my-parent/pom.xml
Results are:
[INFO] ————————————————————————
[INFO] Building my-project 99-SNAPSHOT
[INFO] ————————————————————————
[INFO]
[INFO] — license-maven-plugin:3.0:format (default-cli) @ my-project —
[INFO] Updating license headers…
[WARNING] Unknown file extension: /Users/paulbastide/git/wffh/my/my-project/.factorypath
[INFO] Updating license header in: /Users/paulbastide/git/wffh/my/my-project/src/main/webapp/WEB-INF/ibm-web-ext.xml
[WARNING] Unable to find a comment style definition for some files. You may want to add a custom mapping for the relevant file extensions.
[INFO]
Once you run the copyright format, you see the change in the files.
Plugin for your pom.xml. The plugin snippet as follows and that goes in <build><plugins></plugins></build>
:
<plugin>
<groupId>com.mycila</groupId>
<artifactId>license-maven-plugin</artifactId>
<configuration>
<properties>
<year>2019</year>
</properties>
<excludes>
<exclude>src/test/**</exclude>
<exclude>src/main/resources/**</exclude>
<exclude>liberty-config/**</exclude>
<exclude>docker/**</exclude>
</excludes>
<failIfMissing>false</failIfMissing>
<skipExistingHeaders>true</skipExistingHeaders>
<header>license.txt</header>
</configuration>
</plugin>
To run the mojo independently use:
mvn com.mycila:license-maven-plugin:check -f my-project/pom.xml -Dlicense.header=./license.txt -license.skipExistingHeaders=true
Solution: Maven Dependency Version Management
To check the version of a dependency (and subsequently all dependencies), and see if there is a need to update the dependency:
1 – Change to cd my-project 2 – Run mvn versions:display-dependency-updates 3 – Locate the section in the output:
[INFO] The following dependencies in Dependency Management have newer versions:
[INFO] com.cloudant:cloudant-client ......................... 2.4.1 -> 2.16.0
4 – For each of the entries, update the core dependency to the latest version on the right.
08:57:36-mymachine:~/git/my-project$ mvn versions:display-dependency-updates
[INFO] Scanning for projects...
Downloading: https://repo1.maven.org/nexus/wh/content/groups/public/org/apache/maven/plugins/maven-failsafe-plugin/2.20.1/maven-failsafe-plugin-2.20.1.pom
...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building my-project 99-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- versions-maven-plugin:2.3:display-dependency-updates (default-cli) @ my-project ---
Downloading: https://repo1.maven.org/nexus/wh/content/groups/public/org/apache/maven/wagon/wagon-provider-api/2.5/wagon-provider-api-2.5.pom
Downloaded: https://repo1.maven.org/nexus/wh/content/groups/public/org/apache/maven/wagon/wagon-provider-api/2.5/wagon-provider-api-2.5.pom (2 KB at 0.8 KB/sec)
Downloading: https://repo1.maven.org/nexus/wh/content/groups/public/org/apache/maven/wagon/wagon/2.5/wagon-2.5.pom
Downloaded: https://repo1.maven.org/nexus/wh/content/groups/public/org/apache/maven/wagon/wagon/2.5/wagon-2.5.pom (20 KB at 8.7 KB/sec)
Downloading: https://repo1.maven.org/nexus/wh/content/groups/public/org/apache/maven/wagon/wagon-file/2.5/wagon-file-2.5.pom
Downloaded: https://repo1.maven.org/nexus/wh/content/groups/public/org/apache/maven/wagon/wagon-file/2.5/wagon-file-2.5.pom (2 KB at 0.8 KB/sec)
...
[INFO] artifact com.google.collections:google-collections: checking for updates from public
[INFO] artifact com.google.code.gson:gson: checking for updates from public
[INFO] artifact com.cloudant:cloudant-client: checking for updates from public
[INFO] artifact com.googlecode.json-simple:json-simple: checking for updates from public
[INFO] artifact com.ibm.db2:db2jcc4: checking for updates from public
[INFO] artifact com.ibm.websphere.appserver.runtime:wlp-base-embeddable: checking for updates from public
[INFO] artifact com.ibm.java:ibm-java-sdk: checking for updates from public
[INFO] artifact com.ibm.whc:audittrail-retrieve-api: checking for updates from public
[INFO] artifact commons-beanutils:commons-beanutils: checking for updates from public
[INFO] artifact commons-cli:commons-cli: checking for updates from public
[INFO] artifact commons-codec:commons-codec: checking for updates from public
[INFO] artifact commons-io:commons-io: checking for updates from public
[INFO] artifact javax.json:javax.json-api: checking for updates from public
[INFO] artifact javax.mail:mail: checking for updates from public
...
[INFO] artifact org.owasp.encoder:encoder: checking for updates from public
[INFO] artifact org.skyscreamer:jsonassert: checking for updates from public
[INFO] artifact org.testng:testng: checking for updates from public
[INFO] artifact xmlunit:xmlunit: checking for updates from public
[INFO] The following dependencies in Dependency Management have newer versions:
[INFO] com.cloudant:cloudant-client ......................... 2.4.1 -> 2.16.0
[INFO] com.google.code.gson:gson ............................. 2.8.1 -> 2.8.5
[INFO] com.googlecode.json-simple:json-simple .................. 1.1 -> 1.1.1
[INFO] com.ibm.java:ibm-java-sdk .......... 8.0-5.35-linux-x86_64 -> 8.0.2.10
[INFO] commons-codec:commons-codec ............................. 1.10 -> 1.12
[INFO] commons-io:commons-io ..................................... 2.4 -> 2.6
[INFO] org.testng:testng .............................. 6.9.10 -> 7.0.0-beta4
[INFO]
[INFO] No dependencies in Dependencies have newer versions.
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:39 min
[INFO] Finished at: 2019-05-21T09:03:55-04:00
[INFO] Final Memory: 15M/182M
[INFO] ------------------------------------------------------------------------
Links
Handy Plugin: Spot Bugs Plugin
If you are looking to automate the discovery of common issues in Java code, like me, use the spotbugs plugin. I run the mvn command (with a specific heap).
mvn com.github.spotbugs:spotbugs-maven-plugin:3.1.8:spotbugs \
-f fhir-parent/pom.xml -Dspotbugs.maxHeap=2048
Outputs:
[INFO] ———————< com.ibm.fhir:fhir-task-api >———————
[INFO] Building fhir-task-api 4.0.0-SNAPSHOT [3/37]
[INFO] ——————————–[ jar ]—————————–—-
[INFO]
[INFO] — spotbugs-maven-plugin:3.1.8:spotbugs (default-cli) @ fhir-task-api —
[INFO] Fork Value is true
[INFO] Done SpotBugs Analysis….
[INFO] ———————-< com.ibm.fhir:fhir-audit >———————–
[INFO] Building fhir-audit 4.0.0-SNAPSHOT [7/37]
[INFO] ——————————–[ jar ]—————————–—-
[INFO]
[INFO] — spotbugs-maven-plugin:3.1.8:spotbugs (default-cli) @ fhir-audit —
[INFO] Fork Value is true
[java] Warnings generated: 22
[INFO] Done SpotBugs Analysis….
[INFO]
[INFO]
Look for the spotbugs.xml such as /fhir-task-core/target/spotbugsXml.xml It contains a wealth of information
<BugCollection sequence=’0′ release=” analysisTimestamp=’1570751830498′ version=’3.1.8′ timestamp=’1570747471677′><Project projectName=’fhir-task-core’><Jar>/Users//git/wffh/FHIR/fhir-task-core/target/classes</Jar><AuxClasspathEntry>/.m2/repository/com/ibm/fhir/fhir-task-api/4.0.0-SNAPSHOT/fhir-task-api-4.0.0-SNAPSHOT.jar</AuxClasspathEntry><SrcDir>/Users//git/wffh/FHIR/fhir-task-core/src/main/java</SrcDir><WrkDir>/Users//git/wffh/FHIR/fhir-task-core/target</WrkDir></Project><Errors missingClasses=’0′ errors=’0′></Errors><FindBugsSummary num_packages=’2′ total_classes=’3′ total_size=’151′ clock_seconds=’1.83′ referenced_classes=’43’ vm_version=’11.0.4+11′ total_bugs=’0′ java_version=’11.0.4′ gc_seconds=’0.04′ alloc_mbytes=’2048.00′ cpu_seconds=’6.49′ peak_mbytes=’170.15′ timestamp=’Thu, 10 Oct 2019 18:44:31 -0400′><FileStats path=’com/ibm/fhir/task/core/impl/TaskGroup.java’ size=’66’ bugCount=’0′></FileStats><FileStats path=’com/ibm/fhir/task/core/impl/TaskManager.java’ size=’80’ bugCount=’0′></FileStats><FileStats path=’com/ibm/fhir/task/core/service/TaskService.java’ size=’5′ bugCount=’0′></FileStats><PackageStats package=’com.ibm.fhir.task.core.impl’ total_bugs=’0′ total_size=’146′ total_types=’2′><ClassStats bugs=’0′ size=’66’ interface=’false’ sourceFile=’TaskGroup.java’ class=’com.ibm.fhir.task.core.impl.TaskGroup’></ClassStats><ClassStats bugs=’0′ size=’80’ interface=’false’ sourceFile=’TaskManager.java’ class=’com.ibm.fhir.task.core.impl.TaskManager’></ClassStats></PackageStats><PackageStats package=’com.ibm.fhir.task.core.service’ total_bugs=’0′ total_size=’5′ total_types=’1′><ClassStats bugs=’0′ size=’5′ interface=’false’ sourceFile=’TaskService.java’ class=’com.ibm.fhir.task.core.service.TaskService’></ClassStats></PackageStats><FindBugsProfile><ClassProfile avgMicrosecondsPerInvocation=’799′ totalMilliseconds=’423′ name=’edu.umd.cs.findbugs.classfile.engine.ClassInfoAnalysisEngine’ maxMicrosecondsPerInvocation=’19514′ standardDeviationMicrosecondsPerInvocation=’1641′ invocations=’530′></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’2237′ totalMilliseconds=’96’ name=’edu.umd.cs.findbugs.detect.FieldItemSummary’ maxMicrosecondsPerInvocation=’16801′ standardDeviationMicrosecondsPerInvocation=’3891′ invocations=’43’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’125′ totalMilliseconds=’66’ name=’edu.umd.cs.findbugs.classfile.engine.ClassDataAnalysisEngine’ maxMicrosecondsPerInvocation=’2775′ standardDeviationMicrosecondsPerInvocation=’165′ invocations=’532′></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’1276′ totalMilliseconds=’54’ name=’edu.umd.cs.findbugs.detect.FindNoSideEffectMethods’ maxMicrosecondsPerInvocation=’7402′ standardDeviationMicrosecondsPerInvocation=’1809′ invocations=’43’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’315′ totalMilliseconds=’51’ name=’edu.umd.cs.findbugs.OpcodeStack$JumpInfoFactory’ maxMicrosecondsPerInvocation=’3493′ standardDeviationMicrosecondsPerInvocation=’435′ invocations=’162′></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’89′ totalMilliseconds=’44’ name=’edu.umd.cs.findbugs.util.TopologicalSort’ maxMicrosecondsPerInvocation=’1522′ standardDeviationMicrosecondsPerInvocation=’164′ invocations=’493′></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’1399′ totalMilliseconds=’33’ name=’edu.umd.cs.findbugs.classfile.engine.bcel.MethodGenFactory’ maxMicrosecondsPerInvocation=’28227′ standardDeviationMicrosecondsPerInvocation=’5597′ invocations=’24’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’1276′ totalMilliseconds=’33’ name=’edu.umd.cs.findbugs.classfile.engine.bcel.ValueNumberDataflowFactory’ maxMicrosecondsPerInvocation=’11157′ standardDeviationMicrosecondsPerInvocation=’2187′ invocations=’26’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’1357′ totalMilliseconds=’32’ name=’edu.umd.cs.findbugs.classfile.engine.bcel.TypeDataflowFactory’ maxMicrosecondsPerInvocation=’11718′ standardDeviationMicrosecondsPerInvocation=’2383′ invocations=’24’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’740′ totalMilliseconds=’31’ name=’edu.umd.cs.findbugs.detect.NoteDirectlyRelevantTypeQualifiers’ maxMicrosecondsPerInvocation=’7105′ standardDeviationMicrosecondsPerInvocation=’1250′ invocations=’43’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’457′ totalMilliseconds=’31’ name=’edu.umd.cs.findbugs.classfile.engine.bcel.JavaClassAnalysisEngine’ maxMicrosecondsPerInvocation=’11558′ standardDeviationMicrosecondsPerInvocation=’1457′ invocations=’69’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’1310′ totalMilliseconds=’31’ name=’edu.umd.cs.findbugs.classfile.engine.bcel.IsNullValueDataflowFactory’ maxMicrosecondsPerInvocation=’6290′ standardDeviationMicrosecondsPerInvocation=’1487′ invocations=’24’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’604′ totalMilliseconds=’26’ name=’edu.umd.cs.findbugs.detect.FunctionsThatMightBeMistakenForProcedures’ maxMicrosecondsPerInvocation=’5171′ standardDeviationMicrosecondsPerInvocation=’1052′ invocations=’43’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’1025′ totalMilliseconds=’24’ name=’edu.umd.cs.findbugs.classfile.engine.bcel.UnconditionalValueDerefDataflowFactory’ maxMicrosecondsPerInvocation=’5722′ standardDeviationMicrosecondsPerInvocation=’1207′ invocations=’24’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’993′ totalMilliseconds=’23’ name=’edu.umd.cs.findbugs.ba.npe.NullDerefAndRedundantComparisonFinder’ maxMicrosecondsPerInvocation=’3609′ standardDeviationMicrosecondsPerInvocation=’983′ invocations=’24’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’523′ totalMilliseconds=’22’ name=’edu.umd.cs.findbugs.detect.BuildObligationPolicyDatabase’ maxMicrosecondsPerInvocation=’3748′ standardDeviationMicrosecondsPerInvocation=’790′ invocations=’43’></ClassProfile></FindBugsProfile></FindBugsSummary><ClassFeatures></ClassFeatures><History></History></BugCollection>
Solution: Multi-module Javadocs where Search doesn’t resolve the context properly
Multi-module Javadocs where Search doesn’t resolve the context properly
<additionalJOption>--no-module-directories</additionalJOption>
or
<additionalOption>--no-module-directories</additionalOption>
Search will generate which avoid the <undefined>, and use the root folder.
Links
Solution: LC_ALL
If you see the warning…
Exception = javax.resource.spi.ResourceAllocationException
Source = com.ibm.ws.rsadapter.jdbc.WSJdbcDataSource.getConnection
probeid = 299
Stack Dump = javax.resource.spi.ResourceAllocationException:
DSRA8100E: Unable to get a XAConnection from the DataSource.
with SQL State : XJ041 SQL Code : 40000
at com.ibm.ejs.j2c.FreePool.createManagedConnectionWithMCWrapper
(FreePool.java:1578)
LC_ALL
is the way to fix.
Before executing the Java application.
export LC_ALL=en_US.UTF-8
Links
Wagon Settings
I ran into an issue with Maven performance -Dmaven.wagon.http.retryHandler.count=3
to avoid failures.
Rebuild with a Clean Repo
The machine I build the jars on was not the same as my source repository.
I chose to purge:
mvn dependency:purge-local-repository -DmanualInclude=com.ibm.fhir
I then rebuilt the validation jars.
mvn clean package -Pfhir-validation-distribution,fhir-ig-carin-bb,fhir-ig-davinci-pdex-plan-net,fhir-ig-mcode,fhir-ig-us-core -DskipTests=true
Which pulls from the BinTray Repo
<repositories>
<repository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>bintray-ibm-watson-health-ibm-fhir-server-releases</id>
<name>bintray</name>
<url>https://dl.bintray.com/ibm-watson-health/ibm-fhir-server-releases</url>
</repository>
</repositories>