Maven Multi-Module Dependency Graph: Depgraph Maven Plugin

Use the depgraph-maven-plugin to aggregate the output as an image. I used this in the FHIR project to see if there were any unknown dependencies – https://github.com/IBM/FHIR/issues/87 .

mvn com.github.ferstl:depgraph-maven-plugin:3.3.0:aggregate -f fhir-parent/pom.xml -DshowAllAttributesForJson=true -DcreateImage=true -DreduceEdges=true -DmergeClassifiers=true -DmergeTypes=true -Dexcludes=testng:: -DgraphFormat=json

Maven Check Security Versions

As many know, the projects I work on are typically maven projects. These projects have a variety of requirements, and I started experimenting with static analysis tools. I found a cool one based on the Red Hat victims project. I ran this and found two embedded and out of date jars. Below, one sees the command runs, and highlights the vulnerabilities and CVEs that correspond. Further, it puts a report in the target directory for each module (great for reporting and seeing where/how it’s vulnerable.

$ mvn com.redhat.victims.maven:security-versions:check -f parent/pom.xml
[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO]
[INFO] parent [pom]
[INFO] api [jar]
[INFO] webapp [webapp]
[INFO]
[INFO] ---------------< group:parent >----------------
[INFO] Building parent 99-SNAPSHOT [1/3]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- security-versions:1.0.6:check (default-cli) @ parent ---
[INFO] Analyzing the dependencies for group:parent
[INFO] Syncing with the victims repository (based on the atom feed)
[INFO] Downloading: https://github.com/victims/victims-cve-db/commits.atom
[INFO] Already to the latest version.
INFO] Analyzing the dependencies for group:api
[ERROR] com.fasterxml.jackson.core:jackson-databind is vulnerable to CVE-2017-7525
[INFO] Analyzing the dependencies for group:webapp
[ERROR] commons-collections:commons-collections is vulnerable to CVE-2015-7501
------------------------------------------------------------------------
[INFO] Reactor Summary for parent 99-SNAPSHOT:
[INFO]
[INFO] parent ......... SUCCESS [ 3.170 s]
[INFO] api ...................................... SKIPPED
[INFO] webapp .............................. SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.636 s
[INFO] Finished at: 2019-08-13T07:04:08-04:00
[INFO] ------------------------------------------------------------------------
$

Maven Animal Sniffer Plugin: Traceability

For the past few years, most of my personal and professional projects are built using Maven.  The dependency management and corresponding build lifecycle enable me to do some complex builds (for instance HBase 1.2.5 Client Jars).

Command

mvn dependency:tree -f demo-app/pom.xml

Result

[INFO] demo.app:demo-app:jar:1.0-SNAPSHOT [INFO] +- junit:junit:jar:4.12:test [INFO] | – org.hamcrest:hamcrest-core:jar:1.3:test [INFO] – org.apache.hbase:hbase:pom:1.2.5:compile [INFO] +- com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1:compile [INFO] – log4j:log4j:jar:1.2.17:compile

When these dependencies change underlying the build change, the build and debugging is a pain. I ran into this plugin Maven Animal Sniffer Plugin. I did have to enable a specific configuration <configuration><includeJavaHome>false</includeJavaHome></configuration>

Command

mvn animal-sniffer:build -f demo-app/pom.xml

Result

[INFO] — animal-sniffer-maven-plugin:1.16:build (default-cli) @ demo-app — [INFO] Parsing signatures from com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1 [INFO] Parsing signatures from log4j:log4j:jar:1.2.17 [INFO] Parsing signatures from /Users/paulbastide/Downloads/animal/demo-app/target/classes [INFO] Wrote signatures for 337 classes.

I can now store this along with my build. The generated file demo-app/target/demo-app-1.0-SNAPSHOT.signature can then be used to check plugin.

Solution: XStream Illegal Reflective Access

If you are compiling with AdoptOpenJDK 11, you might hit –  "Illegal reflective access" com.thoughtworks.xstream.converters.collections.TreeMapConverter

If your build and your dependencies don’t show xstream in it, check your plugins:

mvn dependency:resolve-plugins -f fhir-parent/pom.xml | grep -B20 -i xst
[INFO] Plugin Resolved: maven-war-plugin-3.2.3.jar
[INFO] Plugin Dependency Resolved: maven-plugin-api-3.0.jar
[INFO] Plugin Dependency Resolved: maven-core-3.0.jar
[INFO] Plugin Dependency Resolved: maven-archiver-3.4.0.jar
[INFO] Plugin Dependency Resolved: commons-io-2.5.jar
[INFO] Plugin Dependency Resolved: plexus-archiver-4.1.0.jar
[INFO] Plugin Dependency Resolved: plexus-interpolation-1.25.jar
[INFO] Plugin Dependency Resolved: xstream-1.4.10.jar

I upgraded to the latest maven-war-plugin (3.1.0) and it was solved.

Solution: Maven Surefire runs out of memory

I’m running a complicated integration test, and needed to allocate memory appropriately – MAVEN_OPTS was used to increase memory, and I still ran into an issue with MAVEN out-of-memory.  To fix the issue, I had to use the Surefire argsline:

<plugins>
   <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-surefire-plugin</artifactId>
      <configuration>
         <argLine>-Xms2G -Xmx2G</argLine>
      </configuration>
   </plugin>
</plugins>

Solution: Go Offline with Dependencies

My team uses the pom.xml to generate a repository which is handed off to the secondary developers. For instance, I have a custom db2 jar.

Update your localRepository

• Start a Shell
• cd ~/.m2
• vim settings.xml
• add <localRepository>/Users/userid/git/client-app/documentation/repo/local_repo</localRepository> Note: the path is relative to the location of my repo You may have to create the folder local_repo
• Save the file to where it makes most sense

Take the Repo Offline

• Change directory to the repo folder
• mvn dependency:go-offline
• cd local_repo
• remove any previous zip
• Run zip -9 -v -r repo.zip 'base-path-for-jars-you-want/' (Only archives into the zip the dependencies you want)
• Upload the zip to the client-app wiki

Remove your local repository line

• Start a shell
• cd ~/.m2
• vim settings.xml
• remove the <localRepository> node
• Save the file

An alternative is to to package with the dependency plugin or download to a specific folder.

This is not my favorite approach.

Solution: Speeding up Maven

Like many developers, I have tons of jobs running to compile, unit and integration test my code.  These jobs take anywhere from 30 seconds to 30 minutes.

Some simple operations took a while…. I wondered why… Thanks to Oleg @ ZeroTurnAround I have an answer – Your Maven build is slow. Speed it up!

I applied the setting to speed up my build (30 minutes dropped to 10 minutes)

mvn clean package -T 4 -S local-m2/settings.xml

I hope this helps others.

Solution: Fat HBase Dependencies: Use This Handy Exclusion List from the Lily Project

I have been developing and delivering HBase related code for a few years now. The amount of extra libraries in the deliverables are high. The Lily Project has a very nice exclusion list (we had to develop our own) – Exclusion List in Pom.

<dependency>
    <groupId>org.lilyproject</groupId>
    <artifactId>lily-hbase-client</artifactId>
    <version>2.6.1</version>
</dependency>

Solution: License Management via Maven Plugin

Keeping a license current is luckily addressed by the mycila license maven plugin. This plugin scans the project files in src files and updates the files with the license.txt format. To configure the plugin refer to Format Mojo.

To check the current status of the copyrights and see what needs to be updated: mvn com.mycila:license-maven-plugin:check -f my-parent/pom.xml

To format the current missing copyrights and update: mvn com.mycila:license-maven-plugin:format -f my-parent/pom.xml

Results are:

[INFO] ————————————————————————
[INFO] Building my-project 99-SNAPSHOT
[INFO] ————————————————————————
[INFO]
[INFO] — license-maven-plugin:3.0:format (default-cli) @ my-project —
[INFO] Updating license headers…
[WARNING] Unknown file extension: /Users/paulbastide/git/wffh/my/my-project/.factorypath
[INFO] Updating license header in: /Users/paulbastide/git/wffh/my/my-project/src/main/webapp/WEB-INF/ibm-web-ext.xml
[WARNING] Unable to find a comment style definition for some files. You may want to add a custom mapping for the relevant file extensions.
[INFO]

Once you run the copyright format, you see the change in the files. Plugin for your pom.xml. The plugin snippet as follows and that goes in <build><plugins></plugins></build>:

<plugin>
<groupId>com.mycila</groupId>
<artifactId>license-maven-plugin</artifactId>
<configuration>
<properties>
<year>2019</year>
</properties>
<excludes>
<exclude>src/test/**</exclude>
<exclude>src/main/resources/**</exclude>
<exclude>liberty-config/**</exclude>
<exclude>docker/**</exclude>
</excludes>
<failIfMissing>false</failIfMissing>
<skipExistingHeaders>true</skipExistingHeaders>
<header>license.txt</header>
</configuration>
</plugin>

To run the mojo independently use: mvn com.mycila:license-maven-plugin:check -f my-project/pom.xml -Dlicense.header=./license.txt -license.skipExistingHeaders=true

Solution: Maven Dependency Version Management

To check the version of a dependency (and subsequently all dependencies), and see if there is a need to update the dependency:

1 – Change to cd my-project 2 – Run mvn versions:display-dependency-updates 3 – Locate the section in the output:

[INFO] The following dependencies in Dependency Management have newer versions:
[INFO] com.cloudant:cloudant-client ......................... 2.4.1 -> 2.16.0

4 – For each of the entries, update the core dependency to the latest version on the right.

08:57:36-mymachine:~/git/my-project$ mvn versions:display-dependency-updates
[INFO] Scanning for projects...
Downloading: https://repo1.maven.org/nexus/wh/content/groups/public/org/apache/maven/plugins/maven-failsafe-plugin/2.20.1/maven-failsafe-plugin-2.20.1.pom
...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building my-project 99-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- versions-maven-plugin:2.3:display-dependency-updates (default-cli) @ my-project ---
Downloading: https://repo1.maven.org/nexus/wh/content/groups/public/org/apache/maven/wagon/wagon-provider-api/2.5/wagon-provider-api-2.5.pom
Downloaded: https://repo1.maven.org/nexus/wh/content/groups/public/org/apache/maven/wagon/wagon-provider-api/2.5/wagon-provider-api-2.5.pom (2 KB at 0.8 KB/sec)
Downloading: https://repo1.maven.org/nexus/wh/content/groups/public/org/apache/maven/wagon/wagon/2.5/wagon-2.5.pom
Downloaded: https://repo1.maven.org/nexus/wh/content/groups/public/org/apache/maven/wagon/wagon/2.5/wagon-2.5.pom (20 KB at 8.7 KB/sec)
Downloading: https://repo1.maven.org/nexus/wh/content/groups/public/org/apache/maven/wagon/wagon-file/2.5/wagon-file-2.5.pom
Downloaded: https://repo1.maven.org/nexus/wh/content/groups/public/org/apache/maven/wagon/wagon-file/2.5/wagon-file-2.5.pom (2 KB at 0.8 KB/sec)
...
[INFO] artifact com.google.collections:google-collections: checking for updates from public
[INFO] artifact com.google.code.gson:gson: checking for updates from public
[INFO] artifact com.cloudant:cloudant-client: checking for updates from public
[INFO] artifact com.googlecode.json-simple:json-simple: checking for updates from public
[INFO] artifact com.ibm.db2:db2jcc4: checking for updates from public
[INFO] artifact com.ibm.websphere.appserver.runtime:wlp-base-embeddable: checking for updates from public
[INFO] artifact com.ibm.java:ibm-java-sdk: checking for updates from public
[INFO] artifact com.ibm.whc:audittrail-retrieve-api: checking for updates from public
[INFO] artifact commons-beanutils:commons-beanutils: checking for updates from public
[INFO] artifact commons-cli:commons-cli: checking for updates from public
[INFO] artifact commons-codec:commons-codec: checking for updates from public
[INFO] artifact commons-io:commons-io: checking for updates from public
[INFO] artifact javax.json:javax.json-api: checking for updates from public
[INFO] artifact javax.mail:mail: checking for updates from public
...
[INFO] artifact org.owasp.encoder:encoder: checking for updates from public
[INFO] artifact org.skyscreamer:jsonassert: checking for updates from public
[INFO] artifact org.testng:testng: checking for updates from public
[INFO] artifact xmlunit:xmlunit: checking for updates from public
[INFO] The following dependencies in Dependency Management have newer versions:
[INFO] com.cloudant:cloudant-client ......................... 2.4.1 -> 2.16.0
[INFO] com.google.code.gson:gson ............................. 2.8.1 -> 2.8.5
[INFO] com.googlecode.json-simple:json-simple .................. 1.1 -> 1.1.1
[INFO] com.ibm.java:ibm-java-sdk .......... 8.0-5.35-linux-x86_64 -> 8.0.2.10
[INFO] commons-codec:commons-codec ............................. 1.10 -> 1.12
[INFO] commons-io:commons-io ..................................... 2.4 -> 2.6
[INFO] org.testng:testng .............................. 6.9.10 -> 7.0.0-beta4
[INFO] 
[INFO] No dependencies in Dependencies have newer versions.
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:39 min
[INFO] Finished at: 2019-05-21T09:03:55-04:00
[INFO] Final Memory: 15M/182M
[INFO] ------------------------------------------------------------------------

Links

• StackOverflow: Check for Updated Dependencies

If you are looking to automate the discovery of common issues in Java code, like me, use the spotbugs plugin. I run the mvn command (with a specific heap).

mvn com.github.spotbugs:spotbugs-maven-plugin:3.1.8:spotbugs \
    -f fhir-parent/pom.xml -Dspotbugs.maxHeap=2048

Outputs:

[INFO] ———————< com.ibm.fhir:fhir-task-api >———————
[INFO] Building fhir-task-api 4.0.0-SNAPSHOT [3/37]
[INFO] ——————————–[ jar ]—————————–—-
[INFO]
[INFO] — spotbugs-maven-plugin:3.1.8:spotbugs (default-cli) @ fhir-task-api —
[INFO] Fork Value is true
[INFO] Done SpotBugs Analysis….
[INFO] ———————-< com.ibm.fhir:fhir-audit >———————–
[INFO] Building fhir-audit 4.0.0-SNAPSHOT [7/37]
[INFO] ——————————–[ jar ]—————————–—-
[INFO]
[INFO] — spotbugs-maven-plugin:3.1.8:spotbugs (default-cli) @ fhir-audit —
[INFO] Fork Value is true
[java] Warnings generated: 22
[INFO] Done SpotBugs Analysis….
[INFO]
[INFO]

Look for the spotbugs.xml such as /fhir-task-core/target/spotbugsXml.xml It contains a wealth of information

<BugCollection sequence=’0′ release=” analysisTimestamp=’1570751830498′ version=’3.1.8′ timestamp=’1570747471677′><Project projectName=’fhir-task-core’><Jar>/Users//git/wffh/FHIR/fhir-task-core/target/classes</Jar><AuxClasspathEntry>/.m2/repository/com/ibm/fhir/fhir-task-api/4.0.0-SNAPSHOT/fhir-task-api-4.0.0-SNAPSHOT.jar</AuxClasspathEntry><SrcDir>/Users//git/wffh/FHIR/fhir-task-core/src/main/java</SrcDir><WrkDir>/Users//git/wffh/FHIR/fhir-task-core/target</WrkDir></Project><Errors missingClasses=’0′ errors=’0′></Errors><FindBugsSummary num_packages=’2′ total_classes=’3′ total_size=’151′ clock_seconds=’1.83′ referenced_classes=’43’ vm_version=’11.0.4+11′ total_bugs=’0′ java_version=’11.0.4′ gc_seconds=’0.04′ alloc_mbytes=’2048.00′ cpu_seconds=’6.49′ peak_mbytes=’170.15′ timestamp=’Thu, 10 Oct 2019 18:44:31 -0400′><FileStats path=’com/ibm/fhir/task/core/impl/TaskGroup.java’ size=’66’ bugCount=’0′></FileStats><FileStats path=’com/ibm/fhir/task/core/impl/TaskManager.java’ size=’80’ bugCount=’0′></FileStats><FileStats path=’com/ibm/fhir/task/core/service/TaskService.java’ size=’5′ bugCount=’0′></FileStats><PackageStats package=’com.ibm.fhir.task.core.impl’ total_bugs=’0′ total_size=’146′ total_types=’2′><ClassStats bugs=’0′ size=’66’ interface=’false’ sourceFile=’TaskGroup.java’ class=’com.ibm.fhir.task.core.impl.TaskGroup’></ClassStats><ClassStats bugs=’0′ size=’80’ interface=’false’ sourceFile=’TaskManager.java’ class=’com.ibm.fhir.task.core.impl.TaskManager’></ClassStats></PackageStats><PackageStats package=’com.ibm.fhir.task.core.service’ total_bugs=’0′ total_size=’5′ total_types=’1′><ClassStats bugs=’0′ size=’5′ interface=’false’ sourceFile=’TaskService.java’ class=’com.ibm.fhir.task.core.service.TaskService’></ClassStats></PackageStats><FindBugsProfile><ClassProfile avgMicrosecondsPerInvocation=’799′ totalMilliseconds=’423′ name=’edu.umd.cs.findbugs.classfile.engine.ClassInfoAnalysisEngine’ maxMicrosecondsPerInvocation=’19514′ standardDeviationMicrosecondsPerInvocation=’1641′ invocations=’530′></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’2237′ totalMilliseconds=’96’ name=’edu.umd.cs.findbugs.detect.FieldItemSummary’ maxMicrosecondsPerInvocation=’16801′ standardDeviationMicrosecondsPerInvocation=’3891′ invocations=’43’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’125′ totalMilliseconds=’66’ name=’edu.umd.cs.findbugs.classfile.engine.ClassDataAnalysisEngine’ maxMicrosecondsPerInvocation=’2775′ standardDeviationMicrosecondsPerInvocation=’165′ invocations=’532′></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’1276′ totalMilliseconds=’54’ name=’edu.umd.cs.findbugs.detect.FindNoSideEffectMethods’ maxMicrosecondsPerInvocation=’7402′ standardDeviationMicrosecondsPerInvocation=’1809′ invocations=’43’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’315′ totalMilliseconds=’51’ name=’edu.umd.cs.findbugs.OpcodeStack$JumpInfoFactory’ maxMicrosecondsPerInvocation=’3493′ standardDeviationMicrosecondsPerInvocation=’435′ invocations=’162′></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’89′ totalMilliseconds=’44’ name=’edu.umd.cs.findbugs.util.TopologicalSort’ maxMicrosecondsPerInvocation=’1522′ standardDeviationMicrosecondsPerInvocation=’164′ invocations=’493′></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’1399′ totalMilliseconds=’33’ name=’edu.umd.cs.findbugs.classfile.engine.bcel.MethodGenFactory’ maxMicrosecondsPerInvocation=’28227′ standardDeviationMicrosecondsPerInvocation=’5597′ invocations=’24’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’1276′ totalMilliseconds=’33’ name=’edu.umd.cs.findbugs.classfile.engine.bcel.ValueNumberDataflowFactory’ maxMicrosecondsPerInvocation=’11157′ standardDeviationMicrosecondsPerInvocation=’2187′ invocations=’26’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’1357′ totalMilliseconds=’32’ name=’edu.umd.cs.findbugs.classfile.engine.bcel.TypeDataflowFactory’ maxMicrosecondsPerInvocation=’11718′ standardDeviationMicrosecondsPerInvocation=’2383′ invocations=’24’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’740′ totalMilliseconds=’31’ name=’edu.umd.cs.findbugs.detect.NoteDirectlyRelevantTypeQualifiers’ maxMicrosecondsPerInvocation=’7105′ standardDeviationMicrosecondsPerInvocation=’1250′ invocations=’43’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’457′ totalMilliseconds=’31’ name=’edu.umd.cs.findbugs.classfile.engine.bcel.JavaClassAnalysisEngine’ maxMicrosecondsPerInvocation=’11558′ standardDeviationMicrosecondsPerInvocation=’1457′ invocations=’69’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’1310′ totalMilliseconds=’31’ name=’edu.umd.cs.findbugs.classfile.engine.bcel.IsNullValueDataflowFactory’ maxMicrosecondsPerInvocation=’6290′ standardDeviationMicrosecondsPerInvocation=’1487′ invocations=’24’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’604′ totalMilliseconds=’26’ name=’edu.umd.cs.findbugs.detect.FunctionsThatMightBeMistakenForProcedures’ maxMicrosecondsPerInvocation=’5171′ standardDeviationMicrosecondsPerInvocation=’1052′ invocations=’43’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’1025′ totalMilliseconds=’24’ name=’edu.umd.cs.findbugs.classfile.engine.bcel.UnconditionalValueDerefDataflowFactory’ maxMicrosecondsPerInvocation=’5722′ standardDeviationMicrosecondsPerInvocation=’1207′ invocations=’24’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’993′ totalMilliseconds=’23’ name=’edu.umd.cs.findbugs.ba.npe.NullDerefAndRedundantComparisonFinder’ maxMicrosecondsPerInvocation=’3609′ standardDeviationMicrosecondsPerInvocation=’983′ invocations=’24’></ClassProfile><ClassProfile avgMicrosecondsPerInvocation=’523′ totalMilliseconds=’22’ name=’edu.umd.cs.findbugs.detect.BuildObligationPolicyDatabase’ maxMicrosecondsPerInvocation=’3748′ standardDeviationMicrosecondsPerInvocation=’790′ invocations=’43’></ClassProfile></FindBugsProfile></FindBugsSummary><ClassFeatures></ClassFeatures><History></History></BugCollection>

Multi-module Javadocs where Search doesn’t resolve the context properly

<additionalJOption>--no-module-directories</additionalJOption>

or

<additionalOption>--no-module-directories</additionalOption>

Search will generate which avoid the <undefined>, and use the root folder.

Links

• Maven Javadoc

If you see the warning…

Exception = javax.resource.spi.ResourceAllocationException
Source = com.ibm.ws.rsadapter.jdbc.WSJdbcDataSource.getConnection
probeid = 299
Stack Dump = javax.resource.spi.ResourceAllocationException: 
DSRA8100E: Unable to get a XAConnection from the DataSource. 
with SQL State : XJ041 SQL Code : 40000
    at com.ibm.ejs.j2c.FreePool.createManagedConnectionWithMCWrapper
(FreePool.java:1578)

LC_ALL is the way to fix.

Before executing the Java application.

export LC_ALL=en_US.UTF-8

Links

• StackOverflow
• Derby Tools
• Locales

Wagon Settings

I ran into an issue with Maven performance -Dmaven.wagon.http.retryHandler.count=3 to avoid failures.

• Maven Retry
• My Build
• My Pull Request
• Wagon Settings
• Package Registry Failure

Rebuild with a Clean Repo

The machine I build the jars on was not the same as my source repository.

I chose to purge:

mvn dependency:purge-local-repository -DmanualInclude=com.ibm.fhir

I then rebuilt the validation jars.

mvn clean package -Pfhir-validation-distribution,fhir-ig-carin-bb,fhir-ig-davinci-pdex-plan-net,fhir-ig-mcode,fhir-ig-us-core -DskipTests=true

Which pulls from the BinTray Repo

<repositories>
<repository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>bintray-ibm-watson-health-ibm-fhir-server-releases</id>
<name>bintray</name>
<url>https://dl.bintray.com/ibm-watson-health/ibm-fhir-server-releases</url>
</repository>
</repositories>