Conflicting versions of proguard-base in plugin classpath

[br3no]

I have the following plugin configuration

<plugin>
  <groupId>com.github.wvengen</groupId>
  <artifactId>proguard-maven-plugin</artifactId>
  <version>2.6.0</version>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>proguard</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <proguardInclude>${proguard.conf}</proguardInclude>
    <options>
      <option>-printmapping obfuscation.map</option>
      <option>-libraryjars  ${java.home}/jmods/java.base.jmod(!**.jar;!module-info.class)</option>
      <option>-libraryjars  ${java.home}/jmods/java.desktop.jmod(!**.jar;!module-info.class)</option>
    </options>
  </configuration>
</plugin>

Running the proguard maven goal with the -X option yields the following dependency resolution:

...
[INFO] --- proguard-maven-plugin:2.6.0:proguard (default-cli) @ if-pl-lisa ---
[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=334659, ConflictMarker.markTime=171655, ConflictMarker.nodeCount=83, ConflictIdSorter.graphTime=87706, ConflictIdSorter.topsortTime=34818, ConflictIdSorter.conflictIdCount=39, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=1202169, ConflictResolver.conflictItemCount=70, DefaultDependencyCollector.collectTime=172538325, DefaultDependencyCollector.transformTime=1870156}
[DEBUG] com.github.wvengen:proguard-maven-plugin:jar:2.6.0
[DEBUG]    net.sf.proguard:proguard-base:jar:6.1.1:runtime
[DEBUG]    com.guardsquare:proguard-base:jar:7.2.2:runtime (optional)
[DEBUG]       org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.6.10:runtime (optional)
[DEBUG]          org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.6.10:runtime (optional)
[DEBUG]       com.google.code.gson:gson:jar:2.8.5:runtime (optional)
[DEBUG]       org.apache.logging.log4j:log4j-api:jar:2.17.1:runtime (optional)
[DEBUG]       org.apache.logging.log4j:log4j-core:jar:2.17.1:runtime (optional)
[DEBUG]       org.json:json:jar:20211205:runtime (optional)
[DEBUG]    com.guardsquare:proguard-core:jar:9.0.1:runtime (optional)
[DEBUG]       org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.10:runtime (optional)
[DEBUG]          org.jetbrains:annotations:jar:13.0:runtime (optional)
[DEBUG]       org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.6.10:runtime (optional)
[DEBUG]       org.jetbrains.kotlinx:kotlinx-metadata-jvm:jar:0.4.1:runtime (optional)
[DEBUG]    org.apache.ant:ant:jar:1.10.12:compile
[DEBUG]       org.apache.ant:ant-launcher:jar:1.10.12:compile
[DEBUG]    org.apache.maven:maven-archiver:jar:2.4:compile
[DEBUG]       org.apache.maven:maven-artifact:jar:2.0:compile
[DEBUG]       org.apache.maven:maven-model:jar:2.0:compile
[DEBUG]       org.apache.maven:maven-project:jar:2.0:compile
[DEBUG]          org.apache.maven:maven-profile:jar:2.0:compile
[DEBUG]          org.apache.maven:maven-artifact-manager:jar:2.0:compile
[DEBUG]             org.apache.maven:maven-repository-metadata:jar:2.0:compile
[DEBUG]          org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-8:compile
[DEBUG]             junit:junit:jar:3.8.1:compile
[DEBUG]             classworlds:classworlds:jar:1.1-alpha-2:compile
[DEBUG]       org.codehaus.plexus:plexus-archiver:jar:1.0-alpha-11:compile
[DEBUG]          org.codehaus.plexus:plexus-component-api:jar:1.0-alpha-15:compile
[DEBUG]          org.codehaus.plexus:plexus-io:jar:1.0-alpha-3:compile
[DEBUG]       org.codehaus.plexus:plexus-utils:jar:1.4.9:compile
[DEBUG]       org.codehaus.plexus:plexus-interpolation:jar:1.6:compile
[DEBUG]    commons-io:commons-io:jar:2.11.0:compile
[DEBUG]    org.apache.maven:maven-plugin-api:jar:3.8.6:compile
[DEBUG]       org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.5:compile
[DEBUG]          javax.annotation:javax.annotation-api:jar:1.2:compile
[DEBUG]          org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.5:compile
[DEBUG]          org.codehaus.plexus:plexus-component-annotations:jar:1.5.5:compile
[DEBUG]       org.codehaus.plexus:plexus-classworlds:jar:2.6.0:compile
[DEBUG] Created new class realm plugin>com.github.wvengen:proguard-maven-plugin:2.6.0
...

Which leads to

[DEBUG] Populating class realm plugin>com.github.wvengen:proguard-maven-plugin:2.6.0
[DEBUG]   Included: com.github.wvengen:proguard-maven-plugin:jar:2.6.0
[DEBUG]   Included: net.sf.proguard:proguard-base:jar:6.1.1
[DEBUG]   Included: com.guardsquare:proguard-base:jar:7.2.2
[DEBUG]   Included: org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.6.10
[DEBUG]   Included: org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.6.10
[DEBUG]   Included: com.google.code.gson:gson:jar:2.8.5
[DEBUG]   Included: org.apache.logging.log4j:log4j-api:jar:2.17.1
[DEBUG]   Included: org.apache.logging.log4j:log4j-core:jar:2.17.1
[DEBUG]   Included: org.json:json:jar:20211205
[DEBUG]   Included: com.guardsquare:proguard-core:jar:9.0.1
[DEBUG]   Included: org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.10
[DEBUG]   Included: org.jetbrains:annotations:jar:13.0
[DEBUG]   Included: org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.6.10
[DEBUG]   Included: org.jetbrains.kotlinx:kotlinx-metadata-jvm:jar:0.4.1
[DEBUG]   Included: org.apache.ant:ant:jar:1.10.12
[DEBUG]   Included: org.apache.ant:ant-launcher:jar:1.10.12
[DEBUG]   Included: org.apache.maven:maven-archiver:jar:2.4
[DEBUG]   Included: junit:junit:jar:3.8.1
[DEBUG]   Included: org.codehaus.plexus:plexus-archiver:jar:1.0-alpha-11
[DEBUG]   Included: org.codehaus.plexus:plexus-io:jar:1.0-alpha-3
[DEBUG]   Included: org.codehaus.plexus:plexus-utils:jar:1.4.9
[DEBUG]   Included: org.codehaus.plexus:plexus-interpolation:jar:1.6
[DEBUG]   Included: commons-io:commons-io:jar:2.11.0
[DEBUG]   Included: javax.annotation:javax.annotation-api:jar:1.2
[DEBUG]   Included: org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.5
[DEBUG]   Included: org.codehaus.plexus:plexus-component-annotations:jar:1.5.5

Both proguard-base artifacts (com.guardsquare and net.sf.proguard) are in the plugin classpath.

On some machines I have observed, that the proguard goal logs out the version 6.1.1, even though the log states it's using the 7.2.0 jar. This may lead to obfuscation failing:

11:27:58  [INFO] proguard jar: [/home/breno/.m2/repository/com/guardsquare/proguard-base/7.2.0/proguard-base-7.2.0.jar]
11:27:59   [proguard] Picked up JAVA_TOOL_OPTIONS: -Dmaven.ext.class.path="/home/breno/jenkins/workspace/_2877-insight-plugin-licensing_3@tmp/withMavendae6d79d/pipeline-maven-spy.jar" -Dorg.jenkinsci.plugins.pipeline.maven.reportsFolder="/home/breno/jenkins/workspace/_2877-insight-plugin-licensing_3@tmp/withMavendae6d79d" 
11:27:59   [proguard] ProGuard, version 6.1.1
11:27:59   [proguard] Exception in thread "main" java.lang.NoSuchMethodError: 'void proguard.io.ClassReader.<init>(boolean, boolean, boolean, proguard.classfile.util.WarningPrinter, proguard.classfile.visitor.ClassVisitor)'
11:27:59   [proguard] 	at proguard.InputReader.execute(InputReader.java:95)
11:27:59   [proguard] 	at proguard.ProGuard.readInput(ProGuard.java:266)
11:27:59   [proguard] 	at proguard.ProGuard.execute(ProGuard.java:97)
11:27:59   [proguard] 	at proguard.ProGuard.main(ProGuard.java:591)

I haven't found any dependency declaration on net.sf.proguard:proguard-base in the plugin code, and am really confused about where this is coming from.

I have reproduced the above with different JDK versions (17, 11) and with maven 3.6.3.

This issue could be related with #235 and #141.

[barisunsalhn]

Any solution did you find?