In large Maven-based projects that pull in several high-level frameworks, sooner or later two versions of the same dependency end up on the classpath, for example two versions of the same logging framework. This is not just untidy: which of the two copies of a class actually gets loaded depends on classpath order, and the older copy may carry bugs or known security fixes that the newer one already has, without anything in the build telling you.
One approach to solve such ambiguity is to pick one of the versions (one that is hopefully compatible with everything) and declare it as an explicit dependency. Maven's conflict resolution then prefers the version closest to your project. Nevertheless, other dependencies may still bring in another version transitively. A particularly nasty variant is the same library published under two different groupIds (for example after a project relocation): Maven only mediates between artifacts with identical groupId:artifactId coordinates, so in that case you end up with two similarly named jars and no conflict resolution at all.
Once you have a candidate, you can start looking for all the places the dependency comes from. Running
mvn dependency:tree -Dverbose -Dincludes=log4j:log4j
will show you the dependency tree restricted to the relevant excerpt. The verbose mode matters here, because it also prints the versions Maven omitted due to conflicts, together with the dependency that introduced them. Using this information you can now add your exclusions to the affected pom.xml files.
Exclusions are configured via the exclusion tag, which removes a specific transitive dependency from the dependency it is declared on. For example:
    <dependency>
        <groupId>sample.ProjectB</groupId>
        <artifactId>Project-B</artifactId>
        <version>1.0-SNAPSHOT</version>
        <exclusions>
            <exclusion>
                <groupId>log4j</groupId>
                <artifactId>log4j</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
By the way: Java IDEs can help you with this, most of them can show the dependency tree graphically and generate the exclusion for you.
Exclusions only fix today's tree: the next upgrade of any dependency can silently reintroduce the old version. To make sure the faulty versions never come back, let the build fail on them with the maven-enforcer-plugin and its bannedDependencies rule. The rule searches transitive dependencies as well, and the enforce goal runs early in the lifecycle (validate phase), so an offending artifact breaks the build before anything is compiled or packaged:
    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-enforcer-plugin</artifactId>
                <version>1.3.1</version>
                <executions>
                    <execution>
                        <id>enforce-version</id>
                        <goals>
                            <goal>enforce</goal>
                        </goals>
                        <configuration>
                            <rules>
                                <bannedDependencies>
                                    <excludes>
                                        <!-- exclude all versions lower than 1.2.17 -->
                                        <exclude>log4j:log4j:[0.0,1.2.17)</exclude>
                                    </excludes>
                                </bannedDependencies>
                            </rules>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
The version range [0.0,1.2.17) is inclusive at the lower bound and exclusive at the upper bound, so 1.2.17 itself stays allowed. If you would rather be told about every version disagreement instead of only the ones you already know about, the plugin's dependencyConvergence rule fails the build whenever any artifact is resolved in more than one version.