Raman Gupta created KARAF-4306:
----------------------------------
Summary: karaf-maven-plugin is not assembling the correct version
of dependencies
Key: KARAF-4306
URL: https://issues.apache.org/jira/browse/KARAF-4306
Project: Karaf
Issue Type: Bug
Components: karaf-tooling
Affects Versions: 4.0.4
Reporter: Raman Gupta
This is similar to KARAF-3994.
I see that the commit for that issue added the following TODO:
* TODO Need to also check for version ranges. Currently ranges are ignored and
all features matching the name
I have a similar problem -- the generated system repo contains all versions of
a feature that is matched by a range, not just the highest one that fulfills
all of the requirements of the boot features. This is an issue because the
generated repo may contain older (or newer) versions of libraries that have
CVEs against them, which is then flagged by ops.
For example:
My feature depends on spring-dm which depends on spring range [2.5.6,4). At
runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains
Spring 3.1.4 (as well as three versions of Spring 4), all of which are defined
in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs against it, so
the system is flagged by ops as using jars with security problems (even though
those jars are not actually used by the app).
Shouldn't the Builder apply the same resolution logic as is used by Karaf
itself, and assemble only those jars?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
