[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15129976#comment-15129976 ]

Raman Gupta edited comment on KARAF-4306 at 2/3/16 7:45 AM:
------------------------------------------------------------

Note that I have a runtime issue with this too: see http://karaf.922171.n3.nabble.com/Karaf-insisting-on-loading-older-version-of-feature-td4045071.html. Probably a separate issue though.


was (Author: rocketraman):
Note that I have a runtime issue with this too: see http://karaf.922171.n3.nabble.com/Karaf-insisting-on-loading-older-version-of-feature-td4045071.html

> karaf-maven-plugin is not assembling the correct version of dependencies
> ------------------------------------------------------------------------
>
>                 Key: KARAF-4306
>                 URL: https://issues.apache.org/jira/browse/KARAF-4306
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf-tooling
>    Affects Versions: 4.0.4
>            Reporter: Raman Gupta
>
> This is similar to KARAF-3994.
> I see that the commit for that issue added the following TODO:
> * TODO Need to also check for version ranges. Currently ranges are ignored 
> and all features matching the name
> I have a similar problem -- the generated system repo contains all versions 
> of a feature that is matched by a range, not just the highest one that 
> fulfills all of the requirements of the boot features. This is an issue 
> because the generated repo may contain older (or newer) versions of libraries 
> that have CVEs against them, which is then flagged by ops.
> For example:
> My feature depends on spring-dm which depends on spring range [2.5.6,4). At 
> runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains 
> Spring 3.1.4 (as well as three versions of Spring 4), all of which are 
> defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs 
> against it, so the system is flagged by ops as using jars with security 
> problems (even though those jars are not actually used by the app).
> Shouldn't the Builder apply the same resolution logic as is used by Karaf 
> itself, and assemble only those jars?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
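The report turns on the difference between "every feature version that falls inside an OSGi version range" and "the one version a resolver actually selects". The following is an added Python example, not code from Karaf or from the reporter (Karaf's own builder and resolver are Java), that implements OSGi version and range semantics from scratch and shows the two selection strategies side by side on the report's `[2.5.6,4)` case. The Spring feature versions in `SPRING_VERSIONS` are constructed for the demonstration and are not taken from the Karaf Spring repository; `never_used` is a hypothetical helper that lists the jars a range-based assembly would ship but a resolver would never load.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True, order=True)
class Version:
    """OSGi-style version major.minor.micro.qualifier. order=True compares the
    fields as a tuple: numerically on the three numbers, lexically on the qualifier,
    which matches org.osgi.framework.Version semantics."""
    major: int
    minor: int = 0
    micro: int = 0
    qualifier: str = ""

    @classmethod
    def parse(cls, text: str) -> "Version":
        parts = text.strip().split(".", 3)
        nums = [int(p) for p in parts[:3]]
        nums += [0] * (3 - len(nums))            # "4" is the same version as "4.0.0"
        qualifier = parts[3] if len(parts) == 4 else ""
        return cls(nums[0], nums[1], nums[2], qualifier)

    def __str__(self) -> str:
        base = f"{self.major}.{self.minor}.{self.micro}"
        return f"{base}.{self.qualifier}" if self.qualifier else base


# "[low,high)" / "(low,high]" etc.; anything else is treated as a bare version.
_RANGE = re.compile(r"^\s*([\[(])\s*([^,\s]+)\s*,\s*([^\])\s]+)\s*([\])])\s*$")


@dataclass(frozen=True)
class VersionRange:
    low: Version
    low_inclusive: bool
    high: Optional[Version]      # None: open-ended "at least low" range
    high_inclusive: bool

    @classmethod
    def parse(cls, text: str) -> "VersionRange":
        m = _RANGE.match(text)
        if m is None:
            # OSGi semantics: a bare version such as "3.2" means [3.2, infinity)
            return cls(Version.parse(text), True, None, False)
        left, low, high, right = m.groups()
        return cls(Version.parse(low), left == "[", Version.parse(high), right == "]")

    def includes(self, v: Version) -> bool:
        if v < self.low or (v == self.low and not self.low_inclusive):
            return False
        if self.high is None:
            return True
        if v > self.high or (v == self.high and not self.high_inclusive):
            return False
        return True


def all_matching(available: List[Version], rng: VersionRange) -> List[Version]:
    """The behaviour the report describes: every version inside the range, ascending."""
    return sorted(v for v in available if rng.includes(v))


def highest_matching(available: List[Version], rng: VersionRange) -> Optional[Version]:
    """What a resolver does: exactly one version, the highest that satisfies the range."""
    matching = all_matching(available, rng)
    return matching[-1] if matching else None


def never_used(available: List[Version], rng: VersionRange) -> List[Version]:
    """Hypothetical helper: versions a range-based assembly ships that the resolver would
    never pick. These are the jars an inventory scan flags for CVEs although the
    application never loads them."""
    chosen = highest_matching(available, rng)
    return [v for v in all_matching(available, rng) if v != chosen]


# Constructed sample inventory, not the real contents of the Karaf Spring repo.
SPRING_VERSIONS = [Version.parse(s) for s in (
    "3.1.4.RELEASE", "3.2.14.RELEASE", "4.0.9.RELEASE", "4.1.9.RELEASE", "4.2.4.RELEASE")]
SPRING_DM_RANGE = VersionRange.parse("[2.5.6,4)")   # the range quoted in the report


if __name__ == "__main__":
    print("assembled by range :", [str(v) for v in all_matching(SPRING_VERSIONS, SPRING_DM_RANGE)])
    print("resolver would pick:", highest_matching(SPRING_VERSIONS, SPRING_DM_RANGE))
    print("never loaded       :", [str(v) for v in never_used(SPRING_VERSIONS, SPRING_DM_RANGE)])
```

Run as a script it prints both 3.x versions as "assembled by range" and only 3.2.14.RELEASE as the resolver's pick, leaving 3.1.4.RELEASE as the jar that exists in the repo purely because the range admits it. The same `never_used` comparison, pointed at a real assembled system repository and the ranges in its feature descriptors, is the check an operator would run to tell a genuine exposure from a jar that is merely present on disk.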
