[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16280362#comment-16280362 ]

Grzegorz Grzybek commented on KARAF-4306:
-----------------------------------------

Works fine with 4.0.7, fixed with KARAF-4712. When I used 4.0.7 in your 
example, I got only Spring versions:
* {{3.1.4.RELEASE}} from {{org.springframework}} groupId as dependencies of 
{{spring-dm}}
* {{3.2.17.RELEASE_1}} from {{org.apache.servicemix.bundles}} groupId as 
dependencies of {{spring-dm}} (included in range) and of your 
{{feature-with-spring-dm}}

> karaf-maven-plugin is not assembling the correct version of dependencies
> ------------------------------------------------------------------------
>
>                 Key: KARAF-4306
>                 URL: https://issues.apache.org/jira/browse/KARAF-4306
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf-tooling
>    Affects Versions: 4.0.4
>            Reporter: Raman Gupta
>            Assignee: Jean-Baptiste Onofré
>             Fix For: 4.0.7, 4.1.4, 4.2.0
>
>
> This is similar to KARAF-3994.
> I see that the commit for that issue added the following TODO:
> * TODO Need to also check for version ranges. Currently ranges are ignored 
> and all features matching the name
> I have a similar problem -- the generated system repo contains all versions 
> of a feature that is matched by a range, not just the highest one that 
> fulfills all of the requirements of the boot features. This is an issue 
> because the generated repo may contain older (or newer) versions of libraries 
> that have CVEs against them, which is then flagged by ops.
> For example:
> My feature depends on spring-dm which depends on spring range [2.5.6,4). At 
> runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains 
> Spring 3.1.4 (as well as three versions of Spring 4), all of which are 
> defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs 
> against it, so the system is flagged by ops as using jars with security 
> problems (even though those jars are not actually used by the app).
> Shouldn't the Builder apply the same resolution logic as is used by Karaf 
> itself, and assemble only those jars?



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
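The difference the report turns on is between admitting every artifact a version range matches and resolving the range to the single highest match, which is what the OSGi resolver does at run time. The following is an added example illustrating that distinction; it is not Karaf's own code nor the Felix resolver, and the list of Spring versions it operates on is constructed for the example rather than taken from the issue.

```python
"""Added example: resolving an OSGi-style version range such as [2.5.6,4)
against a constructed list of available Spring versions. Shows how "every
match" (what the reporter saw in the assembled system repo) differs from
"highest match" (what the runtime actually resolves to). Illustrative only;
not Karaf's or Felix's implementation."""
import re
from functools import total_ordering


@total_ordering
class Version:
    """major.minor.micro[.qualifier]; missing numeric parts default to 0.

    Numeric parts compare numerically, the qualifier compares as a string,
    which is how OSGi orders versions (an empty qualifier sorts lowest).
    """

    def __init__(self, text):
        self.text = text.strip()
        parts = self.text.split(".", 3)
        numeric = parts[:3]
        self.qualifier = parts[3] if len(parts) == 4 else ""
        nums = [int(p) for p in numeric] + [0] * (3 - len(numeric))
        self.major, self.minor, self.micro = nums

    def _key(self):
        return (self.major, self.minor, self.micro, self.qualifier)

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return self._key() < other._key()

    def __repr__(self):
        return self.text


# Interval syntax: "[" or "(" lower, "," upper, "]" or ")". Upper may be empty.
_RANGE = re.compile(r"^\s*([\[(])\s*([^,\s]*)\s*,\s*([^\])\s]*)\s*([\])])\s*$")


class VersionRange:
    """Parses "[2.5.6,4)" style ranges; a bare version is an OSGi floor, [v,inf)."""

    def __init__(self, spec):
        self.spec = spec
        m = _RANGE.match(spec)
        if m:
            lo_br, lo, hi, hi_br = m.groups()
            self.low = Version(lo) if lo else Version("0")
            self.low_inclusive = lo_br == "["
            self.high = Version(hi) if hi else None  # empty upper bound: unbounded
            self.high_inclusive = hi_br == "]"
        else:
            self.low = Version(spec)
            self.low_inclusive = True
            self.high = None
            self.high_inclusive = False

    def contains(self, v):
        if isinstance(v, str):
            v = Version(v)
        if v < self.low or (v == self.low and not self.low_inclusive):
            return False
        if self.high is None:
            return True
        if v > self.high or (v == self.high and not self.high_inclusive):
            return False
        return True


def every_match(spec, available):
    """Every artifact the range admits, lowest to highest: the reported behaviour."""
    rng = VersionRange(spec)
    return sorted((v for v in available if rng.contains(v)), key=Version)


def resolve_one(spec, available):
    """The single highest match, which is what the runtime resolver picks."""
    matches = every_match(spec, available)
    return matches[-1] if matches else None


def dead_weight(spec, available):
    """Artifacts that would be shipped by every_match but never used at run time.

    These are exactly the jars an ops scanner flags for CVEs although the
    application never loads them."""
    winner = resolve_one(spec, available)
    return [v for v in every_match(spec, available) if v != winner]


# Constructed sample of what a Karaf "spring" feature repository might offer.
# The exact versions are illustrative and not taken from the issue.
SPRING_VERSIONS = [
    "2.5.6.SEC03", "3.1.4.RELEASE", "3.2.14.RELEASE",
    "4.0.7.RELEASE", "4.1.9.RELEASE", "4.2.9.RELEASE",
]

if __name__ == "__main__":
    spec = "[2.5.6,4)"
    print("range      :", spec)
    print("all matches:", every_match(spec, SPRING_VERSIONS))
    print("resolved   :", resolve_one(spec, SPRING_VERSIONS))
    print("dead weight:", dead_weight(spec, SPRING_VERSIONS))
```

Running it with the sample list resolves `[2.5.6,4)` to `3.2.14.RELEASE`, while `every_match` also returns `2.5.6.SEC03` and `3.1.4.RELEASE`; the latter two are the "dead weight" that an assembler copying every match would place in the system repo and that a vulnerability scanner would then report against, which is the situation the issue describes. Note that the exclusive upper bound `4` is parsed as `4.0.0` with an empty qualifier, so `4.0.7.RELEASE` and the other Spring 4 versions fall outside the range.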