Lida Zhao created MASFRES-50:
--------------------------------
Summary: how could we resolve the transitive provided dependencies in maven?
Key: MASFRES-50
URL: https://issues.apache.org/jira/browse/MASFRES-50
Project: Apache Maven Resource Bundles
Issue Type: Improvement
Reporter: Lida Zhao
Recently, detecting log4j in programs has become an urgent job for many companies. I
know many SCA tools such as OWASP, Steady, snyk support doing this. But many
log4j deps are included as "provided" in transitive dependencies, such as
log4j in `com.alibaba:druid`. Let's consider the following condition:
my-company:my-app2:v1.0
\- com.alibaba:druid:jar:1.2.8:compile
   \- org.apache.logging.log4j:log4j-core:jar:2.13.3:provided
In this case, none of the above tools can detect log4j. But log4j is actually
called in druid, and some of the vulnerable code might be compiled into druid,
yet we don't know it if we don't check druid's pom manually.
My question is:
1. Why doesn't Maven list the transitive provided dependencies in the tree?
Just for a better understanding of the dependency relationship.
2. Without checking poms one by one manually, how could we resolve the
relationship such as log4j to my-app2?
A more detailed description is in:
https://stackoverflow.com/questions/70337939/how-could-we-resolve-the-transitive-provided-dependencies-in-maven
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
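The second question (finding the my-app2 -> druid -> log4j-core relationship without opening POMs one by one) can be answered by walking the POMs directly, because Maven's transitive resolution deliberately drops `provided`-scoped edges while the POM files still record them. The script below is an added example and is not part of the Jira issue, of Maven, or of any SCA tool. It uses constructed in-memory POMs (hypothetical stand-ins for the druid and log4j POMs, plus a `com.example:util` dependency whose POM is deliberately absent to show the "not downloaded" case) and also includes a loader for the standard `~/.m2/repository` layout. It is simplified: parent inheritance, `<dependencyManagement>` and `${property}` substitution are not resolved, so on real POMs it reports what the files literally declare.

```python
"""Report every path from a root artifact to a chosen artifact, following
'provided' and 'test' edges that `mvn dependency:tree` omits.

Added example; assumes a POM loader that maps (groupId, artifactId, version)
to POM XML text. SAMPLE_POMS below is constructed data, not the real POMs.
"""
import os
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POMs standing in for ~/.m2/repository. They are NOT the
# real druid or log4j POMs, only enough to reproduce the shape of the issue.
SAMPLE_POMS = {
    ("my-company", "my-app2", "1.0"): """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>my-company</groupId><artifactId>my-app2</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>com.alibaba</groupId><artifactId>druid</artifactId>
      <version>1.2.8</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>util</artifactId>
      <version>3.1</version></dependency>
  </dependencies>
</project>""",
    ("com.alibaba", "druid", "1.2.8"): """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.alibaba</groupId><artifactId>druid</artifactId><version>1.2.8</version>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
      <version>2.13.3</version><scope>provided</scope></dependency>
  </dependencies>
</project>""",
    ("org.apache.logging.log4j", "log4j-core", "2.13.3"): """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
  <version>2.13.3</version>
</project>""",
}


def direct_deps(pom_xml):
    """Return (groupId, artifactId, version, scope) for each direct <dependency>.
    Scope defaults to 'compile' as in Maven. Simplification: no parent POM
    inheritance, <dependencyManagement> or ${property} resolution."""
    root = ET.fromstring(pom_xml)
    deps = []
    for d in root.findall("m:dependencies/m:dependency", NS):
        deps.append((
            d.findtext("m:groupId", namespaces=NS),
            d.findtext("m:artifactId", namespaces=NS),
            d.findtext("m:version", namespaces=NS),
            d.findtext("m:scope", default="compile", namespaces=NS),
        ))
    return deps


def local_repo_pom(key, repo=os.path.expanduser("~/.m2/repository")):
    """Loader for a real local repository. Standard layout:
    <repo>/<groupId dots as dirs>/<artifactId>/<version>/<artifactId>-<version>.pom
    Returns None when the POM was never downloaded."""
    g, a, v = key
    path = os.path.join(repo, *g.split("."), a, v, f"{a}-{v}.pom")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as f:
        return f.read()


def find_paths(root_key, load_pom, matches, max_depth=12):
    """Depth-first walk returning every path root -> ... -> artifact for which
    matches(groupId, artifactId) is true. Every scope is followed, because the
    question is what a library was compiled against, not Maven's classpath."""
    found = []

    def walk(key, path, seen):
        pom = load_pom(key)
        if pom is None:      # POM missing from the repository: cannot descend
            return
        for g, a, v, scope in direct_deps(pom):
            child = (g, a, v)
            step = path + [(g, a, v, scope)]
            if matches(g, a):
                found.append(step)
            if child not in seen and len(step) < max_depth:  # guard cycles/depth
                walk(child, step, seen | {child})

    walk(root_key, [root_key + ("root",)], {root_key})
    return found


def format_path(path):
    """Render one path like Maven's tree output, with each edge's scope shown."""
    parts = []
    for g, a, v, scope in path:
        coord = f"{g}:{a}:{v}"
        parts.append(coord if scope == "root" else f"{coord} ({scope})")
    return " -> ".join(parts)


def log4j_core_paths(load_pom=lambda key: SAMPLE_POMS.get(key)):
    """All paths from the constructed my-app2 root to log4j-core, any scope."""
    return find_paths(
        ("my-company", "my-app2", "1.0"),
        load_pom,
        lambda g, a: g == "org.apache.logging.log4j" and a == "log4j-core",
    )


if __name__ == "__main__":
    for p in log4j_core_paths():
        print(format_path(p))
    # To run against a real project: pass local_repo_pom as load_pom after
    # `mvn dependency:go-offline` has populated ~/.m2 with the POMs.
```

On the constructed input this prints the one path the Jira tree hides, `my-company:my-app2:1.0 -> com.alibaba:druid:1.2.8 (compile) -> org.apache.logging.log4j:log4j-core:2.13.3 (provided)`, which is the relationship the issue asks for. The scope on each edge is kept in the output because it matters for triage: a `provided` edge tells you the library expects the host to supply log4j at runtime, so whether the application is exposed depends on what else ends up on the classpath.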