[https://issues.apache.org/jira/browse/MASFRES-50?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Michael Osipov resolved MASFRES-50.
-----------------------------------
Resolution: Invalid
Wrong forum. Ask the 40 thieves.
> how could we resolve the transitive provided dependencies in maven?
> -------------------------------------------------------------------
>
> Key: MASFRES-50
> URL: https://issues.apache.org/jira/browse/MASFRES-50
> Project: Apache Maven Resource Bundles
> Issue Type: Improvement
> Reporter: Lida Zhao
> Priority: Major
>
> Recently detecting log4j in programs is an urgent job for many companies. I
> know many SCA tools such as OWASP, Steady, snyk support doing this. But many
> log4j deps are included as "provided" in transitive dependencies, such as
> log4j in `com.alibaba:druid`. Let's consider the following condition:
> my-company:my-app2:v1.0
> \- com.alibaba:druid:jar:1.2.8:compile
>    \- org.apache.logging.log4j:log4j-core:jar:2.13.3:provided
> In this case, none of the above tools can detect log4j. But log4j is actually
> called in druid, and some of the vulnerable code might be compiled into
> druid, yet we don't know it if we didn't check druid's pom manually.
> My question is:
> 1. Why doesn't maven list the transitive provided dependencies in the tree?
> Just for a better understanding of the dependency relationship.
> 2. Without checking poms one by one manually, how could we resolve the
> relationship such as log4j to my-app2?
>
> A more detailed description is in:
> https://stackoverflow.com/questions/70337939/how-could-we-resolve-the-transitive-provided-dependencies-in-maven
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
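The behaviour the reporter hit is Maven's transitive scope mediation: a dependency that a library declares with `provided` (or `test`) scope is not transitive at all, so it never appears in the resolved tree and any scanner that relies on that tree never sees it. The script below, an added example that is not code from the issue, from Maven, or from any SCA tool, walks a set of POMs twice: once applying Maven's scope table (reproducing the tree the reporter saw) and once keeping every declared edge, then reports the coordinates that only the second walk finds. The POMs, coordinates and versions are constructed inline from the shape of the issue's example tree; the druid POM is a stand-in, not the real artifact, and a real inventory would read POMs from the local repository instead of the `POMS` dictionary.

```python
"""Surface transitive `provided` dependencies that Maven resolution omits.

Added example, not code from the issue, Maven or an SCA tool. POMs are
constructed below; replace the POMS store with a loader over ~/.m2 for real use.
"""
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"


def pom(group, artifact, version, deps=()):
    """Build a minimal POM string; deps are (group, artifact, version, scope)."""
    body = "".join(
        f"<dependency><groupId>{g}</groupId><artifactId>{a}</artifactId>"
        f"<version>{v}</version><scope>{s}</scope></dependency>"
        for g, a, v, s in deps)
    return (f'<project xmlns="http://maven.apache.org/POM/4.0.0">'
            f"<groupId>{group}</groupId><artifactId>{artifact}</artifactId>"
            f"<version>{version}</version><dependencies>{body}</dependencies></project>")


# Constructed POM store keyed by groupId:artifactId:version. The druid entry is
# a stand-in shaped after the issue's example tree, not the real druid POM.
POMS = {
    "my-company:my-app2:v1.0": pom("my-company", "my-app2", "v1.0",
        [("com.alibaba", "druid", "1.2.8", "compile")]),
    "com.alibaba:druid:1.2.8": pom("com.alibaba", "druid", "1.2.8",
        [("org.apache.logging.log4j", "log4j-core", "2.13.3", "provided")]),
    "org.apache.logging.log4j:log4j-core:2.13.3":
        pom("org.apache.logging.log4j", "log4j-core", "2.13.3"),
}
EMPTY = pom("unknown", "unknown", "0")  # placeholder for POMs not in the store


def declared_dependencies(pom_xml):
    """Return [(coord, scope)] exactly as declared in one POM (default scope compile)."""
    root = ET.fromstring(pom_xml)
    out = []
    for d in root.findall(f"{NS}dependencies/{NS}dependency"):
        coord = ":".join(d.findtext(NS + t) for t in ("groupId", "artifactId", "version"))
        out.append((coord, d.findtext(NS + "scope") or "compile"))
    return out


def mediated_scope(parent_scope, declared_scope):
    """Maven's transitive scope table: a dependency declared `provided` or `test`
    is not transitive; otherwise the parent's scope dominates the child's."""
    if declared_scope in ("provided", "test"):
        return None
    if parent_scope == "compile":
        return declared_scope          # compile stays compile, runtime stays runtime
    if parent_scope == "runtime":
        return "runtime"
    return parent_scope                # provided/test parents pass on their own scope


def walk(root_coord, maven_rules, pom_store=POMS):
    """Return [(depth, coord, scope)] under root_coord. With maven_rules=True the
    walk mimics Maven resolution (transitive provided/test edges vanish); with
    False every declared edge is kept, which is what an SCA inventory needs."""
    out, seen = [], set()

    def visit(coord, parent_scope, depth):
        for child, declared in declared_dependencies(pom_store.get(coord, EMPTY)):
            if depth == 1 or not maven_rules:
                scope = declared
            else:
                scope = mediated_scope(parent_scope, declared)
                if scope is None:
                    continue           # this is the edge that hides log4j-core
            if child in seen:
                continue               # first sighting wins (simplified conflict rule)
            seen.add(child)
            out.append((depth, child, scope))
            visit(child, scope, depth + 1)

    visit(root_coord, "compile", 1)
    return out


def hidden_provided_dependencies(root_coord, pom_store=POMS):
    """Coordinates present in the full declared graph but absent from the
    Maven-resolved tree: the transitive `provided` artifacts the issue asks about."""
    resolved = {c for _, c, _ in walk(root_coord, True, pom_store)}
    return sorted(c for _, c, _ in walk(root_coord, False, pom_store) if c not in resolved)


if __name__ == "__main__":
    root = "my-company:my-app2:v1.0"
    for depth, coord, scope in walk(root, False):
        print("   " * (depth - 1) + f"\\- {coord}:{scope}")
    print("hidden from Maven resolution:", hidden_provided_dependencies(root))
```

The "hidden" list is the inventory a defender wants next to the resolved tree: each entry is a library that a direct dependency expects the application to supply, and that Maven therefore leaves off the classpath it reports. Whether such an artifact is actually loaded at runtime depends on the application's own declarations, so the list is a lead to verify against the deployed artifact, not a confirmed finding.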