Hi,
we're hunting vulnerabilities in our dependency tree and I have a
question that came up while doing so.
We are using HBase (I'm a committer there as well) and HBase has (had)
a dependency on the now retired HTrace:
<dependency>
  <groupId>org.apache.htrace</groupId>
  <artifactId>htrace-core4</artifactId>
</dependency>
HTrace in version 4.2.0-incubating has a dependency on
jackson-databind 2.4.0 [1, 2], but it also uses the shade plugin to
relocate all of its dependencies [3].
The published POM of HTrace contains no trace of these dependencies [4].
A vulnerability scanner like Trivy [5] does find the code via the
META-INF/maven/ files, but if HTrace is included via several levels
(e.g. Phoenix -> HBase -> HTrace) it is very hard to follow along and
find the actual place a dependency comes from.
I also tried the Maven CycloneDX generator and that also does not list
jackson-databind as a dependency.
My question: Is this expected? How can I build an accurate dependency
tree that includes all dependencies?
I feel like I must be doing something obviously wrong.
Thank you for your help.
Cheers,
Lars
[1] <https://github.com/apache/incubator-retired-htrace/blob/2ce9d3b25a49d371a7b48e389b56d50a0164c8a0/pom.xml#L308-L312>
[2] <https://github.com/apache/incubator-retired-htrace/blob/2ce9d3b25a49d371a7b48e389b56d50a0164c8a0/htrace-core4/pom.xml#L98-L101>
[3] <https://github.com/apache/incubator-retired-htrace/blob/2ce9d3b25a49d371a7b48e389b56d50a0164c8a0/htrace-core4/pom.xml#L52-L59>
[4] <https://repo1.maven.org/maven2/org/apache/htrace/htrace-core4/4.2.0-incubating/htrace-core4-4.2.0-incubating.pom>
[5] <https://github.com/aquasecurity/trivy>
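The mechanism the post describes (shaded dependencies vanish from the published POM but their META-INF/maven/*/pom.properties files survive inside the jar, which is what Trivy picks up) can be reproduced with a small check of your own. The following is an added example, not code from the post, from HTrace or from Trivy; the sample jar it builds is constructed in memory and only mimics the shape of htrace-core4 4.2.0-incubating with jackson-databind 2.4.0 relocated into it (groupId com.fasterxml.jackson.core is the real one, the class entry is made up):

```python
import io
import zipfile


def parse_pom_properties(text):
    """Parse a Maven pom.properties file: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def bundled_artifacts(jar_bytes):
    """Return (groupId, artifactId, version) for every Maven module whose
    metadata is bundled in the jar as META-INF/maven/<g>/<a>/pom.properties.
    The shade plugin keeps these files for relocated dependencies, so they
    reveal code that the published POM never mentions."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_pom_properties(jar.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    found.append((props["groupId"], props["artifactId"], props["version"]))
    return sorted(found)


def hidden_dependencies(jar_bytes, own_group, own_artifact):
    """Bundled artifacts other than the jar's own module: the dependencies
    a POM-based tool (mvn dependency:tree, CycloneDX) will not list."""
    return [a for a in bundled_artifacts(jar_bytes) if (a[0], a[1]) != (own_group, own_artifact)]


def build_sample_jar():
    """Constructed sample jar; file contents are made up for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.htrace/htrace-core4/pom.properties",
                     "#Generated by Maven\nversion=4.2.0-incubating\n"
                     "groupId=org.apache.htrace\nartifactId=htrace-core4\n")
        jar.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                     "version=2.4.0\ngroupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n")
        jar.writestr("org/apache/htrace/core/Example.class", b"\xca\xfe\xba\xbe")  # placeholder
    return buf.getvalue()


if __name__ == "__main__":
    for g, a, v in hidden_dependencies(build_sample_jar(), "org.apache.htrace", "htrace-core4"):
        print(f"bundled but absent from POM: {g}:{a}:{v}")
```

Run over every jar on the real classpath (hbase-*/lib, a Phoenix client jar) rather than over the POM graph, and the transitive chain that hides the shaded copy stops mattering.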