Skip to content
This repository has been archived by the owner on Nov 6, 2018. It is now read-only.

transitively depending on vulnerable version of commons-collections #338

Open
jkremser opened this issue Aug 22, 2018 · 0 comments
Open

transitively depending on vulnerable version of commons-collections #338

jkremser opened this issue Aug 22, 2018 · 0 comments

Comments

@jkremser
Copy link

jkremser commented Aug 22, 2018
edited
Loading

for the builder-annotations dependency consider adding something like

                <exclusions>
                    <exclusion>
                        <groupId>commons-collections</groupId>
                        <artifactId>commons-collections</artifactId>
                    </exclusion>
                </exclusions>

and then bringing back the dependency

            <dependency>
                <groupId>commons-collections</groupId>
                <artifactId>commons-collections</artifactId>
                <scope>provided</scope>
                <version>3.2.2</version>
            </dependency>

Because currently your library is being reported by tools like snyk.io that are not smart enough to figure out that commons-collections in that broken 3.2.1 version will not end up at the class path at the end... the scope (provided) was declared in the parent pom and the tool wasn't probably good enough to get it.

see the screenshot:
https://i.imgur.com/ehUTAfU.png

same holds for:

  • com.fasterxml.jackson.core:jackson-databind:2.7.7
  • com.fasterxml.jackson.core:jackson-core:2.7.7
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jkremser