I have a maven project "Project-1". This project uses some dependencies, let's consider jackson databind 2.9.8

Another maven project "Project-2" uses "Project-1" as a dependency.

"Project-3" uses "Project-2" as a dependency.

In the "Project-3", I used jackson databind 2.10.0 using the dependency management tag. Additionally, under the dependency tag of "Project-2" inside the pom of "Project-1", I added the exclusion tag of jackson databind.

In the dependency tree of "Project-3", only one version of jackson databind is getting resolved which is 2.10.0

But, in a security scan in the pipeline, it is still reporting some security issue for the jackson databind 2.9.8

I am not sure how come this version is getting resolved even though it is not mentioned in the dependency tree.

I am trying to add the exclusion in the "Project-1" now. But, is there any better way to exclude it in "Project-3"?

Prabhakaran
  • Have a look at `mvn dependency:list` and see if it is still there. – J Fabian Meier May 04 '21 at 10:04
  • It is not showing in the dependencies list as well. But, I scanned again. It is there in the scan. – Prabhakaran May 04 '21 at 10:32
  • So, what does the scanner scan? Project dependencies, maven plugin dependencies? Maybe the scanner also scans excluded dependencies? – J Fabian Meier May 04 '21 at 10:33
  • The scanner scans the final jar that the maven builds. Though the dependency list doesn't show the older version, somehow maven packs the old jars as well. That's why I am trying to exclude it in the pom – Prabhakaran May 04 '21 at 10:38
  • So, where does it appear in the maven logs? – J Fabian Meier May 04 '21 at 11:43
  • It doesn't appear in maven logs. When the "Project 3" is added as a dependency jar in the classpath, that particular jar has the jackson-databind in the form of packages. – Prabhakaran May 04 '21 at 13:07
  • So, if it is not in the dependency list and not in the logs that Maven writes during the build, then it is not pulled by Maven and you will not be able to "exclude" it in Maven. – J Fabian Meier May 04 '21 at 13:41
  • There are logs in maven of pulling project 3 as a dependency. But there is no log of Jackson databind being resolved from project 3. Ideally, when I open the project 3 jar from the classpath, it has the Jackson databind inside it. – Prabhakaran May 04 '21 at 15:46

1 Answer


It seems like the dependency "jackson databind" is not pulled by Maven, so there is no way to exclude it in Maven.

It may be the dependency of a Maven plugin you run, and you can try to find that out by running Maven with the debug flag -X. Then you might need to remove that plugin.

It may as well be the case that your "scanner" does not only scan the dependencies of the project, but other things as well. Maybe it is a bug in the scanner so that excluded artifacts are also scanned.

J Fabian Meier
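The comments say the scanner reads the final jar and finds jackson-databind classes packaged inside it, which `mvn dependency:tree` will never show. The following is an added Python check, not code from the question or the answer, that reports what a jar-level scanner sees: it reads the Maven coordinates recorded in `META-INF/maven/<groupId>/<artifactId>/pom.properties` and flags databind class packages bundled directly into the jar. The jar it inspects is constructed in a temporary directory as sample input; `project-3.jar` and the stub class bytes are assumptions.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Package prefix of jackson-databind classes: seeing it inside a jar means the library was
# shaded/bundled into that artifact, so Maven's dependency tree will never list it.
DATABIND_PKG = "com/fasterxml/jackson/databind/"
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def inspect_jar(jar_path):
    """Return ({(groupId, artifactId): version}, databind_classes_bundled) for one jar.

    Versions are read from META-INF/maven/<groupId>/<artifactId>/pom.properties, which
    shade/assembly builds usually copy in alongside the classes; bundled databind classes
    without such a file are still reported, with version 'unknown'.
    """
    coords, bundled = {}, False
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            m = POM_PROPS.match(name)
            if m:
                text = jar.read(name).decode("utf-8", "replace")
                # Minimal .properties parsing: key=value lines, '#' lines are comments.
                props = dict(line.split("=", 1) for line in text.splitlines()
                             if "=" in line and not line.startswith("#"))
                coords[(m.group(1), m.group(2))] = props.get("version", "unknown").strip()
            elif name.startswith(DATABIND_PKG) and name.endswith(".class"):
                bundled = True
    if bundled:
        coords.setdefault(("com.fasterxml.jackson.core", "jackson-databind"), "unknown")
    return coords, bundled


def build_sample_jar(directory):
    """Construct a sample fat jar (not a real build output) that bundles databind 2.9.8."""
    path = Path(directory) / "project-3.jar"  # assumed artifact name
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(DATABIND_PKG + "ObjectMapper.class", b"\xca\xfe\xba\xbe")  # stub class
        jar.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                     "#Generated by Maven\nversion=2.9.8\n"
                     "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n")
    return path


def scan_sample():
    """Build the sample jar in a temp dir and report what a jar-level scanner would see."""
    with tempfile.TemporaryDirectory() as tmp:
        coords, bundled = inspect_jar(build_sample_jar(tmp))
    return {f"{g}:{a}": v for (g, a), v in coords.items()}, bundled
```

Running `inspect_jar` against the real downstream jar on the classpath shows whether the 2.9.8 classes were shaded in by an upstream build, in which case the fix belongs in that project's shade/assembly configuration rather than in an exclusion.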