
I am working on a task to remove issues identified by JFrog plug-in that identifies the entries in the POM by risk category - high, medium etc.

In my POM, I am getting the red squiggly lines for these entries and I am trying to figure out the cause of those as well as how to fix it.

[screenshot: the POM with red squiggly lines under the three dependencies below]

Adding text for POM. The reason for adding image earlier was to show the red squigglies. They show up only for the 3 dependencies in the image

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.apache.avro</groupId>
        <artifactId>avro</artifactId>
        <version>1.9.1</version>
    </dependency>
    <dependency>
        <groupId>org.jsonschema2pojo</groupId>
        <artifactId>jsonschema2pojo-maven-plugin</artifactId>
        <version>1.1.1</version>
    </dependency>

Also, when I look at the JFrog output, I would like to cleanup even the non-critical issues, like those shown in yellow in the below screen-shot.

I have not found a way to identify what the fix is in these situations and then apply the fix. This is a brand new application that I am working on, but I am using a POM from an existing application, as it is a big POM and I would need to implement most of the same functionality. For the new POM, I would like to start as clean as possible.

In the image below, the version that is showing up is for a downpath version of another jar. Also, for spring-boot-starter-web, JFrog doesn't show any critical issues, but in the POM it has the red squigglies.

That is what I am wondering: how can I fix the downpath version dependencies?

[screenshots: JFrog plugin output showing the flagged versions]

adbdkb
  • First, do not post a picture; better to post the text here... Second, why are you using a plugin as a dependency? That does not make sense (-maven-plugin)... ? – khmarbaise May 06 '21 at 18:58
  • Thanks. I will add the text. This particular project is supposed to generate Java classes from JSON using the jsonschema2pojo plugin, and that is why the existing project is using the Maven plug-in (I think). I just copied the POM and am now trying to clean it up. – adbdkb May 06 '21 at 19:15
  • @khmarbaise - Any suggestions on how I can go about cleaning up the POM to also make it security scan compliant? Thanks – adbdkb May 08 '21 at 14:50
  • First step: remove the plugin from the dependencies. – khmarbaise May 08 '21 at 15:01
  • Thanks @khmarbaise. Yes, I did remove it already after you suggested it earlier. Next, how do I find out what the problem with the squigglies under **spring-boot-starter-web** and **org.apache.avro** is? And then how do I fix my POM so that the versions in the dependent POMs don't show as critical or high? – adbdkb May 08 '21 at 15:25

2 Answers


To see more details about a vulnerable component, click on the yellow bulb and then "Show in dependency tree". The yellow bulb should appear when standing on the dependency or by pressing Alt+Enter.

[screenshot: "Show in dependency tree" action]

Under "Component Issue Details", you can review the issues related to the selected component and to its transitive components. The issues in bold are directly related to your component. In the following example, upgrading org.jenkins-ci.plugins:jira to 3.0.11 will resolve a critical level issue:

[screenshot: JFrog tool window]

To filter out non-critical issues, remove all severities except "Critical" in the Severity filter:

[screenshot: Severity filter]

Read more about scanning local projects in the JFrog IDEA plugin here.

yahavi
  • Thanks. If the version is not in your POM, but in a downpath dependent POM, how do we fix it? I am also updating the question with an image. Hope you can help me there. – adbdkb May 11 '21 at 18:24
  • If the transitive dependency version didn't change after updating the direct dependency version, do the following: 1. Add the transitive dependency as a direct dependency with the fixed version. 2. Right-click on the transitive dependency -> "Exclude dependency". – yahavi May 12 '21 at 06:35
  • I saw somewhere that a Property was added with the correct version for Transitive dependency. I tried it instead of adding it as a direct dependency and that also fixed it. But do not know if that is correct approach or if it would cause any other issues – adbdkb May 13 '21 at 11:21
  • You can check in the dependency tree under "Components" (after refresh) the true version of the transitive dependency. – yahavi May 13 '21 at 12:01
  • Thanks. That is where I got the versions. My question was more about adding it to the tag in pom.xml - whether that is the correct approach. Adding it this way does remove the item from showing up in the vulnerability list: 2.10.5.1 3.0.24. Not sure how we add code or other tags in a comment. – adbdkb May 13 '21 at 14:25
  • I have accepted the answer because it definitely helped. Please let me know, if you know, whether defining the version in the properties tag is the right approach to take. Thanks. – adbdkb May 14 '21 at 11:40
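The comments above describe two ways to deal with a vulnerable transitive dependency (pin it to a fixed version, or exclude it) and ask whether a version property is a valid third way. The following POM fragment is an added example, not code from the question, the answer, or JFrog; the artifact `com.example:transitive-lib`, the property name `transitive-lib.version` and the version `9.9.9-PLACEHOLDER` are placeholders standing in for whatever the plugin's "Components" dependency tree (or `mvn dependency:tree`) shows as the flagged artifact and its fixed version.

```xml
<!-- Added example, not from the original post. Replace every PLACEHOLDER
     with the real coordinates and fixed version from the dependency tree. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>            <!-- PLACEHOLDER -->
  <artifactId>clean-pom-demo</artifactId>   <!-- PLACEHOLDER -->
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- A property alone only changes the resolved version if a parent POM
         or imported BOM declares the artifact with exactly this property
         name. Check the parent's pom.xml before relying on it. -->
    <transitive-lib.version>9.9.9-PLACEHOLDER</transitive-lib.version>
  </properties>

  <!-- Approach 1 (pin): dependencyManagement forces this version for the
       artifact wherever it appears in the tree, direct or transitive,
       without turning it into a direct dependency of your code. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example</groupId>            <!-- PLACEHOLDER -->
        <artifactId>transitive-lib</artifactId>   <!-- PLACEHOLDER -->
        <version>${transitive-lib.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Direct dependency from the question; avro is the one that pulls
         the flagged artifact in, in this constructed scenario. -->
    <dependency>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro</artifactId>
      <version>1.9.1</version>
      <!-- Approach 2 (exclude): remove the flagged artifact from this path
           entirely. Use this instead of the pin only when nothing at
           runtime needs the excluded classes; otherwise the build passes
           but the application fails with NoClassDefFoundError later. -->
      <exclusions>
        <exclusion>
          <groupId>com.example</groupId>            <!-- PLACEHOLDER -->
          <artifactId>transitive-lib</artifactId>   <!-- PLACEHOLDER -->
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

Pick one approach per artifact rather than combining both. After editing, run `mvn dependency:tree -Dverbose` and confirm the artifact now appears at the pinned version (or not at all), then refresh the JFrog plugin scan; if the version printed is unchanged, the property name did not match the parent's and the dependencyManagement entry is the reliable form.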

I would recommend checking the dependency hierarchy and excluding the ones not required.

Refer to this:

https://www.educba.com/maven-exclude-dependency/

  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Oct 07 '22 at 13:07