My application uses Maven to build, and among its dependencies are LibA and LibB. Both of them in turn depend on the same library, com.thoughtworks.xstream:xstream, but LibA depends on version 1.4.16 and LibB depends on 1.4.8. When I run mvn dependency:tree, I can see that only the 1.4.16 version is being used, and when I unzip the built JAR file, I see that only xstream-1.4.16.jar is present. But Xray reports that my application has security issues because it depends on xstream version 1.4.8, through LibB.
Has anyone else run into this behavior? Is there a way to make Xray realize that our binary has nothing to do with the old 1.4.8 version?
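The situation the question describes is Maven's nearest-wins mediation: two paths to the same group:artifact, and only the version nearest the root is resolved and packaged. The verbose tree (mvn dependency:tree -Dverbose=true) still prints the losing version, parenthesised and marked "omitted for conflict with", so it can be compared against what a scanner flags. The script below is an added example, not code from the original post or from JFrog; it parses a constructed verbose-tree excerpt (the LibA/LibB and application coordinates, and the plugin version in the header line, are hypothetical; the xstream versions are those in the question) and answers, for a given group:artifact and flagged version, whether that version is the one Maven actually resolved. It only establishes what the build ships; it does not change what the scanner reports.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample of `mvn dependency:tree -Dverbose=true` output, standing in
# for the poster's build. The app, LibA and LibB coordinates and the plugin
# version are hypothetical; the xstream versions are the ones in the question.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ myapp ---
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- org.example:liba:jar:2.0.0:compile
[INFO] |  \\- com.thoughtworks.xstream:xstream:jar:1.4.16:compile
[INFO] \\- org.example:libb:jar:3.1.0:compile
[INFO]    \\- (com.thoughtworks.xstream:xstream:jar:1.4.8:compile - omitted for conflict with 1.4.16)
[INFO] BUILD SUCCESS
"""


class Node(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: str
    omitted_reason: str  # "" for the node Maven actually resolved

    @property
    def ga(self) -> str:
        return f"{self.group}:{self.artifact}"


# Strips the "[INFO]" tag and the tree-drawing characters (| + - \ and spaces).
_PREFIX = re.compile(r"^\[INFO\]\s*[|+\\\s-]*(.*?)\s*$")


def parse_line(line: str) -> Optional[Node]:
    """Parse one tree line; returns None for headers, separators and BUILD lines."""
    m = _PREFIX.match(line)
    if not m:
        return None
    body = m.group(1)
    omitted = body.startswith("(") and body.endswith(")")
    if omitted:
        body = body[1:-1]
    reason = ""
    if " - " in body:  # "<coords> - omitted for conflict with 1.4.16"
        body, reason = body.split(" - ", 1)
    parts = body.split(":")
    if len(parts) == 4:  # root artifact: group:artifact:type:version, no scope
        group, artifact, _type, version = parts
        scope = ""
    elif len(parts) == 5:  # group:artifact:type:version:scope
        group, artifact, _type, version, scope = parts
    elif len(parts) == 6:  # group:artifact:type:classifier:version:scope
        group, artifact, _type, _classifier, version, scope = parts
    else:
        return None
    if " " in group or " " in version:  # not a coordinate line (e.g. plugin header)
        return None
    return Node(group, artifact, version, scope, reason if omitted else "")


def parse_tree(text: str) -> List[Node]:
    return [n for n in (parse_line(line) for line in text.splitlines()) if n]


def resolved_versions(text: str) -> Dict[str, str]:
    """group:artifact -> the single version Maven resolved (nearest wins)."""
    return {n.ga: n.version for n in parse_tree(text) if not n.omitted_reason}


def omitted_versions(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """group:artifact -> [(version, reason)] for versions Maven dropped."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for n in parse_tree(text):
        if n.omitted_reason:
            out.setdefault(n.ga, []).append((n.version, n.omitted_reason))
    return out


def finding_is_reachable(text: str, ga: str, flagged_version: str) -> bool:
    """True only if the version a scanner flagged is the one Maven resolved."""
    return resolved_versions(text).get(ga) == flagged_version


def conflict_report(text: str) -> List[str]:
    """One line per dropped version, naming what the build uses instead."""
    resolved = resolved_versions(text)
    lines = []
    for ga, dropped in omitted_versions(text).items():
        for version, reason in dropped:
            lines.append(f"{ga}: {version} not in build ({reason}); "
                         f"build uses {resolved.get(ga, '?')}")
    return lines


if __name__ == "__main__":
    for entry in conflict_report(SAMPLE_TREE):
        print(entry)
    xstream = "com.thoughtworks.xstream:xstream"
    print("1.4.8 reachable:", finding_is_reachable(SAMPLE_TREE, xstream, "1.4.8"))
```

Run it against real output by piping mvn dependency:tree -Dverbose=true into a file and passing that text instead of SAMPLE_TREE; the non-verbose tree shows only the winning version and gives the parser nothing to compare. Note the parser keys on "[INFO]"-prefixed lines, so output produced with -q or a different logging format would need the prefix pattern adjusted.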