
Currently my project uses spring boot starter test as so:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-test</artifactId>
    <version>2.3.8.RELEASE</version>
    <scope>test</scope>
</dependency>

However, despite the test scope, it pulls in spring-core (which is a vulnerable tpl in this version) as a compile scope transitive dependency and it appears inside my compiled binary.

I'm aware that I can fix this by pulling spring-core explicitly with test scope:

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>5.2.12.RELEASE</version>
    <scope>test</scope>
</dependency>

However this shouldn't be necessary. Why is a dependency that's only available in tests pulling dependencies into the compile scope?

Bryan Tan
    A test dependency cannot pull compile scope dependencies. The problematic dependency is likely coming from somewhere else. Check the `mvn dependency:tree`. It might also be the case that dependencyManagement entries override the scope. – J Fabian Meier Feb 18 '22 at 09:47

1 Answer


I double checked after the comment from J Fabian Meier. While spring-core was appearing under spring-boot-starter-test in the dependency tree, it was being pulled into the compile scope by spring-boot-starter-web.

My guess is spring-boot-starter-test pulls a later version of spring-core, which is why it appeared in the tree as so.

Bryan Tan
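To make the `mvn dependency:tree` check from the comment concrete, here is an added example (not code from the question, the answer, or Spring Boot) that parses a constructed `-Dverbose` tree dump and reports every path that introduces a given artifact together with its resolved scope; only compile/runtime paths explain what ends up in the packaged binary, which is exactly how the starter-web path was separated from the starter-test one above.

```python
import re

# Constructed sample of `mvn dependency:tree -Dverbose` output (not from the
# original post's project): spring-core is listed under both starters, but only
# the path through spring-boot-starter-web resolves to compile scope.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.3.8.RELEASE:compile
[INFO] |  \\- org.springframework.boot:spring-boot-starter:jar:2.3.8.RELEASE:compile
[INFO] |     \\- org.springframework:spring-core:jar:5.2.12.RELEASE:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-test:jar:2.3.8.RELEASE:test
[INFO]    \\- (org.springframework:spring-core:jar:5.2.12.RELEASE:test - omitted for duplicate)
"""

# A tree line: the [INFO] tag, a run of 3-character drawing cells ("+- ", "\- ",
# "|  ", "   ") whose count is the nesting depth, then the coordinates.
_LINE = re.compile(r"^\[INFO\] (?P<cells>(?:\+- |\\- |\|  |   )*)(?P<rest>\S.*)$")
# Coordinates are group:artifact:type[:classifier]:version[:scope]; verbose
# output wraps omitted duplicates in parentheses with a trailing reason.
_COORDS = re.compile(r"^\(?([^\s()]+)")

# Scopes whose jars are copied into the packaged artifact.
PACKAGED_SCOPES = {"compile", "runtime"}


def find_occurrences(tree_text, group, artifact):
    """Every place group:artifact appears in the dump, as
    (path of group:artifact keys from the root, version, scope) tuples."""
    wanted = f"{group}:{artifact}"
    stack, found = [], []
    for line in tree_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # build chatter rather than a tree line
        depth = len(m.group("cells")) // 3
        parts = _COORDS.match(m.group("rest")).group(1).split(":")
        key = f"{parts[0]}:{parts[1]}"
        # The root project line has no scope field; every dependency line does.
        version, scope = (parts[-1], "root") if depth == 0 else (parts[-2], parts[-1])
        stack[depth:] = [key]  # pop back to this depth, then append
        if key == wanted:
            found.append((list(stack), version, scope))
    return found


def packaged_paths(tree_text, group, artifact):
    """Only the occurrences that land in the built binary. A test-scoped path,
    such as the one under spring-boot-starter-test, is never the cause."""
    return [o for o in find_occurrences(tree_text, group, artifact)
            if o[2] in PACKAGED_SCOPES]
```

Run it against your own `mvn dependency:tree -Dverbose` output and fix (upgrade or pin via `dependencyManagement`) the parent at the top of each path that `packaged_paths` reports, rather than adding a test-scoped override.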