Posted to issues@karaf.apache.org by "Grzegorz Grzybek (JIRA)" <ji...@apache.org> on 2017/12/06 15:57:00 UTC

[jira] [Commented] (KARAF-4306) karaf-maven-plugin is not assembling the correct version of dependencies

    [ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16280362#comment-16280362 ] 

Grzegorz Grzybek commented on KARAF-4306:
-----------------------------------------

Works fine with 4.0.7, fixed with KARAF-4712. When I used 4.0.7 in your example, I got only Spring versions:
* {{3.1.4.RELEASE}} from {{org.springframework}} groupId as dependencies of {{spring-dm}}
* {{3.2.17.RELEASE_1}} from {{org.apache.servicemix.bundles}} groupId as dependencies of {{spring-dm}} (included in range) and of your {{feature-with-spring-dm}}

> karaf-maven-plugin is not assembling the correct version of dependencies
> ------------------------------------------------------------------------
>
>                 Key: KARAF-4306
>                 URL: https://issues.apache.org/jira/browse/KARAF-4306
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf-tooling
>    Affects Versions: 4.0.4
>            Reporter: Raman Gupta
>            Assignee: Jean-Baptiste Onofré
>             Fix For: 4.0.7, 4.1.4, 4.2.0
>
>
> This is similar to KARAF-3994.
> I see that the commit for that issue added the following TODO:
> * TODO Need to also check for version ranges. Currently ranges are ignored and all features matching the name
> I have a similar problem -- the generated system repo contains all versions of a feature that is matched by a range, not just the highest one that fulfills all of the requirements of the boot features. This is an issue because the generated repo may contain older (or newer) versions of libraries that have CVEs against them, which is then flagged by ops.
> For example:
> My feature depends on spring-dm which depends on spring range [2.5.6,4). At runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains Spring 3.1.4 (as well as three versions of Spring 4), all of which are defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs against it, so the system is flagged by ops as using jars with security problems (even though those jars are not actually used by the app).
> Shouldn't the Builder apply the same resolution logic as is used by Karaf itself, and assemble only those jars?
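As an added illustration (not code from Karaf, the reporter, or the commenter), the following Python sketch implements the selection the reporter asks the Builder to perform: parse an OSGi version range and keep only the highest candidate that satisfies it, so a range such as [2.5.6,4) yields one Spring artifact instead of every version the features repository lists, which is what lets older CVE-affected jars into the system repo. The 3.1.4 and 3.2.17 versions come from the thread; the 4.x strings in the candidate list are constructed placeholders.

```python
"""Pick the single highest version satisfying an OSGi version range.

Added example, not Karaf's own code: shows the resolution logic that
would avoid assembling every range-matched version into system/.
"""
import re
from functools import total_ordering


@total_ordering
class Version:
    """OSGi version major.minor.micro.qualifier; missing parts default to 0 / ''."""

    def __init__(self, text):
        parts = text.strip().split(".", 3)
        nums = [int(p) for p in parts[:3]]
        nums += [0] * (3 - len(nums))
        self.major, self.minor, self.micro = nums
        self.qualifier = parts[3] if len(parts) > 3 else ""

    def _key(self):
        # numeric parts compare numerically, qualifier compares as a string
        return (self.major, self.minor, self.micro, self.qualifier)

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return self._key() < other._key()

    def __str__(self):
        base = f"{self.major}.{self.minor}.{self.micro}"
        return f"{base}.{self.qualifier}" if self.qualifier else base


# '[lo,hi)' style ranges; a bare version (no brackets) means "lo or newer"
_RANGE = re.compile(r"^\s*([\[(])\s*([^,\s]+)\s*,\s*([^\]\)\s]+)\s*([\])])\s*$")


def in_range(version, spec):
    """True if `version` satisfies `spec`, e.g. '[2.5.6,4)', '(3,4]' or '3.2'."""
    m = _RANGE.match(spec)
    if m is None:
        return Version(spec) <= version
    lo_b, lo, hi, hi_b = m.groups()
    lo_ok = Version(lo) <= version if lo_b == "[" else Version(lo) < version
    hi_ok = version <= Version(hi) if hi_b == "]" else version < Version(hi)
    return lo_ok and hi_ok


def select_highest(candidates, spec):
    """Return the highest candidate version string matching `spec`, or None."""
    matching = [Version(c) for c in candidates if in_range(Version(c), spec)]
    return str(max(matching)) if matching else None


# Constructed candidate list: 3.1.4 and 3.2.17 are named in the thread,
# the 4.x entries are placeholders standing in for "three versions of Spring 4".
SPRING_CANDIDATES = ["3.1.4.RELEASE", "3.2.17.RELEASE_1",
                     "4.0.0.RELEASE", "4.1.0.RELEASE", "4.2.0.RELEASE"]

if __name__ == "__main__":
    print(select_highest(SPRING_CANDIDATES, "[2.5.6,4)"))  # prints 3.2.17.RELEASE_1
```

With the range from the report, only 3.2.17.RELEASE_1 is selected; 3.1.4.RELEASE and the 4.x versions would not be copied into the assembly.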



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)