Posted to issues@maven.apache.org by "Lida Zhao (Jira)" <ji...@apache.org> on 2021/12/14 02:15:00 UTC

[jira] [Commented] (MASFRES-50) how could we resolve the transitive provided dependencies in maven?

    [ https://issues.apache.org/jira/browse/MASFRES-50?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458859#comment-17458859 ] 

Lida Zhao commented on MASFRES-50:
----------------------------------

[~michael-o] sorry, but I didn't get it. Do you mean I should ask Alibaba? Actually `alibaba:druid` is just an example; my real question is that the Maven dependency tree is hiding the relationship between `log4j` and `my-app2`. I am wondering why Maven hides it. Since "provided" dependencies participate in compiling, part of their code is compiled into the target project, which can introduce a vulnerability into the target project. It is necessary for users to know if any vulnerable code has been introduced into their compilation.

> how could we resolve the transitive provided dependencies in maven?
> -------------------------------------------------------------------
>
>                 Key: MASFRES-50
>                 URL: https://issues.apache.org/jira/browse/MASFRES-50
>             Project: Apache Maven Resource Bundles
>          Issue Type: Improvement
>            Reporter: Lida Zhao
>            Priority: Major
>
> Recently, detecting log4j in programs is an urgent job for many companies. I know many SCA tools such as OWASP, Steady and snyk support doing this. But many log4j deps are included as "provided" in transitive dependencies, such as log4j in `com.alibaba:druid`. Let's consider the following condition:
> my-company:my-app2:v1.0
> \- com.alibaba:druid:jar:1.2.8:compile
>     \-org.apache.logging.log4j:log4j-core:jar:2.13.3:provided
> In this case, none of the above tools can detect log4j. But log4j is actually called in druid, and some of the vulnerable code might be compiled into druid, yet we don't know it if we don't check druid's pom manually.
> My question is:
>  # Why doesn't maven list the transitive provided dependencies in the tree? Just for a better understanding of the dependency relationship.
>  # Without checking poms one by one manually, how could we resolve the relationship such as log4j to my-app2?
>  
> more detailed description is in:
> https://stackoverflow.com/questions/70337939/how-could-we-resolve-the-transitive-provided-dependencies-in-maven



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
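As an added example (not part of this issue, nor Maven's own code), the following Python walker shows how the hidden relationship described above can be recovered from the POMs themselves rather than from `mvn dependency:tree`: it follows every declared dependency regardless of scope and reports provided dependencies that sit below the root. The `POMS` dict, `walk` and `hidden_provided` are assumptions made up here, the POM XML is constructed to mirror the issue's example, and versions are treated as literals (no parent, property or dependencyManagement resolution).

```python
import xml.etree.ElementTree as ET

NS = "http://maven.apache.org/POM/4.0.0"
# Constructed POMs mirroring the issue's example; a real run would load the
# same XML from ~/.m2/repository instead of this dict.
POMS = {
    "my-company:my-app2:v1.0": f"""<project xmlns="{NS}"><dependencies>
      <dependency><groupId>com.alibaba</groupId><artifactId>druid</artifactId>
        <version>1.2.8</version></dependency>
    </dependencies></project>""",
    "com.alibaba:druid:1.2.8": f"""<project xmlns="{NS}"><dependencies>
      <dependency><groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId><version>2.13.3</version>
        <scope>provided</scope></dependency>
    </dependencies></project>""",
    "org.apache.logging.log4j:log4j-core:2.13.3": f'<project xmlns="{NS}"/>',
}

def local(tag):
    """Strip the POM namespace so real and constructed POMs parse alike."""
    return tag.rsplit("}", 1)[-1]

def direct_deps(pom_xml):
    """Yield (groupId:artifactId:version, scope) for each declared dependency.
    Assumes literal versions (no parent/property/dependencyManagement lookup)."""
    root = ET.fromstring(pom_xml)
    for deps in root:
        if local(deps.tag) != "dependencies":
            continue  # skip dependencyManagement, build/plugins, etc.
        for dep in deps:
            f = {local(c.tag): (c.text or "").strip() for c in dep}
            yield (f"{f['groupId']}:{f['artifactId']}:{f['version']}",
                   f.get("scope") or "compile")

def walk(coords, poms, path=(), seen=None):
    """Return [(chain, scope)] for every reachable dependency, including the
    provided ones Maven omits from the root's resolved tree."""
    seen = set() if seen is None else seen
    chain, found = path + (coords,), []
    for dep, scope in direct_deps(poms.get(coords, "<project/>")):
        found.append((chain + (dep,), scope))
        if dep not in seen:  # cycle guard
            seen.add(dep)
            found.extend(walk(dep, poms, chain, seen))
    return found

def hidden_provided(root_coords, poms):
    """Provided deps below the root: compiled against by an intermediate
    artifact, yet absent from `mvn dependency:tree` run on the root."""
    return [" -> ".join(chain) for chain, scope in walk(root_coords, poms)
            if scope == "provided" and len(chain) > 2]
```

Running `hidden_provided("my-company:my-app2:v1.0", POMS)` yields the single chain my-app2 -> druid -> log4j-core, which is exactly the edge the resolved tree drops.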