You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@karaf.apache.org by "Jean-Baptiste Onofré (JIRA)" <ji...@apache.org> on 2017/12/15 09:34:00 UTC

[jira] [Resolved] (KARAF-4306) karaf-maven-plugin is not assembling the correct version of dependencies

     [ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré resolved KARAF-4306.
-----------------------------------------
       Resolution: Not A Problem
    Fix Version/s:     (was: 4.2.0)
                       (was: 4.1.4)
                       (was: 4.0.7)

I tested and it works fine with 4.0.7.

> karaf-maven-plugin is not assembling the correct version of dependencies
> ------------------------------------------------------------------------
>
>                 Key: KARAF-4306
>                 URL: https://issues.apache.org/jira/browse/KARAF-4306
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf-tooling
>    Affects Versions: 4.0.4
>            Reporter: Raman Gupta
>            Assignee: Jean-Baptiste Onofré
>
> This is similar to KARAF-3994.
> I see that the commit for that issue added the following TODO:
> * TODO Need to also check for version ranges. Currently ranges are ignored and all features matching the name
> I have a similar problem -- the generated system repo contains all versions of a feature that is matched by a range, not just the highest one that fulfills all of the requirements of the boot features. This is an issue because the generated repo may contain older (or newer) versions of libraries that have CVEs against them, which is then flagged by ops.
> For example:
> My feature depends on spring-dm which depends on spring range [2.5.6,4). At runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains Spring 3.1.4 (as well as three versions of Spring 4), all of which are defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs against it, so the system is flagged by ops as using jars with security problems (even though those jars are not actually used by the app).
> Shouldn't the Builder apply the same resolution logic as is used by Karaf itself, and assemble only those jars?



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)