Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Dependency Graph missing transitive dependencies when dependency has multiple sources

See original GitHub issue

When cyclonedx-maven-plugin 2.5.1 generates a BOM for a project that has direct dependencies X and Y and X and Y both have Z as a transitive dependency, then the dependency graph will describe Z as only being a dependency of X and will ignore it also being a dependency of Y.

This causes problems when Z has a vulnerability and X has an update available that contains a fixed version of Z, but Y does not. The dependency graph would suggest that updating X is sufficient to deal with the vulnerability. But it is not… and only AFTER the upgrade is completed and a new BOM generated will the dependency graph now show the dependency of Y on Z.

The problem can be illustrated by setting up a simple project with the following two dependencies


Both have com.fasterxml.jackson.core:jackson-databind as a dependency.

In plugin 2.5.1 BOM graph, jackson-databind is only reported as being a dependency of activemq-broker

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:10 (7 by maintainers)

github_iconTop GitHub Comments

ThomGeGcommented, May 5, 2022

Alright, I’m back after finding the problem and it’s unfortunately in the org.apache.maven.shared:maven-dependency-tree being used:

The fix has thankfully already been made back in December last year and I’ve confirmed it resolves our issue of no dependency graph in the BOMs, however they haven’t done a release since way back in July of 2021.

I’m not too familiar with how the Apache ecosystem works, so it’ll take me some time to figure out their process and try get them to do a release. If anybody else is more familiar with it, feel free to let me know or take a crack yourself

ThomGeGcommented, May 6, 2022

Alright, I’ve emailed the Apache dev mailing list asking if somebody can release the latest version of maven-dependency-tree so we can move to it (hopefully I’ve done it right). Apparently releases are something only a PMC can do and they’re quite an involved process, so if somebody is kind enough to help us it would still be a while before we can get our hands on it.

In the meantime I’ve also had a look at the degraph-maven-plugin Steve and Mark were previously talking about. It looks like this is the bit of code actually grabbing the dependency graph before walking it, which is just directly using the same classes from maven that maven-dependency-tree uses, so they’re bypassing the problem.

It’s probably also worth mentioning that the -Dverbose parameter on dependency:tree breaking trees for WARs is only a ‘recent’ issue. Part of why it took me so long to find the problem was that I was actually using a much older version of maven-dependency-plugin (and therefore maven-dependency-tree) for some testing which led me astray. Back in at least v2.8 the TreeMojo worked differently and would at least build trees.

If nothing comes of Apache releasing the latest version of maven-dependency-tree, I’ll take a crack at bypassing it like degraph-maven-plugin has done and raise a PR.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Some of the transitive dependencies are missing compared to ...
I've read the CONTRIBUTING guidelines steps files Under project directory, named sbt-issue. build.sbt name := "sbt-issue" organization ...
Read more >
Maven dependency:tree is not showing all transitive ...
mvn dependency:tree is listing all the transitive dependencies except for one particular dependency X whose transitive dependencies it does not list. When I...
Read more >
Viewing and debugging dependencies - Gradle User Manual
The origin of a dependency can be a declared dependency in the build script or a transitive dependency in graph plus their corresponding...
Read more >
Dependencies analysis | IntelliJ IDEA Documentation - JetBrains
If you have a large Java project with several modules that uses ... the information flow using the Dependency Structure Matrix analysis.
Read more >
Maven – Optional Dependencies and Dependency Exclusions
The answer is Yes. Project-A has declared that it doesn't need Project-D to run, so it won't be brought in as a transitive...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found