Dependency Graph missing transitive dependencies when dependency has multiple sources
When cyclonedx-maven-plugin 2.5.1 generates a BOM for a project that has direct dependencies X and Y, and X and Y both have Z as a transitive dependency, then the dependency graph will describe Z as only being a dependency of X and will ignore it also being a dependency of Y.
This causes problems when Z has a vulnerability and X has an update available that contains a fixed version of Z, but Y does not. The dependency graph would suggest that updating X is sufficient to deal with the vulnerability. But it is not… and only AFTER the upgrade is completed and a new BOM generated will the dependency graph now show the dependency of Y on Z.
The problem can be illustrated by setting up a simple project with the following two dependencies:

    <dependency>
        <groupId>org.apache.activemq</groupId>
        <artifactId>activemq-broker</artifactId>
        <version>5.16.2</version>
    </dependency>
    <dependency>
        <groupId>org.apache.cassandra</groupId>
        <artifactId>cassandra-all</artifactId>
        <version>4.0.0</version>
    </dependency>
Both have com.fasterxml.jackson.core:jackson-databind 2.9.10.8 as a dependency.
In the plugin 2.5.1 BOM graph, jackson-databind is only reported as being a dependency of activemq-broker.
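The following is an added example that is not part of the original issue or of the cyclonedx-maven-plugin project. It encodes the X/Y/Z scenario from the report as two small CycloneDX-style `dependencies` sections (the refs are constructed purl-like strings, not output captured from the plugin): one graph as the issue says 2.5.1 emits it, with jackson-databind hanging only off activemq-broker, and one with the edge from cassandra-all that is actually present. The helper functions then answer the two questions a remediation engineer would ask of a BOM: which direct dependencies introduce the vulnerable component, and whether it would still be present after upgrading one of them. The incomplete graph answers both questions wrongly, which is exactly the false sense of security the issue describes.

```python
"""Added example: how a missing dependency-graph edge misleads remediation.

The BOM fragments below are constructed for illustration; the refs are
shortened purl-style strings, not values generated by cyclonedx-maven-plugin.
"""

ROOT = "pkg:maven/com.example/app@1.0.0"  # constructed project ref
ACTIVEMQ = "pkg:maven/org.apache.activemq/activemq-broker@5.16.2"
CASSANDRA = "pkg:maven/org.apache.cassandra/cassandra-all@4.0.0"
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.8"

# Graph as the issue reports plugin 2.5.1 emits it: jackson-databind is
# attached to activemq-broker only, and cassandra-all looks leaf-like.
BUGGY_BOM = {
    "dependencies": [
        {"ref": ROOT, "dependsOn": [ACTIVEMQ, CASSANDRA]},
        {"ref": ACTIVEMQ, "dependsOn": [JACKSON]},
        {"ref": CASSANDRA, "dependsOn": []},
        {"ref": JACKSON, "dependsOn": []},
    ]
}

# Graph as it should be: both direct dependencies pull in jackson-databind.
CORRECT_BOM = {
    "dependencies": [
        {"ref": ROOT, "dependsOn": [ACTIVEMQ, CASSANDRA]},
        {"ref": ACTIVEMQ, "dependsOn": [JACKSON]},
        {"ref": CASSANDRA, "dependsOn": [JACKSON]},
        {"ref": JACKSON, "dependsOn": []},
    ]
}


def build_graph(bom):
    """Map each component ref to the list of refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in bom["dependencies"]}


def _paths(graph, node, target, path, seen):
    """Depth-first search returning every path from node to target.
    'seen' is per-path so the same node may appear on different paths,
    but a cycle in the BOM cannot loop forever."""
    if node == target:
        return [path]
    found = []
    for child in graph.get(node, []):
        if child not in seen:
            found.extend(_paths(graph, child, target, path + [child], seen | {child}))
    return found


def paths_to(bom, root, target):
    """All dependency paths from root down to target."""
    return _paths(build_graph(bom), root, target, [root], {root})


def direct_dependencies_introducing(bom, root, target):
    """Direct dependencies of root whose subtree contains target.
    Every one of these must be upgraded or removed to eliminate target."""
    return sorted({p[1] for p in paths_to(bom, root, target) if len(p) > 1})


def still_present_after_fixing(bom, root, target, fixed_direct):
    """Simulate upgrading fixed_direct to a release that no longer pulls in
    target (drop that edge) and ask whether target is still reachable."""
    graph = build_graph(bom)
    graph[fixed_direct] = [c for c in graph.get(fixed_direct, []) if c != target]
    return bool(_paths(graph, root, target, [root], {root}))


if __name__ == "__main__":
    for name, bom in (("plugin 2.5.1 graph", BUGGY_BOM), ("correct graph", CORRECT_BOM)):
        print(name)
        print("  introduced by:", direct_dependencies_introducing(bom, ROOT, JACKSON))
        print("  still present after fixing activemq-broker:",
              still_present_after_fixing(bom, ROOT, JACKSON, ACTIVEMQ))
```

Run against the buggy graph, `direct_dependencies_introducing` names only activemq-broker and `still_present_after_fixing` reports that upgrading it clears jackson-databind; against the correct graph the same calls name both direct dependencies and report that the vulnerable artifact survives the activemq-broker upgrade via cassandra-all. A practical cross-check for a BOM produced by a tool with this defect is to compare the number of paths the BOM gives for a known-shared library against what `mvn dependency:tree` shows for the same project.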
Top GitHub Comments
Alright, I’m back after finding the problem and it’s unfortunately in the org.apache.maven.shared:maven-dependency-tree being used. The fix has thankfully already been made back in December last year and I’ve confirmed it resolves our issue of no dependency graph in the BOMs; however, they haven’t done a release since way back in July of 2021.

I’m not too familiar with how the Apache ecosystem works, so it’ll take me some time to figure out their process and try to get them to do a release. If anybody else is more familiar with it, feel free to let me know or take a crack yourself.
Alright, I’ve emailed the Apache dev mailing list asking if somebody can release the latest version of maven-dependency-tree so we can move to it (hopefully I’ve done it right). Apparently releases are something only a PMC can do and they’re quite an involved process, so if somebody is kind enough to help us it would still be a while before we can get our hands on it.

In the meantime I’ve also had a look at the degraph-maven-plugin Steve and Mark were previously talking about. It looks like this is the bit of code actually grabbing the dependency graph before walking it, which is just directly using the same classes from Maven that maven-dependency-tree uses, so they’re bypassing the problem.

It’s probably also worth mentioning that the -Dverbose parameter on dependency:tree breaking trees for WARs is only a ‘recent’ issue. Part of why it took me so long to find the problem was that I was actually using a much older version of maven-dependency-plugin (and therefore maven-dependency-tree) for some testing, which led me astray. Back in at least v2.8 the TreeMojo worked differently and would at least build trees.

If nothing comes of Apache releasing the latest version of maven-dependency-tree, I’ll take a crack at bypassing it like degraph-maven-plugin has done and raise a PR.