
Dependency Graph missing transitive dependencies when dependency has multiple sources


When cyclonedx-maven-plugin 2.5.1 generates a BOM for a project that has direct dependencies X and Y and X and Y both have Z as a transitive dependency, then the dependency graph will describe Z as only being a dependency of X and will ignore it also being a dependency of Y.

This causes problems when Z has a vulnerability and X has an update available that contains a fixed version of Z, but Y does not. The dependency graph would suggest that updating X is sufficient to deal with the vulnerability. But it is not… and only AFTER the upgrade is completed and a new BOM generated will the dependency graph now show the dependency of Y on Z.

The problem can be illustrated by setting up a simple project with the following two dependencies:

<dependency>
    <groupId>org.apache.activemq</groupId>
    <artifactId>activemq-broker</artifactId>
    <version>5.16.2</version>
</dependency>
<dependency>
    <groupId>org.apache.cassandra</groupId>
    <artifactId>cassandra-all</artifactId>
    <version>4.0.0</version>
</dependency>

Both have com.fasterxml.jackson.core:jackson-databind 2.9.10.8 as a dependency.

In the plugin 2.5.1 BOM graph, jackson-databind is only reported as being a dependency of activemq-broker.
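The remediation question the issue raises, as an added example (not code from the issue or from cyclonedx-maven-plugin): given the "dependencies" section of a CycloneDX JSON BOM, list every direct dependency through which a vulnerable component is reachable. The bom-refs are purls built from the coordinates above, the root project name is made up, and the two BOM fragments are constructed to mirror the graph the plugin reports and the graph the build actually has.

```python
# Added example: walk CycloneDX "dependencies" entries to find which direct
# dependencies must be upgraded to get rid of a vulnerable transitive artifact.
from collections import defaultdict

# bom-refs as purls; ROOT is a made-up project name, the rest come from the issue.
ROOT = "pkg:maven/com.example/demo@1.0.0"
ACTIVEMQ = "pkg:maven/org.apache.activemq/activemq-broker@5.16.2"
CASSANDRA = "pkg:maven/org.apache.cassandra/cassandra-all@4.0.0"
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.8"

# Constructed graph as cyclonedx-maven-plugin 2.5.1 reports it:
# jackson-databind appears only under activemq-broker.
BOM_REPORTED = {"dependencies": [
    {"ref": ROOT, "dependsOn": [ACTIVEMQ, CASSANDRA]},
    {"ref": ACTIVEMQ, "dependsOn": [JACKSON]},
    {"ref": CASSANDRA, "dependsOn": []},
    {"ref": JACKSON, "dependsOn": []},
]}

# Constructed graph the build actually has: both direct deps pull in jackson-databind.
BOM_ACTUAL = {"dependencies": [
    {"ref": ROOT, "dependsOn": [ACTIVEMQ, CASSANDRA]},
    {"ref": ACTIVEMQ, "dependsOn": [JACKSON]},
    {"ref": CASSANDRA, "dependsOn": [JACKSON]},
    {"ref": JACKSON, "dependsOn": []},
]}


def parents(bom):
    """Invert the dependsOn edges: component -> set of components depending on it."""
    rev = defaultdict(set)
    for entry in bom["dependencies"]:
        for child in entry.get("dependsOn", []):
            rev[child].add(entry["ref"])
    return rev


def remediation_targets(bom, root, vulnerable):
    """Direct dependencies of `root` whose subtree contains `vulnerable`.

    All of them need an upgrade or an exclusion; an incomplete graph under-reports them.
    """
    rev = parents(bom)
    direct = set(next(e for e in bom["dependencies"] if e["ref"] == root)["dependsOn"])
    targets, stack, seen = set(), [vulnerable], set()
    while stack:  # walk upwards from the vulnerable component to the root
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        if node in direct:
            targets.add(node)
        stack.extend(rev.get(node, ()))
    return targets
```

Run against BOM_REPORTED the function names only activemq-broker, which is exactly the misleading "updating X is sufficient" conclusion the issue describes; against BOM_ACTUAL it names both direct dependencies.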

Top GitHub Comments

ThomGeG commented, May 5, 2022

Alright, I’m back after finding the problem and it’s unfortunately in the org.apache.maven.shared:maven-dependency-tree being used:

The fix has thankfully already been made back in December last year and I’ve confirmed it resolves our issue of no dependency graph in the BOMs, however they haven’t done a release since way back in July of 2021.

I’m not too familiar with how the Apache ecosystem works, so it’ll take me some time to figure out their process and try to get them to do a release. If anybody else is more familiar with it, feel free to let me know or take a crack yourself.

ThomGeG commented, May 6, 2022

Alright, I’ve emailed the Apache dev mailing list asking if somebody can release the latest version of maven-dependency-tree so we can move to it (hopefully I’ve done it right). Apparently releases are something only a PMC can do and they’re quite an involved process, so if somebody is kind enough to help us it would still be a while before we can get our hands on it.

In the meantime I’ve also had a look at the degraph-maven-plugin Steve and Mark were previously talking about. It looks like this is the bit of code actually grabbing the dependency graph before walking it, which is just directly using the same classes from maven that maven-dependency-tree uses, so they’re bypassing the problem.

It’s probably also worth mentioning that the -Dverbose parameter on dependency:tree breaking trees for WARs is only a ‘recent’ issue. Part of why it took me so long to find the problem was that I was actually using a much older version of maven-dependency-plugin (and therefore maven-dependency-tree) for some testing which led me astray. Back in at least v2.8 the TreeMojo worked differently and would at least build trees.
If nothing comes of Apache releasing the latest version of maven-dependency-tree, I’ll take a crack at bypassing it like degraph-maven-plugin has done and raise a PR.
