As part of fixing vulnerable dependencies, I want to remove/upgrade a few dependencies, let's say json-smart. But in my project, even after excluding the dependency and adding it explicitly, Azure Defender or Qualys flags it as present. That confirms that the dependency is coming from some fat jar that is not visible via mvn dependency:tree nor by any IDE (be it Eclipse or IntelliJ IDEA).
Please help me in understanding if there is any way I can get the dependencies inside fat-jars/uber-jars so I can exclude the same to fix the issue.
I have already tried mvn dependency:tree, list and the JFrog scanner as well, but they do not identify vulnerable dependencies inside fat jars. I want to know if there is any way we can view all the dependencies inside fat jars included in the project.
An uberjar doesn't know about its dependencies on its own. It simply contains copies of all the classes from its dependencies.
By looking at the folder structure (see

jar tf fat.jar | less

) you can guess the list of the dependencies. However, depending on how the uberjar was generated, you may find useful information in the META-INF folder inside it. E.g. leiningen generates a META-INF/maven/ folder that contains pom.xml files for all the dependencies in a nested directory structure - that should be pretty easy to peek at and process if necessary.