I am working on a task to remove issues identified by JFrog plug-in that identifies the entries in the POM by risk category - high, medium etc.
In my POM, I am getting the red squiggly lines for these entries and I am trying to figure out the cause of those as well as how to fix it.
Adding text for POM. The reason for adding image earlier was to show the red squigglies. They show up only for the 3 dependencies in the image
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.apache.avro</groupId>
<artifactId>avro</artifactId>
<version>1.9.1</version>
</dependency>
<dependency>
<groupId>org.jsonschema2pojo</groupId>
<artifactId>jsonschema2pojo-maven-plugin</artifactId>
<version>1.1.1</version>
</dependency>
Also, when I look at the JFrog output, I would like to cleanup even the non-critical issues, like those shown in yellow in the below screen-shot.
I have not found a way to identify what the fix is in these situations and then apply the fix. This is a brand new application that I am working on, but using a POM from an existing application as it is a big pom and i would need to implement most of the similar functionality, but for a new pom, would like to start as clean as possible
In the image below, the version that is showing up is for downpath version of another jar. Also, for the spring-boot-starter-web, in JFrog, it doesn't show any critical issues, but in the pom it has the red squigglys.
That is what I am wondering, how can I fix the downpath version dependencies.
To see more details about a vulnerable component, click on the yellow bulb and then "Show in dependency tree". The yellow bulb should appear when standing on the dependency or by clicking
alt
+enter
.Under "Component Issue Details", you can review the issues related to the selected component and to its transitive components. The issues in bold are directly related to your component. In the following example, upgrading org.jenkins-ci.plugins:jira to 3.0.11 will resolve a critical level issue:
To filter out non-critical issues remove all severities except "Critical" in the Severity filter:
Read more about scanning local projects in the JFrog IDEA plugin here.