How to resolve issues in pom due to transitive dependencies


I am working on a task to remove issues identified by the JFrog plug-in, which classifies the entries in the POM by risk category (high, medium, etc.).

In my POM, I am getting red squiggly lines for these entries and I am trying to figure out the cause of those as well as how to fix them.

[screenshot: POM entries with red squiggly lines]

Adding the text of the POM. The reason for adding the image earlier was to show the red squigglies. They show up only for the 3 dependencies in the image:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.apache.avro</groupId>
        <artifactId>avro</artifactId>
        <version>1.9.1</version>
    </dependency>
    <dependency>
        <groupId>org.jsonschema2pojo</groupId>
        <artifactId>jsonschema2pojo-maven-plugin</artifactId>
        <version>1.1.1</version>
    </dependency>

Also, when I look at the JFrog output, I would like to clean up even the non-critical issues, like those shown in yellow in the screenshot below.

I have not found a way to identify what the fix is in these situations and then apply it. This is a brand new application that I am working on, but I am using a POM from an existing application, as it is a big POM and I would need to implement most of the same functionality; for a new POM, I would like to start as clean as possible.

In the image below, the version that is showing up is for a downpath version of another jar. Also, for spring-boot-starter-web, JFrog doesn't show any critical issues, but in the POM it has the red squigglies.

That is what I am wondering: how can I fix the downpath version dependencies?

[screenshots: JFrog plug-in output for the flagged dependencies]


There are 2 answers

yahavi, 6 votes (BEST ANSWER)

To see more details about a vulnerable component, click on the yellow bulb and then "Show in dependency tree". The yellow bulb should appear when the cursor is on the dependency, or by pressing Alt+Enter.

[screenshot: Show in dependency tree]

Under "Component Issue Details", you can review the issues related to the selected component and to its transitive components. The issues in bold are directly related to your component. In the following example, upgrading org.jenkins-ci.plugins:jira to 3.0.11 will resolve a critical level issue:

[screenshot: JFrog tool window]

To filter out non-critical issues, remove all severities except "Critical" in the Severity filter:

[screenshot: Severity filter]

Read more about scanning local projects in the JFrog IDEA plugin here.

Shreyank Byadagi, 1 vote

I would recommend checking the dependency hierarchy and excluding the ones that are not required.

Refer to this:

https://www.educba.com/maven-exclude-dependency/
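The two answers above point at the IDE plug-in and at exclusions; what neither shows is the POM that results. The following is an added example, not code from the question or either answer, of the two POM-level fixes for a flagged transitive dependency: pinning a patched version through dependencyManagement, and excluding the transitive when nothing on the used code path needs it. It also moves jsonschema2pojo-maven-plugin, which the question declares under dependencies, to build/plugins, where a Maven plugin belongs. The coordinates com.example, transitive-lib, unused-transitive and version 2.0.1 are hypothetical placeholders, not real artifacts or real advisories; only the avro and jsonschema2pojo coordinates come from the question.

```xml
<!-- Added example (not from the question or either answer). Coordinates marked
     "hypothetical" are placeholders, not real vulnerable artifacts. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>          <!-- hypothetical -->
  <artifactId>clean-pom</artifactId>      <!-- hypothetical -->
  <version>0.1.0-SNAPSHOT</version>

  <!-- 1. Find the path first. The scanner reports the transitive coordinate;
          this prints only the branches of the tree that lead to it:
            mvn dependency:tree -Dincludes=com.example.lib:transitive-lib
          Only then is it clear which direct dependency pulls it in. -->

  <!-- 2. Override the flagged version. A version declared here takes precedence
          over whatever version the transitive chain requests, for the whole
          tree, so this is the fix when a patched release of the transitive
          exists. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example.lib</groupId>       <!-- hypothetical transitive -->
        <artifactId>transitive-lib</artifactId>
        <version>2.0.1</version>                 <!-- hypothetical patched version -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- 3. Exclude the transitive when no fixed version exists and the code path
          that needs it is not used. Build and run the tests afterwards: a
          NoClassDefFoundError at runtime means the exclusion was wrong. -->
    <dependency>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro</artifactId>
      <version>1.9.1</version>
      <exclusions>
        <exclusion>
          <groupId>com.example.lib</groupId>     <!-- hypothetical -->
          <artifactId>unused-transitive</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <!-- 4. jsonschema2pojo-maven-plugin is a build plugin. Declared under
          <dependencies>, it and its own transitives land on the application
          classpath and get scanned as shipped code; under <build><plugins> it
          runs only at build time. -->
  <build>
    <plugins>
      <plugin>
        <groupId>org.jsonschema2pojo</groupId>
        <artifactId>jsonschema2pojo-maven-plugin</artifactId>
        <version>1.1.1</version>
      </plugin>
    </plugins>
  </build>
</project>
```

Re-run `mvn dependency:tree -Dincludes=...` after each change to confirm the flagged coordinate is gone from the resolved tree, since the IDE squiggle reflects the resolved tree, not the POM text. For spring-boot-starter-web the versions of its transitives are managed by the Spring Boot parent, so the override goes into the version property that spring-boot-dependencies defines for that library rather than into a dependencyManagement entry; and prefer the version pin over an exclusion whenever a patched release exists, because an exclusion silently removes classes that some code path may still load.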