I am trying to release this Scala library to Maven using Nexus OSS repository manager (sonatype).

My library has a dependency on the latest version of the Play Framework (com.typesafe.play:play_2.13:2.8.18), which in turn depends on an old version of com.fasterxml.jackson (2.11.4). In my build configuration I have overriden the dependency using:

dependencyOverrides += "com.fasterxml.jackson.core" % "jackson-databind" % "2.13.4"

I have verified that the build uses the correct version of jackson-databind using the sbt dependency tree plugin, and also by inspecting the cache files.

Despite this, when I release to maven by using the sbt-sonatype plugin (version 3.9.14), my release is rejected by the Sonatype Lift vulnerability scanner because of vulnerabilities in pkg:maven/com.fasterxml.jackson.core/[email protected], i.e. an older version than the library that is actually used in my build, as specified in dependencyOverrides.

When I examine the build artifacts that are automatically submitted to the Nexus repo manager, the only dependencies that are mentioned are top-level dependencies are specified in the POM file (see below). So it seems that Sonatype Lift looks at these top-level dependencies, and walks the dependency graph looking for vulnerabilities in the implied dependencies, ignoring the fact that I have explicitly overriden the version of jackson-databind in my build.

Is there any way for the dependency override to be propagated to the POM?

<?xml version='1.0' encoding='UTF-8'?>
<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.mesonomics</groupId>
    <artifactId>play-hmac-signatures_2.13</artifactId>
    <packaging>jar</packaging>
    <description>play-hmac-signatures</description>
    <url>https://github.com/phelps-sg/play-hmac-signatures</url>
    <version>0.2.2</version>
    <licenses>
        <license>
            <name>Apache-2.0</name>
            <url>http://www.apache.org/licenses/LICENSE-2.0</url>
            <distribution>repo</distribution>
        </license>
    </licenses>
    <name>play-hmac-signatures</name>
    <organization>
        <name>com.mesonomics</name>
        <url>https://github.com/phelps-sg/play-hmac-signatures</url>
    </organization>
    <scm>
        <url>https://github.com/phelps-sg/play-hmac-signatures</url>
        <connection>[email protected]:phelps-sg/play-hmac-signatures.git</connection>
    </scm>
    <developers>
        <developer>
            <id>phelps-sg</id>
            <name>Steve Phelps</name>
            <url>https://github.com/usernamehttps://github.com/phelps-sg</url>
            <email>[email protected]</email>
        </developer>
    </developers>
    <dependencies>
        <dependency>
            <groupId>org.scala-lang</groupId>
            <artifactId>scala-library</artifactId>
            <version>2.13.10</version>
        </dependency>
        <dependency>
            <groupId>com.typesafe.play</groupId>
            <artifactId>play_2.13</artifactId>
            <version>2.8.18</version>
        </dependency>
        <dependency>
            <groupId>com.google.inject</groupId>
            <artifactId>guice</artifactId>
            <version>5.1.0</version>
        </dependency>
        <dependency>
            <groupId>org.scalactic</groupId>
            <artifactId>scalactic_2.13</artifactId>
            <version>3.2.14</version>
        </dependency>
        <dependency>
            <groupId>org.scalatest</groupId>
            <artifactId>scalatest_2.13</artifactId>
            <version>3.2.14</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.scalatestplus.play</groupId>
            <artifactId>scalatestplus-play_2.13</artifactId>
            <version>5.1.0</version>
            <scope>test</scope>
        </dependency>
    </dependencies>
</project>
1

There are 1 answers

0
Peewee 733 On BEST ANSWER

It seems that the artifact is in fact eventually published on Maven, despite the reported vulnerabilities, and it was simply a case of waiting.