I am trying to release this Scala library to Maven using Nexus OSS repository manager (sonatype).
My library has a dependency on the latest version of the Play Framework (com.typesafe.play:play_2.13:2.8.18), which in turn depends on an old version of com.fasterxml.jackson (2.11.4). In my build configuration I have overriden the dependency using:
dependencyOverrides += "com.fasterxml.jackson.core" % "jackson-databind" % "2.13.4"
I have verified that the build uses the correct version of jackson-databind using the sbt dependency tree plugin, and also by inspecting the cache files.
Despite this, when I release to maven by using the sbt-sonatype plugin (version 3.9.14), my release is rejected by the Sonatype Lift vulnerability scanner because of vulnerabilities in pkg:maven/com.fasterxml.jackson.core/[email protected], i.e. an older version than the library that is actually used in my build, as specified in dependencyOverrides.
When I examine the build artifacts that are automatically submitted to the Nexus repo manager, the only dependencies that are mentioned are top-level dependencies are specified in the POM file (see below). So it seems that Sonatype Lift looks at these top-level dependencies, and walks the dependency graph looking for vulnerabilities in the implied dependencies, ignoring the fact that I have explicitly overriden the version of jackson-databind in my build.
Is there any way for the dependency override to be propagated to the POM?
<?xml version='1.0' encoding='UTF-8'?>
<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0">
<modelVersion>4.0.0</modelVersion>
<groupId>com.mesonomics</groupId>
<artifactId>play-hmac-signatures_2.13</artifactId>
<packaging>jar</packaging>
<description>play-hmac-signatures</description>
<url>https://github.com/phelps-sg/play-hmac-signatures</url>
<version>0.2.2</version>
<licenses>
<license>
<name>Apache-2.0</name>
<url>http://www.apache.org/licenses/LICENSE-2.0</url>
<distribution>repo</distribution>
</license>
</licenses>
<name>play-hmac-signatures</name>
<organization>
<name>com.mesonomics</name>
<url>https://github.com/phelps-sg/play-hmac-signatures</url>
</organization>
<scm>
<url>https://github.com/phelps-sg/play-hmac-signatures</url>
<connection>[email protected]:phelps-sg/play-hmac-signatures.git</connection>
</scm>
<developers>
<developer>
<id>phelps-sg</id>
<name>Steve Phelps</name>
<url>https://github.com/usernamehttps://github.com/phelps-sg</url>
<email>[email protected]</email>
</developer>
</developers>
<dependencies>
<dependency>
<groupId>org.scala-lang</groupId>
<artifactId>scala-library</artifactId>
<version>2.13.10</version>
</dependency>
<dependency>
<groupId>com.typesafe.play</groupId>
<artifactId>play_2.13</artifactId>
<version>2.8.18</version>
</dependency>
<dependency>
<groupId>com.google.inject</groupId>
<artifactId>guice</artifactId>
<version>5.1.0</version>
</dependency>
<dependency>
<groupId>org.scalactic</groupId>
<artifactId>scalactic_2.13</artifactId>
<version>3.2.14</version>
</dependency>
<dependency>
<groupId>org.scalatest</groupId>
<artifactId>scalatest_2.13</artifactId>
<version>3.2.14</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.scalatestplus.play</groupId>
<artifactId>scalatestplus-play_2.13</artifactId>
<version>5.1.0</version>
<scope>test</scope>
</dependency>
</dependencies>
</project>
It seems that the artifact is in fact eventually published on Maven, despite the reported vulnerabilities, and it was simply a case of waiting.