How to resolve issues in pom due to transitive dependencies
I am working on a task to remove issues identified by JFrog plug-in that identifies the entries in the POM by risk category - high, medium etc.
In my POM, I am getting the red squiggly lines for these entries and I am trying to figure out the cause of those as well as how to fix it.
Adding text for POM. The reason for adding image earlier was to show the red squigglies. They show up only for the 3 dependencies in the image
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.apache.avro</groupId>
<artifactId>avro</artifactId>
<version>1.9.1</version>
</dependency>
<dependency>
<groupId>org.jsonschema2pojo</groupId>
<artifactId>jsonschema2pojo-maven-plugin</artifactId>
<version>1.1.1</version>
</dependency>
Also, when I look at the JFrog output, I would like to cleanup even the non-critical issues, like those shown in yellow in the below screen-shot.
I have not found a way to identify what the fix is in these situations and then apply the fix. This is a brand new application that I am working on, but using a POM from an existing application as it is a big pom and i would need to implement most of the similar functionality, but for a new pom, would like to start as clean as possible
In the image below, the version that is showing up is for downpath version of another jar. Also, for the spring-boot-starter-web, in JFrog, it doesn't show any critical issues, but in the pom it has the red squigglys.
That is what I am wondering, how can I fix the downpath version dependencies.
To see more details about a vulnerable component, click on the yellow bulb and then "Show in dependency tree". The yellow bulb should appear when standing on the dependency or by clicking alt+enter.
Under "Component Issue Details", you can review the issues related to the selected component and to its transitive components. The issues in bold are directly related to your component. In the following example, upgrading org.jenkins-ci.plugins:jira to 3.0.11 will resolve a critical level issue:
To filter out non-critical issues remove all severities except "Critical" in the Severity filter:
Read more about scanning local projects in the JFrog IDEA plugin here.
- Kogito Custom Forms Not Loading (Quarkus, Maven, Html Bootstrap4)
- java.lang.NoClassDefFoundError: javax/el/ELManager
- How to set specific Java version to Maven?
- maven-site plugins 3.3 java.lang.ClassNotFoundException: org.apache.maven.doxia.siterenderer.DocumentContent
- How to import 2 different certificates with maven
- My Spring Boot app doesn't identify my entities
- Install custom jars azure devops maven artifact
- Using XJB with jaxb2-maven-plugin
- How to make Android Studio download dependencies sources and javadoc?
- Maven dependency module not found
- Unable to run 'sudo mvn' in WSL
- Error starting up Eureka Client with Spring Boot 2.4.1
- How to properly use Maven BOM-s?
- Is there a best practice to ensure that Maven dependencies use the correct repository?
- GetMapping to Method in Spring Boot Isn't Working
- WebDriverManager The import io.github cannot be resolved
- Annotations not generated in Eclipse IDE
- "No Main Manifest Attribute" in ----.jar Netbeans
- Compile and execute a JDK preview feature with Maven
- The download sources feature does not work in certain intellij versions
- Can't set context path to / at running web application from Dockerfile
- Servlets problem with accessing subpages HTTP 404 Tomcat 10.1 java 11
- Maven Error : Maven Project Configuration for Module isn't available
- Error: Could not find or load main class com.javacourse.springBootDemo.SpringBootDemoApplication
- SpringBoot: Unable to find a single main class from the following candidates
- How do I only build the jar-WITHOUT-dependencies in Maven?
- Compatibility of Jar compiled with newer JDK
- use maven shade plugin like assembly plugin
- How do you stop maven from trying to access http://repo.maven.apache.org?
- Is there a way to override the resources section with a profile in maven?