2

Why would Sonatype IQ scan report show (in IntelliJ-IDEA) a Guava vulnerability when mvn dependency:tree does not show Guava at all?

Here is my Sonatype scan result, with a Level-7 Critical vulnerability in all versions of Guava.

[Screenshot: Sonatype IQ scan result listing the Guava vulnerability]

So, if mvn dependency:tree -Dverbose shows absolutely no mention of Guava, how is it that the Sonatype scan complains about it?

Also, I tried using the JDK jdeps tool and it also doesn't show a Guava dependency. jdeps eb-mu-cbos-eeoi-api-1.0.14-SNAPSHOT.jar .

Is there a way, or another tool, that would allow me to dig even deeper to discover where the Guava dependency reference is coming from?

6
  • This is probably not going to be of any help, but: At some point, I picked up the habit of running dependency:tree -Dverbose with the -X flag (I don't remember why) and as part of the same command as install (which I was told helps with multi-module projects, though maybe there are other ways?). I don't suppose that that spits out anything about Guava? Commented May 13, 2021 at 14:27
  • 2
    Make sure IntelliJ and your command line mvn are the same version. Also, if you can run Sonatype IQ from the command line without IntelliJ that would be good info too. Removing the IDE from the mix with these types of issues often simplifies troubleshooting. Commented May 13, 2021 at 14:35
  • 2
    Aha - what do you get if you use -X instead of verbose? Per the tree-mojo docs, the verbose parameter "actually uses Maven 2 algorithm and may give wrong results when used with Maven 3". (Yikes!) Commented May 13, 2021 at 14:38
  • @user944849, nice, thanks. It looks like I had seen that before on Stack Overflow but completely forgotten. Some possible good news: verbose may be a no-op under Maven 3, at least until 3.1.3 is released with a new, Maven-3-correct implementation. Commented May 13, 2021 at 15:52
  • 1
    Sorry, new comment for 3 more thoughts. First, you might try not only matching the mvn version to IntelliJ but also picking the newest version -- and not only the newest version of mvn but also the newest version of the dependency plugin. Currently: mvn install org.apache.maven.plugins:maven-dependency-plugin:3.1.2:tree -X. Second, you might try running mvn -X compile and looking at the -classpath argument it passes. Finally, I wonder if Sonatype IQ could be looking at other kinds of "dependencies," like annotation processors or plugins, that dependency:tree might ignore? Commented May 13, 2021 at 16:04

1 Answer

2

Using -X instead of --verbose reveals Guava but still does not show the parent module that the library comes from. Instead it just shows Guava at the root of the classpath.

So, the solution to my issue was to use the Intellij-IDEA project settings, and in the "Libraries" section when I try to delete Guava it tells me which module/library had included it.

Thanks for all your comments on my original question. They led me to the answer.
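The comments suggest inspecting the -classpath that mvn -X compile prints, and the answer confirms Guava is sitting on the classpath even though no POM declares it. The script below is an added example (not code from the question author, Sonatype, or Maven) that automates that inspection: it walks every jar on a classpath string and reports which jars actually carry Guava's com/google/common classes, reading the bundled META-INF/maven/com.google.guava/guava/pom.properties for a version when one is present. It assumes the usual explanation for this symptom, namely a dependency that shades or bundles Guava classes into its own jar, which a content-fingerprinting scanner flags even though dependency:tree never lists Guava. The sample jars it builds are constructed in a temp directory so it runs offline; the version string "20.0" in the sample is a constructed value, not taken from the page. To use it on a real project, feed find_guava_carriers() the classpath printed by mvn -X compile or by mvn dependency:build-classpath.

```python
"""Locate the jar(s) on a Maven classpath that actually contain Guava classes.

Added example: scanning jar contents rather than the POM tree, which is how a
bundled/shaded Guava copy shows up in Sonatype IQ but not in dependency:tree.
"""
import os
import tempfile
import zipfile

# Package prefix of Guava classes inside a jar (zip entry names use '/').
GUAVA_PACKAGE = "com/google/common/"
# Where Maven-built jars record their own coordinates; a shaded copy often
# keeps Guava's original properties file, which gives us the version.
GUAVA_POM_PROPS = "META-INF/maven/com.google.guava/guava/pom.properties"


def inspect_jar(jar_path):
    """Return (contains_guava_classes, version_or_None) for a single jar."""
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
        has_classes = any(
            n.startswith(GUAVA_PACKAGE) and n.endswith(".class") for n in names
        )
        version = None
        if GUAVA_POM_PROPS in names:
            props = zf.read(GUAVA_POM_PROPS).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return has_classes, version


def find_guava_carriers(classpath, sep=os.pathsep):
    """Scan every jar entry on a classpath string.

    Returns {jar_path: version}; version falls back to a marker when the jar
    bundles Guava classes but carries no Guava pom.properties.
    """
    carriers = {}
    for entry in classpath.split(sep):
        # Directories such as target/classes are skipped; only jars are scanned.
        if not entry.endswith(".jar") or not os.path.isfile(entry):
            continue
        has_classes, version = inspect_jar(entry)
        if has_classes:
            carriers[entry] = version or "bundled (no guava pom.properties)"
    return carriers


def build_sample_classpath(tmpdir):
    """Constructed sample: a clean jar plus a 'fat' jar that bundles Guava."""
    clean = os.path.join(tmpdir, "clean-lib-1.0.jar")
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("org/example/clean/Foo.class", b"\xca\xfe\xba\xbe")
    bundled = os.path.join(tmpdir, "fat-lib-2.3.jar")
    with zipfile.ZipFile(bundled, "w") as zf:
        zf.writestr("org/example/fat/Bar.class", b"\xca\xfe\xba\xbe")
        # Shaded Guava class plus its original Maven properties (constructed).
        zf.writestr("com/google/common/base/Preconditions.class", b"\xca\xfe\xba\xbe")
        zf.writestr(
            GUAVA_POM_PROPS,
            "version=20.0\ngroupId=com.google.guava\nartifactId=guava\n",
        )
    return os.pathsep.join([clean, bundled])


def demo():
    """Run the scan over the constructed sample; results keyed by jar file name."""
    with tempfile.TemporaryDirectory() as d:
        found = find_guava_carriers(build_sample_classpath(d))
        return {os.path.basename(jar): ver for jar, ver in found.items()}


if __name__ == "__main__":
    for jar, ver in demo().items():
        print(f"{jar}: contains Guava {ver}")
```

The same approach generalizes to any component a scanner reports but the POM does not declare: change GUAVA_PACKAGE and GUAVA_POM_PROPS to the package and Maven coordinates of the flagged library. Once the carrying jar is known, the fix is in that dependency (exclude it, upgrade it, or ask its maintainers to stop bundling), since the vulnerable classes are loaded regardless of what dependency:tree prints.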
