This is the best video on the subject that is out there. Video is missing some important tactics:
1. Using Maven enforcer
2. Using mvn dependency:tree -Dverbose with -Dincludes option
Thank you, sir. You are a life saver.
Love the way a simple Spring app takes ages to compile
xkcd.com/303
lol @otherdevopsgene
Thank you for such a detailed video on solving vulnerabilities in Java applications.
Before bumping the versions of jackson-databind and logback-core in section, we could see these dependencies were coming from some other sources. When we want to bump these versions, don't we exclude these dependencies from their earlier sources?
ThanX! This is very useful and I gave it a like, but... don't you think we would like to see commands you are typing rather than the content that covers them?
Could you put them in description?
Still the tricky thing to find is with the plugins. maven-compiler-plugin downloads many old plexus-utils jars which come under critical vulnerabilities. How to fix those such that the plugin takes the latest plexus-utils?
Thank you for sharing! Sometimes top level dependencies are downloading their transitive dependencies even if they are not used in your project. I wonder, is there any easy way to check if a transitive dependency is used for the project?
Look at the dependency:analyze goal for the Maven Dependency Plugin (maven.apache.org/plugins/maven-dependency-plugin/). It will group your dependencies into three categories: used and declared (as expected), used and undeclared (undeclared transitive), and unused and declared (declared but unused, so probably not transitive). I think used means loaded, not code within is executed, though. And the plugin isn't foolproof.
My suggestion would be to declare everything, including all transitive dependencies. Then, with a comprehensive set of unit tests (ay, there's the rub) declare dependency exclusions (maven.apache.org/guides/introduction/introduction-to-optional-and-excludes-dependencies.html) and see if your app still works. It isn't ideal.
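Putting the tactics from this thread together (the enforcer and `dependency:tree -Dverbose -Dincludes` suggestion, the question about bumping jackson-databind without excluding it everywhere, and the declare-then-exclude advice just above) as one pom.xml, added here as an example that is not from the video or any commenter; the enforcer plugin version is one I assume is available, and `PATCHED_JACKSON_VERSION` is a placeholder you replace with the release you pick:

```xml
<project>
  <properties>
    <!-- placeholder: set to the patched release you have chosen -->
    <jackson.version>PATCHED_JACKSON_VERSION</jackson.version>
  </properties>

  <!-- dependencyManagement pins the version on every path that pulls the
       artifact in, transitive ones included, so bumping it does not require
       an exclusion on each dependency that drags it along. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Enforcer fails the build if any path still resolves a version
           below the pin; bannedDependencies searches transitives by default. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>ban-vulnerable-jackson</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>com.fasterxml.jackson.core:jackson-databind:[,${jackson.version})</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
<!-- Check which paths were bringing it in, before and after the pin:
     mvn dependency:tree -Dverbose -Dincludes=com.fasterxml.jackson.core:jackson-databind -->
```

The enforcer rule only covers the project's dependency graph, not the plugin classpath, so plexus-utils pulled in by a build plugin still has to be checked separately.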
In this video you can find why we should use the dependency management tag, especially I got
Hi, how to resolve CVE-2016-1000027?
See github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626. "Doctor. Doctor. It hurts when I do this!" "Then don't do that."
Spring says "check that there are no HTTP Invoker endpoints exposed to untrusted clients. If there are none, then nothing further to do." But they aren't providing a fix in the library.