Issue
I have a maven project with some dependency written in pom file. For those Direct Dependencies we have lots of Transitive Dependency. The version of those Transitive dependency have some security issues. So is there any way that i can change the version of those Transitive Dependencies?
Solution
Solution 1) Just add a direct dependency on that transitive dependency using the newer version.
If project myProject 1.0 depends on A 1.2, and A 1.2 depends on B 2.3, then my project will have the following jars in its classpath: myproject 1.0, A 1.2 and B 2.3.
But if myProject 1.0 also depends on B 2.4, then my project will have the following jars in its classpath: myproject 1.0, A 1.2 and B 2.4. It won't have B 2.3 in the classpath because Maven detects that both B's use the same groupId and artifactId, so the one defined in the projects pom wins.
Try understand what goes on there, run mvn dependency:tree -Dverbose
.
Downsides of this approach: when you upgrade to A 1.3 which depends on B 2.5, you might end up running A 1.3 with B 2.4 (because you still override that) and get a NoSuchMethodError at runtime.
Solution 2) Use a platform bom that figures out a compatible set of dependency versions for you and release a new version of that bom for every and all CVE's. For example: the Quarkus or Spring Boot boms.
Downsides of this approach: the specific dependency that you need might not be in there, bringing you back to solution 1).
Answered By - Geoffrey De Smet
Answer Checked By - Candace Johnson (JavaFixing Volunteer)