Issue
I'm trying to figure out if any of our spring-boot projects use spring-cloud, which has a recently discovered exploit.
I know spring-boot comes with spring-cloud as a dependency, but when I check the project in Eclipse for external dependencies, none of them show spring-cloud as a dependency. This is good, but why?
I also saw that many projects use a spring-boot component, spring-boot-autoconfigure, which has spring-cloud-spring-service-connector as a dependency. This also doesn't show as an external dependency, but again, why? It seems if it's listed in the component's Maven as a dependency, it should automatically become an external dependency.
Solution
spring-boot-autoconfigure mainly has optional dependencies, and those are never transitively and automatically included in projects that use spring-boot-autoconfigure. How optional dependencies work is explained in the Maven documentation.
If you want to use those you need to explicitly mention those in your project as well, which is why you won't see them if not explicitly mentioned.
Answered By - M. Deinum
Answer Checked By - Robin (JavaFixing Admin)
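The rule described in the answer, as an added example that is not part of the original post or of any Spring project: a small Python check that reads a library's POM and reports which of its declared dependencies a consuming project inherits transitively. It goes slightly beyond the answer by also applying Maven's scope rule (test, provided and system scopes are not passed on); the POM is constructed, and `classify` and every coordinate except the connector named in the question are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Scopes Maven does not pass on to projects that depend on the library.
NON_TRANSITIVE_SCOPES = {"test", "provided", "system"}

# Constructed POM for a hypothetical library; every coordinate except the
# spring-cloud connector named in the question is a placeholder.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.example</groupId><artifactId>core-lib</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-spring-service-connector</artifactId>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>test-lib</artifactId>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>"""

def classify(pom_xml):
    """Split a POM's direct dependencies into those a consumer inherits
    transitively and those it does not (with the reason)."""
    inherited, skipped = [], {}
    root = ET.fromstring(pom_xml)  # use defusedxml for untrusted POM files
    # Direct <dependencies> only; <dependencyManagement> is not matched.
    for dep in root.findall("m:dependencies/m:dependency", NS):
        coord = "{}:{}".format(dep.findtext("m:groupId", "", NS),
                               dep.findtext("m:artifactId", "", NS))
        optional = dep.findtext("m:optional", "false", NS).strip() == "true"
        scope = dep.findtext("m:scope", "compile", NS).strip()
        if optional:
            skipped[coord] = "optional"
        elif scope in NON_TRANSITIVE_SCOPES:
            skipped[coord] = "scope=" + scope
        else:
            inherited.append(coord)
    return inherited, skipped

if __name__ == "__main__":
    inherited, skipped = classify(SAMPLE_POM)
    print("inherited by consumers:", inherited)
    print("not inherited:", skipped)
```

This reads only what one POM declares; the resolved tree of the project itself, for example from `mvn dependency:tree -Dincludes=org.springframework.cloud`, remains the authoritative answer to whether the artifact is actually on the classpath.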