Issue
If both a direct and a transitive dependency on the same artifact are present in pom.xml, which one will be used?
Below is a snippet from my pom.xml, in the same order:
```xml
<dependency>
    <groupId>com.browserstack</groupId>
    <artifactId>browserstack-local-java</artifactId>
    <version>1.0.6</version>
</dependency>
<!-- https://mvnrepository.com/artifact/junit/junit -->
<dependency>
    <groupId>junit</groupId>
    <artifactId>junit</artifactId>
    <version>4.13.1</version>
    <scope>test</scope>
</dependency>
```
browserstack-local-java has a transitive dependency on junit 4.11.
junit 4.11 has a direct vulnerability. If I scan this project for vulnerabilities,
which version of junit will be considered?
Will it be junit 4.11, which is transitive to browserstack-local-java,
or the later one, which is 4.13.1?
Thanks
Solution
This is described in Transitive Dependencies
Dependency mediation - this determines what version of an artifact will be chosen when multiple versions are encountered as dependencies. Maven picks the "nearest definition". That is, it uses the version of the closest dependency to your project in the tree of dependencies. You can always guarantee a version by declaring it explicitly in your project's POM. Note that if two dependency versions are at the same depth in the dependency tree, the first declaration wins. "nearest definition" means that the version used will be the closest one to your project in the tree of dependencies. Consider this tree of dependencies:
```
A
├── B
│   └── C
│       └── D 2.0
└── E
    └── D 1.0
```
In text, dependencies for A, B, and C are defined as A -> B -> C -> D 2.0 and A -> E -> D 1.0, then D 1.0 will be used when building A because the path from A to D through E is shorter. You could explicitly add a dependency to D 2.0 in A to force the use of D 2.0, as shown here:
```
A
├── B
│   └── C
│       └── D 2.0
├── E
│   └── D 1.0
│
└── D 2.0
```
Answered By - Lesiak
Answer Checked By - Pedro (JavaFixing Volunteer)
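The following is an added example, not code from the original question or answer: a small Python model of the "nearest definition" rule described above, run over constructed dependency graphs. It resolves the documentation's A/B/C/D/E tree (with and without D 2.0 forced from A), a same-depth tie where the first declaration wins, and the question's own pom.xml, and renders each graph in `mvn dependency:tree` style with losing versions marked as omitted. The `ex` group, the 1.0 versions of A, B, C and E, and the project coordinate `com.example:my-tests:1.0` are assumptions made for the example; the real check on the project itself is `mvn dependency:tree -Dincludes=junit:junit`, which shows the version Maven actually puts on the classpath.

```python
from collections import deque

# Constructed dependency graphs (hypothetical, not taken from the original post).
# Every coordinate is "groupId:artifactId:version"; the value is that node's
# list of direct dependencies in declaration order.

# The tree from the Maven documentation quoted in the answer; the "ex" group
# and the 1.0 versions of A, B, C and E are assumed.
DOC_TREE = {
    "ex:A:1.0": ["ex:B:1.0", "ex:E:1.0"],
    "ex:B:1.0": ["ex:C:1.0"],
    "ex:C:1.0": ["ex:D:2.0"],
    "ex:E:1.0": ["ex:D:1.0"],
}

# The same tree after A declares D 2.0 directly to force it.
DOC_TREE_FORCED = dict(DOC_TREE, **{"ex:A:1.0": ["ex:B:1.0", "ex:E:1.0", "ex:D:2.0"]})

# Two declarations of D at the same depth: the first declaration wins.
TIE_TREE = {
    "ex:A:1.0": ["ex:B:1.0", "ex:E:1.0"],
    "ex:B:1.0": ["ex:D:2.0"],
    "ex:E:1.0": ["ex:D:1.0"],
}

# The question's pom.xml; the project coordinate com.example:my-tests:1.0 is assumed.
POM_TREE = {
    "com.example:my-tests:1.0": [
        "com.browserstack:browserstack-local-java:1.0.6",
        "junit:junit:4.13.1",
    ],
    "com.browserstack:browserstack-local-java:1.0.6": ["junit:junit:4.11"],
}


def split_coord(coord):
    """'groupId:artifactId:version' -> ('groupId:artifactId', 'version')."""
    group, artifact, version = coord.split(":")
    return f"{group}:{artifact}", version


def mediate(root, graph):
    """Resolve versions with Maven's "nearest definition" rule.

    A breadth-first walk from the root visits shallower declarations before
    deeper ones and, within one depth, in declaration order, so the first
    version seen for a groupId:artifactId wins. A node that loses the conflict
    is not expanded: only the winner's transitive dependencies count.
    """
    chosen = {}
    queue = deque([root])
    while queue:
        coord = queue.popleft()
        key, version = split_coord(coord)
        if key in chosen:
            continue  # a nearer (or earlier, same-depth) declaration already won
        chosen[key] = version
        queue.extend(graph.get(coord, []))
    return chosen


def render(root, graph):
    """Render the tree in dependency:tree style, flagging losers as omitted."""
    chosen = mediate(root, graph)
    lines = []

    def walk(coord, prefix, is_last):
        key, version = split_coord(coord)
        winner = chosen[key]
        note = "" if winner == version else f"  (omitted for conflict with {winner})"
        if prefix is None:  # the root itself
            lines.append(coord)
            child_prefix = ""
        else:
            branch = "\\- " if is_last else "+- "
            lines.append(prefix + branch + coord + note)
            child_prefix = prefix + ("   " if is_last else "|  ")
        if winner != version:
            return  # omitted node: its subtree is not part of the resolved graph
        children = graph.get(coord, [])
        for i, child in enumerate(children):
            walk(child, child_prefix, i == len(children) - 1)

    walk(root, None, True)
    return lines


if __name__ == "__main__":
    for name, root, graph in [
        ("Maven docs tree", "ex:A:1.0", DOC_TREE),
        ("Maven docs tree, D 2.0 forced from A", "ex:A:1.0", DOC_TREE_FORCED),
        ("Same-depth tie", "ex:A:1.0", TIE_TREE),
        ("Question's pom.xml", "com.example:my-tests:1.0", POM_TREE),
    ]:
        print(f"== {name} ==")
        print("\n".join(render(root, graph)))
        print()
```

For the question's snippet this resolves junit:junit to 4.13.1: the direct declaration sits at depth 1, the copy pulled in through browserstack-local-java at depth 2, so the nearer one wins regardless of the order in which the two dependencies appear. Reordering the two direct dependencies in TIE_TREE flips the result, which is the "first declaration wins" clause of the rule.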