Issue
I have a Maven project setup with Tycho. Is there a way of finding out where a transitive dependency is coming from? (e.g., by showing a dependency tree)
Background
I am trying to address vulnerabilities that were found in some of our dependencies by running
mvn org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7
Most of the dependencies that show up are actually transitive dependencies, so they are actually not directly present in our project. To find out where they are coming from, I tried running mvn dependency:tree
, but due to the way Tycho works, all dependencies that Tycho fetches show up as direct dependencies, so I've no idea where they're coming from.
Is there a way of finding out where a transative dependency is coming from? E.g., a Tycho-way of running mvn dependency:tree
?
Solution
In Tycho 3.0.0, a new mojo, tycho-p2-plugin:dependency-tree
has been added. It has been announced here: https://github.com/eclipse-tycho/tycho/blob/master/RELEASE_NOTES.md#new-tycho-p2-plugindependency-tree-mojo
Answered By - lorenzo-bettini
Answer Checked By - Terry (JavaFixing Volunteer)