Add shaded libraries as dependencies to `-thin` jar
futuro opened this issue · 2 comments
Is your feature request related to a problem? Please describe.
`org.yaml/snakeyaml` keeps having CVEs found for it, which requires that we upgrade the shaded LD SDK even though we don't use the feature that needs `snakeyaml`, which is more work than we'd like.
We're switching to the thin jar, but it'd be nice not to have to explicitly add the internal dependencies to our project, and instead use exclusions to keep `snakeyaml` out.
Describe the solution you'd like
I'd like the thin jar to declare the internal libraries as dependencies, so I can explicitly exclude `snakeyaml` without having to explicitly include the other libraries/versions, which may change in the future.
Describe alternatives you've considered
Currently I've explicitly added the internal dependencies, as defined in the build.gradle file, to our project, but I suspect this will require more tricky coordination in the future when we need to upgrade the SDK again.
Additional context
This is spurred on by our internal security requirements around handling CVEs.
I understand the problem you're describing, and we have been considering dropping snakeyaml for that reason— but, I'm not sure I understand the particular solution you're proposing.
What would be the mechanism for declaring dependencies for the thin jar? As I understand it (and I apologize if I'm missing something obvious; we haven't used multi-jar publications for any purpose other than this SDK, not counting the standard inclusion of source/javadoc jars), Maven does not have a concept of dependencies for a secondary artifact, i.e. one that has a classifier as opposed to being the default jar. The dependencies declared in `pom.xml` are, by definition, for the primary artifact (the default jar).
Hi @eli-darkly. Looks like we faced a similar issue.
The project uses Snyk to check dependencies for security vulnerabilities. Currently, we use `com.launchdarkly:launchdarkly-java-server-sdk:6.0.5`, which depends on the vulnerable `snakeyaml:1.32`. Neither Snyk nor sbt sees launchdarkly's dependencies. That's why Snyk can't notify us about the vulnerabilities of launchdarkly's dependencies.
Special thanks to the AWS Inspector, which somehow found the vulnerable `snakeyaml:1.32` in the Docker image.
I've compared launchdarkly's `pom.xml` in the local cache with the `org.liquibase:liquibase-core:4.16.1` one, which also depends on `snakeyaml`. Probably, the issue appears because your package lacks the `dependencies` section:
```xml
<dependencies>
  ...
  <dependency>
    <groupId>org.yaml</groupId>
    <artifactId>snakeyaml</artifactId>
    <version>1.31</version>
    <scope>compile</scope>
  </dependency>
  ...
</dependencies>
```
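The point raised in this comment (a POM with no `dependencies` section gives scanners nothing to look at, so a transitive `snakeyaml` is invisible) can be checked directly against the POMs in a local Maven cache. The following is an added example, not code from this thread or from LaunchDarkly; the two POMs it parses are constructed samples, and the watched coordinate defaults to `org.yaml:snakeyaml` as discussed above.

```python
import xml.etree.ElementTree as ET

# Constructed sample POMs (not real LaunchDarkly or Liquibase metadata).
# The first resembles a shaded artifact: no <dependencies> at all.
POM_NO_DEPS = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>shaded-sdk</artifactId><version>6.0.5</version>
</project>"""

# The second declares its snakeyaml dependency, so a scanner can see it.
POM_WITH_DEPS = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>plain-lib</artifactId><version>4.16.1</version>
  <dependencies>
    <dependency>
      <groupId>org.yaml</groupId><artifactId>snakeyaml</artifactId>
      <version>1.31</version><scope>compile</scope>
    </dependency>
  </dependencies>
</project>"""


def _strip_namespace(root):
    # Maven POMs may or may not carry the POM XML namespace; normalise tags.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]


def declared_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for every <dependency> declared in the POM."""
    root = ET.fromstring(pom_xml)
    _strip_namespace(root)
    deps = []
    for dep in root.findall("dependencies/dependency"):
        fields = [dep.findtext(tag) for tag in ("groupId", "artifactId", "version")]
        deps.append(tuple(f.strip() if f else None for f in fields))
    return deps


def audit_pom(pom_xml, watched=("org.yaml", "snakeyaml")):
    """Classify a POM for dependency scanners.

    'opaque'   - declares no dependencies at all (typical of a shaded jar);
                 a scanner reading this POM cannot see bundled transitive libraries.
    'watched'  - declares the watched artifact, returned so its version can be reviewed.
    'declared' - declares dependencies, none of which is the watched artifact.
    """
    deps = declared_dependencies(pom_xml)
    if not deps:
        return "opaque", []
    hits = [d for d in deps if (d[0], d[1]) == watched]
    return ("watched" if hits else "declared"), hits
```

Pointing `audit_pom` at the `.pom` files under `~/.m2/repository` flags exactly the "opaque" artifacts whose bundled libraries Snyk or sbt cannot report on.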