launchdarkly/java-server-sdk

Add shaded libraries as dependencies to `-thin` jar

futuro opened this issue · 2 comments

Is your feature request related to a problem? Please describe.
org.yaml/snakeyaml keeps having CVEs found for it, which requires that we upgrade the shaded LD SDK even though we don't use the feature that needs snakeyaml, which is more work than we'd like.

We're switching to the thin jar, but it'd be nice not to have to explicitly add the internal dependencies to our project, and instead use exclusions to keep snakeyaml out.

Describe the solution you'd like
I'd like the thin jar to declare the internal libraries as dependencies, so I can explicitly exclude snakeyaml without having to explicitly include the other libraries/versions, which may change in the future.

Describe alternatives you've considered
Currently I've explicitly added the internal dependencies, as defined in the build.gradle file, to our project, but I suspect this will require more tricky coordination in the future when we need to upgrade the SDK again.

Additional context
This is spurred on by our internal security requirements around handling CVEs.

I understand the problem you're describing, and we have been considering dropping snakeyaml for that reason, but I'm not sure I understand the particular solution you're proposing.

What would be the mechanism for declaring dependencies for the thin jar? As I understand it (and I apologize if I'm missing something obvious; we haven't used multi-jar publications for any purpose other than this SDK, not counting the standard inclusion of source/javadoc jars), Maven does not have a concept of dependencies for a secondary artifact, i.e. one that has a classifier as opposed to being the default jar. The dependencies declared in pom.xml are, by definition, for the primary artifact (the default jar).

Hi @eli-darkly. Looks like we faced a similar issue.

The project uses Snyk to check dependencies for security vulnerabilities. Currently, we use com.launchdarkly:launchdarkly-java-server-sdk:6.0.5 which depends on the vulnerable snakeyaml:1.32. Neither Snyk nor sbt sees launchdarkly's dependencies. That's why Snyk can't notify us about the vulnerabilities of launchdarkly's dependencies.
Special thanks to AWS Inspector, which somehow found the vulnerable snakeyaml:1.32 in the Docker image.

I've compared launchdarkly's pom.xml in the local cache with the org.liquibase:liquibase-core:4.16.1 one, which also depends on snakeyaml. The issue probably appears because your package lacks the dependencies section:

    <dependencies>
    ...
        <dependency>
            <groupId>org.yaml</groupId>
            <artifactId>snakeyaml</artifactId>
            <version>1.31</version>
            <scope>compile</scope>
        </dependency>
    ...
    </dependencies>
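The thread above explains the gap in one sentence: a dependency-graph scanner (Snyk, sbt) reads the POM, and a shaded jar's POM declares nothing, so the bundled snakeyaml is invisible until something inspects the jar itself (as AWS Inspector did with the image). The following is an added example, not code from this thread or from LaunchDarkly: it parses a POM for declared dependencies, walks the jar's entries for a watched package (matching the path fragment anywhere, so a relocated copy is caught too), pulls the version from `META-INF/maven/<group>/<artifact>/pom.properties` when the shading tool kept it, and reports what the POM-based view would miss. The jars and POMs it runs on are constructed in memory; entry names, the hypothetical `com.example` coordinates, and the 1.32 version string are stand-ins taken from the discussion, not read from a real artifact.

```python
"""Find dependencies bundled ("shaded") inside a jar that its POM never declares.

Added example, not LaunchDarkly's code. All jars and POMs below are constructed
in memory; the com.example coordinates are hypothetical.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Coordinates an SCA tool would expect to see, mapped to the class-path fragment
# their classes live under. The fragment is matched anywhere in the entry name so
# a relocated copy (e.g. "com/example/shaded/org/yaml/snakeyaml/") is caught too.
WATCHED_PACKAGES = {
    "org.yaml:snakeyaml": "org/yaml/snakeyaml/",
}

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def declared_dependencies(pom_xml: str) -> List[str]:
    """Return 'groupId:artifactId:version' for each <dependency> the POM declares.

    A shaded jar whose POM has no <dependencies> section yields [], which is
    exactly the view a POM-driven scanner gets.
    """
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith("{") else ""  # tolerate un-namespaced POMs
    deps = []
    for dep in root.iter(f"{ns}dependency"):
        gid = dep.findtext(f"{ns}groupId", "")
        aid = dep.findtext(f"{ns}artifactId", "")
        ver = dep.findtext(f"{ns}version", "")
        deps.append(f"{gid}:{aid}:{ver}")
    return deps


def bundled_packages(jar_bytes: bytes) -> Dict[str, Optional[str]]:
    """Map each watched coordinate whose classes are inside the jar to its version.

    The version comes from META-INF/maven/<group>/<artifact>/pom.properties when
    the shading tool preserved it; otherwise None (classes present, version unknown).
    """
    found: Dict[str, Optional[str]] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        for coord, fragment in WATCHED_PACKAGES.items():
            if not any(fragment in n and n.endswith(".class") for n in names):
                continue
            group, artifact = coord.split(":")
            props_path = f"META-INF/maven/{group}/{artifact}/pom.properties"
            version = None
            if props_path in names:
                props = jar.read(props_path).decode()
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                version = m.group(1).strip() if m else None
            found[coord] = version
    return found


def hidden_dependencies(jar_bytes: bytes, pom_xml: str) -> Dict[str, Optional[str]]:
    """Bundled packages the POM does not declare: the ones a POM-based scanner misses."""
    declared = {d.rsplit(":", 1)[0] for d in declared_dependencies(pom_xml)}
    return {c: v for c, v in bundled_packages(jar_bytes).items() if c not in declared}


# --- constructed sample artifacts (entry names only, no real bytecode) -------

def make_sample_jar(shade_snakeyaml: bool, keep_pom_properties: bool = True,
                    relocated: bool = False) -> bytes:
    """Build an in-memory jar shaped like a shaded SDK jar."""
    prefix = "com/example/shaded/" if relocated else ""  # hypothetical relocation
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("com/launchdarkly/sdk/server/LDClient.class", b"")
        if shade_snakeyaml:
            z.writestr(prefix + "org/yaml/snakeyaml/Yaml.class", b"")
            if keep_pom_properties:
                z.writestr("META-INF/maven/org.yaml/snakeyaml/pom.properties",
                           "version=1.32\ngroupId=org.yaml\nartifactId=snakeyaml\n")
    return buf.getvalue()


# POM of a shaded artifact: no <dependencies> section at all.
SHADED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>sdk</artifactId><version>6.0.5</version>
</project>"""

# POM that declares snakeyaml, the shape a POM-driven scanner can act on.
DECLARING_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>tool</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>org.yaml</groupId><artifactId>snakeyaml</artifactId><version>1.32</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    print(hidden_dependencies(make_sample_jar(True), SHADED_POM))     # {'org.yaml:snakeyaml': '1.32'}
    print(hidden_dependencies(make_sample_jar(True), DECLARING_POM))  # {}
```

Run against a real artifact, `bundled_packages` would take the bytes of the jar from your local Maven/Gradle cache and `declared_dependencies` the POM next to it; a non-empty result from `hidden_dependencies` is the case the thread describes, and a `None` version means the shading step dropped `pom.properties`, so the version has to be established another way (class fingerprinting or the SDK's own build file).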