
Maven - Frogbot updates non-vulnerable direct packages that were found as vulnerable indirect dependencies

Open omerzi opened this issue 2 years ago • 0 comments

Describe the bug

In Maven, when Frogbot identifies an indirectly included package with a vulnerable version, which is also defined with a non-vulnerable version in the direct package dependencies, it tries to update the direct package to resolve the vulnerability.

Current behavior

As described

Reproduction steps

Define com.fasterxml.woodstox:woodstox-core:jar:6.4.0 as a direct dependency. Define com.azure:azure-storage-blob:jar:12.19.0 as a direct dependency that brings com.fasterxml.woodstox:woodstox-core:jar:6.2.7 as a vulnerable indirect dependency.

Expected behavior

Frogbot shouldn't attempt to fix the direct dependency.

JFrog Frogbot version

2.11.0

Package manager info

Maven

Git provider

GitHub

JFrog Frogbot configuration yaml file

No response

Operating system type and version

Any

JFrog Xray version

No response

omerzi avatar Jul 27 '23 07:07 omerzi
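The reproduction above, written out as a minimal pom.xml. This is an added example and not code from the issue author or from the Frogbot project; it uses the coordinates the issue gives and assumes an otherwise standard Maven project. The point it makes is that Maven's dependency mediation is "nearest wins": the direct declaration of woodstox-core at depth 1 takes precedence over the 6.2.7 copy that azure-storage-blob pulls in at depth 2, so the version actually on the classpath is the non-vulnerable 6.4.0, and a fix PR against the direct dependency is unnecessary.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Hypothetical project coordinates; any values work for the reproduction. -->
  <groupId>com.example</groupId>
  <artifactId>frogbot-nearest-wins-repro</artifactId>
  <version>1.0.0</version>

  <dependencies>
    <!-- Direct (depth 1) declaration of the non-vulnerable version.
         Under Maven's nearest-wins mediation this is the version that is
         resolved for the whole build, regardless of what transitives request. -->
    <dependency>
      <groupId>com.fasterxml.woodstox</groupId>
      <artifactId>woodstox-core</artifactId>
      <version>6.4.0</version>
    </dependency>

    <!-- Direct dependency that, per the issue, transitively requests
         woodstox-core 6.2.7 (depth 2). That request loses the conflict
         and 6.2.7 never reaches the classpath. -->
    <dependency>
      <groupId>com.azure</groupId>
      <artifactId>azure-storage-blob</artifactId>
      <version>12.19.0</version>
    </dependency>
  </dependencies>
</project>
```

To confirm what Maven actually resolves before trusting (or filing) a fix suggestion, run `mvn dependency:tree -Dverbose` in the project directory: the verbose tree lists woodstox-core 6.4.0 as the resolved node and shows the transitive 6.2.7 as omitted for conflict with 6.4.0. A scanner that proposes an upgrade should key off the resolved version in that tree, not off every version string that appears in the transitive graph.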