GoogleContainerTools / jib

🏗 Build container images for your Java applications.
Apache License 2.0

Dependencies are added twice with different versions when I try to update a dependency version #3966

Open cagdasoezguer opened 1 year ago

cagdasoezguer commented 1 year ago

Environment:

Description of the issue: When I update a dependency (for example due to a security vulnerability), Jib adds both the old and the new version of the same dependency to the container. This also causes the container-scanner stage in my pipeline to fail, since the old vulnerable dependency is still in the container.

Expected behavior: Only the new version of the dependency should be in the container.

emmileaf commented 1 year ago

How are you setting up these dependencies to be added, and is there a specific dependency/versions this is happening for? (If you could include any reproducer steps or snippets in this issue, that would also be really helpful.)

JotBePunkt commented 1 year ago

I stumbled across the same issue; an example would be:

build.gradle.kts

plugins {
    java
    id("com.google.cloud.tools.jib")
}

dependencies {
    implementation(platform("org.springframework.boot:spring-boot-dependencies:2.7.12"))

    implementation("org.springframework.security:spring-security-oauth2-client") // has net.minidev:json-smart:2.4.8 as transitive dependency which has a vulnerability

    constraints {
        implementation("net.minidev:json-smart:2.4.10") {
            because("CVE-2023-34455")
        }
    }
}

output from gradle dependencies:

...
|    +--- org.springframework.security:spring-security-oauth2-client -> 5.7.8
|    |    +--- org.springframework.security:spring-security-core:5.7.8 (*)
|    |    +--- org.springframework.security:spring-security-oauth2-core:5.7.8
|    |    |    +--- org.springframework.security:spring-security-core:5.7.8 (*)
|    |    |    +--- org.springframework:spring-core:5.3.27 (*)
|    |    |    \--- org.springframework:spring-web:5.3.27 (*)
|    |    +--- org.springframework.security:spring-security-web:5.7.8 (*)
|    |    +--- org.springframework:spring-core:5.3.27 (*)
|    |    \--- com.nimbusds:oauth2-oidc-sdk:9.35
|    |         +--- com.github.stephenc.jcip:jcip-annotations:1.0-1
|    |         +--- com.nimbusds:content-type:2.2
|    |         +--- net.minidev:json-smart:[1.3.3,2.4.8] -> 2.4.10 (*)
|    |         +--- com.nimbusds:lang-tag:1.6
|    |         \--- com.nimbusds:nimbus-jose-jwt:9.22
...

Still, Jib copies both versions to the image (screenshot from Docker Desktop).
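As an added check (not part of this thread or of Jib itself): a small script that flags artifacts present in more than one version among the jar names in the image's dependency directory, which is exactly what the reporter's container scanner tripped over. It assumes Jib's default dependency path /app/libs; the jar names below are constructed to mirror the dependency tree above with json-smart duplicated.

```python
import re
import sys
from collections import defaultdict

# Maven-style jar names look like <artifactId>-<version>[-<classifier>].jar;
# the version begins at the first "-" that is followed by a digit.
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def parse_jar_name(name: str):
    """Return (artifactId, version) for a jar file name, or None if it is not a jar."""
    m = JAR_NAME.match(name)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def find_duplicate_versions(jar_paths):
    """Map artifactId -> versions (lexically sorted) for artifacts shipped more than once."""
    versions = defaultdict(set)
    for path in jar_paths:
        parsed = parse_jar_name(path.rsplit("/", 1)[-1])  # accept bare names or full paths
        if parsed:
            artifact, version = parsed
            versions[artifact].add(version)
    return {a: sorted(v) for a, v in versions.items() if len(v) > 1}


# Constructed sample of what `ls /app/libs` (assumed Jib default) might list when the
# problem from this issue occurs: the old and the new json-smart are both present.
SAMPLE_LIBS = [
    "spring-security-oauth2-client-5.7.8.jar",
    "oauth2-oidc-sdk-9.35.jar",
    "jcip-annotations-1.0-1.jar",
    "content-type-2.2.jar",
    "json-smart-2.4.8.jar",
    "json-smart-2.4.10.jar",
    "lang-tag-1.6.jar",
    "nimbus-jose-jwt-9.22.jar",
]

if __name__ == "__main__":
    # Pass real paths as arguments (e.g. from `docker run --rm IMAGE ls /app/libs`), else use the sample.
    dupes = find_duplicate_versions(sys.argv[1:] or SAMPLE_LIBS)
    for artifact, found in dupes.items():
        print(f"{artifact}: {', '.join(found)}")
    sys.exit(1 if dupes else 0)  # non-zero exit lets a pipeline stage fail on duplicates
```

Note that versions are compared as strings only for grouping; the script reports duplicates, it does not decide which one is the vulnerable one.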

mpeddada1 commented 8 months ago

Thanks for filing this issue! Definitely curious about the build.gradle setup that results in duplicated dependencies being added. However, in the meantime, I think the Jib Layer Filter Extension can be a really helpful workaround in achieving more fine-grained control over the files added by Jib.

mpeddada1 commented 1 month ago

After taking a second look at this, categorizing as an enhancement. Jib provides the layer filter extension for the purpose of allowing folks to filter out jar files from being included in the container or customizing the layers in the container if Jib's default layering doesn't fit your needs.