dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Maven: support transitive dependency updates #7038

Open msk666666 opened 1 year ago

msk666666 commented 1 year ago

Why can't vulnerabilities in subcomponents referenced by Maven components be detected by the vulnerability scan?

jakecoffman commented 1 year ago

Can you give an example pom.xml showing the problem?

msk666666 commented 1 year ago

Can you give an example pom.xml showing the problem?

For example, my pom file explicitly references this component, spring-boot-starter-data-redis. The subcomponents of this component include the lettuce-core component, and the lettuce-core component cannot be monitored by dependabot.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>

These are subcomponents of the spring-boot-starter-data-redis component, which includes lettuce-core.

<?xml version="1.0" encoding="UTF-8"?>
<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starters</artifactId>
    <version>2.0.0.RELEASE</version>
  </parent>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-data-redis</artifactId>
  <version>2.0.0.RELEASE</version>
  <name>Spring Boot Data Redis Starter</name>
  <description>Starter for using Redis key-value data store with Spring Data Redis and
        the Lettuce client</description>
  <url>https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-data-redis</url>
  <organization>
    <name>Pivotal Software, Inc.</name>
    <url>https://spring.io</url>
  </organization>
  <licenses>
    <license>
      <name>Apache License, Version 2.0</name>
      <url>http://www.apache.org/licenses/LICENSE-2.0</url>
    </license>
  </licenses>
  <developers>
    <developer>
      <name>Pivotal</name>
      <email>info@pivotal.io</email>
      <organization>Pivotal Software, Inc.</organization>
      <organizationUrl>http://www.spring.io</organizationUrl>
    </developer>
  </developers>
  <scm>
    <connection>scm:git:git://github.com/spring-projects/spring-boot.git/spring-boot-starters/spring-boot-starter-data-redis</connection>
    <developerConnection>scm:git:ssh://git@github.com/spring-projects/spring-boot.git/spring-boot-starters/spring-boot-starter-data-redis</developerConnection>
    <url>http://github.com/spring-projects/spring-boot/spring-boot-starters/spring-boot-starter-data-redis</url>
  </scm>
  <issueManagement>
    <system>Github</system>
    <url>https://github.com/spring-projects/spring-boot/issues</url>
  </issueManagement>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
      <version>2.0.0.RELEASE</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>org.springframework.data</groupId>
      <artifactId>spring-data-redis</artifactId>
      <version>2.0.5.RELEASE</version>
      <scope>compile</scope>
      <exclusions>
        <exclusion>
          <artifactId>jcl-over-slf4j</artifactId>
          <groupId>org.slf4j</groupId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>io.lettuce</groupId>
      <artifactId>lettuce-core</artifactId>
      <version>5.0.2.RELEASE</version>
      <scope>compile</scope>
    </dependency>
  </dependencies>
</project>

My problem is that dependabot can only fix the version of the spring-boot-starter-data-redis component, not the version of the lettuce-core component.
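One way to bring a transitive dependency such as lettuce-core under direct control, shown here as an added example that is not part of this issue or of the Dependabot code base: declare its version in the consuming project's own pom.xml under dependencyManagement, so the pin sits in a file the updater parses rather than only inside the starter's pom. The io.lettuce:lettuce-core coordinates and the 5.0.2.RELEASE version come from the starter pom above; the project coordinates, the spring-boot-starter-parent parent and any newer version you would pin are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: the consuming project's pom.xml, not the starter's. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Assumed parent: Spring Boot's starter parent manages starter versions. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.0.RELEASE</version>
  </parent>

  <!-- Assumed project coordinates. -->
  <groupId>com.example</groupId>
  <artifactId>redis-app</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- Pin the transitive Redis client explicitly. A child's
           dependencyManagement entry overrides the version inherited from
           the parent, so this version wins over the one the starter pulls
           in, and it is now a declaration in your own pom that an updater
           can bump and a reviewer can diff. -->
      <dependency>
        <groupId>io.lettuce</groupId>
        <artifactId>lettuce-core</artifactId>
        <version>5.0.2.RELEASE</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The direct dependency from the issue; its version is managed by the parent. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-data-redis</artifactId>
    </dependency>
  </dependencies>
</project>
```

Verify which version actually resolves with `mvn dependency:tree -Dincludes=io.lettuce`; if the starter's own version still appears, the override is not taking effect and the pin is not protecting you.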

yeikel commented 1 year ago

This is an interesting project to at least get dependabot alerts

https://github.com/advanced-security/maven-dependency-submission-action

joevin-slq-docto commented 10 months ago

@jakecoffman : Even with maven-dependency-submission-action set up, Dependabot doesn't suggest updates on sub-dependencies or detect CVEs affecting sub-dependencies. Is that supposed to work, or is it a pending feature?

yeikel commented 6 months ago

I don't think that Dependabot should do this at all