mangstadt / ez-vcard

A vCard parser library for Java

snyk.io detects vulnerability with this library #86

Closed pardeep632 closed 6 years ago

pardeep632 commented 6 years ago

I am using snyk.io to detect vulnerabilities in my Android project's dependencies. I am using ez-vcard to read/write vCard files. But snyk.io says this dependency has vulnerabilities.

mangstadt commented 6 years ago

A little more information would have been nice.

The vulnerabilities that I see all have to do with one of ez-vcard's dependencies--Jackson. ez-vcard uses Jackson to read/write jCards. If you don't use jCards (JSON-encoded vCards) then you don't have to worry about these warnings.

pardeep632 commented 6 years ago

In my Android build.gradle file I added the dependency like below. As you can see, I am excluding the optional dependencies. But still, when I raise a pull request to my project, the Snyk integration runs and fails, saying there are vulnerable dependencies.

When I check my project's external libraries, I see that ez-vcard is included and none of jsoup, Jackson or FreeMarker are accessible. So that means the excluded libraries are excluded properly. The Snyk report is mandatory for me to pass. So I am not sure what could be the issue?

```groovy
// Pull in ez-vcard but exclude its optional transitive dependencies
// (Jackson, for example, is only needed for jCard / JSON-encoded vCards)
implementation "com.googlecode.ez-vcard:ez-vcard:0.10.4", {
    exclude group: 'org.jsoup', module: 'jsoup'
    exclude group: 'com.fasterxml.jackson.core', module: 'jackson-core'
    exclude group: 'org.freemarker', module: 'freemarker'
}
```

mangstadt commented 6 years ago

The snyk integration may not be smart enough to detect the excluded libraries.
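One way to settle whether the exclusions in the build.gradle above actually hold, as an added check that is not part of this thread or of the ez-vcard project: parse the resolved tree printed by `./gradlew :app:dependencies --configuration releaseRuntimeClasspath` and report which excluded coordinates still resolve. The two trees below are constructed samples (module versions are illustrative), and `com.example:other-lib` is a hypothetical second dependency that re-introduces jackson-core.

```python
import re

# Constructed sample output of `./gradlew :app:dependencies --configuration releaseRuntimeClasspath`.
# Tree 1: the exclusions worked; only ez-vcard and its remaining transitive dependency are present.
SAMPLE_CLEAN = """\
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- com.googlecode.ez-vcard:ez-vcard:0.10.4
|    \\--- com.github.mangstadt:vinnie:2.0.1
\\--- androidx.core:core:1.1.0 (*)
"""

# Tree 2: a hypothetical other dependency pulls jackson-core back in, with Gradle resolving a
# version conflict ("declared -> resolved"). The per-dependency exclude on ez-vcard cannot stop this.
SAMPLE_LEAK = """\
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- com.googlecode.ez-vcard:ez-vcard:0.10.4
|    \\--- com.github.mangstadt:vinnie:2.0.1
\\--- com.example:other-lib:1.0
     \\--- com.fasterxml.jackson.core:jackson-core:2.9.0 -> 2.9.6
"""

# One tree line: optional drawing characters, then group:module[:declared][ -> resolved].
COORD_RE = re.compile(
    r"^[\s|+\\-]*"
    r"(?P<group>[\w.\-]+):(?P<module>[\w.\-]+)"
    r"(?::(?P<declared>[\w.\-]+))?"
    r"(?:\s*->\s*(?P<resolved>[\w.\-]+))?"
)

# The modules excluded in the build.gradle from this thread.
EXCLUDED = ["org.jsoup:jsoup", "com.fasterxml.jackson.core:jackson-core", "org.freemarker:freemarker"]


def resolved_modules(tree_text):
    """Map 'group:module' -> version for every coordinate in a Gradle dependency tree,
    preferring the resolved version when Gradle reports a conflict ('1.0 -> 1.2')."""
    found = {}
    for line in tree_text.splitlines():
        m = COORD_RE.match(line)
        if m:
            found[f"{m['group']}:{m['module']}"] = m["resolved"] or m["declared"]
    return found


def excluded_still_present(tree_text, excluded=EXCLUDED):
    """Return the excluded coordinates that still resolve on the classpath, with their versions."""
    present = resolved_modules(tree_text)
    return {coord: present[coord] for coord in excluded if coord in present}


if __name__ == "__main__":
    print("clean tree:", excluded_still_present(SAMPLE_CLEAN))  # {}
    print("leaky tree:", excluded_still_present(SAMPLE_LEAK))   # jackson-core 2.9.6 survives
```

An empty result on the real classpath is consistent with mangstadt's explanation that the scanner is not seeing the exclusions; a non-empty one means another dependency re-introduces the module and the exclude needs to be applied to it as well.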