Closed guizmaii closed 1 year ago
It's a transitive dependency of scaladoc for Scala 3. scaladoc:3.1.2 depends on jackson-dataformat-yaml:2.12.1, which depends on jackson-databind:2.12.1.
sbt-dependency-submission exports all your dependencies: your Compile and Test dependencies, but also your ScalaTools dependencies, i.e. the Scala instance that sbt needs to compile your code and generate the documentation. Those ScalaTools dependencies are declared as development dependencies by sbt-dependency-submission, but that does not show up in the GitHub Dependency View nor in the Dependabot report. They do not show the parent node(s) of the vulnerable dependency either. So it makes it hard to understand where those dependencies come from and how to fix the vulnerability.
I am closing this issue because there already is a similar discussion in https://github.com/scalacenter/sbt-dependency-submission/issues/49.
For those who want to filter out those ScalaTools dependencies: I am thinking of adding a configuration-ignore input, but I did not have the time to look into it yet.
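The comment above explains why a Dependabot alert can point at a version the project never pinned: the vulnerable artifact is reachable only through the development-scoped ScalaTools chain, and the report shows neither that scope nor the parent path. The following added example (not code from sbt-dependency-submission or from this thread) walks a dependency snapshot to answer both questions. It assumes the structure of the GitHub dependency snapshot format (`manifests` -> `resolved` -> entries with `package_url`, `relationship`, `scope`, `dependencies`); the sample snapshot is constructed here, with versions mirroring the chain described in the issue, and the `scaladoc_3` artifact name is an assumption.

```python
"""Explain where a flagged artifact comes from in a dependency snapshot.

find_paths()  returns every root-to-artifact chain, so the parent nodes that
              the Dependabot report omits become visible.
drop_scope()  simulates a "configuration-ignore" input by removing every
              package only reachable through roots of a given scope.
"""

# Constructed sample modelled on the GitHub dependency snapshot format.
# Versions follow the issue text; the artifact names and layout are assumptions.
SNAPSHOT = {
    "manifests": {
        "build.sbt": {
            "resolved": {
                "pkg:maven/org.scala-lang/scaladoc_3@3.1.2": {
                    "relationship": "direct",
                    "scope": "development",
                    "dependencies": [
                        "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.12.1"
                    ],
                },
                "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.12.1": {
                    "relationship": "indirect",
                    "scope": "development",
                    "dependencies": ["pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.1"],
                },
                "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.1": {
                    "relationship": "indirect",
                    "scope": "development",
                    "dependencies": [],
                },
                # The version the project itself pins in build.sbt (runtime scope).
                "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2": {
                    "relationship": "direct",
                    "scope": "runtime",
                    "dependencies": [],
                },
            }
        }
    }
}


def purl_name(purl: str) -> str:
    """'pkg:maven/group/name@ver' -> 'name'."""
    return purl.rsplit("/", 1)[1].split("@", 1)[0]


def purl_version(purl: str) -> str:
    return purl.split("@", 1)[1] if "@" in purl else ""


def find_paths(resolved: dict, artifact: str) -> list:
    """All chains from a direct dependency down to any version of `artifact`."""
    found = []

    def walk(purl, path):
        if purl in path:  # cycle guard for malformed snapshots
            return
        path = path + [purl]
        if purl_name(purl) == artifact:
            found.append(path)
            return
        for dep in resolved.get(purl, {}).get("dependencies", []):
            walk(dep, path)

    for purl, node in resolved.items():
        if node.get("relationship") == "direct":
            walk(purl, [])
    return found


def report(snapshot: dict, artifact: str) -> list:
    """One record per chain: manifest, scope of the root, version reached, readable path."""
    records = []
    for manifest, body in snapshot["manifests"].items():
        resolved = body["resolved"]
        for path in find_paths(resolved, artifact):
            records.append({
                "manifest": manifest,
                "scope": resolved[path[0]].get("scope", "runtime"),
                "version": purl_version(path[-1]),
                "path": [f"{purl_name(p)}@{purl_version(p)}" for p in path],
            })
    return records


def drop_scope(resolved: dict, scope: str) -> dict:
    """Keep only packages reachable from direct dependencies NOT in `scope`."""
    keep = set()

    def mark(purl):
        if purl in keep or purl not in resolved:
            return
        keep.add(purl)
        for dep in resolved[purl].get("dependencies", []):
            mark(dep)

    for purl, node in resolved.items():
        if node.get("relationship") == "direct" and node.get("scope") != scope:
            mark(purl)
    return {p: n for p, n in resolved.items() if p in keep}


if __name__ == "__main__":
    for rec in report(SNAPSHOT, "jackson-databind"):
        print(f"[{rec['scope']}] {' -> '.join(rec['path'])}")
    kept = drop_scope(SNAPSHOT["manifests"]["build.sbt"]["resolved"], "development")
    print("after dropping development scope:", sorted(kept))
```

Running this against a real snapshot (the JSON body the action submits) shows that the 2.12.1 hit is only reachable through the development-scoped scaladoc root, while the project's own 2.13.4.2 pin sits in a separate runtime chain; the two are different versions and the alert is about the former.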
Hi everyone,
Not sure it's the best place to report this issue but I give it a try anyway.
I installed this GH Action on one of our repos (see https://github.com/conduktor/zio-kafka/blob/cdk-master/.github/workflows/dependency-graph.yml) and the report is telling me that I have a vulnerable version of jackson-databind (see https://github.com/conduktor/zio-kafka/security/dependabot/21), which doesn't seem to be correct as we're using v2.13.4.2 (see https://github.com/conduktor/zio-kafka/blob/cdk-master/build.sbt#L96), which is a version above the recommended version (2.13.4.1). Any idea of why? 🤔
Jules