The org.inferred:freebuilder:1.14.9 dependency causes Bookkeeper to be flagged for jQuery vulnerabilities.
This happens in the Sonatype IQ vulnerability scanner, which will also scan embedded js files. For example, it finds jQuery in the path org/inferred/freebuilder/shaded/org/openjdk/tools/javadoc/internal/doclets/formats/html/resources/jquery/external/jquery jquery-1.10.2.js inside the freebuilder jar file.
Original Issue: apache/bookkeeper#2732
BUG REPORT
Expected behavior
Bookkeeper shouldn't expose freebuilder as a dependency at all. It's an annotation processor, which should be defined as an optional dependency in Maven and with compileOnly in Gradle.
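One way to catch this class of leak before a scanner does is to check the Maven POM for annotation processors that are declared in a scope Maven passes on to consumers (compile or runtime) without optional set to true; provided scope and optional both stop propagation. The script below is an added example written for this page and is not code from the issue, from BookKeeper or from freebuilder. The set of processor coordinates (ANNOTATION_PROCESSORS), the function names and the two embedded POM fragments are constructed for the example; the POMs reuse the freebuilder 1.14.9 coordinates from the report.

```python
import xml.etree.ElementTree as ET

# Coordinates of annotation processors that must never be exported to consumers.
# org.inferred:freebuilder is the one from this issue; the set itself is an
# assumption of this example and can be extended.
ANNOTATION_PROCESSORS = {"org.inferred:freebuilder"}

# Maven scopes that are handed on to downstream consumers. 'provided' and 'test'
# are not, and <optional>true</optional> stops propagation for any scope.
TRANSITIVE_SCOPES = {"compile", "runtime"}


def _local(tag):
    """Strip the POM namespace: '{http://maven.apache.org/POM/4.0.0}dependency' -> 'dependency'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name, default=""):
    """Text of the first direct child element called `name`, or `default`."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return default


def leaking_processors(pom_xml, processors=ANNOTATION_PROCESSORS):
    """Return 'groupId:artifactId:version' for each listed annotation processor that
    Maven would give to consumers of this artifact as a transitive dependency.
    Only <project><dependencies> is inspected: entries under <dependencyManagement>
    or inside plugin configuration export nothing on their own."""
    root = ET.fromstring(pom_xml)
    leaks = []
    for block in root:
        if _local(block.tag) != "dependencies":
            continue
        for dep in block:
            if _local(dep.tag) != "dependency":
                continue
            ga = f"{_child_text(dep, 'groupId')}:{_child_text(dep, 'artifactId')}"
            if ga not in processors:
                continue
            scope = _child_text(dep, "scope", "compile")
            optional = _child_text(dep, "optional", "false").lower() == "true"
            if scope in TRANSITIVE_SCOPES and not optional:
                leaks.append(f"{ga}:{_child_text(dep, 'version', '?')}")
    return leaks


_POM_HEAD = ('<project xmlns="http://maven.apache.org/POM/4.0.0">'
             '<modelVersion>4.0.0</modelVersion>'
             '<groupId>example</groupId><artifactId>demo</artifactId><version>1</version>')

# Constructed sample: freebuilder in the default (compile) scope, so every consumer
# of this artifact inherits it, shaded jQuery included.
BAD_POM = _POM_HEAD + """
<dependencies>
  <dependency>
    <groupId>org.inferred</groupId>
    <artifactId>freebuilder</artifactId>
    <version>1.14.9</version>
  </dependency>
</dependencies>
</project>"""

# Constructed sample: the same dependency marked optional, as the issue asks for.
# The <dependencyManagement> copy is deliberately left in compile scope to show
# that managed versions alone do not export anything and are not flagged.
GOOD_POM = _POM_HEAD + """
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.inferred</groupId>
      <artifactId>freebuilder</artifactId>
      <version>1.14.9</version>
    </dependency>
  </dependencies>
</dependencyManagement>
<dependencies>
  <dependency>
    <groupId>org.inferred</groupId>
    <artifactId>freebuilder</artifactId>
    <version>1.14.9</version>
    <optional>true</optional>
  </dependency>
</dependencies>
</project>"""


if __name__ == "__main__":
    for name, pom in (("bad", BAD_POM), ("good", GOOD_POM)):
        print(name, "->", leaking_processors(pom) or "no leaking annotation processors")
```

Run against a real pom.xml by passing its contents to leaking_processors; an empty list means the listed processors are either optional, in provided/test scope, or absent. The Gradle side is the same rule expressed differently: declare the processor with compileOnly and annotationProcessor rather than implementation or api, so it never appears in the published POM's runtime or compile scope.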