Why would Sonatype IQ scan report show (in IntelliJ-IDEA) a Guava vulnerability when mvn dependency:tree does not show Guava at all?
Here is my Sonatype scan result, with a Level-7 Critical vulnerability in all versions of Guava.
So, if mvn dependency:tree -Dverbose shows absolutely no mention of Guava, how is it that the Sonatype scan complains about it?
Also, I tried using the JDK jdeps tool (jdeps eb-mu-cbos-eeoi-api-1.0.14-SNAPSHOT.jar) and it also doesn't show a Guava dependency.
Is there a way, or another tool, that would allow me to dig even deeper to discover where the Guava dependency reference is coming from?
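One reason a composition-analysis scanner can flag a library that neither mvn dependency:tree nor jdeps shows is that such scanners typically fingerprint the contents of the built artifact rather than reading the POM: classes bundled into a fat jar, relocated by maven-shade, or carried inside a nested jar (BOOT-INF/lib, WEB-INF/lib) are invisible to the dependency tree and are not reported by jdeps as a dependency of the outer jar. The script below is an added example, not part of the original question and not a Sonatype tool; it walks a jar (recursing into nested jars) and reports three kinds of evidence for Guava: classes at Guava's real package path com/google/common, the same classes under a relocated package, and Guava's own Maven pom.properties, which also gives the version. The fat-jar layout, the class names and the version string in the built-in sample are constructed for the demonstration; the prefixes match Guava's real package and Maven coordinates.

```python
import io
import sys
import zipfile

# Guava's real package is com.google.common and its Maven coordinates are
# com.google.guava:guava, so these prefixes match the real on-disk layout.
GUAVA_CLASS_MARKER = "com/google/common/"
GUAVA_POM_PREFIX = "META-INF/maven/com.google.guava/"


def _parse_properties(text):
    """Minimal key=value parser for Maven's pom.properties (comments start with '#')."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_guava(jar_bytes, location="<root>"):
    """Return a list of findings (dicts) describing where Guava appears inside a jar.

    Kinds reported:
      class           -- a Guava class at its original package path (bundled, e.g. a fat jar)
      relocated-class -- a Guava class under a renamed package (maven-shade relocation)
      maven-metadata  -- Guava's own pom.properties, which also yields the version
    Nested jars (BOOT-INF/lib, WEB-INF/lib, ...) are scanned recursively and reported
    with a "outer!/nested" location so the path to the evidence is unambiguous.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and GUAVA_CLASS_MARKER in name:
                kind = "class" if name.startswith(GUAVA_CLASS_MARKER) else "relocated-class"
                findings.append({"kind": kind, "location": location, "entry": name})
            elif name.startswith(GUAVA_POM_PREFIX) and name.endswith("pom.properties"):
                props = _parse_properties(zf.read(name).decode("utf-8", "replace"))
                findings.append({"kind": "maven-metadata", "location": location,
                                 "entry": name, "version": props.get("version")})
            elif name.endswith(".jar"):
                findings.extend(find_guava(zf.read(name), f"{location}!/{name}"))
    return findings


def _zip_bytes(entries):
    """Build an in-memory zip/jar from a {entry_name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_jar():
    """Constructed fat jar for the demonstration: the application's own class, one
    shade-relocated Guava class, and a complete Guava jar nested under BOOT-INF/lib.
    Class bodies are just the class-file magic number; the version is a sample value."""
    nested_guava = _zip_bytes({
        "com/google/common/base/Preconditions.class": b"\xca\xfe\xba\xbe",
        "META-INF/maven/com.google.guava/guava/pom.properties":
            b"groupId=com.google.guava\nartifactId=guava\nversion=30.0-jre\n",
    })
    return _zip_bytes({
        "com/example/api/Main.class": b"\xca\xfe\xba\xbe",
        "com/example/shaded/com/google/common/collect/Lists.class": b"\xca\xfe\xba\xbe",
        "BOOT-INF/lib/guava-30.0-jre.jar": nested_guava,
    })


if __name__ == "__main__":
    # Pass a real jar path to scan it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for f in find_guava(data):
        extra = f" version={f['version']}" if f.get("version") else ""
        print(f"{f['kind']:16} {f['location']} :: {f['entry']}{extra}")
```

Run it against the artifact the scanner actually examined (the built jar, not the module sources): a "class" or "maven-metadata" finding at a nested location points at a bundled library that the dependency tree of the outer module never sees, while a "relocated-class" finding means a shaded copy whose package name no longer looks like Guava but whose class contents still fingerprint as Guava. Checking the hash of any matched entry against the scanner's report is the quickest way to confirm which copy triggered the finding.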