
Why would Sonatype IQ scan report show (in IntelliJ-IDEA) a Guava vulnerability when mvn dependency:tree does not show Guava at all?

Here is my Sonatype scan result, with a Level-7 Critical vulnerability in all versions of Guava.

So, if `mvn dependency:tree -Dverbose` shows absolutely no mention of Guava, how is it that the Sonatype scan complains about it?

Also, I tried using the JDK `jdeps` tool and it also doesn't show a Guava dependency: `jdeps eb-mu-cbos-eeoi-api-1.0.14-SNAPSHOT.jar .`

Is there a way, or another tool, that would allow me to dig even deeper to discover where the Guava dependency reference is coming from?

djangofan
  • This is _probably_ not going to be of any help, but: At some point, I picked up the habit of running `dependency:tree -Dverbose` with the `-X` flag (I don't remember why) _and_ as part of the same command as `install` (which I was told helps with multi-module projects, though maybe there are [other ways](https://stackoverflow.com/a/3899772/28465)?). I don't suppose that that spits out anything about Guava? – Chris Povirk May 13 '21 at 14:27
  • Make sure IntelliJ and your command line `mvn` are the same version. Also, if you can run Sonatype IQ from the command line without IntelliJ that would be good info too. Removing the IDE from the mix with these types of issues often simplifies troubleshooting. – user944849 May 13 '21 at 14:35
  • Aha - what do you get if you use `-X` instead of `verbose`? Per the [tree-mojo docs](https://maven.apache.org/plugins/maven-dependency-plugin/tree-mojo.html), the `verbose` parameter "actually uses Maven 2 algorithm and may give wrong results when used with Maven 3". (Yikes!) – user944849 May 13 '21 at 14:38
  • @user944849, nice, thanks. It looks like I had seen that before [on Stack Overflow](https://stackoverflow.com/a/29409560/28465) but completely forgotten. Some possible good news: [`verbose` may be a no-op under Maven 3](https://issues.apache.org/jira/browse/MDEP-644), at least until [3.1.3 is released with a new, Maven-3-correct implementation](https://issues.apache.org/jira/browse/MDEP-644). – Chris Povirk May 13 '21 at 15:52
  • Sorry, new comment for 3 more thoughts. First, you might try not only matching the `mvn` version to IntelliJ but also picking the _newest_ version -- and not only the newest version of `mvn` but also the newest version of _the dependency plugin_. Currently: `mvn install org.apache.maven.plugins:maven-dependency-plugin:3.1.2:tree -X`. Second, you might try running `mvn -X compile` and looking at the `-classpath` argument it passes. Finally, I wonder if Sonatype IQ could be looking at _other_ kinds of "dependencies," like annotation processors or plugins, that `dependency:tree` might ignore? – Chris Povirk May 13 '21 at 16:04
  • @user944849 yes it worked. Using `-X` reveals Guava but still does not show the parent module that the library comes from. Instead it just shows Guava at the root of the classpath. – djangofan May 13 '21 at 17:01
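The question and the comments above all come down to the same chore: reading `mvn dependency:tree` output and working out which direct dependency pulls a given artifact in. The following Python script is an added example (not code from the question, the answer, or any of the tools mentioned) that parses that text format and prints every root-to-artifact path whose leaf belongs to a requested groupId, so the module that brings Guava in is visible at a glance. The tree text embedded in it is constructed sample output with made-up coordinates, not the asker's project; the same parser runs on a real capture from `mvn dependency:tree > tree.txt`. Note that this only answers what Maven itself resolves: a scanner that identifies components by fingerprinting the built jars rather than reading the POM can flag classes that are bundled or shaded into a jar and therefore never appear as a coordinate in the tree, which a tree-based check like this cannot reveal.

```python
"""Find which dependency drags a given artifact into a Maven build.

Parses the plain-text output of `mvn dependency:tree` and reports every
root-to-artifact path whose leaf has the requested groupId. Added example,
not code from the Stack Overflow question or answer.
"""
import re
import sys
from typing import List, Optional, Tuple

# Constructed sample in the format `mvn dependency:tree` prints; the
# coordinates are invented and do not come from the asker's project.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ api ---
[INFO] com.example:api:jar:1.0.0-SNAPSHOT
[INFO] +- com.example:internal-client:jar:2.3.1:compile
[INFO] |  \\- com.google.guava:guava:jar:30.1-jre:compile
[INFO] |     +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |     \\- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] \\- junit:junit:jar:4.13.2:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

LOG_PREFIX = re.compile(r"^\[INFO\] ?")
# A branch line: zero or more 3-char indent cells ("|  " or "   "),
# then "+- " or "\- ", then the node text.
BRANCH = re.compile(r"^((?:\|  |   )*)[+\\]- (.+)$")
# A module root has no tree prefix: groupId:artifactId:packaging[:classifier]:version
ROOT = re.compile(r"^[\w.-]+:[\w.-]+:[\w.-]+(?::[\w.-]+)+$")


def parse_paths(tree_text: str) -> List[List[str]]:
    """Return the root-to-node path for every node, in the order printed."""
    paths: List[List[str]] = []
    stack: List[str] = []  # stack[d] is the node currently open at depth d
    for raw in tree_text.splitlines():
        line = LOG_PREFIX.sub("", raw).rstrip()
        branch = BRANCH.match(line)
        if branch:
            depth = len(branch.group(1)) // 3 + 1
            if not stack or depth > len(stack):
                raise ValueError(f"tree line without a parent: {raw!r}")
            del stack[depth:]  # close deeper branches that ended before this line
            stack.append(branch.group(2).strip())
            paths.append(list(stack))
        elif ROOT.match(line):
            stack = [line]  # a new module root; multi-module builds print several
            paths.append([line])
    return paths


def coordinate_key(node: str) -> Tuple[str, str]:
    """groupId and artifactId of a node; -Dverbose wraps omitted nodes in '(...)'."""
    parts = node.lstrip("(").split(":")
    return parts[0], parts[1]


def find_paths(tree_text: str, group_id: str,
               artifact_id: Optional[str] = None) -> List[List[str]]:
    """Every path whose leaf matches group_id (and artifact_id, if given)."""
    hits = []
    for path in parse_paths(tree_text):
        group, artifact = coordinate_key(path[-1])
        if group == group_id and (artifact_id is None or artifact == artifact_id):
            hits.append(path)
    return hits


def explain(tree_text: str, group_id: str) -> str:
    """Human-readable report: one 'root -> ... -> leaf' line per match."""
    lines = [" -> ".join(path) for path in find_paths(tree_text, group_id)]
    return "\n".join(lines) if lines else f"no node with groupId {group_id} in tree"


if __name__ == "__main__":
    # Usage: python find_dep.py com.google.guava tree.txt
    # where tree.txt was produced by `mvn dependency:tree > tree.txt`.
    group = sys.argv[1] if len(sys.argv) > 1 else "com.google.guava"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_TREE
    print(explain(text, group))
```

On the Maven side, the tree mojo's `includes` parameter (`mvn dependency:tree -Dincludes=com.google.guava`) already prunes the printed tree to the branches leading to a groupId; the script is useful when you have a saved full tree, when the output comes from `-Dverbose` with its "omitted for duplicate/conflict" entries, or when you want the chains in a form you can diff against a scanner report.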

1 Answer

Instead of `--verbose`, using `-X` reveals Guava but still does not show the parent module that the library comes from. Instead it just shows Guava at the root of the classpath.

So, the solution to my issue was to use the IntelliJ IDEA project settings: in the "Libraries" section, when I try to delete Guava, it tells me which module/library had included it.

Thanks for all your comments on my original question. It led me to the answer.

djangofan