Mahesh Chand

Reputation: 3250

Issue in resolving vulnerabilities check

We had a vulnerability check in our sbt project using Anchor Engine.


Most of the errors are related to Jackson Databind. We are not even using it, as we are using spray-json for serialization. After searching, I found it is used internally by sbt, so I cannot upgrade its version. So I tried upgrading the sbt version from 1.2.6 to 1.4.0 to resolve this issue, but it didn't work.

    // project/Dependencies.scala (build definition); the `%` / `%%` / `exclude`
    // syntax comes from the sbt DSL, so the file needs this import.
    import sbt._

    object Versions {
      val guice = "4.2.1"
      val slick = "3.3.2"
      val hikariCP = "3.3.0"
      val postgres = "42.2.5"
      val rabbitMQClient = "5.5.1"
      val logbackClassic = "1.2.3"
      val sprayJson = "1.3.5"
      val akkaHttp = "10.1.5"
      val akkaActor = "2.5.19"
      val akkaStream = "2.5.19"
      val scalaTest = "3.0.1"
      val h2 = "1.4.197"
      val rabbitmqMock = "1.0.8"
      val mockito = "1.9.5"
    }

    object CompileDeps {
      val guice = "com.google.inject" % "guice" % Versions.guice
      val scalaGuice = "net.codingwell" %% "scala-guice" % Versions.guice
      val postgresql = "org.postgresql" % "postgresql" % Versions.postgres
      val slick = "com.typesafe.slick" %% "slick" % Versions.slick
      val hikariCP = "com.typesafe.slick" %% "slick-hikaricp" % Versions.hikariCP
      // amqp-client declares jackson-databind as an optional dependency; the
      // exclusion keeps it off the compile classpath.
      val rabbitMQClient = "com.rabbitmq" % "amqp-client" % Versions.rabbitMQClient exclude("com.fasterxml.jackson.core", "jackson-databind")
      val logbackClassic = "ch.qos.logback" % "logback-classic" % Versions.logbackClassic
      val sprayJson = "io.spray" %% "spray-json" % Versions.sprayJson
      val akkaHttp = "com.typesafe.akka" %% "akka-http" % Versions.akkaHttp
      val akkaActor = "com.typesafe.akka" %% "akka-actor" % Versions.akkaActor
      val akkaStream = "com.typesafe.akka" %% "akka-stream" % Versions.akkaStream
      val akkaHttpSprayJson = "com.typesafe.akka" %% "akka-http-spray-json" % Versions.akkaHttp
    }

[image: dependencyBrowseGraph output]

So can anyone please guide me on how I can resolve these security checks?

Thanks

Upvotes: 0

Views: 49

Answers (1)

Mateusz Kubuszok

Reputation: 27595

You are fetching Jackson via RabbitMQ dependency. See compile dependencies of your version of RabbitMQ on Maven repository.

This dependency is marked as optional, so you could probably safely remove it using exclude("com.fasterxml.jackson.core", "jackson-databind"). Test it! If it doesn't work, add the dependency explicitly to bump to some newer, safer version, or find a way to suppress the warning.

For the future: use sbt-dependency-graph to generate a visual dependency graph (dependencyBrowseGraph); then you'll be able to see which libraries fetch and evict your dependencies.

Upvotes: 1
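The two remedies the answer describes, excluding the transitive artifact and pinning a patched version project-wide, together with the dependency-tree tooling used to confirm where Jackson comes from, as an added example (this is not the answerer's code or the asker's build). Assumptions: the build runs on sbt 1.4 or newer, where the dependency-tree plugin ships with sbt and is enabled with `addDependencyTreePlugin`; the version string `JACKSON_PATCHED_VERSION` is a placeholder to be replaced with whichever jackson-databind release the scanner considers clean; the `whatDependsOn` invocation at the end is the command a practitioner would run to verify the result, not something the page shows.

```scala
// ---- project/plugins.sbt ------------------------------------------------
// sbt >= 1.4 bundles sbt-dependency-graph; this one line enables the
// dependencyTree / dependencyBrowseGraph / whatDependsOn tasks.
addDependencyTreePlugin

// ---- build.sbt ----------------------------------------------------------
// Placeholder: set this to a jackson-databind release the scanner accepts.
val jacksonPatched = "JACKSON_PATCHED_VERSION"

// Step 1: keep the optional jackson-databind off the classpath entirely.
// Wrapping the ModuleID in parentheses avoids infix-precedence surprises.
val rabbitMQClient =
  ("com.rabbitmq" % "amqp-client" % "5.5.1")
    .exclude("com.fasterxml.jackson.core", "jackson-databind")

// Alternative to step 1 when many artifacts drag Jackson in: exclude it
// from every dependency in the project with one rule.
excludeDependencies += ExclusionRule("com.fasterxml.jackson.core", "jackson-databind")

// Step 2 (use instead of step 1 if the code actually needs Jackson at
// runtime): let it be resolved, but force the patched version so that the
// vulnerable transitive version is evicted everywhere.
dependencyOverrides += "com.fasterxml.jackson.core" % "jackson-databind" % jacksonPatched

libraryDependencies ++= Seq(
  rabbitMQClient,
  "io.spray" %% "spray-json" % "1.3.5"
)

// ---- verification (typed at the sbt prompt, not part of the build) -----
// Shows every path by which jackson-databind reaches the project; an empty
// result after step 1 confirms the exclusion worked.
//
//   sbt "whatDependsOn com.fasterxml.jackson.core jackson-databind"
//
// After step 2, `sbt evicted` lists the old versions that the override
// replaced, which is what the scanner should no longer see.
```

Step 1 and step 2 are alternatives rather than a pair: an excluded artifact cannot be overridden, so pick exclusion when nothing on the classpath loads Jackson classes and the override when something does. Note that a scanner reading the sbt launcher's own jars (sbt's internal Jackson, which the question mentions) is reporting on the build tool, not on the shipped application; only findings against the project's compile or runtime classpath are addressed by these settings.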
