Dependency found that is not listed in sbt #49
https://github.com/scalafx is getting a dependency and security alert for jackson-databind, but the project does not depend on it.
For my case I suspect some optional runtime / provided maven dependency, but it would be good if sbt could point me to it.
I noticed that in one of my projects as well. I guess the reason is that Scala 3 itself depends on it - at least this search shows a dependency on jackson-databind 2.12.1, which is the version I am getting an alert for: https://github.com/lampepfl/dotty/search?q=jackson
I tested sbt-dependency-submission with a totally empty sbt project and got dependencies on both Downgrading the Scala version to 2.13.8 led to a drastic reduction of dependencies (only five were left, none of them yielding alerts).
I can confirm that I also tested on a Scala 3 project
I believe it's due to scaladoc on Scala 3, it brings Jackson & Flexmark. This plugin uses
Thanks @ybasket. Indeed the Jackson & Flexmark dependencies are used by scaladoc on Scala 3. GitHub recently announced a scope filter in the Dependabot alerts, but for reasons I don't know, it does not seem to work with the GitHub dependency submissions. Should we exclude those dependencies from the report? I would say no, because the vulnerabilities in the dependencies of the build tool could be exploited. I think we should always take as many dependencies as possible, even if it is not always easy to understand where they are coming from. Hopefully the GitHub team will make it easier some day. About the vulnerabilities, they should be fixed in scaladoc itself. In the meantime this is how you can fix them in your build:
```scala
// Option 1: drop the scaladoc tool dependency entirely and disable the `doc` task
lazy val foo = project.in(file(""))
  .settings(
    allDependencies -= "org.scala-lang" %% "scaladoc" % scalaVersion.value % "scala-doc-tool->default(compile)",
    Compile / doc / sources := Seq.empty // disable the `doc` task
  )
```
```scala
// Option 2: keep scaladoc but pull a patched jackson-databind into the scala-doc-tool configuration
lazy val foo = project.in(file(""))
  .settings(
    allDependencies += "com.fasterxml.jackson.core" % "jackson-databind" % "2.13.3" % Configurations.ScalaDocTool
  )
```
@adpi2 Would it be hard to make that decision configurable? I agree with your reasoning in that they should be included by default, but for the given GitHub circumstances and my situation at $WORK, having all those extra dependencies stops me from using the
PS: Thank you for the scaladoc removal snippets, that may help working around in the meantime.
@ybasket If you have time to contribute on this, I would be happy to help.
I can't make any promises, but if I find time, I'll try to implement this.
To get started, you can add a field in this file and consume it here to filter some dependencies out. The difficulty would be to define what to filter out. Do you want to filter out all development dependencies? Even the test dependencies? Maybe a flexible solution would be to take a set of configs to ignore (
There are some security vulnerabilities associated with older jackson versions. People mentioned starting to see this in their projects after adding sbt-dependency-submission in their Scala 3 projects. ref: scalacenter/sbt-dependency-submission#49
@adpi2 I tried implementing this and got stuck on how to pass the information along inside the sbt state (something I have no experience with). More concretely, it seems as if the state isn't yet populated when the manifest task is run, hence the exclusions can't be extracted. Do you happen to have a hint on how to work around that? I opened a draft PR to share the current version I have, it will probably take a bit until I find time again to work on it: #51
This removes the
I don't think it is possible to get a dependency tree for

```scala
import sbt.librarymanagement.Configurations
import sbt.plugins.DependencyTreeSettings

// enable dependencyTree reporting for the scala-tool configuration
inConfig(Configurations.ScalaTool)(DependencyTreeSettings.baseBasicReportingSettings)
```

So it seems that
I see this dependency is no longer part of the compiler-interface starting at 1.4.0 but I wonder if scala3 can update to that. |
The Scala 3 compiler still depends on interface 1.3 to be compatible with Bloop < 1.5. See scala/scala3#10816. But Bloop 1.5 now depends on Zinc 1.6 so we should be able to move this forward. |
Would we expect
No it should not, and it should warn that Adding a
Fixed by #73 It is now possible to add
Somehow this action came up with a dependency on `protobuf-java`, but I'm unable to get sbt to report that dependency to me. Any ideas where these could be coming from?