If both a direct and a transitive dependency on the same artifact are present in pom.xml, which will be used?

Below is a snippet from my pom.xml, in the same order:

```xml
<dependency>
    <groupId>com.browserstack</groupId>
    <artifactId>browserstack-local-java</artifactId>
    <version>1.0.6</version>
</dependency>
<!-- https://mvnrepository.com/artifact/junit/junit -->
<dependency>
    <groupId>junit</groupId>
    <artifactId>junit</artifactId>
    <version>4.13.1</version>
    <scope>test</scope>
</dependency>
```

browserstack-local-java has a transitive dependency on junit 4.11.

junit 4.11 has a direct vulnerability. If I scan this project for vulnerabilities, which version of junit will be considered? Will it be junit 4.11, which is transitive via browserstack-local-java, or the later one, which is 4.13.1?

Thanks
sumit

1 Answer

This is described in Transitive Dependencies:

Dependency mediation - this determines what version of an artifact will be chosen when multiple versions are encountered as dependencies. Maven picks the "nearest definition". That is, it uses the version of the closest dependency to your project in the tree of dependencies. You can always guarantee a version by declaring it explicitly in your project's POM. Note that if two dependency versions are at the same depth in the dependency tree, the first declaration wins. "nearest definition" means that the version used will be the closest one to your project in the tree of dependencies. Consider this tree of dependencies:

 A
 ├── B
 │   └── C
 │       └── D 2.0
 └── E
     └── D 1.0

In text, dependencies for A, B, and C are defined as A -> B -> C -> D 2.0 and A -> E -> D 1.0, then D 1.0 will be used when building A because the path from A to D through E is shorter. You could explicitly add a dependency to D 2.0 in A to force the use of D 2.0, as shown here:

 A
 ├── B
 │   └── C
 │       └── D 2.0
 ├── E
 │   └── D 1.0
 │
 └── D 2.0
Lesiak
  • Thanks @Lesiak for the explanation. Suppose I declare a third version, say D 3.0, explicitly in my pom.xml; then will A use D 2.0 or D 3.0? And say D 2.0 has a vulnerability; in that case, do I need to exclude D 2.0 from A even though I have mentioned D 3.0 explicitly in pom.xml? – sumit Aug 11 '22 at 04:45
  • If you declare D 3.0 directly in your project, D 3.0 wins. Even though there is no need to explicitly exclude D 2.0 from A, I would consider it: 1. Your dependency scanner may be unhappy if D 2.0 is still in the deps tree. 2. You can add a comment explaining the exclusion and the direct dependency. 3. Maven's behaviour is not common knowledge. – Lesiak Aug 11 '22 at 07:37
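Added example, not code from the question, the answer or Maven itself: a small Python model of the "nearest definition" rule described in the answer, applied to the answer's A/B/C/D/E tree, to the question's pom (browserstack-local-java pulling in junit 4.11 beside a direct junit 4.13.1), and to the comment thread's case of declaring D 3.0 directly. The dependency graphs are constructed, and `mediate` and `declare_direct` are hypothetical helpers; besides the winning versions, `mediate` also returns the versions that lost mediation, which is what a scanner reading the raw tree rather than the resolved one may still report.

```python
from collections import deque

# Constructed graph mirroring the answer's tree: each (artifact, version) node maps to
# its declared children, in POM order (at equal depth the first declaration wins).
ANSWER_TREE = {
    ("A", "1"): [("B", "1"), ("E", "1")],
    ("B", "1"): [("C", "1")],
    ("C", "1"): [("D", "2.0")],
    ("E", "1"): [("D", "1.0")],
    ("D", "2.0"): [],
    ("D", "1.0"): [],
}

# Constructed graph for the question's pom.xml: browserstack-local-java is declared
# first and pulls in junit 4.11 transitively; junit 4.13.1 is declared directly.
QUESTION_TREE = {
    ("project", "1"): [("browserstack-local-java", "1.0.6"), ("junit", "4.13.1")],
    ("browserstack-local-java", "1.0.6"): [("junit", "4.11")],
    ("junit", "4.13.1"): [],
    ("junit", "4.11"): [],
}


def mediate(tree, root):
    """Hypothetical model of Maven's nearest-definition mediation: breadth-first walk,
    first version seen for an artifact wins (shallowest depth, earliest declaration).
    Returns (resolved, omitted): resolved maps artifact -> chosen version; omitted lists
    (artifact, version, depth) for versions dropped by conflict, which still sit in the
    unresolved tree and may be flagged by a scanner that does not apply mediation."""
    resolved, omitted = {}, []
    queue = deque([(root, 0)])
    while queue:
        (artifact, version), depth = queue.popleft()
        if artifact in resolved:
            if resolved[artifact] != version:
                omitted.append((artifact, version, depth))
            continue  # a losing node's own children are not pulled in either
        resolved[artifact] = version
        for child in tree.get((artifact, version), []):
            queue.append((child, depth + 1))
    return resolved, omitted


def declare_direct(tree, root, artifact, version):
    """Copy of tree with an explicit direct dependency appended to the root's POM,
    as the comment thread proposes (e.g. D 3.0 declared in the project itself)."""
    new_tree = {node: list(children) for node, children in tree.items()}
    new_tree[root].append((artifact, version))
    new_tree.setdefault((artifact, version), [])
    return new_tree
```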