
[🐛] Snyk cannot resolve maven test dependencies defined at parent pom

Open Hakky54 opened this issue 3 years ago • 9 comments

I am not quite sure if this is the right place to open an issue.

Expected behaviour

Snyk should ignore test scoped dependencies

Actual behaviour

Snyk reports vulnerabilities of dependencies which have no scope defined at the actual pom. The scope is defined at the parent pom and so the resolved pom will have the correct scope. I had this issue with log4j, see here for the issue report: https://issues.apache.org/jira/browse/LOG4J2-2987

Basically sslcontext-kickstart uses logcaptor which is a test scoped dependency. However the scope is defined within the parent pom.

LogCaptor uses log4j library which uses junit as a test scoped dependency. However it has the same kind of structure with dependency declaration. The parent pom defined it as a test scope dependency and the child pom is using it and can omit the scope. However Snyk is not resolving the actual pom.

The maven dependency tree also shows that the dependency which is reported by Snyk is an actual test scoped dependency:

[INFO] ------------------------------------------------------------------------
[INFO] Building Apache Log4j API 2.14.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ log4j-api ---
[INFO] org.apache.logging.log4j:log4j-api:jar:2.14.1-SNAPSHOT
[INFO] +- org.apache.logging.log4j:log4j-api-java9:zip:2.14.1-SNAPSHOT:provided
[INFO] +- org.apache.felix:org.apache.felix.framework:jar:5.6.12:test
[INFO] +- org.osgi:org.osgi.core:jar:4.3.1:provided
[INFO] +- org.junit.vintage:junit-vintage-engine:jar:5.7.0:test
[INFO] |  +- org.apiguardian:apiguardian-api:jar:1.1.0:test
[INFO] |  +- org.junit.platform:junit-platform-engine:jar:1.7.0:test
[INFO] |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  |  \- org.junit.platform:junit-platform-commons:jar:1.7.0:test
[INFO] |  \- junit:junit:jar:4.13.1:test
[INFO] |     \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.junit.jupiter:junit-jupiter-migrationsupport:jar:5.7.0:test
[INFO] |  \- org.junit.jupiter:junit-jupiter-api:jar:5.7.0:test
[INFO] +- org.junit.jupiter:junit-jupiter-params:jar:5.7.0:test
[INFO] +- org.junit.jupiter:junit-jupiter-engine:jar:5.7.0:test
[INFO] +- org.assertj:assertj-core:jar:3.18.1:test
[INFO] +- org.eclipse.tycho:org.eclipse.osgi:jar:3.13.0.v20180226-1711:test
[INFO] +- org.apache.maven:maven-core:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-model:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-settings:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-settings-builder:jar:3.6.3:test
[INFO] |  |  +- org.codehaus.plexus:plexus-interpolation:jar:1.25:test
[INFO] |  |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:test
[INFO] |  |     \- org.sonatype.plexus:plexus-cipher:jar:1.4:test
[INFO] |  +- org.apache.maven:maven-builder-support:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-repository-metadata:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-artifact:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-plugin-api:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-model-builder:jar:3.6.3:test
[INFO] |  +- org.apache.maven:maven-resolver-provider:jar:3.6.3:test
[INFO] |  |  \- org.slf4j:slf4j-api:jar:1.7.25:test
[INFO] |  +- org.apache.maven.resolver:maven-resolver-impl:jar:1.4.1:test
[INFO] |  +- org.apache.maven.resolver:maven-resolver-api:jar:1.4.1:test
[INFO] |  +- org.apache.maven.resolver:maven-resolver-spi:jar:1.4.1:test
[INFO] |  +- org.apache.maven.resolver:maven-resolver-util:jar:1.4.1:test
[INFO] |  +- org.apache.maven.shared:maven-shared-utils:jar:3.2.1:test
[INFO] |  |  \- commons-io:commons-io:jar:2.8.0:test
[INFO] |  +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.4:test
[INFO] |  |  \- javax.enterprise:cdi-api:jar:1.0:test
[INFO] |  |     \- javax.annotation:jsr250-api:jar:1.0:test
[INFO] |  +- org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.4:test
[INFO] |  +- com.google.inject:guice:jar:no_aop:4.2.1:test
[INFO] |  |  +- aopalliance:aopalliance:jar:1.0:test
[INFO] |  |  \- com.google.guava:guava:jar:25.1-android:test
[INFO] |  |     +- com.google.code.findbugs:jsr305:jar:3.0.2:test
[INFO] |  |     +- org.checkerframework:checker-compat-qual:jar:2.0.0:test
[INFO] |  |     +- com.google.errorprone:error_prone_annotations:jar:2.1.3:test
[INFO] |  |     +- com.google.j2objc:j2objc-annotations:jar:1.1:test
[INFO] |  |     \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:test
[INFO] |  +- javax.inject:javax.inject:jar:1:test
[INFO] |  +- org.codehaus.plexus:plexus-utils:jar:3.3.0:test
[INFO] |  +- org.codehaus.plexus:plexus-classworlds:jar:2.6.0:test
[INFO] |  \- org.codehaus.plexus:plexus-component-annotations:jar:2.1.0:test
[INFO] +- org.apache.commons:commons-lang3:jar:3.11:test
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.11.3:test
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.11.3:test
[INFO]    \- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.3:test (optional) 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------

Screenshots


Hakky54 avatar Dec 31 '20 10:12 Hakky54

Hi 👋 @Hakky54 Sorry it's taken so long to get back to you. Can I ask what Snyk command you're running? We ignore test dependencies unless you opt in by using the --dev CLI flag. I've tested the poms you've provided and it seems consistent (we only include test dependencies when using snyk test --dev).

In the Snyk CLI we're using mvn dependency:tree under the hood, so whatever the Maven CLI determines should be a test dependency is what Snyk uses.

gitphill avatar Jun 14 '21 09:06 gitphill

Hi Phill, it is indeed some time ago but the issue is still present. I am using the website which pulls my repo with a webhook. So I am not sure how it is resolving the dependencies. I just pushed some new code into my library and the same issue pops up. See here for the details: https://app.snyk.io/org/hakky54/project/3c2722d3-1b82-4877-977f-d82b9ff694e4


It is complaining about junit v4.13.1 which is a test dependency within log4j-to-slf4j. This library is present as a compile scoped dependency within the library logcaptor. And logcaptor is specified as a test scoped dependency within sslcontext-kickstart. So clearly this issue should be ignored by Snyk, right?

Hakky54 avatar Jun 17 '21 20:06 Hakky54

This is probably an issue with your maven pom. Test dependencies need to be explicitly defined as test dependencies like this: https://www.baeldung.com/maven-dependency-scopes#4-test Sometimes the issue is the library you are including; if the library you are including has used the scope compile, then you can probably take care of it by explicitly excluding the dependency like this:

```xml
<dependency>
    <groupId></groupId>
    <artifactId></artifactId>
    <version></version>
    <exclusions>
        <exclusion>
            <groupId></groupId>
            <artifactId></artifactId>
        </exclusion>
    </exclusions>
</dependency>
```

You should run `mvn dependency:tree` from the command line to check that you have succeeded with excluding the dependency. If the included dependency is indeed only for testing and has been added by mistake, then excluding it should be safe.

sydseter avatar Nov 30 '21 15:11 sydseter

You can also specify explicitly that a specific dependency should have the scope test from the dependencyManagement section of your pom, as long as the dependency is only used for testing. This is usually the best option for test dependencies, but it won't work if you or any of the libraries you are using have explicitly set the scope for a specific dependency.

sydseter avatar Nov 30 '21 15:11 sydseter
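As an added example (not code from Snyk, from sslcontext-kickstart, or from anyone in this thread), the Python script below shows what "scope in dependencyManagement" means for the effective pom: the child module lists `logcaptor` without a scope, the parent's `<dependencyManagement>` supplies `test`, and a tool that reads only the child pom would fall back to Maven's `compile` default. It also covers the caveat from the comment above: a scope set explicitly in the child wins over the managed one. Both poms are constructed to mirror the parent/child layout described in this thread (they are not the real project poms), and the names `managed_entries`, `raw_scopes` and `effective_dependencies` are the example's own.

```python
"""Resolve dependency scopes the way Maven's effective pom does when the
scope lives in a parent's <dependencyManagement>.  Added example; the poms
below are constructed, not the real sslcontext-kickstart poms."""

import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed parent pom: version and scope declared once, centrally.
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>io.github.hakky54</groupId>
  <artifactId>sslcontext-kickstart-parent</artifactId>
  <version>7.0.4-SNAPSHOT</version>
  <packaging>pom</packaging>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>io.github.hakky54</groupId>
        <artifactId>logcaptor</artifactId>
        <version>2.7.2</version>
        <scope>test</scope>
      </dependency>
      <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>1.7.32</version>
      </dependency>
      <dependency>
        <groupId>org.assertj</groupId>
        <artifactId>assertj-core</artifactId>
        <version>3.21.0</version>
        <scope>test</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

# Constructed child pom: logcaptor and slf4j-api omit version and scope,
# assertj-core overrides the managed scope explicitly (the caveat above).
CHILD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>io.github.hakky54</groupId>
    <artifactId>sslcontext-kickstart-parent</artifactId>
    <version>7.0.4-SNAPSHOT</version>
  </parent>
  <artifactId>sslcontext-kickstart</artifactId>
  <dependencies>
    <dependency>
      <groupId>io.github.hakky54</groupId>
      <artifactId>logcaptor</artifactId>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
    </dependency>
    <dependency>
      <groupId>org.assertj</groupId>
      <artifactId>assertj-core</artifactId>
      <scope>compile</scope>
    </dependency>
  </dependencies>
</project>
"""


def _text(dep, tag):
    """Text of a child element such as <scope>, or None when it is absent."""
    el = dep.find(f"m:{tag}", NS)
    return el.text.strip() if el is not None and el.text else None


def _ga(dep):
    return f"{_text(dep, 'groupId')}:{_text(dep, 'artifactId')}"


def managed_entries(pom_xml):
    """group:artifact -> {'version', 'scope'} taken from <dependencyManagement>."""
    root = ET.fromstring(pom_xml)
    path = "m:dependencyManagement/m:dependencies/m:dependency"
    return {_ga(d): {"version": _text(d, "version"), "scope": _text(d, "scope")}
            for d in root.findall(path, NS)}


def raw_scopes(child_xml):
    """What a tool sees if it reads the child pom alone: a missing <scope>
    silently becomes Maven's default, 'compile'.  This is the failure mode
    the thread is about."""
    root = ET.fromstring(child_xml)
    return {_ga(d): _text(d, "scope") or "compile"
            for d in root.findall("m:dependencies/m:dependency", NS)}


def effective_dependencies(child_xml, parent_xml):
    """group:artifact -> (version, scope) as the effective pom resolves them:
    an explicit value in the child wins, then the parent's managed value,
    then the default scope 'compile'."""
    managed = managed_entries(parent_xml)
    root = ET.fromstring(child_xml)
    result = {}
    for d in root.findall("m:dependencies/m:dependency", NS):
        ga = _ga(d)
        m = managed.get(ga, {})
        version = _text(d, "version") or m.get("version")
        scope = _text(d, "scope") or m.get("scope") or "compile"
        result[ga] = (version, scope)
    return result


if __name__ == "__main__":
    raw = raw_scopes(CHILD_POM)
    for ga, (version, scope) in effective_dependencies(CHILD_POM, PARENT_POM).items():
        print(f"{ga}:{version}  effective={scope}  child-pom-only={raw[ga]}")
```

Running it prints `io.github.hakky54:logcaptor:2.7.2  effective=test  child-pom-only=compile`, which is exactly the disagreement reported in this issue: the effective pom (what `mvn dependency:tree` prints) says `test`, while a reader of the raw child pom sees no scope and assumes `compile`. Real Maven resolution also applies managed scopes to transitive dependencies and merges several parent levels; this example only handles one parent and direct dependencies.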

Hi @sydseter

The scope of the dependency has been specified here: https://github.com/Hakky54/sslcontext-kickstart/blob/56c391778391b446e40487e91207afc4bc23683e/pom.xml#L119

At the time I created this issue it was also like that. I define the scope within dependencyManagement. If I run dependency tree on the project I am getting this:

[INFO] ---------------< io.github.hakky54:sslcontext-kickstart >---------------
[INFO] Building sslcontext-kickstart 7.0.4-SNAPSHOT                       [2/7]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ sslcontext-kickstart ---
[INFO] io.github.hakky54:sslcontext-kickstart:jar:7.0.4-SNAPSHOT
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- org.junit.jupiter:junit-jupiter-api:jar:5.8.1:test
[INFO] |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  +- org.junit.platform:junit-platform-commons:jar:1.8.1:test
[INFO] |  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO] +- org.junit.jupiter:junit-jupiter-engine:jar:5.8.1:test
[INFO] |  \- org.junit.platform:junit-platform-engine:jar:1.8.1:test
[INFO] +- org.mockito:mockito-junit-jupiter:jar:4.1.0:test
[INFO] |  \- org.mockito:mockito-core:jar:4.1.0:test
[INFO] |     +- net.bytebuddy:byte-buddy:jar:1.12.1:test
[INFO] |     +- net.bytebuddy:byte-buddy-agent:jar:1.12.1:test
[INFO] |     \- org.objenesis:objenesis:jar:3.2:test
[INFO] +- org.assertj:assertj-core:jar:3.21.0:test
[INFO] \- io.github.hakky54:logcaptor:jar:2.7.2:test
[INFO]    +- ch.qos.logback:logback-classic:jar:1.2.1:test
[INFO]    |  \- ch.qos.logback:logback-core:jar:1.2.1:test
[INFO]    +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:test
[INFO]    |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:test
[INFO]    \- org.slf4j:jul-to-slf4j:jar:1.7.32:test

Everything within logcaptor is marked as a test scoped dependency, even the one which is causing this issue, org.apache.logging.log4j:log4j-to-slf4j. So those should be ignored.

What do you think of this behaviour? I have clearly set the scope to test and the issue is still present. Could it be something else?

Hakky54 avatar Nov 30 '21 16:11 Hakky54

No, that is indeed strange.

sydseter avatar Nov 30 '21 16:11 sydseter

Newcomer to the conversation: I would argue that the only Maven dependency scopes snyk need consider are runtime and, by extension, compile. I get false positives on provided dependencies all the time. I have just read that the team "does not encourage" outside contributors. Could someone elaborate on that? This issue is over a year old. Does the team instead recommend users eliminate false positives by post-processing test results ourselves?

mbenson avatar Jan 22 '22 15:01 mbenson

Bumping up what @mbenson asked. Java with maven here and I can't find any reasonable way (other than post-processing the results) to not consider the provided dependencies vulns.

szy54 avatar Jun 03 '22 12:06 szy54

After waiting for 2 years I decided to drop Snyk for my opensource projects. I don't expect that the maintainers will fix the issue soon. I also don't want to give false information to my end-users with the report provided by Snyk, so removing it altogether seems like a better solution than waiting for maybe another 2 years.

I like the product and the capability to provide a detailed report and a GitHub badge to provide basic information to the end user, but it is sad to see that these kinds of issue reports are not being picked up or fixed.

Hakky54 avatar Aug 12 '22 12:08 Hakky54