Demonstrates how, under a specific dependency setup, both Snyk and the Maven Dependency Plugin fail to report a dependency that ends up in the final WAR file.
This repository is a multi-module Maven project, `dependency-resolution`, composed of 2 modules:

- `resolution-error`: contains the final WAR project, where the dependency is added to the final artefact but is not detected by Snyk or the Maven Dependency Plugin.
- `transitive-dependency`: needed to include the dependency transitively, so that it is ignored by the other tools but not by the Maven WAR Plugin.
- Go to the root of the project and run:

  ```sh
  mvn clean install
  ```

- Run Snyk; it reports no vulnerability, even though a vulnerable version of `snakeyaml-1.30.jar` is included in the final WAR:

  ```sh
  snyk test --file=resolution-error/pom.xml
  ```

- Run the Maven Dependency Plugin to list the runtime dependencies and filter for the expected dependency; it is not present:

  ```sh
  mvn dependency:tree -Dscope=runtime -pl resolution-error | grep snakeyaml
  ```

- List the dependencies included in the final WAR and filter for the expected dependency; it is present:

  ```sh
  ls resolution-error/target/resolution-error-1.0-SNAPSHOT/WEB-INF/lib/ | grep snakeyaml
  ```
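Added example, not part of this repository: a POSIX shell check that maps `dependency:tree` output to the jar file names Maven would package and reports every jar in `WEB-INF/lib` that the tree never listed, so the gap shown in the steps above can be caught automatically after a build. The tree output and directory listing below are constructed samples, and the `com.example` groupId is an assumption.

```shell
# Constructed sample of `mvn dependency:tree -Dscope=runtime -pl resolution-error` output
# (groupId com.example is assumed; snakeyaml is deliberately absent, as in the steps above).
TREE_SAMPLE='[INFO] ------------------------------------------------------------------------
[INFO] com.example:resolution-error:war:1.0-SNAPSHOT
[INFO] \- com.example:transitive-dependency:jar:1.0-SNAPSHOT:compile
[INFO]    \- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] BUILD SUCCESS'

# Constructed sample of `ls resolution-error/target/resolution-error-1.0-SNAPSHOT/WEB-INF/lib/`
LIB_SAMPLE='commons-lang3-3.12.0.jar
snakeyaml-1.30.jar
transitive-dependency-1.0-SNAPSHOT.jar'

# Map each dependency:tree line to the jar file name Maven would copy into WEB-INF/lib.
# Coordinates are group:artifact:type:version:scope, or with a classifier inserted
# before the version; only type "jar" is kept, so the WAR root line is skipped.
tree_jars() {
  printf '%s\n' "$1" | awk '/^\[INFO\]/ {
    n = split($NF, p, ":")
    if (p[3] != "jar") next
    if (n == 5) print p[2] "-" p[4] ".jar"
    else if (n == 6) print p[2] "-" p[5] "-" p[4] ".jar"
  }' | sort -u
}

# Print every jar in the WEB-INF/lib listing ($2) that the dependency tree ($1) never listed.
undeclared_jars() {
  known="$(tree_jars "$1")"
  printf '%s\n' "$2" | grep '\.jar$' |
    awk -v known="$known" 'BEGIN { n = split(known, k, "\n"); for (i = 1; i <= n; i++) seen[k[i]] = 1 }
                           !($0 in seen)'
}

# Sample run; after a real build, feed it the output of the two commands from the steps above:
#   undeclared_jars "$(mvn dependency:tree -Dscope=runtime -pl resolution-error)" \
#                   "$(ls resolution-error/target/resolution-error-1.0-SNAPSHOT/WEB-INF/lib/)"
undeclared_jars "$TREE_SAMPLE" "$LIB_SAMPLE"   # prints: snakeyaml-1.30.jar
```

A non-empty result means the packaged WAR carries jars the dependency scan never saw; those are exactly the ones a tool working from the tree (Snyk here) cannot check.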