Component reported as vulnerable but I don't think it is due to constraints

We have a report from GitHub - odpi/egeria: Egeria core at Sonatype Lift -- Console

This shows that some of our components, for example, lineage-integrator-client, are dependent on openlineage-java 0.21.1. This is correct.

openlineage-java depends on snakeyaml 1.33.

Further, that particular component is reported as being vulnerable, including a CVSS 9.9 due to CVE-2022-1471, due to an issue with snakeyaml.

Still all correct.

HOWEVER, in our environment we opted to define dependency constraints in gradle which revise this transitive dependency to snakeyaml 2.0 (which is not vulnerable), and snakeyaml isn't directly showing in the report; presumably this is why.

Running a full dependency tree with gradle shows that in ALL cases our dependency constraint has been effective, i.e. 'org.yaml:snakeyaml:1.33 -> 2.0'.

SO… given all of this, why does our report show us as vulnerable? Does this mean other users of sonatype will see our component as having a 9.9 issue?

Hi Nigel, our data currently only supports implicating namespaces without considering classifiers. In the case of a maven dependency that means group/artifact/version. The openlineage-java 0.21.1 version has a standard jar but also has an all jar where all is considered the classifier. That jar is a shaded jar and thus does contain the vulnerable class files. Hopefully this helps explain why you’re seeing it reported in your results.
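The distinction the answer draws (a classifier jar that bundles the library's classes, which a Gradle constraint cannot upgrade) can be checked directly on the artifact. The following is an added example, not code from this thread or from the Egeria or OpenLineage projects: it opens a jar, looks for snakeyaml class files inside it, and reads the bundled version from the pom.properties that shade plugins usually carry over under META-INF/maven (that path is an assumption; some builds strip it). The two jars it inspects are constructed in memory as stand-ins for the plain and "all" artifacts.

```python
import io
import zipfile

# Marker packages: class-path prefix and the META-INF/maven pom.properties that a
# shade plugin normally copies across from the original artifact (assumed layout).
SHADE_MARKERS = {
    "snakeyaml": ("org/yaml/snakeyaml/", "META-INF/maven/org.yaml/snakeyaml/pom.properties"),
}


def find_shaded_packages(jar_bytes: bytes) -> dict:
    """Return {label: version or None} for every marker package whose classes are
    bundled inside the jar itself; a dependency constraint cannot change these."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        for label, (prefix, pom_props) in SHADE_MARKERS.items():
            if not any(n.startswith(prefix) and n.endswith(".class") for n in names):
                continue
            version = None
            if pom_props in names:
                for line in jar.read(pom_props).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            found[label] = version
    return found


def build_jar(entries: dict) -> bytes:
    """Build an in-memory jar (a zip file) from {entry_name: bytes}; used for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for the two artifacts in the thread: the plain jar only
# references snakeyaml (so the constraint to 2.0 applies), the "all" jar ships it.
PLAIN_JAR = build_jar({"io/openlineage/client/OpenLineage.class": b""})
ALL_JAR = build_jar({
    "io/openlineage/client/OpenLineage.class": b"",
    "org/yaml/snakeyaml/Yaml.class": b"",
    "META-INF/maven/org.yaml/snakeyaml/pom.properties": b"version=1.33\n",
})

if __name__ == "__main__":
    for name, jar in (("plain", PLAIN_JAR), ("all", ALL_JAR)):
        print(name, find_shaded_packages(jar) or "no bundled copies")
```

Run against a real jar by passing `open(path, "rb").read()` to `find_shaded_packages`; a non-empty result means the scanner is right to flag the artifact regardless of what `gradle dependencies` reports.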

Ah! I see. Thanks for the explanation. That’s really helpful.