Excluded transitive dependency being flagged by Open Source Vulnerability

Our project has a parent pom that excludes some unused transitive dependencies (i.e. quality-measure-and-cohort-service/pom.xml at main · Alvearie/quality-measure-and-cohort-service · GitHub). However, the open source vulnerability scan is flagging these anyway (Sonatype Lift -- Console).

I thought this was because it was running each sub-module individually (instead of using the parent pom) but when I configured it to only have a .lift.toml file in the parent folder it still returned these results.

Any thoughts?

Thanks for filing this @jillrdoty. I’ll find someone to take a look at get back to you ASAP.

1 Like