Excluded transitive dependency being flagged by Open Source Vulnerability

Our project has a parent pom that excludes some unused transitive dependencies (i.e. quality-measure-and-cohort-service/pom.xml at main · Alvearie/quality-measure-and-cohort-service · GitHub). However, the open source vulnerability scan is flagging these anyway (Sonatype Lift -- Console).

I thought this was because it was running each sub-module individually (instead of using the parent pom) but when I configured it to only have a .lift.toml file in the parent folder it still returned these results.

Any thoughts?

Thanks for filing this @jillrdoty. I’ll find someone to take a look at get back to you ASAP.

1 Like

Hi Jill, this is Ken from the Lift team.

We have identified the problem, and have a fix. We need to complete going through the review process to ensure everything is solid and then we will be able to make a release for you. My expectation is to have the fix deployed by the first half of next week.

Thank you for your patience!


Hi Jill,
I checked with the team and the Monday deployment should have a fix which resolves your issue. Can you let us know if it didn’t?