Issues with vulnerabilities on transitive dependencies

Dear Sonatype team.

Working with the ONAP organization, it was noticed that few false positives were detected in one component’s transitive dependencies which shouldn’t have been marked as threats

The report in question is: IQ Server - Management
And the marked threats are:

· log4j-core-2.11.1.jar located at sdnr/wt/common/target/elasticsearch0/lib

· log4j-core-2.11.1.jar located at sdnr/wt/data-provider/provider/target/elasticsearch0/lib

· log4j-core-2.11.1.jar located at sdnr/wt/data-provider/setup/target/elasticsearch0/lib

Those specific directories aren’t part of the onap-ccsdk-features docker images : they’re actually created as part of unit testing, and are not included in the deployed artifacts.

The repo was checked using the maven “dependency:tree” command , which dumps all the various nested dependencies for our code and verified that there are no dependencies on log4j-core. The docker images were checked to verify that log4j-core version 2.11.1 is not installed. onap-ccsdk-features installs pax-logging version 2.0.14, which embeds log4j-core version 2.17.1.

Could someone please help us investigating this?

Thanks so much!

Hi Andrew,

Thank you for the question. For IQ to be as accurate as the maven dependency:tree command, one needs to use the CLM for Maven plugin. The plugin can do an IQ evaluation on its own or combined with other Nexus IQ plugins. To evaluate on its own, use the evaluate goal. To integrate with other plugins, use the index goal.

For more info, please refer to Sonatype CLM for Maven.

Kind Regards,
Jim Wilcox
Product Manager

1 Like

Thank you Jim!

We are actually using: $MVN $MAVEN_GOALS dependency:tree com.sonatype.clm:clm-maven-plugin:index

Do both evaluate and index goals detect vulnerabilities in transitive dependencies. We are actually looking to avoid those being flagged is possible.


Hi Jim,

Could you please help us commenting on my reply above?

How can we avoid transitive dependencies from appearing in our reports?

Thanks so much!

What is the use-case to avoid vulnerabilities in transitive dependencies?

You can modify your policies to exclude transitive dependencies.

Sounds like you might want to just exclude those components from your scan though.

Thanks for your reply Chris, the use case is the one mentioned in the beginning of the thread where we have a module called onap-ccsdk-features which pulls dependencies outside this repo which are flagged as log4j threats.

The solution you mentioned might work for us. Let me test it

Thank you so much!

1 Like