Maven standard dependencies should take precedence over managed dependencies #1000
Conversation

Codecov Report
All modified and coverable lines are covered by tests ✅

Additional details and impacted files

@@ Coverage Diff @@
##             main    #1000      +/-   ##
==========================================
+ Coverage   64.94%   65.53%   +0.59%
==========================================
  Files         149      149
  Lines       12259     9518    -2741
==========================================
- Hits         7962     6238    -1724
+ Misses       3845     2827    -1018
- Partials      452      453       +1

☔ View full report in Codecov by Sentry.
Can you just check this against what I believe is the section of the docs I referred to when I did this?
I assume my mistake is in not understanding that what's being referred to is triggered in specific cases which are not true (most of the time at least) for the scanner when it's reading a pom, but would like to have that confirmed.
I think the dependency management in root pom.xml takes precedence over the dependencies in pom.xml of transitive dependencies. However, since we are only scanning the root pom.xml with direct dependencies only, dependencies take precedence over the managed dependencies, and this is also what
…dencies (google#1000) Managed dependencies are not real dependencies so they should not take precedence over standard dependencies. Dependency management is used to control the versions of artifacts used in transitive dependencies. https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Management Also, version requirements in managed dependencies are only referred when the requirement is not defined for that dependency in standard dependencies section.
Managed dependencies are not real dependencies so they should not take precedence over standard dependencies.
Dependency management is used to control the versions of artifacts used in transitive dependencies. https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Management
Also, version requirements in managed dependencies are only referred to when the requirement is not defined for that dependency in the standard dependencies section.
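The precedence rule described above, written out as a small Go program. This is an added example, not code from this pull request or from the scanner's own Maven parser: it parses a constructed pom.xml (the `com.example` coordinates and version numbers are made up), keeps only the two sections that matter, and resolves each direct dependency's version so that a scanner matches advisories against the version that Maven would actually build with. An explicitly declared version wins, a managed version fills in only when the dependency omits its own, artifacts that appear solely under dependencyManagement are not dependencies and are left out, and a dependency with no version anywhere is reported as an error rather than silently guessed.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Dependency mirrors one <dependency> element. Version is empty when the
// POM omits it and expects dependencyManagement to supply it.
type Dependency struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
}

// project picks out only the two sections relevant to version precedence.
type project struct {
	Managed []Dependency `xml:"dependencyManagement>dependencies>dependency"`
	Direct  []Dependency `xml:"dependencies>dependency"`
}

// samplePOM is a constructed example; the coordinates and versions are made up.
const samplePOM = `<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example</groupId>
        <artifactId>lib-a</artifactId>
        <version>1.0.0</version>
      </dependency>
      <dependency>
        <groupId>com.example</groupId>
        <artifactId>lib-b</artifactId>
        <version>2.0.0</version>
      </dependency>
      <dependency>
        <groupId>com.example</groupId>
        <artifactId>lib-c</artifactId>
        <version>3.0.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <!-- explicit version: wins over the managed 1.0.0 -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>lib-a</artifactId>
      <version>1.5.0</version>
    </dependency>
    <!-- no version: falls back to the managed 2.0.0 -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>lib-b</artifactId>
    </dependency>
  </dependencies>
</project>`

// key builds the groupId:artifactId coordinate used to match a direct
// dependency against its managed entry.
func key(d Dependency) string { return d.GroupID + ":" + d.ArtifactID }

// ResolveVersions returns the version of every direct dependency in the POM.
// A version written on the dependency itself always wins; the managed version
// is consulted only when the dependency omits its own. Artifacts that exist
// solely in dependencyManagement are not dependencies and are not returned.
// A direct dependency with no version in either place is an error.
func ResolveVersions(pom string) (map[string]string, error) {
	var p project
	if err := xml.Unmarshal([]byte(pom), &p); err != nil {
		return nil, fmt.Errorf("parse pom: %w", err)
	}
	managed := make(map[string]string, len(p.Managed))
	for _, m := range p.Managed {
		managed[key(m)] = m.Version
	}
	resolved := make(map[string]string, len(p.Direct))
	for _, d := range p.Direct {
		k := key(d)
		switch {
		case d.Version != "":
			resolved[k] = d.Version
		case managed[k] != "":
			resolved[k] = managed[k]
		default:
			return nil, fmt.Errorf("%s: no version in <dependencies> or <dependencyManagement>", k)
		}
	}
	return resolved, nil
}

func main() {
	resolved, err := ResolveVersions(samplePOM)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for k, v := range resolved {
		fmt.Printf("%s -> %s\n", k, v)
	}
}
```

Running it on the embedded POM yields lib-a at 1.5.0 and lib-b at 2.0.0, and no entry for lib-c. Version ranges, property interpolation and parent POM inheritance are deliberately outside this example; the point is only the order in which the two sections are consulted.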