[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré updated KARAF-4306:
----------------------------------------

    Fix Version/s: 4.0.9
                       (was: 4.0.8)

> karaf-maven-plugin is not assembling the correct version of dependencies
> ------------------------------------------------------------------------
>
>                 Key: KARAF-4306
>                 URL: https://issues.apache.org/jira/browse/KARAF-4306
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf-tooling
>    Affects Versions: 4.0.4
>            Reporter: Raman Gupta
>            Assignee: Jean-Baptiste Onofré
>             Fix For: 4.1.0, 4.0.9
>
>
> This is similar to KARAF-3994.
> I see that the commit for that issue added the following TODO:
> * TODO Need to also check for version ranges. Currently ranges are ignored and all features matching the name
> I have a similar problem -- the generated system repo contains all versions of a feature that is matched by a range, not just the highest one that fulfills all of the requirements of the boot features. This is an issue because the generated repo may contain older (or newer) versions of libraries that have CVEs against them, which is then flagged by ops.
> For example:
> My feature depends on spring-dm which depends on spring range [2.5.6,4). At runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains Spring 3.1.4 (as well as three versions of Spring 4), all of which are defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs against it, so the system is flagged by ops as using jars with security problems (even though those jars are not actually used by the app).
> Shouldn't the Builder apply the same resolution logic as is used by Karaf itself, and assemble only those jars?

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
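The selection the reporter asks for, shown as an added example in Python rather than the plugin's Java (this is not code from the issue or from Karaf): OSGi version-range matching applied to the feature versions a repository defines, with the name-only behaviour the TODO describes beside the range-aware pick of the single highest version. The version list is constructed sample data; the 4.x values are placeholders, since the issue only says "three versions of Spring 4".

```python
import re
from typing import List, Optional, Tuple

def parse_version(text: str) -> Tuple[int, int, int, str]:
    """Parse an OSGi version 'major[.minor[.micro[.qualifier]]]'; missing
    numeric parts default to 0 and a missing qualifier to ''."""
    parts = text.strip().split(".", 3)
    numeric = [int(p) for p in parts[:3]] + [0] * (3 - min(len(parts), 3))
    qualifier = parts[3] if len(parts) > 3 else ""
    return numeric[0], numeric[1], numeric[2], qualifier

# '[' or '(' , low version , ',' , high version , ']' or ')'
_RANGE = re.compile(r"^([\[(])\s*([^,\s]+)\s*,\s*([^\]),\s]+)\s*([\])])$")

def in_range(version: str, version_range: str) -> bool:
    """True if 'version' satisfies an OSGi range such as '[2.5.6,4)'.
    A bare version (no brackets) means 'that version or higher'."""
    v, m = parse_version(version), _RANGE.match(version_range.strip())
    if m is None:
        return v >= parse_version(version_range)
    low, high = parse_version(m.group(2)), parse_version(m.group(3))
    above_low = v > low or (m.group(1) == "[" and v == low)
    below_high = v < high or (m.group(4) == "]" and v == high)
    return above_low and below_high

def assembled_by_name_only(available: List[str], version_range: str) -> List[str]:
    """What the issue describes: the range is ignored, so every feature that
    matches the name ends up in the generated system repository."""
    return list(available)

def matching_versions(available: List[str], version_range: str) -> List[str]:
    """Every available version that actually satisfies the range."""
    return [v for v in available if in_range(v, version_range)]

def select_version(available: List[str], version_range: str) -> Optional[str]:
    """The one version Karaf's resolver would use at runtime: the highest
    inside the range, or None when nothing satisfies it."""
    matches = matching_versions(available, version_range)
    return max(matches, key=parse_version) if matches else None

# Constructed sample data: 'spring' versions a Karaf Spring repository might
# define (the 4.x values are placeholders, not from the issue) and spring-dm's range.
SPRING_REPO_VERSIONS = ["3.1.4", "4.0.9", "3.2.14", "4.1.7", "4.2.4"]
SPRING_DM_RANGE = "[2.5.6,4)"

if __name__ == "__main__":
    print("assembled today  :", assembled_by_name_only(SPRING_REPO_VERSIONS, SPRING_DM_RANGE))
    print("inside the range :", matching_versions(SPRING_REPO_VERSIONS, SPRING_DM_RANGE))
    print("runtime would use:", select_version(SPRING_REPO_VERSIONS, SPRING_DM_RANGE))
```

Only the artefacts that `select_version` returns need to land in the system repository; everything else the name-only walk collects is dead weight that still shows up in a CVE scan.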