Tracing Maven transitive dependencies
Sometimes you might get a stray security alert for a Maven project. For example, my own Atlassian plugin, https://bitbucket.org/declarativesystems/puppet_deploy_bitbucket/, was recently flagged on the Atlassian Marketplace for CVE-2022-22965.
This turned out to be due to a transitive dependency on spring-beans, which we can prove by testing a couple of scenarios.
The app doesn't ship org.springframework:spring-beans as part of its .jar file:
$ jar -tf target/puppetdeploy-2.0.1.jar |grep spring
META-INF/spring/
META-INF/spring/plugin-context.xml
The dependency on org.springframework:spring-beans is of scope provided and is due to a dependency on Bitbucket itself, e.g.:
<dependency>
    <groupId>com.atlassian.bitbucket.server</groupId>
    <artifactId>bitbucket-parent</artifactId>
    <version>${bitbucket.version}</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>
and
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-beans</artifactId>
    <scope>provided</scope>
</dependency>
bitbucket.version is set to 7.1.1 in the latest plugin release, and this version of Bitbucket results in org.springframework:spring-beans 5.2.3.RELEASE:
$ mvn dependency:tree -Dincludes=org.springframework:spring-beans
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Puppet Deploy for Bitbucket Server 2.0.2
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ puppetdeploy ---
[INFO] com.declarativesystems.bitbucket:puppetdeploy:atlassian-plugin:2.0.2
[INFO] \- org.springframework:spring-beans:jar:5.2.3.RELEASE:provided
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.616 s
[INFO] Finished at: 2022-07-22T10:26:59+10:00
[INFO] Final Memory: 29M/128M
[INFO] ------------------------------------------------------------------------
This is proved by setting bitbucket.version to 7.21.3, which updates the dependency:
$ mvn dependency:tree -Dincludes=org.springframework:spring-beans
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Puppet Deploy for Bitbucket Server 2.0.2
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ puppetdeploy ---
[INFO] com.declarativesystems.bitbucket:puppetdeploy:atlassian-plugin:2.0.2
[INFO] \- org.springframework:spring-beans:jar:5.3.20:provided
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.725 s
[INFO] Finished at: 2022-07-22T10:25:03+10:00
[INFO] Final Memory: 31M/120M
[INFO] ------------------------------------------------------------------------
In this case, the fix would be to update Bitbucket itself.
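As an added example (not code from the original post), here is a small Python script that reads mvn dependency:tree output like the listings above, pulls out the resolved spring-beans version and scope, and checks the version against the CVE-2022-22965 fix versions (5.2.20.RELEASE on the 5.2 branch, 5.3.18 on the 5.3 branch). The two sample tree outputs are constructed from the listings above; the check is deliberately limited to that one artifact and CVE.

```python
import re

# Constructed sample input: the relevant lines of
# `mvn dependency:tree -Dincludes=org.springframework:spring-beans`
# for bitbucket.version 7.1.1 and 7.21.3 respectively.
TREE_OLD = """[INFO] com.declarativesystems.bitbucket:puppetdeploy:atlassian-plugin:2.0.2
[INFO] \\- org.springframework:spring-beans:jar:5.2.3.RELEASE:provided
"""
TREE_NEW = """[INFO] com.declarativesystems.bitbucket:puppetdeploy:atlassian-plugin:2.0.2
[INFO] \\- org.springframework:spring-beans:jar:5.3.20:provided
"""

# First patched version per supported branch for CVE-2022-22965
# (Spring Framework 5.2.20.RELEASE and 5.3.18).
FIXED = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}

# A dependency line: tree drawing characters, then group:artifact:type:version:scope.
# (Lines carrying a classifier, group:artifact:type:classifier:version:scope, are not handled.)
LINE_RE = re.compile(
    r"^\[INFO\] [|\\+\- ]*"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+):"
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)\s*$"
)


def find_artifact(tree_output, group, artifact):
    """Return (version, scope) for group:artifact, or None if not in the tree."""
    for line in tree_output.splitlines():
        m = LINE_RE.match(line)
        if m and m["group"] == group and m["artifact"] == artifact:
            return m["version"], m["scope"]
    return None


def version_tuple(version):
    """'5.2.3.RELEASE' -> (5, 2, 3); non-numeric qualifiers are dropped."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def affected_by_cve_2022_22965(version):
    """True when the version is older than the fix on its branch (or on an unfixed, pre-5.2 branch)."""
    v = version_tuple(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return v < (5, 2)
    return v < fixed


def assess(tree_output):
    """Summarise the spring-beans dependency: version, scope, whether it is packaged, and CVE status."""
    found = find_artifact(tree_output, "org.springframework", "spring-beans")
    if found is None:
        return {"present": False}
    version, scope = found
    return {"present": True, "version": version, "scope": scope,
            # provided and test scope dependencies are not packaged into the plugin jar
            "shipped_in_jar": scope not in ("provided", "test"),
            "affected": affected_by_cve_2022_22965(version)}
```

Run assess() on the captured output of the real command to get the same summary for your own build.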