Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Not A Problem
-
4.0.4
-
None
-
None
Description
This is similar to KARAF-3994.
I see that the commit for that issue added the following TODO:
- TODO Need to also check for version ranges. Currently ranges are ignored and all features matching the name
I have a similar problem – the generated system repo contains all versions of a feature that is matched by a range, not just the highest one that fulfills all of the requirements of the boot features. This is an issue because the generated repo may contain older (or newer) versions of libraries that have CVEs against them, which is then flagged by ops.
For example:
My feature depends on spring-dm which depends on spring range [2.5.6,4). At runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains Spring 3.1.4 (as well as three versions of Spring 4), all of which are defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs against it, so the system is flagged by ops as using jars with security problems (even though those jars are not actually used by the app).
Shouldn't the Builder apply the same resolution logic as is used by Karaf itself, and assemble only those jars?
Attachments
Issue Links
- relates to
-
-
- Resolved
-
-
-
- Resolved
-