It's a transitive dependency of scaladoc for Scala 3. scaladoc:3.1.2 depends on jackson-dataformat-yaml:2.12.1 which depends on jackson-databind:2.12.1.
sbt-dependency-submission exports all your dependencies, your Compile and Test dependencies, but also your ScalaTools dependencies: the Scala instance that sbt needs to compile your code and generate the documentation. Those ScalaTools dependencies are declared as development dependencies by sbt-dependency-submission but that does not show up in the Github Dependency View nor in the Dependabot report. They do not show the parent node(s) of the vulnerable dependency either. So it makes it hard to understand where those dependencies come from and how to fix the vulnerability.
I am closing this issue because there already is a similar discussion in #49.
For those who want to filter out those ScalaTools dependencies: I am thinking of adding a configuration-ignore input, but I did not have the time to look into it yet.
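As an added example (not part of this issue or of sbt-dependency-submission), the script below reads a dependency-submission snapshot and walks the parent chain of a flagged package, which is the information the Dependabot view omits. The snapshot is a constructed subset of GitHub's dependency submission format modelled on the scaladoc chain described above; `node`, `parents_of` and `explain` are my own names.

```python
"""Trace where a flagged package in a dependency-submission snapshot comes from."""


def node(purl, relationship, scope, *deps):
    """One entry of a manifest's "resolved" map in the submission API shape."""
    return {"package_url": purl, "relationship": relationship,
            "scope": scope, "dependencies": list(deps)}


# Package URLs for the chain stated in the issue (scaladoc 3.1.2 -> yaml 2.12.1
# -> databind 2.12.1) beside the project's own pinned databind.
SCALADOC = "pkg:maven/org.scala-lang/scaladoc_3@3.1.2"
YAML = "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.12.1"
DATABIND_OLD = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.1"
DATABIND_NEW = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2"

# Constructed snapshot subset; a real one is what the action uploads to GitHub.
SNAPSHOT = {"manifests": {"build.sbt": {"name": "build.sbt", "resolved": {
    SCALADOC: node(SCALADOC, "direct", "development", YAML),
    YAML: node(YAML, "indirect", "development", DATABIND_OLD),
    DATABIND_OLD: node(DATABIND_OLD, "indirect", "development"),
    DATABIND_NEW: node(DATABIND_NEW, "direct", "runtime"),
}}}}


def parents_of(snapshot):
    """Reverse the 'dependencies' edges: child purl -> set of parent purls."""
    rev = {}
    for manifest in snapshot["manifests"].values():
        for purl, entry in manifest["resolved"].items():
            for child in entry.get("dependencies", []):
                rev.setdefault(child, set()).add(purl)
    return rev


def explain(snapshot, name):
    """Return (purl, scope, relationship, chain) for each resolved package whose
    purl contains `name`; chain runs from the nearest direct dependency down to
    the package, so a development-only (ScalaTools) origin is visible."""
    rev = parents_of(snapshot)
    out = []
    for manifest in snapshot["manifests"].values():
        for purl, entry in manifest["resolved"].items():
            if name not in purl:
                continue
            chain, cur, seen = [purl], purl, {purl}
            while cur in rev:
                cur = sorted(rev[cur])[0]  # pick one parent deterministically
                if cur in seen:
                    break
                seen.add(cur)
                chain.append(cur)
            out.append((purl, entry["scope"], entry["relationship"], chain[::-1]))
    return out
```

Running `explain(SNAPSHOT, "jackson-databind")` shows the 2.12.1 copy as a development-scope transitive of scaladoc while 2.13.4.2 is the project's own runtime dependency, which is exactly the distinction the alert does not make.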
Hi everyone,
Not sure it's the best place to report this issue but I give it a try anyway.
I installed this GH Action on one of our repos (see https://github.com/conduktor/zio-kafka/blob/cdk-master/.github/workflows/dependency-graph.yml) and the report is telling me that I have a vulnerable version of jackson-databind (see https://github.com/conduktor/zio-kafka/security/dependabot/21), which doesn't seem to be correct as we're using v2.13.4.2 (see https://github.com/conduktor/zio-kafka/blob/cdk-master/build.sbt#L96), which is a version above the recommended version (2.13.4.1). Any idea of why? 🤔
Jules