Sonatype scan shows Dependency-older-than-10-years


I am new to Nexus IQ issues. I am getting "Dependency-older-than-10-years" constraints when Nexus IQ by Sonatype scans the components below.

Component names:

antlr : antlr : 2.7.7

javax.xml : jaxp-api : 1.4.2

org.codehaus.jettison : jettison : 1.2

org.json : json : 20080701

I haven't mentioned any of the above dependencies in pom.xml explicitly. Also, the JSON version is not mentioned anywhere in the application.


Best answer:

As the issue description says, the dependencies are older than 10 years. For example, org.json : json : 20080701 is from the year 2008. You should update them to newer versions.

Edit:

Run mvn dependency:tree to find out the parent of these dependencies. Then you have to choose between a few solutions, in order of decreasing preference:

  1. Update the version of the parent (assuming that the newer parent version would use newer versions of the child dependencies).

  2. If #1 is not possible for you, directly add newer versions of these offending dependencies (assuming the parent dependencies are compatible with these newer versions).

In either case, you would have to test your application thoroughly (which should be easy if the application already has good unit tests).

Other answer:

If you are not able to see these dependencies directly in your pom, then go to your dependency hierarchy and you can see them in your resolved dependencies. Then you can identify which ones are causing the issue and resolve them by changing the parent dependency version.
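As an added illustration of the procedure both answers describe (this is not code from either answerer): the command in the comment lists only the branches of the dependency tree that lead to the flagged artifacts, so the direct dependency pulling them in is visible, and the dependencyManagement entry pins a transitive artifact to a newer release when updating that direct dependency is not an option. NEWER_JSON_VERSION is a placeholder, since the thread does not name a replacement release.

```xml
<!-- Step 1 (typed in a shell, not part of the POM):
       mvn dependency:tree -Dincludes=org.json:json,antlr:antlr
     The includes filter prints only the paths that end in the listed
     artifacts; the top-level node on each path is the direct dependency
     whose version you should try to raise first. -->

<!-- Step 2, only if the direct dependency cannot be upgraded: a version
     declared in dependencyManagement overrides the version that transitive
     resolution would otherwise pick, so the old 20080701 release is no
     longer on the classpath. Re-run the Nexus IQ scan and the test suite
     afterwards, since the new release may not be API compatible. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.json</groupId>
      <artifactId>json</artifactId>
      <!-- placeholder: replace with the current release on Maven Central -->
      <version>NEWER_JSON_VERSION</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

The same pattern applies to antlr:antlr, javax.xml:jaxp-api and org.codehaus.jettison:jettison; each pinned artifact gets its own dependency element inside the same dependencyManagement block.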