There's a dependency called jsoup version 1.8.3 which is getting bundled in my jar, but it doesn't show up when I run the mvn dependency:tree command. Below is my POM.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>com.company.product</groupId>
    <artifactId>product</artifactId>
    <version>3.1.40.0.1-SNAPSHOT</version>
  </parent>
  <artifactId>product-collector</artifactId>
  <name>product-collector</name>
  <description>Factory Automation Collector for Manufacturer</description>
  <packaging>war</packaging>
  <properties>
    <version.thorntail>2.7.0.Final</version.thorntail>
    <collector-installer-path>/opt/company/Collector/Installer/</collector-installer-path>
  </properties>
  <dependencies>
    <dependency>
      <groupId>io.thorntail</groupId>
      <artifactId>jaxrs</artifactId>
      <version>${version.thorntail}</version>
    </dependency>
    <dependency>
      <groupId>io.thorntail</groupId>
      <artifactId>management</artifactId>
      <version>${version.thorntail}</version>
    </dependency>
    <dependency>
      <groupId>io.thorntail</groupId>
      <artifactId>ejb</artifactId>
      <version>${version.thorntail}</version>
    </dependency>
    <dependency>
      <groupId>joda-time</groupId>
      <artifactId>joda-time</artifactId>
      <version>2.12.2</version>
    </dependency>
    <dependency>
      <groupId>javax</groupId>
      <artifactId>javaee-api</artifactId>
      <version>8.0.1</version>
    </dependency>
    <dependency>
      <groupId>org.jboss.resteasy</groupId>
      <artifactId>resteasy-client</artifactId>
      <version>3.6.2.Final</version>
    </dependency>
    <dependency>
      <groupId>org.keycloak</groupId>
      <artifactId>keycloak-admin-client</artifactId>
      <version>4.0.0.Final</version>
    </dependency>
    <dependency>
      <groupId>org.keycloak</groupId>
      <artifactId>keycloak-authz-client</artifactId>
      <version>4.0.0.Final</version>
    </dependency>
    <dependency>
      <groupId>org.jboss.resteasy</groupId>
      <artifactId>resteasy-multipart-provider</artifactId>
      <version>${version.resteasy}</version>
    </dependency>
    <dependency>
      <groupId>org.jboss.resteasy</groupId>
      <artifactId>resteasy-jackson2-provider</artifactId>
      <version>${version.resteasy}</version>
    </dependency>
    <dependency>
      <groupId>com.googlecode.json-simple</groupId>
      <artifactId>json-simple</artifactId>
      <version>1.1.1</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/com.github.fge/json-schema-core -->
    <dependency>
      <groupId>com.github.fge</groupId>
      <artifactId>json-schema-core</artifactId>
      <version>1.2.5</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/com.github.fge/json-schema-validator -->
    <dependency>
      <groupId>com.github.fge</groupId>
      <artifactId>json-schema-validator</artifactId>
      <version>2.2.6</version>
    </dependency>
  </dependencies>
  <build>
    <finalName>collector</finalName>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-war-plugin</artifactId>
        <version>2.6</version>
        <configuration>
          <failOnMissingWebXml>false</failOnMissingWebXml>
        </configuration>
      </plugin>
      <plugin>
        <groupId>io.thorntail</groupId>
        <artifactId>thorntail-maven-plugin</artifactId>
        <version>${version.thorntail}</version>
        <executions>
          <execution>
            <goals>
              <goal>package</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-resources-plugin</artifactId>
        <version>2.5</version>
        <executions>
          <execution>
            <id>copy-resources-productInstaller</id>
            <phase>pre-integration-test</phase>
            <goals>
              <goal>copy-resources</goal>
            </goals>
            <configuration>
              <outputDirectory>${project.build.directory}/collectorInstallerArchive</outputDirectory>
              <resources>
                <resource>
                  <directory>../product-core-parent/product-webservice/src/main/resources</directory>
                  <filtering>false</filtering>
                  <includes>
                    <include>config.properties</include>
                  </includes>
                </resource>
                <resource>
                  <directory>./src/main/resources/installer/</directory>
                  <filtering>false</filtering>
                </resource>
                <resource>
                  <directory>../product-installer/src/main/productInstallerArchive</directory>
                  <filtering>false</filtering>
                  <includes>
                    <include>dockerpull_aws.sh</include>
                    <include>dockerpull_nexus.sh</include>
                    <include>dockercleanup.sh</include>
                  </includes>
                </resource>
              </resources>
            </configuration>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-antrun-plugin</artifactId>
        <version>1.8</version>
        <executions>
          <execution>
            <id>copy-scripts</id>
            <phase>pre-integration-test</phase>
            <configuration>
              <target>
                <chmod file="target/collectorInstallerArchive/*.sh"
                       perm="755" />
              </target>
            </configuration>
            <goals>
              <goal>run</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>com.github.hazendaz.maven</groupId>
        <artifactId>makeself-maven-plugin</artifactId>
        <version>1.0.0.beta6</version>
        <configuration>
          <archiveDir>collectorInstallerArchive/</archiveDir>
          <fileName>collector-installer.bin</fileName>
          <label>Distro Self Extraction</label>
          <startupScript>./collector-installer.sh</startupScript>
        </configuration>
        <executions>
          <execution>
            <id>makeself</id>
            <phase>post-integration-test</phase>
            <goals>
              <goal>makeself</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  <profiles>
    <profile>
      <id>collectorDocker</id>
      <build>
        <plugins>
          <plugin>
            <groupId>io.fabric8</groupId>
            <artifactId>docker-maven-plugin</artifactId>
            <version>0.28.0</version>
            <configuration>
              <images>
                <image>
                  <name>product-collector</name>
                  <build>
                    <dockerFileDir>${project.basedir}/src/main/resources</dockerFileDir>
                    <assembly>
                      <inline>
                        <files>
                          <file>
                            <source>./target/collector-thorntail.jar</source>
                            <outputDirectory>${collector-installer-path}</outputDirectory>
                          </file>
                          <file>
                            <source>../product-core-parent/product-webservice/src/main/resources/config.properties</source>
                            <outputDirectory>${collector-installer-path}</outputDirectory>
                          </file>
                        </files>
                      </inline>
                    </assembly>
                  </build>
                </image>
              </images>
            </configuration>
            <executions>
              <execution>
                <phase>install</phase>
                <goals>
                  <goal>build</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
When the dependency tree didn't help, I started excluding dependencies one by one to check which dependency is bringing in jsoup. I found that the ejb artifact of the io.thorntail dependency is bringing it. I then tried excluding jsoup from the ejb dependency by using the exclusion tag:
<dependency>
  <groupId>io.thorntail</groupId>
  <artifactId>ejb</artifactId>
  <version>${version.thorntail}</version>
  <exclusions>
    <exclusion>
      <groupId>org.jsoup</groupId>
      <artifactId>jsoup</artifactId>
    </exclusion>
  </exclusions>
</dependency>
but it is still included in collector-thorntail.jar in the target folder at this path: product-collector/target/collector-thorntail.jar/m2Repo/org/jsoup/jsoup/1.8.3/jsoup-1.8.3.jar
How do I exclude this jsoup dependency from my project, as it is showing a vulnerability in the Black Duck scan?
I tried excluding it using the exclusion tag in POM.xml, but it is still being bundled in the jar.
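The gap described in the question (a scanner flags a library that the build's own dependency tree never lists) can be found mechanically rather than by excluding dependencies one at a time. The script below is an added example, not code from the question or from Thorntail: it opens the uber-jar as a zip, parses the Maven coordinates of every nested jar under the `m2repo/` directory (the layout the question's quoted path follows, `m2repo/<group path>/<artifact>/<version>/<artifact>-<version>.jar`), parses saved `mvn dependency:tree` output, and reports everything that ships in the jar but is absent from the tree. The sample uber-jar and tree listing are constructed inline so it runs offline; pass a real jar path and a tree file on the command line to run it against an actual build.

```python
"""Diff what an uber-jar actually ships against what `mvn dependency:tree` declares.

Added example, not from the question. Assumptions:
- nested libraries sit under m2repo/ laid out like a Maven repository;
- the "declared" side is plain text saved from `mvn dependency:tree`.
"""
import io
import re
import sys
import zipfile

M2REPO_PREFIX = "m2repo/"

# A dependency:tree line looks like:
#   [INFO] +- org.jboss.resteasy:resteasy-client:jar:3.6.2.Final:compile
# groups: (groupId, artifactId, version); an optional classifier between
# "jar" and the version is tolerated but not captured.
TREE_LINE = re.compile(r"([\w.\-]+):([\w.\-]+):jar(?::[\w\-]+)?:([\w.\-]+):\w+")


def bundled_coordinates(jar_bytes):
    """Return the set of (group, artifact, version) for every .jar under m2repo/."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith(M2REPO_PREFIX) or not name.endswith(".jar"):
                continue
            parts = name[len(M2REPO_PREFIX):].split("/")
            # .../<group segments>/<artifact>/<version>/<file>.jar needs >= 4 segments
            if len(parts) < 4:
                continue
            artifact, version = parts[-3], parts[-2]
            group = ".".join(parts[:-3])  # directory segments become the dotted groupId
            found.add((group, artifact, version))
    return found


def declared_coordinates(tree_text):
    """Return the set of (group, artifact, version) named in dependency:tree output."""
    return set(TREE_LINE.findall(tree_text))


def undeclared_bundled(jar_bytes, tree_text):
    """Coordinates that ship inside the jar but never appear in the dependency tree."""
    return sorted(bundled_coordinates(jar_bytes) - declared_coordinates(tree_text))


def build_sample_jar():
    """Construct a tiny stand-in for collector-thorntail.jar (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for path in (
            "m2repo/org/jsoup/jsoup/1.8.3/jsoup-1.8.3.jar",
            "m2repo/org/jsoup/jsoup/1.8.3/jsoup-1.8.3.pom",  # not a jar, ignored
            "m2repo/joda-time/joda-time/2.12.2/joda-time-2.12.2.jar",
            "m2repo/org/jboss/resteasy/resteasy-client/3.6.2.Final/resteasy-client-3.6.2.Final.jar",
        ):
            zf.writestr(path, b"placeholder jar bytes")
    return buf.getvalue()


# Constructed dependency:tree output; note jsoup is absent, as in the question.
SAMPLE_TREE = """\
[INFO] com.company.product:product-collector:war:3.1.40.0.1-SNAPSHOT
[INFO] +- joda-time:joda-time:jar:2.12.2:compile
[INFO] +- org.jboss.resteasy:resteasy-client:jar:3.6.2.Final:compile
"""


def main(argv):
    if len(argv) == 3:
        with open(argv[1], "rb") as f:
            jar_bytes = f.read()
        with open(argv[2], encoding="utf-8") as f:
            tree_text = f.read()
    else:
        jar_bytes, tree_text = build_sample_jar(), SAMPLE_TREE
    missing = undeclared_bundled(jar_bytes, tree_text)
    for group, artifact, version in missing:
        print(f"bundled but not in dependency:tree: {group}:{artifact}:{version}")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python inventory.py target/collector-thorntail.jar tree.txt` after `mvn dependency:tree > tree.txt`; a non-zero exit means the jar ships something the Maven graph does not account for, which is exactly the case where a POM `<exclusion>` cannot be expected to help and the packaging plugin, not the dependency graph, has to be consulted.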