The vulnerability scanning results indicate that the version of the Java dependency library is risky
Cause 1:
When Container Registry scans Java application images, it also scans the Java dependency libraries inside them. If a dependency library with a known risk is detected, a message is provided in the scanning results.
Solution:
Check the versions of the dependency libraries that are introduced by dependency management tools such as Maven. For example, check whether the coordinates of the risky version of the dependency library are declared in the pom.xml file. If the risky version is not declared in the pom.xml file, check whether it is introduced indirectly, as a transitive dependency of another dependency library.
Cause 2:
When Container Registry scans Java application images, it also scans the Java dependency libraries inside them. If a dependency library bundles the risky version in shaded form (that is, the risky library's classes are relocated and packaged inside another JAR), a message is provided in the scanning results.
Solution:
We recommend that you use a global search across your dependencies to locate the risky dependency library. For example, the following pom.xml coordinates declare a dependency that bundles io.netty:

    <dependency>
        <groupId>io.grpc</groupId>
        <artifactId>grpc-netty-shaded</artifactId>
        <version>1.24.0</version>
    </dependency>

This dependency library contains io.netty v4.1.38.Final in shaded form. In this case, even if you declare a later version of io.netty in the pom.xml file, the shaded copy is unaffected and the risky dependency library will still be detected. In the same way, check whether any of your dependency libraries contain a risky version in shaded form. For more information about how JAR packages of dependency libraries are shaded, see Apache Maven Shade Plugin.
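The check described above in code, as an added example that is not part of this page or of Container Registry: shaded copies do not appear in pom.xml or in `mvn dependency:tree`, but Maven Shade copies the merged JARs' resources, including their META-INF/maven/<groupId>/<artifactId>/pom.properties, unless the build filters them out, so reading those files out of each JAR reveals the bundled library and its version. The sample JAR, the property values in it and the `fixed_version` threshold are constructed for the demonstration; the page only states that v4.1.38.Final is risky.

```python
import io
import re
import zipfile

# pom.properties that Maven Shade carries over from each merged dependency
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def embedded_artifacts(jar_bytes):
    """Return {(groupId, artifactId): version} for every pom.properties in the jar,
    including those of libraries shaded (relocated) into it."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            text = jar.read(name).decode("utf-8", "replace")
            props = {}
            for line in text.splitlines():
                if "=" in line and not line.startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            group = props.get("groupId", m.group(1))
            artifact = props.get("artifactId", m.group(2))
            found[(group, artifact)] = props.get("version", "?")
    return found


def version_key(version):
    """Loose Maven-style ordering: numeric parts compared as integers, a trailing
    qualifier such as 'Final' ignored (sufficient for netty's 4.1.x.Final scheme)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def shaded_risk(jar_bytes, group, fixed_version):
    """List (artifactId, version) of embedded `group` artifacts older than fixed_version."""
    return sorted(
        (artifact, version)
        for (g, artifact), version in embedded_artifacts(jar_bytes).items()
        if g == group and version_key(version) < version_key(fixed_version)
    )


def build_sample_jar():
    """Constructed stand-in for grpc-netty-shaded 1.24.0: its own pom.properties
    plus one carried over from a relocated io.netty jar (values are illustrative)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/io.grpc/grpc-netty-shaded/pom.properties",
                     "groupId=io.grpc\nartifactId=grpc-netty-shaded\nversion=1.24.0\n")
        jar.writestr("META-INF/maven/io.netty/netty-codec-http2/pom.properties",
                     "groupId=io.netty\nartifactId=netty-codec-http2\nversion=4.1.38.Final\n")
        jar.writestr("io/grpc/netty/shaded/io/netty/channel/Channel.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # "4.1.42.Final" is an assumed threshold for the demonstration, not a value from the page
    for artifact, version in shaded_risk(build_sample_jar(), "io.netty", "4.1.42.Final"):
        print(f"shaded io.netty:{artifact}:{version} is older than the assumed fix version")
```

To run this against a real image, extract the application JARs from the image filesystem and pass each file's bytes to `shaded_risk`; JARs that are themselves nested inside a WAR or fat JAR need to be unpacked first.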