Recent Atomikos releases will do a courtesy scan of your application's classpath to detect known vulnerable dependencies. This is a best-effort scan based on the information that was known to us at the time of release.

What can you do?

If you get warnings concerning vulnerable dependencies then you can do one of the following:

  • Upgrade the version of the dependency to avoid the warning, or
  • Override the warning by creating an extra property file on your classpath (see below).

Overriding the warning(s)

Overriding warnings for vulnerable dependencies is NOT recommended. The preferred approach should be to upgrade your dependency version to a safer one. Only override after you have assessed the detailed risks for your application's use case!

You may opt to override these warnings by doing the following:

  • Create a file named atomikos-overridden-maven-dependency-versions.properties in the format explained below.
  • Make sure this file is on the application's classpath.

Format of the overriding property file

The following example shows how to allow versions 2.3.2 and 2.12.4 of Log4j:

# FORMAT: groupId\:artifactId=one or more version(s) separated by whitespace
# (the backslash before the colon is required or it will not work)
org.apache.logging.log4j\:log4j-core= 2.3.2 2.12.4
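
To see why the backslash matters, the following added example (not Atomikos code) parses the entry above with and without the escape. It assumes the override file follows standard java.util.Properties parsing rules, since the page only calls it a property file; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Properties;

public class OverrideFileCheck {

    // Parse override-file text with java.util.Properties (assumed format) and
    // return the versions listed for one groupId:artifactId coordinate.
    static List<String> allowedVersions(String fileText, String coordinate) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(fileText));
        String value = props.getProperty(coordinate);
        if (value == null || value.trim().isEmpty()) {
            return Collections.emptyList();
        }
        // Versions are separated by whitespace, as the FORMAT comment states.
        return Arrays.asList(value.trim().split("\\s+"));
    }

    public static void main(String[] args) throws IOException {
        String coordinate = "org.apache.logging.log4j:log4j-core";

        // Constructed sample: the entry from the page, with the colon escaped.
        String escaped = "org.apache.logging.log4j\\:log4j-core= 2.3.2 2.12.4\n";
        // Constructed sample: the same entry with the backslash forgotten.
        String unescaped = "org.apache.logging.log4j:log4j-core= 2.3.2 2.12.4\n";

        System.out.println("escaped   -> " + allowedVersions(escaped, coordinate));
        System.out.println("unescaped -> " + allowedVersions(unescaped, coordinate));

        // In the Properties format an unescaped ':' terminates the key, so the
        // artifactId ends up in the value. Print what the line really became.
        Properties p = new Properties();
        p.load(new StringReader(unescaped));
        p.forEach((k, v) ->
                System.out.println("unescaped parsed as key='" + k + "' value='" + v + "'"));
    }
}
```

An empty list for a coordinate you meant to override indicates a malformed entry, so the warning for that dependency would not be suppressed.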
