@quapka quapka commented Oct 23, 2025

While testing different BouncyCastle versions, I've stumbled upon the fact that the explicitly listed org.bouncycastle dependency in simulator/pom.xml is not needed. I've found out that BouncyCastle is part of the globalplatformpro artefact. I am assuming this was not intentional, but I could be mistaken.

This PR makes it so that updating the org.bouncycastle dependency has an effect.

quapka and others added 2 commits October 23, 2025 09:52
While testing different BouncyCastle versions I've stumbled upon the
fact that the explicitly listed `org.bouncycastle` dependency in
simulator/pom.xml is not _needed_. I've found out that BouncyCastle is
part of `globalplatformpro` artifact.
@martinpaljak martinpaljak merged commit 8575948 into martinpaljak:next Oct 27, 2025
@martinpaljak (Owner)

Thanks! I expect the two to always be equal versions, but it should not hurt to remove the transitive one.


quapka commented Oct 29, 2025

Since you mentioned the expectation that the versions are equal, I had a look at that in Maven. I read here about the dependencyManagement section. I don't see into Maven, but I have been looking into the dependency tree:

cd simulator/
../mvnw dependency:tree -Dverbose
  • Using 04e2e4cc2bcb0020ff54276db086930e755d9ca5, prior to this PR, I get (showing only the relevant parts):

    ...
    [INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.82:compile
    ...
    [INFO] +- com.github.martinpaljak:globalplatformpro:jar:25.10.20:compile
    ...
    [INFO] |  +- org.bouncycastle:bcpkix-jdk18on:jar:1.82:compile
    [INFO] |  |  \- org.bouncycastle:bcutil-jdk18on:jar:1.82:compile
    [INFO] |  |     \- (org.bouncycastle:bcprov-jdk18on:jar:1.82:compile - omitted for duplicate)
    ...
    
  • For the current HEAD:

    ...
    [INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.82:compile
    ...
    [INFO] +- com.github.martinpaljak:globalplatformpro:jar:25.10.20:compile
    ... --> no bouncycastle
    
  • Finally, with this patch on HEAD (using 1.81 just to test the enforcement):

diff --git a/simulator/pom.xml b/simulator/pom.xml
index 127ea96..bbccb27 100644
--- a/simulator/pom.xml
+++ b/simulator/pom.xml
@@ -15,6 +15,16 @@
         <globalplatform.version>1.6</globalplatform.version>
     </properties>

+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bcprov-jdk18on</artifactId>
+                <version>1.81</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <!-- The base JC API -->
         <dependency>
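Review bot: the managed version is a hard-coded literal `<version>1.81</version>` although this pom already keeps versions in `<properties>` (see `globalplatform.version` two lines above); a `bouncycastle.version` property would let the direct dependency and the managed entry share one value. Also, only `bcprov-jdk18on` is managed here, while `bcpkix-jdk18on` and `bcutil-jdk18on` (which `globalplatformpro` pulls in, per the tree further down) are not, so they keep their own version when bcprov is pinned.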
@@ -38,7 +48,6 @@
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk18on</artifactId>
-            <version>1.82</version>
         </dependency>
         <!-- Instance proxy for Applets -->
         <dependency>
@@ -57,12 +66,6 @@
             <groupId>com.github.martinpaljak</groupId>
             <artifactId>globalplatformpro</artifactId>
             <version>25.10.20</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.bouncycastle</groupId>
-                    <artifactId>*</artifactId>
-                </exclusion>
-            </exclusions>
         </dependency>
         <!-- unit tests -->
         <dependency>
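Review bot: removing the wildcard `org.bouncycastle:*` exclusion lets `globalplatformpro` contribute `bcpkix-jdk18on` and `bcutil-jdk18on` at its own version while the first hunk pins `bcprov-jdk18on` to a different one; the `-Dverbose` tree below shows exactly that split (bcpkix/bcutil 1.82 over bcprov 1.81). The BouncyCastle artifacts are released together and expected to match, so a mixed set risks runtime linkage errors, and a future BC security bump made through `dependencyManagement` would only move bcprov. Either keep the exclusion, or manage all three artifacts in `dependencyManagement` with one shared version.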

I get this:

...
[INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.81:compile
...
[INFO] +- com.github.martinpaljak:globalplatformpro:jar:25.10.20:compile
...
[INFO] |  +- org.bouncycastle:bcpkix-jdk18on:jar:1.82:compile
[INFO] |  |  \- org.bouncycastle:bcutil-jdk18on:jar:1.82:compile
[INFO] |  |     \- (org.bouncycastle:bcprov-jdk18on:jar:1.81:compile - version managed from 1.82; omitted for duplicate)
...

Not sure whether to:

  • stick with the exclusion (and excluding wildcard * BC dependencies)
  • exclude bcprov-jdk18on and not others, such as bcpkix-jdk18on and bcutil-jdk18on
  • use the dependencyManagement and force the bcprov-jdk18on version
  • use the dependencyManagement and force also bcpkix-jdk18on and bcutil-jdk18on
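
The dependency-tree inspection done by hand above can be automated. As an added example (not code from this PR or the simulator project), the following Python parser reads `dependency:tree -Dverbose` output, lists the versions resolved per groupId, and extracts every "version managed from" override, so a split BouncyCastle set like the one above (bcprov 1.81 beside bcpkix/bcutil 1.82) is flagged; the sample lines are constructed after the thread's output.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the `dependency:tree -Dverbose` output quoted in the thread.
SAMPLE_TREE = """\
[INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.81:compile
[INFO] +- com.github.martinpaljak:globalplatformpro:jar:25.10.20:compile
[INFO] |  +- org.bouncycastle:bcpkix-jdk18on:jar:1.82:compile
[INFO] |  |  \\- org.bouncycastle:bcutil-jdk18on:jar:1.82:compile
[INFO] |  |     \\- (org.bouncycastle:bcprov-jdk18on:jar:1.81:compile - version managed from 1.82; omitted for duplicate)
""".splitlines()

# One entry: groupId:artifactId:type:version:scope, optionally in parentheses
# with a " - <note>" saying why verbose mode kept it in the tree.
ARTIFACT_RE = re.compile(
    r"\(?(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+:"
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)(?: - (?P<note>[^)]*))?\)?"
)

def parse_tree(lines):
    """Yield (groupId, artifactId, version, note) per artifact line. Entries
    'omitted for conflict' show the losing version and are skipped; 'omitted
    for duplicate' entries show the version that really resolved."""
    for line in lines:
        m = ARTIFACT_RE.search(line)
        if m and "omitted for conflict" not in (m["note"] or ""):
            yield m["group"], m["artifact"], m["version"], m["note"] or ""

def versions_by_group(lines, group_id):
    """artifactId -> sorted resolved versions, restricted to one groupId."""
    seen = defaultdict(set)
    for group, artifact, version, _ in parse_tree(lines):
        if group == group_id:
            seen[artifact].add(version)
    return {a: sorted(v) for a, v in seen.items()}

def mixed_versions(lines, group_id):
    """Distinct versions across a groupId; more than one means a split set."""
    return sorted({v for vs in versions_by_group(lines, group_id).values() for v in vs})

def managed_overrides(lines):
    """(artifactId, requested, resolved) for each 'version managed from X'."""
    out = []
    for _, artifact, version, note in parse_tree(lines):
        m = re.search(r"version managed from ([\w.\-]+)", note)
        if m:
            out.append((artifact, m.group(1), version))
    return out

# For the sample: bcprov 1.81 next to bcpkix/bcutil 1.82, so the set is split.
BC_SPLIT = len(mixed_versions(SAMPLE_TREE, "org.bouncycastle")) > 1
```

Pipe real output in with `../mvnw dependency:tree -Dverbose | python3 check.py` after replacing `SAMPLE_TREE` with `sys.stdin`; a non-empty `managed_overrides` result shows which artifact `dependencyManagement` actually moved.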
