What is a transitive dependency, and why does it complicate patching? [Intermediate]
Answer
A transitive dependency is a dependency pulled in by another dependency rather than declared directly by the application. It complicates patching because the vulnerable package may be several levels deep, and overriding it can break the library that expects a specific version.
Technical explanation
Direct dependencies are controlled in the application's manifest; transitive dependencies are resolved by the package manager.
Fixing a vulnerable transitive dependency may require upgrading the parent dependency, changing the BOM (bill of materials), excluding the module, or adding a safe version override.
Every override needs compatibility testing because dependency graphs can introduce runtime conflicts.
Hands-on example
Example: spring-boot-starter pulls in a vulnerable Jackson version. The safer fix is usually to upgrade Spring Boot's BOM, so that the whole managed set of versions moves together. If that is not possible, override jackson-databind to the fixed version, run the integration tests, and inspect the resolved dependency tree before release to confirm that every path now resolves to the fixed version.
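The "inspect the resolved tree" step is the one most often skipped, because the vulnerable package can sit three levels down and be reached from more than one parent. The script below is an added example (not part of the original page and not Spring's or Maven's own tooling): it parses text in the style of `mvn dependency:tree -Dverbose`, reports every path that reaches a given artifact with its resolved version, and acts as a release gate if any path is older than the fixed version. The tree text, the coordinates and the versions in it are constructed placeholders, the "fixed" version is a placeholder rather than a real advisory, and the version comparison is numeric-only (qualifiers such as `-rc1` are ignored), all assumptions of this example.

```python
"""Audit a Maven dependency tree for an artifact that may be pulled in transitively.

Added example. SAMPLE_TREE is constructed in the style of
`mvn dependency:tree -Dverbose`; every coordinate and version in it is a
placeholder, and FIXED_VERSION is a placeholder rather than a real advisory.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample tree: one app, jackson-databind reached by two parents,
# three and two levels deep. The second occurrence is shown the way verbose
# output marks an entry Maven omitted during resolution.
SAMPLE_TREE = r"""
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:9.9.0:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:9.9.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.0.0:compile
[INFO] |  \- org.springframework:spring-web:jar:9.9.0:compile
[INFO] \- com.example:reporting-lib:jar:3.1.0:compile
[INFO]    \- (com.fasterxml.jackson.core:jackson-databind:jar:2.0.0:compile - omitted for duplicate)
"""

TARGET_GROUP = "com.fasterxml.jackson.core"
TARGET_ARTIFACT = "jackson-databind"
FIXED_VERSION = "2.0.1"  # placeholder, not a real fixed release

# "[INFO] " then the tree-drawing prefix (|, +, \, -, space), then the coordinate.
LINE_RE = re.compile(r"^\[INFO\] ([|+\\\- ]*)(\S.*)$")


def parse_coord(raw: str) -> Tuple[str, str, str, str]:
    """Return (groupId, artifactId, version, note) for one tree entry.

    Verbose output wraps entries that Maven omitted in parentheses and appends
    " - omitted for ...", which is kept as the note.
    """
    note = ""
    if raw.startswith("(") and raw.endswith(")"):
        raw, _, note = raw[1:-1].partition(" - ")
    parts = raw.split(":")
    # groupId:artifactId:type[:classifier]:version[:scope]
    version = parts[4] if len(parts) == 6 else parts[3]
    return parts[0], parts[1], version, note


def find_paths(tree_text: str, group_id: str, artifact_id: str) -> List[Dict[str, object]]:
    """Walk the tree and return every path from the root to group_id:artifact_id."""
    stack: List[str] = []  # coordinates of the ancestors of the current line
    hits: List[Dict[str, object]] = []
    for line in tree_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group(1)) // 3  # each tree level is three characters wide
        g, a, v, note = parse_coord(m.group(2))
        del stack[depth:]  # drop siblings' subtrees that are now closed
        stack.append(f"{g}:{a}:{v}")
        if g == group_id and a == artifact_id:
            hits.append({"path": list(stack), "version": v, "note": note})
    return hits


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric comparison key (assumption: qualifiers such as -rc1 are ignored)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def audit(tree_text: str, group_id: str, artifact_id: str, fixed_version: str) -> List[Dict[str, object]]:
    """Mark each path whose resolved version is older than fixed_version."""
    hits = find_paths(tree_text, group_id, artifact_id)
    for hit in hits:
        hit["vulnerable"] = version_key(str(hit["version"])) < version_key(fixed_version)
    return hits


def release_gate(tree_text: str, group_id: str, artifact_id: str, fixed_version: str) -> bool:
    """True only when no path to the artifact resolves below the fixed version."""
    return not any(h["vulnerable"] for h in audit(tree_text, group_id, artifact_id, fixed_version))


if __name__ == "__main__":
    for hit in audit(SAMPLE_TREE, TARGET_GROUP, TARGET_ARTIFACT, FIXED_VERSION):
        status = "VULNERABLE" if hit["vulnerable"] else "ok"
        suffix = f" ({hit['note']})" if hit["note"] else ""
        print(f"{status}: {' -> '.join(hit['path'])}{suffix}")
    print("release gate:", "pass" if release_gate(SAMPLE_TREE, TARGET_GROUP, TARGET_ARTIFACT, FIXED_VERSION) else "FAIL")
```

In a pipeline, feed it the real `mvn dependency:tree -Dverbose` output after applying the override and fail the build when `release_gate` returns False; the verbose form matters because the default tree prints only the winning occurrence, so a second parent that still pins the old version would otherwise not appear in the report.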