trivy: Maven dependencies not resolved correctly during filesystem scan - properties

Description

Trivy filesystem scan of a pom.xml with a properties section resolves the wrong version of the dependency. In this example, jackson.

What did you expect to happen?

Version of dependencies in the properties section of pom.xml to be used when trivy lists the packages and looks for matching CVEs.

What happened instead?

Older versions of dependencies used

Output of run with -debug:

For simplicity's sake I have removed all but the jackson dependencies.

trivy -d fs --security-checks vuln -f json --list-all-pkgs .
2022-05-17T14:22:30.208+0100	DEBUG	Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-05-17T14:22:30.248+0100	DEBUG	cache dir:  /Users/mrjonstrong/Library/Caches/trivy
2022-05-17T14:22:30.248+0100	DEBUG	DB update was skipped because the local DB is the latest
2022-05-17T14:22:30.248+0100	DEBUG	DB Schema: 2, UpdatedAt: 2022-05-17 12:06:28.847448335 +0000 UTC, NextUpdate: 2022-05-17 18:06:28.847447935 +0000 UTC, DownloadedAt: 2022-05-17 13:07:53.138275 +0000 UTC
2022-05-17T14:22:30.249+0100	DEBUG	Vulnerability type:  [os library]
2022-05-17T14:22:30.249+0100	DEBUG	No secret config detected: trivy-secret.yaml
2022-05-17T14:22:30.259+0100	DEBUG	Resolving com.fasterxml.jackson:jackson-bom:2.13.2.20220328...
2022-05-17T14:22:30.294+0100	DEBUG	Resolving com.fasterxml.jackson:jackson-bom:2.13.0...
2022-05-17T14:22:30.307+0100	DEBUG	Resolving com.fasterxml.jackson.core:jackson-databind:2.13.0...
2022-05-17T14:22:30.569+0100	DEBUG	Resolving com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.13.2...
2022-05-17T14:22:30.575+0100	DEBUG	Resolving com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.13.2...
2022-05-17T14:22:30.576+0100	DEBUG	Resolving com.fasterxml.jackson.module:jackson-module-parameter-names:2.13.2...
2022-05-17T14:22:30.587+0100	DEBUG	Resolving com.fasterxml.jackson.core:jackson-annotations:2.13.0...
2022-05-17T14:22:30.615+0100	DEBUG	Resolving com.fasterxml.jackson.core:jackson-core:2.13.0...
2022-05-17T14:22:30.739+0100	DEBUG	OS is not detected.
2022-05-17T14:22:30.739+0100	DEBUG	Detected OS: unknown
2022-05-17T14:22:30.739+0100	INFO	Number of language-specific files: 1
2022-05-17T14:22:30.739+0100	INFO	Detecting pom vulnerabilities...
2022-05-17T14:22:30.739+0100	DEBUG	Detecting library vulnerabilities, type: pom, path: pom.xml

Output of trivy -v:

Version: 0.28.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-05-17 12:06:28.847448335 +0000 UTC
  NextUpdate: 2022-05-17 18:06:28.847447935 +0000 UTC
  DownloadedAt: 2022-05-17 13:07:53.138275 +0000 UTC

Additional details (base image name, container registry info…):

Maven dependency tree shows higher versions of jackson

mvn dependency:tree | grep jackson
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.2:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.2:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.2:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
[INFO] |     \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile

pom.xml

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 23

Most upvoted comments

Hello @cardoso-thiago, thanks for waiting!

Your pom.xml contains the ehcache library. ehcache-2.10.1.jar contains a rest-management-private-classpath folder with pom.properties files. Trivy finds these files and includes these dependencies in the result (same case: #2010):

➜ find . -name pom.properties
./META-INF/maven/net.sf.ehcache/ehcache/pom.properties
./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-base/pom.properties
./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-json-provider/pom.properties
./rest-management-private-classpath/META-INF/maven/javax.ws.rs/javax.ws.rs-api/pom.properties
./rest-management-private-classpath/META-INF/maven/org.glassfish.jersey.media/jersey-media-sse/pom.properties
./rest-management-private-classpath/META-INF/maven/net.sf.ehcache/management-ehcache-common/pom.properties
./rest-management-private-classpath/META-INF/maven/net.sf.ehcache/management-ehcache-impl-v1/pom.properties
./rest-management-private-classpath/META-INF/maven/net.sf.ehcache/management-ehcache-v2/pom.properties
./rest-management-private-classpath/META-INF/maven/net.sf.ehcache/management-ehcache-v1/pom.properties
./rest-management-private-classpath/META-INF/maven/net.sf.ehcache/management-ehcache-impl-v2/pom.properties
./rest-management-private-classpath/META-INF/maven/org.javassist/javassist/pom.properties
./rest-management-private-classpath/META-INF/maven/org.glassfish.jersey.core/jersey-common/pom.properties
./rest-management-private-classpath/META-INF/maven/org.glassfish.jersey.core/jersey-server/pom.properties
./rest-management-private-classpath/META-INF/maven/org.glassfish.jersey.core/jersey-client/pom.properties
./rest-management-private-classpath/META-INF/maven/org.glassfish.hk2.external/aopalliance-repackaged/pom.properties
./rest-management-private-classpath/META-INF/maven/org.glassfish.hk2.external/javax.inject/pom.properties
./rest-management-private-classpath/META-INF/maven/org.glassfish.hk2.external/asm-all-repackaged/pom.properties
./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties
./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.properties
./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-annotations/pom.properties
./rest-management-private-classpath/META-INF/maven/javax.servlet/javax.servlet-api/pom.properties
./rest-management-private-classpath/META-INF/maven/org.jvnet/tiger-types/pom.properties
./rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-security/pom.properties
./rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-server/pom.properties
./rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-io/pom.properties
./rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-util/pom.properties
./rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-continuation/pom.properties
./rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-http/pom.properties
./rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.properties
./rest-management-private-classpath/META-INF/maven/org.glassfish.jersey.bundles.repackaged/jersey-guava/pom.properties
./rest-management-private-classpath/META-INF/maven/org.glassfish.hk2/hk2-utils/pom.properties
./rest-management-private-classpath/META-INF/maven/org.glassfish.hk2/osgi-resource-locator/pom.properties
./rest-management-private-classpath/META-INF/maven/org.glassfish.hk2/hk2-api/pom.properties
./rest-management-private-classpath/META-INF/maven/org.glassfish.hk2/hk2-locator/pom.properties
./rest-management-private-classpath/META-INF/maven/org.glassfish.jersey.containers/jersey-container-servlet/pom.properties
./rest-management-private-classpath/META-INF/maven/org.glassfish.jersey.containers/jersey-container-servlet-core/pom.properties
./rest-management-private-classpath/META-INF/maven/javax.validation/validation-api/pom.properties
./rest-management-private-classpath/META-INF/maven/javax.annotation/javax.annotation-api/pom.properties
./rest-management-private-classpath/META-INF/maven/net.sf.ehcache.internal/ehcache-rest-agent/pom.properties
./rest-management-private-classpath/META-INF/maven/org.terracotta/management-common-resources-v1/pom.properties
./rest-management-private-classpath/META-INF/maven/org.terracotta/management-core-resources/pom.properties
./rest-management-private-classpath/META-INF/maven/org.terracotta/management-common-v2/pom.properties
./rest-management-private-classpath/META-INF/maven/org.terracotta/management-core/pom.properties
./rest-management-private-classpath/META-INF/maven/org.terracotta/management-common-v1/pom.properties
./rest-management-private-classpath/META-INF/maven/org.terracotta/management-common-resources-v2/pom.properties
./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.module/jackson-module-jaxb-annotations/pom.properties

➜ cat ./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties
#Generated by org.apache.felix.bundleplugin
#Thu Apr 10 09:54:57 PDT 2014
version=2.3.3
groupId=com.fasterxml.jackson.core
artifactId=jackson-databind
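To make the mechanism in this comment concrete, here is an added example in Go (written for this page; it is not Trivy's code and was not posted in the issue). It builds a small jar in memory with the layout described above, then walks every pom.properties entry and records whether it sits directly under the jar root (META-INF/maven/...) or under a nested prefix such as rest-management-private-classpath/, which is how a bundled jackson-databind 2.3.3 can appear beside the project's real dependency. The jar contents are constructed for the example, and the type and function names are the example's own.

```go
package main

import (
	"archive/zip"
	"bufio"
	"bytes"
	"fmt"
	"io"
	"path"
	"sort"
	"strings"
)

// Artifact is one Maven coordinate recovered from a pom.properties entry.
type Artifact struct {
	GroupID, ArtifactID, Version string
	Entry                        string // zip entry the coordinate was read from
	Nested                       bool   // true unless the entry sits directly under META-INF/maven/
}

// parsePomProperties reads Java .properties text: key=value lines, '#'/'!' comments.
func parsePomProperties(r io.Reader) map[string]string {
	props := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == '!' {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			continue
		}
		props[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	return props
}

// scanJar lists every pom.properties in a jar and marks the ones that live under
// a prefix other than the jar root, e.g. rest-management-private-classpath/.
func scanJar(jar []byte) ([]Artifact, error) {
	zr, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return nil, err
	}
	var found []Artifact
	for _, f := range zr.File {
		if path.Base(f.Name) != "pom.properties" || !strings.Contains(f.Name, "META-INF/maven/") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		p := parsePomProperties(rc)
		rc.Close()
		if p["groupId"] == "" || p["artifactId"] == "" || p["version"] == "" {
			continue // incomplete metadata: skip rather than guess a coordinate
		}
		found = append(found, Artifact{
			GroupID: p["groupId"], ArtifactID: p["artifactId"], Version: p["version"],
			Entry:  f.Name,
			Nested: !strings.HasPrefix(f.Name, "META-INF/maven/"),
		})
	}
	sort.Slice(found, func(i, j int) bool { return found[i].Entry < found[j].Entry })
	return found, nil
}

// buildSampleJar constructs, in memory, a jar with the layout the comment above
// describes. The entries and their contents are made up for this example.
func buildSampleJar() []byte {
	entries := map[string]string{
		"META-INF/maven/net.sf.ehcache/ehcache/pom.properties":
			"#Generated by Apache Maven\nversion=2.10.1\ngroupId=net.sf.ehcache\nartifactId=ehcache\n",
		"rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties":
			"#Generated by org.apache.felix.bundleplugin\n#Thu Apr 10 09:54:57 PDT 2014\nversion=2.3.3\ngroupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n",
		"rest-management-private-classpath/com/fasterxml/jackson/databind/ObjectMapper.class": "",
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range entries {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	arts, err := scanJar(buildSampleJar())
	if err != nil {
		panic(err)
	}
	for _, a := range arts {
		fmt.Printf("%s:%s:%s nested=%v  <- %s\n", a.GroupID, a.ArtifactID, a.Version, a.Nested, a.Entry)
	}
}
```

The Nested flag is the piece a practitioner wants when triaging such a finding: a coordinate read from a pom.properties under a private classpath folder describes classes the library loads for its own use, not a dependency declared in your pom.xml, so it needs to be judged on its own (is that embedded code reachable?) rather than treated as a mistaken version of the project's Jackson.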

Hello @mrjonstrong, @atkinspa33, thanks for your information, examples and help!

Finally, we managed to solve the problem with overwriting parent props! You will be able to test these changes in the next release. We also have a canary build.

Regards, Dmitriy
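As an added illustration of the property-override rule the fix above is about (example code written for this page, not Trivy's parser and not from any commenter): a parent POM pins jackson-databind to ${jackson.version} and sets that property to 2.13.0, while the child POM redefines the same property as 2.13.2. Maven's rule is that the child's <properties> win, so the child resolves 2.13.2; running the same resolution with the parent's value winning reproduces the older version this issue reports. Both POMs are constructed stand-ins, the parent artifact name example-parent is hypothetical, and resolve and interpolate are the example's own names.

```go
package main

import (
	"encoding/xml"
	"regexp"
	"strings"
)

// property keeps the element name of each <properties> child, so any key works.
type property struct {
	XMLName xml.Name
	Value   string `xml:",chardata"`
}

type dependency struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
}

// pom models only the parts of a POM that version resolution needs.
type pom struct {
	Properties           struct{ Entries []property `xml:",any"` }                          `xml:"properties"`
	DependencyManagement struct{ Dependencies []dependency `xml:"dependencies>dependency"` } `xml:"dependencyManagement"`
	Dependencies         []dependency                                                         `xml:"dependencies>dependency"`
}

// Constructed stand-ins (not real published POMs): a parent pinning Jackson via a property, and a child overriding it.
const parentPOM = `<project>
  <properties><jackson.version>2.13.0</jackson.version></properties>
  <dependencyManagement><dependencies><dependency>
    <groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>
    <version>${jackson.version}</version>
  </dependency></dependencies></dependencyManagement>
</project>`

const childPOM = `<project>
  <parent><artifactId>example-parent</artifactId></parent>
  <properties><jackson.version>2.13.2</jackson.version></properties>
  <dependencies><dependency>
    <groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>
  </dependency></dependencies>
</project>`

var placeholder = regexp.MustCompile(`\$\{([^}]+)\}`)

// interpolate expands ${key}, following property-to-property chains a bounded number of times.
func interpolate(s string, props map[string]string) string {
	for i := 0; i < 8; i++ {
		next := placeholder.ReplaceAllStringFunc(s, func(m string) string {
			if v, ok := props[m[2:len(m)-1]]; ok {
				return v
			}
			return m // unknown property: leave the placeholder visible
		})
		if next == s {
			break
		}
		s = next
	}
	return s
}

// resolve maps groupId:artifactId to version for the child's dependencies.
// childWins=true is Maven's rule (child <properties> override the parent's);
// childWins=false reproduces the wrong answer of letting the parent's value win.
func resolve(parentXML, childXML string, childWins bool) (map[string]string, error) {
	var parent, child pom
	if err := xml.Unmarshal([]byte(parentXML), &parent); err != nil {
		return nil, err
	}
	if err := xml.Unmarshal([]byte(childXML), &child); err != nil {
		return nil, err
	}
	order := []pom{parent, child} // later entries overwrite earlier ones
	if !childWins {
		order = []pom{child, parent}
	}
	props := map[string]string{}
	for _, p := range order {
		for _, e := range p.Properties.Entries {
			props[e.XMLName.Local] = strings.TrimSpace(e.Value)
		}
	}
	managed := map[string]string{} // dependencyManagement from both levels, child last
	for _, d := range append(parent.DependencyManagement.Dependencies, child.DependencyManagement.Dependencies...) {
		managed[d.GroupID+":"+d.ArtifactID] = d.Version
	}
	out := map[string]string{}
	for _, d := range child.Dependencies {
		key, v := d.GroupID+":"+d.ArtifactID, d.Version
		if v == "" {
			v = managed[key] // no explicit version: inherit the managed one
		}
		out[key] = interpolate(v, props)
	}
	return out, nil
}
```

resolve(parentPOM, childPOM, true) yields 2.13.2 for com.fasterxml.jackson.core:jackson-databind, and resolve(parentPOM, childPOM, false) yields 2.13.0. Note that interpolation happens after the property maps are merged, which is why the parent's managed version `${jackson.version}` picks up the child's value. Real POMs also need the parent fetched from a repository, BOM imports merged into dependencyManagement, and built-in properties such as ${project.version}; none of that is modelled here.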

Hi @DmitriyLewen

Thanks for taking a look into this.

The thing is that when I run mvn dependency:tree | grep jackson

I get version jackson-databind v2.13.2 as I think it’s picked the higher version from the properties section (or somewhere else at least). So I was thinking that trivy would mirror the dependency tree and identify the higher version.

mvn dependency:tree | grep jackson
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.2:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.2:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.2:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
[INFO] |     \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile

Given the higher version in the mvn dependency:tree - can trivy identify it also as the higher version?