trivy: pom.xml scanner finds wrong dependency versions
Description
While scanning my Java project, trivy detects wrong versions of certain dependencies, such as:
org.springframework.security:spring-security-core : 4.2.20.RELEASE
org.springframework.security:spring-security-web : 4.2.20.RELEASE
org.springframework:spring-beans : 4.3.30.RELEASE
org.springframework:spring-core : 4.3.30.RELEASE
But
john@sophia$ mvn compile dependency:tree | grep spring-security-core
[INFO] | +- org.springframework.security:spring-security-core:jar:5.7.1:compile
or
john@sophia$ mvn compile dependency:tree | grep spring-security-web
[INFO] | +- org.springframework.security:spring-security-web:jar:5.7.1:compile
What did you expect to happen?
I expect trivy to look for the right versions.
What happened instead?
It happens that trivy triggers false-positive reports, since the tool detects the wrong versions.
Output of run with -debug:
2022-06-30T14:11:59.248+0200 DEBUG Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-06-30T14:11:59.293+0200 DEBUG cache dir: /Users/john/Library/Caches/trivy
2022-06-30T14:11:59.293+0200 INFO Need to update DB
2022-06-30T14:11:59.293+0200 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-06-30T14:11:59.293+0200 INFO Downloading DB...
32.83 MiB / 32.83 MiB [------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 22.74 MiB p/s 1.6s
2022-06-30T14:12:02.328+0200 DEBUG Updating database metadata...
2022-06-30T14:12:02.328+0200 DEBUG DB Schema: 2, UpdatedAt: 2022-06-30 12:06:32.283426777 +0000 UTC, NextUpdate: 2022-06-30 18:06:32.283426377 +0000 UTC, DownloadedAt: 2022-06-30 12:12:02.328067 +0000 UTC
2022-06-30T14:12:02.328+0200 INFO Vulnerability scanning is enabled
2022-06-30T14:12:02.328+0200 DEBUG Vulnerability type: [os library]
2022-06-30T14:12:02.328+0200 INFO Secret scanning is enabled
2022-06-30T14:12:02.328+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-06-30T14:12:02.328+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.29.2/docs/secret/scanning/#recommendation for faster secret detection
2022-06-30T14:12:02.328+0200 DEBUG No secret config detected: trivy-secret.yaml
2022-06-30T14:12:02.349+0200 DEBUG Resolving com.datastax.oss:java-driver-bom:4.14.1...
2022-06-30T14:12:02.355+0200 DEBUG Resolving io.dropwizard.metrics:metrics-bom:4.2.9...
2022-06-30T14:12:02.357+0200 DEBUG Resolving org.codehaus.groovy:groovy-bom:3.0.10...
2022-06-30T14:12:02.359+0200 DEBUG Resolving org.infinispan:infinispan-bom:13.0.10.Final...
2022-06-30T14:12:02.364+0200 DEBUG Resolving com.fasterxml.jackson:jackson-bom:2.13.3...
2022-06-30T14:12:02.367+0200 DEBUG Resolving org.glassfish.jersey:jersey-bom:2.35...
2022-06-30T14:12:02.370+0200 DEBUG Resolving org.eclipse.jetty:jetty-bom:9.4.46.v20220331...
2022-06-30T14:12:02.372+0200 DEBUG Resolving org.junit:junit-bom:5.8.2...
2022-06-30T14:12:02.372+0200 DEBUG Resolving org.jetbrains.kotlin:kotlin-bom:1.6.21...
2022-06-30T14:12:02.374+0200 DEBUG Resolving org.jetbrains.kotlinx:kotlinx-coroutines-bom:1.6.1...
2022-06-30T14:12:02.374+0200 DEBUG Resolving org.apache.logging.log4j:log4j-bom:2.17.2...
2022-06-30T14:12:02.377+0200 DEBUG Resolving io.micrometer:micrometer-bom:1.9.0...
2022-06-30T14:12:02.378+0200 DEBUG Resolving org.mockito:mockito-bom:4.5.1...
2022-06-30T14:12:02.378+0200 DEBUG Resolving io.netty:netty-bom:4.1.77.Final...
2022-06-30T14:12:02.383+0200 DEBUG Resolving com.squareup.okhttp3:okhttp-bom:4.9.3...
2022-06-30T14:12:02.383+0200 DEBUG Resolving com.oracle.database.jdbc:ojdbc-bom:21.5.0.0...
2022-06-30T14:12:02.384+0200 DEBUG Resolving io.prometheus:simpleclient_bom:0.15.0...
2022-06-30T14:12:02.386+0200 DEBUG Resolving com.querydsl:querydsl-bom:5.0.0...
2022-06-30T14:12:02.387+0200 DEBUG Resolving io.r2dbc:r2dbc-bom:Borca-SR1...
2022-06-30T14:12:02.388+0200 DEBUG Resolving io.projectreactor:reactor-bom:2020.0.19...
2022-06-30T14:12:02.388+0200 DEBUG Resolving io.rsocket:rsocket-bom:1.1.2...
2022-06-30T14:12:02.389+0200 DEBUG Resolving org.springframework.data:spring-data-bom:2021.2.0...
2022-06-30T14:12:02.390+0200 DEBUG Resolving org.springframework:spring-framework-bom:5.3.20...
2022-06-30T14:12:02.390+0200 DEBUG Resolving org.springframework.integration:spring-integration-bom:5.5.12...
2022-06-30T14:12:02.392+0200 DEBUG Resolving org.springframework.security:spring-security-bom:5.7.1...
2022-06-30T14:12:02.392+0200 DEBUG Resolving org.springframework.session:spring-session-bom:2021.2.0...
2022-06-30T14:12:02.394+0200 DEBUG Resolving com.eposnow:service-framework:0.0.3...
2022-06-30T14:12:02.394+0200 DEBUG Resolving com.eposnow:RiftDocumentTest:1.0.1...
2022-06-30T14:12:02.395+0200 DEBUG Resolving org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE...
2022-06-30T14:12:02.397+0200 DEBUG Resolving org.springframework.boot:spring-boot-starter:2.7.0...
2022-06-30T14:12:02.397+0200 DEBUG Resolving org.springframework.boot:spring-boot-starter-web:2.7.0...
2022-06-30T14:12:02.398+0200 DEBUG Resolving org.springdoc:springdoc-openapi-ui:1.6.9...
2022-06-30T14:12:02.401+0200 DEBUG Resolving org.springframework:spring-beans:4.3.30.RELEASE...
2022-06-30T14:12:02.502+0200 DEBUG Resolving org.springframework:spring-core:4.3.30.RELEASE...
2022-06-30T14:12:02.520+0200 DEBUG Resolving org.springframework:spring-context:4.3.30.RELEASE...
2022-06-30T14:12:02.537+0200 DEBUG Resolving org.springframework:spring-webmvc:4.3.30.RELEASE...
2022-06-30T14:12:02.556+0200 DEBUG Resolving org.springframework.security:spring-security-core:4.2.20.RELEASE...
2022-06-30T14:12:02.575+0200 DEBUG Resolving org.springframework:spring-framework-bom:4.3.30.RELEASE...
2022-06-30T14:12:02.593+0200 DEBUG Resolving org.springframework.security:spring-security-config:4.2.20.RELEASE...
2022-06-30T14:12:02.614+0200 DEBUG Resolving org.springframework.security:spring-security-web:4.2.20.RELEASE...
2022-06-30T14:12:02.632+0200 DEBUG Resolving commons-codec:commons-codec:1.14...
2022-06-30T14:12:02.690+0200 DEBUG Resolving org.springframework.boot:spring-boot:2.7.0...
2022-06-30T14:12:02.691+0200 DEBUG Resolving org.springframework.boot:spring-boot-autoconfigure:2.7.0...
2022-06-30T14:12:02.691+0200 DEBUG Resolving org.springframework.boot:spring-boot-starter-logging:2.7.0...
2022-06-30T14:12:02.691+0200 DEBUG Resolving jakarta.annotation:jakarta.annotation-api:1.3.5...
2022-06-30T14:12:02.694+0200 DEBUG Resolving org.yaml:snakeyaml:1.30...
2022-06-30T14:12:02.695+0200 DEBUG Resolving org.springframework.boot:spring-boot-starter-json:2.7.0...
2022-06-30T14:12:02.696+0200 DEBUG Resolving org.springframework.boot:spring-boot-starter-tomcat:2.7.0...
2022-06-30T14:12:02.696+0200 DEBUG Resolving org.springframework:spring-web:5.3.20...
2022-06-30T14:12:02.697+0200 DEBUG Resolving org.springdoc:springdoc-openapi-webmvc-core:2.7.0...
2022-06-30T14:12:02.712+0200 DEBUG org.springdoc:springdoc-openapi-webmvc-core:2.7.0 was not found in local/remote repositories
2022-06-30T14:12:02.712+0200 DEBUG Resolving org.webjars:swagger-ui:4.11.1...
2022-06-30T14:12:02.714+0200 DEBUG Resolving org.webjars:webjars-locator-core:0.50...
2022-06-30T14:12:02.715+0200 DEBUG Resolving commons-logging:commons-logging:1.2...
2022-06-30T14:12:02.720+0200 DEBUG Resolving org.springframework:spring-aop:4.3.30.RELEASE...
2022-06-30T14:12:02.736+0200 DEBUG Resolving org.springframework:spring-expression:4.3.30.RELEASE...
2022-06-30T14:12:02.752+0200 DEBUG Resolving aopalliance:aopalliance:1.0...
2022-06-30T14:12:02.752+0200 DEBUG Resolving ch.qos.logback:logback-classic:1.2.11...
2022-06-30T14:12:02.754+0200 DEBUG Resolving org.apache.logging.log4j:log4j-to-slf4j:2.17.2...
2022-06-30T14:12:02.758+0200 DEBUG Resolving org.slf4j:jul-to-slf4j:1.7.36...
2022-06-30T14:12:02.760+0200 DEBUG Resolving com.fasterxml.jackson.core:jackson-databind:2.13.3...
2022-06-30T14:12:02.762+0200 DEBUG Resolving com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.13.3...
2022-06-30T14:12:02.763+0200 DEBUG Resolving com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.13.3...
2022-06-30T14:12:02.764+0200 DEBUG Resolving com.fasterxml.jackson.module:jackson-module-parameter-names:2.13.3...
2022-06-30T14:12:02.765+0200 DEBUG Resolving org.apache.tomcat.embed:tomcat-embed-core:9.0.63...
2022-06-30T14:12:02.765+0200 DEBUG Resolving org.apache.tomcat.embed:tomcat-embed-el:9.0.63...
2022-06-30T14:12:02.766+0200 DEBUG Resolving org.apache.tomcat.embed:tomcat-embed-websocket:9.0.63...
2022-06-30T14:12:02.766+0200 DEBUG Resolving org.slf4j:slf4j-api:1.7.36...
2022-06-30T14:12:02.766+0200 DEBUG Resolving com.fasterxml.jackson.core:jackson-core:2.13.1...
2022-06-30T14:12:02.821+0200 DEBUG Resolving ch.qos.logback:logback-core:1.2.11...
2022-06-30T14:12:02.822+0200 DEBUG Resolving com.fasterxml.jackson.core:jackson-annotations:2.13.3...
2022-06-30T14:12:02.876+0200 DEBUG OS is not detected.
2022-06-30T14:12:02.876+0200 DEBUG Detected OS: unknown
2022-06-30T14:12:02.876+0200 INFO Number of language-specific files: 1
2022-06-30T14:12:02.876+0200 INFO Detecting pom vulnerabilities...
2022-06-30T14:12:02.876+0200 DEBUG Detecting library vulnerabilities, type: pom, path: pom.xml
Output of trivy -v:
Version: 0.29.2
Vulnerability DB:
Version: 2
UpdatedAt: 2022-06-30 12:06:32.283426777 +0000 UTC
NextUpdate: 2022-06-30 18:06:32.283426377 +0000 UTC
DownloadedAt: 2022-06-30 12:12:02.328067 +0000 UTC
Additional details (base image name, container registry info…):
I have the feeling this can be related to this closed PR: https://github.com/aquasecurity/trivy/issues/1943
Here is the pom.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.company</groupId>
    <artifactId>project</artifactId>
    <version>0.0.1</version>
    <packaging>jar</packaging>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.0</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <name>project</name>
    <description>converter service</description>
    <properties>
        <java.version>1.8</java.version>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven.compiler.source>${java.version}</maven.compiler.source>
        <maven.compiler.target>${java.version}</maven.compiler.target>
        <spring.boot.version>2.7.0</spring.boot.version>
        <project.artifact.name>${project.artifactId}</project.artifact.name>
        <log4j2.version>2.17.0</log4j2.version>
        <logback.version>1.2.9</logback.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
            <version>2.5.2.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.mockito</groupId>
            <artifactId>mockito-all</artifactId>
            <version>1.10.19</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <version>${spring.boot.version}</version>
            </plugin>
            <plugin>
                <groupId>pl.project13.maven</groupId>
                <artifactId>git-commit-id-plugin</artifactId>
                <version>2.2.4</version>
                <executions>
                    <execution>
                        <id>get-the-git-infos</id>
                        <goals>
                            <goal>revision</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <dotGitDirectory>${project.basedir}/.git</dotGitDirectory>
                    <prefix>git</prefix>
                    <verbose>false</verbose>
                    <generateGitPropertiesFile>true</generateGitPropertiesFile>
                    <generateGitPropertiesFilename>${project.build.outputDirectory}/git.properties</generateGitPropertiesFilename>
                    <format>json</format>
                    <gitDescribe>
                        <skip>false</skip>
                        <always>false</always>
                        <dirty>-dirty</dirty>
                    </gitDescribe>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>
About this issue
- State: closed
- Created 2 years ago
- Comments: 15
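As an added check (not code from this report or from trivy), the comparison the reporter did by hand with grep, scripted: it reads `mvn dependency:tree` output, which reflects Maven's own resolution with the parent's managed versions applied, and flags every trivy finding whose InstalledVersion disagrees with it. It assumes the layout of trivy's `--format json` report (`Results[].Vulnerabilities[].PkgName` / `InstalledVersion`, `Type` of `pom`); the sample inputs are constructed to mirror the versions in the report, and the CVE ids are placeholders.

```python
import json
import re

# Constructed sample in the shape of `mvn dependency:tree` output (versions as in the report).
MVN_TREE = """\
[INFO] |  +- org.springframework.security:spring-security-core:jar:5.7.1:compile
[INFO] |  +- org.springframework.security:spring-security-web:jar:5.7.1:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.3.20:compile
"""

# Constructed trivy `--format json` fragment; field names follow trivy's JSON report (assumed),
# the ids are placeholders and the versions mirror what the report says trivy detected.
TRIVY_JSON = json.dumps({"Results": [{"Target": "pom.xml", "Type": "pom", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-PLACEHOLDER-1", "Severity": "HIGH",
     "PkgName": "org.springframework.security:spring-security-core", "InstalledVersion": "4.2.20.RELEASE"},
    {"VulnerabilityID": "CVE-PLACEHOLDER-2", "Severity": "MEDIUM",
     "PkgName": "org.springframework:spring-core", "InstalledVersion": "5.3.20"},
]}]})

# "[INFO]", then tree glyphs (| + - \ and spaces), then one coordinate with no spaces inside.
TREE_LINE = re.compile(r"^\[INFO\]\s+[|+\\\- ]*(\S+)\s*$")


def parse_mvn_tree(text):
    """Map 'group:artifact' -> version as Maven itself resolved it (managed versions applied)."""
    resolved = {}
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        parts = m.group(1).split(":") if m else []
        if len(parts) >= 5:  # group:artifact:type[:classifier]:version:scope
            resolved[f"{parts[0]}:{parts[1]}"] = parts[-2]
    return resolved


def trivy_versions(report_json):
    """Map 'group:artifact' -> InstalledVersion that trivy's pom scanner attached to each finding."""
    seen = {}
    for result in json.loads(report_json).get("Results", []):
        if result.get("Type") == "pom":
            for vuln in result.get("Vulnerabilities") or []:
                seen[vuln["PkgName"]] = vuln["InstalledVersion"]
    return seen


def version_mismatches(tree_text, report_json):
    """Findings whose InstalledVersion disagrees with Maven's resolution, as (pkg, trivy, maven);
    maven is None when Maven never resolved that artifact at all (a finding to treat as suspect)."""
    maven = parse_mvn_tree(tree_text)
    return sorted((pkg, tv, maven.get(pkg))
                  for pkg, tv in trivy_versions(report_json).items() if maven.get(pkg) != tv)
```

Against real input, feed it `mvn dependency:tree` output and a `trivy fs --format json` report of the same checkout; any row it returns is a finding whose version should be verified before triage.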
Hi @DmitriyLewen, that's pretty cool !!!
Thank you very much.
Hi @DmitriyLewen,
If we remove
then trivy finds the right deps. But as soon as the parent is introduced, introducing dependency updates, then trivy does not recognize the right versions.
Thank you for your work,
John.