trivy: Trivy detects CVE-2018-14721 on wrong versions of jackson-databind

Trivy detects jackson in a docker image but fails to take the version into account


The CVE mentions FasterXML jackson-databind 2.x before 2.9.7, but the contents of the docker image are jackson-*-2.10.3.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 17 (9 by maintainers)

Most upvoted comments

Thank you very much, master machine!!!

@MartinKirchner now trivy json format prints data with PkgPath.

Note: JAR detection was disabled in fs/repo scanning.

It works for me:

trivy -d rootfs -f json -o r.json --offline-scan .

I’ve tested this option in trivy v0.22.0.

works for me 😉

@afdesk In my opinion you can close the issue. However, it was originally from @jvitrifork and I have no idea if his problem is solved.

@afdesk That is great! I updated and tried it out. Thanks a lot! I wish you all the best in 2022.

I now unzipped the JAR and searched for the offending names:

/tmp/WEB-INF/lib/ehcache-2.10.1$ find -name *jetty*
./rest-management-private-classpath/jetty-dir.css
./rest-management-private-classpath/META-INF/maven/org.eclipse.jetty
./rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-continuation
./rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-http
./rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-io
./rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-security
./rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-server
./rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-servlet
./rest-management-private-classpath/META-INF/maven/org.eclipse.jetty/jetty-util
./rest-management-private-classpath/org/eclipse/jetty

/tmp/WEB-INF/lib/ehcache-2.10.1$ find -name *jackson*
./rest-management-private-classpath/com/fasterxml/jackson
./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.core
./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-annotations
./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-core
./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-databind
./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.jaxrs
./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-base
./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-json-provider
./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.module
./rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.module/jackson-module-jaxb-annotations
./rest-management-private-classpath/META-INF/services/com.fasterxml.jackson.core.JsonFactory
./rest-management-private-classpath/META-INF/services/com.fasterxml.jackson.core.ObjectCodec
./rest-management-private-classpath/META-INF/services/com.fasterxml.jackson.databind.Module

So it seems that ehcache sort of repackages the offending libraries. I cannot say yet from which version the repackaged class files are.

So as an intermediate request to trivy I’d like to propose to print out the path to the offending library.
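To check by hand what the directory listing above hints at (a library repackaged under a private classpath inside another JAR, possibly at a different version than the copy Trivy reports), the script below walks a WAR/JAR and every JAR nested inside it, reads each `META-INF/maven/<groupId>/<artifactId>/pom.properties`, and reports artifact, version and the full archive path where it was found, then compares jackson-databind hits against the range quoted in the issue (2.x before 2.9.7). This is an added example, not code from the Trivy project or from the commenters; it assumes the repackaged classpath still carries `pom.properties` files under its `META-INF/maven` directory, and the sample archive it builds is constructed here (including the `net.sf.ehcache` groupId and the embedded jackson-databind version `2.6.7`, which is chosen only to illustrate an in-range hit and is not a statement about what ehcache 2.10.1 actually ships).

```python
"""Inspect a JAR/WAR for Maven artifacts embedded by shading or repackaging.

Walks META-INF/maven/<groupId>/<artifactId>/pom.properties entries in the
archive and in any JAR nested inside it, and reports each artifact with the
path where it was found, so a scanner hit such as CVE-2018-14721 on
jackson-databind can be checked against the version actually present.
Added example; sample archive contents are constructed, not real ehcache data.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# pom.properties may sit under a nested prefix such as
# rest-management-private-classpath/META-INF/maven/... (see the listing above).
POM_PROPERTIES = re.compile(r"(?:^|/)META-INF/maven/[^/]+/[^/]+/pom\.properties$")


@dataclass(frozen=True)
class Artifact:
    group_id: str
    artifact_id: str
    version: str
    path: str  # archive path of the pom.properties; nested JARs are joined with "!/"


def parse_pom_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def find_artifacts(data: bytes, path: str = "") -> list:
    """Return Artifacts found in zip bytes `data`, recursing into nested *.jar entries."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if POM_PROPERTIES.search(name):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    found.append(Artifact(props["groupId"], props["artifactId"],
                                          props["version"], path + name))
            elif name.endswith(".jar"):
                found.extend(find_artifacts(zf.read(name), path + name + "!/"))
    return found


def version_key(version: str) -> tuple:
    """Numeric tuple for comparison ('2.10.3' -> (2, 10, 3)).
    Parsing stops at the first non-numeric part, so qualifiers such as '-rc1' are ignored."""
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        key.append(int(m.group()))
        if m.end() != len(part):
            break
    return tuple(key)


def affected_by_cve_2018_14721(a: Artifact) -> bool:
    """Range as quoted in the issue text: jackson-databind 2.x before 2.9.7."""
    if (a.group_id, a.artifact_id) != ("com.fasterxml.jackson.core", "jackson-databind"):
        return False
    key = version_key(a.version)
    return len(key) > 0 and key[0] == 2 and key < (2, 9, 7)


def report(data: bytes) -> list:
    """(Artifact, affected) for every artifact found, including repackaged copies."""
    return [(a, affected_by_cve_2018_14721(a)) for a in find_artifacts(data)]


def build_sample_war() -> bytes:
    """Constructed sample: a WAR with jackson-databind 2.10.3 in WEB-INF/lib and an
    ehcache JAR carrying its own repackaged jackson-databind (version chosen for illustration)."""
    def jar(entries: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()

    jackson = "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\nversion=2.10.3\n"
    ehcache = "groupId=net.sf.ehcache\nartifactId=ehcache\nversion=2.10.1\n"
    embedded = "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\nversion=2.6.7\n"
    ehcache_jar = jar({
        "META-INF/maven/net.sf.ehcache/ehcache/pom.properties": ehcache,
        "rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.core/"
        "jackson-databind/pom.properties": embedded,
    })
    return jar({
        "WEB-INF/lib/jackson-databind-2.10.3.jar": jar(
            {"META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties": jackson}),
        "WEB-INF/lib/ehcache-2.10.1.jar": ehcache_jar,
    })


if __name__ == "__main__":
    for artifact, affected in report(build_sample_war()):
        flag = "AFFECTED" if affected else "ok"
        print(f"{flag:8} {artifact.group_id}:{artifact.artifact_id}:{artifact.version}  {artifact.path}")
```

Run against a real file with `find_artifacts(open("app.war", "rb").read())`; the `!/`-joined path in each result is exactly the "path to the offending library" the comment asks for, and the version comparison shows whether the reported finding belongs to the top-level dependency or to a copy repackaged inside another JAR.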