DmitriyLewen
## Description We use the [Context.WithTimeout](https://github.com/aquasecurity/trivy/blob/b4ad00f301a5fd7326060a567871c6f4a9711696/pkg/commands/artifact/run.go#L365) function to stop Trivy on timeout. But we don't use a context for the [Parser](https://github.com/aquasecurity/trivy/blob/1f5f34895823fae81bf521fc939bee743a50e304/pkg/fanal/analyzer/language/analyze.go#L16-L19) interface. That is why Trivy doesn't stop the run if...
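The failure mode described above (a deadline set with `context.WithTimeout` that a parser never observes) can be shown with a small context-aware parser. This is an added example, not code from the PR or from Trivy: the `Parser` interface, `Package` type, `lockfileParser` and the constructed `slowReader` input are hypothetical stand-ins for whatever the real analyzer uses.

```go
package main

import (
	"bufio"
	"context"
	"errors"
	"fmt"
	"io"
	"strings"
	"time"
)

// Package is a hypothetical stand-in for a parsed dependency.
type Package struct {
	Name    string
	Version string
}

// Parser is a hypothetical context-aware parser interface: the caller's
// context is threaded into Parse so a deadline can interrupt a long parse.
type Parser interface {
	Parse(ctx context.Context, r io.Reader) ([]Package, error)
}

type lockfileParser struct{}

// Parse reads "name version" lines and checks ctx.Done() before handling
// each line, so an expired deadline stops the parse instead of being ignored.
func (lockfileParser) Parse(ctx context.Context, r io.Reader) ([]Package, error) {
	var pkgs []Package
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		select {
		case <-ctx.Done():
			// Return what was parsed so far together with the context error.
			return pkgs, ctx.Err()
		default:
		}
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		pkgs = append(pkgs, Package{Name: fields[0], Version: fields[1]})
	}
	return pkgs, sc.Err()
}

// parseLockfile is the entry point the tests call.
func parseLockfile(ctx context.Context, r io.Reader) ([]Package, error) {
	return lockfileParser{}.Parse(ctx, r)
}

// slowReader is a constructed input that yields one line per Read call after
// a delay, simulating a large or slow-to-read lockfile.
type slowReader struct {
	lines []string
	delay time.Duration
}

func (s *slowReader) Read(p []byte) (int, error) {
	if len(s.lines) == 0 {
		return 0, io.EOF
	}
	time.Sleep(s.delay)
	line := s.lines[0] + "\n"
	s.lines = s.lines[1:]
	return copy(p, line), nil
}

func main() {
	lines := []string{"a 1.0", "b 2.0", "c 3.0", "d 4.0", "e 5.0", "f 6.0"}

	// Deadline shorter than the time the reader needs: the parse is cut short.
	ctx, cancel := context.WithTimeout(context.Background(), 25*time.Millisecond)
	defer cancel()
	pkgs, err := parseLockfile(ctx, &slowReader{lines: lines, delay: 20 * time.Millisecond})
	fmt.Printf("with timeout: %d packages, err=%v, deadline=%v\n",
		len(pkgs), err, errors.Is(err, context.DeadlineExceeded))

	// No deadline: every line is parsed.
	pkgs, err = parseLockfile(context.Background(), &slowReader{lines: lines})
	fmt.Printf("without timeout: %d packages, err=%v\n", len(pkgs), err)
}
```

The check sits inside the read loop rather than only at function entry; a single check before parsing would still let a multi-megabyte file run to completion after the deadline had passed.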
## Description This PR improves the licensing scanner to handle SPDX license expressions with the WITH operator and implements case-insensitive license matching for better compatibility. Key Changes: 1. SPDX WITH...
## Description Refactored vulnerability severity processing logic to fix package-specific severity handling. The changes move the package-specific severity processing earlier in the flow and ensure vendor severities are properly stored...
## Description Maven has 2 "types" of properties: - from `Properties` element - from pom fields (e.g. `project.version`, `parent.project.artifactID`, etc.) Maven priority (check next point if property is empty): 1....
## Description Trivy fills fields from the pom.xml file in as properties (e.g. `project.version`, `project.parent.version`, etc.). But when there are nested parents, Trivy takes incorrect values. ### Example - Current logic...
## Description Trivy currently ignores licenses only by full compliance. E.g. for `LGPLv2+ and MIT` you need to use `LGPLv2+ and MIT` (`MIT and LGPLv2+` will not work). ### Feature...
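One way to make an ignore list accept `MIT and LGPLv2+` for an entry written as `LGPLv2+ and MIT` is to compare canonical forms in which the operands of a single commutative operator are sorted. This is an added example and not the PR's implementation or Trivy's license code; `canonical` and `ignored` are hypothetical helpers, and the expressions in `main` are constructed inputs. It deliberately only reorders flat expressions that use one operator throughout: a mixed `A and B or C` is left in its original order, since reordering without parsing precedence would change its meaning.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// opRe matches a whitespace-delimited AND/OR operator, case-insensitively.
// Requiring whitespace on both sides keeps identifiers such as
// "GPL-2.0-only WITH Classpath-exception-2.0" as single operands.
var opRe = regexp.MustCompile(`(?i)\s+(and|or)\s+`)

// canonical returns a normalized form of a flat license expression:
// operands trimmed, operators lower-cased, and operands sorted when every
// operator in the expression is the same (AND and OR are each commutative).
// Expressions mixing AND and OR keep their operand order.
func canonical(expr string) string {
	ops := opRe.FindAllStringSubmatch(expr, -1)
	operands := opRe.Split(expr, -1)
	for i := range operands {
		operands[i] = strings.TrimSpace(operands[i])
	}
	if len(ops) == 0 {
		return operands[0]
	}
	first := strings.ToLower(ops[0][1])
	sameOp := true
	for _, o := range ops {
		if strings.ToLower(o[1]) != first {
			sameOp = false
			break
		}
	}
	if sameOp {
		sort.Strings(operands)
		return strings.Join(operands, " "+first+" ")
	}
	// Mixed operators: normalize operator case only, preserve order.
	var b strings.Builder
	b.WriteString(operands[0])
	for i, o := range ops {
		b.WriteString(" " + strings.ToLower(o[1]) + " " + operands[i+1])
	}
	return b.String()
}

// ignored reports whether license matches any entry of ignoreList after
// both sides are canonicalized.
func ignored(license string, ignoreList []string) bool {
	c := canonical(license)
	for _, entry := range ignoreList {
		if canonical(entry) == c {
			return true
		}
	}
	return false
}

func main() {
	ignoreList := []string{"LGPLv2+ and MIT"} // constructed ignore list
	for _, lic := range []string{
		"LGPLv2+ and MIT",
		"MIT and LGPLv2+",
		"MIT AND LGPLv2+",
		"MIT or LGPLv2+",
		"MIT and Apache-2.0 or LGPLv2+",
	} {
		fmt.Printf("%-32q canonical=%-32q ignored=%v\n", lic, canonical(lic), ignored(lic, ignoreList))
	}
}
```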
## Description This PR refactors how POM (Maven) package IDs are generated in Trivy to address issues with duplicate dependencies across multi-module Maven projects. Previously, package IDs were based solely...
## Description This PR fixes an issue where OS package PURLs (Package URLs) were not being updated when the --distro flag is used to override the detected OS. Previously, when...
## Description In CycloneDX 1.5, the location and line fields were added under [component.evidence.occurrences](https://cyclonedx.org/docs/1.7/json/#components_items_evidence_occurrences). These are fields we can use in Trivy: 1. location can be used instead of property.filePath...
## Description SBOM formats allow multiple components with different bomRef/SPDXID, but with the same name + version. Example from docker.io/bitnamilegacy/postgresql:15.4.0-debian-11-r45: ```json { "name": "org.postgresql:pljava", "SPDXID": "SPDXRef-Package-200e4c8a9fedcdb5", "versionInfo": "1.6.6", "supplier": "NOASSERTION",...