trivy
pom.xml scanner finds wrong dependency versions
Description
While scanning my Java project, Trivy detects wrong versions of certain dependencies, such as:
org.springframework.security:spring-security-core : 4.2.20.RELEASE
org.springframework.security:spring-security-web : 4.2.20.RELEASE
org.springframework:spring-beans : 4.3.30.RELEASE
org.springframework:spring-core : 4.3.30.RELEASE
But
john@sophia$ mvn compile dependency:tree | grep spring-security-core
[INFO] | +- org.springframework.security:spring-security-core:jar:5.7.1:compile
or
john@sophia$ mvn compile dependency:tree | grep spring-security-web
[INFO] | +- org.springframework.security:spring-security-web:jar:5.7.1:compile
What did you expect to happen?
I expect Trivy to look for the right versions.
What happened instead?
Trivy triggers false-positive reports, since the tool detects the wrong versions.
Output of run with -debug:
2022-06-30T14:11:59.248+0200 DEBUG Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-06-30T14:11:59.293+0200 DEBUG cache dir: /Users/john/Library/Caches/trivy
2022-06-30T14:11:59.293+0200 INFO Need to update DB
2022-06-30T14:11:59.293+0200 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-06-30T14:11:59.293+0200 INFO Downloading DB...
32.83 MiB / 32.83 MiB [------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 22.74 MiB p/s 1.6s
2022-06-30T14:12:02.328+0200 DEBUG Updating database metadata...
2022-06-30T14:12:02.328+0200 DEBUG DB Schema: 2, UpdatedAt: 2022-06-30 12:06:32.283426777 +0000 UTC, NextUpdate: 2022-06-30 18:06:32.283426377 +0000 UTC, DownloadedAt: 2022-06-30 12:12:02.328067 +0000 UTC
2022-06-30T14:12:02.328+0200 INFO Vulnerability scanning is enabled
2022-06-30T14:12:02.328+0200 DEBUG Vulnerability type: [os library]
2022-06-30T14:12:02.328+0200 INFO Secret scanning is enabled
2022-06-30T14:12:02.328+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-06-30T14:12:02.328+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.29.2/docs/secret/scanning/#recommendation for faster secret detection
2022-06-30T14:12:02.328+0200 DEBUG No secret config detected: trivy-secret.yaml
2022-06-30T14:12:02.349+0200 DEBUG Resolving com.datastax.oss:java-driver-bom:4.14.1...
2022-06-30T14:12:02.355+0200 DEBUG Resolving io.dropwizard.metrics:metrics-bom:4.2.9...
2022-06-30T14:12:02.357+0200 DEBUG Resolving org.codehaus.groovy:groovy-bom:3.0.10...
2022-06-30T14:12:02.359+0200 DEBUG Resolving org.infinispan:infinispan-bom:13.0.10.Final...
2022-06-30T14:12:02.364+0200 DEBUG Resolving com.fasterxml.jackson:jackson-bom:2.13.3...
2022-06-30T14:12:02.367+0200 DEBUG Resolving org.glassfish.jersey:jersey-bom:2.35...
2022-06-30T14:12:02.370+0200 DEBUG Resolving org.eclipse.jetty:jetty-bom:9.4.46.v20220331...
2022-06-30T14:12:02.372+0200 DEBUG Resolving org.junit:junit-bom:5.8.2...
2022-06-30T14:12:02.372+0200 DEBUG Resolving org.jetbrains.kotlin:kotlin-bom:1.6.21...
2022-06-30T14:12:02.374+0200 DEBUG Resolving org.jetbrains.kotlinx:kotlinx-coroutines-bom:1.6.1...
2022-06-30T14:12:02.374+0200 DEBUG Resolving org.apache.logging.log4j:log4j-bom:2.17.2...
2022-06-30T14:12:02.377+0200 DEBUG Resolving io.micrometer:micrometer-bom:1.9.0...
2022-06-30T14:12:02.378+0200 DEBUG Resolving org.mockito:mockito-bom:4.5.1...
2022-06-30T14:12:02.378+0200 DEBUG Resolving io.netty:netty-bom:4.1.77.Final...
2022-06-30T14:12:02.383+0200 DEBUG Resolving com.squareup.okhttp3:okhttp-bom:4.9.3...
2022-06-30T14:12:02.383+0200 DEBUG Resolving com.oracle.database.jdbc:ojdbc-bom:21.5.0.0...
2022-06-30T14:12:02.384+0200 DEBUG Resolving io.prometheus:simpleclient_bom:0.15.0...
2022-06-30T14:12:02.386+0200 DEBUG Resolving com.querydsl:querydsl-bom:5.0.0...
2022-06-30T14:12:02.387+0200 DEBUG Resolving io.r2dbc:r2dbc-bom:Borca-SR1...
2022-06-30T14:12:02.388+0200 DEBUG Resolving io.projectreactor:reactor-bom:2020.0.19...
2022-06-30T14:12:02.388+0200 DEBUG Resolving io.rsocket:rsocket-bom:1.1.2...
2022-06-30T14:12:02.389+0200 DEBUG Resolving org.springframework.data:spring-data-bom:2021.2.0...
2022-06-30T14:12:02.390+0200 DEBUG Resolving org.springframework:spring-framework-bom:5.3.20...
2022-06-30T14:12:02.390+0200 DEBUG Resolving org.springframework.integration:spring-integration-bom:5.5.12...
2022-06-30T14:12:02.392+0200 DEBUG Resolving org.springframework.security:spring-security-bom:5.7.1...
2022-06-30T14:12:02.392+0200 DEBUG Resolving org.springframework.session:spring-session-bom:2021.2.0...
2022-06-30T14:12:02.394+0200 DEBUG Resolving com.eposnow:service-framework:0.0.3...
2022-06-30T14:12:02.394+0200 DEBUG Resolving com.eposnow:RiftDocumentTest:1.0.1...
2022-06-30T14:12:02.395+0200 DEBUG Resolving org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE...
2022-06-30T14:12:02.397+0200 DEBUG Resolving org.springframework.boot:spring-boot-starter:2.7.0...
2022-06-30T14:12:02.397+0200 DEBUG Resolving org.springframework.boot:spring-boot-starter-web:2.7.0...
2022-06-30T14:12:02.398+0200 DEBUG Resolving org.springdoc:springdoc-openapi-ui:1.6.9...
2022-06-30T14:12:02.401+0200 DEBUG Resolving org.springframework:spring-beans:4.3.30.RELEASE...
2022-06-30T14:12:02.502+0200 DEBUG Resolving org.springframework:spring-core:4.3.30.RELEASE...
2022-06-30T14:12:02.520+0200 DEBUG Resolving org.springframework:spring-context:4.3.30.RELEASE...
2022-06-30T14:12:02.537+0200 DEBUG Resolving org.springframework:spring-webmvc:4.3.30.RELEASE...
2022-06-30T14:12:02.556+0200 DEBUG Resolving org.springframework.security:spring-security-core:4.2.20.RELEASE...
2022-06-30T14:12:02.575+0200 DEBUG Resolving org.springframework:spring-framework-bom:4.3.30.RELEASE...
2022-06-30T14:12:02.593+0200 DEBUG Resolving org.springframework.security:spring-security-config:4.2.20.RELEASE...
2022-06-30T14:12:02.614+0200 DEBUG Resolving org.springframework.security:spring-security-web:4.2.20.RELEASE...
2022-06-30T14:12:02.632+0200 DEBUG Resolving commons-codec:commons-codec:1.14...
2022-06-30T14:12:02.690+0200 DEBUG Resolving org.springframework.boot:spring-boot:2.7.0...
2022-06-30T14:12:02.691+0200 DEBUG Resolving org.springframework.boot:spring-boot-autoconfigure:2.7.0...
2022-06-30T14:12:02.691+0200 DEBUG Resolving org.springframework.boot:spring-boot-starter-logging:2.7.0...
2022-06-30T14:12:02.691+0200 DEBUG Resolving jakarta.annotation:jakarta.annotation-api:1.3.5...
2022-06-30T14:12:02.694+0200 DEBUG Resolving org.yaml:snakeyaml:1.30...
2022-06-30T14:12:02.695+0200 DEBUG Resolving org.springframework.boot:spring-boot-starter-json:2.7.0...
2022-06-30T14:12:02.696+0200 DEBUG Resolving org.springframework.boot:spring-boot-starter-tomcat:2.7.0...
2022-06-30T14:12:02.696+0200 DEBUG Resolving org.springframework:spring-web:5.3.20...
2022-06-30T14:12:02.697+0200 DEBUG Resolving org.springdoc:springdoc-openapi-webmvc-core:2.7.0...
2022-06-30T14:12:02.712+0200 DEBUG org.springdoc:springdoc-openapi-webmvc-core:2.7.0 was not found in local/remote repositories
2022-06-30T14:12:02.712+0200 DEBUG Resolving org.webjars:swagger-ui:4.11.1...
2022-06-30T14:12:02.714+0200 DEBUG Resolving org.webjars:webjars-locator-core:0.50...
2022-06-30T14:12:02.715+0200 DEBUG Resolving commons-logging:commons-logging:1.2...
2022-06-30T14:12:02.720+0200 DEBUG Resolving org.springframework:spring-aop:4.3.30.RELEASE...
2022-06-30T14:12:02.736+0200 DEBUG Resolving org.springframework:spring-expression:4.3.30.RELEASE...
2022-06-30T14:12:02.752+0200 DEBUG Resolving aopalliance:aopalliance:1.0...
2022-06-30T14:12:02.752+0200 DEBUG Resolving ch.qos.logback:logback-classic:1.2.11...
2022-06-30T14:12:02.754+0200 DEBUG Resolving org.apache.logging.log4j:log4j-to-slf4j:2.17.2...
2022-06-30T14:12:02.758+0200 DEBUG Resolving org.slf4j:jul-to-slf4j:1.7.36...
2022-06-30T14:12:02.760+0200 DEBUG Resolving com.fasterxml.jackson.core:jackson-databind:2.13.3...
2022-06-30T14:12:02.762+0200 DEBUG Resolving com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.13.3...
2022-06-30T14:12:02.763+0200 DEBUG Resolving com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.13.3...
2022-06-30T14:12:02.764+0200 DEBUG Resolving com.fasterxml.jackson.module:jackson-module-parameter-names:2.13.3...
2022-06-30T14:12:02.765+0200 DEBUG Resolving org.apache.tomcat.embed:tomcat-embed-core:9.0.63...
2022-06-30T14:12:02.765+0200 DEBUG Resolving org.apache.tomcat.embed:tomcat-embed-el:9.0.63...
2022-06-30T14:12:02.766+0200 DEBUG Resolving org.apache.tomcat.embed:tomcat-embed-websocket:9.0.63...
2022-06-30T14:12:02.766+0200 DEBUG Resolving org.slf4j:slf4j-api:1.7.36...
2022-06-30T14:12:02.766+0200 DEBUG Resolving com.fasterxml.jackson.core:jackson-core:2.13.1...
2022-06-30T14:12:02.821+0200 DEBUG Resolving ch.qos.logback:logback-core:1.2.11...
2022-06-30T14:12:02.822+0200 DEBUG Resolving com.fasterxml.jackson.core:jackson-annotations:2.13.3...
2022-06-30T14:12:02.876+0200 DEBUG OS is not detected.
2022-06-30T14:12:02.876+0200 DEBUG Detected OS: unknown
2022-06-30T14:12:02.876+0200 INFO Number of language-specific files: 1
2022-06-30T14:12:02.876+0200 INFO Detecting pom vulnerabilities...
2022-06-30T14:12:02.876+0200 DEBUG Detecting library vulnerabilities, type: pom, path: pom.xml
Output of trivy -v:
Version: 0.29.2
Vulnerability DB:
Version: 2
UpdatedAt: 2022-06-30 12:06:32.283426777 +0000 UTC
NextUpdate: 2022-06-30 18:06:32.283426377 +0000 UTC
DownloadedAt: 2022-06-30 12:12:02.328067 +0000 UTC
Additional details (base image name, container registry info...):
I have the feeling this can be related to this closed PR: https://github.com/aquasecurity/trivy/issues/1943
Here is pom.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.company</groupId>
    <artifactId>project</artifactId>
    <version>0.0.1</version>
    <packaging>jar</packaging>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.0</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <name>project</name>
    <description>converter service</description>
    <properties>
        <java.version>1.8</java.version>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven.compiler.source>${java.version}</maven.compiler.source>
        <maven.compiler.target>${java.version}</maven.compiler.target>
        <spring.boot.version>2.7.0</spring.boot.version>
        <project.artifact.name>${project.artifactId}</project.artifact.name>
        <log4j2.version>2.17.0</log4j2.version>
        <logback.version>1.2.9</logback.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
            <version>2.5.2.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.mockito</groupId>
            <artifactId>mockito-all</artifactId>
            <version>1.10.19</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <version>${spring.boot.version}</version>
            </plugin>
            <plugin>
                <groupId>pl.project13.maven</groupId>
                <artifactId>git-commit-id-plugin</artifactId>
                <version>2.2.4</version>
                <executions>
                    <execution>
                        <id>get-the-git-infos</id>
                        <goals>
                            <goal>revision</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <dotGitDirectory>${project.basedir}/.git</dotGitDirectory>
                    <prefix>git</prefix>
                    <verbose>false</verbose>
                    <generateGitPropertiesFile>true</generateGitPropertiesFile>
                    <generateGitPropertiesFilename>${project.build.outputDirectory}/git.properties</generateGitPropertiesFilename>
                    <format>json</format>
                    <gitDescribe>
                        <skip>false</skip>
                        <always>false</always>
                        <dirty>-dirty</dirty>
                    </gitDescribe>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>
Hello @Bhaal22, thanks for your report!
I can reproduce your problem. I will investigate it and write to you.
Regards, Dmitriy
Hi @DmitriyLewen,
If we remove
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.0</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>
then Trivy finds the right deps. But as soon as the parent is introduced, bringing in dependency updates, Trivy does not recognize the right versions.
Thank you for your work,
John.
Hi @DmitriyLewen, just seen your PR. Thank you for your work. Do you have any idea when those changes can be included?
Hello @Bhaal22, I can't promise, but we will try to include these changes in the next release.
Awesomeness!
The same issue occurs when using this:
<dependency>
    <!-- Import dependency management from Spring Boot -->
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-dependencies</artifactId>
    <version>${spring.boot.version}</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>
and
<dependency>
    <groupId>com.baomidou</groupId>
    <artifactId>mybatis-plus-boot-starter</artifactId>
    <version>${mybatis.plus.boot.starter.version}</version>
</dependency>
Trivy does not detect the right version.
Hello @zhanglc, thanks for your information!
It looks like one dependency is placed in dependencyManagement.
Can you specify which tags (dependencyManagement, dependencyManagement or Parent) contain your dependencies?
Regards, Dmitriy
@DmitriyLewen, below is the minimal reproducible configuration:
.
|-pom.xml
|-application.yml
|-trivy-secret.yaml
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.test</groupId>
    <artifactId>trivy-test</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>pom</packaging>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <!-- Import dependency management from Spring Boot -->
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-dependencies</artifactId>
                <version>2.5.14</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
            <dependency>
                <groupId>com.baomidou</groupId>
                <artifactId>mybatis-plus-boot-starter</artifactId>
                <version>3.5.2</version>
            </dependency>
            <!-- https://mvnrepository.com/artifact/com.itextpdf/itextpdf -->
            <dependency>
                <groupId>com.itextpdf</groupId>
                <artifactId>itextpdf</artifactId>
                <version>5.5.13.3</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.baomidou</groupId>
            <artifactId>mybatis-plus-boot-starter</artifactId>
            <version>3.5.2</version>
        </dependency>
        <dependency>
            <groupId>com.itextpdf</groupId>
            <artifactId>itextpdf</artifactId>
            <version>5.5.13.3</version>
        </dependency>
    </dependencies>
</project>
application.yml
spring:
  datasource:
    dynamic:
      primary: main
      strict: true
      datasource:
        iconnector:
          url: jdbc:postgresql://127.0.0.1:5432/standalone
          username: standalone
          password: test1234
          driver-class-name: org.postgresql.Driver
trivy-secret.yaml
rules:
  - id: rule1
    category: general
    title: Generic Rule
    severity: HIGH
    path: .*\.yml
    keywords:
      - password
    regex: (?i).*(?P<key>password)(=|:)\s(?P<password>[0-9a-zA-Z\-_=]{8,64})
    secret-group-name: secret
allow-rules:
  - id: skip-pom
    description: skip pom files
    path: .*pom\.xml
trivy version:
Version: 0.30.4
Vulnerability DB:
Version: 2
UpdatedAt: 2022-08-10 00:11:08.466749127 +0000 UTC
NextUpdate: 2022-08-10 06:11:08.466748727 +0000 UTC
DownloadedAt: 2022-08-10 01:52:21.665513824 +0000 UTC
vuln check issue
The dependency versions do not look like Maven's. It should be org.springframework.boot:spring-boot:jar:2.5.14:compile, but Trivy detects it as 2.5.3, from the
<dependency>
    <groupId>com.baomidou</groupId>
    <artifactId>mybatis-plus-boot-starter</artifactId>
    <version>3.5.2</version>
</dependency>
mvn dependency:tree
[INFO] +- com.baomidou:mybatis-plus-boot-starter:jar:3.5.2:compile
[INFO] | +- com.baomidou:mybatis-plus:jar:3.5.2:compile
[INFO] | | +- com.baomidou:mybatis-plus-extension:jar:3.5.2:compile
[INFO] | | | +- com.baomidou:mybatis-plus-core:jar:3.5.2:compile
[INFO] | | | | +- com.baomidou:mybatis-plus-annotation:jar:3.5.2:compile
[INFO] | | | | +- com.github.jsqlparser:jsqlparser:jar:4.4:compile
[INFO] | | | | \- org.mybatis:mybatis:jar:3.5.10:compile
[INFO] | | | \- org.mybatis:mybatis-spring:jar:2.0.7:compile
[INFO] | | \- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.5.32:compile
[INFO] | | +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.5.32:compile
[INFO] | | | +- org.jetbrains:annotations:jar:13.0:compile
[INFO] | | | \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.5.32:compile
[INFO] | | \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.5.32:compile
[INFO] | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.5.14:compile
[INFO] | | \- org.springframework.boot:spring-boot:jar:2.5.14:compile
[INFO] | | +- org.springframework:spring-core:jar:5.3.20:compile
[INFO] | | | \- org.springframework:spring-jcl:jar:5.3.20:compile
[INFO] | | \- org.springframework:spring-context:jar:5.3.20:compile
[INFO] | | +- org.springframework:spring-aop:jar:5.3.20:compile
[INFO] | | \- org.springframework:spring-expression:jar:5.3.20:compile
[INFO] | \- org.springframework.boot:spring-boot-starter-jdbc:jar:2.5.14:compile
[INFO] | +- org.springframework.boot:spring-boot-starter:jar:2.5.14:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:2.5.14:compile
[INFO] | | | +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] | | | | \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] | | | | \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] | | | \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] | | +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] | | \- org.yaml:snakeyaml:jar:1.28:compile
[INFO] | +- com.zaxxer:HikariCP:jar:4.0.3:compile
[INFO] | | \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] | \- org.springframework:spring-jdbc:jar:5.3.20:compile
[INFO] | +- org.springframework:spring-beans:jar:5.3.20:compile
[INFO] | \- org.springframework:spring-tx:jar:5.3.20:compile
[INFO] \- com.itextpdf:itextpdf:jar:5.5.13.3:compile
trivy fs --security-checks vuln .
2022-08-10T10:03:26.898+0800 INFO Vulnerability scanning is enabled
2022-08-10T10:03:49.332+0800 INFO Number of language-specific files: 1
2022-08-10T10:03:49.332+0800 INFO Detecting pom vulnerabilities...
pom.xml (pom)
Total: 12 (UNKNOWN: 2, LOW: 0, MEDIUM: 8, HIGH: 0, CRITICAL: 2)
┌───────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├───────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ch.qos.logback:logback-core │ CVE-2021-42550 │ MEDIUM │ 1.2.4 │ 1.2.9 │ logback: remote code execution through JNDI call from within │
│ │ │ │ │ │ its configuration file... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-42550 │
├───────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.boot:spring-boot │ CVE-2022-22965 │ CRITICAL │ 2.5.3 │ 2.5.12, 2.6.6 │ spring-framework: RCE via Data Binding on JDK 9+ │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-22965 │
├───────────────────────────────────────┤ │ ├───────────────────┼────────────────────────┤ │
│ org.springframework:spring-beans │ │ │ 5.3.9 │ 5.3.18, 5.2.20 │ │
│ │ │ │ │ │ │
├───────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-beans │ GHSA-36p3-wjmg-h94x │ UNKNOWN │ 5.3.9 │ 5.2.20, 5.3.18 │ Improper Neutralization of Special Elements used in an OS │
│ │ │ │ │ │ Command ('OS Command... │
│ │ │ │ │ │ https://github.com/advisories/GHSA-36p3-wjmg-h94x │
├───────────────────────────────────────┼─────────────────────┼──────────┤ ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-core │ CVE-2021-22060 │ MEDIUM │ │ 5.3.14, 5.3.14 │ springframework: Additional Log Injection in Spring │
│ │ │ │ │ │ Framework (follow-up to CVE-2021-22096) │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-22060 │
│ ├─────────────────────┤ │ ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-22096 │ │ │ 5.2.18, 5.3.11 │ springframework: malicious input leads to insertion of │
│ │ │ │ │ │ additional log entries │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-22096 │
│ ├─────────────────────┤ │ ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-22950 │ │ │ 5.2.20.RELEASE, 5.3.17 │ spring-expression: Denial of service via specially crafted │
│ │ │ │ │ │ SpEL expression │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-22950 │
├───────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-core │ CVE-2022-22968 │ MEDIUM │ 5.3.9 │ 5.2.21, 5.3.19 │ Spring Framework: Data Binding Rules Vulnerability │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-22968 │
├───────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-core │ CVE-2022-22970 │ MEDIUM │ 5.3.9 │ 5.2.22.RELEASE, 5.3.20 │ springframework: DoS via data binding to multipartFile or │
│ │ │ │ │ │ servlet part │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-22970 │
├───────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-core │ CVE-2022-22971 │ MEDIUM │ 5.3.9 │ 5.2.22.RELEASE, 5.3.20 │ springframework: DoS with STOMP over WebSocket │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-22971 │
├───────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-core │ GHSA-36p3-wjmg-h94x │ UNKNOWN │ 5.3.9 │ 5.2.20, 5.3.18 │ Improper Neutralization of Special Elements used in an OS │
│ │ │ │ │ │ Command ('OS Command... │
│ │ │ │ │ │ https://github.com/advisories/GHSA-36p3-wjmg-h94x │
├───────────────────────────────────────┼─────────────────────┼──────────┤ ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-expression │ CVE-2022-22950 │ MEDIUM │ │ 5.2.20, 5.3.16 │ spring-expression: Denial of service via specially crafted │
│ │ │ │ │ │ SpEL expression │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-22950 │
└───────────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘
secret check issue
We want to check that the password in application.yml is found by adding a rule in trivy-secret.yaml, but it is not found.
trivy filesystem --debug --security-checks secret .
2022-08-10T10:05:21.678+0800 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-08-10T10:05:21.681+0800 DEBUG cache dir: /home/z002sv7w/.cache/trivy
2022-08-10T10:05:21.681+0800 INFO Secret scanning is enabled
2022-08-10T10:05:21.681+0800 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-08-10T10:05:21.681+0800 INFO Please see also https://aquasecurity.github.io/trivy/0.30.4/docs/secret/scanning/#recommendation for faster secret detection
2022-08-10T10:05:21.681+0800 INFO Loading trivy-secret.yaml for secret scanning...
2022-08-10T10:05:21.683+0800 DEBUG Resolving org.springframework.boot:spring-boot-dependencies:2.5.14...
2022-08-10T10:05:23.015+0800 DEBUG Resolving com.datastax.oss:java-driver-bom:4.11.3...
2022-08-10T10:05:23.225+0800 DEBUG Resolving io.dropwizard.metrics:metrics-bom:4.1.31...
2022-08-10T10:05:23.637+0800 DEBUG Resolving org.codehaus.groovy:groovy-bom:3.0.10...
2022-08-10T10:05:23.855+0800 DEBUG Resolving org.infinispan:infinispan-bom:12.1.11.Final...
2022-08-10T10:05:24.668+0800 DEBUG Resolving com.fasterxml.jackson:jackson-bom:2.12.6.20220326...
2022-08-10T10:05:25.297+0800 DEBUG Resolving org.glassfish.jersey:jersey-bom:2.33...
2022-08-10T10:05:25.721+0800 DEBUG Resolving org.eclipse.jetty:jetty-bom:9.4.46.v20220331...
2022-08-10T10:05:25.933+0800 DEBUG Resolving org.junit:junit-bom:5.7.2...
2022-08-10T10:05:26.137+0800 DEBUG Resolving org.jetbrains.kotlin:kotlin-bom:1.5.32...
2022-08-10T10:05:26.344+0800 DEBUG Resolving org.jetbrains.kotlinx:kotlinx-coroutines-bom:1.5.2...
2022-08-10T10:05:26.548+0800 DEBUG Resolving org.apache.logging.log4j:log4j-bom:2.17.2...
2022-08-10T10:05:27.164+0800 DEBUG Resolving io.micrometer:micrometer-bom:1.7.12...
2022-08-10T10:05:27.367+0800 DEBUG Resolving io.netty:netty-bom:4.1.77.Final...
2022-08-10T10:05:27.778+0800 DEBUG Resolving com.oracle.database.jdbc:ojdbc-bom:21.1.0.0...
2022-08-10T10:05:27.987+0800 DEBUG Resolving io.prometheus:simpleclient_bom:0.10.0...
2022-08-10T10:05:28.407+0800 DEBUG Resolving io.r2dbc:r2dbc-bom:Arabba-SR13...
2022-08-10T10:05:28.610+0800 DEBUG Resolving io.projectreactor:reactor-bom:2020.0.19...
2022-08-10T10:05:28.810+0800 DEBUG Resolving io.rsocket:rsocket-bom:1.1.2...
2022-08-10T10:05:29.012+0800 DEBUG Resolving org.springframework.data:spring-data-bom:2021.0.11...
2022-08-10T10:05:29.216+0800 DEBUG Resolving org.springframework:spring-framework-bom:5.3.20...
2022-08-10T10:05:29.418+0800 DEBUG Resolving org.springframework.integration:spring-integration-bom:5.5.12...
2022-08-10T10:05:29.637+0800 DEBUG Resolving org.springframework.security:spring-security-bom:5.5.8...
2022-08-10T10:05:29.839+0800 DEBUG Resolving org.springframework.session:spring-session-bom:2021.0.6...
2022-08-10T10:05:30.042+0800 DEBUG Resolving com.baomidou:mybatis-plus-boot-starter:3.5.2...
2022-08-10T10:05:30.244+0800 DEBUG Resolving org.springframework.boot:spring-boot-dependencies:2.5.3...
2022-08-10T10:05:30.687+0800 DEBUG Resolving com.datastax.oss:java-driver-bom:4.11.2...
2022-08-10T10:05:30.886+0800 DEBUG Resolving io.dropwizard.metrics:metrics-bom:4.1.25...
2022-08-10T10:05:31.299+0800 DEBUG Resolving org.codehaus.groovy:groovy-bom:3.0.8...
2022-08-10T10:05:31.515+0800 DEBUG Resolving org.infinispan:infinispan-bom:12.1.7.Final...
2022-08-10T10:05:31.935+0800 DEBUG Resolving com.fasterxml.jackson:jackson-bom:2.12.4...
2022-08-10T10:05:32.145+0800 DEBUG Resolving org.eclipse.jetty:jetty-bom:9.4.43.v20210629...
2022-08-10T10:05:32.358+0800 DEBUG Resolving org.jetbrains.kotlin:kotlin-bom:1.5.21...
2022-08-10T10:05:32.561+0800 DEBUG Resolving org.jetbrains.kotlinx:kotlinx-coroutines-bom:1.5.1...
2022-08-10T10:05:32.761+0800 DEBUG Resolving org.apache.logging.log4j:log4j-bom:2.14.1...
2022-08-10T10:05:33.398+0800 DEBUG Resolving io.micrometer:micrometer-bom:1.7.2...
2022-08-10T10:05:33.600+0800 DEBUG Resolving io.netty:netty-bom:4.1.66.Final...
2022-08-10T10:05:33.804+0800 DEBUG Resolving io.r2dbc:r2dbc-bom:Arabba-SR10...
2022-08-10T10:05:34.006+0800 DEBUG Resolving io.projectreactor:reactor-bom:2020.0.9...
2022-08-10T10:05:34.220+0800 DEBUG Resolving io.rsocket:rsocket-bom:1.1.1...
2022-08-10T10:05:34.422+0800 DEBUG Resolving org.springframework.data:spring-data-bom:2021.0.3...
2022-08-10T10:05:34.626+0800 DEBUG Resolving org.springframework:spring-framework-bom:5.3.9...
2022-08-10T10:05:34.836+0800 DEBUG Resolving org.springframework.integration:spring-integration-bom:5.5.2...
2022-08-10T10:05:35.045+0800 DEBUG Resolving org.springframework.security:spring-security-bom:5.5.1...
2022-08-10T10:05:35.248+0800 DEBUG Resolving org.springframework.session:spring-session-bom:2021.0.1...
2022-08-10T10:05:35.448+0800 DEBUG Resolving com.itextpdf:itextpdf:5.5.13.3...
2022-08-10T10:05:35.858+0800 DEBUG Resolving com.baomidou:mybatis-plus:3.5.2...
2022-08-10T10:05:36.057+0800 DEBUG Resolving org.springframework.boot:spring-boot-autoconfigure:2.5.3...
2022-08-10T10:05:36.268+0800 DEBUG Resolving org.springframework.boot:spring-boot-starter-jdbc:2.5.3...
2022-08-10T10:05:36.467+0800 DEBUG Resolving com.baomidou:mybatis-plus-extension:3.5.2...
2022-08-10T10:05:36.668+0800 DEBUG Resolving org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.6.21...
2022-08-10T10:05:36.868+0800 DEBUG Resolving org.springframework.boot:spring-boot:2.5.3...
2022-08-10T10:05:37.066+0800 DEBUG Resolving org.springframework.boot:spring-boot-starter:2.5.3...
2022-08-10T10:05:37.266+0800 DEBUG Resolving com.zaxxer:HikariCP:4.0.3...
2022-08-10T10:05:37.684+0800 DEBUG Resolving org.springframework:spring-jdbc:5.3.9...
2022-08-10T10:05:37.884+0800 DEBUG Resolving com.baomidou:mybatis-plus-core:3.5.2...
2022-08-10T10:05:38.085+0800 DEBUG Resolving org.mybatis:mybatis-spring:2.0.7...
2022-08-10T10:05:38.526+0800 DEBUG Resolving org.jetbrains.kotlin:kotlin-stdlib:1.6.21...
2022-08-10T10:05:38.724+0800 DEBUG Resolving org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.6.21...
2022-08-10T10:05:38.922+0800 DEBUG Resolving org.springframework:spring-core:5.3.9...
2022-08-10T10:05:39.122+0800 DEBUG Resolving org.springframework:spring-context:5.3.9...
2022-08-10T10:05:39.346+0800 DEBUG Resolving org.springframework.boot:spring-boot-starter-logging:2.5.3...
2022-08-10T10:05:39.547+0800 DEBUG Resolving jakarta.annotation:jakarta.annotation-api:1.3.5...
2022-08-10T10:05:40.180+0800 DEBUG Resolving org.yaml:snakeyaml:1.28...
2022-08-10T10:05:40.403+0800 DEBUG Resolving org.slf4j:slf4j-api:1.7.30...
2022-08-10T10:05:40.809+0800 DEBUG Resolving org.springframework:spring-beans:5.3.9...
2022-08-10T10:05:41.017+0800 DEBUG Resolving org.springframework:spring-tx:5.3.9...
2022-08-10T10:05:41.215+0800 DEBUG Resolving com.baomidou:mybatis-plus-annotation:3.5.2...
2022-08-10T10:05:41.415+0800 DEBUG Resolving com.github.jsqlparser:jsqlparser:4.4...
2022-08-10T10:05:41.632+0800 DEBUG Resolving org.mybatis:mybatis:3.5.10...
2022-08-10T10:05:42.074+0800 DEBUG Resolving org.jetbrains.kotlin:kotlin-stdlib-common:1.6.21...
2022-08-10T10:05:42.273+0800 DEBUG Resolving org.jetbrains:annotations:13.0...
2022-08-10T10:05:42.476+0800 DEBUG Resolving org.springframework:spring-jcl:5.3.9...
2022-08-10T10:05:42.674+0800 DEBUG Resolving org.springframework:spring-aop:5.3.9...
2022-08-10T10:05:42.880+0800 DEBUG Resolving org.springframework:spring-expression:5.3.9...
2022-08-10T10:05:43.079+0800 DEBUG Resolving ch.qos.logback:logback-classic:1.2.4...
2022-08-10T10:05:43.507+0800 DEBUG Resolving org.apache.logging.log4j:log4j-to-slf4j:2.14.1...
2022-08-10T10:05:43.970+0800 DEBUG Resolving org.slf4j:jul-to-slf4j:1.7.32...
2022-08-10T10:05:44.375+0800 DEBUG Resolving ch.qos.logback:logback-core:1.2.4...
2022-08-10T10:05:44.580+0800 DEBUG OS is not detected.
license check issue
The license check seems not to check dependencies, just the source code? The lib is AGPL licensed:
<dependency>
    <groupId>com.itextpdf</groupId>
    <artifactId>itextpdf</artifactId>
    <version>5.5.13.3</version>
</dependency>
Or is it not suitable for a Java Maven project?
trivy filesystem --license-full .
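Both reports above (the spring-boot-starter-parent case and the imported spring-boot-dependencies BOM case) hinge on the same Maven rule: the root project's dependencyManagement, whether inherited from a parent or imported from a BOM, overrides the version a transitive dependency would otherwise pick through its own parent chain. The following Python model is an added example, not Trivy's or Maven's code. It uses a constructed, trimmed-down repository with the versions visible in the second report, and it assumes that mybatis-plus-boot-starter's own parent chain imports Spring Boot 2.5.3's dependency management (consistent with the "Resolving org.springframework.boot:spring-boot-dependencies:2.5.3" debug line that follows the starter in the log above). The `root_management_wins=False` mode is not how Maven works; it is included only to reproduce the versions the scanner reported.

```python
"""Constructed model of Maven dependencyManagement resolution (added example)."""
from dataclasses import dataclass, field


@dataclass
class Pom:
    """A POM after its parent chain and imported BOMs have been merged in."""
    dependencies: list                            # direct deps as "group:artifact"; versions come from `managed`
    managed: dict = field(default_factory=dict)   # effective dependencyManagement: "group:artifact" -> version


# Constructed BOM contents; the versions are the ones that appear in the thread.
BOOT_2_5_14 = {
    "org.springframework.boot:spring-boot-autoconfigure": "2.5.14",
    "org.springframework.boot:spring-boot": "2.5.14",
    "org.springframework:spring-core": "5.3.20",
}
BOOT_2_5_3 = {
    "org.springframework.boot:spring-boot-autoconfigure": "2.5.3",
    "org.springframework.boot:spring-boot": "2.5.3",
    "org.springframework:spring-core": "5.3.9",
}

ROOT = "org.test:trivy-test:0.0.1-SNAPSHOT"

# Constructed repository keyed by "group:artifact:version" (only the artifacts this walk needs).
REPO = {
    # The root imports Boot 2.5.14's BOM and manages the starter itself.
    ROOT: Pom(
        dependencies=["com.baomidou:mybatis-plus-boot-starter"],
        managed={**BOOT_2_5_14, "com.baomidou:mybatis-plus-boot-starter": "3.5.2"},
    ),
    # Assumption: the starter's own parent chain imports Boot 2.5.3's management.
    "com.baomidou:mybatis-plus-boot-starter:3.5.2": Pom(
        dependencies=["org.springframework.boot:spring-boot-autoconfigure"], managed=BOOT_2_5_3),
    "org.springframework.boot:spring-boot-autoconfigure:2.5.14": Pom(
        dependencies=["org.springframework.boot:spring-boot"], managed=BOOT_2_5_14),
    "org.springframework.boot:spring-boot-autoconfigure:2.5.3": Pom(
        dependencies=["org.springframework.boot:spring-boot"], managed=BOOT_2_5_3),
    "org.springframework.boot:spring-boot:2.5.14": Pom(
        dependencies=["org.springframework:spring-core"], managed=BOOT_2_5_14),
    "org.springframework.boot:spring-boot:2.5.3": Pom(
        dependencies=["org.springframework:spring-core"], managed=BOOT_2_5_3),
    "org.springframework:spring-core:5.3.20": Pom(dependencies=[]),
    "org.springframework:spring-core:5.3.9": Pom(dependencies=[]),
}


def resolve(root_coord, root_management_wins=True):
    """Resolve the transitive closure of `root_coord` to {"group:artifact": version}.

    root_management_wins=True  models Maven: the root project's dependencyManagement
        overrides whatever version a transitive POM would pick for its own children.
    root_management_wins=False lets each POM's own (inherited/imported) management
        decide its children's versions; this reproduces the versions the two reports
        above saw from the scanner, not Maven's behaviour.
    In both modes the first occurrence of an artifact on the walk is kept, a
    stand-in for Maven's depth-based "nearest wins" rule (no conflicts arise here).
    """
    root = REPO[root_coord]
    resolved = {}

    def visit(pom):
        for ga in pom.dependencies:
            if ga in resolved:
                continue
            if root_management_wins and ga in root.managed:
                version = root.managed[ga]
            else:
                version = pom.managed[ga]  # the constructed data always manages its children
            resolved[ga] = version
            visit(REPO[f"{ga}:{version}"])

    visit(root)
    return resolved


def mismatches(expected, observed):
    """Artifacts whose version differs between two resolutions: each one is a
    candidate false positive (or false negative) for a scanner that got it wrong."""
    return {ga: (expected[ga], observed.get(ga))
            for ga in expected if expected[ga] != observed.get(ga)}


if __name__ == "__main__":
    maven = resolve(ROOT)
    nearest = resolve(ROOT, root_management_wins=False)
    for ga, (want, got) in mismatches(maven, nearest).items():
        print(f"{ga}: Maven resolves {want}, nearest-management resolves {got}")
```

With the Maven rule applied, spring-boot resolves to 2.5.14 and spring-core to 5.3.20, matching the `mvn dependency:tree` output in the report; with the nearest POM's management winning, the walk lands on 2.5.3 and 5.3.9, the versions the scan table above flags CVE-2022-22965 and the spring-core advisories against. The starter itself is unaffected either way, which is why only the Spring artifacts show up as mismatches.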
We want to check that the password in application.yml is found by adding a rule in trivy-secret.yaml, but it is not found.
You need to use the correct regex group name. In your case: secret-group-name: password.
Or is it not suitable for a Java Maven project?
Trivy doesn't currently support license lookups for java files.
About vulnerability checking: I will check your information and write to you later.
Regards, Dmitriy
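The reply above pins the secret-scanning problem on `secret-group-name`: it must name a capture group that actually exists in the rule's regex, and the posted regex only defines `key` and `password`. The following Python block is an added example, not Trivy's code. It re-implements a simplified version of how such a rule is applied (path filter, keyword prefilter, regex per line, value taken from the named group) so the effect of the wrong group name can be seen, and it adds a pre-flight check that catches the misconfiguration before a scan. The application.yml text is a constructed copy of the one posted above; `rule_problems` and `extract_secrets` are hypothetical helpers, and the exact way the real scanner handles a non-existent group name is not claimed here.

```python
import re

# Constructed stand-in for the application.yml posted above (same keys and values).
APPLICATION_YML = """\
spring:
  datasource:
    dynamic:
      datasource:
        iconnector:
          url: jdbc:postgresql://127.0.0.1:5432/standalone
          username: standalone
          password: test1234
"""

# The custom rule as posted: secret-group-name does not name a group in the regex.
# Python's re accepts the same (?P<name>...) named-group syntax the rule uses.
POSTED_RULE = {
    "id": "rule1",
    "path": r".*\.yml",
    "keywords": ["password"],
    "regex": r"(?i).*(?P<key>password)(=|:)\s(?P<password>[0-9a-zA-Z\-_=]{8,64})",
    "secret-group-name": "secret",
}
# The same rule with the fix from the reply above.
FIXED_RULE = {**POSTED_RULE, "secret-group-name": "password"}


def rule_problems(rule):
    """Pre-flight check for a custom rule: the regex must compile and
    secret-group-name, if set, must be one of its named capture groups."""
    try:
        pattern = re.compile(rule["regex"])
    except re.error as exc:
        return [f"regex does not compile: {exc}"]
    name = rule.get("secret-group-name")
    if name and name not in pattern.groupindex:
        return [f"secret-group-name {name!r} is not a named group; "
                f"named groups: {sorted(pattern.groupindex)}"]
    return []


def extract_secrets(filename, content, rule):
    """Simplified model of applying one rule (an assumption, not the scanner's code):
    the file path must match `path`, the content must contain a keyword, and a
    finding is the text captured by the `secret-group-name` group on each matching
    line. A group name that never captures anything yields no findings, which is
    the symptom reported above."""
    if not re.fullmatch(rule["path"], filename):
        return []
    if rule.get("keywords") and not any(k.lower() in content.lower() for k in rule["keywords"]):
        return []
    pattern = re.compile(rule["regex"])
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        m = pattern.search(line)
        if m is None:
            continue
        secret = m.groupdict().get(rule.get("secret-group-name"))
        if secret:
            findings.append((lineno, secret))
    return findings


if __name__ == "__main__":
    for label, rule in (("posted", POSTED_RULE), ("fixed", FIXED_RULE)):
        print(label, rule_problems(rule), extract_secrets("application.yml", APPLICATION_YML, rule))
```

Running `rule_problems` over a rules file before committing it is cheap and catches this class of mistake (and regexes that do not compile) without waiting for a scan to silently find nothing.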
Hello @zhanglc,
I also checked your pom.xml file. It is the same problem.
Created a PR to fix this bug. When the PR is merged, I will write in this issue.
Regards, Dmitriy
@DmitriyLewen, I saw the new version 0.31.2; is this fix in the release?
Hello @zhanglc, unfortunately we didn't have enough time to review the PR. We are currently working on this.
I will write - when PR is merged.
@DmitriyLewen thanks a lot
Hello @zhanglc @Bhaal22, we fixed this bug.
Changes will be included in the next release. Until then (if it suits you) you can use the canary image or binary.
Hi @DmitriyLewen, that's pretty cool!!!
Thank you very much.