
Duplicate packages detected in case of Trivy image scan for the same target, class, type, filepath and layer

Open namandf opened this issue 2 years ago • 3 comments

Description

Duplicate packages detected in case of Trivy image scan for the same target, class, type and layer

What did you expect to happen?

Expected unique packages for a given target, class and type

What happened instead?

Noticed duplicate packages listed for the same target, class and type. Sample packages:

        {
          "Name": "org.slf4j:jcl-over-slf4j",
          "Version": "1.7.25",
          "Layer": {
            "DiffID": "sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6"
          },
          "FilePath": "root/.boot/cache/bin/2.8.3/boot.jar"
        },
        {
          "Name": "org.slf4j:jcl-over-slf4j",
          "Version": "1.7.25",
          "Layer": {
            "DiffID": "sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6"
          },
          "FilePath": "root/.boot/cache/bin/2.8.3/boot.jar"
        },
        {
          "Name": "org.slf4j:slf4j-api",
          "Version": "1.7.25",
          "Layer": {
            "DiffID": "sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6"
          },
          "FilePath": "root/.boot/cache/bin/2.8.3/boot.jar"
        },
        {
          "Name": "org.slf4j:slf4j-api",
          "Version": "1.7.25",
          "Layer": {
            "DiffID": "sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6"
          },
          "FilePath": "root/.boot/cache/bin/2.8.3/boot.jar"
        },
        {
          "Name": "org.tcrawley:dynapath",
          "Version": "1.0.0",
          "Layer": {
            "DiffID": "sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6"
          },
          "FilePath": "root/.boot/cache/bin/2.8.3/boot.jar"
        },
        {
          "Name": "org.tcrawley:dynapath",
          "Version": "1.0.0",
          "Layer": {
            "DiffID": "sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6"
          },
          "FilePath": "root/.boot/cache/bin/2.8.3/boot.jar"
        },
        {
          "Name": "boot:aether",
          "Version": "2.8.2",
          "Layer": {
            "DiffID": "sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6"
          },
          "FilePath": "root/.boot/cache/lib/2.8.3/aether.uber.jar"
        },
        {
          "Name": "boot:aether",
          "Version": "2.8.3",
          "Layer": {
            "DiffID": "sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6"
          },
          "FilePath": "root/.boot/cache/lib/2.8.3/aether.uber.jar"
        },
        {
          "Name": "boot:base",
          "Version": "2.8.2",
          "Layer": {
            "DiffID": "sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6"
          },
          "FilePath": "root/.boot/cache/lib/2.8.3/aether.uber.jar"
        },
        {
          "Name": "boot:base",
          "Version": "2.8.3",
          "Layer": {
            "DiffID": "sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6"
          },
          "FilePath": "root/.boot/cache/lib/2.8.3/aether.uber.jar"
        },
        {
          "Name": "boot:pod",
          "Version": "2.8.2",
          "Layer": {
            "DiffID": "sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6"
          },
          "FilePath": "root/.boot/cache/lib/2.8.3/aether.uber.jar"
        },
        {
          "Name": "boot:pod",
          "Version": "2.8.3",
          "Layer": {
            "DiffID": "sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6"
          },
          "FilePath": "root/.boot/cache/lib/2.8.3/aether.uber.jar"
        },
        {
          "Name": "com.cemerick:pomegranate",
          "Version": "1.1.0",
          "Layer": {
            "DiffID": "sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6"
          },
          "FilePath": "root/.boot/cache/lib/2.8.3/aether.uber.jar"
        },
        {
          "Name": "com.cemerick:pomegranate",
          "Version": "1.1.0",
          "Layer": {
            "DiffID": "sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6"
          },
          "FilePath": "root/.boot/cache/lib/2.8.3/aether.uber.jar"
        },

Output of run with -debug:

trivy image --list-all-pkgs --security-checks 'vuln' -f json -o clojure.json --debug --timeout 20m clojure
2023-01-17T15:08:28.510+0530	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-01-17T15:08:28.554+0530	DEBUG	cache dir:  /Users/deepfactor/Library/Caches/trivy
2023-01-17T15:08:28.555+0530	DEBUG	DB update was skipped because the local DB is the latest
2023-01-17T15:08:28.555+0530	DEBUG	DB Schema: 2, UpdatedAt: 2023-01-17 06:06:31.140023977 +0000 UTC, NextUpdate: 2023-01-17 12:06:31.140023677 +0000 UTC, DownloadedAt: 2023-01-17 09:32:14.899829 +0000 UTC
2023-01-17T15:08:28.556+0530	INFO	Vulnerability scanning is enabled
2023-01-17T15:08:28.556+0530	DEBUG	Vulnerability type:  [os library]
2023-01-17T15:08:28.592+0530	DEBUG	Image ID: sha256:142d27b9a2a8139d57649bf2e40eaa1a250e3fd39bd1c292ecca94caf7151b91
2023-01-17T15:08:28.592+0530	DEBUG	Diff IDs: [sha256:6515074984c6f8bb1b8a9962c8fb5f310fc85e70b04c88442a3939c026dbfad3 sha256:86c081974855f765ab2e3eb92719dfaf8ff69e32af9ec317ce03e8ef7583f8b8 sha256:cd7884686c9fc94d950cd066744c73da12badfbf6643f8cf9a95a23dd5c28194 sha256:f52b91b1b5b3f0bf0bc7cde4ef1682c7349293cdad64129d365e7ef01a23169b sha256:31b31a316cf3502c21c039e346627402cdf31f9171e16f375eebbc7f3445d378 sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6 sha256:78745c9189dddee37dc3548c55a462538566dcdf887616ddd28ee40b4a8171cd sha256:ed15876966f64e8a31f232cf3314f46a7edf3c96e5ec91898f9c9ec5d855bb17 sha256:f7e41ab97d1d78b26c42bbbec90965684bff97b4d9000f0a0142de562b8f4090 sha256:57de3251a838d62c9e73ed6515c63c1ee7332774045e72bdd768fa0149d8aa63 sha256:23e9ce64982575ec652ce7ce1367cd4d65df04342c1e0c7f81246e4a7e7c78fb]
2023-01-17T15:08:28.592+0530	DEBUG	Base Layers: [sha256:6515074984c6f8bb1b8a9962c8fb5f310fc85e70b04c88442a3939c026dbfad3 sha256:86c081974855f765ab2e3eb92719dfaf8ff69e32af9ec317ce03e8ef7583f8b8 sha256:cd7884686c9fc94d950cd066744c73da12badfbf6643f8cf9a95a23dd5c28194 sha256:f52b91b1b5b3f0bf0bc7cde4ef1682c7349293cdad64129d365e7ef01a23169b]
2023-01-17T15:08:28.607+0530	DEBUG	Missing image ID in cache: sha256:142d27b9a2a8139d57649bf2e40eaa1a250e3fd39bd1c292ecca94caf7151b91
2023-01-17T15:08:28.608+0530	DEBUG	Missing diff ID in cache: sha256:f071333ddc4b597001bd1ab3f295960e816e233f0ca9d499901cb898a317d1e6
2023-01-17T15:08:41.684+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.boot/cache/bin/2.8.3/boot.jar"}
2023-01-17T15:08:41.707+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.boot/cache/lib/2.8.3/aether.uber.jar"}
2023-01-17T15:08:41.707+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/alandipert/desiderata/1.0.2/desiderata-1.0.2.jar"}
2023-01-17T15:08:41.708+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/boot/aether/2.8.3/aether-2.8.3.jar"}
2023-01-17T15:08:41.708+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/boot/core/2.8.3/core-2.8.3.jar"}
2023-01-17T15:08:41.709+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/boot/pod/2.8.3/pod-2.8.3.jar"}
2023-01-17T15:08:41.710+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/boot/worker/2.8.3/worker-2.8.3.jar"}
2023-01-17T15:08:41.710+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/cheshire/cheshire/5.8.1/cheshire-5.8.1.jar"}
2023-01-17T15:08:41.710+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/clj-http/clj-http/0.3.6/clj-http-0.3.6.jar"}
2023-01-17T15:08:41.710+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/clj-http-lite/clj-http-lite/0.2.0/clj-http-lite-0.2.0.jar"}
2023-01-17T15:08:41.710+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/clj-jgit/clj-jgit/0.8.10/clj-jgit-0.8.10.jar"}
2023-01-17T15:08:41.710+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/clj-stacktrace/clj-stacktrace/0.2.7/clj-stacktrace-0.2.7.jar"}
2023-01-17T15:08:41.710+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/clj-yaml/clj-yaml/0.4.0/clj-yaml-0.4.0.jar"}
2023-01-17T15:08:41.710+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/clojure-complete/clojure-complete/0.2.5/clojure-complete-0.2.5.jar"}
2023-01-17T15:08:41.711+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/com/cemerick/pomegranate/1.1.0/pomegranate-1.1.0.jar"}
2023-01-17T15:08:41.711+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.9.6/jackson-core-2.9.6.jar"}
2023-01-17T15:08:41.711+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-cbor/2.9.6/jackson-dataformat-cbor-2.9.6.jar"}
2023-01-17T15:08:41.711+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-smile/2.9.6/jackson-dataformat-smile-2.9.6.jar"}
2023-01-17T15:08:41.734+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/com/google/guava/guava/20.0/guava-20.0.jar"}
2023-01-17T15:08:41.735+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/com/googlecode/javaewah/JavaEWAH/1.1.6/JavaEWAH-1.1.6.jar"}
2023-01-17T15:08:41.735+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/com/jcraft/jsch/0.1.54/jsch-0.1.54.jar"}
2023-01-17T15:08:41.736+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/commons-codec/commons-codec/1.9/commons-codec-1.9.jar"}
2023-01-17T15:08:41.736+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/commons-fileupload/commons-fileupload/1.2.1/commons-fileupload-1.2.1.jar"}
2023-01-17T15:08:41.736+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar"}
2023-01-17T15:08:41.737+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar"}
2023-01-17T15:08:41.737+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/fipp/fipp/0.6.17/fipp-0.6.17.jar"}
2023-01-17T15:08:41.737+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/fs/fs/1.3.3/fs-1.3.3.jar"}
2023-01-17T15:08:41.737+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar"}
2023-01-17T15:08:41.738+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/javax/servlet/servlet-api/2.5/servlet-api-2.5.jar"}
2023-01-17T15:08:41.814+0530	DEBUG	Parsing Java artifacts...	{"file": "aether.uber.jar"}
2023-01-17T15:08:41.825+0530	DEBUG	Parsing Java artifacts...	{"file": "aether.uber.jar"}
2023-01-17T15:08:41.932+0530	DEBUG	Parsing Java artifacts...	{"file": "aether.uber.jar"}
2023-01-17T15:08:42.870+0530	DEBUG	No such POM in the central repositories	{"file": "clj-yaml-0.4.0.jar"}
2023-01-17T15:08:43.106+0530	DEBUG	No such POM in the central repositories	{"file": "aether.uber.jar"}
2023-01-17T15:08:43.115+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/javazoom/jlayer/1.0.1/jlayer-1.0.1.jar"}
2023-01-17T15:08:43.117+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/mvxcvi/arrangement/1.2.0/arrangement-1.2.0.jar"}
2023-01-17T15:08:43.117+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/mvxcvi/puget/1.1.2/puget-1.1.2.jar"}
2023-01-17T15:08:43.117+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/net/cgrand/parsley/0.9.3/parsley-0.9.3.jar"}
2023-01-17T15:08:43.119+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/net/cgrand/regex/1.1.0/regex-1.1.0.jar"}
2023-01-17T15:08:43.119+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/jline/jline/2.14.6/jline-2.14.6.jar"}
2023-01-17T15:08:43.121+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/net/java/dev/jna/jna/5.2.0/jna-5.2.0.jar"}
2023-01-17T15:08:43.121+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/nrepl/bencode/1.0.0/bencode-1.0.0.jar"}
2023-01-17T15:08:43.121+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/nrepl/drawbridge/0.1.0/drawbridge-0.1.0.jar"}
2023-01-17T15:08:43.121+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/nrepl/nrepl/0.4.5/nrepl-0.4.5.jar"}
2023-01-17T15:08:43.122+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/commons/commons-compress/1.3/commons-compress-1.3.jar"}
2023-01-17T15:08:43.123+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/commons/commons-lang3/3.5/commons-lang3-3.5.jar"}
2023-01-17T15:08:43.124+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/httpcomponents/httpclient/4.5.3/httpclient-4.5.3.jar"}
2023-01-17T15:08:43.125+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/httpcomponents/httpcore/4.4.11/httpcore-4.4.11.jar"}
2023-01-17T15:08:43.125+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/httpcomponents/httpmime/4.1.2/httpmime-4.1.2.jar"}
2023-01-17T15:08:43.126+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/maven-artifact/3.5.3/maven-artifact-3.5.3.jar"}
2023-01-17T15:08:43.126+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/maven-builder-support/3.5.3/maven-builder-support-3.5.3.jar"}
2023-01-17T15:08:43.126+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/maven-model/3.5.3/maven-model-3.5.3.jar"}
2023-01-17T15:08:43.126+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/maven-model-builder/3.5.3/maven-model-builder-3.5.3.jar"}
2023-01-17T15:08:43.127+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/maven-repository-metadata/3.5.3/maven-repository-metadata-3.5.3.jar"}
2023-01-17T15:08:43.127+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/maven-resolver-provider/3.5.3/maven-resolver-provider-3.5.3.jar"}
2023-01-17T15:08:43.127+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/resolver/maven-resolver-api/1.1.1/maven-resolver-api-1.1.1.jar"}
2023-01-17T15:08:43.127+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/resolver/maven-resolver-connector-basic/1.0.3/maven-resolver-connector-basic-1.0.3.jar"}
2023-01-17T15:08:43.128+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/resolver/maven-resolver-impl/1.1.1/maven-resolver-impl-1.1.1.jar"}
2023-01-17T15:08:43.128+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/resolver/maven-resolver-spi/1.1.1/maven-resolver-spi-1.1.1.jar"}
2023-01-17T15:08:43.128+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/resolver/maven-resolver-transport-file/1.0.3/maven-resolver-transport-file-1.0.3.jar"}
2023-01-17T15:08:43.128+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/resolver/maven-resolver-transport-http/1.0.3/maven-resolver-transport-http-1.0.3.jar"}
2023-01-17T15:08:43.128+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/resolver/maven-resolver-transport-wagon/1.0.3/maven-resolver-transport-wagon-1.0.3.jar"}
2023-01-17T15:08:43.129+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/resolver/maven-resolver-util/1.1.1/maven-resolver-util-1.1.1.jar"}
2023-01-17T15:08:43.129+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/wagon/wagon-http/3.3.2/wagon-http-3.3.2.jar"}
2023-01-17T15:08:43.129+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/wagon/wagon-http-shared/3.3.2/wagon-http-shared-3.3.2.jar"}
2023-01-17T15:08:43.130+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/apache/maven/wagon/wagon-provider-api/3.0.0/wagon-provider-api-3.0.0.jar"}
2023-01-17T15:08:43.130+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/clojars/trptcolin/sjacket/0.1.1.1/sjacket-0.1.1.1.jar"}
2023-01-17T15:08:43.139+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/clojure/clojure/1.8.0/clojure-1.8.0.jar"}
2023-01-17T15:08:43.141+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/clojure/core.rrb-vector/0.0.14/core.rrb-vector-0.0.14.jar"}
2023-01-17T15:08:43.141+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/clojure/data.xml/0.0.8/data.xml-0.0.8.jar"}
2023-01-17T15:08:43.141+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/clojure/data.zip/0.1.3/data.zip-0.1.3.jar"}
2023-01-17T15:08:43.141+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/clojure/tools.cli/0.3.1/tools.cli-0.3.1.jar"}
2023-01-17T15:08:43.141+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/clojure/tools.logging/0.4.1/tools.logging-0.4.1.jar"}
2023-01-17T15:08:43.141+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/clojure/tools.namespace/0.2.11/tools.namespace-0.2.11.jar"}
2023-01-17T15:08:43.142+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/codehaus/plexus/plexus-component-annotations/1.7.1/plexus-component-annotations-1.7.1.jar"}
2023-01-17T15:08:43.142+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/codehaus/plexus/plexus-interpolation/1.24/plexus-interpolation-1.24.jar"}
2023-01-17T15:08:43.142+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/codehaus/plexus/plexus-utils/3.1.0/plexus-utils-3.1.0.jar"}
2023-01-17T15:08:43.151+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/eclipse/jgit/org.eclipse.jgit/4.8.0.201706111038-r/org.eclipse.jgit-4.8.0.201706111038-r.jar"}
2023-01-17T15:08:43.162+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/jsoup/jsoup/1.11.3/jsoup-1.11.3.jar"}
2023-01-17T15:08:43.162+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/projectodd/shimdandy/shimdandy-impl/1.2.1/shimdandy-impl-1.2.1.jar"}
2023-01-17T15:08:43.162+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/slf4j/jcl-over-slf4j/1.7.25/jcl-over-slf4j-1.7.25.jar"}
2023-01-17T15:08:43.163+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/slf4j/slf4j-api/1.7.26/slf4j-api-1.7.26.jar"}
2023-01-17T15:08:43.163+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/slf4j/slf4j-nop/1.7.26/slf4j-nop-1.7.26.jar"}
2023-01-17T15:08:43.163+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/tcrawley/dynapath/1.0.0/dynapath-1.0.0.jar"}
2023-01-17T15:08:43.163+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/thnetos/cd-client/0.3.6/cd-client-0.3.6.jar"}
2023-01-17T15:08:43.164+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/org/yaml/snakeyaml/1.5/snakeyaml-1.5.jar"}
2023-01-17T15:08:43.164+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/reply/reply/0.4.3/reply-0.4.3.jar"}
2023-01-17T15:08:43.164+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/ring/ring-core/1.0.2/ring-core-1.0.2.jar"}
2023-01-17T15:08:43.164+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/slingshot/slingshot/0.10.3/slingshot-0.10.3.jar"}
2023-01-17T15:08:43.164+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/tigris/tigris/0.1.1/tigris-0.1.1.jar"}
2023-01-17T15:08:43.164+0530	DEBUG	Parsing Java artifacts...	{"file": "root/.m2/repository/trptcolin/versioneer/0.1.1/versioneer-0.1.1.jar"}
2023-01-17T15:08:43.382+0530	DEBUG	No such POM in the central repositories	{"file": "aether.uber.jar"}
2023-01-17T15:09:42.782+0530	DEBUG	retrying request	{"request": "GET https://search.maven.org/solrsearch/select?q=1%3A%225959582d97d8b61f4d154ca9e495aafd16726e34%22&rows=1&wt=json (status: 504)", "timeout": "20s", "remaining": 5}
2023-01-17T15:09:43.111+0530	DEBUG	retrying request	{"request": "GET https://search.maven.org/solrsearch/select?q=1%3A%2291841c3b0736e6bf309a57cee3ee502c6d570634%22&rows=1&wt=json (status: 504)", "timeout": "20s", "remaining": 5}
2023-01-17T15:09:43.650+0530	DEBUG	retrying request	{"request": "GET https://search.maven.org/solrsearch/select?q=1%3A%22a8abe6239917ecaa6b185cba3df83f746f4ece20%22&rows=1&wt=json (status: 504)", "timeout": "20s", "remaining": 5}
2023-01-17T15:11:03.019+0530	DEBUG	retrying request	{"request": "GET https://search.maven.org/solrsearch/select?q=1%3A%225959582d97d8b61f4d154ca9e495aafd16726e34%22&rows=1&wt=json (status: 504)", "timeout": "40s", "remaining": 4}
2023-01-17T15:11:03.360+0530	DEBUG	retrying request	{"request": "GET https://search.maven.org/solrsearch/select?q=1%3A%2291841c3b0736e6bf309a57cee3ee502c6d570634%22&rows=1&wt=json (status: 504)", "timeout": "40s", "remaining": 4}
2023-01-17T15:11:03.885+0530	DEBUG	retrying request	{"request": "GET https://search.maven.org/solrsearch/select?q=1%3A%22a8abe6239917ecaa6b185cba3df83f746f4ece20%22&rows=1&wt=json (status: 504)", "timeout": "40s", "remaining": 4}
2023-01-17T15:11:43.621+0530	DEBUG	No such POM in the central repositories	{"file": "aether.uber.jar"}
2023-01-17T15:11:43.969+0530	DEBUG	No such POM in the central repositories	{"file": "aether.uber.jar"}
2023-01-17T15:11:44.126+0530	DEBUG	No such POM in the central repositories	{"file": "boot.jar"}
2023-01-17T15:12:43.255+0530	DEBUG	retrying request	{"request": "GET https://search.maven.org/solrsearch/select?q=1%3A%225959582d97d8b61f4d154ca9e495aafd16726e34%22&rows=1&wt=json (status: 504)", "timeout": "1m20s", "remaining": 3}
2023-01-17T15:14:19.654+0530	INFO	Detected OS: ubuntu
2023-01-17T15:14:19.654+0530	INFO	Detecting Ubuntu vulnerabilities...
2023-01-17T15:14:19.654+0530	DEBUG	ubuntu: os version: 22.04
2023-01-17T15:14:19.654+0530	DEBUG	ubuntu: the number of packages: 169
2023-01-17T15:14:19.669+0530	INFO	Number of language-specific files: 1
2023-01-17T15:14:19.670+0530	INFO	Detecting jar vulnerabilities...
2023-01-17T15:14:19.670+0530	DEBUG	Detecting library vulnerabilities, type: jar, path:

Output of trivy -v:

Version: 0.36.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-01-14 06:08:53.577799309 +0000 UTC
  NextUpdate: 2023-01-14 12:08:53.577798909 +0000 UTC
  DownloadedAt: 2023-01-14 08:36:00.33772 +0000 UTC

Additional details (base image name, container registry info...):

Image scanned: clojure

JSON Report clojure.txt

namandf, Jan 17 '23 09:01

@DmitriyLewen Can you please take a look?

knqyf263, Jan 17 '23 12:01

Thanks @knqyf263 . Would be great if someone can help with https://github.com/aquasecurity/trivy/discussions/3442 as well.

namandf, Jan 17 '23 18:01

@namandf I can reproduce it. It's a bit of a strange case.

I took a look at clojure:latest, and it contains aether.uber.jar but there is another aether.uber.jar inside aether.uber.jar, and the inner aether.uber.jar contains another aether.uber.jar...

aether.uber.jar
└── aether.uber.jar
     └── aether.uber.jar

So Trivy adds packages which look like duplicates.

afdesk, Feb 03 '23 11:02

We may want to show nested paths like

  • /path/to/aether.uber.jar
  • /path/to/aether.uber.jar/aether.uber.jar
  • /path/to/aether.uber.jar/aether.uber.jar/aether.uber.jar

It is another enhancement. I'll close this issue as it works as expected.

knqyf263, Feb 15 '23 10:02
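The nested-jar behaviour diagnosed in the thread, reproduced as an added example (not Trivy's code and not part of the original issue): a recursive walk over a jar that contains a same-named jar yields records that collide when keyed on the outermost `FilePath`, and stop colliding once the full nested path is recorded. The jar contents are constructed, and `NestedPath`, `walk_jar`, `duplicates` and `build_sample` are hypothetical names, not Trivy report fields or functions.

```python
import io
import zipfile
from collections import Counter

TOP = "root/.boot/cache/lib/2.8.3/aether.uber.jar"  # FilePath from the report above


def make_jar(poms, inner=None):
    """Constructed test jar: one pom.properties per (group, artifact, version)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for group, artifact, version in poms:
            zf.writestr(
                f"META-INF/maven/{group}/{artifact}/pom.properties",
                f"groupId={group}\nartifactId={artifact}\nversion={version}\n",
            )
        if inner is not None:
            zf.writestr("aether.uber.jar", inner)  # same-named jar nested inside
    return buf.getvalue()


def walk_jar(data, path, top=None, depth=0, max_depth=8):
    """Yield one package record per pom.properties, descending into nested jars."""
    top = top or path
    if depth > max_depth:  # stop on pathological nesting
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.endswith("pom.properties"):
                props = dict(
                    line.split("=", 1)
                    for line in zf.read(info).decode().splitlines()
                    if "=" in line and not line.startswith("#")
                )
                yield {
                    "Name": f"{props['groupId']}:{props['artifactId']}",
                    "Version": props["version"],
                    "FilePath": top,     # outermost jar only, as in the report
                    "NestedPath": path,  # hypothetical field with the full chain
                }
            elif info.filename.endswith(".jar"):
                yield from walk_jar(
                    zf.read(info), f"{path}/{info.filename}", top, depth + 1, max_depth
                )


def duplicates(records, path_key):
    """Return (Name, Version, path) keys that occur more than once."""
    counts = Counter((r["Name"], r["Version"], r[path_key]) for r in records)
    return {key: n for key, n in counts.items() if n > 1}


def build_sample():
    """Three levels of aether.uber.jar; contents are constructed, not from the image."""
    level3 = make_jar([("com.cemerick", "pomegranate", "1.1.0")])
    level2 = make_jar([("com.cemerick", "pomegranate", "1.1.0"),
                       ("boot", "aether", "2.8.2")], inner=level3)
    return make_jar([("com.cemerick", "pomegranate", "1.1.0"),
                     ("boot", "aether", "2.8.3")], inner=level2)


if __name__ == "__main__":
    records = list(walk_jar(build_sample(), TOP))
    print("keyed on FilePath:  ", duplicates(records, "FilePath"))
    print("keyed on NestedPath:", duplicates(records, "NestedPath"))
```

When consuming a report that only carries the outer `FilePath`, collapsing identical (Name, Version, FilePath, Layer) tuples before counting packages or findings avoids inflating the inventory.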