
feat(java): use remote repositories from `settings.xml` for `pom.xml` files

Open DmitriyLewen opened this issue 1 year ago • 12 comments

Description

We currently get repositories from pom.xml files + maven central: https://github.com/aquasecurity/trivy/blob/57e24aa85382f749df7f673e241caaf3fcbb45cb/pkg/dependency/parser/java/pom/parse.go#L339-L342

But settings.xml file may also contain remote repositories. We need to add logic to get repositories from this file. See more details in #7175

Discussed in https://github.com/aquasecurity/trivy/discussions/7175

DmitriyLewen avatar Oct 29 '24 04:10 DmitriyLewen

I am not sure if this query of mine is related or not, but I am finding myself stuck in a situation where I need some support from Trivy to scan the desired repository. I am running a multi-module Maven project in Jenkins as CI/CD; I have two sequential processes: mvn deploy and, in the next stage, the Trivy CLI command. What I am noticing is that for searching dependencies, instead of pointing to the local repository, Trivy is trying to fetch from the Central Maven repository.

2024-12-02T10:17:58+01:00	DEBUG	[pom] Resolving...	group_id="com.hub" artifact_id="ehub-analytics-gar" version="2.3.12"
2024-12-02T10:17:58+01:00	DEBUG	[pom] Failed to fetch	url="https://repo.maven.apache.org/maven2/com/lawson/eventhub/ehub-analytics-gar/2.3.12/ehub-analytics-gar-2.3.12.pom" statusCode=404

I am running a Jenkins pipeline script with a withMaven block providing the settings id as a parameter, but those settings are ignored by Trivy.

arkajnag23 avatar Dec 02 '24 11:12 arkajnag23

Hello @arkajnag23, hmm... Trivy checks the local repository first. Do you use the default repository (~/.m2/repository)?

DmitriyLewen avatar Dec 02 '24 11:12 DmitriyLewen

@DmitriyLewen, our pipeline creates a temp settings file and a temp repository when running the builds on its EC2 instances, hence looking for an option of providing Maven settings is

arkajnag23 avatar Dec 02 '24 11:12 arkajnag23

"our pipeline creates a temp settings file"

This may be the reason why Trivy doesn't detect the settings file. Trivy checks $HOME/.m2/settings.xml, /usr/share/maven/conf/settings.xml and $MAVEN_HOME/conf/settings.xml files.

Without information about the local repository, Trivy gets POMs from Maven Central.

DmitriyLewen avatar Dec 02 '24 11:12 DmitriyLewen

@DmitriyLewen, is there any way we can set the settings file path?

arkajnag23 avatar Dec 02 '24 12:12 arkajnag23

Unfortunately, at the moment Trivy doesn't have such functionality. Create a new discussion about it. If this functionality is in demand among users, we will think about how to add it.

As a workaround, you can change $MAVEN_HOME at the time of the Trivy launch.

DmitriyLewen avatar Dec 03 '24 05:12 DmitriyLewen

Hello @DmitriyLewen, as discussed in https://github.com/aquasecurity/trivy/discussions/7175#discussioncomment-11082605, I did some experiments regarding the different priorities when Maven downloads packages.

Here are the results:

Test cases and results

| Test case | Resolution order |
| --- | --- |
| Default | From central (https://repo.maven.apache.org/maven2) |
| Single repo in pom | From custom repo, then central |
| Multiple repos in pom | From custom repos in the order of definition (first to last), then central |
| Single repo in settings | From custom repo, then central |
| Multiple repos in settings | From custom repos in reversed order of profile definition (last to first), then central |
| Single private repo in settings | From custom repo with auth, then central |
| Single repo in pom, single repo in settings | From custom repo in settings, then custom repo in pom, then central |
| Multiple repos in pom, multiple repos in settings | From custom repos in settings in reversed order, then custom repos in pom in order of definition, then central |
| Mirror for '*' | From mirror |
| Mirror for '*', single repo in pom | From mirror |
| Mirror for '*', single repo in settings | From mirror |
| Mirror for 'central' | From mirror |
| Mirror for 'central', single repo in pom | From custom repo, then mirror |
| Mirror for 'central', single repo in settings | From custom repo, then mirror |

Hope this helps!

Kind regards, Malte

malmor avatar Dec 13 '24 13:12 malmor

@malmor Thanks! I'll get to it when I have time.

DmitriyLewen avatar Dec 16 '24 10:12 DmitriyLewen

In Maven documentation: https://maven.apache.org/guides/mini/guide-multiple-repositories.html#repository-order

Repository Order

Remote repository URLs are queried in the following order for artifacts until one returns a valid result:

  • effective settings:
    • Global settings.xml
    • User settings.xml
  • local effective build POM:
    • Local pom.xml
    • Parent POMs, recursively
    • Super POM
  • effective POMs from dependency path to the artifact.

For each of these locations, the repositories within the profiles are queried first in the order outlined at Introduction to build profiles.

Before downloading from a repository, mirrors configuration is applied. Effective settings and local build POM, with profile taken into account, can easily be reviewed to see their repositories order with mvn help:effective-settings and mvn help:effective-pom -Dverbose.

philippe-granet avatar Apr 22 '25 22:04 philippe-granet
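An added example, not code from Trivy or from any of the posters above, written in Go because Trivy is a Go project: a minimal settings.xml parser plus a function that reproduces the query order described in malmor's table and in the Maven documentation quoted by philippe-granet (settings profile repositories last-profile-first, then pom repositories in definition order, then central, with mirrors applied before download). It assumes every listed profile is active and that mirror matching covers only `*` and exact repository ids; the element names (`profiles`, `repositories`, `mirrors`, `mirrorOf`) are the standard settings.xml ones.

```go
package main
import "encoding/xml"

// Minimal settings.xml model; assumption: every listed profile is active.
type Settings struct {
	Profiles []struct {
		Repos []Repo `xml:"repositories>repository"`
	} `xml:"profiles>profile"`
	Mirrors []struct {
		MirrorOf string `xml:"mirrorOf"`
		URL      string `xml:"url"`
	} `xml:"mirrors>mirror"`
}
type Repo struct {
	ID  string `xml:"id"`
	URL string `xml:"url"`
}
const central = "https://repo.maven.apache.org/maven2"

func ParseSettings(data []byte) (s Settings, err error) {
	err = xml.Unmarshal(data, &s)
	return s, err
}

// ResolutionOrder lists URLs in the order the thread observed: settings profile
// repos (last profile first), pom repos in definition order, then central. A
// mirror with mirrorOf "*" or a repo's id replaces that repo's URL; no repeats.
func ResolutionOrder(s Settings, pomRepos []Repo) []string {
	var repos []Repo
	for i := len(s.Profiles) - 1; i >= 0; i-- {
		repos = append(repos, s.Profiles[i].Repos...)
	}
	repos = append(append(repos, pomRepos...), Repo{ID: "central", URL: central})
	var out []string
	seen := map[string]bool{}
	for _, r := range repos {
		url := r.URL
		for _, m := range s.Mirrors {
			if m.MirrorOf == "*" || m.MirrorOf == r.ID {
				url = m.URL
				break
			}
		}
		if !seen[url] {
			seen[url] = true
			out = append(out, url)
		}
	}
	return out
}
```

Feeding it a settings.xml with two profiles and a `central` mirror, plus one pom repository, yields the second profile's repo, the first profile's repo, the pom repo, and finally the mirror in place of central.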

If this issue is still open, I’d be happy to give it a try.

ricardo-kh avatar Jul 03 '25 14:07 ricardo-kh

Hello @ricardo-kh, that would be great!

Assigned it to you.

DmitriyLewen avatar Jul 04 '25 05:07 DmitriyLewen

Ready for review: https://github.com/aquasecurity/trivy/pull/9159

ricardo-kh avatar Jul 08 '25 09:07 ricardo-kh

I’m stepping back from this issue to make room for others to take it further. Thanks to the maintainers for the feedback on my attempt to implement this change! Please feel free to un-assign me, since I don't have the required permission to do so.

ricardo-kh avatar Oct 22 '25 08:10 ricardo-kh