trivy icon indicating copy to clipboard operation
trivy copied to clipboard
Published 4 weeks ago verified publisher icon aquasecurity

bug(java): We should parse dependencies with unsupported scopes to correctly detect version/skip dependency

Open DmitriyLewen opened this issue 1 year ago • 0 comments

Description

IIUC mvn checks dependency version without regard to scope. it means that if you add test dependency (as example), transitive dependency of another dependency will use version of test dependency:

➜ cat pom.xml           
    <groupId>com.example</groupId>
    <artifactId>test</artifactId>
    <version>1.0.0</version>

    <dependencies>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-annotations</artifactId>
            <version>2.18.0</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.18.1</version>
        </dependency>
    </dependencies>
</project>

➜ mvn dependency:resolve
...
[INFO] The following files have been resolved:
[INFO]    com.fasterxml.jackson.core:jackson-annotations:jar:2.18.0:test -- module com.fasterxml.jackson.annotation
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.18.1:compile -- module com.fasterxml.jackson.databind
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.18.1:compile -- module com.fasterxml.jackson.core
...

But Trivy parses only import, runtime, compile and empty scopes: https://github.com/aquasecurity/trivy/blob/57e24aa85382f749df7f673e241caaf3fcbb45cb/pkg/dependency/parser/java/pom/parse.go#L430 So for this example Trivy skips new test com.fasterxml.jackson.core:jackson-annotations:2.18.0 dependency (as test scope), and includes com.fasterxml.jackson.core:jackson-annotations:2.18.1 into report:

➜ trivy -q fs ./pom.xml -f json --list-all-pkgs | grep jackson-annotations
            "com.fasterxml.jackson.core:jackson-annotations:2.18.1",

This is wrong behavior. I am not sure about the right way:

  • (most likely case) we need to skip jackson-annotations as test dependency
  • we should use version 2.18.0 for jackson-annotations, because, UUIC, maven will use jackson-annotations:2.18.0 in package jackson-databind (I may be wrong)

Anyway, we need to analyze all scopes and resolve dependencies after that. But we already added support for test scope (We are reverting these changes - because the running time on trivi has increased a lot)

We need to think how we can handle this case. for example, mvn always downloads all required files before resolving dependencies. Maybe we can do something like this.

@aquasecurity/trivy Do you have any ideas?

Discussed in https://github.com/aquasecurity/trivy/discussions/7836

DmitriyLewen avatar Oct 31 '24 11:10 DmitriyLewen