jmx_exporter
Trivy security scan failing for jmx_prometheus_javaagent-0.16.0.jar
jmx_prometheus_javaagent-0.16.0.jar
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+--------------------+------------------+----------+-------------------+---------------+
|      LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
+--------------------+------------------+----------+-------------------+---------------+
| org.yaml:snakeyaml | CVE-2017-18640   |   HIGH   |       1.23        |     1.26      |
+--------------------+------------------+----------+-------------------+---------------+
This should not happen, as the whole purpose of the 0.16.0 release was to build a version with snakeyaml 1.29. I am not familiar with Trivy. Do you know why it concludes that snakeyaml 1.23 is in the JAR?
The link jmx_prometheus_javaagent_java6-0.16.0.jar referenced in https://github.com/prometheus/jmx_exporter/releases/tag/parent-0.16.0 returns a 404.
Looking inside the supposed Java 7+ jar returns the following, which is probably what Trivy is looking at:
jmx_prometheus_javaagent-0.16.0 $ grep -r '1\.23' .
./META-INF/maven/io.prometheus.jmx/collector/pom.xml: <version>1.23</version> <!-- required for the Java 6 release -->
./META-INF/maven/org.yaml/snakeyaml/pom.xml: <version>1.23</version>
./META-INF/maven/org.yaml/snakeyaml/pom.xml: <tag>snakeyaml-1.23</tag>
./META-INF/maven/org.yaml/snakeyaml/pom.properties:version=1.23
I removed the pom.xml from the binary and released 0.16.1.
For reference: The metadata in pom.xml wrongly points to 1.23. That version is in fact not included in the Java 7+ binary. However, the metadata makes Trivy assume that the old version is used, and that causes the CVE warning.
Thanks for creating this issue.
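The grep output and the explanation above show the root cause: Trivy does not inspect the shaded classes, it reads the `META-INF/maven/*/*/pom.properties` metadata bundled in the jar. The following added example (not code from the jmx_exporter project) performs the same lookup and compares the declared versions with what the release was meant to ship, so a stale 1.23 entry is caught before publishing. The jar is constructed in memory to mimic the layout seen in the grep output; it is not the real 0.16.0 artifact.

```python
import io
import zipfile

# Constructed stand-in for a shaded agent jar (not the real
# jmx_prometheus_javaagent-0.16.0.jar): the bundled Maven metadata
# declares snakeyaml 1.23 although a newer version was shaded in.
def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.yaml/snakeyaml/pom.properties",
                    "groupId=org.yaml\nartifactId=snakeyaml\nversion=1.23\n")
        zf.writestr("META-INF/maven/io.prometheus.jmx/collector/pom.properties",
                    "groupId=io.prometheus.jmx\nartifactId=collector\nversion=0.16.0\n")
        zf.writestr("org/yaml/snakeyaml/Yaml.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()

def declared_artifacts(jar_bytes: bytes) -> dict:
    """Return {"groupId:artifactId": version} for every pom.properties
    under META-INF/maven/ -- the metadata a jar scanner relies on."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"}.issubset(props):
                found[f"{props['groupId']}:{props['artifactId']}"] = props["version"]
    return found

def metadata_mismatches(jar_bytes: bytes, expected: dict) -> dict:
    """Compare declared versions with the versions the build intended to ship.
    Returns {"group:artifact": (declared, expected)} for each mismatch; a
    stale declaration is what produces a false CVE finding like the one above."""
    declared = declared_artifacts(jar_bytes)
    return {ga: (declared[ga], want) for ga, want in expected.items()
            if ga in declared and declared[ga] != want}

if __name__ == "__main__":
    jar = build_sample_jar()
    print(declared_artifacts(jar))
    print(metadata_mismatches(jar, {"org.yaml:snakeyaml": "1.29"}))
```

Running it against a real jar only requires replacing `build_sample_jar()` with the file's bytes; the expected-version map is the release's own intent, so mismatches point at metadata to strip or regenerate before tagging.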
I can confirm this has cleared the notice in trivy for me.
Since this has been resolved, I propose we close this issue.
Closing as resolved.