Trivy Scan of Java pom.xml breaks #8097

Orrimp · 2024-12-13T15:27:56Z

Orrimp
Dec 13, 2024

Description

As of https://trivy.dev/v0.58/docs/coverage/language/#supported-languages there is support for pom.xml files and even JAR files.
With the latest version of Trivy 0.58 I am unable to get any CVEs based on pom.xml dependencies.

What have I tried:

My large Spring Boot Microservice with dozens of dependencies
Spring Initializr with Web, Lombok dependencies
Apache Maven Archtype Pom.xml
Construction an SBOM and using the SBOM to scan with trivy sbom
Scanning the Image containing the JAR

We are using Trivy for Image Scan and for JAR or FS Scan to have both reports. Image CVE scanning works fine, but we are unable to check pom.xml or JARs for vulnerabilities.

I am doing something fundamentally wrong here?

Desired Behavior

A table (even empty) with CVEs found in the dependencies of my pom.xml file. I expect the same view as in trivy image with all the CVEs in the image but for my filesystem or JAR (rootfs)

Actual Behavior

trivy fs against a Spring Boot Maven Project with Web dependency:
For me, it seems like the Trivy breaks when scanning pom or JAR files and does not really execute the scan. It's way too fast.

trivy fs demo
2024-12-13T16:22:25+01:00       INFO    [vuln] Vulnerability scanning is enabled
2024-12-13T16:22:25+01:00       INFO    [secret] Secret scanning is enabled
2024-12-13T16:22:25+01:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-13T16:22:25+01:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-13T16:22:28+01:00       INFO    Number of language-specific files       num=1
2024-12-13T16:22:28+01:00       INFO    [pom] Detecting vulnerabilities...
<NEW COMMAND>

Reproduction Steps

1. Create A new Project with Spring Initzr https://start.spring.io/ 
2. Execute `trivy fs`against the downloaded directory
3. Receive no report what's so ever

Target

Filesystem

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

trivy fs demo/ --debug
2024-12-13T16:18:05+01:00       DEBUG   No plugins loaded
2024-12-13T16:18:05+01:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-12-13T16:18:05+01:00       DEBUG   Cache dir       dir="/home/orrimp/.cache/trivy"
2024-12-13T16:18:05+01:00       DEBUG   Cache dir       dir="/home/orrimp/.cache/trivy"
2024-12-13T16:18:05+01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-12-13T16:18:05+01:00       DEBUG   Ignore statuses statuses=[]
2024-12-13T16:18:05+01:00       DEBUG   DB update was skipped because the local DB is the latest
2024-12-13T16:18:05+01:00       DEBUG   DB info schema=2 updated_at=2024-12-13T12:16:44.472392691Z next_update=2024-12-14T12:16:44.472392221Z downloaded_at=2024-12-13T14:24:29.634863041Z
2024-12-13T16:18:05+01:00       DEBUG   [pkg] Package types     types=[os library]
2024-12-13T16:18:05+01:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2024-12-13T16:18:05+01:00       INFO    [vuln] Vulnerability scanning is enabled
2024-12-13T16:18:05+01:00       INFO    [secret] Secret scanning is enabled
2024-12-13T16:18:05+01:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-13T16:18:05+01:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-13T16:18:05+01:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-12-13T16:18:05+01:00       DEBUG   Initializing scan cache...      type="memory"
2024-12-13T16:18:05+01:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Start parent      artifact="org.springframework.boot:spring-boot-starter-parent:3.4.0"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Start parent      artifact="org.springframework.boot:spring-boot-dependencies:3.4.0"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Exit parent       artifact="org.springframework.boot:spring-boot-dependencies:3.4.0"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Exit parent       artifact="org.springframework.boot:spring-boot-starter-parent:3.4.0"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="org.apache.activemq" artifact_id="activemq-bom" version="6.1.4"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="org.apache.activemq" artifact_id="artemis-bom" version="2.37.0"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Start parent      artifact="org.apache.activemq:artemis-project:2.37.0"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:33"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:33"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Exit parent       artifact="org.apache.activemq:artemis-project:2.37.0"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="org.assertj" artifact_id="assertj-bom" version="3.26.3"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="io.zipkin.reporter2" artifact_id="zipkin-reporter-bom" version="3.4.2"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="io.zipkin.brave" artifact_id="brave-bom" version="6.0.3"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="org.apache.cassandra" artifact_id="java-driver-bom" version="4.18.1"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="org.glassfish.jaxb" artifact_id="jaxb-bom" version="4.0.5"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Start parent      artifact="org.eclipse.ee4j:project:1.0.9"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Exit parent       artifact="org.eclipse.ee4j:project:1.0.9"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="org.apache.groovy" artifact_id="groovy-bom" version="4.0.24"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="org.infinispan" artifact_id="infinispan-bom" version="15.0.11.Final"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Start parent      artifact="org.infinispan:infinispan-build-configuration-parent:15.0.11.Final"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Start parent      artifact="org.jboss:jboss-parent:43"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Exit parent       artifact="org.jboss:jboss-parent:43"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Exit parent       artifact="org.infinispan:infinispan-build-configuration-parent:15.0.11.Final"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson" artifact_id="jackson-bom" version="2.18.1"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.18.1"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:61"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:61"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.18.1"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="org.glassfish.jersey" artifact_id="jersey-bom" version="3.1.9"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Start parent      artifact="org.eclipse.ee4j:project:1.0.9"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Exit parent       artifact="org.eclipse.ee4j:project:1.0.9"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="org.eclipse.jetty.ee10" artifact_id="jetty-ee10-bom" version="12.0.15"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="org.eclipse.jetty" artifact_id="jetty-bom" version="12.0.15"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.11.3"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="org.jetbrains.kotlin" artifact_id="kotlin-bom" version="1.9.25"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="org.jetbrains.kotlinx" artifact_id="kotlinx-coroutines-bom" version="1.8.1"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="org.jetbrains.kotlinx" artifact_id="kotlinx-serialization-bom" version="1.6.3"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="org.apache.logging.log4j" artifact_id="log4j-bom" version="2.24.1"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Start parent      artifact="org.apache.logging:logging-parent:11.3.0"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:33"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:33"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Exit parent       artifact="org.apache.logging:logging-parent:11.3.0"
2024-12-13T16:18:05+01:00       DEBUG   [pom] Resolving...      group_id="io.micrometer" artifact_id="micrometer-bom" version="1.14.1"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="io.micrometer" artifact_id="micrometer-tracing-bom" version="1.4.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="io.micrometer" artifact_id="micrometer-bom" version="1.14.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.mockito" artifact_id="mockito-bom" version="5.14.2"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-bom" version="4.1.115.Final"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="io.opentelemetry" artifact_id="opentelemetry-bom" version="1.43.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="io.prometheus" artifact_id="prometheus-metrics-bom" version="1.3.3"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Start parent      artifact="io.prometheus:client_java:1.3.3"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Exit parent       artifact="io.prometheus:client_java:1.3.3"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="io.prometheus" artifact_id="simpleclient_bom" version="0.16.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Start parent      artifact="io.prometheus:parent:0.16.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Exit parent       artifact="io.prometheus:parent:0.16.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.apache.pulsar" artifact_id="pulsar-bom" version="3.3.2"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:29"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:29"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="com.querydsl" artifact_id="querydsl-bom" version="5.1.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="io.projectreactor" artifact_id="reactor-bom" version="2024.0.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="io.rest-assured" artifact_id="rest-assured-bom" version="5.5.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="io.rsocket" artifact_id="rsocket-bom" version="1.1.3"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.seleniumhq.selenium" artifact_id="selenium-bom" version="4.25.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.amqp" artifact_id="spring-amqp-bom" version="3.2.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.batch" artifact_id="spring-batch-bom" version="5.2.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.data" artifact_id="spring-data-bom" version="2024.1.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework" artifact_id="spring-framework-bom" version="6.2.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.integration" artifact_id="spring-integration-bom" version="6.4.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.pulsar" artifact_id="spring-pulsar-bom" version="1.2.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.restdocs" artifact_id="spring-restdocs-bom" version="3.0.3"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.security" artifact_id="spring-security-bom" version="6.4.1"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.session" artifact_id="spring-session-bom" version="3.4.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.ws" artifact_id="spring-ws-bom" version="4.0.11"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.testcontainers" artifact_id="testcontainers-bom" version="1.20.4"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.boot" artifact_id="spring-boot-starter-hateoas" version="3.4.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.boot" artifact_id="spring-boot-starter-web" version="3.4.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.hateoas" artifact_id="spring-hateoas" version="2.4.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.boot" artifact_id="spring-boot-starter" version="3.4.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.boot" artifact_id="spring-boot-starter-json" version="3.4.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.boot" artifact_id="spring-boot-starter-tomcat" version="3.4.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework" artifact_id="spring-web" version="6.2.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework" artifact_id="spring-webmvc" version="6.2.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework" artifact_id="spring-aop" version="6.2.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework" artifact_id="spring-beans" version="6.2.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework" artifact_id="spring-context" version="6.2.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework" artifact_id="spring-core" version="6.2.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.plugin" artifact_id="spring-plugin-core" version="3.0.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="com.jayway.jsonpath" artifact_id="json-path" version="2.9.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.slf4j" artifact_id="slf4j-api" version="2.0.16"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Start parent      artifact="org.slf4j:slf4j-parent:2.0.16"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Start parent      artifact="org.slf4j:slf4j-bom:2.0.16"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Exit parent       artifact="org.slf4j:slf4j-bom:2.0.16"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Exit parent       artifact="org.slf4j:slf4j-parent:2.0.16"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.boot" artifact_id="spring-boot" version="3.4.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.boot" artifact_id="spring-boot-autoconfigure" version="3.4.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.boot" artifact_id="spring-boot-starter-logging" version="3.4.0"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="jakarta.annotation" artifact_id="jakarta.annotation-api" version="2.1.1"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Start parent      artifact="org.eclipse.ee4j:project:1.0.7"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Exit parent       artifact="org.eclipse.ee4j:project:1.0.7"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="org.yaml" artifact_id="snakeyaml" version="2.3"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.core" artifact_id="jackson-databind" version="2.18.1"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.18.1"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-bom:2.18.1"
2024-12-13T16:18:06+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:61"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:61"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-bom:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.10.2"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.datatype" artifact_id="jackson-datatype-jdk8" version="2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson.module:jackson-modules-java8:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-bom:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:61"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:61"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-bom:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson.module:jackson-modules-java8:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.datatype" artifact_id="jackson-datatype-jsr310" version="2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson.module:jackson-modules-java8:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-bom:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:61"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:61"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-bom:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson.module:jackson-modules-java8:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.module" artifact_id="jackson-module-parameter-names" version="2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson.module:jackson-modules-java8:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-bom:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:61"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:61"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-bom:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson.module:jackson-modules-java8:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="org.apache.tomcat.embed" artifact_id="tomcat-embed-core" version="10.1.33"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="org.apache.tomcat.embed" artifact_id="tomcat-embed-el" version="10.1.33"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="org.apache.tomcat.embed" artifact_id="tomcat-embed-websocket" version="10.1.33"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="io.micrometer" artifact_id="micrometer-observation" version="1.14.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework" artifact_id="spring-expression" version="6.2.0"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework" artifact_id="spring-jcl" version="6.2.0"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="net.minidev" artifact_id="json-smart" version="2.5.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="ch.qos.logback" artifact_id="logback-classic" version="1.5.12"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="ch.qos.logback:logback-parent:1.5.12"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="ch.qos.logback:logback-parent:1.5.12"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="org.apache.logging.log4j" artifact_id="log4j-to-slf4j" version="2.24.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="org.apache.logging.log4j:log4j:2.24.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="org.apache.logging.log4j:log4j-bom:2.24.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="org.apache.logging:logging-parent:11.3.0"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:33"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:33"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="org.apache.logging:logging-parent:11.3.0"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="org.apache.logging.log4j:log4j-bom:2.24.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="org.apache.logging.log4j:log4j:2.24.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="org.apache.groovy" artifact_id="groovy-bom" version="4.0.22"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson" artifact_id="jackson-bom" version="2.17.2"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.17"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:58"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:58"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.17"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="jakarta.platform" artifact_id="jakarta.jakartaee-bom" version="9.1.0"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="jakarta.platform:jakartaee-api-parent:9.1.0"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="org.eclipse.ee4j:project:1.0.7"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="org.eclipse.ee4j:project:1.0.7"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="jakarta.platform:jakartaee-api-parent:9.1.0"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.10.3"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="org.mockito" artifact_id="mockito-bom" version="4.11.0"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework" artifact_id="spring-framework-bom" version="5.3.39"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="org.slf4j" artifact_id="jul-to-slf4j" version="2.0.16"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="org.slf4j:slf4j-parent:2.0.16"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="org.slf4j:slf4j-bom:2.0.16"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="org.slf4j:slf4j-bom:2.0.16"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="org.slf4j:slf4j-parent:2.0.16"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.core" artifact_id="jackson-annotations" version="2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:61"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:61"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.core" artifact_id="jackson-core" version="2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-bom:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.18.1"
2024-12-13T16:18:07+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:61"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:61"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.18.1"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-bom:2.18.1"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.18.1"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Resolving...      group_id="io.micrometer" artifact_id="micrometer-commons" version="1.14.1"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Resolving...      group_id="net.minidev" artifact_id="accessors-smart" version="2.5.1"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Resolving...      group_id="ch.qos.logback" artifact_id="logback-core" version="1.5.12"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Start parent      artifact="ch.qos.logback:logback-parent:1.5.12"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Exit parent       artifact="ch.qos.logback:logback-parent:1.5.12"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Resolving...      group_id="org.apache.logging.log4j" artifact_id="log4j-api" version="2.24.1"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Start parent      artifact="org.apache.logging.log4j:log4j:2.24.1"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Start parent      artifact="org.apache.logging.log4j:log4j-bom:2.24.1"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Start parent      artifact="org.apache.logging:logging-parent:11.3.0"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:33"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:33"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Exit parent       artifact="org.apache.logging:logging-parent:11.3.0"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Exit parent       artifact="org.apache.logging.log4j:log4j-bom:2.24.1"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Exit parent       artifact="org.apache.logging.log4j:log4j:2.24.1"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Resolving...      group_id="org.ow2.asm" artifact_id="asm" version="9.6"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Start parent      artifact="org.ow2:ow2:1.5.1"
2024-12-13T16:18:08+01:00       DEBUG   [pom] Exit parent       artifact="org.ow2:ow2:1.5.1"
2024-12-13T16:18:08+01:00       DEBUG   OS is not detected.
2024-12-13T16:18:08+01:00       DEBUG   Detected OS: unknown
2024-12-13T16:18:08+01:00       INFO    Number of language-specific files       num=1
2024-12-13T16:18:08+01:00       INFO    [pom] Detecting vulnerabilities...
2024-12-13T16:18:08+01:00       DEBUG   [pom] Scanning packages for vulnerabilities     file_path="pom.xml"
2024-12-13T16:18:08+01:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2024-12-13T16:18:08+01:00       DEBUG   [vex] VEX filtering is disabled

Operating System

macOS and Windows

Version

trivy --version
Version: 0.58.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-12-13 12:16:44.472392691 +0000 UTC
  NextUpdate: 2024-12-14 12:16:44.472392221 +0000 UTC
  DownloadedAt: 2024-12-13 14:24:29.634863041 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

DmitriyLewen · 2024-12-16T10:08:49Z

DmitriyLewen
Dec 16, 2024
Maintainer

Hello @Orrimp
Thanks for your interest to Trivy!

The debug log shows that Trivy detects Packages of your pom.xml file.

If the table is empty - these packages are not vulnerable.

Please scan your pom.xml file with the -f json --list-all-pkgs flag.

if Trivy does not detect a package - send me a test pom.xml file for investigation.
if Trivy does not detect a vulnerability for a package - tell me the package, version and CVE number for this vulnerability.

Regards, Dmitriy

0 replies

Orrimp · 2024-12-16T11:16:19Z

Orrimp
Dec 16, 2024
Author

Hi, Thank you for your reply. From my view the scan is aborted. There is no Table and even no list of iffent CVE severity's like trivy image. I would be happy to have an output with CVEs(0) or HIGH(0). The list of packages is filled with your output.

…

On Mon, 16 Dec 2024, 11:09 DmitriyLewen, ***@***.***> wrote: Hello @Orrimp <https://github.com/Orrimp> Thanks for your interest to Trivy! The debug log shows that Trivy detects Packages of your pom.xml file. If the table is empty - these packages are not vulnerable. Please scan your pom.xml file with the -f json --list-all-pkgs flag. - if Trivy does not detect a package - send me a test pom.xml file for investigation. - if Trivy does not detect a vulnerability for a package - tell me the package, version and CVE number for this vulnerability. Regards, Dmitriy — Reply to this email directly, view it on GitHub <#8097 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABTESONOS7ZUGKHCLNT55IT2F2RENAVCNFSM6AAAAABTSGYP5CVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTCNJXHEZDQNI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

1 reply

DmitriyLewen Dec 16, 2024
Maintainer

Trivy shows empty table on for OS packages - #2548 (comment)

If Trivy fails, it will return an exit code.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy Scan of Java pom.xml breaks #8097

{{title}}

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Trivy Scan of Java pom.xml breaks #8097

Orrimp Dec 13, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments · 1 reply

DmitriyLewen Dec 16, 2024 Maintainer

Orrimp Dec 16, 2024 Author

DmitriyLewen Dec 16, 2024 Maintainer

Orrimp
Dec 13, 2024

Replies: 2 comments 1 reply

DmitriyLewen
Dec 16, 2024
Maintainer

Orrimp
Dec 16, 2024
Author

DmitriyLewen Dec 16, 2024
Maintainer