META-INF pom is considered as a vulnerability #5811

o-shevchenko · 2023-12-20T07:16:52Z

o-shevchenko
Dec 20, 2023

Description

Trivy reports vulnerabilities but such jars are not present in our Docker image. Gradle dependencies tree doesn't show it. Debug parameter for Trivy also doesn't show such libs.

After digging into it, we discovered that Trivy probably detects META-INF/pom.xml as a vulnerability.

Particularly, it found META-INF/pom.xml introduced in the last databricks-jdbc jar

Probably, Databricks should fix build for com.databricks:databricks-jdbc:2.6.36 as well, since com.databricks:databricks-jdbc:2.6.34 doesn't include problematic dependencies in META-INF/pom.xml but detection still should be fixed in Trivy for such cases.

Desired Behavior

Trivy doesn't report vulnerability if the actual jar is not present.

Actual Behavior

Trivy reports vulnerability if the actual jar is not present but there is pom.xml with a problematic version

Reproduction Steps

1. Add com.databricks:databricks-jdbc:2.6.36 as a dependency in Gradle project
2. Run Trivy check for vulnerabilities
3. Vulnerabilities for common-compress and logback are detected even if you don't have code in your project.

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

[2023-12-19T20:29:59.431Z] 2023-12-19T20:29:58.474Z	DEBUG	Severities: ["HIGH" "CRITICAL"]
[2023-12-19T20:29:59.431Z] 2023-12-19T20:29:58.475Z	DEBUG	Ignore statuses	{"statuses": null}
[2023-12-19T20:29:59.431Z] 2023-12-19T20:29:58.485Z	DEBUG	cache dir:  /tmp/.cache/trivy
[2023-12-19T20:29:59.431Z] 2023-12-19T20:29:58.485Z	DEBUG	There is no valid metadata file: unable to open a file: open /tmp/.cache/trivy/db/metadata.json: no such file or directory
[2023-12-19T20:29:59.431Z] 2023-12-19T20:29:58.485Z	INFO	Need to update DB
[2023-12-19T20:29:59.431Z] 2023-12-19T20:29:58.486Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
[2023-12-19T20:29:59.431Z] 2023-12-19T20:29:58.486Z	INFO	Downloading DB...
[2023-12-19T20:29:59.431Z] 2023-12-19T20:29:58.486Z	DEBUG	no metadata file
[2023-12-19T20:30:01.163Z] 
[2023-12-19T20:30:01.163Z] 2023-12-19T20:30:01.112Z	DEBUG	Updating database metadata...
[2023-12-19T20:30:01.163Z] 2023-12-19T20:30:01.117Z	DEBUG	DB Schema: 2, UpdatedAt: 2023-12-19 18:12:22.125851037 +0000 UTC, NextUpdate: 2023-12-20 00:12:22.125850456 +0000 UTC, DownloadedAt: 2023-12-19 20:30:01.112380997 +0000 UTC
[2023-12-19T20:30:01.163Z] 2023-12-19T20:30:01.117Z	INFO	Vulnerability scanning is enabled
[2023-12-19T20:30:01.163Z] 2023-12-19T20:30:01.117Z	DEBUG	Vulnerability type:  [os library]
[2023-12-19T20:30:01.163Z] 2023-12-19T20:30:01.117Z	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
[2023-12-19T20:30:01.163Z] 2023-12-19T20:30:01.130Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
[2023-12-19T20:30:01.163Z] 2023-12-19T20:30:01.130Z	DEBUG	Saving the container image to a local file to obtain the image config...
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.765Z	DEBUG	Image ID: sha256:ac871a5c7e4da43a4f8724f1b391f382569f48daa69ca9b42008173b4f7af373
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.765Z	DEBUG	Diff IDs: [sha256:1053d00b8e292c8a36bef630a0f4977b29da4e2fd60ac9425e0fcd1f7c1108d5 sha256:6001b9bfd27a8e10bbcb4491e17104bc78581f326ec30d0446a257acbc336c1e sha256:29d6ba8a30636385f853dc91f9c71f3d24d2f6df081d0f2fe07ef5b9c633bb88 sha256:2beb85be0daf7bff57c8a685185be69252257b346abafafb1e5c878d2fea2ae9 sha256:2a68f69a63a27288bd63edd12a66674ba399891d5d34f27b223229e6197602f5 sha256:f32d3fd941d086e3eea17c88de6ab316634f7b574f68878144ae0aa2acb5a079 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:490cb628ef1868fc13a2df67404e2db66f362cd9fd08fa7b5ea0a43bcf8cd413 sha256:3dddac3a41b6b3f27699c9d5c592769e093ce7cc5b52377abca76bd9cb102c1e sha256:c44a6a3239d81a023026365b61f7afcd8de7b0f50af60542987f6b0570be1bd6 sha256:7087a01081db90b0c983a411ed052d944307aeb268c2e1c2c800fdfdcc912485]
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.765Z	DEBUG	Base Layers: []
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.767Z	DEBUG	Missing image ID in cache: sha256:ac871a5c7e4da43a4f8724f1b391f382569f48daa69ca9b42008173b4f7af373
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.767Z	DEBUG	Missing diff ID in cache: sha256:1053d00b8e292c8a36bef630a0f4977b29da4e2fd60ac9425e0fcd1f7c1108d5
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.767Z	DEBUG	Missing diff ID in cache: sha256:2a68f69a63a27288bd63edd12a66674ba399891d5d34f27b223229e6197602f5
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.767Z	DEBUG	Missing diff ID in cache: sha256:29d6ba8a30636385f853dc91f9c71f3d24d2f6df081d0f2fe07ef5b9c633bb88
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.768Z	DEBUG	Skipping directory: dev
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.767Z	DEBUG	Missing diff ID in cache: sha256:6001b9bfd27a8e10bbcb4491e17104bc78581f326ec30d0446a257acbc336c1e
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.770Z	DEBUG	Missing diff ID in cache: sha256:f32d3fd941d086e3eea17c88de6ab316634f7b574f68878144ae0aa2acb5a079
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.767Z	DEBUG	Missing diff ID in cache: sha256:2beb85be0daf7bff57c8a685185be69252257b346abafafb1e5c878d2fea2ae9
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.774Z	DEBUG	Skipping directory: proc
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.775Z	DEBUG	Skipping directory: sys
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.775Z	DEBUG	Missing diff ID in cache: sha256:490cb628ef1868fc13a2df67404e2db66f362cd9fd08fa7b5ea0a43bcf8cd413
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.782Z	DEBUG	Missing diff ID in cache: sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.787Z	DEBUG	Missing diff ID in cache: sha256:3dddac3a41b6b3f27699c9d5c592769e093ce7cc5b52377abca76bd9cb102c1e
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.798Z	DEBUG	Missing diff ID in cache: sha256:c44a6a3239d81a023026365b61f7afcd8de7b0f50af60542987f6b0570be1bd6
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.807Z	DEBUG	Missing diff ID in cache: sha256:7087a01081db90b0c983a411ed052d944307aeb268c2e1c2c800fdfdcc912485
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.816Z	INFO	Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
[2023-12-19T20:30:09.399Z] 2023-12-19T20:30:08.816Z	INFO	Downloading the Java DB...
[2023-12-19T20:30:25.787Z] 
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.413Z	INFO	The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.414Z	DEBUG	Parsing Java artifacts...	{"file": "usr/local/java/demo/jfc/FileChooserDemo/FileChooserDemo.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.414Z	DEBUG	Parsing Java artifacts...	{"file": "usr/local/java/demo/jfc/Metalworks/Metalworks.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.415Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/animal-sniffer-annotations-1.23.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.415Z	DEBUG	Parsing Java artifacts...	{"file": "usr/local/java/demo/jfc/CodePointIM/CodePointIM.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.415Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/annotations-23.0.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.415Z	DEBUG	Parsing Java artifacts...	{"file": "usr/local/java/demo/jfc/Font2DTest/Font2DTest.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.415Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/annotations-4.1.1.4.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.417Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/aspectjweaver-1.9.20.1.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.418Z	DEBUG	No such POM in the central repositories	{"file": "CodePointIM.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.418Z	DEBUG	Parsing Java artifacts...	{"file": "usr/local/java/demo/jfc/Notepad/Notepad.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.415Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/aopalliance-1.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.415Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/HdrHistogram-2.1.12.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.415Z	DEBUG	Parsing Java artifacts...	{"file": "usr/local/java/demo/jfc/J2Ddemo/J2Ddemo.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.415Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/LatencyUtils-2.0.3.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.419Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/context-propagation-1.1.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.419Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/checker-qual-3.33.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.419Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/commons-lang3-3.13.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.421Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/databricks-jdbc-2.6.36.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.421Z	DEBUG	No such POM in the central repositories	{"file": "FileChooserDemo.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.422Z	DEBUG	Parsing Java artifacts...	{"file": "usr/local/java/demo/jfc/SampleTree/SampleTree.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.422Z	DEBUG	No such POM in the central repositories	{"file": "Metalworks.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.423Z	DEBUG	No such POM in the central repositories	{"file": "SampleTree.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.423Z	DEBUG	Parsing Java artifacts...	{"file": "usr/local/java/demo/jfc/SwingSet2/SwingSet2.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.426Z	DEBUG	No such POM in the central repositories	{"file": "J2Ddemo.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.426Z	DEBUG	Parsing Java artifacts...	{"file": "usr/local/java/demo/jfc/TableExample/TableExample.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.426Z	DEBUG	Parsing Java artifacts...	{"file": "usr/local/java/demo/jfc/Stylepad/Stylepad.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.427Z	DEBUG	No such POM in the central repositories	{"file": "Stylepad.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.427Z	DEBUG	No such POM in the central repositories	{"file": "Font2DTest.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.427Z	DEBUG	No such POM in the central repositories	{"file": "SwingSet2.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.427Z	DEBUG	Parsing Java artifacts...	{"file": "usr/local/java/demo/jfc/TransparentRuler/TransparentRuler.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.428Z	DEBUG	Parsing Java artifacts...	{"file": "usr/local/java/lib/jrt-fs.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.429Z	DEBUG	No such POM in the central repositories	{"file": "Notepad.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.430Z	DEBUG	No such POM in the central repositories	{"file": "jrt-fs.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.430Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/failureaccess-1.0.1.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.432Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/grpc-api-1.59.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.434Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/error_prone_annotations-2.20.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.434Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/grpc-core-1.58.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.438Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/grpc-inprocess-1.58.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.438Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/grpc-kotlin-stub-1.4.1.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.439Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/grpc-netty-shaded-1.58.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.434Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/grpc-context-1.58.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.451Z	DEBUG	No such POM in the central repositories	{"file": "TableExample.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.451Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/grpc-protobuf-1.59.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.454Z	DEBUG	No such POM in the central repositories	{"file": "TransparentRuler.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.454Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/grpc-protobuf-lite-1.59.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.456Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/grpc-services-1.58.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.459Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/grpc-spring-boot-starter-5.1.5.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.460Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/grpc-stub-1.59.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.460Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/guava-32.0.1-jre.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.464Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/j2objc-annotations-2.8.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.464Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/gson-2.10.1.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.464Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/grpc-util-1.58.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.465Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jackson-annotations-2.15.3.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.465Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jackson-core-2.15.3.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.467Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jackson-databind-2.15.3.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.467Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jackson-datatype-jdk8-2.15.3.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.467Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jackson-dataformat-yaml-2.15.3.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.467Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jackson-datatype-jsr310-2.15.3.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.467Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jakarta.activation-api-2.1.2.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.468Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jakarta.annotation-api-2.1.1.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.468Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jackson-module-kotlin-2.15.3.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.468Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jackson-module-parameter-names-2.15.3.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.468Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jakarta.inject-api-2.0.1.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.468Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jakarta.xml.bind-api-4.0.1.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.469Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/javax.annotation-api-1.3.2.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.469Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jakarta.validation-api-3.0.2.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.469Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jersey-common-3.1.4.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.469Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jakarta.ws.rs-api-3.1.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.469Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jsr305-3.0.2.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.469Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jul-to-slf4j-2.0.9.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.469Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/jooq-3.19.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.470Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/kotlin-reflect-1.9.21.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.473Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/kotlin-stdlib-jdk7-1.9.21.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.473Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/kotlin-stdlib-jdk8-1.9.21.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.473Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/kotlin-stdlib-1.9.21.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.474Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/kotlinx-coroutines-core-jvm-1.7.3.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.479Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/kotlinx-datetime-jvm-0.5.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.480Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/kotlinx-serialization-json-jvm-1.6.1.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.480Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.481Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/log4j-api-2.21.1.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.481Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/log4j-to-slf4j-2.21.1.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.481Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/logback-classic-1.4.14.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.481Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/logback-core-1.4.14.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.482Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/micrometer-commons-1.12.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.481Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/kotlinx-serialization-core-jvm-1.6.1.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.483Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/micrometer-core-1.12.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.484Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/micrometer-observation-1.12.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.484Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/micrometer-registry-prometheus-1.12.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.484Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/micrometer-jakarta9-1.12.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.486Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/micrometer-tracing-1.2.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.486Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/micrometer-tracing-bridge-otel-1.2.0.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.487Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-buffer-4.1.101.Final.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.488Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-codec-4.1.101.Final.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.488Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-codec-dns-4.1.101.Final.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.489Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-codec-http2-4.1.101.Final.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.489Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-codec-socks-4.1.101.Final.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.490Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-codec-http-4.1.101.Final.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.490Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-handler-4.1.101.Final.jar"}
[2023-12-19T20:30:25.788Z] 2023-12-19T20:30:25.490Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-common-4.1.101.Final.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.491Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-resolver-4.1.101.Final.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.491Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-resolver-dns-4.1.101.Final.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.490Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-handler-proxy-4.1.101.Final.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.491Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-resolver-dns-native-macos-4.1.101.Final-osx-x86_64.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.492Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-tcnative-boringssl-static-2.0.61.Final.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.492Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-tcnative-classes-2.0.61.Final.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.492Z	DEBUG	No such POM in the central repositories	{"file": "netty-resolver-dns-native-macos-4.1.101.Final-osx-x86_64.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.491Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-resolver-dns-classes-macos-4.1.101.Final.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.494Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-transport-4.1.101.Final.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.494Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-transport-native-epoll-4.1.101.Final-linux-x86_64.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.494Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-transport-classes-epoll-4.1.101.Final.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.495Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/netty-transport-native-unix-common-4.1.101.Final.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.495Z	DEBUG	No such POM in the central repositories	{"file": "netty-transport-native-epoll-4.1.101.Final-linux-x86_64.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.495Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/okhttp-4.12.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.496Z	DEBUG	POM was determined in a heuristic way	{"file": "netty-transport-native-epoll-4.1.101.Final-linux-x86_64.jar", "artifact": "io.netty:netty-transport-native-epoll:4.1.101.Final-linux-x86_64"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.494Z	DEBUG	POM was determined in a heuristic way	{"file": "netty-resolver-dns-native-macos-4.1.101.Final-osx-x86_64.jar", "artifact": "io.netty:netty-resolver-dns-native-macos:4.1.101.Final-osx-x86_64"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.496Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-api-1.31.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.496Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-api-events-1.31.0-alpha.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.497Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-context-1.31.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.497Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/okio-jvm-3.6.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.497Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-exporter-common-1.31.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.500Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-exporter-otlp-common-1.31.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.499Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-exporter-otlp-1.31.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.501Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-exporter-sender-okhttp-1.31.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.502Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-extension-trace-propagators-1.31.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.502Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-instrumentation-api-1.31.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.503Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-extension-incubator-1.31.0-alpha.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.503Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-instrumentation-api-semconv-1.31.0-alpha.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.504Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-sdk-1.31.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.504Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-sdk-extension-autoconfigure-spi-1.31.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.504Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-sdk-common-1.31.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.505Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-sdk-logs-1.31.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.505Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-sdk-trace-1.31.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.505Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-sdk-metrics-1.31.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.505Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/opentelemetry-semconv-1.21.0-alpha.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.506Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/osgi-resource-locator-1.0.3.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.507Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/proto-google-common-protos-2.22.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.507Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/perfmark-api-0.26.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.507Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/protobuf-java-3.25.1.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.508Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/protobuf-kotlin-3.25.1.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.508Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/r2dbc-spi-1.0.0.RELEASE.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.509Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/reactive-streams-1.0.4.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.509Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/reactor-core-3.6.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.510Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/protobuf-java-util-3.25.1.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.511Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/reactor-netty-core-1.1.13.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.512Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/reactor-netty-http-1.1.13.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.512Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/simpleclient-0.16.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.513Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/simpleclient_tracer_common-0.16.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.513Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/simpleclient_tracer_otel-0.16.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.513Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/simpleclient_tracer_otel_agent-0.16.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.513Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/slf4j-api-2.0.9.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.513Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/snakeyaml-2.2.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.513Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/simpleclient_common-0.16.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.514Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-aop-6.1.1.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.514Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-beans-6.1.1.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.516Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-boot-actuator-3.2.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.514Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-boot-3.2.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.518Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-boot-autoconfigure-3.2.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.519Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-boot-devtools-3.2.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.520Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-boot-starter-3.2.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.521Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-boot-starter-actuator-3.2.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.521Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-boot-starter-aop-3.2.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.522Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-boot-starter-json-3.2.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.522Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-boot-starter-logging-3.2.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.522Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-boot-starter-reactor-netty-3.2.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.523Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-boot-starter-webflux-3.2.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.523Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-context-6.1.1.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.527Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-boot-actuator-autoconfigure-3.2.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.527Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-core-6.1.1.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.533Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-web-6.1.1.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.534Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-webflux-6.1.1.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.538Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/springdoc-openapi-starter-common-2.3.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.538Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-expression-6.1.1.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.540Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/springdoc-openapi-starter-webflux-api-2.3.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.540Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/spring-jcl-6.1.1.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.540Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/swagger-core-jakarta-2.2.19.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.541Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/swagger-models-jakarta-2.2.19.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.541Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/springdoc-openapi-starter-webflux-ui-2.3.0.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.541Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/swagger-ui-5.10.3.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.541Z	DEBUG	Parsing Java artifacts...	{"file": "home/user/libs/swagger-annotations-jakarta-2.2.19.jar"}
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.682Z	DEBUG	No secrets found in container image config
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.734Z	INFO	Detected OS: redhat
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.734Z	INFO	Detecting RHEL/CentOS vulnerabilities...
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.734Z	DEBUG	Red Hat: os version: 8
[2023-12-19T20:30:25.789Z] 2023-12-19T20:30:25.734Z	DEBUG	Red Hat: the number of packages: 101
[2023-12-19T20:30:26.232Z] 2023-12-19T20:30:25.792Z	INFO	Number of language-specific files: 1
[2023-12-19T20:30:26.232Z] 2023-12-19T20:30:25.792Z	INFO	Detecting jar vulnerabilities...
[2023-12-19T20:30:26.232Z] 2023-12-19T20:30:25.792Z	DEBUG	Detecting library vulnerabilities, type: jar, path:

Operating System

Linux

Version

TRIVY_IMAGE='aquasec/trivy:0.48.1'

Checklist

Run trivy image --reset
Read the troubleshooting

DmitriyLewen · 2023-12-20T09:59:36Z

DmitriyLewen
Dec 20, 2023
Maintainer

Hello @o-shevchenko
Thanks for your report.

You're almost right.
Trivy checks pom.propetries files inside jar files - https://aquasecurity.github.io/trivy/v0.48/docs/coverage/language/java/#jarwarparear

But why you think we don't need to include these dependencies in result?
Maven added pom.properties files for dependencies used in your jar.
So if your jar contains vulnerable dependency - we should report it.

0 replies

o-shevchenko · 2023-12-20T11:11:45Z

o-shevchenko
Dec 20, 2023
Author

Hey @DmitriyLewen , thanks for the response!
That's an interesting case.

But why you think we don't need to include these dependencies in result?

Because com.databricks:databricks-jdbc:2.6.36 doesn't bring any transitive dependencies (See ./gradlew dependencies)

The reported jars are NOT present in Docker and Java class path as well.
So, our application code is not affected by reported CVEs, since jar with code is simply not present.
Moreover, usually, when you have a CVE in a transitive dependency, you can override a version of it by specifying it explicitly. As a result the problematic dependency will be evicted by the newer version.

But that's not the case here, even if you specify a newer version of the dependency and it will be present in classpath, Trivy still will be reporting vulnerability.
I think the application is not affected by CVEs. com.databricks:databricks-jdbc:2.6.36 is not affected by CVEs. So, such a report is false-positive.

Don't you agree?

5 replies

DmitriyLewen Dec 20, 2023
Maintainer

It is more seems on problem in com.databricks:databricks-jdbc:2.6.36.jar.
Maven docs says - The pom.xml and pom.properties files are packaged up in the JAR so that each artifact produced by Maven is self-describing and also allows you to utilize the metadata in your own application if the need arises. .

com.databricks:databricks-jdbc:2.6.36 doesn't use dependencies (i checked thier pom.xml file), but why does jar file contain unused self-described artifacts?

o-shevchenko Dec 20, 2023
Author

I think Databricks jar should be fixed as well. I've opened discussion, that's strange that 2.6.35 is missed and 2.5.36 includes such changes. Probably, something wrong with build process. But it's a wild guess since I don't see source code.

But anyway, I'm not sure that Trivy handles such a case correctly. That's why I opened this ticket.

DmitriyLewen Dec 21, 2023
Maintainer

I think Trivy works correctly.
We don't parse code files (.class, etc.) to understand that your application doesn't use these wrong added dependencies.
Tell us, if you have any ideas on how we can detect that dependencies are not being used.

o-shevchenko Dec 21, 2023
Author

I'm not sure about implementation here, I think you are more familiar with the codebase and logic to find out how to improve detection. Maybe we should just check jars in classpath, maybe we should be able to disable pom.properties check. But I found a case where we have a false-positive result, so that's the chance to improve Trivy.

DmitriyLewen Dec 21, 2023
Maintainer

Let's wait Databricks
Perhaps their answer will help us understand how we need to act in such cases.

o-shevchenko · 2024-12-05T18:28:26Z

o-shevchenko
Dec 5, 2024
Author

We faced this issue again. Trivy reports CVE-2023-2976 in com.google.guava:guava[0/31.1-jre/] that comes from databricks-jdbc-2.6.40.jar

1 reply

DmitriyLewen Dec 6, 2024
Maintainer

Hello @o-shevchenko
I checked databricks-jdbc-2.6.40.jar and IIUC this is same case.

If you sure that databricks-jdbc-2.6.40.jar doesn't use com.google.guava:guava:31.1-jre - you can create VEX.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

META-INF pom is considered as a vulnerability #5811

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 3 comments 6 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

META-INF pom is considered as a vulnerability #5811

o-shevchenko Dec 20, 2023

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 3 comments · 6 replies

DmitriyLewen Dec 20, 2023 Maintainer

o-shevchenko Dec 20, 2023 Author

DmitriyLewen Dec 20, 2023 Maintainer

o-shevchenko Dec 20, 2023 Author

DmitriyLewen Dec 21, 2023 Maintainer

o-shevchenko Dec 21, 2023 Author

DmitriyLewen Dec 21, 2023 Maintainer

o-shevchenko Dec 5, 2024 Author

DmitriyLewen Dec 6, 2024 Maintainer

o-shevchenko
Dec 20, 2023

Replies: 3 comments 6 replies

DmitriyLewen
Dec 20, 2023
Maintainer

o-shevchenko
Dec 20, 2023
Author

DmitriyLewen Dec 20, 2023
Maintainer

o-shevchenko Dec 20, 2023
Author

DmitriyLewen Dec 21, 2023
Maintainer

o-shevchenko Dec 21, 2023
Author

DmitriyLewen Dec 21, 2023
Maintainer

o-shevchenko
Dec 5, 2024
Author

DmitriyLewen Dec 6, 2024
Maintainer