Closed nscuro closed 4 months ago
Not a regression, but an API change: https://github.com/aquasecurity/trivy/pull/6633
Application.libraries was renamed to Application.packages: https://github.com/aquasecurity/trivy/pull/6633/files#diff-6e749acacaaabfff86d6fd4081426955f2ec744bff55dd5e9def2a2a020d62d1
Following this rename in our code here:
Makes the test pass again.
Question is how do we deal with this. Updating to 0.51.2 behavior will break things for users with older Trivy versions.
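A compatibility shim for the rename nscuro describes, added here as an example; it is not code from Dependency-Track or Trivy. It picks the field name by the target Trivy version and reads an Application object written with either name. Only the `libraries`/`packages` names and the 0.51.2 cutoff come from this thread; the `type` and `file_path` keys and the sample package entries are assumptions.

```python
"""Compatibility shim for the Trivy Application.libraries -> Application.packages rename."""

# First Trivy release that expects "packages" instead of "libraries" (from the thread above).
RENAME_VERSION = (0, 51, 2)


def parse_version(text):
    """'v0.51.2' -> (0, 51, 2); a leading 'v' and any pre-release suffix are dropped."""
    core = text.lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def package_key(trivy_version):
    """Name of the package-list field understood by the given Trivy version."""
    return "packages" if parse_version(trivy_version) >= RENAME_VERSION else "libraries"


def build_application(app_type, file_path, packages, trivy_version):
    """Build the Application object for a scan request, using the field name the target
    server expects. The 'type' and 'file_path' keys are assumptions, not taken from the thread."""
    return {"type": app_type, "file_path": file_path, package_key(trivy_version): list(packages)}


def read_packages(application):
    """Return the package list from an Application object written for either an old or a new Trivy.
    Rejects objects that carry both keys, since it is unclear which list is authoritative."""
    if "packages" in application and "libraries" in application:
        raise ValueError("ambiguous Application: both 'packages' and 'libraries' present")
    for key in ("packages", "libraries"):
        if key in application:
            return application[key]
    raise KeyError("Application has neither 'packages' nor 'libraries'")


if __name__ == "__main__":
    # Constructed sample input; the version string is made up for illustration.
    sample = [{"name": "woodstox-core", "version": "5.0.0"}]
    for version in ("v0.51.1", "v0.51.2"):
        app = build_application("jar", "app.jar", sample, version)
        print(version, "->", package_key(version), read_packages(app))
```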
Current Behavior
Trivy v0.51.2 was released today, and since our integration tests run against Trivy's latest tag, they picked up the new release. The test asserting vulnerabilities in woodstox-core is failing. Trivy no longer reports vulnerabilities for it. https://github.com/DependencyTrack/dependency-track/blob/e87c5cc93a2683912583820ee1f52734d3f4cb6b/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskIntegrationTest.java#L92-L127
The test succeeds when pinning Trivy to v0.51.1. Looks like a regression in Trivy.
Steps to Reproduce
TrivyAnalysisTaskIntegrationTest#test
Expected Behavior
The test should not fail.
Dependency-Track Version
4.12.0-SNAPSHOT
Dependency-Track Distribution
Container Image, Executable WAR
Database Server
N/A
Database Server Version
No response
Browser
N/A