DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

`TrivyAnalysisTaskIntegrationTest#test` fails with Trivy v0.51.2 #3737

Closed nscuro closed 4 months ago

nscuro commented 4 months ago

Current Behavior

Trivy v0.51.2 was released today, and since our integration tests run against Trivy's latest tag, they picked up the new release.

The test asserting for vulnerabilities in woodstox-core is failing. Trivy no longer reports vulnerabilities for it.

https://github.com/DependencyTrack/dependency-track/blob/e87c5cc93a2683912583820ee1f52734d3f4cb6b/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskIntegrationTest.java#L92-L127

The test succeeds when pinning Trivy to v0.51.1. Looks like a regression in Trivy.

Steps to Reproduce

  1. Execute TrivyAnalysisTaskIntegrationTest#test

Expected Behavior

The test should not fail.

Dependency-Track Version

4.12.0-SNAPSHOT

Dependency-Track Distribution

Container Image, Executable WAR

Database Server

N/A

Database Server Version

No response

Browser

N/A

Checklist

nscuro commented 4 months ago

Not a regression, but an API change: https://github.com/aquasecurity/trivy/pull/6633

Application.libraries was renamed to Application.packages: https://github.com/aquasecurity/trivy/pull/6633/files#diff-6e749acacaaabfff86d6fd4081426955f2ec744bff55dd5e9def2a2a020d62d1

Following this rename in our code here:

https://github.com/DependencyTrack/dependency-track/blob/e87c5cc93a2683912583820ee1f52734d3f4cb6b/src/main/java/org/dependencytrack/parser/trivy/model/Application.java#L23-L25

Makes the test pass again.

The question is how we deal with this. Updating to 0.51.2 behavior will break things for users with older Trivy versions.
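One way to stay compatible with Trivy servers on either side of the rename is to pick the key name from the server's version and to accept either key when reading the object back. The following is an added example in Python, not Dependency-Track's Java model; the JSON key names `type`, `filePath`, `name` and `version`, the sample package, and the both-keys fallback for an unknown server version are assumptions.

```python
"""Serialise/deserialise a Trivy 'Application' object across the
libraries -> packages rename that shipped in Trivy v0.51.2 (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

RENAME_VERSION = (0, 51, 2)  # first Trivy release expecting "packages"


def parse_version(v: str) -> tuple[int, ...]:
    """'v0.51.2' or '0.51.2' -> (0, 51, 2), comparable as a tuple."""
    return tuple(int(part) for part in v.lstrip("v").split("."))


@dataclass
class Package:
    name: str
    version: str

    def to_dict(self) -> dict:
        return {"name": self.name, "version": self.version}  # assumed key names


@dataclass
class Application:
    type: str
    file_path: str
    packages: list[Package] = field(default_factory=list)

    def to_dict(self, trivy_version: str | None) -> dict:
        """Emit the key the target Trivy version understands."""
        d = {"type": self.type, "filePath": self.file_path}  # assumed key names
        pkgs = [p.to_dict() for p in self.packages]
        if trivy_version is None:
            # Server version unknown: emit both keys (assumption: a server
            # ignores the key it does not know, as Go's encoding/json does).
            d["libraries"], d["packages"] = pkgs, pkgs
        elif parse_version(trivy_version) >= RENAME_VERSION:
            d["packages"] = pkgs
        else:
            d["libraries"] = pkgs
        return d


def application_from_dict(d: dict) -> Application:
    """Accept either spelling so reports from old and new Trivy both parse."""
    raw = d.get("packages")
    if raw is None:
        raw = d.get("libraries", [])
    return Application(d["type"], d["filePath"],
                       [Package(p["name"], p["version"]) for p in raw])
```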

github-actions[bot] commented 3 months ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.