anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

Ignoring Java test dependencies #985

Open lossurdo opened 2 years ago

lossurdo commented 2 years ago

What would you like to be added:

Some way to ignore Java test dependencies like this vulnerable-legacy log4j:

<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.17</version>
    <scope>test</scope>
</dependency>

Why is this needed:

Test libs are not packaged in the final JAR/WAR file. Scope "provided" is not packaged either.

Additional context:

Grype reporting log4j test libs:

log4j                 1.2.17                       java-archive  CVE-2022-23307       High
log4j                 1.2.17                       java-archive  GHSA-2qrg-x229-3v8q  Critical
log4j                 1.2.17                       java-archive  CVE-2022-23305       Critical
log4j                 1.2.17                       java-archive  GHSA-w9p3-5cr8-m3jj  High
log4j                 1.2.17                       java-archive  CVE-2020-9493        Critical
log4j                 1.2.17                       java-archive  CVE-2022-23302       High
log4j                 1.2.17                       java-archive  CVE-2019-17571       Critical
log4j                 1.2.17                       java-archive  GHSA-65fg-84f6-3jq3  Critical
log4j                 1.2.17                       java-archive  GHSA-fp5r-v3w9-4333  High

kzantow commented 2 years ago

This sounds like a very good enhancement @lossurdo.

It seems to me there is a possibility that a test dependency gets hijacked and results in executing malicious code of some sort during test runs, so this information would probably be good to include by default.

But adding a flag to the Java cataloger to only include "packaged" dependencies or something of the sort might be fairly straightforward. Would this accomplish what you are looking for?

kzantow commented 2 years ago

I think what we might like to do here is:

1) if scanning a jar that has an embedded pom.xml, we would assume this is a runtime dependency and exclude test, provided and maybe more
2) if scanning source, we probably want to include test dependencies because these will be executed while running tests, perhaps we add a flag to omit these

cc: @wagoodman

lossurdo commented 2 years ago

Hi @kzantow!

Maybe something like this in the Grype ignore YAML:

ignore:
  - pom:
      scope: test

ignore:
  - pom:
      scope: provided

No matter whether the pom.xml is found in source code or inside a WAR/EAR file.
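Until a scope-aware option exists in the cataloger, the two behaviours discussed in this thread (drop test/provided dependencies when deciding what ships, and express that decision as Grype ignore rules) can be prototyped outside the tool. The script below is an added example written for this issue, not code from the Grype project: it parses a constructed pom.xml, treats a missing scope as Maven's default compile, resolves ${property} references in versions, and emits ignore rules using Grype's existing package name/version/type matchers rather than the proposed pom.scope key.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POM for this example (not taken from the issue).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <junit.version>4.13.2</junit.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>${junit.version}</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>javax.servlet-api</artifactId>
      <version>4.0.1</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.13.0</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Scopes whose artifacts are not copied into the final JAR/WAR (assumption
# for this example; adjust if your build packages provided deps itself).
NON_PACKAGED_SCOPES = {"test", "provided"}


def parse_dependencies(pom_xml):
    """Return (groupId, artifactId, version, scope) tuples from a POM.
    A missing <scope> is Maven's default 'compile'; ${prop} references in
    <version> are resolved against this POM's own <properties>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}

    def resolve(value):
        # Leave unknown properties untouched so they are visible in output.
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), value)

    deps = []
    for d in root.findall("m:dependencies/m:dependency", NS):
        def text(tag, default=""):
            el = d.find(f"m:{tag}", NS)
            return (el.text or default).strip() if el is not None else default
        deps.append((text("groupId"), text("artifactId"),
                     resolve(text("version")), text("scope", "compile")))
    return deps


def packaged_dependencies(deps):
    """Dependencies that would end up in the shipped artifact."""
    return [d for d in deps if d[3] not in NON_PACKAGED_SCOPES]


def ignore_rules(deps):
    """Grype ignore rules for dependencies that are not shipped.
    Uses the package.name / package.version / package.type matchers that
    Grype's ignore configuration already supports."""
    return [{"package": {"name": artifact, "version": version,
                         "type": "java-archive"}}
            for _group, artifact, version, scope in deps
            if scope in NON_PACKAGED_SCOPES]


def render_yaml(rules):
    """Render the rules as a .grype.yaml 'ignore:' block."""
    lines = ["ignore:"]
    for r in rules:
        pkg = r["package"]
        lines.append("  - package:")
        lines.append(f"      name: {pkg['name']}")
        lines.append(f"      version: {pkg['version']}")
        lines.append(f"      type: {pkg['type']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    deps = parse_dependencies(SAMPLE_POM)
    print("packaged:", [d[1] for d in packaged_dependencies(deps)])
    print(render_yaml(ignore_rules(deps)))
```

Two caveats when using output like this: a name/version rule matches that artifact wherever Grype finds it, so a compile-scoped copy of the same log4j jar pulled in by another module would be hidden as well (narrow the rule with Grype's package.location matcher if that matters), and, as noted above, a test-scoped dependency still executes during test runs, so hiding it from the shipped-artifact view does not remove it from the build's attack surface.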