BOM dependencies are parsed correctly when the BOM is set in the <dependencyManagement> of the analysed project.
If the analysed project uses a BOM A that itself contains another BOM B, the dependencies from A are parsed but the dependencies from B are not.
Dependencies coming from BOM B are not found and the following message is displayed:
[DEBUG] org.camunda.bpm:camunda-engine: was not found in local/remote repositories
The message comes from: https://github.com/aquasecurity/go-dep-parser/blob/245251acdcb8cbef92773c2675021d629a371bc8/pkg/java/pom/parse.go#L591
I wanted to start a fix based on a recursive method to manage BOM, but I'm not a Go developer (and unfortunately no time to learn).
This issue impacts the Trivy scan (#5748), since Trivy analyses the dependencies returned by this parser.
The issue can be reproduced with this example project: https://github.com/glelarge/trivy-maven-issue
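As an added illustration, not go-dep-parser's code nor the reporter's, here is a minimal model of dependencyManagement resolution that follows BOM imports recursively, built around the reported shape (project imports BOM A, which imports BOM B, which manages camunda-engine). All type names, the in-memory repository, the example coordinates and the versions are constructed for the example.

```go
package main

import "fmt"

// Dependency is one dependencyManagement entry (constructed model, not go-dep-parser's
// types); Scope "import" with Type "pom" marks a BOM import.
type Dependency struct {
	GroupID, ArtifactID, Version, Scope, Type string
}

// POM keeps only its id ("group:artifact:version") and its dependencyManagement.
type POM struct {
	ID         string
	Management []Dependency
}

// ResolveManaged flattens dependencyManagement through nested BOM imports: explicit
// entries win over imported ones, the first import wins among imports, and visited
// guards against BOM import cycles. Nested BOMs are the case the report says is missed.
func ResolveManaged(p POM, repo map[string]POM, visited map[string]bool) map[string]string {
	out := map[string]string{}
	if visited[p.ID] {
		return out
	}
	visited[p.ID] = true
	for _, d := range p.Management {
		key := d.GroupID + ":" + d.ArtifactID
		if d.Scope == "import" && d.Type == "pom" {
			bom, ok := repo[key+":"+d.Version]
			if !ok {
				continue // BOM not in the repo: a real parser would report it here
			}
			for k, v := range ResolveManaged(bom, repo, visited) {
				if _, seen := out[k]; !seen {
					out[k] = v
				}
			}
			continue
		}
		out[key] = d.Version
	}
	return out
}

// ResolveReportedCase builds the reported shape (project imports BOM A, A imports
// BOM B, B manages camunda-engine) with constructed coordinates and versions.
func ResolveReportedCase() map[string]string {
	bomB := POM{ID: "example:bom-b:1", Management: []Dependency{{GroupID: "org.camunda.bpm", ArtifactID: "camunda-engine", Version: "0.0.0-constructed"}}}
	bomA := POM{ID: "example:bom-a:1", Management: []Dependency{{GroupID: "example", ArtifactID: "bom-b", Version: "1", Scope: "import", Type: "pom"}}}
	project := POM{ID: "example:app:1", Management: []Dependency{{GroupID: "example", ArtifactID: "bom-a", Version: "1", Scope: "import", Type: "pom"}}}
	return ResolveManaged(project, map[string]POM{bomA.ID: bomA, bomB.ID: bomB}, map[string]bool{})
}

func main() { fmt.Println(ResolveReportedCase()) }
```

Without the recursion into `bom` (i.e. stopping at one level of import), the camunda-engine entry managed by BOM B never reaches the project, which is the situation behind the "was not found" message.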