Closed noorul closed 2 years ago
@noorul thanks for your report! I'll try to figure out this issue.
After looking at the code https://github.com/aquasecurity/go-dep-parser/blob/main/pkg/java/jar/parse.go#L110 and trying to go through the contents of the JAR file manually, it looks like there is no metadata that can be used to figure out which version of log4j is being shipped.
I filed an issue with newrelic https://github.com/newrelic/newrelic-java-agent/issues/612
@noorul What did you scan? `newrelic.jar` may not contain the dependent JAR files inside the JAR file. In that case, you have to scan the dependencies, not `newrelic.jar`. For example, a JAR file may be located like `/home/user/.m2/repository/log4j/log4j/x.x.x/log4j-x.x.x.jar`, not inside of `newrelic.jar`.
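To make the two points above concrete (a JAR that carries no Maven metadata cannot be assigned a library version, while a library JAR found on disk under `.m2` can), here is an added Python illustration of how a scanner typically identifies a JAR: it looks for `META-INF/maven/<groupId>/<artifactId>/pom.properties` first and falls back to the `name-version.jar` filename convention. This is not Trivy's or go-dep-parser's code; the two in-memory sample JARs, the `log4j-core` version string `2.14.1` and the `newrelic-agent-7.4.0.jar` filename are constructed for the example.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Optional

# Maven writes this file into every JAR it packages; it is the most reliable
# place to learn a JAR's coordinates without a database of class hashes.
POM_PROPERTIES_RE = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")

# Fallback: the <artifactId>-<version>.jar naming convention used in local
# repositories such as ~/.m2. The version must start with a digit.
FILENAME_RE = re.compile(
    r"^(?P<name>.+?)-(?P<version>\d[^-]*(?:-[A-Za-z0-9.]+)*)\.jar$"
)


@dataclass
class JarIdentity:
    group_id: Optional[str]
    artifact_id: str
    version: str
    source: str  # "pom.properties" or "filename"


def parse_properties(text: str) -> dict:
    """Minimal parser for Java .properties files (key=value, # comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def identify_jar(filename: str, data: bytes) -> Optional[JarIdentity]:
    """Return the library coordinates of a JAR, or None if nothing identifies it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if POM_PROPERTIES_RE.match(name):
                props = parse_properties(zf.read(name).decode("utf-8", "replace"))
                if all(k in props for k in ("artifactId", "version")):
                    return JarIdentity(
                        props.get("groupId"), props["artifactId"],
                        props["version"], "pom.properties",
                    )
    # No Maven metadata inside: the filename is the only remaining hint.
    m = FILENAME_RE.match(filename)
    if m:
        return JarIdentity(None, m.group("name"), m.group("version"), "filename")
    return None


def build_jar(entries: dict) -> bytes:
    """Build an in-memory JAR (a zip file) from {path: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a library JAR as Maven publishes it, with pom.properties.
LIBRARY_JAR = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
        "#Generated by Maven\n"
        "groupId=org.apache.logging.log4j\n"
        "artifactId=log4j-core\n"
        "version=2.14.1\n",
    "org/apache/logging/log4j/core/Logger.class": b"",
})

# Constructed sample: an agent JAR that repackages the same classes but ships
# no Maven metadata for them, so the bundled library is invisible to this check.
BUNDLED_AGENT_JAR = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "com/example/agent/Agent.class": b"",
    "org/apache/logging/log4j/core/Logger.class": b"",
})


if __name__ == "__main__":
    print(identify_jar("log4j-core-2.14.1.jar", LIBRARY_JAR))
    print(identify_jar("newrelic.jar", BUNDLED_AGENT_JAR))
    print(identify_jar("newrelic-agent-7.4.0.jar", BUNDLED_AGENT_JAR))
```

Running the script shows the three outcomes the thread describes: the library JAR is identified from its `pom.properties` regardless of filename, a repackaged JAR with a plain name yields nothing to match against an advisory, and a repackaged JAR with a versioned name is reported only as the agent itself, never as the library it bundles.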
Trivy doesn't support gradle files, so they will be ignored even though a build.gradle exists in the JAR file.
This issue is stale because it has been labeled with inactivity.
Description
What did you expect to happen?
Trivy should report CVE-2021-44228.
What happened instead?
It did not show any vulnerability.
Output of run with -debug:
Output of trivy -v:
Additional details (base image name, container registry info...):
Image:
Steps:
Output: