I guess multiple import bom is confusing trivy. The dependency is defined in com.fasterxml.jackson.jackson-bom and org.keycloak.keycloak-parent. 2.12.1 is defined in org.keycloak.keycloak-parent, while 2.13.2.2 is defined in com.fasterxml.jackson.jackson-bom.
For reference: The rootfs scanner of the built jar does not report the jackson-databind library, which is correct.
Description
Using the fs scanner to detect vulnerable libraries of the pom.xml leads to incorrect version detection and false-positive reports.
What did you expect to happen?
A report based on the correct detected dependency versions.
What happened instead?
A false-positive report based on the incorrect detected dependency versions.
Output of run with -debug:
Output of trivy -v:
Additional details (base image name, container registry info...):
Test with main branch of https://github.com/adorsys/keycloak-config-cli . For reporting this bug, I generated a minimal pom.xml of the project:
pom.xml
Trivy report:
maven output:
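To triage a report like this, compare the version the fs scanner printed against the version Maven actually resolves: when several import-scope BOMs manage the same artifact, Maven takes the version from the first BOM declared in dependencyManagement. The script below is an added example, not the reporter's pom.xml or Trivy's code; the BOM declaration order, the placeholder BOM versions and the per-BOM contents table are constructed for the example (the real BOMs manage far more artifacts), and the result can be cross-checked against `mvn help:effective-pom`.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed minimal pom.xml: two import-scope BOMs that both manage
# jackson-databind. Declaration order and BOM versions are assumptions.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1</version>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.fasterxml.jackson</groupId><artifactId>jackson-bom</artifactId>
      <version>JACKSON_BOM_VERSION_PLACEHOLDER</version><type>pom</type><scope>import</scope></dependency>
    <dependency><groupId>org.keycloak</groupId><artifactId>keycloak-parent</artifactId>
      <version>KEYCLOAK_PARENT_VERSION_PLACEHOLDER</version><type>pom</type><scope>import</scope></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId></dependency>
  </dependencies>
</project>"""

# Constructed stand-in for what each BOM manages, using the two versions from the report.
BOM_CONTENTS = {
    ("com.fasterxml.jackson", "jackson-bom"): {"com.fasterxml.jackson.core:jackson-databind": "2.13.2.2"},
    ("org.keycloak", "keycloak-parent"): {"com.fasterxml.jackson.core:jackson-databind": "2.12.1"},
}


def imported_boms(pom_xml):
    """Return (groupId, artifactId) of import-scope BOMs in declaration order."""
    root = ET.fromstring(pom_xml)
    boms = []
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        if dep.findtext("m:scope", namespaces=NS) == "import":
            boms.append((dep.findtext("m:groupId", namespaces=NS),
                         dep.findtext("m:artifactId", namespaces=NS)))
    return boms


def managed_version(pom_xml, bom_contents, coordinate):
    """Maven rule: the first imported BOM that manages the coordinate wins.

    Returns (version, bom) or (None, None) if no BOM manages it."""
    for bom in imported_boms(pom_xml):
        version = bom_contents.get(bom, {}).get(coordinate)
        if version is not None:
            return version, bom
    return None, None


if __name__ == "__main__":
    print(managed_version(POM_XML, BOM_CONTENTS, "com.fasterxml.jackson.core:jackson-databind"))
```

If a scanner reports 2.12.1 for this pom while Maven resolves 2.13.2.2, the finding is a false positive caused by the BOM ordering, not by the built artifact.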