aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

resolving org.fasterxml.jackson.core without adhering to jackson.version in properties #2010

Closed mrjonstrong closed 1 year ago

mrjonstrong commented 2 years ago

Description

org.fasterxml.jackson.core:jackson-annotations, org.fasterxml.jackson.core:jackson-core and org.fasterxml.jackson.core:jackson-databind are identified by trivy as version 2.13.0 (having come from org.springframework.cloud/spring-cloud-starter-config@3.1.0). However, in the pom.xml properties the jackson version is given as 2.13.2, and the maven tree (output below) shows them correctly as 2.13.2.

JSON Output of run with -debug:

2022-04-19T14:46:42.359+0100    DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-04-19T14:46:42.383+0100    DEBUG   cache dir:  /Users/mrjonstrong/Library/Caches/trivy
2022-04-19T14:46:42.384+0100    DEBUG   DB update was skipped because the local DB is the latest
2022-04-19T14:46:42.384+0100    DEBUG   DB Schema: 2, UpdatedAt: 2022-04-19 12:11:46.793914247 +0000 UTC, NextUpdate: 2022-04-19 18:11:46.793913847 +0000 UTC, DownloadedAt: 2022-04-19 13:18:54.915469 +0000 UTC
2022-04-19T14:46:42.385+0100    DEBUG   Vulnerability type:  [os library]
2022-04-19T14:47:27.581+0100    DEBUG   Resolving com.datastax.oss:java-driver-bom:4.6.1...
2022-04-19T14:47:27.582+0100    DEBUG   Resolving io.dropwizard.metrics:metrics-bom:4.1.17...
2022-04-19T14:47:27.583+0100    DEBUG   Resolving org.codehaus.groovy:groovy-bom:2.5.14...
2022-04-19T14:47:27.584+0100    DEBUG   Resolving com.fasterxml.jackson:jackson-bom:2.11.4...
2022-04-19T14:47:27.587+0100    DEBUG   Resolving org.glassfish.jersey:jersey-bom:2.30.1...
2022-04-19T14:47:27.589+0100    DEBUG   Resolving org.eclipse.jetty:jetty-bom:9.4.35.v20201120...
2022-04-19T14:47:27.610+0100    DEBUG   Resolving org.junit:junit-bom:5.6.3...
2022-04-19T14:47:27.611+0100    DEBUG   Resolving org.jetbrains.kotlin:kotlin-bom:1.3.72...
2022-04-19T14:47:27.612+0100    DEBUG   Resolving org.jetbrains.kotlinx:kotlinx-coroutines-bom:1.3.8...
2022-04-19T14:47:27.613+0100    DEBUG   Resolving org.apache.logging.log4j:log4j-bom:2.13.3...
2022-04-19T14:47:27.615+0100    DEBUG   Resolving io.micrometer:micrometer-bom:1.5.10...
2022-04-19T14:47:27.633+0100    DEBUG   Resolving io.netty:netty-bom:4.1.58.Final...
2022-04-19T14:47:36.910+0100    DEBUG   Resolving io.netty:netty-bom:4.1.58.Final...
2022-04-19T14:47:36.947+0100    DEBUG   Resolving io.r2dbc:r2dbc-bom:Arabba-SR8...
2022-04-19T14:47:36.964+0100    DEBUG   Resolving io.projectreactor:reactor-bom:Dysprosium-SR16...
2022-04-19T14:47:36.982+0100    DEBUG   Resolving io.rsocket:rsocket-bom:1.0.3...
2022-04-19T14:47:36.995+0100    DEBUG   Resolving org.springframework.data:spring-data-releasetrain:Neumann-SR6...
2022-04-19T14:47:37.048+0100    DEBUG   Resolving org.springframework:spring-framework-bom:5.2.12.RELEASE...
2022-04-19T14:47:37.067+0100    DEBUG   Resolving org.springframework.integration:spring-integration-bom:5.3.5.RELEASE...
2022-04-19T14:47:37.089+0100    DEBUG   Resolving org.springframework.security:spring-security-bom:5.3.6.RELEASE...
2022-04-19T14:47:37.109+0100    DEBUG   Resolving org.springframework.session:spring-session-bom:Dragonfruit-SR1...
2022-04-19T14:49:14.110+0100    DEBUG   Resolving com.datastax.oss:java-driver-bom:4.13.0...
2022-04-19T14:49:14.111+0100    DEBUG   Resolving io.dropwizard.metrics:metrics-bom:4.2.9...
2022-04-19T14:49:14.112+0100    DEBUG   Resolving org.codehaus.groovy:groovy-bom:3.0.10...
2022-04-19T14:49:14.114+0100    DEBUG   Resolving org.infinispan:infinispan-bom:12.1.11.Final...
2022-04-19T14:49:14.118+0100    DEBUG   Resolving com.fasterxml.jackson:jackson-bom:2.13.2.20220328...
2022-04-19T14:49:14.121+0100    DEBUG   Resolving org.glassfish.jersey:jersey-bom:2.35...
2022-04-19T14:49:14.123+0100    DEBUG   Resolving org.eclipse.jetty:jetty-bom:9.4.45.v20220203...
2022-04-19T14:49:14.125+0100    DEBUG   Resolving org.junit:junit-bom:5.8.2...
2022-04-19T14:49:14.125+0100    DEBUG   Resolving org.jetbrains.kotlin:kotlin-bom:1.6.10...
2022-04-19T14:49:14.126+0100    DEBUG   Resolving org.jetbrains.kotlinx:kotlinx-coroutines-bom:1.5.2...
2022-04-19T14:49:14.126+0100    DEBUG   Resolving org.apache.logging.log4j:log4j-bom:2.17.2...
2022-04-19T14:49:14.130+0100    DEBUG   Resolving io.micrometer:micrometer-bom:1.8.4...
2022-04-19T14:49:14.132+0100    DEBUG   Resolving io.netty:netty-bom:4.1.75.Final...
2022-04-19T14:49:14.133+0100    DEBUG   Resolving com.oracle.database.jdbc:ojdbc-bom:21.3.0.0...
2022-04-19T14:49:14.134+0100    DEBUG   Resolving io.prometheus:simpleclient_bom:0.12.0...
2022-04-19T14:49:14.135+0100    DEBUG   Resolving com.querydsl:querydsl-bom:5.0.0...
2022-04-19T14:49:14.136+0100    DEBUG   Resolving io.r2dbc:r2dbc-bom:Arabba-SR13...
2022-04-19T14:49:14.137+0100    DEBUG   Resolving io.projectreactor:reactor-bom:2020.0.17...
2022-04-19T14:49:14.138+0100    DEBUG   Resolving io.rsocket:rsocket-bom:1.1.1...
2022-04-19T14:49:14.138+0100    DEBUG   Resolving org.springframework.data:spring-data-bom:2021.1.3...
2022-04-19T14:49:14.139+0100    DEBUG   Resolving org.springframework:spring-framework-bom:5.3.18...
2022-04-19T14:49:14.140+0100    DEBUG   Resolving org.springframework.integration:spring-integration-bom:5.5.10...
2022-04-19T14:49:14.141+0100    DEBUG   Resolving org.springframework.security:spring-security-bom:5.6.2...
2022-04-19T14:49:14.141+0100    DEBUG   Resolving org.springframework.session:spring-session-bom:2021.1.2...
2022-04-19T14:49:14.143+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-dependencies:2021.0.0...
2022-04-19T14:49:14.144+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-commons-dependencies:3.1.0...
2022-04-19T14:49:14.145+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-netflix-dependencies:3.1.0...
2022-04-19T14:49:14.145+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-stream-dependencies:3.2.1...
2022-04-19T14:49:14.146+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-task-dependencies:2.4.0...
2022-04-19T14:49:14.147+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-circuitbreaker-dependencies:2.1.0...
2022-04-19T14:49:14.147+0100    DEBUG   Resolving io.github.resilience4j:resilience4j-bom:1.7.0...
2022-04-19T14:49:14.148+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-config-dependencies:3.1.0...
2022-04-19T14:49:14.148+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-function-dependencies:3.2.1...
2022-04-19T14:49:14.149+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-gateway-dependencies:3.1.0...
2022-04-19T14:49:14.150+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-consul-dependencies:3.1.0...
2022-04-19T14:49:14.151+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-sleuth-dependencies:3.1.0...
2022-04-19T14:49:14.151+0100    DEBUG   Resolving io.zipkin.brave:brave-bom:5.13.2...
2022-04-19T14:49:14.152+0100    DEBUG   Resolving io.zipkin.reporter2:zipkin-reporter-bom:2.16.1...
2022-04-19T14:49:14.153+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-vault-dependencies:3.1.0...
2022-04-19T14:49:14.154+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-zookeeper-dependencies:3.1.0...
2022-04-19T14:49:14.155+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-cloudfoundry-dependencies:3.1.0...
2022-04-19T14:49:14.157+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-bus-dependencies:3.1.0...
2022-04-19T14:49:14.158+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-contract-dependencies:3.1.0...
2022-04-19T14:49:14.160+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-openfeign-dependencies:3.1.0...
2022-04-19T14:49:14.161+0100    DEBUG   Resolving io.github.openfeign:feign-bom:11.7...
2022-04-19T14:49:14.162+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-kubernetes-dependencies:2.1.0...
2022-04-19T14:49:14.163+0100    DEBUG   Resolving io.fabric8:kubernetes-client-bom:5.9.0...
2022-04-19T14:49:14.165+0100    DEBUG   Resolving org.springframework.boot:spring-boot-starter-web:2.6.6...
2022-04-19T14:49:14.165+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-starter-config:3.1.0...
2022-04-19T14:49:14.168+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-build-dependencies:3.1.0...
2022-04-19T14:49:14.175+0100    DEBUG   Resolving io.dropwizard.metrics:metrics-bom:4.2.4...
2022-04-19T14:49:14.176+0100    DEBUG   Resolving org.codehaus.groovy:groovy-bom:3.0.9...
2022-04-19T14:49:14.178+0100    DEBUG   Resolving org.infinispan:infinispan-bom:12.1.7.Final...
2022-04-19T14:49:14.181+0100    DEBUG   Resolving com.fasterxml.jackson:jackson-bom:2.13.0...
2022-04-19T14:49:14.182+0100    DEBUG   Resolving org.eclipse.jetty:jetty-bom:9.4.44.v20210927...
2022-04-19T14:49:14.184+0100    DEBUG   Resolving org.junit:junit-bom:5.8.1...
2022-04-19T14:49:14.184+0100    DEBUG   Resolving org.jetbrains.kotlin:kotlin-bom:1.6.0...
2022-04-19T14:49:14.185+0100    DEBUG   Resolving org.apache.logging.log4j:log4j-bom:2.14.1...
2022-04-19T14:49:14.187+0100    DEBUG   Resolving io.micrometer:micrometer-bom:1.8.0...
2022-04-19T14:49:14.188+0100    DEBUG   Resolving io.netty:netty-bom:4.1.70.Final...
2022-04-19T14:49:14.189+0100    DEBUG   Resolving io.r2dbc:r2dbc-bom:Arabba-SR11...
2022-04-19T14:49:14.190+0100    DEBUG   Resolving io.projectreactor:reactor-bom:2020.0.13...
2022-04-19T14:49:14.191+0100    DEBUG   Resolving org.springframework.data:spring-data-bom:2021.1.0...
2022-04-19T14:49:14.192+0100    DEBUG   Resolving org.springframework:spring-framework-bom:5.3.13...
2022-04-19T14:49:14.193+0100    DEBUG   Resolving org.springframework.integration:spring-integration-bom:5.5.6...
2022-04-19T14:49:14.194+0100    DEBUG   Resolving org.springframework.security:spring-security-bom:5.6.0...
2022-04-19T14:49:14.194+0100    DEBUG   Resolving org.springframework.session:spring-session-bom:2021.1.0...
2022-04-19T14:49:14.196+0100    DEBUG   Resolving org.springframework.boot:spring-boot-autoconfigure:2.6.6...
2022-04-19T14:49:14.196+0100    DEBUG   Resolving org.springframework.boot:spring-boot-starter-actuator:2.6.6...
2022-04-19T14:49:14.196+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-starter-bootstrap:3.1.0...
2022-04-19T14:49:14.198+0100    DEBUG   Resolving commons-io:commons-io:2.11.0...
2022-04-19T14:49:14.202+0100    DEBUG   Resolving org.junit:junit-bom:5.7.2...
2022-04-19T14:49:14.203+0100    DEBUG   Resolving org.springframework.boot:spring-boot-starter:2.6.6...
2022-04-19T14:49:14.203+0100    DEBUG   Resolving org.springframework.boot:spring-boot-starter-json:2.6.6...
2022-04-19T14:49:14.204+0100    DEBUG   Resolving org.springframework.boot:spring-boot-starter-tomcat:2.6.6...
2022-04-19T14:49:14.204+0100    DEBUG   Resolving org.springframework:spring-web:5.3.18...
2022-04-19T14:49:14.204+0100    DEBUG   Resolving org.springframework:spring-webmvc:5.3.18...
2022-04-19T14:49:14.205+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-starter:3.1.0...
2022-04-19T14:49:14.206+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-config-client:3.1.0...
2022-04-19T14:49:14.207+0100    DEBUG   Resolving com.fasterxml.jackson.core:jackson-databind:2.13.0...
2022-04-19T14:49:14.254+0100    DEBUG   Resolving org.springframework.boot:spring-boot:2.6.6...
2022-04-19T14:49:14.255+0100    DEBUG   Resolving org.springframework.boot:spring-boot-actuator-autoconfigure:2.6.6...
2022-04-19T14:49:14.255+0100    DEBUG   Resolving io.micrometer:micrometer-core:1.8.4...
2022-04-19T14:49:14.256+0100    DEBUG   Resolving org.springframework.boot:spring-boot-starter-logging:2.6.6...
2022-04-19T14:49:14.256+0100    DEBUG   Resolving jakarta.annotation:jakarta.annotation-api:1.3.5...
2022-04-19T14:49:14.258+0100    DEBUG   Resolving org.springframework:spring-core:5.3.18...
2022-04-19T14:49:14.258+0100    DEBUG   Resolving org.yaml:snakeyaml:1.29...
2022-04-19T14:49:14.259+0100    DEBUG   Resolving com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.13.2...
2022-04-19T14:49:14.264+0100    DEBUG   Resolving com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.13.2...
2022-04-19T14:49:14.265+0100    DEBUG   Resolving com.fasterxml.jackson.module:jackson-module-parameter-names:2.13.2...
2022-04-19T14:49:14.266+0100    DEBUG   Resolving org.apache.tomcat.embed:tomcat-embed-core:9.0.60...
2022-04-19T14:49:14.266+0100    DEBUG   Resolving org.apache.tomcat.embed:tomcat-embed-el:9.0.60...
2022-04-19T14:49:14.266+0100    DEBUG   Resolving org.apache.tomcat.embed:tomcat-embed-websocket:9.0.60...
2022-04-19T14:49:14.267+0100    DEBUG   Resolving org.springframework:spring-beans:5.3.18...
2022-04-19T14:49:14.267+0100    DEBUG   Resolving org.springframework:spring-aop:5.3.18...
2022-04-19T14:49:14.267+0100    DEBUG   Resolving org.springframework:spring-context:5.3.18...
2022-04-19T14:49:14.268+0100    DEBUG   Resolving org.springframework:spring-expression:5.3.18...
2022-04-19T14:49:14.268+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-context:3.1.0...
2022-04-19T14:49:14.269+0100    DEBUG   Resolving org.springframework.cloud:spring-cloud-commons:3.1.0...
2022-04-19T14:49:14.271+0100    DEBUG   Resolving org.springframework.security:spring-security-rsa:1.0.10.RELEASE...
2022-04-19T14:49:14.271+0100    DEBUG   Resolving com.fasterxml.jackson.core:jackson-annotations:2.13.0...
2022-04-19T14:49:14.294+0100    DEBUG   Resolving org.apache.httpcomponents:httpclient:4.5.13...
2022-04-19T14:49:14.300+0100    DEBUG   Resolving com.fasterxml.jackson.core:jackson-core:2.13.0...
2022-04-19T14:49:14.324+0100    DEBUG   Resolving org.springframework.boot:spring-boot-actuator:2.6.6...
2022-04-19T14:49:14.325+0100    DEBUG   Resolving org.hdrhistogram:HdrHistogram:2.1.12...
2022-04-19T14:49:14.326+0100    DEBUG   Resolving ch.qos.logback:logback-classic:1.2.11...
2022-04-19T14:49:14.328+0100    DEBUG   Resolving org.apache.logging.log4j:log4j-to-slf4j:2.17.2...
2022-04-19T14:49:14.333+0100    DEBUG   Resolving org.slf4j:jul-to-slf4j:1.7.36...
2022-04-19T14:49:14.334+0100    DEBUG   Resolving org.springframework:spring-jcl:5.3.18...
2022-04-19T14:49:14.335+0100    DEBUG   Resolving org.bouncycastle:bcpkix-jdk15on:1.68...
2022-04-19T14:49:14.335+0100    DEBUG   Resolving org.apache.httpcomponents:httpcore:4.4.13...
2022-04-19T14:49:14.337+0100    DEBUG   Resolving commons-codec:commons-codec:1.11...
2022-04-19T14:49:14.341+0100    DEBUG   Resolving ch.qos.logback:logback-core:1.2.11...
2022-04-19T14:49:14.341+0100    DEBUG   Resolving org.slf4j:slf4j-api:1.7.32...
2022-04-19T14:49:14.376+0100    DEBUG   Resolving org.bouncycastle:bcprov-jdk15on:1.68...
2022-04-19T14:49:14.404+0100    DEBUG   OS is not detected.
2022-04-19T14:49:14.404+0100    DEBUG   Detected OS: unknown
2022-04-19T14:49:14.404+0100    INFO    Number of language-specific files: 1
2022-04-19T14:49:14.404+0100    INFO    Detecting pom vulnerabilities...
2022-04-19T14:49:14.404+0100    DEBUG   Detecting library vulnerabilities, type: pom, path: pom.xml
{
  "SchemaVersion": 2,
  "ArtifactName": ".",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "pom.xml",
      "Class": "lang-pkgs",
      "Type": "pom",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2020-36518",
          "PkgName": "com.fasterxml.jackson.core:jackson-databind",
          "InstalledVersion": "2.13.0",
          "FixedVersion": "2.12.6.1, 2.13.2.1",
          "Layer": {},
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-36518",
          "DataSource": {
            "ID": "glad",
            "Name": "GitLab Advisory Database Community",
            "URL": "https://gitlab.com/gitlab-org/advisories-community"
          },
          "Title": "jackson-databind: denial of service via a large depth of nested objects",
          "Description": "jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-787"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V2Score": 5,
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2020-36518",
            "https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b",
            "https://github.com/FasterXML/jackson-databind/issues/2816",
            "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12",
            "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13",
            "https://github.com/advisories/GHSA-57j2-w4cx-62h2",
            "https://nvd.nist.gov/vuln/detail/CVE-2020-36518"
          ],
          "PublishedDate": "2022-03-11T07:15:00Z",
          "LastModifiedDate": "2022-03-30T16:36:00Z"
        }
      ]
    }
  ]
}

Output of trivy -v:

Version: 0.26.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-04-19 12:11:46.793914247 +0000 UTC
  NextUpdate: 2022-04-19 18:11:46.793913847 +0000 UTC
  DownloadedAt: 2022-04-19 13:18:54.915469 +0000 UTC

Additional details (base image name, container registry info...):

Maven tree with correct versions showing:

[INFO] | +- org.springframework.boot:spring-boot-starter-json:jar:2.6.6:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.2:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.2:compile
[INFO] | | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.2:compile
[INFO] | +- org.springframework.cloud:spring-cloud-config-client:jar:3.1.0:compile
[INFO] | | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile
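A practical way to catch this class of scanner error is to cross-check the versions Trivy reports against what the build actually resolves. The script below is an added example (not Trivy project code): it parses `mvn dependency:tree` output and Trivy's JSON report, joins them on `groupId:artifactId`, and lists every package where the two versions disagree. The two inputs are constructed from the report above, trimmed to the relevant entries; `TRIVY_JSON`, `MVN_TREE` and the function names are this example's own.

```python
"""Cross-check Trivy's InstalledVersion against `mvn dependency:tree`.

Added example, not part of the Trivy project. Both inputs below are
constructed from the issue report (trimmed to the relevant entries).
"""
import json

# Constructed: the relevant part of the Trivy JSON report from the issue.
TRIVY_JSON = """
{
  "Results": [
    {
      "Target": "pom.xml",
      "Class": "lang-pkgs",
      "Type": "pom",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2020-36518",
          "PkgName": "com.fasterxml.jackson.core:jackson-databind",
          "InstalledVersion": "2.13.0",
          "FixedVersion": "2.12.6.1, 2.13.2.1"
        }
      ]
    }
  ]
}
"""

# Constructed: `mvn dependency:tree` lines as pasted in the issue.
MVN_TREE = """\
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.6.6:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.2:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.2:compile
[INFO] |  |  \\- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.2:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-config-client:jar:3.1.0:compile
[INFO] |  |  \\- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
[INFO] |     \\- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile
"""


def parse_mvn_tree(text):
    """Map groupId:artifactId -> version from dependency:tree output.

    Coordinate lines look like g:a:type[:classifier]:version:scope, so the
    version is always the second-to-last colon-separated field.
    """
    versions = {}
    for line in text.splitlines():
        # Drop the log prefix and the tree-drawing characters.
        line = line.replace("[INFO]", "", 1).strip(" |+\\-")
        parts = line.split(":")
        if len(parts) < 5:
            continue  # plugin banner, project root line, or blank line
        group, artifact = parts[0], parts[1]
        versions[f"{group}:{artifact}"] = parts[-2]
    return versions


def parse_trivy(json_text):
    """Map PkgName -> InstalledVersion for every language package Trivy reports."""
    data = json.loads(json_text)
    found = {}
    for result in data.get("Results", []):
        if result.get("Class") != "lang-pkgs":
            continue
        # "Vulnerabilities" is absent when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            found[vuln["PkgName"]] = vuln["InstalledVersion"]
        # With --list-all-pkgs Trivy also emits every package it saw.
        for pkg in result.get("Packages") or []:
            found.setdefault(pkg["Name"], pkg["Version"])
    return found


def find_mismatches(trivy_versions, tree_versions):
    """Return {package: (version Trivy reported, version the build resolved)}."""
    mismatches = {}
    for pkg, trivy_ver in trivy_versions.items():
        build_ver = tree_versions.get(pkg)
        if build_ver is not None and build_ver != trivy_ver:
            mismatches[pkg] = (trivy_ver, build_ver)
    return mismatches


if __name__ == "__main__":
    report = find_mismatches(parse_trivy(TRIVY_JSON), parse_mvn_tree(MVN_TREE))
    for pkg, (seen, built) in report.items():
        print(f"{pkg}: trivy reports {seen}, build resolves {built}")
```

A mismatch where Trivy's version is older than the build's (as here) is a candidate false positive; the opposite direction would be a potential false negative and is the more dangerous case, so both are worth surfacing rather than just suppressing the finding.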

afdesk commented 2 years ago

@mrjonstrong thanks for your report! Your log contains com.fasterxml.jackson.core:jackson-databind:2.13.0. It seems this package has a problematic dependency:

2022-04-19T14:49:14.207+0100    DEBUG   Resolving com.fasterxml.jackson.core:jackson-databind:2.13.0...
...
        {
          "VulnerabilityID": "CVE-2020-36518",
          "PkgName": "com.fasterxml.jackson.core:jackson-databind",
          "InstalledVersion": "2.13.0",
          "FixedVersion": "2.12.6.1, 2.13.2.1",
...
ctrung commented 2 years ago

Hi, I have a similar behaviour.

After looping through all my dependencies, I found out that ehcache-2.10.9.2.jar is the culprit. It embeds third party libraries and Trivy seems to be pulling the data from rest-management-private-classpath/META-INF/maven/**/pom.xml files.

If feasible, #1912 might show the "full embedded path" of the dependency? E.g. in the JSON file, something like "PkgPath": "foo/bar/xxx.jar/baz/.../yyy.jar" would allow us to filter it with OPA.

Update on ehcache: version 3.x already has a patch for the next version: https://github.com/ehcache/ehcache3/pull/3006 People have asked for ehcache 2.x but not sure if this will be backported -> https://groups.google.com/g/ehcache-users/c/oU3gcjkVBts

$ trivy --version
Version: 0.25.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-04-19 12:11:46.793914247 +0000 UTC
  NextUpdate: 2022-04-19 18:11:46.793913847 +0000 UTC
  DownloadedAt: 2022-04-19 14:45:33.796876269 +0000 UTC

$ trivy --debug rootfs ehcache-2.10.9.2.jar
ehcache-2.10.9.2.jar
2022-04-19T18:52:17.797+0200    DEBUG  Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-04-19T18:52:17.797+0200    DEBUG  cache dir:  /home/ctrung/.cache/trivy
2022-04-19T18:52:17.797+0200    DEBUG  DB update was skipped because the local DB is the latest
2022-04-19T18:52:17.797+0200    DEBUG  DB Schema: 2, UpdatedAt: 2022-04-19 12:11:46.793914247 +0000 UTC, NextUpdate: 2022-04-19 18:11:46.793913847 +0000 UTC, DownloadedAt: 2022-04-19 14:45:33.796876269 +0000 UTC
2022-04-19T18:52:17.797+0200    DEBUG  Vulnerability type:  [os library]
2022-04-19T18:52:17.797+0200    DEBUG  Parsing Java artifacts...   {"file": "ehcache-2.10.9.2.jar"}
2022-04-19T18:52:17.803+0200    DEBUG  Parsing Java artifacts...   {"file": "net/sf/ehcache/pool/sizeof/sizeof-agent.jar"}
2022-04-19T18:52:18.168+0200    DEBUG  No such POM in the central repositories {"file": "sizeof-agent.jar"}
2022-04-19T18:52:18.170+0200    DEBUG  OS is not detected and vulnerabilities in OS packages are not detected.
2022-04-19T18:52:18.170+0200    DEBUG  Detected OS: unknown
2022-04-19T18:52:18.170+0200    INFO   Number of language-specific files: 1
2022-04-19T18:52:18.170+0200    INFO   Detecting jar vulnerabilities...
2022-04-19T18:52:18.170+0200    DEBUG  Detecting library vulnerabilities, type: jar, path: 

Java (jar)
==========
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
|                   LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                 TITLE                 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518   | HIGH     | 2.11.1            | 2.12.6.1, 2.13.2.1             | jackson-databind: denial of service   |
|                                             |                  |          |                   |                                | via a large depth of nested objects   |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-36518 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| org.eclipse.jetty:jetty-server              | CVE-2021-34428   | LOW      | 9.4.39.v20210325  | 9.4.40.v20210413, 10.0.3,      | jetty: SessionListener can            |
|                                             |                  |          |                   | 11.0.3                         | prevent a session from being          |
|                                             |                  |          |                   |                                | invalidated breaking logout           |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-34428 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| org.glassfish.jersey.core:jersey-common     | CVE-2021-28168   | MEDIUM   |              2.31 | 2.34, 3.0.2                    | jersey: Local information disclosure  |
|                                             |                  |          |                   |                                | via system temporary directory        |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-28168 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
mrjonstrong commented 2 years ago

Thanks @afdesk but I think I didn't explain it well.

trivy is misidentifying it as a different version; as you pointed out, the installed version trivy thinks is com.fasterxml.jackson.core:jackson-databind:2.13.0

But as per the maven tree I'm using com.fasterxml.jackson.core:jackson-databind:2.13.2:

[INFO] | \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile

If it helps I can share the pom.xml it is scanning, but here is a bit:

<jackson.version>2.13.2</jackson.version>
<jackson-bom.version>${jackson.version}</jackson-bom.version>

mrjonstrong commented 2 years ago

Thanks @ctrung

I'm not sure if it is the same thing or not; your example was a rootfs scan, whereas mine is a filesystem scan reading the pom.xml. When building I thought maven would pick only one version of jackson-databind and pick the one declared in the properties.

I tried the same scan with version 0.23.0 of trivy and got the expected result of it only picking up com.fasterxml.jackson.core:jackson-databind:2.13.2, so I wondered what might have changed in between versions.

I noticed https://github.com/aquasecurity/trivy/pull/1959 but thought that might have helped.

javixeneize commented 2 years ago

@afdesk @knqyf263 I'm having the same issue. Looks like trivy is not resolving the right dependency version. It might be related to #1728, as it might be picking the wrong version of the dependency?

mrjonstrong commented 2 years ago

If it helps here is the pom:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

<modelVersion>4.0.0</modelVersion>
<groupId>your.group.id</groupId>
<artifactId>your-artifact-id</artifactId>
<version>your-version</version>

<packaging>jar</packaging>

<name>hello-world</name>

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.6</version>
       <relativePath/>
</parent>

<properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <java.version>11</java.version>
    <maven.compiler.plugin.version>2.3.2</maven.compiler.plugin.version>
    <maven.resources.plugin.version>2.6</maven.resources.plugin.version>
    <maven.dependency.plugin.version>2.8</maven.dependency.plugin.version>
    <maven.deploy.plugin.version>2.7</maven.deploy.plugin.version>
    <maven.compiler.source>11</maven.compiler.source>
    <maven.compiler.target>11</maven.compiler.target>
    <maven.release.plugin.version>2.5.3</maven.release.plugin.version>
    <maven.test.skip>false</maven.test.skip>
    <jackson.version>2.13.2</jackson.version>
    <jackson-bom.version>${jackson.version}</jackson-bom.version>
    <jacoco.version>0.8.6</jacoco.version>
    <env.BUILD_NUMBER>0</env.BUILD_NUMBER>
    <argLine/>
</properties>

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>2021.0.0</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-config</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-autoconfigure</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-bootstrap</artifactId>
    </dependency>
    <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.11.0</version>
    </dependency>
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
        <version>1.18.22</version>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <version>2.6.5</version>
        <scope>test</scope>
    </dependency>
</dependencies>

</project>
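The pom above pins Jackson through two chained properties (`jackson-bom.version` → `${jackson.version}` → `2.13.2`) that override the defaults inherited from `spring-boot-starter-parent`. The script below is an added example (not Trivy or Maven code) showing how the effective POM resolves that: child `<properties>` win over the parent's, and the merged map is used to interpolate version expressions in the parent's inherited `dependencyManagement`. `POM_XML` is trimmed from the posted pom; `PARENT_PROPERTIES` and `PARENT_MANAGED` are constructed stand-ins for what the parent chain contributes, with a placeholder default rather than the real value.

```python
"""Resolve Maven property references the way the effective POM does.

Added example, not Trivy or Maven code. Child <properties> override
inherited ones, and version expressions from the parent's
dependencyManagement are interpolated with the merged result.
"""
import re
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"

# Trimmed from the pom.xml posted in the issue.
POM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.6</version>
  </parent>
  <properties>
    <java.version>11</java.version>
    <jackson.version>2.13.2</jackson.version>
    <jackson-bom.version>${jackson.version}</jackson-bom.version>
  </properties>
</project>
"""

# Constructed stand-ins for the inherited parent chain. The real parent
# declares its own jackson-bom.version default; the value here is a
# placeholder so the override is visible in the output.
PARENT_PROPERTIES = {"jackson-bom.version": "PARENT-DEFAULT-PLACEHOLDER"}
PARENT_MANAGED = {
    "com.fasterxml.jackson.core:jackson-databind": "${jackson-bom.version}",
}

PROP_RE = re.compile(r"\$\{([^}]+)\}")


def child_properties(pom_xml):
    """Read <properties> from the child POM as a plain dict."""
    root = ET.fromstring(pom_xml.encode("utf-8"))
    props = root.find(f"{NS}properties")
    if props is None:
        return {}
    return {el.tag.replace(NS, ""): (el.text or "").strip() for el in props}


def effective_properties(parent, child):
    """Merge inherited and local properties; the child wins on conflict."""
    merged = dict(parent)
    merged.update(child)
    return merged


def interpolate(value, props, _seen=()):
    """Expand ${...} references recursively, leaving unknown keys literal."""
    def sub(match):
        key = match.group(1)
        if key in _seen:
            raise ValueError(f"cyclic property reference: {key}")
        if key not in props:
            return match.group(0)  # Maven leaves unresolved refs as-is
        return interpolate(props[key], props, _seen + (key,))
    return PROP_RE.sub(sub, value)


def managed_versions(pom_xml, parent_props, parent_managed):
    """Effective versions for dependencies managed by the parent."""
    props = effective_properties(parent_props, child_properties(pom_xml))
    return {ga: interpolate(expr, props) for ga, expr in parent_managed.items()}


if __name__ == "__main__":
    for ga, version in managed_versions(POM_XML, PARENT_PROPERTIES, PARENT_MANAGED).items():
        print(f"{ga} -> {version}")
```

This covers only versions inherited from a parent POM. Versions pulled in through a `<scope>import</scope>` BOM (such as `spring-cloud-dependencies` in this pom) are interpolated with the BOM's own properties, not the importer's, so a tool that reads the imported BOM's value for Jackson will see a different number than the build, which takes the parent-managed, property-overridden version first.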

github-actions[bot] commented 2 years ago

This issue is stale because it has been labeled with inactivity.

knqyf263 commented 1 year ago

In favor of #3986