aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

pom.xml scanner finds wrong dependency versions #2430

Closed Bhaal22 closed 2 years ago

Bhaal22 commented 2 years ago

Description

While scanning my Java project, trivy detects wrong versions of certain dependencies, such as:

org.springframework.security:spring-security-core: 4.2.20.RELEASE
org.springframework.security:spring-security-web: 4.2.20.RELEASE
org.springframework:spring-beans: 4.3.30.RELEASE
org.springframework:spring-core: 4.3.30.RELEASE

But

john@sophia$ mvn compile dependency:tree | grep spring-security-core
[INFO] |  +- org.springframework.security:spring-security-core:jar:5.7.1:compile

or

john@sophia$ mvn compile dependency:tree | grep spring-security-web
[INFO] |  +- org.springframework.security:spring-security-web:jar:5.7.1:compile

What did you expect to happen?

I expect trivy to look for the right versions.

What happened instead?

Trivy triggers false positive reports because it detects the wrong versions.

Output of run with -debug:

2022-06-30T14:11:59.248+0200    DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-06-30T14:11:59.293+0200    DEBUG   cache dir:  /Users/john/Library/Caches/trivy
2022-06-30T14:11:59.293+0200    INFO    Need to update DB
2022-06-30T14:11:59.293+0200    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2022-06-30T14:11:59.293+0200    INFO    Downloading DB...
32.83 MiB / 32.83 MiB [------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 22.74 MiB p/s 1.6s
2022-06-30T14:12:02.328+0200    DEBUG   Updating database metadata...
2022-06-30T14:12:02.328+0200    DEBUG   DB Schema: 2, UpdatedAt: 2022-06-30 12:06:32.283426777 +0000 UTC, NextUpdate: 2022-06-30 18:06:32.283426377 +0000 UTC, DownloadedAt: 2022-06-30 12:12:02.328067 +0000 UTC
2022-06-30T14:12:02.328+0200    INFO    Vulnerability scanning is enabled
2022-06-30T14:12:02.328+0200    DEBUG   Vulnerability type:  [os library]
2022-06-30T14:12:02.328+0200    INFO    Secret scanning is enabled
2022-06-30T14:12:02.328+0200    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-06-30T14:12:02.328+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.29.2/docs/secret/scanning/#recommendation for faster secret detection
2022-06-30T14:12:02.328+0200    DEBUG   No secret config detected: trivy-secret.yaml
2022-06-30T14:12:02.349+0200    DEBUG   Resolving com.datastax.oss:java-driver-bom:4.14.1...
2022-06-30T14:12:02.355+0200    DEBUG   Resolving io.dropwizard.metrics:metrics-bom:4.2.9...
2022-06-30T14:12:02.357+0200    DEBUG   Resolving org.codehaus.groovy:groovy-bom:3.0.10...
2022-06-30T14:12:02.359+0200    DEBUG   Resolving org.infinispan:infinispan-bom:13.0.10.Final...
2022-06-30T14:12:02.364+0200    DEBUG   Resolving com.fasterxml.jackson:jackson-bom:2.13.3...
2022-06-30T14:12:02.367+0200    DEBUG   Resolving org.glassfish.jersey:jersey-bom:2.35...
2022-06-30T14:12:02.370+0200    DEBUG   Resolving org.eclipse.jetty:jetty-bom:9.4.46.v20220331...
2022-06-30T14:12:02.372+0200    DEBUG   Resolving org.junit:junit-bom:5.8.2...
2022-06-30T14:12:02.372+0200    DEBUG   Resolving org.jetbrains.kotlin:kotlin-bom:1.6.21...
2022-06-30T14:12:02.374+0200    DEBUG   Resolving org.jetbrains.kotlinx:kotlinx-coroutines-bom:1.6.1...
2022-06-30T14:12:02.374+0200    DEBUG   Resolving org.apache.logging.log4j:log4j-bom:2.17.2...
2022-06-30T14:12:02.377+0200    DEBUG   Resolving io.micrometer:micrometer-bom:1.9.0...
2022-06-30T14:12:02.378+0200    DEBUG   Resolving org.mockito:mockito-bom:4.5.1...
2022-06-30T14:12:02.378+0200    DEBUG   Resolving io.netty:netty-bom:4.1.77.Final...
2022-06-30T14:12:02.383+0200    DEBUG   Resolving com.squareup.okhttp3:okhttp-bom:4.9.3...
2022-06-30T14:12:02.383+0200    DEBUG   Resolving com.oracle.database.jdbc:ojdbc-bom:21.5.0.0...
2022-06-30T14:12:02.384+0200    DEBUG   Resolving io.prometheus:simpleclient_bom:0.15.0...
2022-06-30T14:12:02.386+0200    DEBUG   Resolving com.querydsl:querydsl-bom:5.0.0...
2022-06-30T14:12:02.387+0200    DEBUG   Resolving io.r2dbc:r2dbc-bom:Borca-SR1...
2022-06-30T14:12:02.388+0200    DEBUG   Resolving io.projectreactor:reactor-bom:2020.0.19...
2022-06-30T14:12:02.388+0200    DEBUG   Resolving io.rsocket:rsocket-bom:1.1.2...
2022-06-30T14:12:02.389+0200    DEBUG   Resolving org.springframework.data:spring-data-bom:2021.2.0...
2022-06-30T14:12:02.390+0200    DEBUG   Resolving org.springframework:spring-framework-bom:5.3.20...
2022-06-30T14:12:02.390+0200    DEBUG   Resolving org.springframework.integration:spring-integration-bom:5.5.12...
2022-06-30T14:12:02.392+0200    DEBUG   Resolving org.springframework.security:spring-security-bom:5.7.1...
2022-06-30T14:12:02.392+0200    DEBUG   Resolving org.springframework.session:spring-session-bom:2021.2.0...
2022-06-30T14:12:02.394+0200    DEBUG   Resolving com.eposnow:service-framework:0.0.3...
2022-06-30T14:12:02.394+0200    DEBUG   Resolving com.eposnow:RiftDocumentTest:1.0.1...
2022-06-30T14:12:02.395+0200    DEBUG   Resolving org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE...
2022-06-30T14:12:02.397+0200    DEBUG   Resolving org.springframework.boot:spring-boot-starter:2.7.0...
2022-06-30T14:12:02.397+0200    DEBUG   Resolving org.springframework.boot:spring-boot-starter-web:2.7.0...
2022-06-30T14:12:02.398+0200    DEBUG   Resolving org.springdoc:springdoc-openapi-ui:1.6.9...
2022-06-30T14:12:02.401+0200    DEBUG   Resolving org.springframework:spring-beans:4.3.30.RELEASE...
2022-06-30T14:12:02.502+0200    DEBUG   Resolving org.springframework:spring-core:4.3.30.RELEASE...
2022-06-30T14:12:02.520+0200    DEBUG   Resolving org.springframework:spring-context:4.3.30.RELEASE...
2022-06-30T14:12:02.537+0200    DEBUG   Resolving org.springframework:spring-webmvc:4.3.30.RELEASE...
2022-06-30T14:12:02.556+0200    DEBUG   Resolving org.springframework.security:spring-security-core:4.2.20.RELEASE...
2022-06-30T14:12:02.575+0200    DEBUG   Resolving org.springframework:spring-framework-bom:4.3.30.RELEASE...
2022-06-30T14:12:02.593+0200    DEBUG   Resolving org.springframework.security:spring-security-config:4.2.20.RELEASE...
2022-06-30T14:12:02.614+0200    DEBUG   Resolving org.springframework.security:spring-security-web:4.2.20.RELEASE...
2022-06-30T14:12:02.632+0200    DEBUG   Resolving commons-codec:commons-codec:1.14...
2022-06-30T14:12:02.690+0200    DEBUG   Resolving org.springframework.boot:spring-boot:2.7.0...
2022-06-30T14:12:02.691+0200    DEBUG   Resolving org.springframework.boot:spring-boot-autoconfigure:2.7.0...
2022-06-30T14:12:02.691+0200    DEBUG   Resolving org.springframework.boot:spring-boot-starter-logging:2.7.0...
2022-06-30T14:12:02.691+0200    DEBUG   Resolving jakarta.annotation:jakarta.annotation-api:1.3.5...
2022-06-30T14:12:02.694+0200    DEBUG   Resolving org.yaml:snakeyaml:1.30...
2022-06-30T14:12:02.695+0200    DEBUG   Resolving org.springframework.boot:spring-boot-starter-json:2.7.0...
2022-06-30T14:12:02.696+0200    DEBUG   Resolving org.springframework.boot:spring-boot-starter-tomcat:2.7.0...
2022-06-30T14:12:02.696+0200    DEBUG   Resolving org.springframework:spring-web:5.3.20...
2022-06-30T14:12:02.697+0200    DEBUG   Resolving org.springdoc:springdoc-openapi-webmvc-core:2.7.0...
2022-06-30T14:12:02.712+0200    DEBUG   org.springdoc:springdoc-openapi-webmvc-core:2.7.0 was not found in local/remote repositories
2022-06-30T14:12:02.712+0200    DEBUG   Resolving org.webjars:swagger-ui:4.11.1...
2022-06-30T14:12:02.714+0200    DEBUG   Resolving org.webjars:webjars-locator-core:0.50...
2022-06-30T14:12:02.715+0200    DEBUG   Resolving commons-logging:commons-logging:1.2...
2022-06-30T14:12:02.720+0200    DEBUG   Resolving org.springframework:spring-aop:4.3.30.RELEASE...
2022-06-30T14:12:02.736+0200    DEBUG   Resolving org.springframework:spring-expression:4.3.30.RELEASE...
2022-06-30T14:12:02.752+0200    DEBUG   Resolving aopalliance:aopalliance:1.0...
2022-06-30T14:12:02.752+0200    DEBUG   Resolving ch.qos.logback:logback-classic:1.2.11...
2022-06-30T14:12:02.754+0200    DEBUG   Resolving org.apache.logging.log4j:log4j-to-slf4j:2.17.2...
2022-06-30T14:12:02.758+0200    DEBUG   Resolving org.slf4j:jul-to-slf4j:1.7.36...
2022-06-30T14:12:02.760+0200    DEBUG   Resolving com.fasterxml.jackson.core:jackson-databind:2.13.3...
2022-06-30T14:12:02.762+0200    DEBUG   Resolving com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.13.3...
2022-06-30T14:12:02.763+0200    DEBUG   Resolving com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.13.3...
2022-06-30T14:12:02.764+0200    DEBUG   Resolving com.fasterxml.jackson.module:jackson-module-parameter-names:2.13.3...
2022-06-30T14:12:02.765+0200    DEBUG   Resolving org.apache.tomcat.embed:tomcat-embed-core:9.0.63...
2022-06-30T14:12:02.765+0200    DEBUG   Resolving org.apache.tomcat.embed:tomcat-embed-el:9.0.63...
2022-06-30T14:12:02.766+0200    DEBUG   Resolving org.apache.tomcat.embed:tomcat-embed-websocket:9.0.63...
2022-06-30T14:12:02.766+0200    DEBUG   Resolving org.slf4j:slf4j-api:1.7.36...
2022-06-30T14:12:02.766+0200    DEBUG   Resolving com.fasterxml.jackson.core:jackson-core:2.13.1...
2022-06-30T14:12:02.821+0200    DEBUG   Resolving ch.qos.logback:logback-core:1.2.11...
2022-06-30T14:12:02.822+0200    DEBUG   Resolving com.fasterxml.jackson.core:jackson-annotations:2.13.3...
2022-06-30T14:12:02.876+0200    DEBUG   OS is not detected.
2022-06-30T14:12:02.876+0200    DEBUG   Detected OS: unknown
2022-06-30T14:12:02.876+0200    INFO    Number of language-specific files: 1
2022-06-30T14:12:02.876+0200    INFO    Detecting pom vulnerabilities...
2022-06-30T14:12:02.876+0200    DEBUG   Detecting library vulnerabilities, type: pom, path: pom.xml

Output of trivy -v:

Version: 0.29.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-06-30 12:06:32.283426777 +0000 UTC
  NextUpdate: 2022-06-30 18:06:32.283426377 +0000 UTC
  DownloadedAt: 2022-06-30 12:12:02.328067 +0000 UTC

Additional details (base image name, container registry info...):

I have the feeling this can be related to this closed PR: https://github.com/aquasecurity/trivy/issues/1943

Here is pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.company</groupId>
    <artifactId>project</artifactId>
    <version>0.0.1</version>
    <packaging>jar</packaging>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.0</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <name>project</name>
    <description>converter service</description>

    <properties>
        <java.version>1.8</java.version>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven.compiler.source>${java.version}</maven.compiler.source>
        <maven.compiler.target>${java.version}</maven.compiler.target>
        <spring.boot.version>2.7.0</spring.boot.version>
        <project.artifact.name>${project.artifactId}</project.artifact.name>
        <log4j2.version>2.17.0</log4j2.version>
        <logback.version>1.2.9</logback.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
            <version>2.5.2.RELEASE</version>
        </dependency>

        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.mockito</groupId>
            <artifactId>mockito-all</artifactId>
            <version>1.10.19</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <version>${spring.boot.version}</version>
            </plugin>
            <plugin>
                <groupId>pl.project13.maven</groupId>
                <artifactId>git-commit-id-plugin</artifactId>
                <version>2.2.4</version>
                <executions>
                    <execution>
                        <id>get-the-git-infos</id>
                        <goals>
                            <goal>revision</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <dotGitDirectory>${project.basedir}/.git</dotGitDirectory>
                    <prefix>git</prefix>
                    <verbose>false</verbose>
                    <generateGitPropertiesFile>true</generateGitPropertiesFile>
                    <generateGitPropertiesFilename>${project.build.outputDirectory}/git.properties</generateGitPropertiesFilename>
                    <format>json</format>
                    <gitDescribe>
                        <skip>false</skip>
                        <always>false</always>
                        <dirty>-dirty</dirty>
                    </gitDescribe>
                </configuration>
            </plugin>
        </plugins>
    </build>

</project>

DmitriyLewen commented 2 years ago

Hello @Bhaal22, thanks for your report!

I can reproduce your problem. I will investigate that and write you.

Regards, Dmitriy

Bhaal22 commented 2 years ago

Hi @DmitriyLewen,

If we remove

<parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.0</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

then trivy finds the right deps. But as soon as the parent is introduced, bringing in dependency updates, trivy does not recognize the right versions.

Thank you for your work,

John.
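The version flip described in this comment (and the BOM-import variant reported further down the thread, where spring-boot-dependencies is imported with scope import) follows from Maven's dependencyManagement rule: for a transitive dependency, a version managed by the root POM, whether inherited from a parent or imported from a BOM, replaces the version declared in the transitive dependency's own POM. The Python below is an added example, not Trivy's or Maven's code. It models that rule on POM contents constructed from the versions in the debug log above (the managing POM is a hand-written stand-in for what spring-boot-starter-parent 2.7.0 pulls in via spring-framework-bom 5.3.20 and spring-security-bom 5.7.1) and shows that ignoring managed versions yields exactly the 4.2.20.RELEASE / 4.3.30.RELEASE numbers Trivy reported, while honouring them yields the 5.7.1 / 5.3.20 that mvn dependency:tree shows.

```python
"""Simplified model of how Maven picks transitive dependency versions.

Added example, not Trivy or Maven code. Two rules are modelled:
  1. a direct dependency keeps the version it declares (or takes the
     managed one if it declares none);
  2. a transitive dependency takes the root POM's managed version when one
     exists, otherwise the version its own POM declares;
and the first decision for a group:artifact wins (breadth-first, i.e. the
"nearest" declaration). Real Maven also handles scopes, exclusions and
ranges, which are left out here.
"""
import xml.etree.ElementTree as ET
from collections import OrderedDict

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed stand-in for the dependencyManagement inherited from
# spring-boot-starter-parent:2.7.0 (versions as logged in the issue).
MANAGING_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement>
    <dependencies>
      <dependency><groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId><version>5.7.1</version></dependency>
      <dependency><groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId><version>5.7.1</version></dependency>
      <dependency><groupId>org.springframework</groupId>
        <artifactId>spring-core</artifactId><version>5.3.20</version></dependency>
      <dependency><groupId>org.springframework</groupId>
        <artifactId>spring-beans</artifactId><version>5.3.20</version></dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

# What each artifact's own POM declares, keyed by group:artifact:version.
# Constructed from the debug log above, not fetched from a repository.
POMS = {
    "org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE": [
        ("org.springframework.security:spring-security-core", "4.2.20.RELEASE"),
        ("org.springframework.security:spring-security-web", "4.2.20.RELEASE"),
        ("org.springframework:spring-beans", "4.3.30.RELEASE"),
    ],
    "org.springframework.security:spring-security-core:4.2.20.RELEASE": [
        ("org.springframework:spring-core", "4.3.30.RELEASE"),
    ],
    "org.springframework.security:spring-security-core:5.7.1": [
        ("org.springframework:spring-core", "5.3.20"),
    ],
    "org.springframework.security:spring-security-web:4.2.20.RELEASE": [],
    "org.springframework.security:spring-security-web:5.7.1": [],
    "org.springframework:spring-beans:4.3.30.RELEASE": [],
    "org.springframework:spring-beans:5.3.20": [],
    "org.springframework:spring-core:4.3.30.RELEASE": [],
    "org.springframework:spring-core:5.3.20": [],
}

# The reporter's only non-test compile dependency, with its explicit version.
ROOT_DEPS = [("org.springframework.security.oauth:spring-security-oauth2", "2.5.2.RELEASE")]


def managed_versions(pom_xml):
    """Return {group:artifact: version} from a POM's <dependencyManagement>."""
    root = ET.fromstring(pom_xml)
    managed = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        ga = "%s:%s" % (dep.findtext("m:groupId", namespaces=NS),
                        dep.findtext("m:artifactId", namespaces=NS))
        managed[ga] = dep.findtext("m:version", namespaces=NS)
    return managed


def resolve(root_deps, managed, poms):
    """Breadth-first walk applying the two rules described in the docstring."""
    resolved = OrderedDict()
    queue = [(ga, version, True) for ga, version in root_deps]
    while queue:
        ga, declared, direct = queue.pop(0)
        if ga in resolved:
            continue  # nearest declaration already decided this artifact
        version = (declared or managed.get(ga)) if direct else managed.get(ga, declared)
        resolved[ga] = version
        for child_ga, child_version in poms.get("%s:%s" % (ga, version), []):
            queue.append((child_ga, child_version, False))
    return dict(resolved)


def versions_ignoring_management():
    """What a scanner gets if it drops the inherited dependencyManagement."""
    return resolve(ROOT_DEPS, {}, POMS)


def versions_with_management():
    """What Maven itself resolves once the parent's management is applied."""
    return resolve(ROOT_DEPS, managed_versions(MANAGING_POM), POMS)


if __name__ == "__main__":
    wrong, right = versions_ignoring_management(), versions_with_management()
    for ga in right:
        print("%-60s trivy-like: %-16s maven: %s" % (ga, wrong.get(ga), right[ga]))
```

The practical check this suggests for any pom.xml finding: run `mvn dependency:tree` (or `dependency:list`) and compare the resolved version of the flagged artifact with the "Installed Version" column before triaging the CVE, since the scanner and the build can disagree exactly when a parent or imported BOM manages the version.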

Bhaal22 commented 2 years ago

Hi @DmitriyLewen, I just saw your PR. Thank you for your work. Do you have any idea when those changes can be included?

DmitriyLewen commented 2 years ago

Hello @Bhaal22, I can't promise, but we will try to include these changes in the next release.

Bhaal22 commented 2 years ago

Awesomeness!

zhanglc commented 2 years ago

The same issue, when using this:

<dependency>
      <!-- Import dependency management from Spring Boot -->
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <version>${spring.boot.version}</version>
      <type>pom</type>
      <scope>import</scope>
  </dependency>

and

            <dependency>
                <groupId>com.baomidou</groupId>
                <artifactId>mybatis-plus-boot-starter</artifactId>
                <version>${mybatis.plus.boot.starter.version}</version>
            </dependency>

trivy does not detect the right version.

DmitriyLewen commented 2 years ago

Hello @zhanglc, thanks for your information!

It looks like one dependency is placed in dependencyManagement. Can you specify which tags (dependencyManagement, dependencyManagement or Parent) contain your dependencies?

Regards, Dmitriy

zhanglc commented 2 years ago

@DmitriyLewen

Below is the minimal reproducible configuration:

.
 |-pom.xml
 |-application.yml
 |-trivy-secret.yaml

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.test</groupId>
    <artifactId>trivy-test</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>pom</packaging>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <!-- Import dependency management from Spring Boot -->
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-dependencies</artifactId>
                <version>2.5.14</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>

            <dependency>
                <groupId>com.baomidou</groupId>
                <artifactId>mybatis-plus-boot-starter</artifactId>
                <version>3.5.2</version>
            </dependency>
            <!-- https://mvnrepository.com/artifact/com.itextpdf/itextpdf -->
            <dependency>
                <groupId>com.itextpdf</groupId>
                <artifactId>itextpdf</artifactId>
                <version>5.5.13.3</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>com.baomidou</groupId>
            <artifactId>mybatis-plus-boot-starter</artifactId>
            <version>3.5.2</version>
        </dependency>
        <dependency>
            <groupId>com.itextpdf</groupId>
            <artifactId>itextpdf</artifactId>
            <version>5.5.13.3</version>
        </dependency>
    </dependencies>

</project>

application.yml

spring:
  datasource:
    dynamic:
      primary: main
      strict: true 
      datasource:
        iconnector:
          url: jdbc:postgresql://127.0.0.1:5432/standalone
          username: standalone
          password: test1234
          driver-class-name: org.postgresql.Driver

trivy-secret.yaml

rules:
  - id: rule1
    category: general
    title: Generic Rule
    severity: HIGH
    path: .*\.yml
    keywords:
      - password
    regex: (?i).*(?P<key>password)(=|:)\s(?P<password>[0-9a-zA-Z\-_=]{8,64})
    secret-group-name: secret
    allow-rules:
      - id: skip-pom
        description: skip pom files
        path: .*pom\.xml

trivy version:

Version: 0.30.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-08-10 00:11:08.466749127 +0000 UTC
  NextUpdate: 2022-08-10 06:11:08.466748727 +0000 UTC
  DownloadedAt: 2022-08-10 01:52:21.665513824 +0000 UTC

vuln check issue

The dependency does not match what Maven resolves.

It should be org.springframework.boot:spring-boot:jar:2.5.14:compile, but trivy detects it as 2.5.3 from the

            <dependency>
                <groupId>com.baomidou</groupId>
                <artifactId>mybatis-plus-boot-starter</artifactId>
                <version>3.5.2</version>
            </dependency>

mvn dependency:tree
[INFO] +- com.baomidou:mybatis-plus-boot-starter:jar:3.5.2:compile
[INFO] |  +- com.baomidou:mybatis-plus:jar:3.5.2:compile
[INFO] |  |  +- com.baomidou:mybatis-plus-extension:jar:3.5.2:compile
[INFO] |  |  |  +- com.baomidou:mybatis-plus-core:jar:3.5.2:compile
[INFO] |  |  |  |  +- com.baomidou:mybatis-plus-annotation:jar:3.5.2:compile
[INFO] |  |  |  |  +- com.github.jsqlparser:jsqlparser:jar:4.4:compile
[INFO] |  |  |  |  \- org.mybatis:mybatis:jar:3.5.10:compile
[INFO] |  |  |  \- org.mybatis:mybatis-spring:jar:2.0.7:compile
[INFO] |  |  \- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.5.32:compile
[INFO] |  |     +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.5.32:compile
[INFO] |  |     |  +- org.jetbrains:annotations:jar:13.0:compile
[INFO] |  |     |  \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.5.32:compile
[INFO] |  |     \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.5.32:compile
[INFO] |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.5.14:compile
[INFO] |  |  \- org.springframework.boot:spring-boot:jar:2.5.14:compile
[INFO] |  |     +- org.springframework:spring-core:jar:5.3.20:compile
[INFO] |  |     |  \- org.springframework:spring-jcl:jar:5.3.20:compile
[INFO] |  |     \- org.springframework:spring-context:jar:5.3.20:compile
[INFO] |  |        +- org.springframework:spring-aop:jar:5.3.20:compile
[INFO] |  |        \- org.springframework:spring-expression:jar:5.3.20:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-jdbc:jar:2.5.14:compile
[INFO] |     +- org.springframework.boot:spring-boot-starter:jar:2.5.14:compile
[INFO] |     |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.5.14:compile
[INFO] |     |  |  +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] |     |  |  |  \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] |     |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] |     |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] |     |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] |     |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |     |  \- org.yaml:snakeyaml:jar:1.28:compile
[INFO] |     +- com.zaxxer:HikariCP:jar:4.0.3:compile
[INFO] |     |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] |     \- org.springframework:spring-jdbc:jar:5.3.20:compile
[INFO] |        +- org.springframework:spring-beans:jar:5.3.20:compile
[INFO] |        \- org.springframework:spring-tx:jar:5.3.20:compile
[INFO] \- com.itextpdf:itextpdf:jar:5.5.13.3:compile

trivy fs --security-checks vuln .
2022-08-10T10:03:26.898+0800    INFO    Vulnerability scanning is enabled
2022-08-10T10:03:49.332+0800    INFO    Number of language-specific files: 1
2022-08-10T10:03:49.332+0800    INFO    Detecting pom vulnerabilities...

pom.xml (pom)

Total: 12 (UNKNOWN: 2, LOW: 0, MEDIUM: 8, HIGH: 0, CRITICAL: 2)

┌───────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│                Library                │    Vulnerability    │ Severity │ Installed Version │     Fixed Version      │                            Title                             │
├───────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ch.qos.logback:logback-core           │ CVE-2021-42550      │ MEDIUM   │ 1.2.4             │ 1.2.9                  │ logback: remote code execution through JNDI call from within │
│                                       │                     │          │                   │                        │ its configuration file...                                    │
│                                       │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-42550                   │
├───────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.boot:spring-boot  │ CVE-2022-22965      │ CRITICAL │ 2.5.3             │ 2.5.12, 2.6.6          │ spring-framework: RCE via Data Binding on JDK 9+             │
│                                       │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-22965                   │
├───────────────────────────────────────┤                     │          ├───────────────────┼────────────────────────┤                                                              │
│ org.springframework:spring-beans      │                     │          │ 5.3.9             │ 5.3.18, 5.2.20         │                                                              │
│                                       │                     │          │                   │                        │                                                              │
├───────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-beans      │ GHSA-36p3-wjmg-h94x │ UNKNOWN  │ 5.3.9             │ 5.2.20, 5.3.18         │ Improper Neutralization of Special Elements used in an OS    │
│                                       │                     │          │                   │                        │ Command ('OS Command...                                      │
│                                       │                     │          │                   │                        │ https://github.com/advisories/GHSA-36p3-wjmg-h94x            │
├───────────────────────────────────────┼─────────────────────┼──────────┤                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-core       │ CVE-2021-22060      │ MEDIUM   │                   │ 5.3.14, 5.3.14         │ springframework: Additional Log Injection in Spring          │
│                                       │                     │          │                   │                        │ Framework (follow-up to CVE-2021-22096)                      │
│                                       │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-22060                   │
│                                       ├─────────────────────┤          │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2021-22096      │          │                   │ 5.2.18, 5.3.11         │ springframework: malicious input leads to insertion of       │
│                                       │                     │          │                   │                        │ additional log entries                                       │
│                                       │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-22096                   │
│                                       ├─────────────────────┤          │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2022-22950      │          │                   │ 5.2.20.RELEASE, 5.3.17 │ spring-expression: Denial of service via specially crafted   │
│                                       │                     │          │                   │                        │ SpEL expression                                              │
│                                       │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-22950                   │
├───────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-core       │ CVE-2022-22968      │ MEDIUM   │ 5.3.9             │ 5.2.21, 5.3.19         │ Spring Framework: Data Binding Rules Vulnerability           │
│                                       │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-22968                   │
├───────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-core       │ CVE-2022-22970      │ MEDIUM   │ 5.3.9             │ 5.2.22.RELEASE, 5.3.20 │ springframework: DoS via data binding to multipartFile or    │
│                                       │                     │          │                   │                        │ servlet part                                                 │
│                                       │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-22970                   │
├───────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-core       │ CVE-2022-22971      │ MEDIUM   │ 5.3.9             │ 5.2.22.RELEASE, 5.3.20 │ springframework: DoS with STOMP over WebSocket               │
│                                       │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-22971                   │
├───────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-core       │ GHSA-36p3-wjmg-h94x │ UNKNOWN  │ 5.3.9             │ 5.2.20, 5.3.18         │ Improper Neutralization of Special Elements used in an OS    │
│                                       │                     │          │                   │                        │ Command ('OS Command...                                      │
│                                       │                     │          │                   │                        │ https://github.com/advisories/GHSA-36p3-wjmg-h94x            │
├───────────────────────────────────────┼─────────────────────┼──────────┤                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-expression │ CVE-2022-22950      │ MEDIUM   │                   │ 5.2.20, 5.3.16         │ spring-expression: Denial of service via specially crafted   │
│                                       │                     │          │                   │                        │ SpEL expression                                              │
│                                       │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-22950                   │
└───────────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘

secret check issue

We want to check that the password in application.yml is found by adding a rule in trivy-secret.yaml, but it is not found.

trivy filesystem --debug --security-checks secret .
2022-08-10T10:05:21.678+0800    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-08-10T10:05:21.681+0800    DEBUG   cache dir:  /home/z002sv7w/.cache/trivy
2022-08-10T10:05:21.681+0800    INFO    Secret scanning is enabled
2022-08-10T10:05:21.681+0800    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-08-10T10:05:21.681+0800    INFO    Please see also https://aquasecurity.github.io/trivy/0.30.4/docs/secret/scanning/#recommendation for faster secret detection
2022-08-10T10:05:21.681+0800    INFO    Loading trivy-secret.yaml for secret scanning...
2022-08-10T10:05:21.683+0800    DEBUG   Resolving org.springframework.boot:spring-boot-dependencies:2.5.14...
2022-08-10T10:05:23.015+0800    DEBUG   Resolving com.datastax.oss:java-driver-bom:4.11.3...
2022-08-10T10:05:23.225+0800    DEBUG   Resolving io.dropwizard.metrics:metrics-bom:4.1.31...
2022-08-10T10:05:23.637+0800    DEBUG   Resolving org.codehaus.groovy:groovy-bom:3.0.10...
2022-08-10T10:05:23.855+0800    DEBUG   Resolving org.infinispan:infinispan-bom:12.1.11.Final...
2022-08-10T10:05:24.668+0800    DEBUG   Resolving com.fasterxml.jackson:jackson-bom:2.12.6.20220326...
2022-08-10T10:05:25.297+0800    DEBUG   Resolving org.glassfish.jersey:jersey-bom:2.33...
2022-08-10T10:05:25.721+0800    DEBUG   Resolving org.eclipse.jetty:jetty-bom:9.4.46.v20220331...
2022-08-10T10:05:25.933+0800    DEBUG   Resolving org.junit:junit-bom:5.7.2...
2022-08-10T10:05:26.137+0800    DEBUG   Resolving org.jetbrains.kotlin:kotlin-bom:1.5.32...
2022-08-10T10:05:26.344+0800    DEBUG   Resolving org.jetbrains.kotlinx:kotlinx-coroutines-bom:1.5.2...
2022-08-10T10:05:26.548+0800    DEBUG   Resolving org.apache.logging.log4j:log4j-bom:2.17.2...
2022-08-10T10:05:27.164+0800    DEBUG   Resolving io.micrometer:micrometer-bom:1.7.12...
2022-08-10T10:05:27.367+0800    DEBUG   Resolving io.netty:netty-bom:4.1.77.Final...
2022-08-10T10:05:27.778+0800    DEBUG   Resolving com.oracle.database.jdbc:ojdbc-bom:21.1.0.0...
2022-08-10T10:05:27.987+0800    DEBUG   Resolving io.prometheus:simpleclient_bom:0.10.0...
2022-08-10T10:05:28.407+0800    DEBUG   Resolving io.r2dbc:r2dbc-bom:Arabba-SR13...
2022-08-10T10:05:28.610+0800    DEBUG   Resolving io.projectreactor:reactor-bom:2020.0.19...
2022-08-10T10:05:28.810+0800    DEBUG   Resolving io.rsocket:rsocket-bom:1.1.2...
2022-08-10T10:05:29.012+0800    DEBUG   Resolving org.springframework.data:spring-data-bom:2021.0.11...
2022-08-10T10:05:29.216+0800    DEBUG   Resolving org.springframework:spring-framework-bom:5.3.20...
2022-08-10T10:05:29.418+0800    DEBUG   Resolving org.springframework.integration:spring-integration-bom:5.5.12...
2022-08-10T10:05:29.637+0800    DEBUG   Resolving org.springframework.security:spring-security-bom:5.5.8...
2022-08-10T10:05:29.839+0800    DEBUG   Resolving org.springframework.session:spring-session-bom:2021.0.6...
2022-08-10T10:05:30.042+0800    DEBUG   Resolving com.baomidou:mybatis-plus-boot-starter:3.5.2...
2022-08-10T10:05:30.244+0800    DEBUG   Resolving org.springframework.boot:spring-boot-dependencies:2.5.3...
2022-08-10T10:05:30.687+0800    DEBUG   Resolving com.datastax.oss:java-driver-bom:4.11.2...
2022-08-10T10:05:30.886+0800    DEBUG   Resolving io.dropwizard.metrics:metrics-bom:4.1.25...
2022-08-10T10:05:31.299+0800    DEBUG   Resolving org.codehaus.groovy:groovy-bom:3.0.8...
2022-08-10T10:05:31.515+0800    DEBUG   Resolving org.infinispan:infinispan-bom:12.1.7.Final...
2022-08-10T10:05:31.935+0800    DEBUG   Resolving com.fasterxml.jackson:jackson-bom:2.12.4...
2022-08-10T10:05:32.145+0800    DEBUG   Resolving org.eclipse.jetty:jetty-bom:9.4.43.v20210629...
2022-08-10T10:05:32.358+0800    DEBUG   Resolving org.jetbrains.kotlin:kotlin-bom:1.5.21...
2022-08-10T10:05:32.561+0800    DEBUG   Resolving org.jetbrains.kotlinx:kotlinx-coroutines-bom:1.5.1...
2022-08-10T10:05:32.761+0800    DEBUG   Resolving org.apache.logging.log4j:log4j-bom:2.14.1...
2022-08-10T10:05:33.398+0800    DEBUG   Resolving io.micrometer:micrometer-bom:1.7.2...
2022-08-10T10:05:33.600+0800    DEBUG   Resolving io.netty:netty-bom:4.1.66.Final...
2022-08-10T10:05:33.804+0800    DEBUG   Resolving io.r2dbc:r2dbc-bom:Arabba-SR10...
2022-08-10T10:05:34.006+0800    DEBUG   Resolving io.projectreactor:reactor-bom:2020.0.9...
2022-08-10T10:05:34.220+0800    DEBUG   Resolving io.rsocket:rsocket-bom:1.1.1...
2022-08-10T10:05:34.422+0800    DEBUG   Resolving org.springframework.data:spring-data-bom:2021.0.3...
2022-08-10T10:05:34.626+0800    DEBUG   Resolving org.springframework:spring-framework-bom:5.3.9...
2022-08-10T10:05:34.836+0800    DEBUG   Resolving org.springframework.integration:spring-integration-bom:5.5.2...
2022-08-10T10:05:35.045+0800    DEBUG   Resolving org.springframework.security:spring-security-bom:5.5.1...
2022-08-10T10:05:35.248+0800    DEBUG   Resolving org.springframework.session:spring-session-bom:2021.0.1...
2022-08-10T10:05:35.448+0800    DEBUG   Resolving com.itextpdf:itextpdf:5.5.13.3...
2022-08-10T10:05:35.858+0800    DEBUG   Resolving com.baomidou:mybatis-plus:3.5.2...
2022-08-10T10:05:36.057+0800    DEBUG   Resolving org.springframework.boot:spring-boot-autoconfigure:2.5.3...
2022-08-10T10:05:36.268+0800    DEBUG   Resolving org.springframework.boot:spring-boot-starter-jdbc:2.5.3...
2022-08-10T10:05:36.467+0800    DEBUG   Resolving com.baomidou:mybatis-plus-extension:3.5.2...
2022-08-10T10:05:36.668+0800    DEBUG   Resolving org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.6.21...
2022-08-10T10:05:36.868+0800    DEBUG   Resolving org.springframework.boot:spring-boot:2.5.3...
2022-08-10T10:05:37.066+0800    DEBUG   Resolving org.springframework.boot:spring-boot-starter:2.5.3...
2022-08-10T10:05:37.266+0800    DEBUG   Resolving com.zaxxer:HikariCP:4.0.3...
2022-08-10T10:05:37.684+0800    DEBUG   Resolving org.springframework:spring-jdbc:5.3.9...
2022-08-10T10:05:37.884+0800    DEBUG   Resolving com.baomidou:mybatis-plus-core:3.5.2...
2022-08-10T10:05:38.085+0800    DEBUG   Resolving org.mybatis:mybatis-spring:2.0.7...
2022-08-10T10:05:38.526+0800    DEBUG   Resolving org.jetbrains.kotlin:kotlin-stdlib:1.6.21...
2022-08-10T10:05:38.724+0800    DEBUG   Resolving org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.6.21...
2022-08-10T10:05:38.922+0800    DEBUG   Resolving org.springframework:spring-core:5.3.9...
2022-08-10T10:05:39.122+0800    DEBUG   Resolving org.springframework:spring-context:5.3.9...
2022-08-10T10:05:39.346+0800    DEBUG   Resolving org.springframework.boot:spring-boot-starter-logging:2.5.3...
2022-08-10T10:05:39.547+0800    DEBUG   Resolving jakarta.annotation:jakarta.annotation-api:1.3.5...
2022-08-10T10:05:40.180+0800    DEBUG   Resolving org.yaml:snakeyaml:1.28...
2022-08-10T10:05:40.403+0800    DEBUG   Resolving org.slf4j:slf4j-api:1.7.30...
2022-08-10T10:05:40.809+0800    DEBUG   Resolving org.springframework:spring-beans:5.3.9...
2022-08-10T10:05:41.017+0800    DEBUG   Resolving org.springframework:spring-tx:5.3.9...
2022-08-10T10:05:41.215+0800    DEBUG   Resolving com.baomidou:mybatis-plus-annotation:3.5.2...
2022-08-10T10:05:41.415+0800    DEBUG   Resolving com.github.jsqlparser:jsqlparser:4.4...
2022-08-10T10:05:41.632+0800    DEBUG   Resolving org.mybatis:mybatis:3.5.10...
2022-08-10T10:05:42.074+0800    DEBUG   Resolving org.jetbrains.kotlin:kotlin-stdlib-common:1.6.21...
2022-08-10T10:05:42.273+0800    DEBUG   Resolving org.jetbrains:annotations:13.0...
2022-08-10T10:05:42.476+0800    DEBUG   Resolving org.springframework:spring-jcl:5.3.9...
2022-08-10T10:05:42.674+0800    DEBUG   Resolving org.springframework:spring-aop:5.3.9...
2022-08-10T10:05:42.880+0800    DEBUG   Resolving org.springframework:spring-expression:5.3.9...
2022-08-10T10:05:43.079+0800    DEBUG   Resolving ch.qos.logback:logback-classic:1.2.4...
2022-08-10T10:05:43.507+0800    DEBUG   Resolving org.apache.logging.log4j:log4j-to-slf4j:2.14.1...
2022-08-10T10:05:43.970+0800    DEBUG   Resolving org.slf4j:jul-to-slf4j:1.7.32...
2022-08-10T10:05:44.375+0800    DEBUG   Resolving ch.qos.logback:logback-core:1.2.4...
2022-08-10T10:05:44.580+0800    DEBUG   OS is not detected.

license check issue

The license check seems not to check the dependencies, just the source code? The lib is AGPL licensed:

        <dependency>
            <groupId>com.itextpdf</groupId>
            <artifactId>itextpdf</artifactId>
            <version>5.5.13.3</version>
        </dependency>

Or is it not suitable for a Java Maven project?

trivy filesystem --license-full .
DmitriyLewen commented 2 years ago

We want to check whether a password is in application.yml by adding a rule in trivy-secret.yaml, but it is not found.

You need to use the correct regex group name. In your case: secret-group-name: password.

Or is it not suitable for a Java Maven project?

Trivy doesn't currently support license lookups for Java files.

About vulnerability checking: I will check your information and write to you later.

Regards, Dmitriy
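The point in the reply above is that secret-group-name must name a capture group that actually exists in the rule's regex: Trivy matches with Go's regexp (RE2), so the group is declared as (?P<password>...) and the value of that group is what gets reported and redacted. The following is an added example, not Trivy's code and not from this thread: a small Go scanner with the same two rule fields, run over a constructed application.yml, that also shows what happens when the group name does not match (the rule compiles, but no secret can be extracted). The rule fields, the sample file and the scanning loop are all assumptions made for the example; only the regex / secret-group-name keys follow the documented trivy-secret.yaml format.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SecretRule holds the two fields of a custom trivy-secret.yaml rule that this
// example depends on. Constructed for the example; not Trivy's own types.
type SecretRule struct {
	ID              string
	Regex           string // Go/RE2 syntax, named groups as (?P<name>...)
	SecretGroupName string // must match a (?P<name>...) group in Regex
}

// Finding is one matched line, with the captured secret and the line as a
// scanner would print it, the secret masked with asterisks.
type Finding struct {
	Line     int
	Secret   string
	Redacted string
}

// PasswordRule is the equivalent of this custom rule (documented format):
//
//	rules:
//	  - id: app-yml-password
//	    category: general
//	    title: Password in application.yml
//	    severity: HIGH
//	    regex: (?i)password\s*:\s*["']?(?P<password>[^"'\s]{8,})["']?
//	    secret-group-name: password
//	    keywords:
//	      - password
var PasswordRule = SecretRule{
	ID:              "app-yml-password",
	Regex:           `(?i)password\s*:\s*["']?(?P<password>[^"'\s]{8,})["']?`,
	SecretGroupName: "password",
}

// MisnamedRule is the misconfiguration discussed above: the regex's group is
// called "password" but secret-group-name says "secret".
var MisnamedRule = SecretRule{
	ID:              "app-yml-password-broken",
	Regex:           PasswordRule.Regex,
	SecretGroupName: "secret",
}

// SampleApplicationYML is a constructed Spring Boot config, not a real one.
const SampleApplicationYML = `spring:
  datasource:
    url: jdbc:mysql://db.example.internal:3306/app
    username: app
    password: Sup3rS3cretPa55w0rd
  redis:
    password: "an0ther-secret-value"
logging:
  level: INFO
`

// ScanContent applies the rule line by line and returns the value captured by
// the group named in SecretGroupName. It fails early when the regex has no
// group of that name, instead of silently reporting nothing.
func ScanContent(rule SecretRule, content string) ([]Finding, error) {
	re, err := regexp.Compile(rule.Regex)
	if err != nil {
		return nil, fmt.Errorf("rule %s: bad regex: %w", rule.ID, err)
	}
	// SubexpIndex returns -1 when no group carries that name.
	groupIdx := re.SubexpIndex(rule.SecretGroupName)
	if groupIdx < 0 {
		return nil, fmt.Errorf("rule %s: regex has no capture group named %q (available: %v)",
			rule.ID, rule.SecretGroupName, re.SubexpNames()[1:])
	}
	var findings []Finding
	for i, line := range strings.Split(content, "\n") {
		m := re.FindStringSubmatch(line)
		if m == nil || m[groupIdx] == "" {
			continue
		}
		secret := m[groupIdx]
		findings = append(findings, Finding{
			Line:     i + 1,
			Secret:   secret,
			Redacted: strings.Replace(line, secret, strings.Repeat("*", len(secret)), 1),
		})
	}
	return findings, nil
}

func main() {
	findings, err := ScanContent(PasswordRule, SampleApplicationYML)
	if err != nil {
		fmt.Println("error:", err)
	}
	for _, f := range findings {
		fmt.Printf("line %d: %s\n", f.Line, f.Redacted)
	}
	// The misnamed rule compiles but cannot produce a finding.
	if _, err := ScanContent(MisnamedRule, SampleApplicationYML); err != nil {
		fmt.Println("error:", err)
	}
}
```

Two things worth checking when a custom rule seems to match nothing: that the name after secret-group-name is spelled exactly as in the (?P<...>) group, and that the regex is valid RE2 (no lookbehind or backreferences, which Go's regexp rejects at compile time).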

DmitriyLewen commented 2 years ago

Hello @zhanglc

I also checked your pom.xml file. It is the same problem.

Created a PR to fix this bug. When the PR is merged, I will write in this issue.

Regards, Dmitriy

zhanglc commented 2 years ago

@DmitriyLewen I saw the new version 0.31.2, is this fix in the release?

DmitriyLewen commented 2 years ago

Hello @zhanglc Unfortunately we didn't have enough time to review the PR. We are currently working on this.

I will write when the PR is merged.

zhanglc commented 2 years ago

@DmitriyLewen thanks a lot

DmitriyLewen commented 2 years ago

Hello @zhanglc @Bhaal22 We fixed this bug.

Changes will be included in the next release. Until then (if it suits you) you can use the canary image or binary.

Bhaal22 commented 2 years ago

Hi @DmitriyLewen That's pretty cool!!!

Thank you very much.