aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

CVE-2016-1000027 not detected #3373

Closed monwolf closed 1 year ago

monwolf commented 1 year ago

Description

We have a Java application with the library spring-web-5.3.24 and it's vulnerable to CVE-2016-1000027 as mvnrepository warns:


What did you expect to happen?

Trivy detects the vulnerability

What happened instead?

Trivy doesn't seem to detect it

Output of run with -debug:

2023-01-03T15:18:40.602+0100    DEBUG  Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-01-03T15:18:40.605+0100    DEBUG  cache dir:  /var/lib/jenkins/trivy-scan/.trivycache/
2023-01-03T15:18:40.605+0100    DEBUG  DB update was skipped because the local DB is the latest
2023-01-03T15:18:40.605+0100    DEBUG  DB Schema: 2, UpdatedAt: 2023-01-03 12:07:55.726489542 +0000 UTC, NextUpdate: 2023-01-03 18:07:55.726489142 +0000 UTC, DownloadedAt: 2023-01-03 12:21:51.76607004 +0000 UTC
2023-01-03T15:18:40.605+0100    INFO   Vulnerability scanning is enabled
2023-01-03T15:18:40.605+0100    DEBUG  Vulnerability type:  [os library]
2023-01-03T15:18:40.606+0100    INFO   Secret scanning is enabled
2023-01-03T15:18:40.606+0100    INFO   If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-03T15:18:40.606+0100    INFO   Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2023-01-03T15:18:40.611+0100    DEBUG  No secret config detected: trivy-secret.yaml
2023-01-03T15:18:40.611+0100    DEBUG  Image ID: sha256:a23d26037a6aca1e7b22719cbcab1a507a1cdc3cf26293457ac0a606dba3fce2
2023-01-03T15:18:40.611+0100    DEBUG  Diff IDs: [sha256:c3f11d77a5de76ec836c52333d45ac3742c7b27d3d83feba6ec978e223715c67 sha256:d9db04f7e324990348d55839435d8107a2261e0ba9a9ad6e01ff81170de6871e sha256:ef8a888d22e1c472c638d1d929d65d8c041142e69adfd19fa8b4a5a701c9e786 sha256:c365dcc44aa9bd517d5bb728239d4bd7d4182559262df8a660e8f97c7b1c0db2 sha256:ae5689116551e487f5162f7d15d2e18369e93893e672a51c7e0307612c7efd59 sha256:352d6228c9cbd3ebff8dfc66446c88f5bb15b3c3f66a838a828690301f97b615]
2023-01-03T15:18:40.611+0100    DEBUG  Base Layers: [sha256:c3f11d77a5de76ec836c52333d45ac3742c7b27d3d83feba6ec978e223715c67]
2023-01-03T15:18:40.648+0100    DEBUG  Missing image ID in cache: sha256:a23d26037a6aca1e7b22719cbcab1a507a1cdc3cf26293457ac0a606dba3fce2
2023-01-03T15:18:40.648+0100    DEBUG  Missing diff ID in cache: sha256:352d6228c9cbd3ebff8dfc66446c88f5bb15b3c3f66a838a828690301f97b615
2023-01-03T15:18:40.648+0100    DEBUG  Missing diff ID in cache: sha256:ae5689116551e487f5162f7d15d2e18369e93893e672a51c7e0307612c7efd59
2023-01-03T15:18:48.346+0100    DEBUG  Parsing Java artifacts...   {"file": "app.jar"}
2023-01-03T15:18:49.356+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-webflux-5.3.24.jar"}
2023-01-03T15:18:49.467+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jetty-reactive-httpclient-1.1.13.jar"}
2023-01-03T15:18:49.468+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jetty-client-9.4.49.v20220914.jar"}
2023-01-03T15:18:49.683+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/junit-jupiter-5.8.2.jar"}
2023-01-03T15:18:49.896+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/junit-jupiter-engine-5.8.2.jar"}
2023-01-03T15:18:50.111+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/junit-platform-engine-1.8.2.jar"}
2023-01-03T15:18:50.322+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/mockito-junit-jupiter-4.5.1.jar"}
2023-01-03T15:18:50.536+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/junit-jupiter-params-5.8.2.jar"}
2023-01-03T15:18:50.754+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/junit-jupiter-api-5.8.2.jar"}
2023-01-03T15:18:50.967+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/junit-platform-commons-1.8.2.jar"}
2023-01-03T15:18:51.179+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/junit-vintage-engine-5.9.0.jar"}
2023-01-03T15:18:51.392+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/encoder-1.2.3.jar"}
2023-01-03T15:18:51.395+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/postgresql-42.5.1.jar"}
2023-01-03T15:18:51.611+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-cloud-starter-consul-config-3.1.2.jar"}
2023-01-03T15:18:51.612+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-cloud-starter-consul-discovery-3.1.2.jar"}
2023-01-03T15:18:51.612+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-cloud-starter-consul-3.1.2.jar"}
2023-01-03T15:18:51.613+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-cloud-consul-discovery-3.1.2.jar"}
2023-01-03T15:18:51.613+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-cloud-consul-core-3.1.2.jar"}
2023-01-03T15:18:51.614+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-cloud-starter-bootstrap-3.1.5.jar"}
2023-01-03T15:18:51.614+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-cloud-starter-vault-config-3.1.1.jar"}
2023-01-03T15:18:51.615+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-cloud-starter-loadbalancer-3.1.5.jar"}
2023-01-03T15:18:51.615+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-cloud-vault-config-3.1.1.jar"}
2023-01-03T15:18:51.616+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-cloud-starter-3.1.5.jar"}
2023-01-03T15:18:51.617+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/snakeyaml-1.33.jar"}
2023-01-03T15:18:51.619+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-boot-actuator-autoconfigure-2.7.6.jar"}
2023-01-03T15:18:51.728+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jackson-datatype-jsr310-2.14.0.jar"}
2023-01-03T15:18:51.728+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jackson-module-parameter-names-2.14.0.jar"}
2023-01-03T15:18:51.730+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jackson-core-2.14.0.jar"}
2023-01-03T15:18:51.731+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jackson-datatype-jdk8-2.14.0.jar"}
2023-01-03T15:18:51.732+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-vault-core-2.3.2.jar"}
2023-01-03T15:18:51.736+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jackson-databind-2.14.0.jar"}
2023-01-03T15:18:51.739+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jackson-annotations-2.14.0.jar"}
2023-01-03T15:18:51.740+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-cloud-loadbalancer-3.1.5.jar"}
2023-01-03T15:18:51.742+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/commons-lang3-3.12.0.jar"}
2023-01-03T15:18:51.747+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/guava-30.1-jre.jar"}
2023-01-03T15:18:51.752+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-security-oauth2-resource-server-5.7.5.jar"}
2023-01-03T15:18:51.860+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-security-web-5.7.5.jar"}
2023-01-03T15:18:51.971+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/commons-io-2.9.0.jar"}
2023-01-03T15:18:51.972+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/javax.activation-api-1.2.0.jar"}
2023-01-03T15:18:51.973+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/junit-4.13.2.jar"}
2023-01-03T15:18:52.184+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/javax.servlet-api-4.0.1.jar"}
2023-01-03T15:18:52.186+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-webmvc-5.3.24.jar"}
2023-01-03T15:18:52.299+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-security-oauth2-jose-5.7.5.jar"}
2023-01-03T15:18:52.405+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-security-oauth2-core-5.7.5.jar"}
2023-01-03T15:18:52.515+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-web-5.3.24.jar"}
2023-01-03T15:18:52.631+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-boot-test-autoconfigure-2.7.6.jar"}
2023-01-03T15:18:52.742+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-boot-autoconfigure-2.7.6.jar"}
2023-01-03T15:18:52.858+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-boot-test-2.7.6.jar"}
2023-01-03T15:18:52.966+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-boot-actuator-2.7.6.jar"}
2023-01-03T15:18:53.079+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-boot-2.7.6.jar"}
2023-01-03T15:18:53.194+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-security-config-5.7.5.jar"}
2023-01-03T15:18:53.308+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-security-core-5.7.5.jar"}
2023-01-03T15:18:53.416+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-data-jpa-2.7.6.jar"}
2023-01-03T15:18:53.418+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-context-support-5.3.24.jar"}
2023-01-03T15:18:53.525+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-context-5.3.24.jar"}
2023-01-03T15:18:53.638+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-aop-5.3.24.jar"}
2023-01-03T15:18:53.746+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-orm-5.3.24.jar"}
2023-01-03T15:18:53.852+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-jdbc-5.3.24.jar"}
2023-01-03T15:18:53.961+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-data-commons-2.7.6.jar"}
2023-01-03T15:18:53.964+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-tx-5.3.24.jar"}
2023-01-03T15:18:54.073+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-beans-5.3.24.jar"}
2023-01-03T15:18:54.182+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-test-5.3.24.jar"}
2023-01-03T15:18:54.293+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-expression-5.3.24.jar"}
2023-01-03T15:18:54.402+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-core-5.3.24.jar"}
2023-01-03T15:18:54.516+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/reactor-extra-3.4.9.jar"}
2023-01-03T15:18:54.626+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/reactor-core-3.4.25.jar"}
2023-01-03T15:18:54.734+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/reactive-streams-1.0.4.jar"}
2023-01-03T15:18:54.945+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/json-path-2.7.0.jar"}
2023-01-03T15:18:55.155+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/logback-classic-1.2.11.jar"}
2023-01-03T15:18:55.156+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/log4j-to-slf4j-2.17.2.jar"}
2023-01-03T15:18:55.157+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jul-to-slf4j-1.7.36.jar"}
2023-01-03T15:18:55.158+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/HikariCP-4.0.3.jar"}
2023-01-03T15:18:55.158+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/slf4j-api-1.7.36.jar"}
2023-01-03T15:18:55.159+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jetty-http-9.4.49.v20220914.jar"}
2023-01-03T15:18:55.160+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jetty-io-9.4.49.v20220914.jar"}
2023-01-03T15:18:55.161+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/checker-qual-3.5.0.jar"}
2023-01-03T15:18:55.372+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jakarta.annotation-api-1.3.5.jar"}
2023-01-03T15:18:55.373+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/json-20160807.jar"}
2023-01-03T15:18:55.374+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-cloud-consul-config-3.1.2.jar"}
2023-01-03T15:18:55.374+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-cloud-commons-3.1.5.jar"}
2023-01-03T15:18:55.375+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-cloud-context-3.1.5.jar"}
2023-01-03T15:18:55.376+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/failureaccess-1.0.1.jar"}
2023-01-03T15:18:55.376+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar"}
2023-01-03T15:18:55.377+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jsr305-3.0.2.jar"}
2023-01-03T15:18:55.377+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/error_prone_annotations-2.3.4.jar"}
2023-01-03T15:18:55.377+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/j2objc-annotations-1.3.jar"}
2023-01-03T15:18:55.379+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/micrometer-core-1.9.6.jar"}
2023-01-03T15:18:55.499+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/hibernate-core-5.6.14.Final.jar"}
2023-01-03T15:18:55.616+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jaxb-runtime-2.3.7.jar"}
2023-01-03T15:18:55.618+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jakarta.xml.bind-api-2.3.3.jar"}
2023-01-03T15:18:55.627+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/assertj-core-3.22.0.jar"}
2023-01-03T15:18:55.634+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/hamcrest-core-2.2.jar"}
2023-01-03T15:18:55.740+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/hamcrest-2.2.jar"}
2023-01-03T15:18:55.955+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/mockito-core-4.5.1.jar"}
2023-01-03T15:18:56.173+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jsonassert-1.5.1.jar"}
2023-01-03T15:18:56.173+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/xmlunit-core-2.9.0.jar"}
2023-01-03T15:18:56.174+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/tomcat-embed-el-9.0.69.jar"}
2023-01-03T15:18:56.388+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/hibernate-validator-6.2.5.Final.jar"}
2023-01-03T15:18:56.391+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/consul-api-1.4.6.jar"}
2023-01-03T15:18:56.497+0100    DEBUG  No such POM in the central repositories {"file": "consul-api-1.4.6.jar"}
2023-01-03T15:18:56.603+0100    DEBUG  POM was determined in a heuristic way   {"file": "consul-api-1.4.6.jar", "artifact": "com.ecwid.consul:consul-api:1.4.6"}
2023-01-03T15:18:56.604+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/httpclient-4.5.13.jar"}
2023-01-03T15:18:56.606+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/httpcore-4.4.15.jar"}
2023-01-03T15:18:56.607+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/tomcat-embed-websocket-9.0.69.jar"}
2023-01-03T15:18:56.826+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/tomcat-embed-core-9.0.69.jar"}
2023-01-03T15:18:57.054+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-jcl-5.3.24.jar"}
2023-01-03T15:18:57.161+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jetty-util-9.4.49.v20220914.jar"}
2023-01-03T15:18:57.162+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/opentest4j-1.2.0.jar"}
2023-01-03T15:18:57.373+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jakarta.transaction-api-1.3.3.jar"}
2023-01-03T15:18:57.374+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jakarta.persistence-api-2.2.3.jar"}
2023-01-03T15:18:57.374+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-aspects-5.3.24.jar"}
2023-01-03T15:18:57.479+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-security-crypto-5.7.5.jar"}
2023-01-03T15:18:57.587+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/HdrHistogram-2.1.12.jar"}
2023-01-03T15:18:57.588+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/LatencyUtils-2.0.3.jar"}
2023-01-03T15:18:57.588+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/json-smart-2.4.8.jar"}
2023-01-03T15:18:57.589+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jakarta.activation-api-1.2.2.jar"}
2023-01-03T15:18:57.596+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/byte-buddy-1.12.19.jar"}
2023-01-03T15:18:57.603+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/byte-buddy-agent-1.12.19.jar"}
2023-01-03T15:18:57.604+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/objenesis-3.2.jar"}
2023-01-03T15:18:57.815+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/android-json-0.0.20131108.vaadin1.jar"}
2023-01-03T15:18:58.030+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/logback-core-1.2.11.jar"}
2023-01-03T15:18:58.032+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/log4j-api-2.17.2.jar"}
2023-01-03T15:18:58.033+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jakarta.validation-api-2.0.2.jar"}
2023-01-03T15:18:58.034+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/hibernate-commons-annotations-5.1.2.Final.jar"}
2023-01-03T15:18:58.141+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jboss-logging-3.4.3.Final.jar"}
2023-01-03T15:18:58.142+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/classmate-1.5.1.jar"}
2023-01-03T15:18:58.143+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/nimbus-jose-jwt-9.22.jar"}
2023-01-03T15:18:58.145+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-security-rsa-1.0.11.RELEASE.jar"}
2023-01-03T15:18:58.146+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/gson-2.9.1.jar"}
2023-01-03T15:18:58.147+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/evictor-1.0.0.jar"}
2023-01-03T15:18:58.148+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/commons-codec-1.15.jar"}
2023-01-03T15:18:58.152+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/aspectjweaver-1.9.7.jar"}
2023-01-03T15:18:58.268+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/antlr-2.7.7.jar"}
2023-01-03T15:18:58.383+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jandex-2.4.2.Final.jar"}
2023-01-03T15:18:58.384+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/accessors-smart-2.4.8.jar"}
2023-01-03T15:18:58.385+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jcip-annotations-1.0-1.jar"}
2023-01-03T15:18:58.492+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/bcpkix-jdk15on-1.69.jar"}
2023-01-03T15:18:58.725+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/txw2-2.3.7.jar"}
2023-01-03T15:18:58.726+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/istack-commons-runtime-3.0.12.jar"}
2023-01-03T15:18:58.726+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/jakarta.activation-1.2.2.jar"}
2023-01-03T15:18:58.727+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/asm-9.1.jar"}
2023-01-03T15:18:58.943+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/bcutil-jdk15on-1.69.jar"}
2023-01-03T15:18:59.166+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/bcprov-jdk15on-1.69.jar"}
2023-01-03T15:18:59.420+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-boot-jarmode-layertools-2.7.6.jar"}
2023-01-03T15:18:59.879+0100    DEBUG  No such POM in the central repositories {"file": "app.jar"}
2023-01-03T15:18:59.902+0100    INFO   Detected OS: ubuntu
2023-01-03T15:18:59.902+0100    INFO   Detecting Ubuntu vulnerabilities...
2023-01-03T15:18:59.902+0100    DEBUG  ubuntu: os version: 20.04
2023-01-03T15:18:59.902+0100    DEBUG  ubuntu: the number of packages: 131
2023-01-03T15:18:59.907+0100    INFO   Number of language-specific files: 1
2023-01-03T15:18:59.908+0100    INFO   Detecting jar vulnerabilities...
2023-01-03T15:18:59.908+0100    DEBUG  Detecting library vulnerabilities, type: jar, path: 
2023-01-03T15:18:59.925+0100    DEBUG  Found an ignore file /var/lib/jenkins/trivy-scan/.trivyignore
2023-01-03T15:18:59.925+0100    DEBUG  These IDs will be ignored: []

Output of trivy -v:

Version: 0.36.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-01-31 12:11:21.103014506 +0000 UTC
  NextUpdate: 2022-01-31 18:11:21.103014206 +0000 UTC
  DownloadedAt: 2022-01-31 16:17:00.298475202 +0000 UTC

Additional details (base image name, container registry info...):

knqyf263 commented 1 year ago

Dmitriy will take a look after he is back from the New Year holidays.

monwolf commented 1 year ago

jajaj ok, Dmitriy enjoy your holidays

DmitriyLewen commented 1 year ago

Hello @monwolf, thanks for your report!

Looks like the GitLab database doesn't contain this version in the affected range. I created an issue about this.

Regards, Dmitriy
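
One way to tell a miss caused by artifact discovery from a miss caused by advisory data, as in this issue, is to check the debug log for how the scanner handled the JAR. This is an added example, not part of the thread or of Trivy's code: `triage` and its status labels are hypothetical names, the sample lines are excerpted from the debug log above, and treating "parsed with no lookup failure logged" as "identified" is an assumption.

```python
import json
import re

# Sample lines excerpted from the debug log in this issue, embedded so the example runs offline.
SAMPLE_LOG = """\
2023-01-03T15:18:40.605+0100    DEBUG  DB Schema: 2, UpdatedAt: 2023-01-03 12:07:55.726489542 +0000 UTC, NextUpdate: 2023-01-03 18:07:55.726489142 +0000 UTC, DownloadedAt: 2023-01-03 12:21:51.76607004 +0000 UTC
2023-01-03T15:18:48.346+0100    DEBUG  Parsing Java artifacts...   {"file": "app.jar"}
2023-01-03T15:18:52.186+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-webmvc-5.3.24.jar"}
2023-01-03T15:18:52.515+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/spring-web-5.3.24.jar"}
2023-01-03T15:18:56.391+0100    DEBUG  Parsing Java artifacts...   {"file": "BOOT-INF/lib/consul-api-1.4.6.jar"}
2023-01-03T15:18:56.497+0100    DEBUG  No such POM in the central repositories {"file": "consul-api-1.4.6.jar"}
2023-01-03T15:18:56.603+0100    DEBUG  POM was determined in a heuristic way   {"file": "consul-api-1.4.6.jar", "artifact": "com.ecwid.consul:consul-api:1.4.6"}
2023-01-03T15:18:59.879+0100    DEBUG  No such POM in the central repositories {"file": "app.jar"}
"""

# timestamp, level, free-text message, optional trailing JSON object
LINE = re.compile(r"^\S+\s+(?:DEBUG|INFO|WARN|ERROR|FATAL)\s+(.*?)\s*(\{.*\})?$")


def parse_events(log):
    """Yield (message, fields) per log line; fields is {} when there is no JSON tail."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        fields = {}
        if m.group(2):
            try:
                fields = json.loads(m.group(2))
            except json.JSONDecodeError:
                pass  # braces that are not JSON: keep the message, drop the tail
        yield m.group(1), fields


def triage(log, jar_name):
    """Summarise what the log says about one JAR (exact file name, not a substring)."""
    result = {"parsed": False, "identification": "not-seen",
              "artifact": None, "db_updated_at": None}
    for msg, fields in parse_events(log):
        if msg.startswith("DB Schema"):
            m = re.search(r"UpdatedAt: (\S+ \S+)", msg)
            if m:
                result["db_updated_at"] = m.group(1)
        # Compare basenames so spring-web does not match spring-webmvc or spring-webflux.
        if str(fields.get("file", "")).rsplit("/", 1)[-1] != jar_name:
            continue
        if msg.startswith("Parsing Java artifacts"):
            result["parsed"] = True
            result["identification"] = "no-lookup-failure-logged"  # assumption: identified
        elif msg.startswith("No such POM"):
            result["identification"] = "unresolved"
        elif msg.startswith("POM was determined in a heuristic way"):
            result["identification"] = "heuristic"
            result["artifact"] = fields.get("artifact")
    return result


if __name__ == "__main__":
    for jar in ("spring-web-5.3.24.jar", "consul-api-1.4.6.jar", "app.jar"):
        print(jar, triage(SAMPLE_LOG, jar))
```

For `spring-web-5.3.24.jar` the log shows the JAR was parsed with no lookup failure, so the inventory side is not where the finding was lost; that leaves the advisory's affected range as the place to look.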

DmitriyLewen commented 1 year ago

GitLab updated this CVE.

After updating Trivy-db, Trivy will be able to detect CVE-2016-1000027.

I'm closing this issue. If you still have questions, feel free to reopen this issue.

Regards, Dmitriy