aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Miscalculated versions of transitive dependencies in maven project #3986

Closed rafaeltc closed 1 year ago

rafaeltc commented 1 year ago

Description

Trivy miscalculates the version of transitive dependencies when their version is set to ${project.version}.

This behavior can be easily verified when comparing the output of mvn dependency:tree against trivy fs --format cyclonedx.

For example, use the pom below, which contains org.jruby:jruby@9.4.2.0 and org.apache.zookeeper:zookeeper@3.7.1.

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <dependencies>
        <dependency>
            <groupId>org.jruby</groupId>
            <artifactId>jruby</artifactId>
            <version>9.4.2.0</version>
        </dependency>
        <dependency>
            <groupId>org.apache.zookeeper</groupId>
            <artifactId>zookeeper</artifactId>
            <version>3.7.1</version>
        </dependency>
    </dependencies>
</project>

What did you expect to happen?

Trivy should resolve the following dependencies:

        "pkg:maven/org.apache.zookeeper/zookeeper@3.7.1",
        "pkg:maven/org.apache.zookeeper/zookeeper-jute@3.7.1",
        "pkg:maven/org.jruby/jruby@9.4.2.0",
        "pkg:maven/org.jruby/jruby-base@9.4.2.0",
        "pkg:maven/org.jruby/jruby-stdlib@9.4.2.0",

What happened instead?

Trivy miscalculates the following transitive dependencies:

        "pkg:maven/org.apache.zookeeper/zookeeper-jute@23",
        "pkg:maven/org.jruby/jruby-base@7",
        "pkg:maven/org.jruby/jruby-stdlib@7",

Output of run with -debug:

DEBUG   ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
DEBUG   cache dir:  /Users/xxxx/Library/Caches/trivy
DEBUG   Walk the file tree rooted at '.' in parallel
DEBUG   Resolving org.jruby:jruby:9.4.2.0...
DEBUG   Start parent: org.jruby:jruby-artifacts:9.4.2.0
DEBUG   Start parent: org.jruby:jruby-parent:9.4.2.0
DEBUG   Start parent: org.sonatype.oss:oss-parent:7
DEBUG   Exit parent: org.sonatype.oss:oss-parent:7
DEBUG   Exit parent: org.jruby:jruby-parent:9.4.2.0
DEBUG   Exit parent: org.jruby:jruby-artifacts:9.4.2.0
DEBUG   Resolving org.apache.zookeeper:zookeeper:3.7.1...
DEBUG   Start parent: org.apache.zookeeper:parent:3.7.1
DEBUG   Start parent: org.apache:apache:23
DEBUG   Exit parent: org.apache:apache:23
DEBUG   Exit parent: org.apache.zookeeper:parent:3.7.1
DEBUG   Resolving org.jruby:jruby-base:7...
DEBUG   org.jruby:jruby-base:7 was not found in local/remote repositories
DEBUG   Resolving org.jruby:jruby-stdlib:7...
DEBUG   org.jruby:jruby-stdlib:7 was not found in local/remote repositories
DEBUG   Resolving org.apache.zookeeper:zookeeper-jute:23...
DEBUG   org.apache.zookeeper:zookeeper-jute:23 was not found in local/remote repositories
DEBUG   Resolving org.apache.yetus:audience-annotations:0.12.0...
DEBUG   Start parent: org.apache.yetus:yetus-project:0.12.0
DEBUG   Start parent: org.apache:apache:21
DEBUG   Exit parent: org.apache:apache:21
DEBUG   Exit parent: org.apache.yetus:yetus-project:0.12.0
DEBUG   Resolving io.netty:netty-handler:4.1.76.Final...
DEBUG   Start parent: io.netty:netty-parent:4.1.76.Final
DEBUG   Start parent: org.sonatype.oss:oss-parent:9
DEBUG   Exit parent: org.sonatype.oss:oss-parent:9
DEBUG   Exit parent: io.netty:netty-parent:4.1.76.Final
DEBUG   Resolving io.netty:netty-transport-native-epoll:4.1.76.Final...
DEBUG   Start parent: io.netty:netty-parent:4.1.76.Final
DEBUG   Exit parent: io.netty:netty-parent:4.1.76.Final
DEBUG   Resolving org.slf4j:slf4j-api:1.7.35...
DEBUG   Start parent: org.slf4j:slf4j-parent:1.7.35
DEBUG   Exit parent: org.slf4j:slf4j-parent:1.7.35
DEBUG   Resolving org.sonatype.oss:netty-common:9...
DEBUG   org.sonatype.oss:netty-common:9 was not found in local/remote repositories
DEBUG   Resolving org.sonatype.oss:netty-resolver:9...
DEBUG   org.sonatype.oss:netty-resolver:9 was not found in local/remote repositories
DEBUG   Resolving org.sonatype.oss:netty-buffer:9...
DEBUG   org.sonatype.oss:netty-buffer:9 was not found in local/remote repositories
DEBUG   Resolving org.sonatype.oss:netty-transport:9...
DEBUG   org.sonatype.oss:netty-transport:9 was not found in local/remote repositories
DEBUG   Resolving org.sonatype.oss:netty-codec:9...
DEBUG   org.sonatype.oss:netty-codec:9 was not found in local/remote repositories
DEBUG   Resolving io.netty:netty-common:9...
DEBUG   io.netty:netty-common:9 was not found in local/remote repositories
DEBUG   Resolving io.netty:netty-buffer:9...
DEBUG   io.netty:netty-buffer:9 was not found in local/remote repositories
DEBUG   Resolving io.netty:netty-transport:9...
DEBUG   io.netty:netty-transport:9 was not found in local/remote repositories
DEBUG   Resolving io.netty:netty-transport-native-unix-common:9...
DEBUG   io.netty:netty-transport-native-unix-common:9 was not found in local/remote repositories
DEBUG   Resolving io.netty:netty-transport-classes-epoll:9...
DEBUG   io.netty:netty-transport-classes-epoll:9 was not found in local/remote repositories
DEBUG   OS is not detected.
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:dd9c1603-86f1-4e59-bb9e-e6c6b7ea7196",
  "version": 1,
  "metadata": {
    "timestamp": "2023-04-04T17:33:14+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "0.38.3"
      }
    ],
    "component": {
      "bom-ref": "fc54e891-bc83-4f5e-8a33-d1fc83e6851d",
      "type": "application",
      "name": ".",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "pkg:maven/com.example/demo@0.0.1-SNAPSHOT",
      "type": "library",
      "name": "com.example:demo",
      "version": "0.0.1-SNAPSHOT",
      "purl": "pkg:maven/com.example/demo@0.0.1-SNAPSHOT",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/io.netty/netty-buffer@9",
      "type": "library",
      "name": "io.netty:netty-buffer",
      "version": "9",
      "purl": "pkg:maven/io.netty/netty-buffer@9",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/io.netty/netty-common@9",
      "type": "library",
      "name": "io.netty:netty-common",
      "version": "9",
      "purl": "pkg:maven/io.netty/netty-common@9",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/io.netty/netty-handler@4.1.76.Final",
      "type": "library",
      "name": "io.netty:netty-handler",
      "version": "4.1.76.Final",
      "purl": "pkg:maven/io.netty/netty-handler@4.1.76.Final",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/io.netty/netty-transport@9",
      "type": "library",
      "name": "io.netty:netty-transport",
      "version": "9",
      "purl": "pkg:maven/io.netty/netty-transport@9",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/io.netty/netty-transport-classes-epoll@9",
      "type": "library",
      "name": "io.netty:netty-transport-classes-epoll",
      "version": "9",
      "purl": "pkg:maven/io.netty/netty-transport-classes-epoll@9",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/io.netty/netty-transport-native-epoll@4.1.76.Final",
      "type": "library",
      "name": "io.netty:netty-transport-native-epoll",
      "version": "4.1.76.Final",
      "purl": "pkg:maven/io.netty/netty-transport-native-epoll@4.1.76.Final",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/io.netty/netty-transport-native-unix-common@9",
      "type": "library",
      "name": "io.netty:netty-transport-native-unix-common",
      "version": "9",
      "purl": "pkg:maven/io.netty/netty-transport-native-unix-common@9",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.apache.yetus/audience-annotations@0.12.0",
      "type": "library",
      "name": "org.apache.yetus:audience-annotations",
      "version": "0.12.0",
      "purl": "pkg:maven/org.apache.yetus/audience-annotations@0.12.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.apache.zookeeper/zookeeper@3.7.1",
      "type": "library",
      "name": "org.apache.zookeeper:zookeeper",
      "version": "3.7.1",
      "purl": "pkg:maven/org.apache.zookeeper/zookeeper@3.7.1",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.apache.zookeeper/zookeeper-jute@23",
      "type": "library",
      "name": "org.apache.zookeeper:zookeeper-jute",
      "version": "23",
      "purl": "pkg:maven/org.apache.zookeeper/zookeeper-jute@23",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.jruby/jruby@9.4.2.0",
      "type": "library",
      "name": "org.jruby:jruby",
      "version": "9.4.2.0",
      "purl": "pkg:maven/org.jruby/jruby@9.4.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.jruby/jruby-base@7",
      "type": "library",
      "name": "org.jruby:jruby-base",
      "version": "7",
      "purl": "pkg:maven/org.jruby/jruby-base@7",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.jruby/jruby-stdlib@7",
      "type": "library",
      "name": "org.jruby:jruby-stdlib",
      "version": "7",
      "purl": "pkg:maven/org.jruby/jruby-stdlib@7",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.slf4j/slf4j-api@1.7.35",
      "type": "library",
      "name": "org.slf4j:slf4j-api",
      "version": "1.7.35",
      "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.35",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.sonatype.oss/netty-buffer@9",
      "type": "library",
      "name": "org.sonatype.oss:netty-buffer",
      "version": "9",
      "purl": "pkg:maven/org.sonatype.oss/netty-buffer@9",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.sonatype.oss/netty-codec@9",
      "type": "library",
      "name": "org.sonatype.oss:netty-codec",
      "version": "9",
      "purl": "pkg:maven/org.sonatype.oss/netty-codec@9",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.sonatype.oss/netty-common@9",
      "type": "library",
      "name": "org.sonatype.oss:netty-common",
      "version": "9",
      "purl": "pkg:maven/org.sonatype.oss/netty-common@9",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.sonatype.oss/netty-resolver@9",
      "type": "library",
      "name": "org.sonatype.oss:netty-resolver",
      "version": "9",
      "purl": "pkg:maven/org.sonatype.oss/netty-resolver@9",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.sonatype.oss/netty-transport@9",
      "type": "library",
      "name": "org.sonatype.oss:netty-transport",
      "version": "9",
      "purl": "pkg:maven/org.sonatype.oss/netty-transport@9",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "9260b8ba-beff-4960-809d-c71fc4eb8aa9",
      "type": "application",
      "name": "pom.xml",
      "properties": [
        {
          "name": "aquasecurity:trivy:Type",
          "value": "pom"
        },
        {
          "name": "aquasecurity:trivy:Class",
          "value": "lang-pkgs"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "9260b8ba-beff-4960-809d-c71fc4eb8aa9",
      "dependsOn": [
        "pkg:maven/com.example/demo@0.0.1-SNAPSHOT",
        "pkg:maven/io.netty/netty-buffer@9",
        "pkg:maven/io.netty/netty-common@9",
        "pkg:maven/io.netty/netty-handler@4.1.76.Final",
        "pkg:maven/io.netty/netty-transport@9",
        "pkg:maven/io.netty/netty-transport-classes-epoll@9",
        "pkg:maven/io.netty/netty-transport-native-epoll@4.1.76.Final",
        "pkg:maven/io.netty/netty-transport-native-unix-common@9",
        "pkg:maven/org.apache.yetus/audience-annotations@0.12.0",
        "pkg:maven/org.apache.zookeeper/zookeeper@3.7.1",
        "pkg:maven/org.apache.zookeeper/zookeeper-jute@23",
        "pkg:maven/org.jruby/jruby@9.4.2.0",
        "pkg:maven/org.jruby/jruby-base@7",
        "pkg:maven/org.jruby/jruby-stdlib@7",
        "pkg:maven/org.slf4j/slf4j-api@1.7.35",
        "pkg:maven/org.sonatype.oss/netty-buffer@9",
        "pkg:maven/org.sonatype.oss/netty-codec@9",
        "pkg:maven/org.sonatype.oss/netty-common@9",
        "pkg:maven/org.sonatype.oss/netty-resolver@9",
        "pkg:maven/org.sonatype.oss/netty-transport@9"
      ]
    },
    {
      "ref": "fc54e891-bc83-4f5e-8a33-d1fc83e6851d",
      "dependsOn": [
        "9260b8ba-beff-4960-809d-c71fc4eb8aa9"
      ]
    }
  ],
  "vulnerabilities": []
}

Output of trivy -v:

Version: 0.38.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-04-04 12:07:32.147069586 +0000 UTC
  NextUpdate: 2023-04-04 18:07:32.147069286 +0000 UTC
  DownloadedAt: 2023-04-04 13:16:05.387076 +0000 UTC
Policy Bundle:
  Digest: sha256:45a795b2f64ea9eb0caa1d7faf7c7cd5699a3d4d39f6ff17cad20670135be9f9
  DownloadedAt: 2023-02-28 17:04:11.035112 +0000 UTC

Note: I have also performed the same test with canary Version: 0.39.0-SNAPSHOT-c42f360f5 and the issue persists.

Additional details (base image name, container registry info...):

Trivy is miscalculating (some) transitive dependencies as can be verified by the aforementioned materials and the Maven dependency tree for the aforementioned pom:

com.example:demo:jar:0.0.1-SNAPSHOT
+- org.jruby:jruby:jar:9.4.2.0:compile
|  +- org.jruby:jruby-base:jar:9.4.2.0:compile
|  |  +- org.ow2.asm:asm:jar:9.2:compile
|  |  +- org.ow2.asm:asm-commons:jar:9.2:compile
|  |  |  +- org.ow2.asm:asm-tree:jar:9.2:compile
|  |  |  \- org.ow2.asm:asm-analysis:jar:9.2:compile
|  |  +- org.ow2.asm:asm-util:jar:9.2:compile
|  |  +- com.github.jnr:jnr-netdb:jar:1.2.0:compile
|  |  +- com.github.jnr:jnr-enxio:jar:0.32.14:compile
|  |  +- com.github.jnr:jnr-unixsocket:jar:0.38.19:compile
|  |  +- com.github.jnr:jnr-posix:jar:3.1.16:compile
|  |  +- com.github.jnr:jnr-constants:jar:0.10.4:compile
|  |  +- com.github.jnr:jnr-ffi:jar:2.2.13:compile
|  |  |  +- com.github.jnr:jnr-a64asm:jar:1.0.0:compile
|  |  |  \- com.github.jnr:jnr-x86asm:jar:1.0.2:compile
|  |  +- com.github.jnr:jffi:jar:1.3.10:compile
|  |  +- com.github.jnr:jffi:jar:native:1.3.10:compile
|  |  +- org.jruby.joni:joni:jar:2.1.48:compile
|  |  +- org.jruby.jcodings:jcodings:jar:1.0.58:compile
|  |  +- org.jruby:dirgra:jar:0.3:compile
|  |  +- com.headius:invokebinder:jar:1.12:compile
|  |  +- com.headius:options:jar:1.6:compile
|  |  +- com.jcraft:jzlib:jar:1.1.3:compile
|  |  +- joda-time:joda-time:jar:2.10.10:compile
|  |  +- me.qmx.jitescript:jitescript:jar:0.4.1:compile
|  |  \- com.headius:backport9:jar:1.12:compile
|  \- org.jruby:jruby-stdlib:jar:9.4.2.0:compile
\- org.apache.zookeeper:zookeeper:jar:3.7.1:compile
   +- org.apache.zookeeper:zookeeper-jute:jar:3.7.1:compile
   +- org.apache.yetus:audience-annotations:jar:0.12.0:compile
   +- io.netty:netty-handler:jar:4.1.76.Final:compile
   |  +- io.netty:netty-common:jar:4.1.76.Final:compile
   |  +- io.netty:netty-resolver:jar:4.1.76.Final:compile
   |  +- io.netty:netty-buffer:jar:4.1.76.Final:compile
   |  +- io.netty:netty-transport:jar:4.1.76.Final:compile
   |  \- io.netty:netty-codec:jar:4.1.76.Final:compile
   +- io.netty:netty-transport-native-epoll:jar:4.1.76.Final:compile
   |  +- io.netty:netty-transport-native-unix-common:jar:4.1.76.Final:compile
   |  \- io.netty:netty-transport-classes-epoll:jar:4.1.76.Final:compile
   \- org.slf4j:slf4j-api:jar:1.7.35:compile

By comparing which versions are correctly resolved against the ones which are not, we can spot the pattern: all miscalculated versions are resolved from ${project.version}:

jruby-9.4.2.0.pom (trimmed)

  <parent>
    <groupId>org.jruby</groupId>
    <artifactId>jruby-artifacts</artifactId>
    <version>9.4.2.0</version>
  </parent>
  <artifactId>jruby</artifactId>
  <name>JRuby Main Maven Artifact</name>
  <dependencies>
    <dependency>
      <groupId>org.jruby</groupId>
      <artifactId>jruby-base</artifactId>
      <version>${project.version}</version>
    </dependency>
    <dependency>
      <groupId>org.jruby</groupId>
      <artifactId>jruby-stdlib</artifactId>
      <version>${project.version}</version>
    </dependency>
  </dependencies>

Note that both jruby-base and jruby-stdlib have their <version>${project.version}</version> resolved to 7, which is the end of the line of this inheritance path (jruby > jruby-parent > oss-parent).

jruby-artifacts-9.4.2.0.pom

  <parent>
    <groupId>org.jruby</groupId>
    <artifactId>jruby-parent</artifactId>
    <version>9.4.2.0</version>
  </parent>
  <artifactId>jruby-artifacts</artifactId>
  <packaging>pom</packaging>
  <name>JRuby Artifacts</name>
  <properties>
    <polyglot.dump.pom>pom.xml</polyglot.dump.pom>
    <polyglot.dump.readonly>true</polyglot.dump.readonly>
  </properties>

jruby-parent-9.4.2.0.pom

<parent>
    <groupId>org.sonatype.oss</groupId>
    <artifactId>oss-parent</artifactId>
    <version>7</version>
</parent>
<groupId>org.jruby</groupId>
<artifactId>jruby-parent</artifactId>
<version>9.4.2.0</version>
<packaging>pom</packaging>

oss-parent-7.pom

<groupId>org.sonatype.oss</groupId>
<artifactId>oss-parent</artifactId>
<version>7</version>
<packaging>pom</packaging>

The same behavior can be found when resolving the dependencies from zookeeper. Note that the zookeeper-jute version is not correctly resolved, for the same reasons as the jruby dependencies. On the other hand, audience-annotations is correctly resolved as it is declared differently:

zookeeper-3.7.1.pom (trimmed)

  <parent>
    <groupId>org.apache.zookeeper</groupId>
    <artifactId>parent</artifactId>
    <version>3.7.1</version>
  </parent>

  <artifactId>zookeeper</artifactId>
  <packaging>jar</packaging>
  <name>Apache ZooKeeper - Server</name>
  <description>ZooKeeper server</description>

  <dependencies>
    <dependency>
      <groupId>org.apache.zookeeper</groupId>
      <artifactId>zookeeper-jute</artifactId>
      <version>${project.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.yetus</groupId>
      <artifactId>audience-annotations</artifactId>
    </dependency>
  </dependencies>

parent-3.7.1.pom (trimmed)

<parent>
    <groupId>org.apache</groupId>
    <artifactId>apache</artifactId>
    <version>23</version>
    <relativePath />
    <!-- no parent resolution -->
</parent>
<groupId>org.apache.zookeeper</groupId>
<artifactId>parent</artifactId>
<packaging>pom</packaging>
<version>3.7.1</version>
<modules>
    <module>zookeeper-jute</module>
</modules>
<properties>
    <audience-annotations.version>0.12.0</audience-annotations.version>
</properties>
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.apache.yetus</groupId>
            <artifactId>audience-annotations</artifactId>
            <version>${audience-annotations.version}</version>
        </dependency>
    </dependencies>
</dependencyManagement>

Possibly related issues

The issues below appear to share some similarities but do not seem to source from the same issue:
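
Added example, not part of the original issue and not Trivy's code: Maven binds ${project.version} to the declaring POM's own <version>, or to the version in its <parent> block when it has none, which is why the report expects 3.7.1 and not 23. The type and function names (coord, pom, resolve) are assumptions made for this sketch, and the two POM strings are trimmed from the snippets quoted above.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// coord is a Maven coordinate as written in <parent> and <dependency>.
type coord struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
}

// pom models only the elements quoted in the issue (hypothetical type).
type pom struct {
	Version string  `xml:"version"` // absent when inherited from <parent>
	Parent  *coord  `xml:"parent"`
	Deps    []coord `xml:"dependencies>dependency"` // not dependencyManagement
}

// Trimmed zookeeper-3.7.1.pom from the issue, wrapped in <project> so it parses.
const zookeeperPOM = `<project>
  <parent><groupId>org.apache.zookeeper</groupId><artifactId>parent</artifactId><version>3.7.1</version></parent>
  <artifactId>zookeeper</artifactId>
  <dependencies>
    <dependency><groupId>org.apache.zookeeper</groupId><artifactId>zookeeper-jute</artifactId><version>${project.version}</version></dependency>
    <dependency><groupId>org.apache.yetus</groupId><artifactId>audience-annotations</artifactId></dependency>
  </dependencies>
</project>`

// Trimmed parent-3.7.1.pom: its own <version> must win over its parent's 23.
const parentPOM = `<project>
  <parent><groupId>org.apache</groupId><artifactId>apache</artifactId><version>23</version></parent>
  <artifactId>parent</artifactId><version>3.7.1</version>
</project>`

// resolve returns the POM's effective version and its direct dependencies as
// "group:artifact" -> version ("" means dependencyManagement supplies it).
func resolve(doc string) (string, map[string]string, error) {
	var p pom
	if err := xml.Unmarshal([]byte(doc), &p); err != nil {
		return "", nil, err
	}
	ver := p.Version // a POM's own <version> wins
	if ver == "" && p.Parent != nil {
		ver = p.Parent.Version // otherwise it is inherited from <parent>
	}
	deps := map[string]string{}
	for _, d := range p.Deps {
		deps[d.GroupID+":"+d.ArtifactID] = strings.ReplaceAll(d.Version, "${project.version}", ver)
	}
	return ver, deps, nil
}

func main() {
	for _, doc := range []string{zookeeperPOM, parentPOM} {
		fmt.Println(resolve(doc)) // version, dependencies, error
	}
}
```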

DmitriyLewen commented 1 year ago

Hello @rafaeltc, thanks for your report and great investigation.

I created #205 to solve this problem. You can check the status of this issue in this PR.

Regards, Dmitriy
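
Added example, not part of the thread: the comparison the report describes (mvn dependency:tree against the purls in trivy fs --format cyclonedx) automated as a check that can be rerun on any Trivy build. The function names are assumptions, and both inputs are constructed samples reduced from the output quoted in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed samples taken from the report: Maven's tree and Trivy's purls.
const mvnTree = `com.example:demo:jar:0.0.1-SNAPSHOT
+- org.jruby:jruby:jar:9.4.2.0:compile
|  \- org.jruby:jruby-base:jar:9.4.2.0:compile
|     \- com.github.jnr:jffi:jar:native:1.3.10:compile
\- org.apache.zookeeper:zookeeper:jar:3.7.1:compile
   \- org.apache.zookeeper:zookeeper-jute:jar:3.7.1:compile`

const sbom = `{"components": [
  {"purl": "pkg:maven/org.jruby/jruby@9.4.2.0"},
  {"purl": "pkg:maven/org.jruby/jruby-base@7"},
  {"purl": "pkg:maven/org.apache.zookeeper/zookeeper@3.7.1"},
  {"purl": "pkg:maven/org.apache.zookeeper/zookeeper-jute@23"}, {"name": "pom.xml"}]}`

// treeVersions maps "group:artifact" to the version Maven resolved.
func treeVersions(tree string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(tree, "\n") {
		f := strings.Split(strings.TrimLeft(line, ` |+\-`), ":")
		if n := len(f); n == 5 || n == 6 { // g:a:type[:classifier]:version:scope; 4-field root skipped
			out[f[0]+":"+f[1]] = f[n-2]
		}
	}
	return out
}

// mismatches lists dependencies whose SBOM version differs from Maven's.
func mismatches(tree, doc string) ([]string, error) {
	var bom struct{ Components []struct{ Purl string } } // JSON keys match case-insensitively
	if err := json.Unmarshal([]byte(doc), &bom); err != nil {
		return nil, err
	}
	inSBOM := map[string]string{}
	for _, c := range bom.Components {
		name, ver, ok := strings.Cut(strings.TrimPrefix(c.Purl, "pkg:maven/"), "@")
		if ok && strings.HasPrefix(c.Purl, "pkg:maven/") {
			ver, _, _ = strings.Cut(ver, "?") // drop purl qualifiers, if any
			inSBOM[strings.ReplaceAll(name, "/", ":")] = ver
		}
	}
	var out []string
	for ga, want := range treeVersions(tree) {
		if got, ok := inSBOM[ga]; !ok || got != want {
			// An empty sbom version means the package is absent from the SBOM.
			out = append(out, fmt.Sprintf("%s: sbom %q, maven %q", ga, got, want))
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	fmt.Println(mismatches(mvnTree, sbom))
}
```

An empty result means every dependency Maven resolved appears in the SBOM at the same version; packages that exist only in the SBOM are not reported by this check.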