Closed coheigea closed 19 hours ago
@DmitriyLewen How do I run the tests? Even on main, I'm getting failures with:
go test ./pkg/dependency/parser/java/pom
@DmitriyLewen I added a test, but I'm having trouble running the tests locally even with mage, can you enable the workflow please?
it should work
➜ cd ./pkg/dependency/parser/java/pom
➜ go test -run "TestPom_Parse"
PASS
ok github.com/aquasecurity/trivy/pkg/dependency/parser/java/pom 0.039s
Please re-run the tests
All checks passed 👍
@coheigea I changed your test to show that mvn merges exceptions from base pom and parent (your test showed that mvn takes exceptions from parent, but didn't show that exceptions from the base pom are also used).
Can you take a look?
Yes it's fine thanks! @DmitriyLewen
I noticed that if I have a child pom with a dependency with some exclusions, and a parent pom with a dependencyManagement section with the same dependency with different exclusions, then Trivy only uses the child exclusions.
This is not the behaviour that the Maven command line uses: mvn dependency:tree combines the set of exclusions in this case.
To reproduce unzip "trivy.zip" attached and run:
This will return nothing as jettison is excluded in the parent pom. Now run:
and see it returns findings in jettison even though it's not on the classpath
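Added example (not code from this PR or from Trivy itself) of the merge behaviour described above: the effective exclusion set for a dependency is the union of the exclusions on the child's dependency and those on the parent's dependencyManagement entry. The pom struct and the two pom fragments are assumed and constructed for the example.

```go
package main

import "encoding/xml"

// Minimal pom model (assumed for this example, not Trivy's own types).
type (
	Coord struct {
		GroupID    string `xml:"groupId"`
		ArtifactID string `xml:"artifactId"`
	}
	Dependency struct {
		Coord              // groupId/artifactId promoted from the embedded struct
		Exclusions []Coord `xml:"exclusions>exclusion"`
	}
	Pom struct {
		Dependencies []Dependency `xml:"dependencies>dependency"`
		Managed      []Dependency `xml:"dependencyManagement>dependencies>dependency"`
	}
)

// Constructed poms: child dependency excludes com.acme:foo; parent dependencyManagement excludes jettison.
const (
	childPom = `<project><dependencies><dependency><groupId>org.example</groupId><artifactId>lib</artifactId>
<exclusions><exclusion><groupId>com.acme</groupId><artifactId>foo</artifactId></exclusion></exclusions>
</dependency></dependencies></project>`
	parentPom = `<project><dependencyManagement><dependencies><dependency><groupId>org.example</groupId><artifactId>lib</artifactId>
<exclusions><exclusion><groupId>org.codehaus.jettison</groupId><artifactId>jettison</artifactId></exclusion></exclusions>
</dependency></dependencies></dependencyManagement></project>`
)

// EffectiveExclusions unions the exclusions on the child's dependency with those on the
// parent's matching dependencyManagement entry (keyed groupId:artifactId), as mvn does.
func EffectiveExclusions(child, parent string, dep Coord) (map[string]bool, error) {
	var c, p Pom
	if err := xml.Unmarshal([]byte(child), &c); err != nil {
		return nil, err
	}
	if err := xml.Unmarshal([]byte(parent), &p); err != nil {
		return nil, err
	}
	set := map[string]bool{} // a set, so an exclusion declared in both poms counts once
	for _, d := range append(c.Dependencies, p.Managed...) {
		if d.Coord == dep {
			for _, e := range d.Exclusions {
				set[e.GroupID+":"+e.ArtifactID] = true
			}
		}
	}
	return set, nil
}
```

With only the child's exclusions applied, jettison would stay on the resolved classpath and be scanned; the merged set drops it, matching what mvn dependency:tree shows.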