aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0
22.14k stars, 2.18k forks

fix: Add dependencyManagement exclusions to the child exclusions #6969

Closed. coheigea closed this 19 hours ago

coheigea commented 2 weeks ago

I noticed that if I have a child pom with a dependency with some exclusions, and a parent pom with a dependencyManagement section with the same dependency with different exclusions, then Trivy only uses the child exclusions.

This is not the behaviour of the Maven command line: mvn dependency:tree combines the sets of exclusions in this case.

To reproduce unzip "trivy.zip" attached and run:

 mvn dependency:tree | grep jettison

This will return nothing as jettison is excluded in the parent pom. Now run:

 trivy fs . | grep jettison

and see that it returns findings in jettison even though it's not on the classpath.
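The behaviour described in this report, shown as an added example rather than code from the issue or from Trivy's own POM parser (pkg/dependency/parser/java/pom): a minimal parser for the two POM fragments involved, with a switch between "child exclusions only" (the behaviour reported above) and "child exclusions merged with the parent's dependencyManagement exclusions" (what mvn dependency:tree does). The two POM documents are constructed inline, not taken from the attached trivy.zip; org.example:lib and org.example:other are made-up coordinates, and the model ignores property interpolation, remote parent resolution and profiles.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
)

// Minimal POM model: only the elements needed to read exclusions.
// Added illustration, not Trivy's parser.
type pom struct {
	DependencyManagement dependencies `xml:"dependencyManagement>dependencies"`
	Dependencies         dependencies `xml:"dependencies"`
}

type dependencies struct {
	Dependency []dependency `xml:"dependency"`
}

type dependency struct {
	GroupID    string  `xml:"groupId"`
	ArtifactID string  `xml:"artifactId"`
	Exclusions []coord `xml:"exclusions>exclusion"`
}

type coord struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
}

func (c coord) key() string { return c.GroupID + ":" + c.ArtifactID }

// parsePOM unmarshals a pom.xml document held in memory.
func parsePOM(data string) (pom, error) {
	var p pom
	err := xml.Unmarshal([]byte(data), &p)
	return p, err
}

// Constructed input: the parent manages org.example:lib and excludes
// jettison; the child declares the same dependency with a different exclusion.
const parentPOM = `<project><dependencyManagement><dependencies>
  <dependency><groupId>org.example</groupId><artifactId>lib</artifactId><version>1.0</version>
    <exclusions><exclusion><groupId>org.codehaus.jettison</groupId><artifactId>jettison</artifactId></exclusion></exclusions>
  </dependency>
</dependencies></dependencyManagement></project>`

const childPOM = `<project><dependencies>
  <dependency><groupId>org.example</groupId><artifactId>lib</artifactId>
    <exclusions><exclusion><groupId>org.example</groupId><artifactId>other</artifactId></exclusion></exclusions>
  </dependency>
</dependencies></project>`

// effectiveExclusions maps each child dependency ("groupId:artifactId") to the
// sorted set of excluded coordinates. mergeManaged=false keeps only the child's
// exclusions (the behaviour reported in the issue); mergeManaged=true unions in
// the parent's dependencyManagement exclusions, as mvn dependency:tree does.
func effectiveExclusions(parent, child pom, mergeManaged bool) map[string][]string {
	managed := map[string][]coord{}
	for _, d := range parent.DependencyManagement.Dependency {
		managed[d.GroupID+":"+d.ArtifactID] = d.Exclusions
	}
	out := map[string][]string{}
	for _, d := range child.Dependencies.Dependency {
		key := d.GroupID + ":" + d.ArtifactID
		set := map[string]struct{}{}
		for _, e := range d.Exclusions {
			set[e.key()] = struct{}{}
		}
		if mergeManaged {
			for _, e := range managed[key] {
				set[e.key()] = struct{}{}
			}
		}
		list := make([]string, 0, len(set))
		for k := range set {
			list = append(list, k)
		}
		sort.Strings(list)
		out[key] = list
	}
	return out
}

// isExcluded reports whether target is excluded for dependency dep.
func isExcluded(excl map[string][]string, dep, target string) bool {
	for _, c := range excl[dep] {
		if c == target {
			return true
		}
	}
	return false
}

func main() {
	parent, err := parsePOM(parentPOM)
	if err != nil {
		panic(err)
	}
	child, err := parsePOM(childPOM)
	if err != nil {
		panic(err)
	}
	const dep, jettison = "org.example:lib", "org.codehaus.jettison:jettison"
	before := effectiveExclusions(parent, child, false)
	after := effectiveExclusions(parent, child, true)
	fmt.Println("child only:  ", before[dep], "jettison excluded:", isExcluded(before, dep, jettison))
	fmt.Println("merged (mvn):", after[dep], "jettison excluded:", isExcluded(after, dep, jettison))
}
```

With the child-only rule jettison stays in the resolved tree and a scanner reports findings for it; with the merged rule it is excluded, matching the empty output of mvn dependency:tree | grep jettison. The merge is a union keyed on groupId:artifactId, so neither side's exclusions can drop the other's.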

CLAassistant commented 2 weeks ago

CLA assistant check
All committers have signed the CLA.

CLAassistant commented 2 weeks ago

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

coheigea commented 2 weeks ago

trivy.zip

coheigea commented 2 weeks ago

@DmitriyLewen How do I run the tests...even on main, I'm getting failures with:

 go test ./pkg/dependency/parser/java/pom

DmitriyLewen commented 2 weeks ago

use mage - https://aquasecurity.github.io/trivy/v0.52/community/contribute/pr/#unit-tests

coheigea commented 2 weeks ago

@DmitriyLewen I added a test, but I'm having trouble running the tests locally even with mage, can you enable the workflow please?

DmitriyLewen commented 2 weeks ago

it should work

➜  cd ./pkg/dependency/parser/java/pom 
➜  go test -run "TestPom_Parse"   
PASS
ok      github.com/aquasecurity/trivy/pkg/dependency/parser/java/pom    0.039s

coheigea commented 2 weeks ago

Please re-run the tests

coheigea commented 2 weeks ago

All checks passed 👍

DmitriyLewen commented 2 weeks ago

@coheigea I changed your test to show that mvn merges exceptions from base pom and parent (your test showed that mvn takes exceptions from parent, but didn't show that exceptions from the base pom are also used). Can you take a look?

coheigea commented 1 day ago

Yes it's fine thanks! @DmitriyLewen