openzipkin / zipkin-reporter-java

Shared library for reporting zipkin spans on transports such as http or kafka
Apache License 2.0

trivy: follow-up about having maven-invoker-plugin integration tests skipped by default. #228

Closed codefromthecrypt closed 7 months ago

codefromthecrypt commented 11 months ago

Describe the Bug

Currently, trivy reports vulnerabilities in intentionally old dependencies used in maven-invoker-plugin by default. While we can configure our setup to skip these tests, it can introduce FUD (fear, uncertainty and doubt) in folks who run trivy on their own and don't know about the src/it pattern used in integration testing.

Here is the discussion, which has so far resulted in progress: a workaround to manually skip, like so:

$ trivy -q --skip-files "**/src/it/*/pom.xml" repo https://github.com/openzipkin/zipkin-reporter-java

Steps to Reproduce

$ trivy -q repo https://github.com/openzipkin/zipkin-reporter-java

amqp-client/src/it/amqp_v4/pom.xml (pom)

Total: 6 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 1, CRITICAL: 2)

┌─────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────────────┬───────────────────────┬──────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Status │     Installed Version     │     Fixed Version     │                            Title                             │
├─────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────────────┼───────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.rabbitmq:amqp-client            │ CVE-2018-11087 │ MEDIUM   │ fixed  │ @old-amqp-client.version@ │ 4.8.0, 5.4.0          │ Moderate severity vulnerability that affects                 │
│                                     │                │          │        │                           │                       │ com.rabbitmq:amqp-client and                                 │
│                                     │                │          │        │                           │                       │ org.springframework.amqp:spring-amqp                         │
│                                     │                │          │        │                           │                       │ https://avd.aquasec.com/nvd/cve-2018-11087                   │
│                                     ├────────────────┤          │        │                           ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2023-46120 │          │        │                           │ 5.18.0                │ RabbitMQ Java client's Lack of Message Size Limitation leads │
│                                     │                │          │        │                           │                       │ to Remote DoS...                                             │
│                                     │                │          │        │                           │                       │ https://avd.aquasec.com/nvd/cve-2023-46120                   │
├─────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────────────┼───────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.logging.log4j:log4j-core │ CVE-2021-44228 │ CRITICAL │        │ @log4j.version@           │ 2.15.0, 2.3.1, 2.12.2 │ Remote code execution in Log4j 2.x when logs contain an      │
│                                     │                │          │        │                           │                       │ attacker-controlled string...                                │
│                                     │                │          │        │                           │                       │ https://avd.aquasec.com/nvd/cve-2021-44228                   │
│                                     ├────────────────┤          │        │                           ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-45046 │          │        │                           │ 2.16.0, 2.12.2        │ log4j-core: DoS in log4j 2.x with thread context message     │
│                                     │                │          │        │                           │                       │ pattern and context...                                       │
│                                     │                │          │        │                           │                       │ https://avd.aquasec.com/nvd/cve-2021-45046                   │
│                                     ├────────────────┼──────────┤        │                           ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-45105 │ HIGH     │        │                           │ 2.12.3, 2.17.0, 2.3.1 │ log4j-core: DoS in log4j 2.x with Thread Context Map (MDC)   │
│                                     │                │          │        │                           │                       │ input data...                                                │
│                                     │                │          │        │                           │                       │ https://avd.aquasec.com/nvd/cve-2021-45105                   │
│                                     ├────────────────┼──────────┤        │                           ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2020-9488  │ LOW      │        │                           │ 2.13.2                │ improper validation of certificate with host mismatch in     │
│                                     │                │          │        │                           │                       │ SMTP appender                                                │
│                                     │                │          │        │                           │                       │ https://avd.aquasec.com/nvd/cve-2020-9488                    │
└─────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────────────┴───────────────────────┴──────────────────────────────────────────────────────────────┘

okhttp3/src/it/okhttp3_v3/pom.xml (pom)

Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 2)

┌─────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Status │ Installed Version │     Fixed Version     │                           Title                            │
├─────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼────────────────────────────────────────────────────────────┤
│ org.apache.logging.log4j:log4j-core │ CVE-2021-44228 │ CRITICAL │ fixed  │ @log4j.version@   │ 2.15.0, 2.3.1, 2.12.2 │ Remote code execution in Log4j 2.x when logs contain an    │
│                                     │                │          │        │                   │                       │ attacker-controlled string...                              │
│                                     │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-44228                 │
│                                     ├────────────────┤          │        │                   ├───────────────────────┼────────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-45046 │          │        │                   │ 2.16.0, 2.12.2        │ log4j-core: DoS in log4j 2.x with thread context message   │
│                                     │                │          │        │                   │                       │ pattern and context...                                     │
│                                     │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-45046                 │
│                                     ├────────────────┼──────────┤        │                   ├───────────────────────┼────────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-45105 │ HIGH     │        │                   │ 2.12.3, 2.17.0, 2.3.1 │ log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) │
│                                     │                │          │        │                   │                       │ input data...                                              │
│                                     │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-45105                 │
│                                     ├────────────────┼──────────┤        │                   ├───────────────────────┼────────────────────────────────────────────────────────────┤
│                                     │ CVE-2020-9488  │ LOW      │        │                   │ 2.13.2                │ improper validation of certificate with host mismatch in   │
│                                     │                │          │        │                   │                       │ SMTP appender                                              │
│                                     │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2020-9488                  │
└─────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴────────────────────────────────────────────────────────────┘

Expected Behaviour

I would expect no output, as I personally believe maven-invoker-plugin should be detectable; that way, doing good practice like testing with old versions for the sake of compatibility won't look like a bad thing by default.
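To make the `--skip-files` workaround above reproducible rather than hand-maintained, the following is an added example (not code from zipkin-reporter-java or from trivy). It walks a checkout, flags poms that look like maven-invoker-plugin fixtures, and renders the skip list both as repeated `--skip-files` flags and as a `trivy.yaml` fragment. Two signals are used, and both are assumptions about the layout rather than anything trivy itself detects: the pom sits under `src/it/<project>/` (the invoker plugin's default projects directory), or it still declares an unfiltered `@token@` version such as `@log4j.version@`, the same placeholder trivy printed in the "Installed Version" column above. The `scan.skip-files` key is taken from trivy's config-file reference; confirm it against the reference for your trivy version. The mini-repo in `demo()` is constructed inline so the script runs offline.

```python
"""Flag Maven Invoker Plugin test fixtures so trivy can skip them.

Added example, not part of zipkin-reporter-java or trivy. A pom is treated as
an invoker fixture when it lives under src/it/<project>/ or when it still
contains an unfiltered @token@ version that the invoker plugin only
substitutes at test time (assumptions about the repo layout, not trivy logic).
"""
import re
import tempfile
from pathlib import Path

# A <version> whose value is still an invoker-plugin filter token, e.g. @log4j.version@.
PLACEHOLDER_VERSION = re.compile(r"<version>\s*@[^@<>]+@\s*</version>")


def under_src_it(rel) -> bool:
    """True when the repo-relative path contains a consecutive 'src/it' pair."""
    parts = Path(rel).parts
    return any(parts[i] == "src" and parts[i + 1] == "it" for i in range(len(parts) - 1))


def has_unresolved_placeholder(pom_text: str) -> bool:
    """True when the pom declares a version that is still an @token@ placeholder."""
    return PLACEHOLDER_VERSION.search(pom_text) is not None


def find_invoker_poms(repo: Path) -> list[str]:
    """Return repo-relative POSIX paths of poms that look like invoker fixtures."""
    hits = []
    for pom in sorted(repo.rglob("pom.xml")):
        rel = pom.relative_to(repo)
        text = pom.read_text(encoding="utf-8", errors="replace")
        if under_src_it(rel) or has_unresolved_placeholder(text):
            hits.append(rel.as_posix())
    return hits


def trivy_skip_files_yaml(poms: list[str]) -> str:
    """Render a trivy.yaml fragment (scan.skip-files) listing the fixture poms."""
    lines = ["scan:", "  skip-files:"] + [f"    - {p}" for p in poms]
    return "\n".join(lines) + "\n"


def trivy_skip_files_cli(poms: list[str]) -> str:
    """Render the equivalent repeated --skip-files flags for a one-off scan."""
    return " ".join(f"--skip-files {p}" for p in poms)


def demo() -> list[str]:
    """Build a constructed mini-repo in a temp dir and return the poms flagged in it."""
    real_pom = "<project><version>3.4.0</version></project>"
    amqp_fixture = "<project><dependency><version>@old-amqp-client.version@</version></dependency></project>"
    log4j_fixture = "<project><dependency><version>@log4j.version@</version></dependency></project>"
    sample = {
        "amqp-client/src/it/amqp_v4/pom.xml": amqp_fixture,  # constructed: src/it and a token
        "okhttp3/pom.xml": real_pom,                          # constructed: a real module pom
        "tests/fixtures/pom.xml": log4j_fixture,              # constructed: token outside src/it
    }
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        for rel, text in sample.items():
            target = repo / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text, encoding="utf-8")
        return find_invoker_poms(repo)


if __name__ == "__main__":
    flagged = demo()
    print(trivy_skip_files_yaml(flagged))
    print("trivy -q " + trivy_skip_files_cli(flagged) + " repo <url>")
```

Listing exact paths instead of a single `**/src/it/*/pom.xml` glob keeps the exclusion narrow: a pom that merely sits in an unusual directory but pins a real, shipped version is not hidden from the scan, while a fixture that still carries an `@token@` version is skipped wherever it lives.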