Trivy detects CVE in pom file even though the specific dependency has been upgraded to the fix version #8036

SemProvoost · 2024-12-03T17:05:49Z

SemProvoost
Dec 3, 2024

Description

Example pom:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.bbb.aaa</groupId>
    <artifactId>aaa</artifactId>
    <version>1.0.0</version>
    <packaging>pom</packaging>
    <name>aaa</name>
    <description>desc</description>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.2.11</version>
        <relativePath />
    </parent>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>io.netty</groupId>
                <artifactId>netty-common</artifactId>
                <version>4.1.115.Final</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>org.postgresql</groupId>
            <artifactId>r2dbc-postgresql</artifactId>
            <scope>runtime</scope>
        </dependency>
    </dependencies>
</project>

When you run trivy fs . --scanners vuln --debug on this, Trivy will still detect the CVE. Even though we specifically set netty-common to version 4.1.115.Final:

pom.xml (pom)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ io.netty:netty-common │ CVE-2024-47535 │ HIGH     │ fixed  │ 4.1.114.Final     │ 4.1.115       │ netty: Denial of Service attack on windows app using Netty │
│                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-47535                 │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Desired Behavior

We would expect Trivy to mark the CVE as solved here.

Actual Behavior

Trivy still detects the CVE.

However:
If I set the netty-handler version instead of netty-common -> Trivy doen't detect the CVE anymore.

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>io.netty</groupId>
-               <artifactId>netty-common</artifactId>
+               <artifactId>netty-handler</artifactId>
                <version>4.1.115.Final</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

Reproduction Steps

See example pom in 'description' & diff in 'actual behaviour'
(As these fields support markdown)

Target

Git Repository

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

trivy fs . --scanners vuln --debug 
2024-12-03T17:55:25+01:00       DEBUG   No plugins loaded
2024-12-03T17:55:25+01:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-12-03T17:55:25+01:00       DEBUG   Cache dir       dir="/Users/sem/Library/Caches/trivy"
2024-12-03T17:55:25+01:00       DEBUG   Cache dir       dir="/Users/sem/Library/Caches/trivy"
2024-12-03T17:55:25+01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-12-03T17:55:25+01:00       DEBUG   Ignore statuses statuses=[]
2024-12-03T17:55:25+01:00       DEBUG   DB update was skipped because the local DB is the latest
2024-12-03T17:55:25+01:00       DEBUG   DB info schema=2 updated_at=2024-12-03T12:16:21.355397579Z next_update=2024-12-04T12:16:21.355397188Z downloaded_at=2024-12-03T13:33:24.279984Z
2024-12-03T17:55:25+01:00       DEBUG   [pkg] Package types     types=[os library]
2024-12-03T17:55:25+01:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-12-03T17:55:25+01:00       INFO    [vuln] Vulnerability scanning is enabled
2024-12-03T17:55:25+01:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-12-03T17:55:25+01:00       DEBUG   Initializing scan cache...      type="memory"
2024-12-03T17:55:25+01:00       DEBUG   [pom] Start parent      artifact="org.springframework.boot:spring-boot-starter-parent:3.2.11"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.springframework.boot:spring-boot-dependencies:3.2.11"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.springframework.boot:spring-boot-dependencies:3.2.11"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.springframework.boot:spring-boot-starter-parent:3.2.11"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.assertj" artifact_id="assertj-bom" version="3.24.2"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.zipkin.brave" artifact_id="brave-bom" version="5.16.0"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.zipkin.reporter2" artifact_id="zipkin-reporter-bom" version="2.16.3"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="com.datastax.oss" artifact_id="java-driver-bom" version="4.17.0"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.dropwizard.metrics" artifact_id="metrics-bom" version="4.2.28"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="io.dropwizard.metrics:metrics-parent:4.2.28"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="io.dropwizard.metrics:metrics-parent:4.2.28"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.glassfish.jaxb" artifact_id="jaxb-bom" version="4.0.5"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.eclipse.ee4j:project:1.0.9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.eclipse.ee4j:project:1.0.9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.apache.groovy" artifact_id="groovy-bom" version="4.0.23"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.infinispan" artifact_id="infinispan-bom" version="14.0.32.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.infinispan:infinispan-build-configuration-parent:14.0.32.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.jboss:jboss-parent:39"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.jboss:jboss-parent:39"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.infinispan:infinispan-build-configuration-parent:14.0.32.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson" artifact_id="jackson-bom" version="2.15.4"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.15"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:50"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:50"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.15"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.glassfish.jersey" artifact_id="jersey-bom" version="3.1.9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.eclipse.ee4j:project:1.0.9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.eclipse.ee4j:project:1.0.9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.eclipse.jetty.ee10" artifact_id="jetty-ee10-bom" version="12.0.14"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.eclipse.jetty" artifact_id="jetty-bom" version="12.0.14"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.10.5"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.jetbrains.kotlin" artifact_id="kotlin-bom" version="1.9.25"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.jetbrains.kotlinx" artifact_id="kotlinx-coroutines-bom" version="1.7.3"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.jetbrains.kotlinx" artifact_id="kotlinx-serialization-bom" version="1.6.3"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.apache.logging.log4j" artifact_id="log4j-bom" version="2.21.1"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.apache.logging:logging-parent:10.1.1"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:30"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:30"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.apache.logging:logging-parent:10.1.1"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.micrometer" artifact_id="micrometer-bom" version="1.12.11"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.micrometer" artifact_id="micrometer-tracing-bom" version="1.2.11"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.mockito" artifact_id="mockito-bom" version="5.7.0"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-bom" version="4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="com.squareup.okhttp3" artifact_id="okhttp-bom" version="4.12.0"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.opentelemetry" artifact_id="opentelemetry-bom" version="1.31.0"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.prometheus" artifact_id="simpleclient_bom" version="0.16.0"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="io.prometheus:parent:0.16.0"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="io.prometheus:parent:0.16.0"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="com.querydsl" artifact_id="querydsl-bom" version="5.0.0"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.projectreactor" artifact_id="reactor-bom" version="2023.0.11"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.rest-assured" artifact_id="rest-assured-bom" version="5.3.2"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.rsocket" artifact_id="rsocket-bom" version="1.1.3"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.seleniumhq.selenium" artifact_id="selenium-bom" version="4.14.1"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.amqp" artifact_id="spring-amqp-bom" version="3.1.7"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.batch" artifact_id="spring-batch-bom" version="5.1.2"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.data" artifact_id="spring-data-bom" version="2023.1.11"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework" artifact_id="spring-framework-bom" version="6.1.14"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.integration" artifact_id="spring-integration-bom" version="6.2.10"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.pulsar" artifact_id="spring-pulsar-bom" version="1.0.11"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.restdocs" artifact_id="spring-restdocs-bom" version="3.0.2"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.security" artifact_id="spring-security-bom" version="6.2.7"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.session" artifact_id="spring-session-bom" version="3.2.6"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.springframework.ws" artifact_id="spring-ws-bom" version="4.0.11"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.testcontainers" artifact_id="testcontainers-bom" version="1.19.8"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.postgresql" artifact_id="r2dbc-postgresql" version="1.0.7.RELEASE"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.r2dbc" artifact_id="r2dbc-spi" version="1.0.0.RELEASE"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="io.r2dbc:r2dbc-spi-parent:1.0.0.RELEASE"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="io.r2dbc:r2dbc-spi-parent:1.0.0.RELEASE"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.8.2"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="com.ongres.scram" artifact_id="client" version="2.1"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="com.ongres.scram:parent:2.1"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="com.ongres.scram:parent:2.1"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.projectreactor" artifact_id="reactor-core" version="3.6.11"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.projectreactor.netty" artifact_id="reactor-netty-core" version="1.1.23"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="org.reactivestreams" artifact_id="reactive-streams" version="1.0.4"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="com.ongres.scram" artifact_id="common" version="2.1"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="com.ongres.scram:parent:2.1"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="com.ongres.scram:parent:2.1"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-handler" version="4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-handler-proxy" version="4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-resolver-dns" version="4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-resolver-dns-native-macos" version="4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-transport-native-epoll" version="4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="com.ongres.stringprep" artifact_id="saslprep" version="1.1"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="com.ongres.stringprep:parent:1.1"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="com.ongres.stringprep:parent:1.1"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-common" version="4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-resolver" version="4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-buffer" version="4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:26+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-transport" version="4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-transport-native-unix-common" version="4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-codec" version="4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Resolving...      group_id="org.mockito" artifact_id="mockito-core" version="5.7.0"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Resolving...      group_id="com.google.code.gson" artifact_id="gson" version="2.10.1"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="com.google.code.gson:gson-parent:2.10.1"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="com.google.code.gson:gson-parent:2.10.1"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-codec-socks" version="4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-codec-http" version="4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-codec-dns" version="4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-resolver-dns-classes-macos" version="4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-transport-classes-epoll" version="4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.114.Final"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Resolving...      group_id="com.ongres.stringprep" artifact_id="stringprep" version="1.1"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="com.ongres.stringprep:parent:1.1"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="com.ongres.stringprep:parent:1.1"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Resolving...      group_id="net.bytebuddy" artifact_id="byte-buddy" version="1.14.19"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="net.bytebuddy:byte-buddy-parent:1.14.19"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="net.bytebuddy:byte-buddy-parent:1.14.19"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Resolving...      group_id="net.bytebuddy" artifact_id="byte-buddy-agent" version="1.14.19"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="net.bytebuddy:byte-buddy-parent:1.14.19"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="net.bytebuddy:byte-buddy-parent:1.14.19"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Resolving...      group_id="org.objenesis" artifact_id="objenesis" version="3.3"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Start parent      artifact="org.objenesis:objenesis-parent:3.3"
2024-12-03T17:55:27+01:00       DEBUG   [pom] Exit parent       artifact="org.objenesis:objenesis-parent:3.3"
2024-12-03T17:55:27+01:00       DEBUG   OS is not detected.
2024-12-03T17:55:27+01:00       DEBUG   Detected OS: unknown
2024-12-03T17:55:27+01:00       INFO    Number of language-specific files       num=1
2024-12-03T17:55:27+01:00       INFO    [pom] Detecting vulnerabilities...
2024-12-03T17:55:27+01:00       DEBUG   [pom] Scanning packages for vulnerabilities     file_path="pom.xml"
2024-12-03T17:55:27+01:00       DEBUG   [vex] VEX filtering is disabled

pom.xml (pom)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ io.netty:netty-common │ CVE-2024-47535 │ HIGH     │ fixed  │ 4.1.114.Final     │ 4.1.115       │ netty: Denial of Service attack on windows app using Netty │
│                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-47535                 │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Operating System

macOS & Linux

Version

0.57.1

Checklist

Run trivy clean --all
Read the troubleshooting

DmitriyLewen · 2024-12-05T06:21:34Z

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy detects CVE in pom file even though the specific dependency has been upgraded to the fix version #8036

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Trivy detects CVE in pom file even though the specific dependency has been upgraded to the fix version #8036

SemProvoost Dec 3, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 1 comment

DmitriyLewen Dec 5, 2024 Maintainer

SemProvoost
Dec 3, 2024

DmitriyLewen
Dec 5, 2024
Maintainer