
bug(java): We should parse dependencies with unsupported scopes to correctly detect version/skip dependency #7844

Open
DmitriyLewen opened this issue Oct 31, 2024 Discussed in #7836 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

DmitriyLewen commented Oct 31, 2024

Description

IIUC, mvn checks dependency versions without regard to scope.
This means that if you add a test dependency (for example), a transitive dependency of another dependency will use the version of the test dependency:

➜ cat pom.xml           
    <groupId>com.example</groupId>
    <artifactId>test</artifactId>
    <version>1.0.0</version>

    <dependencies>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-annotations</artifactId>
            <version>2.18.0</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.18.1</version>
        </dependency>
    </dependencies>
</project>

➜ mvn dependency:resolve
...
[INFO] The following files have been resolved:
[INFO]    com.fasterxml.jackson.core:jackson-annotations:jar:2.18.0:test -- module com.fasterxml.jackson.annotation
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.18.1:compile -- module com.fasterxml.jackson.databind
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.18.1:compile -- module com.fasterxml.jackson.core
...

But Trivy parses only import, runtime, compile and empty scopes:

if (d.Scope != "" && d.Scope != "compile" && d.Scope != "runtime") || d.Optional {

So for this example Trivy skips the new test dependency com.fasterxml.jackson.core:jackson-annotations:2.18.0 (because it has test scope), and includes com.fasterxml.jackson.core:jackson-annotations:2.18.1 in the report:

➜ trivy -q fs ./pom.xml -f json --list-all-pkgs | grep jackson-annotations
            "com.fasterxml.jackson.core:jackson-annotations:2.18.1",

This is wrong behavior.
I am not sure about the right way:

  • (most likely case) we need to skip jackson-annotations as a test dependency
  • we should use version 2.18.0 for jackson-annotations, because, IIUC, Maven will use jackson-annotations:2.18.0 in package jackson-databind (I may be wrong)

Anyway, we need to analyze all scopes and resolve dependencies after that.
But we have already added support for the test scope (we are reverting these changes, because the running time of Trivy has increased a lot).

We need to think about how we can handle this case.
For example, mvn always downloads all required files before resolving dependencies. Maybe we can do something like this.

@aquasecurity/trivy Do you have any ideas?

Discussed in #7836

@DmitriyLewen DmitriyLewen added the kind/bug Categorizes issue or PR as related to a bug. label Oct 31, 2024
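The point of the issue is the order of two steps: scope filtering and version mediation. The following is an added example, not Trivy's or Maven's own code, that models the pom from the issue as a small "nearest declaration wins" resolver and runs it both ways. The `poms` map is a constructed stand-in for the remote repository (its contents are assumed, chosen to match the `mvn dependency:resolve` output quoted above), `effectiveScope` is a simplified version of Maven's transitive-scope table, and `isReported` copies the scope condition quoted from Trivy. Filtering before mediation reproduces the reported `jackson-annotations:2.18.1`; mediating every scope first and filtering afterwards yields `2.18.0` with scope `test`, so both options from the issue (skip it, or report 2.18.0) become a choice made on the resolved result.

```go
package main

import (
	"fmt"
	"sort"
)

// Dep is one declared dependency edge in a pom: coordinates plus scope
// (an empty scope is Maven's default, compile).
type Dep struct{ Group, Artifact, Version, Scope string }

func (d Dep) Key() string { return d.Group + ":" + d.Artifact }
func (d Dep) GAV() string { return d.Key() + ":" + d.Version }

// Resolved is the mediated outcome for one group:artifact key.
type Resolved struct {
	Version, Scope string
	Depth          int
}

// poms is a constructed stand-in for the remote repository: each known
// artifact maps to the dependencies its own pom declares. Assumed data for
// this example, not fetched from Maven Central.
var poms = map[string][]Dep{
	"com.fasterxml.jackson.core:jackson-databind:2.18.1": {
		{"com.fasterxml.jackson.core", "jackson-annotations", "2.18.1", "compile"},
		{"com.fasterxml.jackson.core", "jackson-core", "2.18.1", "compile"},
	},
	"com.fasterxml.jackson.core:jackson-annotations:2.18.1": nil,
	"com.fasterxml.jackson.core:jackson-annotations:2.18.0": nil,
	"com.fasterxml.jackson.core:jackson-core:2.18.1":        nil,
}

// directDeps is the <dependencies> block of the pom.xml from the issue.
var directDeps = []Dep{
	{"com.fasterxml.jackson.core", "jackson-annotations", "2.18.0", "test"},
	{"com.fasterxml.jackson.core", "jackson-databind", "2.18.1", ""},
}

// isReported mirrors the scope condition quoted from Trivy: only compile,
// runtime and the empty (default) scope reach the report.
func isReported(scope string) bool {
	return scope == "" || scope == "compile" || scope == "runtime"
}

// effectiveScope is a simplified form of Maven's transitive-scope table:
// test and provided children are never transitive, a child of a compile
// parent keeps its own scope, otherwise the child inherits the parent's.
func effectiveScope(parent, child string) (string, bool) {
	if child == "test" || child == "provided" {
		return "", false
	}
	if parent == "" || parent == "compile" {
		return child, true
	}
	return parent, true
}

// resolve is a breadth-first "nearest declaration wins" mediation.
// preFilter=true drops unreported scopes before mediation, so a test-scoped
// direct dependency can never win and the transitive version survives (the
// behaviour the issue reports). preFilter=false mediates every scope and
// leaves the filtering to report().
func resolve(direct []Dep, preFilter bool) map[string]Resolved {
	type item struct {
		dep   Dep
		depth int
	}
	result := map[string]Resolved{}
	var queue []item
	for _, d := range direct {
		queue = append(queue, item{d, 1})
	}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if preFilter && !isReported(cur.dep.Scope) {
			continue
		}
		if _, seen := result[cur.dep.Key()]; seen {
			continue // a nearer or earlier declaration won; the loser's subtree is dropped
		}
		result[cur.dep.Key()] = Resolved{cur.dep.Version, cur.dep.Scope, cur.depth}
		for _, child := range poms[cur.dep.GAV()] {
			if scope, ok := effectiveScope(cur.dep.Scope, child.Scope); ok {
				child.Scope = scope
				queue = append(queue, item{child, cur.depth + 1})
			}
		}
	}
	return result
}

// report lists the resolved artifacts that pass the scope filter, sorted,
// in the group:artifact:version form that --list-all-pkgs prints.
func report(res map[string]Resolved) []string {
	var out []string
	for key, r := range res {
		if isReported(r.Scope) {
			out = append(out, key+":"+r.Version)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println("filter before mediation:", report(resolve(directDeps, true)))
	fmt.Println("filter after mediation: ", report(resolve(directDeps, false)))
	fmt.Println("mediated jackson-annotations:", resolve(directDeps, false)["com.fasterxml.jackson.core:jackson-annotations"])
}
```

The cost the issue mentions is visible in `resolve`: with preFilter unset, the test-scoped declaration is recorded and its pom would have to be fetched (here a map lookup, in Trivy a network round trip), which is why mediating every scope first needs either a download-everything-up-front strategy like mvn's or a cheaper way to learn declared versions without fetching each pom.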