Since trivy:0.49.0 several jar files with qualifier are no longer detected

[bpapez]

Description

In our project we create the SBOM with the Trivy image scan (format cyclonedy). Since Trivy version 0.49.0 the SBOM is no longer containing several JARs, which use a qualifier other than SNAPSHOT.

Desired Behavior

Dependencies with custom qualifiers in the version should still be detected and listed in the SBOM.

Actual Behavior

For instance jasypt-1.9.3-lite.jar. The log shows

No such POM in the central repositories {"file": "jasypt-1.9.3-lite.jar"}

although it exists in a central repository (see link above). It still worked correctly with Trivy 0.48.3.

We have about 30 dependencies like that, which now disappeared from the SBOM. Some of these jars are built by us from forked repositories, where we either backported a patch or where we had to make a JAR work well with OSGI. For that we keep the same version, but we add a custom qualifier, which is a valid practice. Also Dependency Track was able to report vulnerabilities on them, therefore it is important that such files do not get simply removed from the SBOM.

For now we have to stick with Trivy 0.48.3 . Could this get fixed again please or is there an option we could use to still get a correct SBOM with the latest Trivy? I tried --offline-scan, but that did not make a difference.

Reproduction Steps

1. I am scanning an image.tar with trivy image --format cyclonedx --output dependency-results.sbom.cdx.json --input image.tar
2. The sbom file no longer contains dependency to jasypt-1.9.3-lite.jar and others, although with trivy 0.48.3 they were still listed.

Target

Container Image

Scanner

None

Output Format

CycloneDX

Mode

Standalone

Debug Output

2024-02-29T12:29:58.871Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/webapps/ROOT/WEB-INF/lib/jasypt-1.9.3-lite.jar"}
2024-02-29T12:29:58.872Z        DEBUG   No such POM in the central repositories {"file": "jasypt-1.9.3-lite.jar"}

Operating System

I use the provided Docker image on different OS

Version

Version: 0.49.1
Java DB:
  Version: 1
  UpdatedAt: 2024-02-29 00:45:37.104370989 +0000 UTC
  NextUpdate: 2024-03-03 00:45:37.104370869 +0000 UTC
  DownloadedAt: 2024-02-29 09:56:46.4002486 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @bpapez
Thanks for your report!

At the moment I assume the following points:

1. your jar file doesn't contain GAV (GroupID ArtifactID and version) in pom.properties and MANIFEST.MF files.
2. your jar file is not same as jar file from maven repository (so we can't detect this artifact using sha1)
3. we updated the logic to avoid false positives: now when we try to guess GroupID by filename - we only check artifact if maven repository contains version from filename. If you changed file name (used updated version), maven repository doesn't contain this version and we skip this artifact.

If I'm right, I think best solution for you is to populate pom.properties file with new version. In this case, Trivy will be able to correctly detect the artifact (you will also save time and resources, since Trivy does not need to look for artifacts from trivy-java-db).

Regards, Dmitriy

[DmitriyLewen]

Trivy does not take the right package/groupId, in reality it is this artifact: https://mvnrepository.com/artifact/concurrent/concurrent and it has version 1.3.4 on central Maven. On the mvnrepository.com page I am linking you can see next to the Central tab, also the Atlassian 3rd-P Old and then the Jahia tab, which is our public Maven repo hosting the 1.3.4-jahia6 version. In the other tabs you can also see that Atlassian, Redhat and others have their own forks of this library.

Unfortunately, trivy-java-db only contains maven Central.
trivy-java-db is already large in size, if we add all repositories size will be very large.

I very want to help you, but it looks like you have only one solution - add information about GAV to these jars and overwrite them..

---

jackrabbit-core@2.20.12-jahia1-SNAPSHOT
https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/org/apache/jackrabbit/jackrabbit-core/2.20.12-jahia1-SNAPSHOT/

This jar file contains correct pom.properties file:

➜ cat ./jackrabbit-core/META-INF/maven/org.apache.jackrabbit/jackrabbit-core/pom.properties 
artifactId=jackrabbit-core
groupId=org.apache.jackrabbit
version=2.20.12-jahia1-SNAPSHOT

But here are links to three artifacts, which are NOT found with latest Trivy and your DB (but they were listed with Trivy 0.48.x)
drools-compiler@6.0.0.Final-nocdi
https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/org/drools/drools-compiler/6.0.0.Final/

It works for me. Can you compare your jar with with file from repository?

➜ wget https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/org/drools/drools-compiler/6.0.0.Final/drools-compiler-6.0.0.Final-nocdi.jar
...

drools-compiler-6.0 100%[===================>]   1,44M  1,59MB/s    in 0,9s    

2024-04-24 10:46:38 (1,59 MB/s) - ‘drools-compiler-6.0.0.Final-nocdi.jar’ saved [1507761/1507761]

➜ trivy -q rootfs -f json --list-all-pkgs ./drools-compiler-6.0.0.Final-nocdi.jar | jq ' .Results[].Packages[] | select(.Name=="org.drools:drools-compiler")'
{
  "Name": "org.drools:drools-compiler",
  "Identifier": {
    "PURL": "pkg:maven/org.drools/drools-compiler@6.0.0.Final"
  },
  "Version": "6.0.0.Final",
  "Layer": {},
  "FilePath": "drools-compiler-6.0.0.Final-nocdi.jar"
}

---

Also for that Trivy is assuming the wrong package/groupId. The correct groupId is org.eclipse.jdt.core.compiler and Maven central at least has version 4.6.1 : https://repo1.maven.org/maven2/org/eclipse/jdt/core/compiler/ecj/

Can you share link on this jar? Perhaps pom.properties or MANIFEST.MF file contain edu.gmu.cs GroupID.

---

Similarly Trivy is assuming the wrong package/groupId also for:
pkg:maven/com.syncthemall/boilerpipe@1.1.0-jahia1
which should be pkg:maven/de.l3s.boilerpipe/boilerpipe@1.1.0-jahia1 (link to forked artifact) (link to original on Maven central)

New Trivy should not detect this can. Are you using the new Trivy for scanning?

[bpapez]

Trivy does not take the right package/groupId, in reality it is this artifact: https://mvnrepository.com/artifact/concurrent/concurrent and it has version 1.3.4 on central Maven ...

I very want to help you, but it looks like you have only one solution - add information about GAV to these jars and overwrite them..

I will create internal tickets to try doing that. For the jars, which were created by us from a fork it should not be a problem.

However I think its bad that we will need to create new forks from 3rd party repos, which we have not changed, just to add a pom.properties, which is missing in the original and Trivy's is not able to detect the right package name from MANIFEST.MF.

But here are links to three artifacts, which are NOT found with latest Trivy and your DB (but they were listed with Trivy 0.48.x)
drools-compiler@6.0.0.Final-nocdi
https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/org/drools/drools-compiler/6.0.0.Final/

It works for me. Can you compare your jar with with file from repository?

Sorry, my mistake. That jar is getting correctly detected. I shouldn't have placed it on that list.

Also for that Trivy is assuming the wrong package/groupId. The correct groupId is org.eclipse.jdt.core.compiler and Maven central at least has version 4.6.1 : https://repo1.maven.org/maven2/org/eclipse/jdt/core/compiler/ecj/

Can you share link on this jar? Perhaps pom.properties or MANIFEST.MF file contain edu.gmu.cs GroupID.

I already gave you the link : https://repo1.maven.org/maven2/org/eclipse/jdt/core/compiler/ecj/
The https://repo1.maven.org/maven2/org/eclipse/jdt/core/compiler/ecj/4.6.1/ecj-4.6.1.jar does not have any reference to edu.gmu.cs GroupID. The MANIFEST.MF has Bundle-SymbolicName: org.eclipse.jdt.core.compiler.batch and the folders , but the right GAV GroupID is org.eclipse.jdt.core.compiler. What are you looking for in MANIFEST.MF to get the GroupID? If the header name you look for is GroupID then I must say that I have not seen that so far in the jars we use.

Similarly Trivy is assuming the wrong package/groupId also for:
pkg:maven/com.syncthemall/boilerpipe@1.1.0-jahia1
which should be pkg:maven/de.l3s.boilerpipe/boilerpipe@1.1.0-jahia1 (link to forked artifact) (link to original on Maven central)

New Trivy should not detect this can. Are you using the new Trivy for scanning?

The wrong package/groupID guess was done in Trivy 0.48. The newer Trivy versions are not listing that file at all in the SBOM although it is there. I gave you the link to the forked artifact jar which we use in our image. As this is a forked jar, I hope it is not a big issue to add the pom.properties with the GAV.

[DmitriyLewen]

Trivy's is not able to detect the right package name from MANIFEST.MF

Trivy checks MANIFEST.MF files. But there is no standard for this file and perhaps we missed something. Can you share examples of files that Trivy doesn't detect - we'll try to update our logic.

---

Sorry, my mistake. That jar is getting correctly detected. I shouldn't have placed it on that list.

Do solr-core@3.6.2-jahia1 and org.springframework/spring-core@3.2.18.RELEASE_OSGI work too?

---

What are you looking for in MANIFEST.MF to get the GroupID?

We take these fields from MANIFEST.MF. For GroupID we use these fields.

---

I already gave you the link : https://repo1.maven.org/maven2/org/eclipse/jdt/core/compiler/ecj/

I realized what the problem is - it is very strange that one organization uses different GroupIDs:

• https://repo1.maven.org/maven2/org/eclipse/jdt/core/maven-metadata.xml
• https://repo1.maven.org/maven2/org/eclipse/jdt/core/compiler/ecj/maven-metadata.xml
• https://repo1.maven.org/maven2/org/eclipse/jdt/core/manipulation/maven-metadata.xml

I'll try to update our logic for these cases (we stop checking subdirectories if metadata.xml is found, because we thought those directories were version directories).
created aquasecurity/trivy-java-db#30

[bpapez]

Thank you for the infos so far. I created an internal ticket to add GAV in pom.properties for the libs, which were forked by us or which were never uploaded to Maven central and have no or not enough information in MANIFEST.MF.

Do solr-core@3.6.2-jahia1 and org.springframework/spring-core@3.2.18.RELEASE_OSGI work too?

No they don't work.

Here is a list of jars, which Trivy >=0.49 does not detect and they do have some information in MANIFEST.MF :

• https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/com/graphql-java-kickstart/graphql-java-kickstart/15.1.1-jahia/graphql-java-kickstart-15.1.1-jahia.jar
• https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/com/graphql-java-kickstart/graphql-java-servlet/15.1.1-jahia/graphql-java-servlet-15.1.1-jahia.jar
• https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/org/apache/solr/solr-core/3.6.2-jahia1/solr-core-3.6.2-jahia1.jar
• https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/org/apache/solr/solr-solrj/3.6.2-jahia1/solr-solrj-3.6.2-jahia1.jar
• https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/org/springframework/spring-core/3.2.18.RELEASE_OSGI/spring-core-3.2.18.RELEASE_OSGI.jar
• https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/org/springframework/spring-expression/3.2.18.RELEASE_OSGI/spring-expression-3.2.18.RELEASE_OSGI.jar

They are all forked by us and are not on Maven central. If you cannot make them detect through given MANIFEST.MF info, will it work if we add a GAV in pom.properties?

It looks like the next file was even not detected in Trivy 0.48 although it exists on Maven central:

• https://repo1.maven.org/maven2/javax/ccpp/ccpp/1.0/ccpp-1.0.jar

[DmitriyLewen]

will it work if we add a GAV in pom.properties?

yes. Trivy will detect these jars.

It looks like the next file was even not detected in Trivy 0.48 although it exists on Maven central:
https://repo1.maven.org/maven2/javax/ccpp/ccpp/1.0/ccpp-1.0.jar

This artifact doesn't have maven-metadata.xml file. Therefore, we can't be sure that this file is correct and we don't add similar artifacts in trivy-java-db.

Here is a list of jars, which Trivy >=0.49 does not detect and they do have some information in MANIFEST.MF :

MANIFEST.MF files don't contain some fields:

• no GroupID: https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/com/graphql-java-kickstart/graphql-java-kickstart/15.1.1-jahia/graphql-java-kickstart-15.1.1-jahia.jar
• no GroupID: https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/com/graphql-java-kickstart/graphql-java-servlet/15.1.1-jahia/graphql-java-servlet-15.1.1-jahia.jar
• no ArtifactID: https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/org/apache/solr/solr-core/3.6.2-jahia1/solr-core-3.6.2-jahia1.jar
• no ArtifactID: https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/org/apache/solr/solr-solrj/3.6.2-jahia1/solr-solrj-3.6.2-jahia1.jar
• no GroupID: https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/org/springframework/spring-core/3.2.18.RELEASE_OSGI/spring-core-3.2.18.RELEASE_OSGI.jar
• no GroupID: https://devtools.jahia.com/nexus/content/groups/maven-jahia-org/org/springframework/spring-expression/3.2.18.RELEASE_OSGI/spring-expression-3.2.18.RELEASE_OSGI.jar

[DmitriyLewen]

Related issue - aquasecurity/trivy-java-db#28