-
I also hope to get an answer to this question🙏🙏🙏
-
Hello @zangcc @RexHarrr
Trivy doesn't scan
This is a strange case...
I think you see the same problem for
Regards, Dmitriy
-
Description
commons-collections: The version of commons-collections in the actual code project is 3.2.2, but trivy scans it as 3.2.1. The scan results are inconsistent with the actual version.
I hope trivy can print out the delivery relationship of the dependency tree during docker image scanning or jar package scanning. In this false positive, our users can only see commons-collections:commons-collections (web.jar) 3.2.1 in the scan results.
Desired Behavior
Can correctly display the commons-collections:commons-collections version in the code project.
Actual Behavior
commons-collections: The version of commons-collections in the actual code project is 3.2.2, but trivy scans it as 3.2.1. The scan results are inconsistent with the actual version.
1. trivy uses the fs parameter to scan, and the commons-collections dependency does not appear in the scan results.
The command I used is:
trivy_0.48.3_macOS-64bit/trivy fs {repo_path} -o {output_file} --dependency-tree --offline-scan --timeout 999m
code_fs.txt
Commons-collections-3.2.1.jar does not exist in this scan result.
2. Package this code project into a jar package, and then scan it with the rootfs parameter. It is found that the Commons-collections-3.2.1 version appears in the scan results.
The packaging command I use is:
mvn -gs /root/tools/apache-maven-3.9.2/settings.xml clean package -Dmaven.test.skip -Dmaven.repo.local=/root/.m2/repository
Then use the rootfs parameter to scan the jar package:
trivy rootfs --skip-db-update --offline-scan --dependency-tree --timeout 999m /root/code/codeproject-web/target/xxxxxxxx-web.jar -o xxxxxxx_trivy_resule_jar.txt
20240422_jar_2.txt
In the actual code project, we are obviously using the 3.2.2 version of commons-collections:commons-collections.jar, and there is no 3.2.1 version of commons-collections:commons-collections.jar.
3. The results of the docker image scan are similar to the jar package, but the wrong version (3.2.1) is still displayed.
docker cp temp_container:/opt/project/web.jar local_directory
jar tf web.jar | grep "3.2.2"
jar tf web.jar | grep "3.2.1"
trivy image imageid -o docker_result.txt --timeout 9999m
docker_result.txt
Reproduction Steps
Target: None
Scanner: None
Output Format: None
Mode: None
Debug Output
Operating System: GNU/Linux
Version
Checklist
trivy image --reset
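One way to check what the shipped fat jar actually declares before blaming the scanner, as an added example that is neither Trivy's code nor the issue author's: it walks the nested jars (BOOT-INF/lib style), reads each META-INF/maven/**/pom.properties and compares the declared version with the version in the nested jar's file name, since a repackaged bundle carrying stale 3.2.1 metadata would be reported as 3.2.1 even when no commons-collections-3.2.1.jar is present. The input jar is constructed in memory, and the premise that scanners take coordinates from pom.properties before the file name is my assumption, not something stated in this thread.

```python
import io
import re
import zipfile

# Added example (not Trivy's code, not the issue author's): list the Maven coordinates
# embedded in a fat jar and flag nested jars whose pom.properties version disagrees
# with the version in their file name (assumed to be the metadata a scanner reads).
_NAME_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d.*?)\.jar$")


def _pom_versions(zf):
    """Map (groupId, artifactId) -> version for each META-INF/maven/**/pom.properties."""
    found = {}
    for entry in zf.namelist():
        if entry.startswith("META-INF/maven/") and entry.endswith("pom.properties"):
            props = dict(l.split("=", 1) for l in zf.read(entry).decode().splitlines()
                         if "=" in l and not l.startswith("#"))
            found[(props.get("groupId"), props.get("artifactId"))] = props.get("version")
    return found


def inventory(jar_bytes, prefix=""):
    """Recursively describe every nested jar (e.g. BOOT-INF/lib/*.jar)."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in (e for e in zf.namelist() if e.endswith(".jar")):
            nested, path = zf.read(entry), prefix + entry
            m = _NAME_RE.match(entry.rsplit("/", 1)[-1])
            with zipfile.ZipFile(io.BytesIO(nested)) as nz:
                rows.append({"path": path, "pom_versions": _pom_versions(nz),
                             "filename_version": m.group("version") if m else None})
            rows.extend(inventory(nested, path + "!/"))  # jars nested deeper
    return rows


def mismatches(jar_bytes):
    # Nested jars whose file name and pom.properties disagree on the version.
    return [r for r in inventory(jar_bytes) if r["filename_version"] and r["pom_versions"]
            and r["filename_version"] not in r["pom_versions"].values()]


def build_sample_jar():
    """Constructed input: a clean 3.2.2 jar next to a bundle with stale 3.2.1 metadata."""
    def jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("META-INF/maven/commons-collections/commons-collections/pom.properties",
                       f"groupId=commons-collections\nartifactId=commons-collections\nversion={version}\n")
        return buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("BOOT-INF/lib/commons-collections-3.2.2.jar", jar("3.2.2"))
        z.writestr("BOOT-INF/lib/vendor-bundle-1.0.jar", jar("3.2.1"))  # repackaged copy
    return buf.getvalue()
```

Running `mismatches(open("web.jar", "rb").read())` on the real artifact points at the nested jar whose metadata, not its file name, carries the version the scanner reports.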