Some of the Java archives are not being detected by Trivy #2714

namandf · 2022-08-16T06:00:33Z

namandf
Aug 16, 2022

Scanned some of the java docker images available on Docker hub eg. jinghan94/java-jar-run , jensatdocker/jens-jar, ibmjava etc. Bunch of java packages are not captured and scanned for vulnerabilities.

The debug logs suggest that such packages are being skipped due to the error No such POM in the central repositories {"file": ".........."} .

When i enable --offline-scan, it still continues to skip these packages.

Checked the source code. https://github.com/aquasecurity/go-dep-parser/blob/a12ecf227cddf3e130229f2e06f3cab14bef557c/pkg/java/jar/parse.go#L164 suggests that we will skip validation in case of offline scan, but we still continue to validate groupid, artifact id and version (https://github.com/aquasecurity/go-dep-parser/blob/a12ecf227cddf3e130229f2e06f3cab14bef557c/pkg/java/jar/parse.go#L165). Is that expected? Any specific reason to ignore such packages.

Syft SBOM does capture these packages and scans them for vulnerabilities.

Sample logs with offline scan disabled:

2022-08-12T15:07:37.595+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/lib/visualvm/visualvm/modules/com-sun-tools-visualvm-profiling.jar"}
2022-08-12T15:07:38.328+0530	DEBUG	No such POM in the central repositories	{"file": "com-sun-tools-visualvm-jvmstat.jar"}
2022-08-12T15:07:38.329+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/lib/visualvm/visualvm/modules/com-sun-tools-visualvm-sa.jar"}
2022-08-12T15:07:38.370+0530	DEBUG	No such POM in the central repositories	{"file": "com-sun-tools-visualvm-jvm.jar"}
2022-08-12T15:07:38.370+0530	DEBUG	No such POM in the central repositories	{"file": "com-sun-tools-visualvm-modules-appui.jar"}
2022-08-12T15:07:38.371+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/lib/visualvm/visualvm/modules/com-sun-tools-visualvm-sampler.jar"}
2022-08-12T15:07:38.371+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/lib/visualvm/visualvm/modules/com-sun-tools-visualvm-threaddump.jar"}
2022-08-12T15:07:38.509+0530	DEBUG	No such POM in the central repositories	{"file": "com-sun-tools-visualvm-profiler.jar"}
2022-08-12T15:07:38.509+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/lib/visualvm/visualvm/modules/com-sun-tools-visualvm-tools.jar"}
2022-08-12T15:07:38.912+0530	DEBUG	No such POM in the central repositories	{"file": "com-sun-tools-visualvm-profiling.jar"}
2022-08-12T15:07:38.912+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/lib/visualvm/visualvm/modules/com-sun-tools-visualvm-uisupport.jar"}
2022-08-12T15:07:39.762+0530	DEBUG	No such POM in the central repositories	{"file": "com-sun-tools-visualvm-sampler.jar"}
2022-08-12T15:07:39.762+0530	DEBUG	No such POM in the central repositories	{"file": "com-sun-tools-visualvm-sa.jar"}
2022-08-12T15:07:39.762+0530	DEBUG	No such POM in the central repositories	{"file": "com-sun-tools-visualvm-threaddump.jar"}```

**Sample logs with offline scan enabled**

```2022-08-12T16:06:51.956+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/jre/lib/resources.jar"}
2022-08-12T16:06:51.957+0530	DEBUG	Unable to identify POM in offline mode	{"file": "resources.jar"}
2022-08-12T16:06:52.094+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/jre/lib/rt.jar"}
2022-08-12T16:06:52.095+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/jre/lib/security/policy/limited/US_export_policy.jar"}
2022-08-12T16:06:52.095+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/jre/lib/security/policy/limited/local_policy.jar"}
2022-08-12T16:06:52.095+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/jre/lib/security/policy/unlimited/US_export_policy.jar"}
2022-08-12T16:06:52.095+0530	DEBUG	Unable to identify POM in offline mode	{"file": "US_export_policy.jar"}
2022-08-12T16:06:52.095+0530	DEBUG	Unable to identify POM in offline mode	{"file": "local_policy.jar"}
2022-08-12T16:06:52.095+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/jre/lib/security/policy/unlimited/local_policy.jar"}
2022-08-12T16:06:52.095+0530	DEBUG	Unable to identify POM in offline mode	{"file": "US_export_policy.jar"}
2022-08-12T16:06:52.095+0530	DEBUG	Unable to identify POM in offline mode	{"file": "local_policy.jar"}
2022-08-12T16:06:52.098+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/lib/ant-javafx.jar"}
2022-08-12T16:06:52.098+0530	DEBUG	Unable to identify POM in offline mode	{"file": "ant-javafx.jar"}
2022-08-12T16:06:52.106+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/lib/dt.jar"}
2022-08-12T16:06:52.106+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/lib/javafx-mx.jar"}
2022-08-12T16:06:52.106+0530	DEBUG	Unable to identify POM in offline mode	{"file": "javafx-mx.jar"}
2022-08-12T16:06:52.107+0530	DEBUG	Unable to identify POM in offline mode	{"file": "dt.jar"}
2022-08-12T16:06:52.107+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/lib/jconsole.jar"}
2022-08-12T16:06:52.107+0530	DEBUG	Unable to identify POM in offline mode	{"file": "rt.jar"}
2022-08-12T16:06:52.108+0530	DEBUG	Unable to identify POM in offline mode	{"file": "jconsole.jar"}
2022-08-12T16:06:52.112+0530	DEBUG	Parsing Java artifacts...	{"file": "var/local/jdk1.8.0_221/lib/missioncontrol/mc.jar"}```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Some of the Java archives are not being detected by Trivy #2714

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 0 comments

Select a reply

Some of the Java archives are not being detected by Trivy #2714

namandf Aug 16, 2022

Replies: 0 comments

namandf
Aug 16, 2022