Dependency appears in Trivy but not when running maven tree. #4272
Replies: 5 comments
-
Hello @viniciusnavarro. This is a strange situation. Can you send your POM file (or the part of it that reproduces the issue) so we can investigate your problem? Also, I'm not sure I understood you correctly: you don't have the
Regards, Dmitriy
-
It's a great tool! And on this last question the answer is yes. To help understand the situation:
1. Maven: in the generated file I can't find "dom4j". Attached file: mvntree.log
2. CycloneDX Maven Plugin: after building the application, a bom.json file is generated, and in this file I also don't find the "dom4j" dependency. Attached file: bomMavenPluginCycloneDx.json.log
3. Trivy: attached file: sbomTrivy.json.log
-
Hello @viniciusnavarro. I investigated your logs.
-
This issue is stale because it has been labeled with inactivity.
-
Hello @viniciusnavarro. We have added some changes to parsing of
Can you update your Trivy and check your file?
Regards, Dmitriy
-
I'm using Trivy to scan a Java project using the Trivy filesystem method, which uses the pom to analyze third-party dependencies. I will import the generated SBOM into Dependency-Track.
Trivy is showing me that there is a vulnerable component, which is dom4j.
But when running the Maven dependency tree to find where to fix this component, it doesn't exist in the project (I also checked with the VS Code search tool).
And I'm also noticing that Trivy is showing more artifacts than the CycloneDX plugin for Maven, and I'm getting a little confused. Am I missing something?
Commands:
trivy sbom --output sbom.json --artifact-type fs ./
mvn dependency:tree
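The first thing to pin down in a thread like this is the exact set of coordinates the scanner reports that the build does not, so the two lists can be compared mechanically instead of by searching in an editor. The script below is an added example, not the poster's or Trivy's own code: it parses a CycloneDX JSON SBOM (the shape Trivy and the CycloneDX Maven plugin both emit, using each component's `purl` and falling back to `group`/`name`/`version`) and the default text output of `mvn dependency:tree`, then prints the coordinates present in only one of them. The two sample inputs (`SAMPLE_BOM`, `SAMPLE_TREE`) are constructed for the example; pass real file paths as the two arguments to run it against your own `bom.json` and `mvntree.log`.

```python
"""Reconcile a CycloneDX SBOM (e.g. from Trivy) with `mvn dependency:tree` output.

Prints the Maven coordinates that appear in one but not the other, which is the
first check to run when a scanner reports a library (here dom4j) that the
build's own dependency tree does not show.
"""
import json
import sys
from urllib.parse import unquote

# Constructed sample: a trimmed bom.json in the shape Trivy emits for a pom.xml.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.springframework", "name": "spring-core",
         "version": "5.3.20", "purl": "pkg:maven/org.springframework/spring-core@5.3.20"},
        {"type": "library", "group": "org.dom4j", "name": "dom4j",
         "version": "2.1.3", "purl": "pkg:maven/org.dom4j/dom4j@2.1.3?type=jar"},
        {"type": "library", "group": "commons-io", "name": "commons-io",
         "version": "2.11.0", "purl": "pkg:maven/commons-io/commons-io@2.11.0"},
    ],
})

# Constructed sample: the relevant part of `mvn dependency:tree` for the same project.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework:spring-core:jar:5.3.20:compile
[INFO] |  \\- org.springframework:spring-jcl:jar:5.3.20:compile
[INFO] \\- commons-io:commons-io:jar:2.11.0:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""


def parse_maven_tree(text):
    """Return {(groupId, artifactId, version): scope} from `mvn dependency:tree` output.

    Dependency lines look like `[INFO] +- org.dom4j:dom4j:jar:2.1.3:compile`, i.e.
    groupId:artifactId:type[:classifier]:version:scope after the tree drawing.
    The root project line has no scope and is skipped, as are banner/log lines.
    """
    deps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):]
        line = line.lstrip("|+\\- ")          # drop the tree-drawing characters
        if not line or " " in line:
            continue                          # separators, "BUILD SUCCESS", plugin banner
        parts = line.split(":")
        if len(parts) == 5:
            group, artifact, _type, version, scope = parts
        elif len(parts) == 6:
            group, artifact, _type, _classifier, version, scope = parts
        else:
            continue                          # 4 parts = the root coordinate
        deps[(group, artifact, version)] = scope
    return deps


def _coord_from_purl(purl):
    """pkg:maven/org.dom4j/dom4j@2.1.3?type=jar -> ('org.dom4j', 'dom4j', '2.1.3')."""
    if not purl.startswith("pkg:maven/"):
        return None
    body = purl[len("pkg:maven/"):].split("#", 1)[0].split("?", 1)[0]
    namespace_name, _, version = body.partition("@")
    group, _, artifact = namespace_name.rpartition("/")
    if not (group and artifact and version):
        return None
    return (unquote(group), unquote(artifact), unquote(version))


def parse_cyclonedx(text):
    """Return the set of (groupId, artifactId, version) for every component in a CycloneDX JSON SBOM."""
    coords = set()
    for comp in json.loads(text).get("components", []):
        coord = _coord_from_purl(comp.get("purl", ""))
        if coord is None and comp.get("group") and comp.get("name") and comp.get("version"):
            coord = (comp["group"], comp["name"], comp["version"])
        if coord is not None:
            coords.add(coord)
    return coords


def reconcile(bom_text, tree_text):
    """Return (only_in_sbom, only_in_tree) as sorted lists of coordinates."""
    sbom = parse_cyclonedx(bom_text)
    tree = set(parse_maven_tree(tree_text))
    return sorted(sbom - tree), sorted(tree - sbom)


def main(argv):
    if len(argv) == 3:                        # python reconcile.py bom.json mvntree.log
        with open(argv[1], encoding="utf-8") as f:
            bom_text = f.read()
        with open(argv[2], encoding="utf-8") as f:
            tree_text = f.read()
    else:                                     # no arguments: use the constructed samples
        bom_text, tree_text = SAMPLE_BOM, SAMPLE_TREE
    only_sbom, only_tree = reconcile(bom_text, tree_text)
    print("In SBOM but not in mvn dependency:tree:")
    for g, a, v in only_sbom:
        print(f"  {g}:{a}:{v}")
    print("In mvn dependency:tree but not in SBOM:")
    for g, a, v in only_tree:
        print(f"  {g}:{a}:{v}")


if __name__ == "__main__":
    main(sys.argv)
```

With the samples, `org.dom4j:dom4j:2.1.3` lands in the SBOM-only list and `org.springframework:spring-jcl:5.3.20` in the tree-only list. A coordinate whose group and artifact show up in both lists with different versions is a version-resolution difference, not a missing dependency. For anything SBOM-only, `mvn dependency:tree -Dverbose=true -Dincludes=<groupId>` shows whether Maven omitted it as a conflict or duplicate before concluding the scanner invented it.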