From 9e2f37eb90e705a8b3385260ee6a356935456195 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Wed, 28 Aug 2024 14:33:26 +0600
Subject: [PATCH 1/5] feat(pom): add `test` scope support
---
 pkg/dependency/parser/java/pom/artifact.go | 1 +
 pkg/dependency/parser/java/pom/parse.go | 4 +++-
 pkg/dependency/parser/java/pom/pom.go | 1 +
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/pkg/dependency/parser/java/pom/artifact.go b/pkg/dependency/parser/java/pom/artifact.go
index b2e97efb229b..f691afac5ebd 100644
--- a/pkg/dependency/parser/java/pom/artifact.go
+++ b/pkg/dependency/parser/java/pom/artifact.go
@@ -27,6 +27,7 @@ type artifact struct {
 Module bool
 Relationship ftypes.Relationship
+ Test bool
 Locations ftypes.Locations
 }
diff --git a/pkg/dependency/parser/java/pom/parse.go b/pkg/dependency/parser/java/pom/parse.go
index cbd7bf47db17..57f41a1d32f4 100644
--- a/pkg/dependency/parser/java/pom/parse.go
+++ b/pkg/dependency/parser/java/pom/parse.go
@@ -214,6 +214,7 @@ func (p *Parser) parseRoot(root artifact, uniqModules map[string]struct{}) ([]ft
 Licenses: result.artifact.Licenses,
 Relationship: art.Relationship,
 Locations: art.Locations,
+ Test: art.Test,
 }
 // save only dependency names
@@ -234,6 +235,7 @@ func (p *Parser) parseRoot(root artifact, uniqModules map[string]struct{}) ([]ft
 Licenses: art.Licenses,
 Relationship: art.Relationship,
 Locations: art.Locations,
+ Dev: art.Test,
 }
 pkgs = append(pkgs, pkg)
@@ -400,7 +402,7 @@ func (p *Parser) parseDependencies(deps []pomDependency, props map[string]string
 // Resolve dependencies
 d = d.Resolve(props, depManagement, rootDepManagement)
- if (d.Scope != "" && d.Scope != "compile" && d.Scope != "runtime") || d.Optional {
+ if (d.Scope != "" && d.Scope != "compile" && d.Scope != "runtime" && d.Scope != "test") || d.Optional {
 continue
 }
diff --git a/pkg/dependency/parser/java/pom/pom.go b/pkg/dependency/parser/java/pom/pom.go
index 889d107c3c6c..d27f995217d6 100644
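Review bot: The new `Test` field added to the `artifact` struct carries no comment, and unlike `Module` or `Relationship` its name alone does not say whether it describes the artifact or its declaring edge. Suggest `Test bool // declared with Maven "test" scope; surfaced as Package.Dev`, which matches how the parse.go hunk in this patch maps it (`Dev: art.Test`). The struct definition continues outside the hunk.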
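Review bot: The widened filter in parseDependencies now lets `test`-scoped dependencies through, but the flag that later becomes `Dev` is derived from each dependency's own `<scope>` only (`Test: d.Scope == "test"` in this patch's pom.go hunk), so if the same path is taken for the children of a test-scoped artifact, their compile- or runtime-scoped dependencies would come out as `Dev: false`. Under Maven's scope mediation everything reached through a test-scoped dependency is itself test-scoped and never ships, so those artifacts would be reported as production packages in the default, non-`--include-dev-deps` scan. Propagating the parent's `Test` value when child artifacts are built (roughly `Test: d.Scope == "test" || parentIsTest`, with the parent's flag passed into ToArtifact or applied by the caller) would keep the `Dev` marking consistent down the tree; the `Dev: art.Test` assignment in the @@ -234 hunk would then need no change. Separately, the filter no longer drops test-scoped POMs from resolution when dev dependencies are not requested, so the remote POM fetches for test-only subtrees appear to happen regardless of that flag. parseDependencies begins and ends outside the hunk.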
--- a/pkg/dependency/parser/java/pom/pom.go
+++ b/pkg/dependency/parser/java/pom/pom.go
@@ -303,6 +303,7 @@ func (d pomDependency) ToArtifact(opts analysisOptions) artifact {
 Exclusions: exclusions,
 Locations: locations,
 Relationship: ftypes.RelationshipIndirect, // default
+ Test: d.Scope == "test",
 }
 }
From bec76ddb109becc5cd40329c5ff9093f967b455b Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Wed, 28 Aug 2024 14:33:39 +0600
Subject: [PATCH 2/5] test: update happy path
---
 pkg/dependency/parser/java/pom/parse_test.go | 28 +++++++++++++++++++
 .../parser/java/pom/testdata/happy/pom.xml | 6 ++++
 2 files changed, 34 insertions(+)
diff --git a/pkg/dependency/parser/java/pom/parse_test.go b/pkg/dependency/parser/java/pom/parse_test.go
index 934085d5d536..77a47b5ecdac 100644
--- a/pkg/dependency/parser/java/pom/parse_test.go
+++ b/pkg/dependency/parser/java/pom/parse_test.go
@@ -61,6 +61,19 @@ func TestPom_Parse(t *testing.T) {
 },
 },
 },
+ {
+ ID: "org.example:example-test:2.0.0",
+ Name: "org.example:example-test",
+ Version: "2.0.0",
+ Relationship: ftypes.RelationshipDirect,
+ Dev: true,
+ Locations: ftypes.Locations{
+ {
+ StartLine: 49,
+ EndLine: 54,
+ },
+ },
+ },
 },
 wantDeps: []ftypes.Dependency{
 {
@@ -68,6 +81,7 @@ func TestPom_Parse(t *testing.T) {
 DependsOn: []string{
 "org.example:example-api:1.7.30",
 "org.example:example-runtime:1.0.0",
+ "org.example:example-test:2.0.0",
 },
 },
 },
@@ -109,6 +123,19 @@ func TestPom_Parse(t *testing.T) {
 },
 },
 },
+ {
+ ID: "org.example:example-test:2.0.0",
+ Name: "org.example:example-test",
+ Version: "2.0.0",
+ Relationship: ftypes.RelationshipDirect,
+ Dev: true,
+ Locations: ftypes.Locations{
+ {
+ StartLine: 49,
+ EndLine: 54,
+ },
+ },
+ },
 },
 wantDeps: []ftypes.Dependency{
 {
@@ -116,6 +143,7 @@ func TestPom_Parse(t *testing.T) {
 DependsOn: []string{
 "org.example:example-api:1.7.30",
 "org.example:example-runtime:1.0.0",
+ "org.example:example-test:2.0.0",
 },
 },
 },
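Review bot: The new expectations in TestPom_Parse only cover a dependency that declares `<scope>test</scope>` directly in the root pom (example-test, fixture lines 49-54) and assert `Dev: true` with `RelationshipDirect`; nothing exercises a test-scoped dependency that itself pulls in compile-scoped artifacts, which is where the `Dev` marking is most likely to be wrong or to regress. Adding a fixture in which example-test has its own dependency, and asserting that child's `Dev` value and `RelationshipIndirect` in the expected package list, would pin the intended behaviour. The `wantDeps` hunks at @@ -68 and @@ -116 would then also need the child edge. TestPom_Parse starts and ends outside these hunks.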
diff --git a/pkg/dependency/parser/java/pom/testdata/happy/pom.xml b/pkg/dependency/parser/java/pom/testdata/happy/pom.xml
index 1f3c9697a17d..9dfc1c75bd65 100644
--- a/pkg/dependency/parser/java/pom/testdata/happy/pom.xml
+++ b/pkg/dependency/parser/java/pom/testdata/happy/pom.xml
@@ -46,5 +46,11 @@ 999 provided + + org.example + example-test + 2.0.0 + test +
From e3cfe7231d8ecc405ffde162172bbee75e8d9777 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Fri, 30 Aug 2024 10:39:35 +0600
Subject: [PATCH 3/5] docs: add info about maven scopes
---
 docs/docs/coverage/language/java.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/docs/docs/coverage/language/java.md b/docs/docs/coverage/language/java.md
index 67cd8c135b9d..7d85f9784116 100644
--- a/docs/docs/coverage/language/java.md
+++ b/docs/docs/coverage/language/java.md
@@ -69,6 +69,12 @@ The vulnerability database will be downloaded anyway.
 !!! Warning
 Trivy may skip some dependencies (that were not found on your local machine) when the `--offline-scan` flag is passed.
+### scopes
+Trivy supports `runtime`, `compile`, `test` and `import` (for `dependencyManagement`) [dependency scopes][dependency-scopes].
+Dependencies without scope are also detected.
+
+!!! Note
+ To detect dependencies with `test` scope, you need to use `--include-dev-deps` flag.
 ### maven-invoker-plugin
 Typically, the integration tests directory (`**/[src|target]/it/*/pom.xml`) of [maven-invoker-plugin][maven-invoker-plugin] doesn't contain actual `pom.xml` files and should be skipped to avoid noise.
@@ -120,3 +126,4 @@ Make sure that you have cache[^8] directory to find licenses from `*.pom` depend
 [maven-pom-repos]: https://maven.apache.org/settings.html#repositories
 [sbt-dependency-lock]: https://stringbean.github.io/sbt-dependency-lock
 [detection-priority]: ../../scanner/vulnerability.md#detection-priority
+[dependency-scopes]: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope
From a162fa15ba2415e7c575cbe0f317ec0ad8e90e1b Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Fri, 30 Aug 2024 10:57:45 +0600
Subject: [PATCH 4/5] docs: update table
---
 docs/docs/coverage/language/java.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/docs/docs/coverage/language/java.md b/docs/docs/coverage/language/java.md
index 7d85f9784116..bca6a3be444f 100644
--- a/docs/docs/coverage/language/java.md
+++ b/docs/docs/coverage/language/java.md
@@ -12,12 +12,12 @@ Each artifact supports the following scanners:
 The following table provides an outline of the features Trivy offers.
-| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
-|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
-| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - | Not needed |
-| pom.xml | Maven repository [^1] | Exclude | ✓ | ✓[^7] | - |
-| *gradle.lockfile | - | Exclude | ✓ | ✓ | Not needed |
-| *.sbt.lock | - | Exclude | - | ✓ | Not needed |
+| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
+|------------------|:---------------------:|:------------------:|:------------------------------------:|:--------:|:----------------------------------------:|
+| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - | Not needed |
+| pom.xml | Maven repository [^1] | [Include](#scopes) | ✓ | ✓[^7] | - |
+| *gradle.lockfile | - | Exclude | ✓ | ✓ | Not needed |
+| *.sbt.lock | - | Exclude | - | ✓ | Not needed |
 These may be enabled or disabled depending on the target. See [here](./index.md) for the detail.
From 117555f15ec0d6daacff5dfdcd2f83b368364658 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 3 Sep 2024 13:33:52 +0600
Subject: [PATCH 5/5] docs: use `Eclude` field.
---
 docs/docs/coverage/language/java.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/docs/docs/coverage/language/java.md b/docs/docs/coverage/language/java.md
index bca6a3be444f..26bad288e552 100644
--- a/docs/docs/coverage/language/java.md
+++ b/docs/docs/coverage/language/java.md
@@ -15,7 +15,7 @@ The following table provides an outline of the features Trivy offers.
 | Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
 |------------------|:---------------------:|:------------------:|:------------------------------------:|:--------:|:----------------------------------------:|
 | JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - | Not needed |
-| pom.xml | Maven repository [^1] | [Include](#scopes) | ✓ | ✓[^7] | - |
+| pom.xml | Maven repository [^1] | [Exclude](#scopes) | ✓ | ✓[^7] | - |
 | *gradle.lockfile | - | Exclude | ✓ | ✓ | Not needed |
 | *.sbt.lock | - | Exclude | - | ✓ | Not needed |
@@ -73,8 +73,7 @@ The vulnerability database will be downloaded anyway.
 Trivy supports `runtime`, `compile`, `test` and `import` (for `dependencyManagement`) [dependency scopes][dependency-scopes].
 Dependencies without scope are also detected.
-!!! Note
- To detect dependencies with `test` scope, you need to use `--include-dev-deps` flag.
+By default, Trivy doesn't report dependencies with `test` scope. Use the `--include-dev-deps` flag to include them.
 ### maven-invoker-plugin
 Typically, the integration tests directory (`**/[src|target]/it/*/pom.xml`) of [maven-invoker-plugin][maven-invoker-plugin] doesn't contain actual `pom.xml` files and should be skipped to avoid noise.