gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-12 15:50:15 -08:00
Code Issues Packages Projects Releases Wiki Activity

revert(java): stop supporting of test scope for pom.xml files (#7488)

Browse Source
This commit is contained in:
DmitriyLewen
2024-09-12 11:10:13 +06:00
committed by GitHub
parent 8876e70655
commit b0222feeb5
6 changed files with 7 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
docs/docs/coverage/language/java.md
View File

@@ -12,12 +12,12 @@ Each artifact supports the following scanners:
The following table provides an outline of the features Trivy offers.
| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
|------------------|:---------------------:|:------------------:|:------------------------------------:|:--------:|:----------------------------------------:|
| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - | Not needed |
| pom.xml | Maven repository [^1] | [Exclude](#scopes) | ✓ | ✓[^7] | - |
| *gradle.lockfile | - | Exclude | ✓ | ✓ | Not needed |
| *.sbt.lock | - | Exclude | - | ✓ | Not needed |
| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - | Not needed |
| pom.xml | Maven repository [^1] | Exclude | ✓ | ✓[^7] | - |
| *gradle.lockfile | - | Exclude | ✓ | ✓ | Not needed |
| *.sbt.lock | - | Exclude | - | ✓ | Not needed |
These may be enabled or disabled depending on the target.
See [here](./index.md) for the detail.
@@ -69,11 +69,6 @@ The vulnerability database will be downloaded anyway.
!!! Warning
Trivy may skip some dependencies (that were not found on your local machine) when the `--offline-scan` flag is passed.
### scopes
Trivy supports `runtime`, `compile`, `test` and `import` (for `dependencyManagement`) [dependency scopes][dependency-scopes].
Dependencies without scope are also detected.
By default, Trivy doesn't report dependencies with `test` scope. Use the `--include-dev-deps` flag to include them.
### maven-invoker-plugin
Typically, the integration tests directory (`**/[src|target]/it/*/pom.xml`) of [maven-invoker-plugin][maven-invoker-plugin] doesn't contain actual `pom.xml` files and should be skipped to avoid noise.
@@ -125,4 +120,3 @@ Make sure that you have cache[^8] directory to find licenses from `*.pom` depend
[maven-pom-repos]: https://maven.apache.org/settings.html#repositories
[sbt-dependency-lock]: https://stringbean.github.io/sbt-dependency-lock
[detection-priority]: ../../scanner/vulnerability.md#detection-priority
[dependency-scopes]: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope

1
pkg/dependency/parser/java/pom/artifact.go
View File

@@ -27,7 +27,6 @@ type artifact struct {
Module bool
Relationship ftypes.Relationship
Test bool
Locations ftypes.Locations
}

4
pkg/dependency/parser/java/pom/parse.go
View File

@@ -214,7 +214,6 @@ func (p *Parser) parseRoot(root artifact, uniqModules map[string]struct{}) ([]ft
Licenses: result.artifact.Licenses,
Relationship: art.Relationship,
Locations: art.Locations,
Test: art.Test,
}
// save only dependency names
@@ -235,7 +234,6 @@ func (p *Parser) parseRoot(root artifact, uniqModules map[string]struct{}) ([]ft
Licenses: art.Licenses,
Relationship: art.Relationship,
Locations: art.Locations,
Dev: art.Test,
}
pkgs = append(pkgs, pkg)
@@ -402,7 +400,7 @@ func (p *Parser) parseDependencies(deps []pomDependency, props map[string]string
// Resolve dependencies
d = d.Resolve(props, depManagement, rootDepManagement)
if (d.Scope != "" && d.Scope != "compile" && d.Scope != "runtime" && d.Scope != "test") || d.Optional {
if (d.Scope != "" && d.Scope != "compile" && d.Scope != "runtime") || d.Optional {
continue
}

28
pkg/dependency/parser/java/pom/parse_test.go
View File

@@ -61,19 +61,6 @@ func TestPom_Parse(t *testing.T) {
},
},
},
{
ID: "org.example:example-test:2.0.0",
Name: "org.example:example-test",
Version: "2.0.0",
Relationship: ftypes.RelationshipDirect,
Dev: true,
Locations: ftypes.Locations{
{
StartLine: 49,
EndLine: 54,
},
},
},
},
wantDeps: []ftypes.Dependency{
{
@@ -81,7 +68,6 @@ func TestPom_Parse(t *testing.T) {
DependsOn: []string{
"org.example:example-api:1.7.30",
"org.example:example-runtime:1.0.0",
"org.example:example-test:2.0.0",
},
},
},
@@ -123,19 +109,6 @@ func TestPom_Parse(t *testing.T) {
},
},
},
{
ID: "org.example:example-test:2.0.0",
Name: "org.example:example-test",
Version: "2.0.0",
Relationship: ftypes.RelationshipDirect,
Dev: true,
Locations: ftypes.Locations{
{
StartLine: 49,
EndLine: 54,
},
},
},
},
wantDeps: []ftypes.Dependency{
{
@@ -143,7 +116,6 @@ func TestPom_Parse(t *testing.T) {
DependsOn: []string{
"org.example:example-api:1.7.30",
"org.example:example-runtime:1.0.0",
"org.example:example-test:2.0.0",
},
},
},

1
pkg/dependency/parser/java/pom/pom.go
View File

@@ -303,7 +303,6 @@ func (d pomDependency) ToArtifact(opts analysisOptions) artifact {
Exclusions: exclusions,
Locations: locations,
Relationship: ftypes.RelationshipIndirect, // default
Test: d.Scope == "test",
}
}

6
pkg/dependency/parser/java/pom/testdata/happy/pom.xml vendored
View File

@@ -46,11 +46,5 @@
<version>999</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.example</groupId>
<artifactId>example-test</artifactId>
<version>2.0.0</version>
<scope>test</scope>
</dependency>
</dependencies>
</project>