Merge pull request #4023 from nscuro/issue-4021

Handle breaking change in Trivy v0.54.0 server API
DependencyTrack · Jul 31, 2024 · 783f25a · 783f25a
2 parents e3b856f + 60ced7b
commit 783f25a
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 6 deletions.
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/Options.java b/src/main/java/org/dependencytrack/parser/trivy/model/Options.java
@@ -21,13 +21,32 @@
 import com.google.gson.annotations.SerializedName;
 
 public class Options {
+
+    /**
+     * NB: GSON doesn't support serialization of getters, it can only deal with fields.
+     * Need to have libraries as redundant field to packages, with Jackson we could just
+     * use a computed getter with {@link com.fasterxml.jackson.annotation.JsonGetter}.
+     * Migrate this to Jackson eventually.
+     *
+     * @see <a href="https://github.com/DependencyTrack/dependency-track/issues/3737">GitHub issue</a>
+     * @deprecated Kept for compatibility with Trivy < 0.54.0
+     */
+    @Deprecated(forRemoval = true)
     @SerializedName("vuln_type")
     private String[] vulnType;
+
+    @SerializedName("pkg_types")
+    private String[] pkgTypes;
+
     private String[] scanners;
 
-    public String[] getVulnType() { return vulnType; }
-    public void setVulnType(String[] value) { this.vulnType = value; }
+    public void setPkgTypes(String[] value) {
+        this.pkgTypes = value;
+        this.vulnType = value;
+    }
+
+    public void setScanners(String[] value) {
+        this.scanners = value;
+    }
 
-    public String[] getScanners() { return scanners; }
-    public void setScanners(String[] value) { this.scanners = value; }
 }
diff --git a/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java b/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java
@@ -414,7 +414,7 @@ private TrivyResponse scanBlob(PutRequest input) {
         scan.setBlobIDS(new String[]{input.getDiffID()});
 
         final var opts = new Options();
-        opts.setVulnType(new String[]{"os", "library"});
+        opts.setPkgTypes(new String[]{"os", "library"});
         opts.setScanners(new String[]{"vuln"});
 
         scan.setOptions(opts);

diff --git a/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskTest.java b/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskTest.java
@@ -27,6 +27,7 @@
 import com.github.packageurl.PackageURL;
 import com.github.tomakehurst.wiremock.http.Fault;
 import com.github.tomakehurst.wiremock.junit.WireMockRule;
+import jakarta.json.Json;
 import org.assertj.core.api.SoftAssertions;
 import org.dependencytrack.PersistenceCapableTest;
 import org.dependencytrack.common.ManagedHttpClientFactory;
@@ -44,7 +45,6 @@
 import org.junit.Rule;
 import org.junit.Test;
 
-import jakarta.json.Json;
 import java.util.Date;
 import java.util.List;
 import java.util.Map;
@@ -410,6 +410,10 @@ Those using Woodstox to parse XML data may be vulnerable to Denial of Service at
                              "${json-unit.regex}(^sha256:[a-f0-9]{64}$)"
                            ],
                            "options": {
+                             "pkg_types": [
+                               "os",
+                               "library"
+                             ],
                              "vuln_type": [
                                "os",
                                "library"