Dependencies with runtime scope in pom.xml are ignored

[ben12]

Description

Trivy (fs) ignore dependencies with scope "runtime"

CF aquasecurity/go-dep-parser#296

Desired Behavior

Trivy (fs) must consider dependencies with scope "runtime"

Actual Behavior

Trivy (fs) ignore dependencies with scope "runtime"

Reproduction Steps

1. In your pom.xml, declare dependency org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:4.0.3 with "compile" scope
2. Run `trivy fs`
3. Vulnerabilities on org.codehaus.jettison:jettison:1.4.0 are not reported

Target

Filesystem

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

-

Operating System

In docker image (linux amd64)

Version

Version: 0.49.1

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @ben12
Thanks for your interest to Trivy.

Maven doesn't include runtime dependencies in compilation - https://maven.apache.org/guides/introduction/introduction-to-dependent-mechanism.html#dependent-scope.
So your application doesn't include these dependencies (nor does it include test dependencies).

This is why we don't include these dependencies in reports. - https://aquasecurity.github.io/trivy/v0.49/docs/coverage/language/java

Regards, Dmitriy

[ben12]

Hello @DmitriyLewen

Maven doesn't include runtime dependencies in compilation - https://maven.apache.org/guides/introduction/introduction-to-dependent-mechanism.html#dependent-scope.

Correct, runtime dependencies are not used during Maven's compile lifecycle.

So your application doesn't include these dependencies (nor does it include test dependencies).

Wrong, runtime like compilation dependencies are required at runtime, so they must be provided to the final user. We need (at least) to check vulnerabilities and licences of all delivered libraries.

https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#dependency-scope :

This scope indicates that the dependency is not required for compilation, but is for execution. Maven includes a dependency with this scope in the runtime and test classpaths, but not the compile classpath.

[DmitriyLewen]

Hm... okay. Thanks for your clarifications.
I agree with you now. We need to include runtime scope.

[DmitriyLewen]

Created #6207 for this task.