Maven: Trivy reports vulnerability based on wrong dependency version #7567

dhladik · 2024-09-20T13:25:59Z

dhladik
Sep 20, 2024

Description

With the recent CVE-2024-7254, we have upgraded our protobuf-kotlin library to 3.25.5.

However, Trivy reports the library to be of version 3.25.0. I am not sure if this is a Maven or Trivy problem, but Maven's POM looks good.

I have triple checked if such library is present in the JAR both manually and through Gradle's dependency scanner.

Happens both for rootfs and image commands.

Command:

trivy rootfs app.jar -format json

JSON output:

{
  "SchemaVersion": 2,
  "CreatedAt": "2024-09-20T14:43:17.045184+02:00",
  "ArtifactName": "app.jar",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "Java",
      "Class": "lang-pkgs",
      "Type": "jar",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2024-7254",
          "PkgName": "com.google.protobuf:protobuf-kotlin",
          "PkgPath": "app.jar/BOOT-INF/lib/protobuf-kotlin-3.25.5.jar",
          "PkgIdentifier": {
            "PURL": "pkg:maven/com.google.protobuf/protobuf-kotlin@3.25.0",
            "UID": "42735b8694f994c4"
          },
          "InstalledVersion": "3.25.0",
          "FixedVersion": "3.25.5, 4.27.5, 4.28.2",
          "Status": "fixed",
          "Layer": {},
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-7254",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory Maven",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
          },
          "Title": "protobuf: StackOverflow vulnerability in Protocol Buffers",
          "Description": "Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-20"
          ],
          "VendorSeverity": {
            "ghsa": 3,
            "redhat": 3
          },
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2024-7254",
            "https://github.com/protocolbuffers/protobuf",
            "https://github.com/protocolbuffers/protobuf/commit/4728531c162f2f9e8c2ca1add713cfee2db6be3b",
            "https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b",
            "https://github.com/protocolbuffers/protobuf/commit/9a5f5fe752a20cbac2e722b06949ac985abdd534",
            "https://github.com/protocolbuffers/protobuf/commit/ac9fb5b4c71b0dd80985b27684e265d1f03abf46",
            "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
            "https://github.com/protocolbuffers/protobuf/commit/d6c82fc55a76481c676f541a255571e8950bb8c3",
            "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8",
            "https://nvd.nist.gov/vuln/detail/CVE-2024-7254",
            "https://www.cve.org/CVERecord?id=CVE-2024-7254"
          ],
          "PublishedDate": "2024-09-19T01:15:10.963Z",
          "LastModifiedDate": "2024-09-19T01:15:10.963Z"
        }
      ]
    }
  ]
}

Desired Behavior

With the CVE mitigated in protobuf-kotlin:3.25.5, Trivy is expected to match the version in JAR correctly and no longer report the vulnerability.

Actual Behavior

Trivy ignores the hotfix portion of this library and reports the installed version wrongly, e.g.: real installed version is 3.25.5 but Trivy reports installed 3.25.0

Reproduction Steps

1. Have a dependency `com.google.protobuf:protobuf-kotlin:3.25.5` in your project
2. Run either `trivy rootfs` or `trivy image` on JAR or Docker image respectively
3. Observe Trivy reporting the installed version as `3.25.0`
...

Target

Filesystem

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

2024-09-20T15:21:38+02:00	DEBUG	No plugins loaded
2024-09-20T15:21:38+02:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-09-20T15:21:38+02:00	DEBUG	Cache dir	dir="/Users/daniel/Library/Caches/trivy"
2024-09-20T15:21:38+02:00	DEBUG	Cache dir	dir="/Users/daniel/Library/Caches/trivy"
2024-09-20T15:21:38+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-09-20T15:21:38+02:00	DEBUG	Ignore statuses	statuses=[]
2024-09-20T15:21:38+02:00	DEBUG	DB update was skipped because the local DB is the latest
2024-09-20T15:21:38+02:00	DEBUG	DB info	schema=2 updated_at=2024-09-20T12:13:24.104899501Z next_update=2024-09-20T18:13:24.104899361Z downloaded_at=2024-09-20T13:14:22.959768Z
2024-09-20T15:21:38+02:00	DEBUG	[pkg] Package types	types=[os library]
2024-09-20T15:21:38+02:00	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-09-20T15:21:38+02:00	INFO	[vuln] Vulnerability scanning is enabled
2024-09-20T15:21:38+02:00	INFO	[secret] Secret scanning is enabled
2024-09-20T15:21:38+02:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-20T15:21:38+02:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-20T15:21:38+02:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-20T15:21:38+02:00	DEBUG	Initializing scan cache...	type="memory"
2024-09-20T15:21:38+02:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-09-20T15:21:38+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-boot-actuator-autoconfigure-3.3.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/springdoc-openapi-starter-webmvc-ui-2.3.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/springdoc-openapi-starter-webmvc-api-2.3.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/springdoc-openapi-starter-common-2.3.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/swagger-core-jakarta-2.2.19.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jackson-datatype-jsr310-2.17.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/logstash-logback-encoder-7.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jackson-datatype-jdk8-2.17.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jackson-module-parameter-names-2.17.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jackson-dataformat-yaml-2.17.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jackson-databind-2.17.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/swagger-models-jakarta-2.2.19.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jackson-annotations-2.17.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jackson-core-2.17.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jackson-module-kotlin-2.17.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/moshi-kotlin-1.15.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/kotlin-reflect-2.0.20.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/moshi-adapters-1.15.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-exporter-otlp-1.37.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-exporter-sender-okhttp-1.37.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/okhttp-4.12.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/sam-ocr-connector-5.3.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/sam-ocr-raw-image-5.3.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/sam-ocr-jna-wrapper-document-5.3.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/moshi-1.15.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/okio-jvm-3.6.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/kotlin-stdlib-jdk8-2.0.20.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/protobuf-kotlin-3.25.5.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/kotlinx-serialization-core-jvm-1.6.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/kotlinx-serialization-protobuf-jvm-1.6.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/kotlin-stdlib-jdk7-2.0.20.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/kotlin-stdlib-2.0.20.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/guava-32.1.2-jre.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/s3-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/sts-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/apache-client-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/httpclient-4.5.13.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/commons-codec-1.15.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/iface-connector-main-6.2.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/sdk-commons-main-1.2.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jna-5.12.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-security-oauth2-jose-6.3.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/nimbus-jose-jwt-9.37.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/micrometer-registry-prometheus-1.13.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/annotations-23.0.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/failureaccess-1.0.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/java-24.1.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jsr305-3.0.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/checker-qual-3.33.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/error_prone_annotations-2.18.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/metadata-extractor-2.19.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/icu4j-68.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/onnxruntime-1.13.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/commons-text-1.12.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/xmemcached-2.4.8.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/lettuce-core-6.3.2.RELEASE.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/ehcache-3.10.8.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/ehcache-3.10.8.jar/org/ehcache/sizeof/impl/sizeof-agent.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] No such POM in the central repositories	file="sizeof-agent.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/cache-api-1.1.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/micrometer-tracing-bridge-otel-1.3.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/bcprov-jdk18on-1.78.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/json-20231013.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/swagger-ui-5.10.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/micrometer-jakarta9-1.13.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-webmvc-6.1.13.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-webflux-6.1.13.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-security-oauth2-resource-server-6.3.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-security-web-6.3.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-security-oauth2-core-6.3.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-web-6.1.13.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-security-config-6.3.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-security-core-6.3.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/micrometer-core-1.13.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/micrometer-tracing-1.3.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-boot-autoconfigure-3.3.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-boot-actuator-3.3.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-boot-3.3.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-data-redis-3.3.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-context-support-6.1.13.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-data-keyvalue-3.3.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-context-6.1.13.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/micrometer-observation-1.13.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-aop-6.1.13.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/aspectjweaver-1.9.22.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/tomcat-embed-el-10.1.30.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/hibernate-validator-8.0.1.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/prometheus-metrics-core-1.2.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/prometheus-metrics-tracer-common-1.2.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/prometheus-metrics-exposition-formats-1.2.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/boofcv-core-1.1.6.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/boofcv-io-1.1.6.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/boofcv-learning-1.1.6.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/boofcv-reconstruction-1.1.6.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/boofcv-recognition-1.1.6.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/models-0.5.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/io-0.5.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jarchivelib-1.2.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/commons-compress-1.26.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/commons-lang3-3.14.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/logback-classic-1.5.8.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/log4j-to-slf4j-2.23.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jul-to-slf4j-2.0.16.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/aws-xml-protocol-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/aws-query-protocol-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/protocol-core-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/aws-core-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/auth-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/regions-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/sdk-core-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/crt-core-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/arns-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/profiles-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-nio-client-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/http-client-spi-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/metrics-spi-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/json-utils-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/utils-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-data-commons-3.3.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/slf4j-api-2.0.16.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jakarta.annotation-api-2.1.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-tx-6.1.13.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-oxm-6.1.13.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-beans-6.1.13.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-expression-6.1.13.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-core-6.1.13.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/snakeyaml-2.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/xmpcore-6.1.11.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/endpoints-spi-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/annotations-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/third-party-jackson-core-2.20.78.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/javase-3.5.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/core-3.5.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/protobuf-java-3.25.5.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/reactor-netty-http-1.1.22.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-codec-http2-4.1.113.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/reactor-netty-core-1.1.22.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-handler-proxy-4.1.113.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-codec-http-4.1.113.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-resolver-dns-native-macos-4.1.113.Final-osx-x86_64.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-resolver-dns-classes-macos-4.1.113.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-resolver-dns-4.1.113.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-handler-4.1.113.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-transport-native-epoll-4.1.113.Final-linux-x86_64.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-transport-classes-epoll-4.1.113.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-transport-native-unix-common-4.1.113.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-codec-dns-4.1.113.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-codec-socks-4.1.113.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-codec-4.1.113.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-transport-4.1.113.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-resolver-4.1.113.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-buffer-4.1.113.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/netty-common-4.1.113.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/reactor-core-3.6.10.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jaxb-runtime-4.0.5.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/micrometer-commons-1.13.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-exporter-otlp-common-1.37.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-exporter-common-1.37.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-sdk-extension-autoconfigure-spi-1.37.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-sdk-1.37.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-sdk-trace-1.37.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-sdk-metrics-1.37.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-sdk-logs-1.37.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-sdk-common-1.37.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-extension-trace-propagators-1.37.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-instrumentation-api-semconv-1.33.3-alpha.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-instrumentation-api-1.33.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-api-incubator-1.38.0-alpha.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-api-1.37.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-semconv-1.23.1-alpha.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentracing-util-0.33.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentracing-noop-0.33.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentracing-api-0.33.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/gson-2.10.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jakarta.validation-api-3.0.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jboss-logging-3.5.3.Final.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/classmate-1.7.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/tomcat-embed-websocket-10.1.30.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/tomcat-embed-core-10.1.30.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-security-crypto-6.3.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/HdrHistogram-2.2.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/LatencyUtils-2.0.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/prometheus-metrics-model-1.2.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/prometheus-metrics-config-1.2.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/prometheus-metrics-shaded-protobuf-1.2.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-jcl-6.1.13.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jcommander-1.82.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jai-imageio-core-1.4.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/boofcv-sfm-1.1.6.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/boofcv-ip-multiview-1.1.6.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/boofcv-feature-1.1.6.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/boofcv-geo-1.1.6.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/boofcv-ip-1.1.6.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/boofcv-types-1.1.6.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/georegression-0.27.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/ddogleg-0.23.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/trove4j-3.0.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/reactive-streams-1.0.4.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jaxb-core-4.0.5.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/context-propagation-1.1.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/aopalliance-1.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/opentelemetry-context-1.37.0.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jcip-annotations-1.0-1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/logback-core-1.5.8.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/log4j-api-2.23.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/eventstream-1.0.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/httpcore-4.4.16.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/ejml-simple-0.43.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/ejml-fsparse-0.43.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/ejml-fdense-0.43.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/ejml-dsparse-0.43.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/ejml-ddense-0.43.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/ejml-cdense-0.43.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/ejml-zdense-0.43.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/ejml-core-0.43.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/commons-io-2.16.1.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/learning-0.5.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/main-0.5.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jakarta.xml.bind-api-4.0.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/angus-activation-2.0.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/jakarta.activation-api-2.1.3.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/txw2-4.0.5.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/istack-commons-runtime-4.1.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/swagger-annotations-jakarta-2.2.19.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/commons-logging-1.2.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/zip4j-2.11.5.jar"
2024-09-20T15:21:41+02:00	DEBUG	[jar] Parsing Java artifacts...	file_path="app.jar/BOOT-INF/lib/spring-boot-jarmode-tools-3.3.4.jar"
2024-09-20T15:21:42+02:00	DEBUG	[jar] No such POM in the central repositories	file="app.jar"
2024-09-20T15:21:42+02:00	DEBUG	OS is not detected.
2024-09-20T15:21:42+02:00	DEBUG	Detected OS: unknown
2024-09-20T15:21:42+02:00	INFO	Number of language-specific files	num=1
2024-09-20T15:21:42+02:00	INFO	[jar] Detecting vulnerabilities...
2024-09-20T15:21:42+02:00	DEBUG	[jar] Scanning packages for vulnerabilities	file_path=""
2024-09-20T15:21:42+02:00	DEBUG	[vex] VEX filtering is disabled
2024-09-20T15:21:42+02:00	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────────────┬───────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability │ Severity │ Status │ Installed Version │     Fixed Version      │                           Title                           │
├─────────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────────────┼───────────────────────────────────────────────────────────┤
│ com.google.protobuf:protobuf-kotlin │ CVE-2024-7254 │ HIGH     │ fixed  │ 3.25.0            │ 3.25.5, 4.27.5, 4.28.2 │ protobuf: StackOverflow vulnerability in Protocol Buffers │
│ (app.jar)  │               │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2024-7254                 │
└─────────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────────────┴───────────────────────────────────────────────────────────┘

Operating System

MacOS Sequoia (M1 Pro | ARM64) / Rocky Linux 9 (AMD64)

Version

Version: 0.55.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-09-20 06:12:54.353543232 +0000 UTC
  NextUpdate: 2024-09-20 12:12:54.353542941 +0000 UTC
  DownloadedAt: 2024-09-20 12:11:12.194054 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-09-20 01:06:28.762321776 +0000 UTC
  NextUpdate: 2024-09-23 01:06:28.762321626 +0000 UTC
  DownloadedAt: 2024-09-20 12:17:33.704766 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

Answered by DmitriyLewen

Sep 24, 2024

Hello @dhladik @concreted

You found very interesting case.

Trivy uses the following steps to find Artifact from jar file:

Check pom.properties and MANIFEST.MF files (https://aquasecurity.github.io/trivy/v0.55/docs/coverage/language/java/#jarwarparear)
Find artifact in trivy-java-db by sha1.
...

protobuf-kotlin-3.25.5.jar doesn't have pom.properties file.
MANIFEST.MF file doesn't contain required info:

Manifest-Version: 1.0
Created-By: mergejars
Target-Label: @//java/kotlin:well_known_protos_kotlin
Injecting-Rule-Kind: kt_jvm_library

Therefore, Trivy tries to find artifact by sha1.

I downloaded this file and found sha1 for this file:

➜ shasum protobuf-kotlin-3.25.5.jar 
c102af05b1429abf…

View full answer

concreted · 2024-09-23T19:14:43Z

concreted
Sep 23, 2024

I am also having the same issue, on Ubuntu 18.04. Trivy scan of the .jar file reports the wrong protobuf-kotlin version:

          "VulnerabilityID": "CVE-2024-7254",
          "PkgName": "com.google.protobuf:protobuf-kotlin",
          "PkgPath": "app.jar/BOOT-INF/lib/protobuf-kotlin-3.25.5.jar",
          "PkgIdentifier": {
            "PURL": "pkg:maven/com.google.protobuf/protobuf-kotlin@3.25.0",
            "UID": "4888d3219afc9437"
          },
          "InstalledVersion": "3.25.0",

Scanning the pom.xml directly does not report this CVE.

0 replies

DmitriyLewen · 2024-09-24T11:24:32Z

DmitriyLewen
Sep 24, 2024
Maintainer

Hello @dhladik @concreted

You found very interesting case.

Trivy uses the following steps to find Artifact from jar file:

Check pom.properties and MANIFEST.MF files (https://aquasecurity.github.io/trivy/v0.55/docs/coverage/language/java/#jarwarparear)
Find artifact in trivy-java-db by sha1.
...

protobuf-kotlin-3.25.5.jar doesn't have pom.properties file.
MANIFEST.MF file doesn't contain required info:

Manifest-Version: 1.0
Created-By: mergejars
Target-Label: @//java/kotlin:well_known_protos_kotlin
Injecting-Rule-Kind: kt_jvm_library

Therefore, Trivy tries to find artifact by sha1.

I downloaded this file and found sha1 for this file:

➜ shasum protobuf-kotlin-3.25.5.jar 
c102af05b1429abf6ad42de8675b615b8fcfa17f  protobuf-kotlin-3.25.5.jar

sha1 for this file (protobuf-kotlin-3.25.5.jar.sha1) from maven central (we use maven central for trivy-java-db) is c102af05b1429abf6ad42de8675b615b8fcfa17f (see https://repo1.maven.org/maven2/com/google/protobuf/protobuf-kotlin/3.25.5/protobuf-kotlin-3.25.5.jar.sha1)
But sha1 for 3.25.0 version is same (see https://repo1.maven.org/maven2/com/google/protobuf/protobuf-kotlin/3.25.0/protobuf-kotlin-3.25.0.jar.sha1).

We don't include duplicates of sha1 in trivy-java-db because this is strange case when different versions use same sha1.

summation:
trivy-java-db contains first found artifact with c102af05b1429abf6ad42de8675b615b8fcfa17f (protobuf-kotlin-3.25.0).
Trivy detects artifact by sha1 and you see 3.25.0 version.

Regards, Dmitriy

0 replies

dhladik · 2024-09-24T11:28:12Z

dhladik
Sep 24, 2024
Author

@DmitriyLewen

Thanks for the explanation! This is really interesting. Should the Google Protobuf team be contacted so they can fix this? So far, we have to explain this to our customers and our pipelines are marked as false positives.

3 replies

DmitriyLewen Sep 24, 2024
Maintainer

Unfortunately, we cannot catch all such cases and this should be resolved on the side of the developer of jar file.

Should the Google Protobuf team be contacted so they can fix this?

It would be great if you contacted them and pointed out this problem.

So far, we have to explain this to our customers and our pipelines are marked as false positives.

Trivy supports modules for similar cases.
Also you can filter this CVE.

dhladik Sep 24, 2024
Author

@DmitriyLewen Thank you, I will contact them and let them fix it. I will look into the modules, or worst-case scenario, filter it out. Thank you!

dhladik Sep 24, 2024
Author

For posterity, reported here: protocolbuffers/protobuf#18484

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Maven: Trivy reports vulnerability based on wrong dependency version #7567

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 3 comments 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Maven: Trivy reports vulnerability based on wrong dependency version #7567

dhladik Sep 20, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 3 comments · 3 replies

concreted Sep 23, 2024

DmitriyLewen Sep 24, 2024 Maintainer

dhladik Sep 24, 2024 Author

DmitriyLewen Sep 24, 2024 Maintainer

dhladik Sep 24, 2024 Author

dhladik Sep 24, 2024 Author

dhladik
Sep 20, 2024

Replies: 3 comments 3 replies

concreted
Sep 23, 2024

DmitriyLewen
Sep 24, 2024
Maintainer

dhladik
Sep 24, 2024
Author

DmitriyLewen Sep 24, 2024
Maintainer

dhladik Sep 24, 2024
Author

dhladik Sep 24, 2024
Author