Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(java): mark dependencies from maven-invoker-plugin integration tests pom.xml files as Dev #6213

Merged

Conversation

DmitriyLewen
Copy link
Contributor

@DmitriyLewen DmitriyLewen commented Feb 27, 2024

Description

Mark dependencies from maven-invoker-plugin integration tests pom.xml files as Dev.
This is necessary to add an option to skip/show these dependencies using --include-dev-deps flag.
See more in #5787

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen self-assigned this Feb 27, 2024
@DmitriyLewen DmitriyLewen marked this pull request as ready for review February 27, 2024 12:40
@codefromthecrypt
Copy link
Contributor

from functionality POV, looks good to me. I ran against openzipkin/brave after building from your branch. Fuzz detected is in the benchmarks project (which is a separate thing and I'm not really interested in chasing that down right now). The important part is there are no more "invoker test" deps in the default output.

$ ../trivy/main repo .
2024-03-05T12:19:57.779+0800	INFO	Vulnerability scanning is enabled
2024-03-05T12:19:57.780+0800	INFO	Secret scanning is enabled
2024-03-05T12:19:57.780+0800	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-05T12:19:57.780+0800	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-03-05T12:22:40.695+0800	INFO	Number of language-specific files: 66
2024-03-05T12:22:40.695+0800	INFO	Detecting pom vulnerabilities...

instrumentation/benchmarks/pom.xml (pom)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 0, CRITICAL: 1)

┌──────────────────────────────────────┬──────────────────┬──────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│               Library                │  Vulnerability   │ Severity │  Status  │ Installed Version │     Fixed Version      │                            Title                             │
├──────────────────────────────────────┼──────────────────┼──────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.rabbitmq:amqp-client             │ CVE-2023-46120   │ MEDIUM   │ fixed    │ 5.9.0             │ 5.18.0                 │ RabbitMQ Java client's Lack of Message Size Limitation leads │
│                                      │                  │          │          │                   │                        │ to Remote DoS...                                             │
│                                      │                  │          │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-46120                   │
├──────────────────────────────────────┼──────────────────┤          ├──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.jboss.resteasy:resteasy-undertow │ CVE-2023-0482    │          │ affected │ 3.15.6.Final      │                        │ RESTEasy: creation of insecure temp files                    │
│                                      │                  │          │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-0482                    │
├──────────────────────────────────────┼──────────────────┤          ├──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.amqp:spring-amqp │ CVE-2021-22095   │          │ fixed    │ 2.3.6             │ 2.2.19, 2.3.11         │ Deserialization of Untrusted Data in Spring AMQP             │
│                                      │                  │          │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-22095                   │
│                                      ├──────────────────┤          │          │                   │                        ├──────────────────────────────────────────────────────────────┤
│                                      │ CVE-2021-22097   │          │          │                   │                        │ Deserialization of Untrusted Data in Spring AMQP             │
│                                      │                  │          │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-22097                   │
├──────────────────────────────────────┼──────────────────┤          │          ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-messaging │ CVE-2022-22971   │          │          │ 5.3.5             │ 5.3.20, 5.2.22.RELEASE │ DoS with STOMP over WebSocket                                │
│                                      │                  │          │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-22971                   │
├──────────────────────────────────────┼──────────────────┼──────────┤          ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-web       │ CVE-2016-1000027 │ CRITICAL │          │ 5.3.32            │ 6.0.0                  │ spring: HttpInvokerServiceExporter readRemoteInvocation      │
│                                      │                  │          │          │                   │                        │ method untrusted java deserialization                        │
│                                      │                  │          │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2016-1000027                 │
└──────────────────────────────────────┴──────────────────┴──────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘

@codefromthecrypt
Copy link
Contributor

after this change to brave, which re-classifies benchmark deps as test, we now have a 100pct clean run! Thanks so much

Signed-off-by: knqyf263 <knqyf263@gmail.com>
// Mark integration test pom files for `maven-invoker-plugin` as Dev to skip them by default.
if isIntegrationTestDir(filePath) {
for i := range res.Applications {
res.Applications[i].Libraries = lo.Map(res.Applications[i].Libraries, func(lib types.Package, _ int) types.Package {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is no big deal, but lo.Map generates another map, and it is better just to overwrite the Dev field from the memory perspective.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in b86dff8

@knqyf263 knqyf263 enabled auto-merge March 8, 2024 09:53
@knqyf263 knqyf263 added this pull request to the merge queue Mar 8, 2024
Merged via the queue into aquasecurity:main with commit 617c3e3 Mar 8, 2024
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants