feat(java): mark dependencies from maven-invoker-plugin
integration tests pom.xml files as Dev
#6213
Conversation
From a functionality POV, looks good to me. I ran against openzipkin/brave after building from your branch. Fuzz detected is in the benchmarks project (which is a separate thing and I'm not really interested in chasing that down right now). The important part is there are no more "invoker test" deps in the default output.

$ ../trivy/main repo .
2024-03-05T12:19:57.779+0800 INFO Vulnerability scanning is enabled
2024-03-05T12:19:57.780+0800 INFO Secret scanning is enabled
2024-03-05T12:19:57.780+0800 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-05T12:19:57.780+0800 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-03-05T12:22:40.695+0800 INFO Number of language-specific files: 66
2024-03-05T12:22:40.695+0800 INFO Detecting pom vulnerabilities...
instrumentation/benchmarks/pom.xml (pom)
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 0, CRITICAL: 1)
┌──────────────────────────────────────┬──────────────────┬──────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────────────────────────┼──────────────────┼──────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.rabbitmq:amqp-client │ CVE-2023-46120 │ MEDIUM │ fixed │ 5.9.0 │ 5.18.0 │ RabbitMQ Java client's Lack of Message Size Limitation leads │
│ │ │ │ │ │ │ to Remote DoS... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-46120 │
├──────────────────────────────────────┼──────────────────┤ ├──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.jboss.resteasy:resteasy-undertow │ CVE-2023-0482 │ │ affected │ 3.15.6.Final │ │ RESTEasy: creation of insecure temp files │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0482 │
├──────────────────────────────────────┼──────────────────┤ ├──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.amqp:spring-amqp │ CVE-2021-22095 │ │ fixed │ 2.3.6 │ 2.2.19, 2.3.11 │ Deserialization of Untrusted Data in Spring AMQP │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-22095 │
│ ├──────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-22097 │ │ │ │ │ Deserialization of Untrusted Data in Spring AMQP │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-22097 │
├──────────────────────────────────────┼──────────────────┤ │ ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-messaging │ CVE-2022-22971 │ │ │ 5.3.5 │ 5.3.20, 5.2.22.RELEASE │ DoS with STOMP over WebSocket │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-22971 │
├──────────────────────────────────────┼──────────────────┼──────────┤ ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-web │ CVE-2016-1000027 │ CRITICAL │ │ 5.3.32 │ 6.0.0 │ spring: HttpInvokerServiceExporter readRemoteInvocation │
│ │ │ │ │ │ │ method untrusted java deserialization │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-1000027 │
└──────────────────────────────────────┴──────────────────┴──────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘

After this change to brave, which re-classifies benchmark deps as test, we now have a 100pct clean run! Thanks so much
// Mark integration test pom files for `maven-invoker-plugin` as Dev to skip them by default.
if isIntegrationTestDir(filePath) {
	for i := range res.Applications {
		res.Applications[i].Libraries = lo.Map(res.Applications[i].Libraries, func(lib types.Package, _ int) types.Package {
It is no big deal, but lo.Map generates another map, and it is better just to overwrite the Dev field from the memory perspective.
Fixed in b86dff8
Description

Mark dependencies from maven-invoker-plugin integration tests pom.xml files as Dev. This is necessary to add an option to skip/show these dependencies using the --include-dev-deps flag. See more in #5787
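The in-place Dev marking that the review comment asks for, and the --include-dev-deps filtering the description refers to, as an added example written for this page (it is not Trivy's code). It assumes cut-down Package and Application types, assumes that an integration-test pom is any pom under a src/it directory (maven-invoker-plugin's default projectsDirectory; this stand-in is not Trivy's own isIntegrationTestDir), and uses constructed sample packages. The markDevViaMap function reproduces what a lo.Map call does (allocate a new slice) purely for contrast with the in-place loop.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Cut-down types for this example; Trivy's types.Package/Application have more fields.
type Package struct {
	Name    string
	Version string
	Dev     bool // true for dependencies that only matter during development or testing
}

type Application struct {
	FilePath  string // path of the pom.xml the libraries were read from
	Libraries []Package
}

// isIntegrationTestDir reports whether a pom.xml lies under a "src/it" directory,
// maven-invoker-plugin's default projectsDirectory. This path rule is an assumption
// of the example, not Trivy's implementation of the same-named function.
func isIntegrationTestDir(filePath string) bool {
	segs := strings.Split(path.Clean(strings.ReplaceAll(filePath, "\\", "/")), "/")
	for i := 0; i+1 < len(segs); i++ {
		if segs[i] == "src" && segs[i+1] == "it" {
			return true
		}
	}
	return false
}

// markDevInPlace flags every library of every integration-test pom as Dev by
// writing through the existing slice, as the reviewer suggested: no replacement
// slice is allocated and the backing array stays the same.
func markDevInPlace(apps []Application) {
	for i := range apps {
		if !isIntegrationTestDir(apps[i].FilePath) {
			continue
		}
		libs := apps[i].Libraries
		for j := range libs {
			libs[j].Dev = true
		}
	}
}

// markDevViaMap does what a lo.Map call does: allocate a fresh slice of the same
// length and fill it from a callback, leaving the input untouched. Shown only to
// contrast with markDevInPlace; every call costs one extra slice allocation.
func markDevViaMap(libs []Package) []Package {
	out := make([]Package, len(libs))
	for i, lib := range libs {
		lib.Dev = true
		out[i] = lib
	}
	return out
}

// filterDev models the --include-dev-deps flag: with includeDev false, Dev
// packages are dropped from the report; with it true, everything is kept.
func filterDev(libs []Package, includeDev bool) []Package {
	out := make([]Package, 0, len(libs))
	for _, lib := range libs {
		if lib.Dev && !includeDev {
			continue
		}
		out = append(out, lib)
	}
	return out
}

// sampleApps returns constructed sample data: a root pom and one invoker
// integration-test pom (the coordinates are made up for this example).
func sampleApps() []Application {
	return []Application{
		{FilePath: "pom.xml", Libraries: []Package{
			{Name: "org.example:core", Version: "1.0.0"},
		}},
		{FilePath: "src/it/basic/pom.xml", Libraries: []Package{
			{Name: "org.example:it-helper", Version: "1.0.0"},
			{Name: "org.example:it-fixture", Version: "2.1.0"},
		}},
	}
}

func main() {
	apps := sampleApps()
	markDevInPlace(apps)
	// Default report (no --include-dev-deps): the src/it dependencies disappear.
	for _, app := range apps {
		for _, lib := range filterDev(app.Libraries, false) {
			fmt.Printf("%s: %s@%s dev=%v\n", app.FilePath, lib.Name, lib.Version, lib.Dev)
		}
	}
}
```

Running it prints only the root pom's dependency; passing true to filterDev brings the integration-test dependencies back, which is the behaviour the flag is meant to expose. The pointer check in the in-place version is the observable difference from the map-style version: the same backing array is reused, so no garbage is produced per application.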