Ignore pom artifacts from maven

[afdesk]

trivy doesn't detect CVE-2021-33037 for tomcat 9.0.46

I investigated issue False negative in scanning tomcat 9.0.46 and it reproduces:

trivy fs apache-tomcat-9.0.46/
trivy i tomcat:9.0.46 | grep 33037

also I've tested it for tomcat 9.0.46. the issue also exists.

Reason

There are several packaging types for Maven packages: jar, war, pom etc.

CVE-2021-33037 describes the vulnerabilities for package org.apache.tomcat:tomcat. this package has pom type, and doesn't have jar file.

trivy detects only jar files (tomcat-juli.jar, tomcat-jdbc.jar etc), the trivy db doesn't contain information about these artifacts.

pom packaging type is an aggregator or multi-module project assembles submodules coming from different sources. Speaking about tomcat it means that org.apache.tomcat:tomcat package is a binary distribution of Apache Tomcat.

Problem

maven has API that allows us to determine a type of packaging:

• request for :tomcat-jdbc:9.0.46: https://search.maven.org/solrsearch/select?q=id:%22org.apache.tomcat:tomcat-jdbc:9.0.46%22&core=gav&rows=20&wt=json
• request for :tomcat:9.0.46: https://search.maven.org/solrsearch/select?q=id:%22org.apache.tomcat:tomcat:9.0.46%22&core=gav&rows=20&wt=json.

but I have no ideas how to detect that a scope of files is pom package.