Skip to content

Commit

Permalink
feat(java): add support for line numbers for pom.xml files (#5991)
Browse files Browse the repository at this point in the history
  • Loading branch information
DmitriyLewen authored Jan 25, 2024
1 parent fb36c4e commit b4b90cf
Show file tree
Hide file tree
Showing 5 changed files with 49 additions and 9 deletions.
13 changes: 7 additions & 6 deletions docs/docs/coverage/language/java.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,11 @@ Each artifact supports the following scanners:

The following table provides an outline of the features Trivy offers.

| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] |
|------------------|:---------------------:|:----------------:|:------------------------------------:|
| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - |
| pom.xml | Maven repository [^1] | Exclude ||
| *gradle.lockfile | - | Exclude | - |
| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position |
|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|
| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - |
| pom.xml | Maven repository [^1] | Exclude ||[^7] |
| *gradle.lockfile | - | Exclude | - | - |

These may be enabled or disabled depending on the target.
See [here](./index.md) for the detail.
Expand Down Expand Up @@ -46,7 +46,7 @@ If your machine doesn't have the necessary files - Trivy tries to find the infor

!!! Note
Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the `maven repository`.
Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources_1).
Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources-1).

You can disable connecting to the maven repository with the `--offline-scan` flag.
The `--offline-scan` flag does not affect the Trivy database.
Expand All @@ -67,5 +67,6 @@ It doesn't require the internet access.
[^4]: e.g. when parent pom.xml file has `../pom.xml` path
[^5]: When you use dependency path in `relativePath` field in pom.xml file
[^6]: `/Users/<username>/.m2/repository` (for Linux and Mac) and `C:/Users/<username>/.m2/repository` (for Windows) by default
[^7]: To avoid confusion, Trivy only finds locations for direct dependencies from the base pom.xml file.

[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ require (
github.com/alicebob/miniredis/v2 v2.31.0
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/defsec v0.94.1
github.com/aquasecurity/go-dep-parser v0.0.0-20231229070651-5f0903175562
github.com/aquasecurity/go-dep-parser v0.0.0-20240124102329-7be7d210a3d4
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
Expand Down
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -328,8 +328,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
github.com/aquasecurity/defsec v0.94.1 h1:lk44bfUltm0f0Dw4DbO3Ka9d/bf3N8cWclSdHXMyKF4=
github.com/aquasecurity/defsec v0.94.1/go.mod h1:wiX9BX0SOG0ZWjVIPYGPl46fyO3Gu8lJnk4rmhFR7IA=
github.com/aquasecurity/go-dep-parser v0.0.0-20231229070651-5f0903175562 h1:jdymGFJpArgx1ZZW7yqgCV8Tt+sEZ4jKxjQufPYRSXE=
github.com/aquasecurity/go-dep-parser v0.0.0-20231229070651-5f0903175562/go.mod h1:B+gSaiuXV258CtyfBwFvG87+GE/FOh6W4N+LMuQxvVA=
github.com/aquasecurity/go-dep-parser v0.0.0-20240124102329-7be7d210a3d4 h1:Ex+YahhZPTu0WF9IKngLr/oRWgW5TN9ed0n4Twsq2Hw=
github.com/aquasecurity/go-dep-parser v0.0.0-20240124102329-7be7d210a3d4/go.mod h1:P0PmelcN1ABKJrDzRbPnn6hK7RvgI+xmjiV/9uPaNnY=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
github.com/aquasecurity/go-mock-aws v0.0.0-20240109054747-49e4b5da33cb h1:dNxUB2bSbiLGNYcXkbBKrrfuY96+dXhA9FahEFZ4THQ=
Expand Down
31 changes: 31 additions & 0 deletions pkg/fanal/analyzer/language/java/pom/pom_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,11 +29,25 @@ func Test_pomAnalyzer_Analyze(t *testing.T) {
Type: types.Pom,
FilePath: "testdata/happy/pom.xml",
Libraries: types.Packages{
{
ID: "com.example:example-api:2.0.0",
Name: "com.example:example-api",
Version: "2.0.0",
Locations: []types.Location{
{
StartLine: 28,
EndLine: 32,
},
},
},
{
ID: "com.example:example:1.0.0",
Name: "com.example:example",
Version: "1.0.0",
Licenses: []string{"Apache-2.0"},
DependsOn: []string{
"com.example:example-api:2.0.0",
},
},
},
},
Expand All @@ -50,11 +64,25 @@ func Test_pomAnalyzer_Analyze(t *testing.T) {
Type: types.Pom,
FilePath: "pom.xml",
Libraries: types.Packages{
{
ID: "com.example:example-api:2.0.0",
Name: "com.example:example-api",
Version: "2.0.0",
Locations: []types.Location{
{
StartLine: 28,
EndLine: 32,
},
},
},
{
ID: "com.example:example:1.0.0",
Name: "com.example:example",
Version: "1.0.0",
Licenses: []string{"Apache-2.0"},
DependsOn: []string{
"com.example:example-api:2.0.0",
},
},
},
},
Expand Down Expand Up @@ -104,6 +132,9 @@ func Test_pomAnalyzer_Analyze(t *testing.T) {
Dir: tt.inputDir,
FilePath: tt.inputFile,
Content: f,
Options: analyzer.AnalysisOptions{
Offline: true,
},
})
if tt.wantErr != "" {
require.NotNil(t, err)
Expand Down
8 changes: 8 additions & 0 deletions pkg/fanal/analyzer/language/java/pom/testdata/happy/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -23,4 +23,12 @@
<url>https://github.com/knqyf263</url>
</developer>
</developers>

<dependencies>
<dependency>
<groupId>com.example</groupId>
<artifactId>example-api</artifactId>
<version>2.0.0</version>
</dependency>
</dependencies>
</project>

0 comments on commit b4b90cf

Please sign in to comment.