Trivy does not identify certain imported pom files #5841

ishapirovArnica · 2023-12-29T19:58:11Z

ishapirovArnica
Dec 29, 2023

IDs

CVE-2022-31159

Description

Trivy is not able to correctly identify the following imported pom file (Full files in the Reproduction Steps section):

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>Hoxton.SR5</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

This means it's not able to properly find the version for dependencies such as org.springframework.cloud:spring-cloud-starter-aws. Example:

<dependency>
  <groupId>org.springframework.cloud</groupId>
  <artifactId>spring-cloud-starter-aws</artifactId>
</dependency>

This results in CVE-2022-31159 not being found, a vulnerability on the transitive dependency of package com.amazonaws:aws-java-sdk-s3:jar:1.11.415

Reproduction Steps

1. Create a pom.xml file which imports the `org.springframework.cloud:spring-cloud-dependencies:Hoxton.SR5` pom and adds a dependency which will derive its version from this pom (In this case I used `org.springframework.cloud:spring-cloud-starter-aws`). 

In this pom I also imported the `org.springframework.boot:spring-boot-starter-parent:2.3.0.RELEASE` pom and the `org.springframework.boot:spring-boot-starter-security` dependency as an example of where trivy does correctly identify the version of the package. Through testing, excluding this additional pom or adding it as a parent instead does not affect results.

The pom.xml I used:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

 <groupId>my.project</groupId>
  <artifactId>test</artifactId>
  <version>1.0.0</version>
  <packaging>jar</packaging>

  <repositories>
      <repository>
          <id>confluent</id>
          <url>https://packages.confluent.io/maven/</url>
      </repository>
  </repositories>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>Hoxton.SR5</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-parent</artifactId>
                <version>2.3.0.RELEASE</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <dependencies>

      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
      </dependency>

      <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-aws</artifactId>
      </dependency>
    </dependencies>
  </project>

Run mvn dependency:tree on this file. You should see both dependencies correctly found.

Output:

[INFO] --- dependency:3.6.0:tree (default-cli) @ test ---
[INFO] my.project:test:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.3.0.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.3.0.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:2.3.0.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.3.0.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.3.0.RELEASE:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.2:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.13.2:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.30:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  +- org.springframework:spring-core:jar:5.2.6.RELEASE:compile
[INFO] |  |  |  \- org.springframework:spring-jcl:jar:5.2.6.RELEASE:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.26:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.2.6.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-beans:jar:5.2.6.RELEASE:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:5.3.2.RELEASE:compile
[INFO] |  |  +- org.springframework.security:spring-security-core:jar:5.3.2.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-context:jar:5.2.6.RELEASE:compile
[INFO] |  \- org.springframework.security:spring-security-web:jar:5.3.2.RELEASE:compile
[INFO] |     +- org.springframework:spring-expression:jar:5.2.6.RELEASE:compile
[INFO] |     \- org.springframework:spring-web:jar:5.2.6.RELEASE:compile
[INFO] \- org.springframework.cloud:spring-cloud-starter-aws:jar:2.2.2.RELEASE:compile
[INFO]    +- org.springframework.cloud:spring-cloud-aws-context:jar:2.2.2.RELEASE:compile
[INFO]    |  \- org.springframework.cloud:spring-cloud-aws-core:jar:2.2.2.RELEASE:compile
[INFO]    |     +- com.amazonaws:aws-java-sdk-core:jar:1.11.415:compile
[INFO]    |     |  +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO]    |     |  |  +- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO]    |     |  |  \- commons-codec:commons-codec:jar:1.14:compile
[INFO]    |     |  +- software.amazon.ion:ion-java:jar:1.0.2:compile
[INFO]    |     |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.0:compile
[INFO]    |     |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.0:compile
[INFO]    |     |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.11.0:compile
[INFO]    |     |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.11.0:compile
[INFO]    |     |  \- joda-time:joda-time:jar:2.8.1:compile
[INFO]    |     +- com.amazonaws:aws-java-sdk-s3:jar:1.11.415:compile
[INFO]    |     |  +- com.amazonaws:aws-java-sdk-kms:jar:1.11.415:compile
[INFO]    |     |  \- com.amazonaws:jmespath-java:jar:1.11.415:compile
[INFO]    |     +- com.amazonaws:aws-java-sdk-ec2:jar:1.11.415:compile
[INFO]    |     \- com.amazonaws:aws-java-sdk-cloudformation:jar:1.11.415:compile
[INFO]    +- org.springframework.cloud:spring-cloud-aws-autoconfigure:jar:2.2.2.RELEASE:compile
[INFO]    +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO]    \- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.012 s
[INFO] Finished at: 2023-12-29T14:46:16-05:00
[INFO] ------------------------------------------------------------------------

Execute trivy fs --format cyclonedx --scanners vuln .
In the dependencies section find the ref for the project (pkg:maven/my.project/[email protected]). Notice how only the pkg:maven/org.springframework.boot/[email protected] is found. No mention of spring-cloud-starter-aws nor com.amazonaws:aws-java-sdk-s3 can be found in the results.

Output snippet (full output in Debug Output section):

{
  "ref": "pkg:maven/my.project/[email protected]",
  "dependsOn": [
    "pkg:maven/org.springframework.boot/[email protected]"
  ]
}

Target

Filesystem

Scanner

Vulnerability

Target OS

macOS Sonoma 14.0

Debug Output

2023-12-29T14:53:13.620-0500    DEBUG   ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-12-29T14:53:13.620-0500    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-12-29T14:53:13.621-0500    DEBUG   Ignore statuses {"statuses": null}
2023-12-29T14:53:13.667-0500    DEBUG   cache dir:  /Users/ivanshapirov/Library/Caches/trivy
2023-12-29T14:53:13.668-0500    DEBUG   DB update was skipped because the local DB is the latest
2023-12-29T14:53:13.668-0500    DEBUG   DB Schema: 2, UpdatedAt: 2023-12-29 18:11:48.457591728 +0000 UTC, NextUpdate: 2023-12-30 00:11:48.457591317 +0000 UTC, DownloadedAt: 2023-12-29 18:14:12.028665 +0000 UTC
2023-12-29T14:53:13.670-0500    INFO    Vulnerability scanning is enabled
2023-12-29T14:53:13.670-0500    DEBUG   Vulnerability type:  [os library]
2023-12-29T14:53:13.670-0500    DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2023-12-29T14:53:13.670-0500    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-12-29T14:53:13.671-0500    DEBUG   Walk the file tree rooted at '.' in parallel
2023-12-29T14:53:13.673-0500    DEBUG   Resolving org.springframework.cloud:spring-cloud-dependencies:Hoxton.SR5...
2023-12-29T14:53:13.675-0500    DEBUG   Start parent: org.springframework.cloud:spring-cloud-dependencies-parent:2.3.0.RELEASE
2023-12-29T14:53:13.677-0500    DEBUG   Exit parent: org.springframework.cloud:spring-cloud-dependencies-parent:2.3.0.RELEASE
2023-12-29T14:53:13.677-0500    DEBUG   Resolving org.springframework.boot:spring-boot-starter-parent:2.3.0.RELEASE...
2023-12-29T14:53:13.679-0500    DEBUG   Start parent: org.springframework.boot:spring-boot-dependencies:2.3.0.RELEASE
2023-12-29T14:53:13.687-0500    DEBUG   Exit parent: org.springframework.boot:spring-boot-dependencies:2.3.0.RELEASE
2023-12-29T14:53:13.690-0500    DEBUG   Resolving org.springframework.boot:spring-boot-starter-security:2.3.0.RELEASE...
2023-12-29T14:53:13.693-0500    DEBUG   Resolving org.springframework.cloud:spring-cloud-starter-aws:...
2023-12-29T14:53:14.135-0500    DEBUG   org.springframework.cloud:spring-cloud-starter-aws: was not found in local/remote repositories
2023-12-29T14:53:14.135-0500    DEBUG   Resolving org.springframework.boot:spring-boot-starter:2.3.0.RELEASE...
2023-12-29T14:53:14.139-0500    DEBUG   Resolving org.springframework:spring-aop:...
2023-12-29T14:53:14.620-0500    DEBUG   org.springframework:spring-aop: was not found in local/remote repositories
2023-12-29T14:53:14.620-0500    DEBUG   Resolving org.springframework.security:spring-security-config:...
2023-12-29T14:53:15.015-0500    DEBUG   org.springframework.security:spring-security-config: was not found in local/remote repositories
2023-12-29T14:53:15.015-0500    DEBUG   Resolving org.springframework.security:spring-security-web:...
2023-12-29T14:53:15.380-0500    DEBUG   org.springframework.security:spring-security-web: was not found in local/remote repositories
2023-12-29T14:53:15.380-0500    DEBUG   Resolving org.springframework.boot:spring-boot:2.3.0.RELEASE...
2023-12-29T14:53:15.389-0500    DEBUG   Resolving org.springframework.boot:spring-boot-autoconfigure:2.3.0.RELEASE...
2023-12-29T14:53:15.392-0500    DEBUG   Resolving org.springframework.boot:spring-boot-starter-logging:2.3.0.RELEASE...
2023-12-29T14:53:15.394-0500    DEBUG   Resolving jakarta.annotation:jakarta.annotation-api:1.3.5...
2023-12-29T14:53:15.395-0500    DEBUG   Start parent: jakarta.annotation:ca-parent:1.3.5
2023-12-29T14:53:15.396-0500    DEBUG   Start parent: org.eclipse.ee4j:project:1.0.5
2023-12-29T14:53:15.397-0500    DEBUG   Exit parent: org.eclipse.ee4j:project:1.0.5
2023-12-29T14:53:15.397-0500    DEBUG   Exit parent: jakarta.annotation:ca-parent:1.3.5
2023-12-29T14:53:15.397-0500    DEBUG   Resolving org.springframework:spring-core:...
2023-12-29T14:53:15.747-0500    DEBUG   org.springframework:spring-core: was not found in local/remote repositories
2023-12-29T14:53:15.747-0500    DEBUG   Resolving org.yaml:snakeyaml:1.26...
2023-12-29T14:53:15.753-0500    DEBUG   Resolving org.springframework:spring-context:...
2023-12-29T14:53:16.103-0500    DEBUG   org.springframework:spring-context: was not found in local/remote repositories
2023-12-29T14:53:16.103-0500    DEBUG   Resolving ch.qos.logback:logback-classic:1.2.3...
2023-12-29T14:53:16.107-0500    DEBUG   Start parent: ch.qos.logback:logback-parent:1.2.3
2023-12-29T14:53:16.109-0500    DEBUG   Exit parent: ch.qos.logback:logback-parent:1.2.3
2023-12-29T14:53:16.114-0500    DEBUG   Resolving org.apache.logging.log4j:log4j-to-slf4j:2.13.2...
2023-12-29T14:53:16.115-0500    DEBUG   Start parent: org.apache.logging.log4j:log4j:2.13.2
2023-12-29T14:53:16.120-0500    DEBUG   Start parent: org.apache:apache:21
2023-12-29T14:53:16.122-0500    DEBUG   Exit parent: org.apache:apache:21
2023-12-29T14:53:16.122-0500    DEBUG   Exit parent: org.apache.logging.log4j:log4j:2.13.2
2023-12-29T14:53:16.123-0500    DEBUG   Resolving org.slf4j:jul-to-slf4j:1.7.30...
2023-12-29T14:53:16.124-0500    DEBUG   Start parent: org.slf4j:slf4j-parent:1.7.30
2023-12-29T14:53:16.126-0500    DEBUG   Exit parent: org.slf4j:slf4j-parent:1.7.30
2023-12-29T14:53:16.126-0500    DEBUG   Resolving ch.qos.logback:logback-core:1.2.3...
2023-12-29T14:53:16.127-0500    DEBUG   Start parent: ch.qos.logback:logback-parent:1.2.3
2023-12-29T14:53:16.127-0500    DEBUG   Exit parent: ch.qos.logback:logback-parent:1.2.3
2023-12-29T14:53:16.128-0500    DEBUG   Resolving org.slf4j:slf4j-api:1.7.30...
2023-12-29T14:53:16.129-0500    DEBUG   Start parent: org.slf4j:slf4j-parent:1.7.30
2023-12-29T14:53:16.129-0500    DEBUG   Exit parent: org.slf4j:slf4j-parent:1.7.30
2023-12-29T14:53:16.129-0500    DEBUG   Resolving org.apache.logging.log4j:log4j-api:2.13.2...
2023-12-29T14:53:16.130-0500    DEBUG   Start parent: org.apache.logging.log4j:log4j:2.13.2
2023-12-29T14:53:16.130-0500    DEBUG   Exit parent: org.apache.logging.log4j:log4j:2.13.2
2023-12-29T14:53:16.175-0500    DEBUG   OS is not detected.
2023-12-29T14:53:16.175-0500    DEBUG   Detected OS: unknown
2023-12-29T14:53:16.175-0500    INFO    Number of language-specific files: 1
2023-12-29T14:53:16.175-0500    INFO    Detecting pom vulnerabilities...
2023-12-29T14:53:16.175-0500    DEBUG   Detecting library vulnerabilities, type: pom, path: pom.xml
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:d3e069f8-b0d9-4cfd-bb20-a6166085a2fc",
  "version": 1,
  "metadata": {
    "timestamp": "2023-12-29T19:53:16+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "0.48.1"
      }
    ],
    "component": {
      "bom-ref": "5c5c9ef7-ef03-4881-a226-90286a6f7e05",
      "type": "application",
      "name": ".",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "c1d29157-71e3-48c9-bf30-33a8c7194ec7",
      "type": "application",
      "name": "pom.xml",
      "properties": [
        {
          "name": "aquasecurity:trivy:Class",
          "value": "lang-pkgs"
        },
        {
          "name": "aquasecurity:trivy:Type",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/ch.qos.logback/[email protected]",
      "type": "library",
      "name": "ch.qos.logback:logback-classic",
      "version": "1.2.3",
      "licenses": [
        {
          "license": {
            "name": "Eclipse Public License - v 1.0"
          }
        },
        {
          "license": {
            "name": "GNU Lesser General Public License"
          }
        }
      ],
      "purl": "pkg:maven/ch.qos.logback/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "ch.qos.logback:logback-classic:1.2.3"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/ch.qos.logback/[email protected]",
      "type": "library",
      "name": "ch.qos.logback:logback-core",
      "version": "1.2.3",
      "licenses": [
        {
          "license": {
            "name": "Eclipse Public License - v 1.0"
          }
        },
        {
          "license": {
            "name": "GNU Lesser General Public License"
          }
        }
      ],
      "purl": "pkg:maven/ch.qos.logback/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "ch.qos.logback:logback-core:1.2.3"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/jakarta.annotation/[email protected]",
      "type": "library",
      "name": "jakarta.annotation:jakarta.annotation-api",
      "version": "1.3.5",
      "licenses": [
        {
          "license": {
            "name": "EPL 2.0"
          }
        },
        {
          "license": {
            "name": "GPL2 w/ CPE"
          }
        }
      ],
      "purl": "pkg:maven/jakarta.annotation/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "jakarta.annotation:jakarta.annotation-api:1.3.5"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/my.project/[email protected]",
      "type": "library",
      "name": "my.project:test",
      "version": "1.0.0",
      "purl": "pkg:maven/my.project/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "my.project:test:1.0.0"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.apache.logging.log4j/[email protected]",
      "type": "library",
      "name": "org.apache.logging.log4j:log4j-api",
      "version": "2.13.2",
      "licenses": [
        {
          "license": {
            "name": "Apache License, Version 2.0"
          }
        }
      ],
      "purl": "pkg:maven/org.apache.logging.log4j/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "org.apache.logging.log4j:log4j-api:2.13.2"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.apache.logging.log4j/[email protected]",
      "type": "library",
      "name": "org.apache.logging.log4j:log4j-to-slf4j",
      "version": "2.13.2",
      "licenses": [
        {
          "license": {
            "name": "Apache License, Version 2.0"
          }
        }
      ],
      "purl": "pkg:maven/org.apache.logging.log4j/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "org.apache.logging.log4j:log4j-to-slf4j:2.13.2"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.slf4j/[email protected]",
      "type": "library",
      "name": "org.slf4j:jul-to-slf4j",
      "version": "1.7.30",
      "licenses": [
        {
          "license": {
            "name": "MIT License"
          }
        }
      ],
      "purl": "pkg:maven/org.slf4j/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "org.slf4j:jul-to-slf4j:1.7.30"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.slf4j/[email protected]",
      "type": "library",
      "name": "org.slf4j:slf4j-api",
      "version": "1.7.30",
      "licenses": [
        {
          "license": {
            "name": "MIT License"
          }
        }
      ],
      "purl": "pkg:maven/org.slf4j/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "org.slf4j:slf4j-api:1.7.30"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.springframework.boot/[email protected]",
      "type": "library",
      "name": "org.springframework.boot:spring-boot-autoconfigure",
      "version": "2.3.0.RELEASE",
      "licenses": [
        {
          "license": {
            "name": "Apache License, Version 2.0"
          }
        }
      ],
      "purl": "pkg:maven/org.springframework.boot/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "org.springframework.boot:spring-boot-autoconfigure:2.3.0.RELEASE"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.springframework.boot/[email protected]",
      "type": "library",
      "name": "org.springframework.boot:spring-boot-starter-logging",
      "version": "2.3.0.RELEASE",
      "licenses": [
        {
          "license": {
            "name": "Apache License, Version 2.0"
          }
        }
      ],
      "purl": "pkg:maven/org.springframework.boot/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "org.springframework.boot:spring-boot-starter-logging:2.3.0.RELEASE"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.springframework.boot/[email protected]",
      "type": "library",
      "name": "org.springframework.boot:spring-boot-starter-security",
      "version": "2.3.0.RELEASE",
      "licenses": [
        {
          "license": {
            "name": "Apache License, Version 2.0"
          }
        }
      ],
      "purl": "pkg:maven/org.springframework.boot/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "org.springframework.boot:spring-boot-starter-security:2.3.0.RELEASE"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.springframework.boot/[email protected]",
      "type": "library",
      "name": "org.springframework.boot:spring-boot-starter",
      "version": "2.3.0.RELEASE",
      "licenses": [
        {
          "license": {
            "name": "Apache License, Version 2.0"
          }
        }
      ],
      "purl": "pkg:maven/org.springframework.boot/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "org.springframework.boot:spring-boot-starter:2.3.0.RELEASE"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.springframework.boot/[email protected]",
      "type": "library",
      "name": "org.springframework.boot:spring-boot",
      "version": "2.3.0.RELEASE",
      "licenses": [
        {
          "license": {
            "name": "Apache License, Version 2.0"
          }
        }
      ],
      "purl": "pkg:maven/org.springframework.boot/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "org.springframework.boot:spring-boot:2.3.0.RELEASE"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.yaml/[email protected]",
      "type": "library",
      "name": "org.yaml:snakeyaml",
      "version": "1.26",
      "licenses": [
        {
          "license": {
            "name": "Apache License, Version 2.0"
          }
        }
      ],
      "purl": "pkg:maven/org.yaml/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "org.yaml:snakeyaml:1.26"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "5c5c9ef7-ef03-4881-a226-90286a6f7e05",
      "dependsOn": [
        "c1d29157-71e3-48c9-bf30-33a8c7194ec7"
      ]
    },
    {
      "ref": "c1d29157-71e3-48c9-bf30-33a8c7194ec7",
      "dependsOn": [
        "pkg:maven/my.project/[email protected]",
        "pkg:maven/org.springframework.boot/[email protected]"
      ]
    },
    {
      "ref": "pkg:maven/ch.qos.logback/[email protected]",
      "dependsOn": [
        "pkg:maven/ch.qos.logback/[email protected]",
        "pkg:maven/org.slf4j/[email protected]"
      ]
    },
    {
      "ref": "pkg:maven/ch.qos.logback/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:maven/jakarta.annotation/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:maven/my.project/[email protected]",
      "dependsOn": [
        "pkg:maven/org.springframework.boot/[email protected]"
      ]
    },
    {
      "ref": "pkg:maven/org.apache.logging.log4j/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:maven/org.apache.logging.log4j/[email protected]",
      "dependsOn": [
        "pkg:maven/org.apache.logging.log4j/[email protected]",
        "pkg:maven/org.slf4j/[email protected]"
      ]
    },
    {
      "ref": "pkg:maven/org.slf4j/[email protected]",
      "dependsOn": [
        "pkg:maven/org.slf4j/[email protected]"
      ]
    },
    {
      "ref": "pkg:maven/org.slf4j/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:maven/org.springframework.boot/[email protected]",
      "dependsOn": [
        "pkg:maven/org.springframework.boot/[email protected]"
      ]
    },
    {
      "ref": "pkg:maven/org.springframework.boot/[email protected]",
      "dependsOn": [
        "pkg:maven/ch.qos.logback/[email protected]",
        "pkg:maven/org.apache.logging.log4j/[email protected]",
        "pkg:maven/org.slf4j/[email protected]"
      ]
    },
    {
      "ref": "pkg:maven/org.springframework.boot/[email protected]",
      "dependsOn": [
        "pkg:maven/org.springframework.boot/[email protected]"
      ]
    },
    {
      "ref": "pkg:maven/org.springframework.boot/[email protected]",
      "dependsOn": [
        "pkg:maven/jakarta.annotation/[email protected]",
        "pkg:maven/org.springframework.boot/[email protected]",
        "pkg:maven/org.springframework.boot/[email protected]",
        "pkg:maven/org.springframework.boot/[email protected]",
        "pkg:maven/org.yaml/[email protected]"
      ]
    },
    {
      "ref": "pkg:maven/org.springframework.boot/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:maven/org.yaml/[email protected]",
      "dependsOn": []
    }
  ],
  "vulnerabilities": [
    {
      "id": "CVE-2021-42550",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 6.6,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 8.5,
          "severity": "high",
          "method": "CVSSv2",
          "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.6,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.6,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "cwes": [
        502
      ],
      "description": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.",
      "recommendation": "Upgrade ch.qos.logback:logback-core to version 1.2.9",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2021-42550"
        },
        {
          "url": "http://logback.qos.ch/news.html"
        },
        {
          "url": "http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2022/Jul/11"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2021-42550"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf"
        },
        {
          "url": "https://cve.report/CVE-2021-42550"
        },
        {
          "url": "https://github.com/cn-panda/logbackRceDemo"
        },
        {
          "url": "https://github.com/qos-ch/logback"
        },
        {
          "url": "https://github.com/qos-ch/logback/blob/1502cba4c1dfd135b2e715bc0cf80c0045d4d128/logback-site/src/site/pages/news.html"
        },
        {
          "url": "https://github.com/qos-ch/logback/commit/87291079a1de9369ac67e20dc70a8fdc7cc4359c"
        },
        {
          "url": "https://github.com/qos-ch/logback/commit/ef4fc4186b74b45ce80d86833820106ff27edd42"
        },
        {
          "url": "https://jira.qos.ch/browse/LOGBACK-1591"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42550"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20211229-0001/"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-42550"
        }
      ],
      "published": "2021-12-16T19:15:08+00:00",
      "updated": "2022-12-12T21:13:07+00:00",
      "affects": [
        {
          "ref": "pkg:maven/ch.qos.logback/[email protected]",
          "versions": [
            {
              "version": "1.2.3",
              "status": "affected"
            }
          ]
        }
      ]
    },
    {
      "id": "CVE-2022-1471",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ghsa"
          },
          "score": 8.3,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 9.8,
          "severity": "critical",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 9.8,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        }
      ],
      "cwes": [
        502,
        20
      ],
      "description": "SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.\n",
      "recommendation": "Upgrade org.yaml:snakeyaml to version 2.0",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2022-1471"
        },
        {
          "url": "http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/11/19/1"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2022:9058"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2022-1471"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471"
        },
        {
          "url": "https://bugzilla.redhat.com/2150009"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471"
        },
        {
          "url": "https://errata.almalinux.org/8/ALSA-2022-9058.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2022:9058"
        },
        {
          "url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
        },
        {
          "url": "https://github.com/mbechler/marshalsec"
        },
        {
          "url": "https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2022-1471.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2022-9058-1.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230818-0015/"
        },
        {
          "url": "https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471/"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
        },
        {
          "url": "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true"
        }
      ],
      "published": "2022-12-01T11:15:10+00:00",
      "updated": "2023-11-19T15:15:20+00:00",
      "affects": [
        {
          "ref": "pkg:maven/org.yaml/[email protected]",
          "versions": [
            {
              "version": "1.26",
              "status": "affected"
            }
          ]
        }
      ]
    },
    {
      "id": "CVE-2022-38749",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        787,
        121
      ],
      "description": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
      "recommendation": "Upgrade org.yaml:snakeyaml to version 1.31",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2022-38749"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2022-38749"
        },
        {
          "url": "https://arxiv.org/pdf/2306.05534.pdf"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open"
        },
        {
          "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47024"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38749"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
        },
        {
          "url": "https://security.gentoo.org/glsa/202305-28"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-5944-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
        }
      ],
      "published": "2022-09-05T10:15:09+00:00",
      "updated": "2023-05-21T22:15:13+00:00",
      "affects": [
        {
          "ref": "pkg:maven/org.yaml/[email protected]",
          "versions": [
            {
              "version": "1.26",
              "status": "affected"
            }
          ]
        }
      ]
    },
    {
      "id": "CVE-2022-38750",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ghsa"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        787,
        121
      ],
      "description": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
      "recommendation": "Upgrade org.yaml:snakeyaml to version 1.31",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2022-38750"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2022-38750"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027"
        },
        {
          "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38750"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
        },
        {
          "url": "https://security.gentoo.org/glsa/202305-28"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-5944-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
        }
      ],
      "published": "2022-09-05T10:15:09+00:00",
      "updated": "2023-05-21T22:15:13+00:00",
      "affects": [
        {
          "ref": "pkg:maven/org.yaml/[email protected]",
          "versions": [
            {
              "version": "1.26",
              "status": "affected"
            }
          ]
        }
      ]
    },
    {
      "id": "CVE-2023-20883",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        400
      ],
      "description": "In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.",
      "recommendation": "Upgrade org.springframework.boot:spring-boot-autoconfigure to version 3.0.7, 2.7.12, 2.6.15, 2.5.15",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2023-20883"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2023-20883"
        },
        {
          "url": "https://github.com/spring-projects/spring-boot"
        },
        {
          "url": "https://github.com/spring-projects/spring-boot/commit/418dd1ba5bdad79b55a043000164bfcbda2acd78"
        },
        {
          "url": "https://github.com/spring-projects/spring-boot/issues/35552"
        },
        {
          "url": "https://github.com/spring-projects/spring-boot/releases/tag/v2.5.15"
        },
        {
          "url": "https://github.com/spring-projects/spring-boot/releases/tag/v2.6.15"
        },
        {
          "url": "https://github.com/spring-projects/spring-boot/releases/tag/v2.7.12"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20883"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230703-0008/"
        },
        {
          "url": "https://spring.io/security/cve-2023-20883"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-20883"
        }
      ],
      "published": "2023-05-26T17:15:14+00:00",
      "updated": "2023-07-03T16:15:09+00:00",
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/[email protected]",
          "versions": [
            {
              "version": "2.3.0.RELEASE",
              "status": "affected"
            }
          ]
        }
      ]
    },
    {
      "id": "CVE-2023-6378",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 7.1,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.1,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        502
      ],
      "description": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n",
      "recommendation": "Upgrade ch.qos.logback:logback-classic to version 1.3.12, 1.4.12, 1.2.13; Upgrade ch.qos.logback:logback-core to version 1.3.12, 1.4.12, 1.2.13",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2023-6378"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2023-6378"
        },
        {
          "url": "https://github.com/qos-ch/logback"
        },
        {
          "url": "https://github.com/qos-ch/logback/commit/9c782b45be4abdafb7e17481e24e7354c2acd1eb"
        },
        {
          "url": "https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731"
        },
        {
          "url": "https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3"
        },
        {
          "url": "https://github.com/qos-ch/logback/issues/745#issuecomment-1836227158"
        },
        {
          "url": "https://logback.qos.ch/manual/receivers.html"
        },
        {
          "url": "https://logback.qos.ch/news.html#1.2.13"
        },
        {
          "url": "https://logback.qos.ch/news.html#1.3.12"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6378"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-6378"
        }
      ],
      "published": "2023-11-29T12:15:07+00:00",
      "updated": "2023-12-05T21:00:10+00:00",
      "affects": [
        {
          "ref": "pkg:maven/ch.qos.logback/[email protected]",
          "versions": [
            {
              "version": "1.2.3",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/ch.qos.logback/[email protected]",
          "versions": [
            {
              "version": "1.2.3",
              "status": "affected"
            }
          ]
        }
      ]
    },
    {
      "id": "CVE-2022-38751",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        787,
        121
      ],
      "description": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
      "recommendation": "Upgrade org.yaml:snakeyaml to version 1.31",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2022-38751"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2022-38751"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-47039"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/src/master/src/test/java/org/yaml/snakeyaml/issues/issue530/Fuzzy47039Test.java"
        },
        {
          "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38751"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
        },
        {
          "url": "https://security.gentoo.org/glsa/202305-28"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-5944-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
        }
      ],
      "published": "2022-09-05T10:15:09+00:00",
      "updated": "2023-05-21T22:15:13+00:00",
      "affects": [
        {
          "ref": "pkg:maven/org.yaml/[email protected]",
          "versions": [
            {
              "version": "1.26",
              "status": "affected"
            }
          ]
        }
      ]
    },
    {
      "id": "CVE-2022-38752",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ghsa"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        787,
        121
      ],
      "description": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.",
      "recommendation": "Upgrade org.yaml:snakeyaml to version 1.32",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2022-38752"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2022-38752"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081"
        },
        {
          "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38752"
        },
        {
          "url": "https://security.gentoo.org/glsa/202305-28"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-38752"
        }
      ],
      "published": "2022-09-05T10:15:09+00:00",
      "updated": "2023-05-21T22:15:13+00:00",
      "affects": [
        {
          "ref": "pkg:maven/org.yaml/[email protected]",
          "versions": [
            {
              "version": "1.26",
              "status": "affected"
            }
          ]
        }
      ]
    },
    {
      "id": "CVE-2022-41854",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ghsa"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        787,
        121
      ],
      "description": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.",
      "recommendation": "Upgrade org.yaml:snakeyaml to version 1.32",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2022-41854"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2022-41854"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/e230a1758842beec93d28eddfde568c21774780a"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/531/"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355"
        },
        {
          "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-41854"
        }
      ],
      "published": "2022-11-11T13:15:11+00:00",
      "updated": "2023-11-07T03:53:03+00:00",
      "affects": [
        {
          "ref": "pkg:maven/org.yaml/[email protected]",
          "versions": [
            {
              "version": "1.26",
              "status": "affected"
            }
          ]
        }
      ]
    },
    {
      "id": "CVE-2023-34055",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "description": "In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.\n\nSpecifically, an application is vulnerable when all of the following are true:\n\n  *  the application uses Spring MVC or Spring WebFlux\n  *  org.springframework.boot:spring-boot-actuator is on the classpath\n\n\n\n",
      "recommendation": "Upgrade org.springframework.boot:spring-boot to version 2.7.18, 3.0.13, 3.1.6",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2023-34055"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2023-34055"
        },
        {
          "url": "https://github.com/spring-projects/spring-boot"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34055"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20231221-0010/"
        },
        {
          "url": "https://spring.io/security/cve-2023-34055"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-34055"
        }
      ],
      "published": "2023-11-28T09:15:07+00:00",
      "updated": "2023-12-21T22:15:13+00:00",
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/[email protected]",
          "versions": [
            {
              "version": "2.3.0.RELEASE",
              "status": "affected"
            }
          ]
        }
      ]
    },
    {
      "id": "CVE-2022-25857",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ghsa"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        776
      ],
      "description": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.",
      "recommendation": "Upgrade org.yaml:snakeyaml to version 1.31",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2022-25857"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2022:6820"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2022-25857"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
        },
        {
          "url": "https://bugzilla.redhat.com/2126789"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857"
        },
        {
          "url": "https://errata.almalinux.org/8/ALSA-2022-6820.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2022:6820"
        },
        {
          "url": "https://github.com/snakeyaml/snakeyaml"
        },
        {
          "url": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2022-25857.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2022-6820.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
        },
        {
          "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-5944-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
        }
      ],
      "published": "2022-08-30T05:15:07+00:00",
      "updated": "2023-08-08T14:22:24+00:00",
      "affects": [
        {
          "ref": "pkg:maven/org.yaml/[email protected]",
          "versions": [
            {
              "version": "1.26",
              "status": "affected"
            }
          ]
        }
      ]
    }
  ]
}

Version

0.48.1

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

DmitriyLewen · 2024-01-09T10:20:12Z

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy does not identify certain imported pom files #5841

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

Select a reply

Trivy does not identify certain imported pom files #5841

ishapirovArnica Dec 29, 2023

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 1 comment

DmitriyLewen Jan 9, 2024 Maintainer

ishapirovArnica
Dec 29, 2023

DmitriyLewen
Jan 9, 2024
Maintainer