
trivy: follow-up about having maven-invoker-plugin integration tests skipped by default. #228

Closed
codefromthecrypt opened this issue Dec 14, 2023 · 0 comments · Fixed by #262
@codefromthecrypt (Member)

Describe the Bug

Currently, trivy reports vulnerabilities in intentionally old dependencies used in maven-invoker-plugin by default. While we can configure our setup to skip these tests, it can introduce FUD (fear, uncertainty and doubt) in folks who run trivy on their own and don't know about the src/it pattern used in integration testing.

Here is the discussion, which has resulted so far in progress: a workaround to manually skip, like so:

$ trivy -q --skip-files "**/src/it/*/pom.xml" repo https://github.com/openzipkin/zipkin-reporter-java

Steps to Reproduce

$ trivy -q repo https://github.com/openzipkin/zipkin-reporter-java

amqp-client/src/it/amqp_v4/pom.xml (pom)

Total: 6 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 1, CRITICAL: 2)

┌─────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────────────┬───────────────────────┬──────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Status │     Installed Version     │     Fixed Version     │                            Title                             │
├─────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────────────┼───────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.rabbitmq:amqp-client            │ CVE-2018-11087 │ MEDIUM   │ fixed  │ @old-amqp-client.version@ │ 4.8.0, 5.4.0          │ Moderate severity vulnerability that affects                 │
│                                     │                │          │        │                           │                       │ com.rabbitmq:amqp-client and                                 │
│                                     │                │          │        │                           │                       │ org.springframework.amqp:spring-amqp                         │
│                                     │                │          │        │                           │                       │ https://avd.aquasec.com/nvd/cve-2018-11087                   │
│                                     ├────────────────┤          │        │                           ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2023-46120 │          │        │                           │ 5.18.0                │ RabbitMQ Java client's Lack of Message Size Limitation leads │
│                                     │                │          │        │                           │                       │ to Remote DoS...                                             │
│                                     │                │          │        │                           │                       │ https://avd.aquasec.com/nvd/cve-2023-46120                   │
├─────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────────────┼───────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.logging.log4j:log4j-core │ CVE-2021-44228 │ CRITICAL │        │ @log4j.version@           │ 2.15.0, 2.3.1, 2.12.2 │ Remote code execution in Log4j 2.x when logs contain an      │
│                                     │                │          │        │                           │                       │ attacker-controlled string...                                │
│                                     │                │          │        │                           │                       │ https://avd.aquasec.com/nvd/cve-2021-44228                   │
│                                     ├────────────────┤          │        │                           ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-45046 │          │        │                           │ 2.16.0, 2.12.2        │ log4j-core: DoS in log4j 2.x with thread context message     │
│                                     │                │          │        │                           │                       │ pattern and context...                                       │
│                                     │                │          │        │                           │                       │ https://avd.aquasec.com/nvd/cve-2021-45046                   │
│                                     ├────────────────┼──────────┤        │                           ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-45105 │ HIGH     │        │                           │ 2.12.3, 2.17.0, 2.3.1 │ log4j-core: DoS in log4j 2.x with Thread Context Map (MDC)   │
│                                     │                │          │        │                           │                       │ input data...                                                │
│                                     │                │          │        │                           │                       │ https://avd.aquasec.com/nvd/cve-2021-45105                   │
│                                     ├────────────────┼──────────┤        │                           ├───────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2020-9488  │ LOW      │        │                           │ 2.13.2                │ improper validation of certificate with host mismatch in     │
│                                     │                │          │        │                           │                       │ SMTP appender                                                │
│                                     │                │          │        │                           │                       │ https://avd.aquasec.com/nvd/cve-2020-9488                    │
└─────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────────────┴───────────────────────┴──────────────────────────────────────────────────────────────┘

okhttp3/src/it/okhttp3_v3/pom.xml (pom)

Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 2)

┌─────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Status │ Installed Version │     Fixed Version     │                           Title                            │
├─────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼────────────────────────────────────────────────────────────┤
│ org.apache.logging.log4j:log4j-core │ CVE-2021-44228 │ CRITICAL │ fixed  │ @log4j.version@   │ 2.15.0, 2.3.1, 2.12.2 │ Remote code execution in Log4j 2.x when logs contain an    │
│                                     │                │          │        │                   │                       │ attacker-controlled string...                              │
│                                     │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-44228                 │
│                                     ├────────────────┤          │        │                   ├───────────────────────┼────────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-45046 │          │        │                   │ 2.16.0, 2.12.2        │ log4j-core: DoS in log4j 2.x with thread context message   │
│                                     │                │          │        │                   │                       │ pattern and context...                                     │
│                                     │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-45046                 │
│                                     ├────────────────┼──────────┤        │                   ├───────────────────────┼────────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-45105 │ HIGH     │        │                   │ 2.12.3, 2.17.0, 2.3.1 │ log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) │
│                                     │                │          │        │                   │                       │ input data...                                              │
│                                     │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-45105                 │
│                                     ├────────────────┼──────────┤        │                   ├───────────────────────┼────────────────────────────────────────────────────────────┤
│                                     │ CVE-2020-9488  │ LOW      │        │                   │ 2.13.2                │ improper validation of certificate with host mismatch in   │
│                                     │                │          │        │                   │                       │ SMTP appender                                              │
│                                     │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2020-9488                  │
└─────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴────────────────────────────────────────────────────────────┘

Expected Behaviour

I would expect no output, as I personally believe maven-invoker-plugin should be detectable; that way, doing good practice like testing with old versions for the sake of compatibility won't look like a bad thing by default.
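A small classifier for the two signals visible in the report above (the src/it/<test>/pom.xml layout that the `--skip-files` glob targets, and unresolved `@token@` versions that maven-invoker-plugin fills in at test time), as an added example that is not part of this issue, of trivy, or of zipkin-reporter-java; the sample pom is constructed to mirror the amqp_v4 entry, and every pom is assumed to declare the standard Maven namespace.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Maven POM namespace (assumed on every pom we classify).
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# maven-invoker-plugin's default filter delimiters are @...@, so a version
# still in that form was never resolved: the pom is a test template, not a
# description of anything that ships.
PLACEHOLDER = re.compile(r"^@[^@]+@$")


def is_invoker_it_path(path: str) -> bool:
    """True for <module>/src/it/<test>/pom.xml, i.e. the **/src/it/*/pom.xml glob."""
    parts = PurePosixPath(path).parts
    return len(parts) >= 4 and parts[-1] == "pom.xml" and parts[-4:-2] == ("src", "it")


def placeholder_versions(pom_text: str) -> list:
    """(groupId:artifactId, version) for dependencies whose version is unresolved."""
    found = []
    for dep in ET.fromstring(pom_text).iterfind(".//m:dependency", NS):
        ver = dep.findtext("m:version", "", NS).strip()
        if PLACEHOLDER.match(ver):
            ga = dep.findtext("m:groupId", "", NS) + ":" + dep.findtext("m:artifactId", "", NS)
            found.append((ga, ver))
    return found


def classify(path: str, pom_text: str) -> str:
    """'invoker-it' when either signal fires (candidate for skipping), else 'scan'."""
    if is_invoker_it_path(path) or placeholder_versions(pom_text):
        return "invoker-it"
    return "scan"


# Constructed sample mirroring the amqp-client/src/it/amqp_v4/pom.xml entry above.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.rabbitmq</groupId>
      <artifactId>amqp-client</artifactId>
      <version>@old-amqp-client.version@</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>@log4j.version@</version>
    </dependency>
  </dependencies>
</project>"""
```

Either signal alone is enough to flag a pom; the placeholder check also catches invoker fixtures kept outside the conventional src/it directory.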
