Trivy security scan failing for jmx_prometheus_javaagent-0.16.0.jar #618
Comments
This should not happen, as the whole purpose of the 0.16.0 release was to build a version with snakeyaml 1.29. I am not familiar with Trivy. Do you know why it concludes that snakeyaml 1.23 is in the JAR?
The link jmx_prometheus_javaagent_java6-0.16.0.jar referenced in https://github.com/prometheus/jmx_exporter/releases/tag/parent-0.16.0 returns a 404. Looking inside the supposed Java 7+ jar returns the following, which is probably what Trivy is looking at:
I removed the For reference: The metadata in Thanks for creating this issue.
I can confirm this has cleared the notice in trivy for me.
Since this has been resolved, I propose we close this issue.
Closing as resolved.
```text
jmx_prometheus_javaagent-0.16.0.jar
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+--------------------+------------------+----------+-------------------+---------------+
|      LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
+--------------------+------------------+----------+-------------------+---------------+
| org.yaml:snakeyaml | CVE-2017-18640   | HIGH     | 1.23              | 1.26          |
+--------------------+------------------+----------+-------------------+---------------+
```
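The thread concludes that the scanner was reading metadata embedded in the JAR rather than the shaded classes. The following added example (not code from the jmx_exporter project or from Trivy) lists the Maven coordinates a JAR declares in its `META-INF/maven/*/*/pom.properties` files and flags any entry older than a fixed version, so a maintainer can see exactly what a scanner will key off before publishing; it assumes Trivy uses these `pom.properties` files for Java library detection, and the sample JAR it builds is constructed, not the real release artifact.

```python
import io
import zipfile
from typing import Dict, List, Tuple

# Assumption: Trivy identifies Java libraries bundled in a JAR from the Maven
# metadata at META-INF/maven/<groupId>/<artifactId>/pom.properties, so a stale
# file there is reported even when the shaded classes come from a newer release.
POM_PREFIX = "META-INF/maven/"

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def embedded_coordinates(jar_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Every (groupId, artifactId, version) declared by a pom.properties in the JAR."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith(POM_PREFIX) and name.endswith("/pom.properties"):
                p = parse_properties(jar.read(name).decode("utf-8", "replace"))
                found.append((p.get("groupId", "?"), p.get("artifactId", "?"), p.get("version", "?")))
    return sorted(found)

def version_key(version: str) -> Tuple[int, ...]:
    """Order dotted numeric versions (1.23 < 1.26); non-numeric parts count as 0."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))

def below_fixed(coords, group: str, artifact: str, fixed: str) -> List[Tuple[str, str, str]]:
    """Declared entries for group:artifact that are older than the fixed version."""
    return [c for c in coords
            if c[0] == group and c[1] == artifact and version_key(c[2]) < version_key(fixed)]

def build_sample_jar() -> bytes:
    """Constructed sample: a 0.16.0 agent JAR still carrying a stale snakeyaml 1.23 pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/io.prometheus.jmx/jmx_prometheus_javaagent/pom.properties",
                     "groupId=io.prometheus.jmx\nartifactId=jmx_prometheus_javaagent\nversion=0.16.0\n")
        jar.writestr("META-INF/maven/org.yaml/snakeyaml/pom.properties",
                     "#Generated by Maven\ngroupId=org.yaml\nartifactId=snakeyaml\nversion=1.23\n")
    return buf.getvalue()
```

Running `below_fixed(embedded_coordinates(open("agent.jar", "rb").read()), "org.yaml", "snakeyaml", "1.26")` on a real shaded JAR reproduces the scanner's view of it; an empty list means no stale snakeyaml declaration remains.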