Support for Java Spring Boot application JAR files #4569
Replies: 2 comments 2 replies
Is this part of the Problem:
There is an issue open for that (though specific to VM commands), #4548. However, for Java applications, it should be able to scan the JAR: https://aquasecurity.github.io/trivy/v0.42/docs/scanner/vulnerability/language/java/#jarwarparear @masahiro331 can maybe provide more information (maybe for me) -- why should trivy detect JAR files in Java applications but cannot find them in Spring Boot applications?

@phoenixadb
Description
Hello,
I recently discovered an issue related to the JAR scan included inside containers in the case of Java Spring Boot applications.
Indeed, it doesn't detect the embedded libraries inside the JAR which are dependencies of the Java Spring Boot application.
The problem seems to come from the parser used: https://github.com/aquasecurity/go-dep-parser/blob/main/pkg/java/jar/parse.go
The parser seems designed to scan standard JAR files (specifications: https://docs.oracle.com/en/java/javase/20/docs/specs/jar/jar.html)
but doesn't scan Spring Boot applications (specifications: https://docs.spring.io/spring-boot/docs/current/reference/html/executable-jar.html).
As you can see, the embedded libraries are inside the BOOT-INF/lib directory, which is not scanned by the parser.
The solution would be to scan this directory to add the dependencies.
Problem identified from 0.36.0 to 0.42.0 (the other versions have not been tested).
Target: Container Image
Scanner: Vulnerability
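To make the layout difference concrete, the following is an added Go example (not Trivy's or go-dep-parser's code) that builds a minimal Spring Boot executable JAR in memory and scans it two ways: looking at the outer archive only, which finds nothing, and recursing into BOOT-INF/lib (and WEB-INF/lib for executable WARs), which finds the bundled dependency via its Maven pom.properties. The archive contents, the org.example:demo-lib:1.2.3 artifact, the app.jar name and the maxDepth guard are all constructed for this example and are not taken from the thread or the project.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Dependency is one Maven artifact; Location uses "!" between nesting levels.
type Dependency struct{ GroupID, ArtifactID, Version, Location string }

// isNestedLib matches the Spring Boot executable-archive layout:
// BOOT-INF/lib/*.jar for executable JARs, WEB-INF/lib/*.jar for executable WARs.
func isNestedLib(name string) bool {
	dir := path.Dir(name)
	return strings.HasSuffix(name, ".jar") && (dir == "BOOT-INF/lib" || dir == "WEB-INF/lib")
}

// parsePomProperties reads groupId/artifactId/version from a Maven pom.properties file.
func parsePomProperties(data []byte) (group, artifact, version string) {
	props := map[string]string{}
	for _, line := range strings.Split(string(data), "\n") {
		if key, val, ok := strings.Cut(strings.TrimSpace(line), "="); ok && !strings.HasPrefix(key, "#") {
			props[key] = val
		}
	}
	return props["groupId"], props["artifactId"], props["version"]
}

// ScanJar lists Maven artifacts in an in-memory JAR. maxDepth=0 inspects only the
// outer archive (the behaviour that misses Spring Boot dependencies); a positive
// maxDepth also descends into nested libraries, bounded so a crafted archive
// cannot force unbounded unpacking (hypothetical guard, not the project's).
func ScanJar(data []byte, location string, maxDepth int) ([]Dependency, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, fmt.Errorf("%s: %w", location, err)
	}
	var deps []Dependency
	for _, f := range zr.File {
		isPom := strings.HasPrefix(f.Name, "META-INF/maven/") && path.Base(f.Name) == "pom.properties"
		if !isPom && !(maxDepth > 0 && isNestedLib(f.Name)) {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		b, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		if isPom {
			g, a, v := parsePomProperties(b)
			deps = append(deps, Dependency{g, a, v, location})
			continue
		}
		sub, err := ScanJar(b, location+"!"+f.Name, maxDepth-1)
		if err != nil {
			return nil, err
		}
		deps = append(deps, sub...)
	}
	return deps, nil
}

// buildJar assembles a zip from name->content pairs. Everything is stored
// uncompressed; Spring Boot's loader requires that for the nested JARs.
func buildJar(entries map[string][]byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, content := range entries {
		w, err := zw.CreateHeader(&zip.FileHeader{Name: name, Method: zip.Store})
		if err != nil {
			panic(err)
		}
		_, _ = w.Write(content) // writes to an in-memory buffer cannot fail
	}
	_ = zw.Close()
	return buf.Bytes()
}

// SampleSpringBootJar constructs (for this example only) a minimal executable JAR in
// the Spring Boot layout, bundling the hypothetical org.example:demo-lib:1.2.3.
func SampleSpringBootJar() []byte {
	lib := buildJar(map[string][]byte{
		"META-INF/maven/org.example/demo-lib/pom.properties": []byte("#Generated by Maven\ngroupId=org.example\nartifactId=demo-lib\nversion=1.2.3\n"),
	})
	return buildJar(map[string][]byte{
		"META-INF/MANIFEST.MF":                   []byte("Manifest-Version: 1.0\nMain-Class: org.springframework.boot.loader.JarLauncher\nStart-Class: com.example.App\n"),
		"BOOT-INF/classes/com/example/App.class": {0xCA, 0xFE, 0xBA, 0xBE},
		"BOOT-INF/lib/demo-lib-1.2.3.jar":        lib,
	})
}

func main() {
	outerOnly, _ := ScanJar(SampleSpringBootJar(), "app.jar", 0)
	recursive, _ := ScanJar(SampleSpringBootJar(), "app.jar", 2)
	fmt.Printf("outer only: %v\nrecursive:  %v\n", outerOnly, recursive)
}
```

Running it shows the outer-only scan returning no dependencies for exactly the reason described in the post, while the recursive scan reports demo-lib with a location of app.jar!BOOT-INF/lib/demo-lib-1.2.3.jar. The depth bound matters in a scanner that accepts untrusted images: nested archives are the classic way to make an unpacker consume unbounded memory, so recursion should always be capped.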