Trivy seems to create wrong library dependency

[dev-sca]

Description

My application has transitive dependency library named "jaxb-core" and I created SBOM with my application via "trivy fs ... --format cyclonedx -o cyclonedx.json"
but in SBOM, it's appeared to be a directive dependency on my application.

Desired Behavior

my application's library depends on "hibernate-core"
"hibernate-core" depends on "jaxb-runtime"
"jaxb-runtime" depends on "jaxb-core"

Actual Behavior

my application's library depneds on "hibernate-core"
my application's library depneds on "jaxb-core"

"hibernate-core" depends on "jaxb-runtime"

"jaxb-runtime" depends on nothing

Reproduction Steps

1. trivy.exe fs <my application pom.xml path> --format cyclonedx -o cyclonedx.json
2.
3.
...

Target

Filesystem

Scanner

None

Output Format

CycloneDX

Mode

Standalone

Debug Output

2025-02-28T15:14:18+09:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-28T15:14:18+09:00       DEBUG   Cache dir       dir="C:\\Users\\Yong\\AppData\\Local\\trivy"
2025-02-28T15:14:18+09:00       DEBUG   Cache dir       dir="C:\\Users\\Yong\\AppData\\Local\\trivy"
2025-02-28T15:14:18+09:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-28T15:14:18+09:00       DEBUG   Ignore statuses statuses=[]
2025-02-28T15:14:18+09:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-02-28T15:14:18+09:00       DEBUG   [pkg] Package types     types=[os library]
2025-02-28T15:14:18+09:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2025-02-28T15:14:18+09:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-02-28T15:14:18+09:00       DEBUG   Initializing scan cache...      type="memory"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="org.springframework.boot:spring-boot-starter-parent:3.0.2"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="org.springframework.boot:spring-boot-dependencies:3.0.2"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="org.springframework.boot:spring-boot-dependencies:3.0.2"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="org.springframework.boot:spring-boot-starter-parent:3.0.2"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="io.zipkin.brave" artifact_id="brave-bom" version="5.14.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="io.zipkin.reporter2" artifact_id="zipkin-reporter-bom" version="2.16.3"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="com.datastax.oss" artifact_id="java-driver-bom" version="4.15.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="io.dropwizard.metrics" artifact_id="metrics-bom" version="4.2.15"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="io.dropwizard.metrics:metrics-parent:4.2.15"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="io.dropwizard.metrics:metrics-parent:4.2.15"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.glassfish.jaxb" artifact_id="jaxb-bom" version="4.0.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="org.eclipse.ee4j:project:1.0.7"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="org.eclipse.ee4j:project:1.0.7"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.apache.groovy" artifact_id="groovy-bom" version="4.0.7"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.infinispan" artifact_id="infinispan-bom" version="14.0.6.Final"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="org.infinispan:infinispan-build-configuration-parent:14.0.6.Final"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="org.jboss:jboss-parent:39"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="org.jboss:jboss-parent:39"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="org.infinispan:infinispan-build-configuration-parent:14.0.6.Final"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson" artifact_id="jackson-bom" version="2.14.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.14"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:48"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:48"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.14"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.glassfish.jersey" artifact_id="jersey-bom" version="3.1.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="org.eclipse.ee4j:project:1.0.7"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="org.eclipse.ee4j:project:1.0.7"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.eclipse.jetty" artifact_id="jetty-bom" version="11.0.13"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.9.2"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.jetbrains.kotlin" artifact_id="kotlin-bom" version="1.7.22"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.jetbrains.kotlinx" artifact_id="kotlinx-coroutines-bom" version="1.6.4"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.apache.logging.log4j" artifact_id="log4j-bom" version="2.19.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="org.apache.logging:logging-parent:5"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:24"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:24"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="org.apache.logging:logging-parent:5"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="io.micrometer" artifact_id="micrometer-bom" version="1.10.3"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="io.micrometer" artifact_id="micrometer-tracing-bom" version="1.0.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.mockito" artifact_id="mockito-bom" version="4.8.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-bom" version="4.1.87.Final"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="com.squareup.okhttp3" artifact_id="okhttp-bom" version="4.10.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="io.opentelemetry" artifact_id="opentelemetry-bom" version="1.19.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="com.oracle.database.jdbc" artifact_id="ojdbc-bom" version="21.7.0.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="io.prometheus" artifact_id="simpleclient_bom" version="0.16.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="io.prometheus:parent:0.16.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="io.prometheus:parent:0.16.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="com.querydsl" artifact_id="querydsl-bom" version="5.0.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="io.projectreactor" artifact_id="reactor-bom" version="2022.0.2"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="io.rest-assured" artifact_id="rest-assured-bom" version="5.2.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="io.rsocket" artifact_id="rsocket-bom" version="1.1.3"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.springframework.batch" artifact_id="spring-batch-bom" version="5.0.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.springframework.data" artifact_id="spring-data-bom" version="2022.0.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.springframework" artifact_id="spring-framework-bom" version="6.0.4"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.springframework.integration" artifact_id="spring-integration-bom" version="6.0.2"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.springframework.restdocs" artifact_id="spring-restdocs-bom" version="3.0.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.springframework.security" artifact_id="spring-security-bom" version="6.0.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.springframework.session" artifact_id="spring-session-bom" version="3.0.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.springframework.ws" artifact_id="spring-ws-bom" version="4.0.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.hibernate" artifact_id="hibernate-core" version="5.4.1.Final"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.jboss.logging" artifact_id="jboss-logging" version="3.5.0.Final"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="org.jboss:jboss-parent:39"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="org.jboss:jboss-parent:39"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.8.2"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="javax.persistence" artifact_id="javax.persistence-api" version="2.2"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="net.java:jvnet-parent:5"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="net.java:jvnet-parent:5"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.javassist" artifact_id="javassist" version="3.24.0-GA"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="net.bytebuddy" artifact_id="byte-buddy" version="1.12.22"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="net.bytebuddy:byte-buddy-parent:1.12.22"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="net.bytebuddy:byte-buddy-parent:1.12.22"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="antlr" artifact_id="antlr" version="2.7.7"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.jboss.spec.javax.transaction" artifact_id="jboss-transaction-api_1.2_spec" version="1.1.1.Final"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="org.jboss:jboss-parent:25"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="org.jboss:jboss-parent:25"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.jboss" artifact_id="jandex" version="2.0.5.Final"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="org.jboss:jboss-parent:12"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="org.jboss:jboss-parent:12"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml" artifact_id="classmate" version="1.5.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:35"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:35"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="javax.activation" artifact_id="javax.activation-api" version="1.2.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="com.sun.activation:all:1.2.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="net.java:jvnet-parent:1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="net.java:jvnet-parent:1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="com.sun.activation:all:1.2.0"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.dom4j" artifact_id="dom4j" version="2.1.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.hibernate.common" artifact_id="hibernate-commons-annotations" version="5.1.0.Final"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="javax.xml.bind" artifact_id="jaxb-api" version="2.3.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="javax.xml.bind:jaxb-api-parent:2.3.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="net.java:jvnet-parent:5"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="net.java:jvnet-parent:5"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="javax.xml.bind:jaxb-api-parent:2.3.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Resolving...      group_id="org.glassfish.jaxb" artifact_id="jaxb-runtime" version="4.0.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="com.sun.xml.bind.mvn:jaxb-runtime-parent:4.0.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="com.sun.xml.bind.mvn:jaxb-parent:4.0.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="com.sun.xml.bind:jaxb-bom-ext:4.0.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="org.glassfish.jaxb:jaxb-bom:4.0.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Start parent      artifact="org.eclipse.ee4j:project:1.0.7"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="org.eclipse.ee4j:project:1.0.7"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="org.glassfish.jaxb:jaxb-bom:4.0.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="com.sun.xml.bind:jaxb-bom-ext:4.0.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="com.sun.xml.bind.mvn:jaxb-parent:4.0.1"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Exit parent       artifact="com.sun.xml.bind.mvn:jaxb-runtime-parent:4.0.1"
2025-02-28T15:14:18+09:00       WARN    [pom] Dependency version cannot be determined. Child dependencies will not be found.    details="https://aquasecurity.github.io/trivy/v0.57/docs/coverage/language/java#empty-dependency-version"
2025-02-28T15:14:18+09:00       DEBUG   [pom] Dependency version cannot be determined.  GroupID="org.glassfish.jaxb" ArtifactID="jaxb-core"
2025-02-28T15:14:18+09:00       DEBUG   OS is not detected.
2025-02-28T15:14:18+09:00       DEBUG   Detected OS: unknown
2025-02-28T15:14:18+09:00       INFO    Number of language-specific files       num=1
2025-02-28T15:14:18+09:00       DEBUG   [vex] VEX filtering is disabled

Operating System

Windows

Version

Version: 0.57.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-02-26 06:20:05.940824519 +0000 UTC
  NextUpdate: 2025-02-27 06:20:05.940824239 +0000 UTC
  DownloadedAt: 2025-02-26 09:00:06.0073408 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @dev-sca
Thanks for your report!

We need to see your pom.xml file (you can create a test file that reproduces this case) to understand the cause of the problem.

Regards, Dmitriy

[dev-sca]

here's my pom.xml.
thank you

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>3.0.2</version>
		<relativePath/> <!-- lookup parent from repository -->
	</parent>
	<groupId>com.watchtek.watchall</groupId>
	<artifactId>GuavaManager</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<name>GuavaManager</name>
	<description>WatchAll Guava Manager</description>
	<properties>
		<java.version>17</java.version>
		<aws.sdk.version>2.29.7</aws.sdk.version>
	</properties>

	<dependencies>
		<dependency>	
		   <groupId>org.hibernate</groupId>
		   <artifactId>hibernate-core</artifactId>
		   <version>5.4.1.Final</version>
		</dependency>	

	</dependencies>

	<build>
		<resources>
			<resource>
				<directory>src/main/resources</directory>
				<excludes>
					<exclude>**/*.java</exclude>
				</excludes>
			</resource>
			<resource>
				<directory>src/main/java</directory>
				<includes>
					<include>**/*.xml</include>
				</includes>
			</resource>
		</resources>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
			<plugin>
				<groupId>org.apache.maven.plugins</groupId>
				<artifactId>maven-compiler-plugin</artifactId>
				<configuration>
					<source>17</source>
					<target>17</target>
				</configuration>
			</plugin>
			<plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-dependency-plugin</artifactId>
            <configuration>
                <outputDirectory>${project.build.directory}/lib</outputDirectory>
                <excludeTransitive>false</excludeTransitive> 
                <stripVersion>false</stripVersion>
            </configuration>
            <executions>
                <execution>
                    <id>copy-dependencies</id>
                    <phase>package</phase>
                    <goals>
                        <goal>copy-dependencies</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
        <!-- Add LIB folder to classPath -->
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-jar-plugin</artifactId>
            <version>2.4</version>
            <configuration>
                <archive>
                    <manifest>
                        <addClasspath>true</addClasspath>
                        <classpathPrefix>lib/</classpathPrefix>
                    </manifest>
                </archive>
            </configuration>
        </plugin>
		</plugins>
	</build>

</project>

[DmitriyLewen]

Thanks!
v0.59.1 correctly builds dependency tree:

    {
      "ref": "pkg:maven/com.watchtek.watchall/GuavaManager@0.0.1-SNAPSHOT",
      "dependsOn": [
        "pkg:maven/org.hibernate/hibernate-core@5.4.1.Final"
      ]
    },
    {
      "ref": "pkg:maven/org.hibernate/hibernate-core@5.4.1.Final",
      "dependsOn": [
        "pkg:maven/antlr/antlr@2.7.7",
        "pkg:maven/com.fasterxml/classmate@1.5.1",
        "pkg:maven/javax.activation/javax.activation-api@1.2.0",
        "pkg:maven/javax.persistence/javax.persistence-api@2.2",
        "pkg:maven/javax.xml.bind/jaxb-api@2.3.1",
        "pkg:maven/net.bytebuddy/byte-buddy@1.12.22",
        "pkg:maven/org.dom4j/dom4j@2.1.1",
        "pkg:maven/org.glassfish.jaxb/jaxb-runtime@4.0.1",
        "pkg:maven/org.hibernate.common/hibernate-commons-annotations@5.1.0.Final",
        "pkg:maven/org.javassist/javassist@3.24.0-GA",
        "pkg:maven/org.jboss.logging/jboss-logging@3.5.0.Final",
        "pkg:maven/org.jboss.spec.javax.transaction/jboss-transaction-api_1.2_spec@1.1.1.Final",
        "pkg:maven/org.jboss/jandex@2.0.5.Final"
      ]
    },
    {
      "ref": "pkg:maven/org.glassfish.jaxb/jaxb-runtime@4.0.1",
      "dependsOn": [
        "pkg:maven/org.glassfish.jaxb/jaxb-core@4.0.1"
      ]
    },

Can you try to use v0.59.1?