Bug Report: Trivy fails to detect multi-module Gradle projects

[brain-zone]

Description

Bug Report: Trivy fails to detect multi-module Gradle projects

Version

Version: 0.67.2
Vulnerability DB:
  Version: 2

root/
[settings.gradle](http://github.matrix.net/repos/repo0)          # defines multi-module setup
gradlew
[gradlew.bat](http://github.matrix.net/repos/repo0)
module1/
  [build.gradle](http://github.matrix.net/repos/module1)
  src/
    main/
      java/
module2/
  [build.gradle](http://github.matrix.net/repos/module2)
  src/
    main/
      java/
commons/
  commons-lib1/
    [build.gradle](http://github.matrix.net/repos/commons-lib1)
    src/
      main/
        java/
  commons-lib2/
    [build.gradle](http://github.matrix.net/repos/commons-lib2)
    src/
      main/
        java/

Steps to Reproduce

1. Create a multi-module Gradle project with the above structure
2. Run: trivy repo --skip-db-update --offline-scan --scanners vuln,misconfig,secret,license .

Actual Output

...
INFO	Number of language-specific files	num=0
INFO	Detected config files	num=0
...

Expected Output

• Trivy should detect Gradle build files as configuration files
• Should identify Java source files as language-specific files
• Should perform vulnerability scanning on the Gradle dependencies

Additional Context

• trivy rootfs successfully detects and scans the built artifacts
• This suggests the issue is specifically with source/repository scanning
• Project uses standard Gradle multi-module conventions
• All build files are valid and project builds successfully

Impact

• This affects the ability to:

1. Scan source code for vulnerabilities
2. Detect misconfigurations in build files
3. Perform complete security a

Desired Behavior

Expected Output

• Trivy should detect Gradle build files as configuration files
• Should identify Java source files as language-specific files
• Should perform vulnerability scanning on the Gradle dependencies

Actual Behavior

Actual Output

...
INFO	Number of language-specific files	num=0
INFO	Detected config files	num=0
...

Reproduction Steps

1. Create a multi-module Gradle project with the above structure
1. Run: `trivy repo --skip-db-update --offline-scan --scanners vuln,misconfig,secret,license . `

Target

Filesystem

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

Disllowed owing to IP restrictions.

Operating System

macOS Ventura

Version

Version: 0.67.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-11-01 18:34:55.71579407 +0000 UTC
  NextUpdate: 2025-11-02 18:34:55.715793469 +0000 UTC
  DownloadedAt: 2025-11-01 19:02:26.210305 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @brain-zone
Thanks for your interest to Trivy!

settings.gradle # defines multi-module setup
gradlew
gradlew.bat
module1/
build.gradle

IIUC your project contains *.gradle, *.java, and other files, but doesn’t include a gradle.lock file.

Trivy supports only the lock file for Gradle and doesn’t scan source code files:
https://trivy.dev/latest/docs/coverage/language/java/

That’s why Trivy doesn’t show vulnerabilities for the project,
but it does show vulnerabilities for built JAR files (because Trivy supports them).

Regards, Dmitriy