Replies: 1 comment
Hello @mjia265

The However, this flag does not display omitted dependencies in the dependency tree.

Regards,
Dmitriy
Question
Trivy fs is currently showing vulnerabilities for dependencies that are excluded from a pom. For example, when running against this dependency in a pom.xml:

```xml
<dependency>
  <groupId>io.github.hakky54</groupId>
  <artifactId>sslcontext-kickstart-for-netty</artifactId>
  <version>8.3.6</version>
</dependency>
```

https://repo1.maven.org/maven2/io/github/hakky54/sslcontext-kickstart-for-netty/8.3.6/sslcontext-kickstart-for-netty-8.3.6.pom
I'm getting
```
Dependency Origin Tree (Reversed)
pom.xml
├── io.netty.incubator:netty-incubator-codec-quic:0.0.20.Final, (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
│   └── ...(omitted)...
│       └── io.github.hakky54:sslcontext-kickstart-for-netty:8.3.6
├── io.netty:netty-codec:4.1.70.Final, (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
│   └── ...(omitted)...
│       └── io.github.hakky54:sslcontext-kickstart-for-netty:8.3.6
├── io.netty:netty-codec-http:4.1.70.Final, (UNKNOWN: 0, LOW: 1, MEDIUM: 3, HIGH: 0, CRITICAL: 0)
│   └── ...(omitted)...
│       └── io.github.hakky54:sslcontext-kickstart-for-netty:8.3.6
├── io.netty:netty-codec-http2:4.1.70.Final, (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
│   └── io.github.hakky54:sslcontext-kickstart-for-netty:8.3.6
├── io.netty:netty-common:4.1.70.Final, (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
│   └── ...(omitted)...
│       └── io.github.hakky54:sslcontext-kickstart-for-netty:8.3.6
├── io.netty:netty-handler:4.1.70.Final, (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
│   └── ...(omitted)...
│       └── io.github.hakky54:sslcontext-kickstart-for-netty:8.3.6
├── io.projectreactor.netty:reactor-netty-core:1.0.13, (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
│   └── ...(omitted)...
│       └── io.github.hakky54:sslcontext-kickstart-for-netty:8.3.6
└── io.projectreactor.netty:reactor-netty-http:1.0.13, (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)
    └── ...(omitted)...
        └── io.github.hakky54:sslcontext-kickstart-for-netty:8.3.6
```
for

```
trivy fs --scanners vuln --dependency-tree pom.xml
```

which can include this vuln:

| Library | Vulnerability | Installed Version | Fixed Version | Title |
|---|---|---|---|---|
| io.netty:netty-codec | CVE-2025-58057 | 4.1.70.Final | 4.1.125.Final | netty-codec: netty-codec-compression: Netty's BrotliDecoder is vulnerable to DoS via zip bomb style... https://avd.aquasec.com/nvd/cve-2025-58057 |

Is this expected? Or is this an issue with improper flagging on my end?
Target: Filesystem
Scanner: Vulnerability
Output Format: JSON
Mode: Standalone
Operating System: mac
Version:
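A practical way to triage findings like the one in the post is to compare the packages Trivy flags in pom.xml with the dependency graph Maven actually resolves for the build (`mvn dependency:tree`, which is computed after `<exclusions>`, `<optional>` and scopes are applied). The script below is an added example, not code from the Trivy project or from the poster. It assumes the field names of Trivy's JSON report (`Results[].Type`, `Results[].Vulnerabilities[].PkgName`, `InstalledVersion`, `VulnerabilityID`); the Trivy report and both Maven tree samples are constructed inline, using the CVE and versions shown above plus a hypothetical project `com.example:app` and sample child artifacts. It goes slightly beyond the single case in the post: it handles any number of flagged packages and also reports when Maven resolves a different version than the one Trivy scanned.

```python
"""Cross-check Trivy's pom.xml findings against what `mvn dependency:tree` resolves."""
import json
import re
from typing import Dict

# Constructed Trivy JSON report (shape of `trivy fs --scanners vuln -f json pom.xml`),
# trimmed to the fields this check reads. Package, CVE and versions are the ones from
# the post above; severity, status and title are omitted.
TRIVY_REPORT = json.loads("""
{
  "Results": [
    {
      "Target": "pom.xml",
      "Class": "lang-pkgs",
      "Type": "pom",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2025-58057",
          "PkgName": "io.netty:netty-codec",
          "InstalledVersion": "4.1.70.Final",
          "FixedVersion": "4.1.125.Final"
        }
      ]
    }
  ]
}
""")

# Constructed `mvn dependency:tree` output for a hypothetical project (com.example:app)
# whose pom excludes io.netty:netty-codec under sslcontext-kickstart-for-netty.
# The child artifacts and their versions are sample data, not the real transitive graph.
MAVEN_TREE_EXCLUDED = r"""
[INFO] com.example:app:jar:1.0-SNAPSHOT
[INFO] \- io.github.hakky54:sslcontext-kickstart-for-netty:jar:8.3.6:compile
[INFO]    +- io.github.hakky54:sslcontext-kickstart:jar:8.3.6:compile
[INFO]    \- io.netty:netty-handler:jar:4.1.70.Final:compile
"""

# Same constructed project without the exclusion: Maven pulls netty-codec in at the
# version Trivy scanned.
MAVEN_TREE_RESOLVED = MAVEN_TREE_EXCLUDED + \
    "[INFO]       \\- io.netty:netty-codec:jar:4.1.70.Final:compile\n"

# Maven prints each dependency node as groupId:artifactId:type[:classifier]:version:scope
# (5 or 6 colon-separated segments). The root project line has no scope and is skipped.
MAVEN_NODE = re.compile(r"[\w.\-]+(?::[\w.\-]+){4,5}(?=\s|$)")


def resolved_versions(tree_text: str) -> Dict[str, str]:
    """Map 'groupId:artifactId' -> version for every dependency Maven resolves."""
    versions: Dict[str, str] = {}
    for line in tree_text.splitlines():
        match = MAVEN_NODE.search(line)
        if not match:
            continue
        parts = match.group(0).split(":")
        group, artifact, version = parts[0], parts[1], parts[-2]  # scope is always last
        versions[f"{group}:{artifact}"] = version
    return versions


def flagged_packages(report: dict) -> Dict[str, dict]:
    """Map PkgName -> {'version': InstalledVersion, 'ids': [CVE ids]} over all pom results."""
    flagged: Dict[str, dict] = {}
    for result in report.get("Results", []):
        if result.get("Type") != "pom":
            continue
        for vuln in result.get("Vulnerabilities") or []:
            entry = flagged.setdefault(
                vuln["PkgName"], {"version": vuln["InstalledVersion"], "ids": []})
            entry["ids"].append(vuln["VulnerabilityID"])
    return flagged


def triage(report: dict, maven_tree: str) -> Dict[str, str]:
    """Classify each package Trivy flagged against the build's resolved graph:
      'not-resolved'      Maven never resolves it (exclusion, optional, or out of scope), so
                          the scanned artifact is not on this build's classpath; verify
                          before treating the finding as shipped code
      'resolved-same'     Maven resolves exactly the version Trivy scanned
      'resolved-other:V'  Maven resolves version V instead; re-check V against the fix
    """
    resolved = resolved_versions(maven_tree)
    verdicts: Dict[str, str] = {}
    for pkg, info in flagged_packages(report).items():
        found = resolved.get(pkg)
        if found is None:
            verdicts[pkg] = "not-resolved"
        elif found == info["version"]:
            verdicts[pkg] = "resolved-same"
        else:
            verdicts[pkg] = f"resolved-other:{found}"
    return verdicts


if __name__ == "__main__":
    for label, tree in (("with exclusion", MAVEN_TREE_EXCLUDED),
                        ("without exclusion", MAVEN_TREE_RESOLVED)):
        print(label, triage(TRIVY_REPORT, tree))
```

Against a real project, feed it `trivy fs --scanners vuln -f json -o trivy.json pom.xml` and `mvn dependency:tree -DoutputFile=tree.txt`. A `not-resolved` verdict only tells you that Trivy's reading of the pom and Maven's resolution disagree; it is the cue to confirm which artifacts actually land in the build before suppressing or escalating the finding.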