TrivyAnalysisTaskIntegrationTest#test fails with Trivy v0.51.2 (#3737)
Comments
Not a regression, but an API change: aquasecurity/trivy#6633
Following this rename in our code here: dependency-track/src/main/java/org/dependencytrack/parser/trivy/model/Application.java (lines 23 to 25 in e87c5cc) makes the test pass again. Question is how we deal with this. Updating to 0.51.2 behavior will break things for users with older Trivy versions.
`Application#libraries` has been renamed to `Application#packages` in Trivy 0.51.2. The `Library` type no longer exists. It's not possible to tell the Trivy version based on its API. To work around this, we now send both the `packages` and `libraries` fields with redundant information. Fields that the API does not expect are silently ignored. Fixes DependencyTrack#3737 Signed-off-by: nscuro <[email protected]>
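The workaround described in the commit message above, as an added Python model (not Dependency-Track's Java code and not Trivy's API): the client writes the same package list under both the new `packages` key and the old `libraries` key, and a consumer that decodes only the key it knows silently drops the other. The lowercase JSON key names, the `type`/`filePath` fields and the sample package versions are constructed assumptions for illustration. The strict decoder at the end shows the one condition under which this workaround breaks: a consumer that rejects unknown fields.

```python
import json

# Constructed sample input: the packages the client would submit for one application.
# Coordinates and versions are made up for the example.
SAMPLE_PACKAGES = [
    {"name": "com.fasterxml.woodstox:woodstox-core", "version": "5.0.0"},
    {"name": "org.yaml:snakeyaml", "version": "1.33"},
]


def build_application_payload(app_type: str, file_path: str, packages: list[dict]) -> str:
    """Serialize an Application the way the fix does: the same package list is written
    under both the new key ("packages", Trivy >= 0.51.2) and the old key ("libraries",
    Trivy <= 0.51.1), because the client cannot learn the server version from the API.
    Key names and casing are an assumption of this example."""
    pkgs = [{"name": p["name"], "version": p["version"]} for p in packages]
    doc = {"type": app_type, "filePath": file_path, "packages": pkgs, "libraries": pkgs}
    return json.dumps(doc)


def read_as_lenient_consumer(payload: str, key: str) -> list[str]:
    """Model of a consumer that decodes only the key it knows and ignores the rest,
    which is the default behaviour of Go's encoding/json and of Gson. Pass
    key="libraries" for the pre-0.51.2 schema and key="packages" for the new one."""
    doc = json.loads(payload)
    return [f"{p['name']}@{p['version']}" for p in doc.get(key, [])]


def read_as_strict_consumer(payload: str, known_keys: set[str]) -> list[str]:
    """Model of a consumer that rejects unknown fields (for example a Go decoder with
    DisallowUnknownFields enabled). With such a consumer the redundant field is no
    longer harmless and the request is refused outright."""
    doc = json.loads(payload)
    unknown = set(doc) - known_keys
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    key = "packages" if "packages" in known_keys else "libraries"
    return [f"{p['name']}@{p['version']}" for p in doc[key]]


def redundant_fields_consistent(payload: str) -> bool:
    """Check worth keeping in a unit test while both keys are emitted: any drift
    between them means the serializer was changed for one schema only."""
    doc = json.loads(payload)
    return doc.get("packages") == doc.get("libraries")


if __name__ == "__main__":
    payload = build_application_payload("jar", "app.jar", SAMPLE_PACKAGES)
    print("old schema sees:", read_as_lenient_consumer(payload, "libraries"))
    print("new schema sees:", read_as_lenient_consumer(payload, "packages"))
    print("consistent:", redundant_fields_consistent(payload))
    try:
        read_as_strict_consumer(payload, {"type", "filePath", "packages"})
    except ValueError as exc:
        print("strict decoder rejected payload:", exc)
```

Both lenient readers recover the same package list from one request, which is all the fix relies on. The `redundant_fields_consistent` check is the kind of assertion that belongs next to the serializer for as long as the duplicated field is kept, since nothing else guards against the two copies diverging.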
Current Behavior
Trivy v0.51.2 was released today, and since our integration tests run against Trivy's `latest` tag, they picked up the new release. The test asserting for vulnerabilities in `woodstox-core` is failing. Trivy no longer reports vulnerabilities for it. dependency-track/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskIntegrationTest.java (lines 92 to 127 in e87c5cc)
The test succeeds when pinning Trivy to v0.51.1. Looks like a regression in Trivy.
Steps to Reproduce
TrivyAnalysisTaskIntegrationTest#test
Expected Behavior
The test should not fail.
Dependency-Track Version
4.12.0-SNAPSHOT
Dependency-Track Distribution
Container Image, Executable WAR
Database Server
N/A
Database Server Version
No response
Browser
N/A