From 931c507d1a9ecc81263df411903bf80dfcd827f0 Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Tue, 3 Sep 2024 14:28:49 +0600
Subject: [PATCH] feat(java): add `test` scope support for `pom.xml` files
(#7414)
---
docs/docs/coverage/language/java.md | 18 ++++++++----
pkg/dependency/parser/java/pom/artifact.go | 1 +
pkg/dependency/parser/java/pom/parse.go | 4 ++-
pkg/dependency/parser/java/pom/parse_test.go | 28 +++++++++++++++++++
pkg/dependency/parser/java/pom/pom.go | 1 +
.../parser/java/pom/testdata/happy/pom.xml | 6 ++++
6 files changed, 51 insertions(+), 7 deletions(-)
diff --git a/docs/docs/coverage/language/java.md b/docs/docs/coverage/language/java.md
index 67cd8c135b9d..26bad288e552 100644
--- a/docs/docs/coverage/language/java.md
+++ b/docs/docs/coverage/language/java.md
@@ -12,12 +12,12 @@ Each artifact supports the following scanners:
The following table provides an outline of the features Trivy offers.
-| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
-|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
-| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - | Not needed |
-| pom.xml | Maven repository [^1] | Exclude | ✓ | ✓[^7] | - |
-| *gradle.lockfile | - | Exclude | ✓ | ✓ | Not needed |
-| *.sbt.lock | - | Exclude | - | ✓ | Not needed |
+| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
+|------------------|:---------------------:|:------------------:|:------------------------------------:|:--------:|:----------------------------------------:|
+| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - | Not needed |
+| pom.xml | Maven repository [^1] | [Exclude](#scopes) | ✓ | ✓[^7] | - |
+| *gradle.lockfile | - | Exclude | ✓ | ✓ | Not needed |
+| *.sbt.lock | - | Exclude | - | ✓ | Not needed |
These may be enabled or disabled depending on the target.
See [here](./index.md) for the detail.
@@ -69,6 +69,11 @@ The vulnerability database will be downloaded anyway.
!!! Warning
Trivy may skip some dependencies (that were not found on your local machine) when the `--offline-scan` flag is passed.
+### scopes
+Trivy supports `runtime`, `compile`, `test` and `import` (for `dependencyManagement`) [dependency scopes][dependency-scopes].
+Dependencies without scope are also detected.
+
+By default, Trivy doesn't report dependencies with `test` scope. Use the `--include-dev-deps` flag to include them.
### maven-invoker-plugin
Typically, the integration tests directory (`**/[src|target]/it/*/pom.xml`) of [maven-invoker-plugin][maven-invoker-plugin] doesn't contain actual `pom.xml` files and should be skipped to avoid noise.
@@ -120,3 +125,4 @@ Make sure that you have cache[^8] directory to find licenses from `*.pom` depend
[maven-pom-repos]: https://maven.apache.org/settings.html#repositories
[sbt-dependency-lock]: https://stringbean.github.io/sbt-dependency-lock
[detection-priority]: ../../scanner/vulnerability.md#detection-priority
+[dependency-scopes]: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope
diff --git a/pkg/dependency/parser/java/pom/artifact.go b/pkg/dependency/parser/java/pom/artifact.go
index b2e97efb229b..f691afac5ebd 100644
--- a/pkg/dependency/parser/java/pom/artifact.go
+++ b/pkg/dependency/parser/java/pom/artifact.go
@@ -27,6 +27,7 @@ type artifact struct {
Module bool
Relationship ftypes.Relationship
+ Test bool
Locations ftypes.Locations
}
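Review bot: The new `Test` field on `artifact` has no doc comment, and since it is copied into the package's `Dev` flag in parse.go its meaning (Maven dependency scope `test`, not "this artifact is a test") is worth stating at the declaration. Suggest `// Test reports whether the dependency was declared with Maven scope "test"; it is surfaced as Package.Dev.` The `artifact` struct definition starts before this hunk.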
diff --git a/pkg/dependency/parser/java/pom/parse.go b/pkg/dependency/parser/java/pom/parse.go
index cbd7bf47db17..57f41a1d32f4 100644
--- a/pkg/dependency/parser/java/pom/parse.go
+++ b/pkg/dependency/parser/java/pom/parse.go
@@ -214,6 +214,7 @@ func (p *Parser) parseRoot(root artifact, uniqModules map[string]struct{}) ([]ft
Licenses: result.artifact.Licenses,
Relationship: art.Relationship,
Locations: art.Locations,
+ Test: art.Test,
}
// save only dependency names
@@ -234,6 +235,7 @@ func (p *Parser) parseRoot(root artifact, uniqModules map[string]struct{}) ([]ft
Licenses: art.Licenses,
Relationship: art.Relationship,
Locations: art.Locations,
+ Dev: art.Test,
}
pkgs = append(pkgs, pkg)
@@ -400,7 +402,7 @@ func (p *Parser) parseDependencies(deps []pomDependency, props map[string]string
// Resolve dependencies
d = d.Resolve(props, depManagement, rootDepManagement)
- if (d.Scope != "" && d.Scope != "compile" && d.Scope != "runtime") || d.Optional {
+ if (d.Scope != "" && d.Scope != "compile" && d.Scope != "runtime" && d.Scope != "test") || d.Optional {
continue
}
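Review bot: The relaxed filter admits `test`-scoped dependencies, but the Test flag is derived only from the dependency's own declared scope (`d.Scope == "test"` in pom.go), so if this loop is also what walks a test-scoped artifact's own pom for its transitive dependencies, those will be judged on their own scope (typically `compile`) and come out with `Dev: false` even though they are reachable only through a test dependency — Maven treats such transitives as test scope. Whether that inheritance is handled elsewhere is not visible in this hunk; a fixture where the test-scoped dependency has transitive dependencies would pin the intended behaviour either way. Separately, the scope literals are now spelled out both here and in pom.go; folding the allow-list into a `switch d.Scope { case "", "compile", "runtime", "test": default: continue }` (keeping the `d.Optional` check) would make the next scope addition a one-line change. `parseDependencies` continues outside the hunk.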
diff --git a/pkg/dependency/parser/java/pom/parse_test.go b/pkg/dependency/parser/java/pom/parse_test.go
index 934085d5d536..77a47b5ecdac 100644
--- a/pkg/dependency/parser/java/pom/parse_test.go
+++ b/pkg/dependency/parser/java/pom/parse_test.go
@@ -61,6 +61,19 @@ func TestPom_Parse(t *testing.T) {
},
},
},
+ {
+ ID: "org.example:example-test:2.0.0",
+ Name: "org.example:example-test",
+ Version: "2.0.0",
+ Relationship: ftypes.RelationshipDirect,
+ Dev: true,
+ Locations: ftypes.Locations{
+ {
+ StartLine: 49,
+ EndLine: 54,
+ },
+ },
+ },
},
wantDeps: []ftypes.Dependency{
{
@@ -68,6 +81,7 @@ func TestPom_Parse(t *testing.T) {
DependsOn: []string{
"org.example:example-api:1.7.30",
"org.example:example-runtime:1.0.0",
+ "org.example:example-test:2.0.0",
},
},
},
@@ -109,6 +123,19 @@ func TestPom_Parse(t *testing.T) {
},
},
},
+ {
+ ID: "org.example:example-test:2.0.0",
+ Name: "org.example:example-test",
+ Version: "2.0.0",
+ Relationship: ftypes.RelationshipDirect,
+ Dev: true,
+ Locations: ftypes.Locations{
+ {
+ StartLine: 49,
+ EndLine: 54,
+ },
+ },
+ },
},
wantDeps: []ftypes.Dependency{
{
@@ -116,6 +143,7 @@ func TestPom_Parse(t *testing.T) {
DependsOn: []string{
"org.example:example-api:1.7.30",
"org.example:example-runtime:1.0.0",
+ "org.example:example-test:2.0.0",
},
},
},
diff --git a/pkg/dependency/parser/java/pom/pom.go b/pkg/dependency/parser/java/pom/pom.go
index 889d107c3c6c..d27f995217d6 100644
--- a/pkg/dependency/parser/java/pom/pom.go
+++ b/pkg/dependency/parser/java/pom/pom.go
@@ -303,6 +303,7 @@ func (d pomDependency) ToArtifact(opts analysisOptions) artifact {
Exclusions: exclusions,
Locations: locations,
Relationship: ftypes.RelationshipIndirect, // default
+ Test: d.Scope == "test",
}
}
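Review bot: `Test: d.Scope == "test"` is only correct if the scope has already been resolved on this `pomDependency` (a scope coming from a property or `dependencyManagement` would otherwise be missed); the parse.go hunk shows `d = d.Resolve(...)` running before the scope filter, so this looks right, but the precondition is not stated on `ToArtifact`. Suggest a comment on the field initializer: `// Scope is expected to be resolved already (see parseDependencies), so the literal compares against the effective scope.` `ToArtifact` begins before this hunk.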
diff --git a/pkg/dependency/parser/java/pom/testdata/happy/pom.xml b/pkg/dependency/parser/java/pom/testdata/happy/pom.xml
index 1f3c9697a17d..9dfc1c75bd65 100644
--- a/pkg/dependency/parser/java/pom/testdata/happy/pom.xml
+++ b/pkg/dependency/parser/java/pom/testdata/happy/pom.xml
@@ -46,5 +46,11 @@
999
provided
+
+ org.example
+ example-test
+ 2.0.0
+ test
+