Vulnerability scans of splunk-library-javalogging 1.11.8 produce no findings where Maven has high CVEs #8352
Description:
Trivy fs scan on splunk-library-javalogging 1.11.8 indicates no vulnerabilities, but maven has three highs documented. We initially did this with the repo command rather than the fs command and were seeing the same issue. Just wanted to validate it with fs as there were multiple threads out there saying that could fix issues with dependency tree.

Desired Behavior:
Show vulnerabilities that are present in Maven if they are present in this artifact.
[image: Maven Identified CVEs]

Actual Behavior:
Trivy detects no vulnerabilities.
git clone https://github.com/splunk/splunk-library-javalogging
cd splunk-library-javalogging
git checkout 1.11.8
git branch
cd ..
docker run --mount src=~/splunk-library-javalogging,target=/test_container,type=bind aquasec/trivy:latest fs test_container/pom.xml --debug --dependency-tree
2025-02-04T19:55:17Z DEBUG No plugins loaded
2025-02-04T19:55:17Z DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-04T19:55:17Z DEBUG Cache dir dir="/root/.cache/trivy"
2025-02-04T19:55:17Z DEBUG Cache dir dir="/root/.cache/trivy"
2025-02-04T19:55:18Z INFO "--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports limited package managers. Please see the document for the detail.
2025-02-04T19:55:18Z DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-04T19:55:18Z DEBUG Ignore statuses statuses=[]
2025-02-04T19:55:18Z DEBUG [vulndb] There is no valid metadata file err="unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory"
2025-02-04T19:55:18Z INFO [vulndb] Need to update DB
2025-02-04T19:55:18Z DEBUG [vulndb] No metadata file
2025-02-04T19:55:18Z INFO [vulndb] Downloading vulnerability DB...
2025-02-04T19:55:18Z INFO [vulndb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-db:2"
INFO [vulndb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-02-04T19:55:23Z DEBUG Updating database metadata...
2025-02-04T19:55:23Z DEBUG DB info schema=2 updated_at=2025-02-04T18:15:43.355242665Z next_update=2025-02-05T18:15:43.355242525Z downloaded_at=2025-02-04T19:55:23.489168372Z
2025-02-04T19:55:23Z DEBUG [pkg] Package types types=[os library]
2025-02-04T19:55:23Z DEBUG [pkg] Package relationships relationships=[unknown root workspace direct indirect]
2025-02-04T19:55:23Z INFO [vuln] Vulnerability scanning is enabled
2025-02-04T19:55:23Z INFO [secret] Secret scanning is enabled
2025-02-04T19:55:23Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T19:55:23Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T19:55:23Z DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-02-04T19:55:23Z DEBUG Initializing scan cache... type="memory"
2025-02-04T19:55:23Z DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2025-02-04T19:55:23Z DEBUG [pom] Resolving... group_id="com.squareup.okhttp3" artifact_id="okhttp" version="4.11.0"
2025-02-04T19:55:23Z DEBUG [pom] Resolving... group_id="com.squareup.okio" artifact_id="okio" version="3.5.0"
2025-02-04T19:55:23Z DEBUG [pom] Resolving... group_id="com.google.code.gson" artifact_id="gson" version="2.9.0"
2025-02-04T19:55:23Z DEBUG [pom] Start parent artifact="com.google.code.gson:gson-parent:2.9.0"
2025-02-04T19:55:23Z DEBUG [pom] Start parent artifact="org.sonatype.oss:oss-parent:7"
2025-02-04T19:55:23Z DEBUG [pom] Exit parent artifact="org.sonatype.oss:oss-parent:7"
2025-02-04T19:55:23Z DEBUG [pom] Exit parent artifact="com.google.code.gson:gson-parent:2.9.0"
2025-02-04T19:55:23Z DEBUG [pom] Resolving... group_id="org.jetbrains.kotlin" artifact_id="kotlin-stdlib" version="1.6.20"
2025-02-04T19:55:23Z DEBUG [pom] Resolving... group_id="org.jetbrains.kotlin" artifact_id="kotlin-stdlib-jdk8" version="1.6.20"
2025-02-04T19:55:23Z DEBUG [pom] Resolving... group_id="com.squareup.okio" artifact_id="okio-jvm" version="3.5.0"
2025-02-04T19:55:24Z DEBUG [pom] Resolving... group_id="org.jetbrains.kotlin" artifact_id="kotlin-stdlib-common" version="1.6.20"
2025-02-04T19:55:24Z DEBUG [pom] Resolving... group_id="org.jetbrains" artifact_id="annotations" version="13.0"
2025-02-04T19:55:24Z DEBUG [pom] Resolving... group_id="org.jetbrains.kotlin" artifact_id="kotlin-stdlib-jdk7" version="1.6.20"
2025-02-04T19:55:24Z DEBUG OS is not detected.
2025-02-04T19:55:24Z DEBUG Detected OS: unknown
2025-02-04T19:55:24Z INFO Number of language-specific files num=1
2025-02-04T19:55:24Z INFO [pom] Detecting vulnerabilities...
2025-02-04T19:55:24Z DEBUG [pom] Scanning packages for vulnerabilities file_path="pom.xml"
2025-02-04T19:55:24Z DEBUG Specified ignore file does not exist file=".trivyignore"
2025-02-04T19:55:24Z DEBUG [vex] VEX filtering is disabled

Reproduction Steps:
1. git clone https://github.com/splunk/splunk-library-javalogging
2. cd splunk-library-javalogging
3. git checkout 1.11.8
4. git branch
5. cd ..
6. docker run --mount src=~/splunk-library-javalogging,target=/test_container,type=bind aquasec/trivy:latest fs test_container/pom.xml --debug --dependency-tree

Target: Filesystem
Scanner: Vulnerability
Output Format: JSON
Mode: Client/Server
Debug Output: (identical to the command and scan output shown under Actual Behavior above)
Operating System: docker container on Rhel 8
Version: latest - Version: 0.58.2
Hello @AustinIvey
Thanks for your report!
Package ch.qos.logback:logback-core contains these vulnerabilities. But this package uses provided scope - https://github.com/splunk/splunk-library-javalogging/blob/70f80fa60d2098e81f5f819059964d9304b5f1d5/pom.xml#L207-L212
Trivy doesn't include dependencies with provided scope because these dependencies are not used at runtime - https://trivy.dev/latest/docs/coverage/language/java/#supported-scopes
Regards, Dmitriy
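To see which pom.xml entries a scope-aware scan leaves out before trusting a clean result, here is an added example script (not Trivy's code and not part of this thread) that lists each dependency with its effective Maven scope and flags the provided-scope ones; the pom.xml content is constructed, and the logback-core version in it is a placeholder.

```python
"""Cross-check which pom.xml dependencies fall outside a scope-aware scan.
Maven defaults to "compile" when <scope> is absent; "provided" entries are
flagged as skipped, matching what the reply above says about Trivy."""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # assumes the standard POM namespace
SKIPPED_SCOPES = {"provided"}  # the scope the reply names; extend per Trivy's docs
# Constructed sample pom.xml, not the project's real file. okhttp 4.11.0 is the
# version seen in the scan log; the logback-core version is a placeholder.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>sample</artifactId><version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>com.squareup.okhttp3</groupId>
      <artifactId>okhttp</artifactId>
      <version>4.11.0</version>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
      <version>0.0.0-PLACEHOLDER</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>
"""

def _child(dep, tag):
    el = dep.find(f"m:{tag}", NS)
    return el.text.strip() if el is not None and el.text else None

def dependencies_by_scope(pom_xml):
    """Return each <dependency> with its effective scope and a scanned flag."""
    rows = []
    for dep in ET.fromstring(pom_xml).findall("m:dependencies/m:dependency", NS):
        scope = _child(dep, "scope") or "compile"  # Maven's default scope
        coord = f"{_child(dep, 'groupId')}:{_child(dep, 'artifactId')}:{_child(dep, 'version')}"
        rows.append({"coordinate": coord, "scope": scope, "scanned": scope not in SKIPPED_SCOPES})
    return rows

def skipped_coordinates(pom_xml):
    """Coordinates the scan leaves out, so their CVEs need a separate check."""
    return [r["coordinate"] for r in dependencies_by_scope(pom_xml) if not r["scanned"]]

if __name__ == "__main__":
    for r in dependencies_by_scope(SAMPLE_POM):
        print(f"{r['coordinate']:<48} scope={r['scope']:<9} scanned={r['scanned']}")
```

Pointing it at a real pom.xml gives the list of coordinates whose CVEs must be tracked outside the Trivy report, which is the gap this thread describes.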