zipkin-reporter-java
trivy: follow-up about having maven-invoker-plugin integration tests skipped by default.
Describe the Bug
Currently, trivy by default reports vulnerabilities in the intentionally old dependencies that maven-invoker-plugin integration tests declare. We can configure our own setup to skip those files, but the default behaviour introduces FUD (fear, uncertainty and doubt) in folks who run trivy on their own and don't know about the src/it pattern used in integration testing.
Here is the discussion, which so far has resulted in a workaround: skip the files manually, like so:
$ trivy -q --skip-files "**/src/it/*/pom.xml" repo https://github.com/openzipkin/zipkin-reporter-java
Steps to Reproduce
$ trivy -q repo https://github.com/openzipkin/zipkin-reporter-java
amqp-client/src/it/amqp_v4/pom.xml (pom)
Total: 6 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 1, CRITICAL: 2)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| com.rabbitmq:amqp-client | CVE-2018-11087 | MEDIUM | fixed | @old-amqp-client.version@ | 4.8.0, 5.4.0 | Moderate severity vulnerability that affects com.rabbitmq:amqp-client and org.springframework.amqp:spring-amqp (https://avd.aquasec.com/nvd/cve-2018-11087) |
| com.rabbitmq:amqp-client | CVE-2023-46120 | MEDIUM | fixed | @old-amqp-client.version@ | 5.18.0 | RabbitMQ Java client's Lack of Message Size Limitation leads to Remote DoS... (https://avd.aquasec.com/nvd/cve-2023-46120) |
| org.apache.logging.log4j:log4j-core | CVE-2021-44228 | CRITICAL | fixed | @log4j.version@ | 2.15.0, 2.3.1, 2.12.2 | Remote code execution in Log4j 2.x when logs contain an attacker-controlled string... (https://avd.aquasec.com/nvd/cve-2021-44228) |
| org.apache.logging.log4j:log4j-core | CVE-2021-45046 | CRITICAL | fixed | @log4j.version@ | 2.16.0, 2.12.2 | log4j-core: DoS in log4j 2.x with thread context message pattern and context... (https://avd.aquasec.com/nvd/cve-2021-45046) |
| org.apache.logging.log4j:log4j-core | CVE-2021-45105 | HIGH | fixed | @log4j.version@ | 2.12.3, 2.17.0, 2.3.1 | log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data... (https://avd.aquasec.com/nvd/cve-2021-45105) |
| org.apache.logging.log4j:log4j-core | CVE-2020-9488 | LOW | fixed | @log4j.version@ | 2.13.2 | improper validation of certificate with host mismatch in SMTP appender (https://avd.aquasec.com/nvd/cve-2020-9488) |
okhttp3/src/it/okhttp3_v3/pom.xml (pom)
Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 2)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| org.apache.logging.log4j:log4j-core | CVE-2021-44228 | CRITICAL | fixed | @log4j.version@ | 2.15.0, 2.3.1, 2.12.2 | Remote code execution in Log4j 2.x when logs contain an attacker-controlled string... (https://avd.aquasec.com/nvd/cve-2021-44228) |
| org.apache.logging.log4j:log4j-core | CVE-2021-45046 | CRITICAL | fixed | @log4j.version@ | 2.16.0, 2.12.2 | log4j-core: DoS in log4j 2.x with thread context message pattern and context... (https://avd.aquasec.com/nvd/cve-2021-45046) |
| org.apache.logging.log4j:log4j-core | CVE-2021-45105 | HIGH | fixed | @log4j.version@ | 2.12.3, 2.17.0, 2.3.1 | log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data... (https://avd.aquasec.com/nvd/cve-2021-45105) |
| org.apache.logging.log4j:log4j-core | CVE-2020-9488 | LOW | fixed | @log4j.version@ | 2.13.2 | improper validation of certificate with host mismatch in SMTP appender (https://avd.aquasec.com/nvd/cve-2020-9488) |
Expected Behaviour
I would expect no output, as I personally believe maven-invoker-plugin should be detectable; that way, doing good practice like testing with old versions for the sake of compatibility won't look like a bad thing by default.
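As an added example (not code from trivy or from zipkin-reporter-java), here is a small Python script that implements the detection this report asks for and produces the skip-files workaround above: it flags a pom.xml as a maven-invoker-plugin test project when it sits under src/it/<case>/ or when any <version> is still an unresolved @token@ placeholder, and prints the matching --skip-files arguments for trivy. The src/it layout, the placeholder convention and the sample pom are assumptions modelled on the output in this report.

```python
"""Flag maven-invoker-plugin test poms so trivy can be told to skip them.
Added example, not trivy's or zipkin-reporter-java's code. Assumes the report's
convention: cases live under src/it/<case>/pom.xml with @token@ placeholders."""
import os
import re
import sys
import xml.etree.ElementTree as ET

PLACEHOLDER = re.compile(r"^@[\w.\-]+@$")             # e.g. @log4j.version@
IT_PATH = re.compile(r"(^|/)src/it/[^/]+/pom\.xml$")  # src/it/<case>/pom.xml

def placeholder_versions(xml_text: str) -> list:
    """Return every <version> value that is still an unresolved @token@."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the Maven XML namespace
        if tag == "version" and el.text and PLACEHOLDER.match(el.text.strip()):
            found.append(el.text.strip())
    return found

def is_invoker_test_pom(relpath: str, xml_text: str) -> bool:
    """True if the pom lives in src/it/<case>/ or carries invoker placeholders."""
    relpath = relpath.replace(os.sep, "/")
    return bool(IT_PATH.search(relpath)) or bool(placeholder_versions(xml_text))

def skip_args(repo_root: str) -> list:
    """Walk a checkout and build the --skip-files arguments for trivy."""
    args = []
    for dirpath, _, files in os.walk(repo_root):
        if "pom.xml" not in files:
            continue
        path = os.path.join(dirpath, "pom.xml")
        rel = os.path.relpath(path, repo_root).replace(os.sep, "/")
        with open(path, encoding="utf-8") as fh:
            if is_invoker_test_pom(rel, fh.read()):
                args += ["--skip-files", rel]
    return args

# Constructed sample, modelled on the invoker pom trivy flagged in the report.
SAMPLE_IT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion><artifactId>amqp_v4</artifactId>
  <version>@project.version@</version>
  <dependencies><dependency>
    <groupId>com.rabbitmq</groupId><artifactId>amqp-client</artifactId>
    <version>@old-amqp-client.version@</version>
  </dependency></dependencies>
</project>"""
if __name__ == "__main__":
    print(" ".join(skip_args(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Run it from a checkout to get something like `--skip-files amqp-client/src/it/amqp_v4/pom.xml --skip-files okhttp3/src/it/okhttp3_v3/pom.xml`, which you can pass straight to `trivy repo`; the placeholder check also catches invoker cases kept outside the usual src/it directory.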