False detection of spark-core_2.12:3.4.2 as spark-core_2.12:3.0.1

[Tsuesun]

IDs

CVE-2023-22946

Description

Trivy seems to detect the wrong version of spark-core as a much earlier version than the one that is defined in the pom leading to a false positive detection

Reproduction Steps

1.Save the following pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>


	<artifactId>dummy</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<name>dummy</name>
	<description>Dummy pom</description>

	<properties>
		<spark.version>3.4.0</spark.version>
		<scala.bin.version>2.12</scala.bin.version>
		<elasticsearch.version>7.13.4</elasticsearch.version>
		<groovy.version>3.0.22</groovy.version>
	</properties>

	<dependencies>
		<dependency>
			<groupId>org.apache.spark</groupId>
			<artifactId>spark-core_${scala.bin.version}</artifactId>
			<version>${spark.version}</version>
			<scope>provided</scope>
		</dependency>
		<dependency>
			<groupId>org.elasticsearch</groupId>
			<artifactId>elasticsearch-spark-30_${scala.bin.version}</artifactId>
			<version>${elasticsearch.version}</version>
		</dependency>
	</dependencies>
</project>

2. run trivy filesystem pom.xml
3. Note the version detected does not match what is defined in the pom.xml
   ...

### Target

Filesystem

### Scanner

Vulnerability

### Target OS

_No response_

### Debug Output

```bash
2024-10-31T14:19:44+09:00       DEBUG   No plugins loaded
2024-10-31T14:19:44+09:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-10-31T14:19:44+09:00       DEBUG   Cache dir       dir="/home/skr/.cache/trivy"
2024-10-31T14:19:44+09:00       DEBUG   Cache dir       dir="/home/skr/.cache/trivy"
2024-10-31T14:19:44+09:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-10-31T14:19:44+09:00       DEBUG   Ignore statuses statuses=[]
2024-10-31T14:19:44+09:00       DEBUG   DB update was skipped because the local DB is the latest
2024-10-31T14:19:44+09:00       DEBUG   DB info schema=2 updated_at=2024-10-31T00:22:55.79859095Z next_update=2024-11-01T00:22:55.798590679Z downloaded_at=2024-10-31T04:47:36.62141726Z
2024-10-31T14:19:44+09:00       DEBUG   [pkg] Package types     types=[os library]
2024-10-31T14:19:44+09:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-10-31T14:19:44+09:00       INFO    [vuln] Vulnerability scanning is enabled
2024-10-31T14:19:44+09:00       INFO    [secret] Secret scanning is enabled
2024-10-31T14:19:44+09:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T14:19:44+09:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T14:19:44+09:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-10-31T14:19:44+09:00       DEBUG   Initializing scan cache...      type="memory"
2024-10-31T14:19:44+09:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Resolving...      group_id="org.elasticsearch" artifact_id="elasticsearch-spark-30_2.12" version="7.13.4"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Resolving...      group_id="org.scala-lang" artifact_id="scala-library" version="2.12.8"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Resolving...      group_id="org.scala-lang" artifact_id="scala-reflect" version="2.12.8"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Resolving...      group_id="org.apache.spark" artifact_id="spark-core_2.12" version="3.0.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Start parent      artifact="org.apache.spark:spark-parent_2.12:3.0.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Adding repository id="gcs-maven-central-mirror" url="https://maven-central.storage-download.googleapis.com/maven2/"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Adding repository id="central" url="https://repo.maven.apache.org/maven2"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:18"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:18"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Exit parent       artifact="org.apache.spark:spark-parent_2.12:3.0.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Resolving...      group_id="org.apache.spark" artifact_id="spark-sql_2.12" version="3.0.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Start parent      artifact="org.apache.spark:spark-parent_2.12:3.0.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Exit parent       artifact="org.apache.spark:spark-parent_2.12:3.0.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Resolving...      group_id="org.apache.spark" artifact_id="spark-streaming_2.12" version="3.0.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Start parent      artifact="org.apache.spark:spark-parent_2.12:3.0.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Exit parent       artifact="org.apache.spark:spark-parent_2.12:3.0.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Resolving...      group_id="org.slf4j" artifact_id="slf4j-api" version="1.7.6"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Start parent      artifact="org.slf4j:slf4j-parent:1.7.6"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Exit parent       artifact="org.slf4j:slf4j-parent:1.7.6"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Resolving...      group_id="commons-logging" artifact_id="commons-logging" version="1.1.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:5"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:4"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:4"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:5"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Resolving...      group_id="javax.xml.bind" artifact_id="jaxb-api" version="2.3.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Start parent      artifact="javax.xml.bind:jaxb-api-parent:2.3.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Start parent      artifact="net.java:jvnet-parent:5"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Adding repository id="jvnet-nexus-releases" url="https://maven.java.net/content/repositories/releases/"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Exit parent       artifact="net.java:jvnet-parent:5"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Exit parent       artifact="javax.xml.bind:jaxb-api-parent:2.3.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Resolving...      group_id="com.google.protobuf" artifact_id="protobuf-java" version="2.5.0"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Start parent      artifact="com.google:google:1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Exit parent       artifact="com.google:google:1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Resolving...      group_id="org.apache.spark" artifact_id="spark-catalyst_2.12" version="3.0.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Start parent      artifact="org.apache.spark:spark-parent_2.12:3.0.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Exit parent       artifact="org.apache.spark:spark-parent_2.12:3.0.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Resolving...      group_id="org.apache.spark" artifact_id="spark-yarn_2.12" version="3.0.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Start parent      artifact="org.apache.spark:spark-parent_2.12:3.0.1"
2024-10-31T14:19:44+09:00       DEBUG   [pom] Exit parent       artifact="org.apache.spark:spark-parent_2.12:3.0.1"
2024-10-31T14:19:44+09:00       DEBUG   OS is not detected.
2024-10-31T14:19:44+09:00       DEBUG   Detected OS: unknown
2024-10-31T14:19:44+09:00       INFO    Number of language-specific files       num=1
2024-10-31T14:19:44+09:00       INFO    [pom] Detecting vulnerabilities...
2024-10-31T14:19:44+09:00       DEBUG   [pom] Scanning packages for vulnerabilities     file_path="pom.xml"
2024-10-31T14:19:44+09:00       DEBUG   [vex] VEX filtering is disabled

Version

Version: 0.56.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-10-31 00:22:55.79859095 +0000 UTC
  NextUpdate: 2024-11-01 00:22:55.798590679 +0000 UTC
  DownloadedAt: 2024-10-31 04:47:36.62141726 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @Tsuesun
Thanks for your report!

This problem related with provided scope.
Trivy doesn't support this scope and doesn't parse spark-core_2.12:3.4.0 (see more details in #7844).

I created #7844 for this case.

Regards, Dmitriy