Java
Trivy supports three types of Java scanning: JAR/WAR/PAR/EAR
, pom.xml
and *gradle.lockfile
files.
The following table provides an outline of the features Trivy offers.
Artifact | Internet access | Dev dependencies |
---|---|---|
JAR/WAR/PAR/EAR | Trivy Java DB | Include |
pom.xml | Maven repository 1 | Exclude |
*gradle.lockfile | - | Exclude |
These may be enabled or disabled depending on the target. See here for the detail.
JAR/WAR/PAR/EAR
To find information about your JAR2 file, Trivy parses pom.properties
and MANIFEST.MF
files in your JAR2 file and takes required properties3.
If those files don't exist or don't contain enough information - Trivy will try to find this JAR2 file in trivy-java-db. The Java DB will be automatically downloaded/updated when any JAR2 file is found. It is stored in the cache directory.
EXPERIMENTAL
Finding JARs in trivy-java-db
is an experimental function.
Base JAR2 may contain inner JARs2 within itself. To find information about these JARs2, the same logic is used as for the base JAR2.
pom.xml
Trivy parses your pom.xml
file and tries to find files with dependencies from these local locations.
If your machine doesn't have the necessary files - Trivy tries to find the information about these dependencies in the maven repository.
Note
Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the maven repository
.
Information about data sources for Java you can see here.
You can disable connecting to the maven repository with the --offline-scan
flag.
The --offline-scan
flag does not affect the Trivy database.
The vulnerability database will be downloaded anyway.
Warning
Trivy may skip some dependencies (that were not found on your local machine) when the --offline-scan
flag is passed.
Gradle.lock
gradle.lock
files contain all necessary information about used dependencies.
Trivy simply parses the file, extract dependencies, and finds vulnerabilities for them.
It doesn't require the internet access.
-
Uses maven repository to get information about dependencies. Internet access required. ↩
-
ArtifactID
,GroupID
andVersion
↩ -
e.g. when parent pom.xml file has
../pom.xml
path ↩ -
When you use dependency path in
relativePath
field in pom.xml file ↩ -
/Users/<username>/.m2/repository
(for Linux and Mac) andC:/Users/<username>/.m2/repository
(for Windows) by default ↩