Trivy supports three types of Java scanning: `JAR/WAR/PAR/EAR` files, `pom.xml` files and `gradle.lock` files.
Each artifact supports the following scanners:
The following table provides an outline of the features Trivy offers.

| Artifact        | Internet access      | Dev dependencies | Dependency graph |
|-----------------|----------------------|------------------|------------------|
| JAR/WAR/PAR/EAR | Trivy Java DB        | Include          | -                |
| pom.xml         | Maven repository[^1] | Exclude          | ✓                |
These may be enabled or disabled depending on the target. See here for the detail.
If those files don't exist or don't contain enough information, Trivy will try to find the JAR[^2] file in trivy-java-db. The Java DB is automatically downloaded or updated when any JAR[^2] file is found, and it is stored in the cache directory.
Finding JARs in `trivy-java-db` is an experimental function.
Trivy parses your `pom.xml` file and tries to find files with dependencies from these local locations.
If your machine doesn't have the necessary files, Trivy tries to find the information about these dependencies in the Maven repository.
Trivy only takes information about packages. It does not take a list of vulnerabilities for packages from the Maven repository.
Information about the data sources for Java can be found here.
You can disable connecting to the Maven repository with the `--offline-scan` flag.
The `--offline-scan` flag does not affect the Trivy database.
The vulnerability database will be downloaded anyway.
Trivy may skip some dependencies (those that were not found on your local machine) when the `--offline-scan` flag is passed.
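The following is an added example, not Trivy's own code, showing the lookup order the text above describes for `pom.xml`: declared dependencies are checked against a local Maven repository layout first, anything missing would fall back to the remote Maven repository, and with the offline mode enabled that fallback is disabled so those dependencies are skipped. The sample `pom.xml`, the temporary local repository and the `${...}` property handling (limited to `<properties>` entries) are constructed for this example; real Trivy also handles parent POMs and `dependencyManagement`, which this does not.

```python
"""Classify pom.xml dependencies as local, remote, or skipped (offline mode)."""
import os
import tempfile
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom.xml (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <jackson.version>2.13.4</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>1.9</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


def _text(elem, tag, default=None):
    child = elem.find(POM_NS + tag)
    return child.text.strip() if child is not None and child.text else default


def parse_dependencies(pom_xml, include_test=False):
    """Return (groupId, artifactId, version) tuples from <dependencies>.
    Test-scoped entries are dropped unless include_test is set, matching the
    'Dev dependencies: Exclude' column for pom.xml in the table above."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_elem = root.find(POM_NS + "properties")
    if props_elem is not None:
        for p in props_elem:
            props[p.tag.replace(POM_NS, "")] = (p.text or "").strip()

    def interpolate(value):
        # Resolve ${name} against <properties>; unknown names are left as-is.
        if value and value.startswith("${") and value.endswith("}"):
            return props.get(value[2:-1], value)
        return value

    deps = []
    deps_elem = root.find(POM_NS + "dependencies")
    if deps_elem is None:
        return deps
    for d in deps_elem.findall(POM_NS + "dependency"):
        if _text(d, "scope", "compile") == "test" and not include_test:
            continue
        deps.append((_text(d, "groupId"), _text(d, "artifactId"),
                     interpolate(_text(d, "version"))))
    return deps


def local_pom_path(repo, group, artifact, version):
    """Path of a dependency's POM inside a Maven local repository layout."""
    return os.path.join(repo, *group.split("."), artifact, version,
                        f"{artifact}-{version}.pom")


def classify(deps, repo, offline_scan):
    """Split deps into found-locally, needs-remote, and skipped-in-offline-mode."""
    found, remote, skipped = [], [], []
    for dep in deps:
        if os.path.isfile(local_pom_path(repo, *dep)):
            found.append(dep)
        elif offline_scan:
            skipped.append(dep)  # no network allowed, so the dependency is dropped
        else:
            remote.append(dep)   # would be looked up in the Maven repository
    return found, remote, skipped


def demo(offline_scan=True):
    """Seed a throwaway local repository with one dependency and classify."""
    deps = parse_dependencies(SAMPLE_POM)
    with tempfile.TemporaryDirectory() as repo:
        path = local_pom_path(repo, *deps[0])  # only jackson-databind is cached
        os.makedirs(os.path.dirname(path))
        open(path, "w").close()
        return classify(deps, repo, offline_scan)


if __name__ == "__main__":
    found, remote, skipped = demo()
    print("found locally:", found)
    print("needs Maven repository:", remote)
    print("skipped (offline):", skipped)
```

Running it shows `commons-text` landing in the skipped list: that is the class of dependency the warning above refers to, and the reason an offline scan can report fewer packages than an online one.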
`gradle.lock` files contain all necessary information about the dependencies used.
Trivy simply parses the file, extracts the dependencies, and finds vulnerabilities for them.
It doesn't require internet access.
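As an added example (not Trivy's code), here is a parser for the Gradle lock-file syntax the paragraph above refers to, followed by a match of the locked versions against a small advisory table. The lock-file lines are `group:artifact:version=configuration,...`, `#` comments, and an `empty=` line naming configurations that lock nothing; the sample lock file, the advisory identifiers and the simplified numeric version comparison are all constructed placeholders, and the test-only filter is this example's assumption rather than a behaviour the page states for Gradle.

```python
"""Parse a Gradle lock file and check locked versions against sample advisories."""
from dataclasses import dataclass

# Constructed sample gradle.lockfile content (not from a real project).
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
com.fasterxml.jackson.core:jackson-databind:2.13.4=compileClasspath,runtimeClasspath
org.apache.commons:commons-text:1.9=runtimeClasspath
junit:junit:4.13.2=testCompileClasspath,testRuntimeClasspath
empty=annotationProcessor
"""

# Constructed advisories: (group, artifact) -> (advisory id, first fixed version).
# The ids are placeholders, not real vulnerability identifiers.
SAMPLE_ADVISORIES = {
    ("org.apache.commons", "commons-text"): ("EXAMPLE-ADV-1", "1.10.0"),
    ("junit", "junit"): ("EXAMPLE-ADV-2", "4.13.3"),
}


@dataclass(frozen=True)
class LockedDependency:
    group: str
    artifact: str
    version: str
    configurations: tuple


def parse_gradle_lockfile(text):
    """Return LockedDependency entries; malformed lines raise ValueError."""
    deps = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        coords, sep, configs = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: missing '='")
        if coords == "empty":
            continue  # configurations that lock no dependencies
        parts = coords.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected group:artifact:version")
        deps.append(LockedDependency(parts[0], parts[1], parts[2],
                                     tuple(c for c in configs.split(",") if c)))
    return deps


def is_test_only(dep):
    """True when every configuration the dependency is locked in is a test one."""
    return all(c.startswith("test") for c in dep.configurations)


def version_key(version):
    """Simplified comparison key (numeric parts only); real Maven ordering is richer."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def find_vulnerable(deps, advisories, skip_test_only=True):
    """Return (dependency, advisory id) pairs whose locked version predates the fix."""
    hits = []
    for dep in deps:
        if skip_test_only and is_test_only(dep):
            continue
        adv = advisories.get((dep.group, dep.artifact))
        if adv and version_key(dep.version) < version_key(adv[1]):
            hits.append((dep, adv[0]))
    return hits


if __name__ == "__main__":
    locked = parse_gradle_lockfile(SAMPLE_LOCKFILE)
    for dep, advisory in find_vulnerable(locked, SAMPLE_ADVISORIES):
        print(f"{dep.group}:{dep.artifact}:{dep.version} -> {advisory}")
```

Everything needed is in the lock file itself, which is why this kind of scan works without network access; the only external input is the vulnerability data, which in Trivy's case comes from its own database rather than from the build tool's repositories.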
[^1]: Uses the Maven repository to get information about dependencies. Internet access required.
e.g. when the parent `pom.xml` file has
When you use a dependency path in the `relativePath` field of the `pom.xml` file
`/Users/<username>/.m2/repository` (for Linux and Mac) and `C:/Users/<username>/.m2/repository` (for Windows) by default