Tags: java, maven, trivy

Trivy vulnerabilities does not match our pom dependencies in our maven project


Recently at my company the DevOps team has integrated Trivy into our CI/CD.

Taking a look at the report in order to fix the vulnerabilities, I have noticed that a lot of the packages are not present inside the project, even when looking at transitive dependencies through the Maven dependency tree.

I have also noticed that the infected packages are often the same between our projects.

I tried to trace the origin package with Trivy using the --dependency-tree argument, but it doesn't help at all (in the result the vulnerable packages are often at the pom.xml root according to Trivy).

When testing on a blank project using https://start.spring.io/ with spring boot LTS (only spring-boot-starter and spring-boot-starter-test in dependencies), I notice that trivy, again, gives the same vulnerabilities.

I ran local tests with Trivy and I have the same result as with the pipeline. Is there anything that could explain why I can't find the origin of the packages, or is Trivy giving us false positives?

EDIT: this was tested with Trivy 0.55; version 0.55.1 seems to fix this.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.3.3</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <name>demo</name>
    <description>Demo project for Spring Boot</description>
    <url/>
    <licenses>
        <license/>
    </licenses>
    <developers>
        <developer/>
    </developers>
    <scm>
        <connection/>
        <developerConnection/>
        <tag/>
        <url/>
    </scm>
    <properties>
        <java.version>21</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

Solution

  • It seems likely that the vulnerabilities are in dependencies of Maven plugins.

    First I would make sure to use recent versions of all Maven plugins, including those for Spring.

    If the problems persist, you probably need to look into the dependency trees of the plugins to figure out which plugin causes the problem.

    Generally, you cannot really reliably update dependencies of plugins, so you need to choose whether you remove the plugin or accept the risk. The risk is usually low if the vulnerable dependency is only loaded during the build, and not at runtime in the program you are building.
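As an added example (not code from the question or the answer above), the following script cross-references a Trivy JSON report with the output of `mvn dependency:list`, so that findings on packages which are resolved project dependencies can be separated from findings on packages that are not in the tree at all, which is the plugin-dependency case the answer describes. The JSON shape follows Trivy's report format (`Results[].Vulnerabilities[].PkgName` as `groupId:artifactId`); the report, the dependency list and the CVE identifiers are constructed placeholders, not real data.

```python
"""Cross-check a Trivy JSON report against `mvn dependency:list` output.

Assumptions: Trivy's JSON report schema (Results[].Vulnerabilities[] with
PkgName "groupId:artifactId" and InstalledVersion) and the line format printed
by `mvn dependency:list` (groupId:artifactId:type[:classifier]:version:scope).
All inputs below are constructed samples; the CVE ids are placeholders.
"""
import json

# Constructed sample of `trivy fs -f json .` output for a pom.xml target.
TRIVY_REPORT = json.dumps({
    "Results": [{
        "Target": "pom.xml", "Class": "lang-pkgs", "Type": "pom",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "org.springframework:spring-core",
             "InstalledVersion": "6.1.12", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-00002", "PkgName": "org.example:build-only-lib",
             "InstalledVersion": "1.0.0", "Severity": "CRITICAL"},
        ],
    }]
})

# Constructed sample of `mvn dependency:list` output; only project dependencies appear.
MVN_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:6.1.12:compile
[INFO]    org.junit.jupiter:junit-jupiter:jar:5.10.3:test
"""


def parse_dependency_list(text):
    """Return {"groupId:artifactId": (version, scope)} from dependency:list output."""
    deps = {}
    for line in text.splitlines():
        tokens = line.replace("[INFO]", "").strip().split()
        if not tokens:
            continue
        parts = tokens[0].split(":")      # ignore trailing "-- module ..." annotations
        if len(parts) not in (5, 6):      # skip header and summary lines
            continue
        deps[f"{parts[0]}:{parts[1]}"] = (parts[-2], parts[-1])
    return deps


def triage(report_json, dependency_list):
    """Split findings into (matched resolved dependency) and (not in the tree)."""
    deps = parse_dependency_list(dependency_list)
    in_tree, unexplained = [], []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            ga, ver = vuln["PkgName"], vuln["InstalledVersion"]
            if ga in deps and deps[ga][0] == ver:
                in_tree.append((vuln["VulnerabilityID"], ga, ver, deps[ga][1]))
            else:   # not a project dependency: likely pulled in by a Maven plugin
                unexplained.append((vuln["VulnerabilityID"], ga, ver))
    return in_tree, unexplained
```

Findings in the second list are the ones to chase through the plugin dependency trees (for example `mvn dependency:resolve-plugins`) rather than through pom.xml.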