false negative in transitive dependency pom.xml maven #7537

tamirsinai · 2024-09-18T09:18:26Z

tamirsinai
Sep 18, 2024

IDs

CVE-2024-29857

Description

Hey,
we have customer using pom.xml and has false negative.
the situation:
they have 2 pom.xml

"father" - /bom/pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>test</groupId>
    <artifactId>test2</artifactId>
    <version>1.1.0</version>
    <packaging>pom</packaging>
    <name>test3</name>

    <properties>
        <com.okta.sdk.version>16.0.0</com.okta.sdk.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>com.okta.sdk</groupId>
            <artifactId>okta-sdk-api</artifactId>
            <version>${com.okta.sdk.version}</version>
            <exclusions>
                <exclusion>
                    <groupId>com.fasterxml.jackson.module</groupId>
                    <artifactId>jackson-module-jaxb-annotations</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>com.okta.sdk</groupId>
            <artifactId>okta-sdk-impl</artifactId>
            <version>${com.okta.sdk.version}</version>
            <exclusions>
                <exclusion>
                    <groupId>com.fasterxml.jackson.module</groupId>
                    <artifactId>jackson-module-jaxb-annotations</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcprov-jdk18on</artifactId>
            <scope>compile</scope>
        </dependency>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcpkix-jdk18on</artifactId>
            <scope>compile</scope>
        </dependency>
    </dependencies>
</project>

"son" - /in/pom.xml

in-pom.txt

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>test</groupId>
        <artifactId>test2</artifactId>
        <version>1.1.0</version>
        <relativePath>../bom/pom.xml</relativePath>
    </parent>
    <artifactId>test4</artifactId>
    <packaging>pom</packaging>
    <name>test5</name>
    <description>test6</description>
    <properties>
        <maven.compiler.source>21</maven.compiler.source>
        <maven.compiler.target>21</maven.compiler.target>
        <org.bouncycastle.version>1.78.1</org.bouncycastle.version>
    </properties>
    <dependencyManagement>
        <dependencies>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcprov-jdk18on</artifactId>
            <version>${org.bouncycastle.version}</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcpkix-jdk18on</artifactId>
            <version>${org.bouncycastle.version}</version>
            <scope>test</scope>
        </dependency>
        </dependencies>
    </dependencyManagement>
</project>

bcprov-jdk18on dependecny on version 1.77 has CVE-2024-29857. they defined the version to be 1.78.1 which fixes the CVE.
but, trivy finds the CVE in the dependency okta-sdk-impl (they use 16.0.0) which uses also bcprov-jdk18on on version 1.77.
but when running mvn dependency:tree its says the using version of bcprov-jdk18on is version 1.78.

Thanks.

Reproduction Steps

`trivy fs .` in root folder of the pom.xml's

Target

Filesystem

Scanner

Vulnerability

Target OS

No response

Debug Output

▶ trivy fs . --debug                                                                                                                                                                          
2024-09-19T14:58:00+03:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-09-19T14:58:00+03:00       DEBUG   Cache dir       dir="/Users/tamirsinai/Library/Caches/trivy"
2024-09-19T14:58:00+03:00       DEBUG   Cache dir       dir="/Users/tamirsinai/Library/Caches/trivy"
2024-09-19T14:58:00+03:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-09-19T14:58:00+03:00       DEBUG   Ignore statuses statuses=[]
2024-09-19T14:58:00+03:00       DEBUG   DB update was skipped because the local DB is the latest
2024-09-19T14:58:00+03:00       DEBUG   DB info schema=2 updated_at=2024-09-19T06:12:22.986098678Z next_update=2024-09-19T12:12:22.986098548Z downloaded_at=2024-09-19T08:35:55.323066Z
2024-09-19T14:58:00+03:00       DEBUG   [pkg] Package types     types=[os library]
2024-09-19T14:58:00+03:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-09-19T14:58:00+03:00       INFO    [vuln] Vulnerability scanning is enabled
2024-09-19T14:58:00+03:00       INFO    [secret] Secret scanning is enabled
2024-09-19T14:58:00+03:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-19T14:58:00+03:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-19T14:58:00+03:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-19T14:58:00+03:00       DEBUG   Initializing scan cache...      type="memory"
2024-09-19T14:58:00+03:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.okta.sdk" artifact_id="okta-sdk-api" version="16.0.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="test:test2:1.1.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta.sdk:okta-sdk-root:16.0.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="test:test2:1.1.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.okta.sdk" artifact_id="okta-sdk-api" version="16.0.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta.sdk:okta-sdk-root:16.0.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta:okta-parent:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta:okta-parent:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta:okta-aggregator:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta:okta-aggregator:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta:okta-aggregator:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta:okta-parent:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson" artifact_id="jackson-bom" version="2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta:okta-aggregator:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta:okta-parent:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson" artifact_id="jackson-bom" version="2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.17"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.17"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:58"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:58"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:58"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.17"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:58"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta.sdk:okta-sdk-root:16.0.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.17"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.okta.sdk" artifact_id="okta-sdk-impl" version="16.0.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta.sdk:okta-sdk-root:16.0.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta.sdk:okta-sdk-root:16.0.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta.sdk:okta-sdk-root:16.0.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.okta.sdk" artifact_id="okta-sdk-impl" version="16.0.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.okta.commons" artifact_id="okta-config-check" version="1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta.commons:okta-commons-root:1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta.sdk:okta-sdk-root:16.0.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta.sdk:okta-sdk-root:16.0.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.bouncycastle" artifact_id="bcprov-jdk18on" version=""
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta:okta-parent:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta:okta-parent:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Repository error  err="Version missing for org.bouncycastle:bcprov-jdk18on"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.bouncycastle" artifact_id="bcpkix-jdk18on" version=""
2024-09-19T14:58:00+03:00       DEBUG   [pom] Repository error  err="Version missing for org.bouncycastle:bcpkix-jdk18on"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.okta.commons" artifact_id="okta-config-check" version="1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta.commons:okta-commons-root:1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.okta.commons" artifact_id="okta-http-api" version="1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta.commons:okta-commons-root:1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta.commons:okta-commons-root:1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta.commons:okta-commons-root:1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta:okta-parent:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta:okta-parent:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.okta.commons" artifact_id="okta-commons-lang" version="1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta.commons:okta-commons-root:1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.okta.commons" artifact_id="okta-http-api" version="1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta.commons:okta-commons-root:1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta.commons:okta-commons-root:1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.slf4j" artifact_id="slf4j-api" version="2.0.7"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta.commons:okta-commons-root:1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta.commons:okta-commons-root:1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.okta.commons" artifact_id="okta-commons-lang" version="1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.slf4j:slf4j-parent:2.0.7"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.okta.commons:okta-commons-root:1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.okta.commons:okta-commons-root:1.3.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.slf4j" artifact_id="slf4j-api" version="2.0.7"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.slf4j:slf4j-parent:2.0.7"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.slf4j:slf4j-parent:2.0.7"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="javax.annotation" artifact_id="javax.annotation-api" version="1.3.2"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.slf4j:slf4j-parent:2.0.7"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="net.java:jvnet-parent:3"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="javax.annotation" artifact_id="javax.annotation-api" version="1.3.2"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="jvnet-nexus-snapshots" url="https://maven.java.net/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="net.java:jvnet-parent:3"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="io.swagger" artifact_id="swagger-annotations" version="1.6.8"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="net.java:jvnet-parent:3"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="jvnet-nexus-snapshots" url="https://maven.java.net/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="net.java:jvnet-parent:3"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="io.swagger" artifact_id="swagger-annotations" version="1.6.8"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="io.swagger:swagger-project:1.6.8"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="io.swagger:swagger-project:1.6.8"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="io.swagger:swagger-project:1.6.8"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.google.code.findbugs" artifact_id="jsr305" version="3.0.2"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="io.swagger:swagger-project:1.6.8"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.google.code.findbugs" artifact_id="jsr305" version="3.0.2"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.apache.httpcomponents.client5" artifact_id="httpclient5" version="5.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.apache.httpcomponents.client5" artifact_id="httpclient5" version="5.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache.httpcomponents.client5:httpclient5-parent:5.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache.httpcomponents.client5:httpclient5-parent:5.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache.httpcomponents:httpcomponents-parent:13"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache.httpcomponents:httpcomponents-parent:13"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:27"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:27"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:27"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache.httpcomponents:httpcomponents-parent:13"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:27"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache.httpcomponents.client5:httpclient5-parent:5.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache.httpcomponents:httpcomponents-parent:13"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache.httpcomponents.client5:httpclient5-parent:5.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.10.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.10.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.core" artifact_id="jackson-core" version="2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.core" artifact_id="jackson-core" version="2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-bom:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-bom:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-bom:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-bom:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.10.2"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.10.2"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.core" artifact_id="jackson-annotations" version="2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.core" artifact_id="jackson-annotations" version="2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.17"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.17"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.17"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.17"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.core" artifact_id="jackson-databind" version="2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.core" artifact_id="jackson-databind" version="2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.jaxrs" artifact_id="jackson-jaxrs-json-provider" version="2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.jaxrs" artifact_id="jackson-jaxrs-json-provider" version="2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson.jaxrs:jackson-jaxrs-providers:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson.jaxrs:jackson-jaxrs-providers:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson.jaxrs:jackson-jaxrs-providers:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson.jaxrs:jackson-jaxrs-providers:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.openapitools" artifact_id="jackson-databind-nullable" version="0.2.6"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.openapitools" artifact_id="jackson-databind-nullable" version="0.2.6"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.datatype" artifact_id="jackson-datatype-jsr310" version="2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.datatype" artifact_id="jackson-datatype-jsr310" version="2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson.module:jackson-modules-java8:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson.module:jackson-modules-java8:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson.module:jackson-modules-java8:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson.module:jackson-modules-java8:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.github.jknack" artifact_id="handlebars" version="4.4.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.github.jknack" artifact_id="handlebars" version="4.4.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.github.jknack:handlebars.java:4.4.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.github.jknack:handlebars.java:4.4.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.github.jknack:handlebars.java:4.4.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.github.jknack:handlebars.java:4.4.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.github.jknack" artifact_id="handlebars-jackson2" version="4.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.github.jknack" artifact_id="handlebars-jackson2" version="4.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.github.jknack:handlebars.java:4.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.github.jknack:handlebars.java:4.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.github.jknack:handlebars.java:4.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.yaml" artifact_id="snakeyaml" version="2.2"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.github.jknack:handlebars.java:4.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.yaml" artifact_id="snakeyaml" version="2.2"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.bouncycastle" artifact_id="bcprov-jdk18on" version="1.77"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="io.jsonwebtoken" artifact_id="jjwt-api" version="0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.bouncycastle" artifact_id="bcpkix-jdk18on" version="1.77"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="io.jsonwebtoken:jjwt-root:0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="io.jsonwebtoken" artifact_id="jjwt-api" version="0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="io.jsonwebtoken:jjwt-root:0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="ossrh" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="io.jsonwebtoken:jjwt-root:0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="io.jsonwebtoken" artifact_id="jjwt-impl" version="0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Adding repository id="ossrh" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="io.jsonwebtoken:jjwt-root:0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="io.jsonwebtoken:jjwt-root:0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="io.jsonwebtoken:jjwt-root:0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="io.jsonwebtoken" artifact_id="jjwt-jackson" version="0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="io.jsonwebtoken" artifact_id="jjwt-impl" version="0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="io.jsonwebtoken:jjwt-root:0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="io.jsonwebtoken:jjwt-root:0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.apache.httpcomponents.core5" artifact_id="httpcore5" version="5.2.4"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="io.jsonwebtoken:jjwt-root:0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="io.jsonwebtoken:jjwt-root:0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="io.jsonwebtoken" artifact_id="jjwt-jackson" version="0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache.httpcomponents.core5:httpcore5-parent:5.2.4"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="io.jsonwebtoken:jjwt-root:0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="io.jsonwebtoken:jjwt-root:0.12.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.apache.httpcomponents.core5" artifact_id="httpcore5" version="5.2.4"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache.httpcomponents.core5:httpcore5-parent:5.2.4"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache.httpcomponents:httpcomponents-parent:13"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache.httpcomponents:httpcomponents-parent:13"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache.httpcomponents.core5:httpcore5-parent:5.2.4"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache.httpcomponents:httpcomponents-parent:13"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache.httpcomponents:httpcomponents-parent:13"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.9.3"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache.httpcomponents.core5:httpcore5-parent:5.2.4"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.9.3"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.apache.httpcomponents.core5" artifact_id="httpcore5-h2" version="5.2.4"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.apache.httpcomponents.core5" artifact_id="httpcore5-h2" version="5.2.4"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache.httpcomponents.core5:httpcore5-parent:5.2.4"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache.httpcomponents.core5:httpcore5-parent:5.2.4"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="net.bytebuddy" artifact_id="byte-buddy" version="1.14.9"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache.httpcomponents.core5:httpcore5-parent:5.2.4"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache.httpcomponents.core5:httpcore5-parent:5.2.4"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="net.bytebuddy" artifact_id="byte-buddy" version="1.14.9"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="net.bytebuddy:byte-buddy-parent:1.14.9"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="net.bytebuddy:byte-buddy-parent:1.14.9"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="net.bytebuddy:byte-buddy-parent:1.14.9"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.jaxrs" artifact_id="jackson-jaxrs-base" version="2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="net.bytebuddy:byte-buddy-parent:1.14.9"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson.jaxrs:jackson-jaxrs-providers:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson.jaxrs:jackson-jaxrs-providers:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.jaxrs" artifact_id="jackson-jaxrs-base" version="2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson.jaxrs:jackson-jaxrs-providers:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson.jaxrs:jackson-jaxrs-providers:2.17.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.apache.commons" artifact_id="commons-lang3" version="3.14.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.apache.commons" artifact_id="commons-lang3" version="3.14.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:64"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:64"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:30"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:64"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.10.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:64"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.10.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.apache.commons" artifact_id="commons-text" version="1.11.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.apache.commons" artifact_id="commons-text" version="1.11.0"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:64"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:64"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.openjdk.nashorn" artifact_id="nashorn-core" version="15.4"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.bouncycastle" artifact_id="bcutil-jdk18on" version="1.77"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:64"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:64"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.ow2.asm" artifact_id="asm" version="7.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.openjdk.nashorn" artifact_id="nashorn-core" version="15.4"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.ow2.asm" artifact_id="asm" version="7.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.ow2.asm" artifact_id="asm-commons" version="7.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.ow2.asm" artifact_id="asm-commons" version="7.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.ow2.asm" artifact_id="asm-tree" version="7.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.ow2.asm" artifact_id="asm-tree" version="7.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.ow2.asm" artifact_id="asm-util" version="7.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.ow2.asm" artifact_id="asm-util" version="7.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.ow2.asm" artifact_id="asm-analysis" version="7.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Resolving...      group_id="org.ow2.asm" artifact_id="asm-analysis" version="7.3.1"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Start parent      artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Exit parent       artifact="org.ow2:ow2:1.5"
2024-09-19T14:58:00+03:00       DEBUG   OS is not detected.
2024-09-19T14:58:00+03:00       DEBUG   Detected OS: unknown
2024-09-19T14:58:00+03:00       INFO    Number of language-specific files       num=2
2024-09-19T14:58:00+03:00       INFO    [pom] Detecting vulnerabilities...
2024-09-19T14:58:00+03:00       DEBUG   [pom] Scanning packages for vulnerabilities     file_path="bom/pom.xml"
2024-09-19T14:58:00+03:00       DEBUG   [pom] Scanning packages for vulnerabilities     file_path="in/pom.xml"
2024-09-19T14:58:00+03:00       DEBUG   [vex] VEX filtering is disabled

bom/pom.xml (pom)

Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌─────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│             Library             │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├─────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ org.bouncycastle:bcprov-jdk18on │ CVE-2024-29857 │ MEDIUM   │ fixed  │ 1.77              │ 1.78          │ org.bouncycastle: Importing an EC certificate with crafted │
│                                 │                │          │        │                   │               │ F2m parameters may lead to...                              │
│                                 │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-29857                 │
│                                 ├────────────────┤          │        │                   │               ├────────────────────────────────────────────────────────────┤
│                                 │ CVE-2024-30171 │          │        │                   │               │ bc-java: BouncyCastle vulnerable to a timing variant of    │
│                                 │                │          │        │                   │               │ Bleichenbacher (Marvin Attack)                             │
│                                 │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-30171                 │
│                                 ├────────────────┤          │        │                   │               ├────────────────────────────────────────────────────────────┤
│                                 │ CVE-2024-30172 │          │        │                   │               │ org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519  │
│                                 │                │          │        │                   │               │ verification in the ScalarUtil class                       │
│                                 │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-30172                 │
│                                 ├────────────────┼──────────┤        │                   │               ├────────────────────────────────────────────────────────────┤
│                                 │ CVE-2024-34447 │ LOW      │        │                   │               │ org.bouncycastle: Use of Incorrectly-Resolved Name or      │
│                                 │                │          │        │                   │               │ Reference                                                  │
│                                 │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-34447                 │
└─────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

tamir/dan/default-dental                                                                                                                                                                        
▶

Version

Version: 0.55.2
Java DB:
  Version: 1
  UpdatedAt: 2024-08-20 01:05:23.967239003 +0000 UTC
  NextUpdate: 2024-08-23 01:05:23.967238833 +0000 UTC
  DownloadedAt: 2024-08-20 12:49:11.009138 +0000 UTC
Check Bundle:
  Digest: sha256:47361022572537534c4953a9ab7618d1284b5d7eee0d8fc9b1f2aa5aa3c95e02
  DownloadedAt: 2024-05-30 12:18:06.420214 +0000 UTC

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

DmitriyLewen · 2024-09-18T10:17:15Z

DmitriyLewen
Sep 18, 2024
Maintainer

Hello @tamirsinai
Thanks for your report!

Trivy overwrites scope from depManagement from root pom.xml file (test in your case).
But Trivy doesn't check test dependencies - that is why you don't see bcprov-jdk18on:1.78.1 dependencies.

Created #7539 for this task.

Regards, Dmitriy

6 replies

DmitriyLewen Sep 18, 2024
Maintainer

hmm... let me check that.
Perhaps using org.bouncycastle.version also creates the problem.

tamirsinai Sep 18, 2024
Author

@DmitriyLewen Thanks, waiting for your response

DmitriyLewen Sep 19, 2024
Maintainer

Hi @tamirsinai
I'm a bit confused.
I can't reproduce your case.

For me, Trivy skips bcprov-jdk18on and bcpkix-jdk18on dependencies (because it doesn't get the test scope correctly).
But I can't get version 1.77.

Maybe there are some differences between the pom files you sent and yours?

tamirsinai Sep 19, 2024
Author

@DmitriyLewen hey,
its happening when you run trivy from root folder of those files.
i updated the xml files, they didnt paste correctly before, now its fixed. i still added them here and to the main description
bom-pom.txt
in-pom.txt

DmitriyLewen Sep 20, 2024
Maintainer

I found problem:
You are scanning root folder, but in this case Trivy scans 2 files:

in/pom.xml (in this case Trivy also parses bom/pom.xml as a parent of in/pom.xml). In this case Trivy v0.52.2 skips jdk18on dependencies because we are not inheriting scopes correctly (test in this case).
bom/pom.xml file. For this scan Trivy doesn't check in/pom.xml file. That's why Trivy detects 1.77.

You can use -f json --list-all-pkgs flags to see more info about scan.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

false negative in transitive dependency pom.xml maven #7537

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 6 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

false negative in transitive dependency pom.xml maven #7537

tamirsinai Sep 18, 2024

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 1 comment · 6 replies

DmitriyLewen Sep 18, 2024 Maintainer

DmitriyLewen Sep 18, 2024 Maintainer

tamirsinai Sep 18, 2024 Author

DmitriyLewen Sep 19, 2024 Maintainer

tamirsinai Sep 19, 2024 Author

DmitriyLewen Sep 20, 2024 Maintainer

tamirsinai
Sep 18, 2024

Replies: 1 comment 6 replies

DmitriyLewen
Sep 18, 2024
Maintainer

DmitriyLewen Sep 18, 2024
Maintainer

tamirsinai Sep 18, 2024
Author

DmitriyLewen Sep 19, 2024
Maintainer

tamirsinai Sep 19, 2024
Author

DmitriyLewen Sep 20, 2024
Maintainer