Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ignoring Java test dependencies #985

Open
lossurdo opened this issue Nov 7, 2022 · 3 comments · May be fixed by #1345
Open

Ignoring Java test dependencies #985

lossurdo opened this issue Nov 7, 2022 · 3 comments · May be fixed by #1345
Labels
enhancement New feature or request

Comments

@lossurdo
Copy link

lossurdo commented Nov 7, 2022

What would you like to be added:

Some way to ignore Java test dependencies like this vulnerable-legacy log4j:

<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.17</version>
    <scope>test</scope>
</dependency>

Why is this needed:

Test libs are not packaged in final JAR/WAR file. Scope "provided" is not package too.

Additional context:

Grype reporting log4j test libs:

log4j                 1.2.17                       java-archive  CVE-2022-23307       High
log4j                 1.2.17                       java-archive  GHSA-2qrg-x229-3v8q  Critical
log4j                 1.2.17                       java-archive  CVE-2022-23305       Critical
log4j                 1.2.17                       java-archive  GHSA-w9p3-5cr8-m3jj  High
log4j                 1.2.17                       java-archive  CVE-2020-9493        Critical
log4j                 1.2.17                       java-archive  CVE-2022-23302       High
log4j                 1.2.17                       java-archive  CVE-2019-17571       Critical
log4j                 1.2.17                       java-archive  GHSA-65fg-84f6-3jq3  Critical
log4j                 1.2.17                       java-archive  GHSA-fp5r-v3w9-4333  High
@lossurdo lossurdo added the enhancement New feature or request label Nov 7, 2022
@kzantow
Copy link
Contributor

kzantow commented Nov 8, 2022

This sounds like a very good enhancement @lossurdo.

It seems to me there is a possibility that a test dependency gets hijacked and results in executing malicious code of some sort during test runs, so this information would probably be good to include by default.

But adding a flag to the Java cataloger to only include "packaged" dependencies or something of the sort might be fairly straightforward. Would this accomplish what you are looking for?

@kzantow kzantow added this to OSS Nov 8, 2022
@kzantow
Copy link
Contributor

kzantow commented Nov 10, 2022

I think what we might like to do here is:

  1. if scanning a jar that has an embedded pom.xml, we would assume this is a runtime dependency and exclude test, provided and maybe more
  2. if scanning source, we probably want to include test dependencies because these will be executed while running tests, perhaps we add a flag to omit these

cc: @wagoodman

@lossurdo
Copy link
Author

lossurdo commented Nov 10, 2022

Hi @kzantow!

Maybe something like this on Grype ignoring YAML:

ignore:
  - pom:
      scope: test

ignore:
  - pom:
      scope: provided

No matter if pom.xml is found on source code or inside a WAR/EAR file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
Status: Backlog
Development

Successfully merging a pull request may close this issue.

2 participants