docs/guide/coverage/language/java.md
Trivy supports four types of Java scanning: `JAR/WAR/PAR/EAR`, `pom.xml`, `*gradle.lockfile` and `*.sbt.lock` files.

Each artifact supports the following scanners:

| Artifact | SBOM | Vulnerability | License |
|---|---|---|---|
| JAR/WAR/PAR/EAR | ✓ | ✓ | ✓[^1] |
| pom.xml | ✓ | ✓ | ✓ |
| *gradle.lockfile | ✓ | ✓ | ✓ |
| *.sbt.lock | ✓ | ✓ | - |

The following table provides an outline of the features Trivy offers.

| Artifact | Internet access | Dev dependencies | Dependency graph | Position | Detection Priority |
|---|---|---|---|---|---|
| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - | Not needed |
| pom.xml | Maven repository[^2] | Exclude | ✓ | ✓[^3] | - |
| *gradle.lockfile | - | Exclude | ✓ | ✓ | Not needed |
| *.sbt.lock | - | Exclude | - | ✓ | Not needed |

These may be enabled or disabled depending on the target. See here for the detail.
## JAR/WAR/PAR/EAR

To find information about your JAR[^4] file, Trivy parses the `pom.properties` and `MANIFEST.MF` files in your JAR[^4] file and takes the required properties[^5].

If those files don't exist or don't contain enough information, Trivy will try to find this JAR[^4] file in trivy-java-db. The Java DB will be automatically downloaded/updated when any JAR[^4] file is found. It is stored in the cache directory.

!!! warning "EXPERIMENTAL"
    Finding JARs in `trivy-java-db` is an experimental function.

A base JAR[^4] may contain inner JARs[^4] within itself. To find information about these JARs[^4], the same logic is used as for the base JAR[^4].

The `table` format only contains the name of the root JAR[^4]. To get the full path to inner JARs[^4], use the `json` format.
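As an added illustration (not Trivy's own code), the following Python script applies the identification logic described above to a constructed archive: it reads `pom.properties` for the coordinates, falls back to `MANIFEST.MF` when no Maven descriptor exists, recurses into inner JARs, and applies the single-artifact rule that the Licenses section below uses for `LICENSE` files. The manifest attribute names and all coordinates are assumptions of this example, not taken from the page.

```python
import io
import zipfile

def parse_kv(text: str, sep: str) -> dict:
    # Minimal key/value reader shared by pom.properties ("=") and MANIFEST.MF (":").
    props = {}
    for line in text.splitlines():
        if sep in line and not line.startswith(("#", " ")):
            k, v = line.split(sep, 1)
            props[k.strip()] = v.strip()
    return props

def identify_jar(data: bytes, path: str) -> list:
    """(path, groupId, artifactId, version) for this archive and every inner archive.
    pom.properties wins; MANIFEST.MF is a fallback (attribute names are this example's assumption)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                p = parse_kv(z.read(name).decode(), "=")
                found.append((path, p.get("groupId"), p.get("artifactId"), p.get("version")))
            elif name.lower().endswith((".jar", ".war", ".par", ".ear")):
                found.extend(identify_jar(z.read(name), f"{path}/{name}"))  # inner JAR, same logic
        if not any(f[0] == path for f in found) and "META-INF/MANIFEST.MF" in names:
            m = parse_kv(z.read("META-INF/MANIFEST.MF").decode(), ":")
            found.append((path, m.get("Implementation-Vendor-Id"),
                          m.get("Implementation-Title"), m.get("Implementation-Version")))
    return found

def license_file_attachable(found: list, path: str) -> bool:
    # A LICENSE file carries no coordinates: attributable only when the archive holds one artifact.
    return sum(1 for f in found if f[0] == path) == 1

def build_sample_jar() -> bytes:
    # Constructed fixture: a shaded JAR bundling two Maven artifacts plus one inner JAR
    # that carries only a manifest. All coordinates are made up.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Title: inner-lib\n"
                   "Implementation-Version: 2.0.1\nImplementation-Vendor-Id: com.example.inner\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("META-INF/maven/com.example/app-core/pom.properties",
                   "#generated\nversion=1.4.2\ngroupId=com.example\nartifactId=app-core\n")
        z.writestr("META-INF/maven/org.example/util/pom.properties",
                   "groupId=org.example\nartifactId=util\nversion=3.1.0\n")
        z.writestr("lib/inner-lib-2.0.1.jar", inner.getvalue())
    return outer.getvalue()
```

Running `identify_jar(build_sample_jar(), "app.jar")` yields three entries: two for the shaded artifacts and one, found via the manifest fallback, for the inner JAR; only the inner JAR qualifies for license-file attribution.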
### Licenses

Trivy detects licenses for a JAR[^4] from two sources, in this order:

1. The `<licenses>` block of the embedded `META-INF/maven/<groupId>/<artifactId>/pom.xml`, matched to the package by `groupId:artifactId`.
2. `LICENSE`, `LICENCE` or `COPYRIGHT` files (including variants like `LICENSE.txt`) located at the JAR[^4] root or directly under `META-INF/`. Their content is classified with the license classifier. A license file carries no `groupId:artifactId`, so it is attached only when the JAR[^4] contains a single artifact; in uber/shaded JARs[^4] (multiple artifacts) the owner is ambiguous and such files are skipped.

Notes and limitations:

- pom.xml) or ship no Maven descriptor at all.

## pom.xml

Trivy parses your `pom.xml` file and tries to find files with dependencies from these local locations:

- project directory[^6]
- `relativePath` field[^7]
- local repository directory[^8]

If your machine doesn't have the necessary files, Trivy tries to find the information about these dependencies in the remote repositories:

Trivy reproduces Maven's repository selection and priority:
!!! Note
    Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the Maven repository.
    Information about the data sources for Java can be found here.

    You can disable connecting to the Maven repository with the `--offline-scan` flag.
    The `--offline-scan` flag does not affect the Trivy database.
    The vulnerability database will be downloaded anyway.

!!! Warning
    Trivy may skip some dependencies (that were not found on your local machine) when the `--offline-scan` flag is passed.
### Maven scopes

Trivy only scans the `import`, `compile`, `runtime` and empty Maven scopes. Other scopes and `optional` dependencies are not currently analyzed.
### Empty dependency version

There are cases when Trivy cannot determine the version of dependencies:

In these cases, Trivy uses an empty version for the dependency.

!!! Warning
    Trivy doesn't detect child dependencies for dependencies without a version.
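As an added example (not Trivy's code), this Python snippet applies the scope and version rules above to a constructed `pom.xml`: dependencies in other scopes or marked `optional` are dropped, `${property}` references are expanded, and a version that cannot be resolved is recorded as empty. The property-based resolution is a simplification standing in for the cases listed above, and every coordinate is made up.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
SCANNED_SCOPES = {"", "compile", "runtime", "import"}  # scopes Trivy analyzes, per the docs above

# Constructed sample pom.xml; all coordinates are made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><web.version>2.3.0</web.version></properties>
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>core</artifactId><version>1.0.0</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>web</artifactId><version>${web.version}</version><scope>runtime</scope></dependency>
    <dependency><groupId>com.example</groupId><artifactId>junit-like</artifactId><version>5.0.0</version><scope>test</scope></dependency>
    <dependency><groupId>com.example</groupId><artifactId>extra</artifactId><version>1.0.0</version><optional>true</optional></dependency>
    <dependency><groupId>com.example</groupId><artifactId>unresolved</artifactId><version>${lib.version}</version></dependency>
  </dependencies>
</project>"""

def child_text(el, tag: str) -> str:
    node = el.find(f"m:{tag}", NS)
    return (node.text or "").strip() if node is not None else ""

def resolve_version(version: str, props: dict) -> str:
    # Expand ${property}; a reference with no definition (here: lib.version, imagined to live
    # only in an unreachable parent) stands in for the cases where the version stays empty.
    m = re.fullmatch(r"\$\{([^}]+)\}", version)
    return props.get(m.group(1), "") if m else version

def scanned_dependencies(pom_xml: str) -> list:
    """Return (groupId:artifactId, version) for the dependencies Trivy would analyze."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip() for p in root.findall("m:properties/*", NS)}
    result = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if child_text(dep, "scope") not in SCANNED_SCOPES or child_text(dep, "optional") == "true":
            continue  # test/provided/system scopes and optional dependencies are not analyzed
        coords = f"{child_text(dep, 'groupId')}:{child_text(dep, 'artifactId')}"
        result.append((coords, resolve_version(child_text(dep, "version"), props)))
    return result
```

For the sample above, `scanned_dependencies(SAMPLE_POM)` keeps `core`, `web` (with the expanded version) and `unresolved` (with an empty version), and drops the `test`-scoped and `optional` entries.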
### maven-invoker-plugin

Typically, the integration tests directory (`**/[src|target]/it/*/pom.xml`) of maven-invoker-plugin doesn't contain actual `pom.xml` files and should be skipped to avoid noise.

Trivy marks dependencies from these files as development dependencies and skips them by default.
If you need to show them, use the `--include-dev-deps` flag.
## Gradle.lock

`gradle.lock` files only contain information about used dependencies.

!!! note
    All necessary files are checked locally. Gradle file scanning doesn't require internet access.

### Dev dependencies

By default, Trivy doesn't report development dependencies.
Use the `--include-dev-deps` flag to include them in the results.
### Dependency tree

!!! warning "EXPERIMENTAL"
    This feature might change without preserving backwards compatibility.

Trivy finds child dependencies from `*.pom` files in the cache[^9] directory.

But there is no reliable way to determine direct dependencies (even using other files). Therefore, we mark all dependencies as indirect and use heuristics to guess the direct dependencies and build a dependency tree.

### Licenses

Trivy can also detect licenses for dependencies.

Make sure that you have the cache[^9] directory so that licenses can be read from the `*.pom` dependency files.
## SBT

`build.sbt.lock` files only contain information about used dependencies. This requires a lockfile generated using the
sbt-dependency-lock plugin.

!!! note
    All necessary files are checked locally. SBT file scanning doesn't require internet access.
[^2]: Uses the Maven repository to get information about dependencies. Internet access required.
[^3]: To avoid confusion, Trivy only finds locations for direct dependencies from the base `pom.xml` file.
[^4]: It means `*.jar`, `*.war`, `*.par` and `*.ear` files.
[^5]: `ArtifactID`, `GroupID` and `Version`.
[^6]: e.g. when the parent `pom.xml` file has the `../pom.xml` path.
[^7]: When you use a dependency path in the `relativePath` field of the `pom.xml` file.
[^8]: `/Users/<username>/.m2/repository` (for Linux and Mac) and `C:/Users/<username>/.m2/repository` (for Windows) by default.
[^9]: The supported directories are `$GRADLE_USER_HOME/caches` and `$HOME/.gradle/caches` (`%HOMEPATH%\.gradle\caches` for Windows).