Trivy can find vulnerable Maven packages within a Java JAR file, but it does so by first extracting the pom.xml and its dependencies.
Here’s how to use Trivy to scan a JAR file for vulnerable Maven packages:
trivy fs --java-deps path/to/your/application.jar
This command will:
- Extract pom.xml: Trivy will look for the pom.xml file within the JAR. If it’s not at the root, it might not be found unless the JAR is structured in a specific way (e.g., a fat JAR with META-INF/maven/groupId/artifactId/pom.xml).
- Resolve Dependencies: It then attempts to resolve the direct and transitive dependencies listed in the pom.xml. This resolution process typically requires access to a Maven repository (like Maven Central).
- Scan for Vulnerabilities: Finally, Trivy queries its vulnerability database for known CVEs affecting the identified dependency versions.
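To make the extraction step concrete, here is an added Python example (not Trivy's own code) that walks a constructed fat JAR for META-INF/maven/<groupId>/<artifactId>/ entries, reads both pom.properties and pom.xml, interpolates ${spring.version}-style properties, and lists the coordinates a scanner would then look up. The JAR contents, SAMPLE_POM and the helper names are constructed for this example.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
NS = "{http://maven.apache.org/POM/4.0.0}"
PROP_RE = re.compile(r"\$\{([^}]+)\}")
# Constructed sample: the page's pom.xml, trimmed to the elements the extraction step reads.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>my-app</artifactId><version>1.0-SNAPSHOT</version>
  <properties><spring.version>5.3.23</spring.version></properties>
  <dependencies>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>2.14.1</version></dependency>
  </dependencies>
</project>"""
def parse_pom(xml_bytes):
    """Return (module, deps) as (groupId, artifactId, version) tuples, resolving ${...} via <properties>/<parent>."""
    root = ET.fromstring(xml_bytes)
    def text(path, node=root):  # namespace-aware lookup of a (possibly nested) child element's text
        el = node.find(NS + path.replace("/", "/" + NS))
        return el.text.strip() if el is not None and el.text else None
    props = {p.tag[len(NS):]: (p.text or "").strip() for p in root.findall(f"{NS}properties/*")}
    # Maven lets a module inherit groupId/version from its <parent>, so fall back to that.
    module = (text("groupId") or text("parent/groupId"), text("artifactId"), text("version") or text("parent/version"))
    props.update({"project.groupId": module[0], "project.version": module[2]})
    def interp(val):  # an unresolvable ${...} is left as-is so it stays visible in the output
        return PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), val or "")
    deps = [tuple(interp(text(f, d)) for f in ("groupId", "artifactId", "version"))
            for d in root.findall(f"{NS}dependencies/{NS}dependency")]
    return module, deps
def jar_coordinates(jar_bytes):
    """Collect every coordinate under META-INF/maven/ (bundled pom.properties plus embedded pom.xml)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                kv = dict(ln.split("=", 1) for ln in z.read(name).decode().splitlines()
                          if "=" in ln and not ln.startswith("#"))
                found.add((kv["groupId"], kv["artifactId"], kv["version"]))
            elif name.startswith("META-INF/maven/") and name.endswith("/pom.xml"):
                module, deps = parse_pom(z.read(name))
                found.update([module, *deps])
    return sorted(found)  # e.g. ("org.springframework", "spring-core", "5.3.23")
def build_sample_jar():
    """Constructed fat JAR: the sample pom.xml plus the pom.properties Maven ships inside log4j-core."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/maven/com.example/my-app/pom.xml", SAMPLE_POM)
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                   "#Generated by Maven\nversion=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
    return buf.getvalue()
```

Each tuple returned by jar_coordinates is what gets matched against a vulnerability database; a property the pom cannot resolve is left as the literal ${...} so a reviewer notices that the version is unknown rather than silently dropping the dependency.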
Example Scenario and Output:
Let’s say you have a simple Maven project that produces my-app.jar.
src/main/java/com/example/App.java (irrelevant for this scan)
pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.example</groupId>
    <artifactId>my-app</artifactId>
    <version>1.0-SNAPSHOT</version>
    <properties>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
        <spring.version>5.3.23</spring.version> <!-- A known vulnerable version -->
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-core</artifactId>
            <version>${spring.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-context</artifactId>
            <version>${spring.version}</version>
        </dependency>
        <!-- Add a slightly older, potentially vulnerable version of Log4j -->
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.14.1</version> <!-- Vulnerable to Log4Shell -->
        </dependency>
    </dependencies>
</project>
After building this project (mvn package), you’d get target/my-app-1.0-SNAPSHOT.jar.
Running Trivy:
trivy fs --java-deps target/my-app-1.0-SNAPSHOT.jar
Trivy’s output might look something like this:
my-app-1.0-SNAPSHOT.jar (com.example:my-app:1.0-SNAPSHOT)
=======================
Total: 2 vulnerabilities (2 HIGH, 0 CRITICAL)
HIGH
====
Vulnerability ID: CVE-2022-22965
Installed Version: 5.3.23