Trivy is missing some of jackson-mapper-asl vulnerabilities

[MaciejBala]

IDs

CVE-2019-14439, CVE-2019-12086, CVE-2018-5968, CVE-2020-36188, CVE-2020-36189, CVE-2020-36183, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182

Description

Hi,

Trivy DOES list jackson-mapper-asl related vulnerabilities, but only two of them - CVE-2019-10202 and CVE-2019-10172. And it's fine, as it is the same amout that maven lists for this version.

What I do not understand is the following.
We've got a jFrog raport for our application image that lists above mentioned vulnerabilities. There's more, 58 in total.

JFrog lists vulnerabilities found in:

myApplicationName.jar/BOOT-INF/lib/jackson-mapper-asl-1.9.13.jar

So I thought that JFrog found all of these in myApplicationName.jar\BOOT-INF\lib\jackson-mapper-asl-1.9.13.jar\META-INF\MANIFEST.MF
as this is what I've found inside :), So it seems like a good hint, but Trivy does list some of them, so I don't know where the difference comes from.

Manifest-Version: 1.0 Export-Package: org.codehaus.jackson.schema;uses:="org.codehaus.jackso n.node,org.codehaus.jackson.map,org.codehaus.jackson.annotate,org.cod ehaus.jackson";version="1.9.13",org.codehaus.jackson.map.deser.impl;u ses:="org.codehaus.jackson.map.type,org.codehaus.jackson.type,org.cod ehaus.jackson.map.deser,org.codehaus.jackson.map,org.codehaus.jackson .util,org.codehaus.jackson.map.introspect,org.codehaus.jackson,org.co dehaus.jackson.map.deser.std,org.codehaus.jackson.map.util";version=" 1.9.13",org.codehaus.jackson.map.exc;uses:="org.codehaus.jackson.map, org.codehaus.jackson";version="1.9.13",org.codehaus.jackson.map.annot ate;uses:="org.codehaus.jackson.map,org.codehaus.jackson.annotate";ve rsion="1.9.13",org.codehaus.jackson.map.ser.std;uses:="org.codehaus.j ackson.schema,org.codehaus.jackson.map.annotate,org.codehaus.jackson. map.ser.impl,org.codehaus.jackson.map.type,org.codehaus.jackson.type, org.codehaus.jackson.io,org.codehaus.jackson.node,org.codehaus.jackso n.map,org.codehaus.jackson.util,org.codehaus.jackson.map.introspect,o rg.codehaus.jackson.map.util,org.codehaus.jackson,org.codehaus.jackso n.map.ser";version="1.9.13",org.codehaus.jackson.map.ser.impl;uses:=" org.codehaus.jackson.io,org.codehaus.jackson.map,org.codehaus.jackson .map.ser.std,org.codehaus.jackson,org.codehaus.jackson.map.ser,org.co dehaus.jackson.type";version="1.9.13",org.codehaus.jackson.map.type;u ses:="org.codehaus.jackson.map,org.codehaus.jackson.map.util,org.code haus.jackson,org.codehaus.jackson.type";version="1.9.13",org.codehaus .jackson.map.module;uses:="org.codehaus.jackson.map.deser,org.codehau s.jackson.map,org.codehaus.jackson.map.type,org.codehaus.jackson,org. codehaus.jackson.type";version="1.9.13",org.codehaus.jackson.node;use s:="org.codehaus.jackson.io,org.codehaus.jackson.map,org.codehaus.jac kson.util,org.codehaus.jackson.impl,org.codehaus.jackson";version="1. 9.13",org.codehaus.jackson.map.ext;uses:="org.codehaus.jackson.map.se r.std,javax.xml.parsers,org.codehaus.jackson.type,org.w3c.dom,org.xml .sax,javax.xml.datatype,javax.xml.namespace,org.codehaus.jackson.node ,org.codehaus.jackson.map,org.codehaus.jackson,org.codehaus.jackson.m ap.deser.std,org.codehaus.jackson.map.util";version="1.9.13",org.code haus.jackson.map;uses:="org.codehaus.jackson.format,org.codehaus.jack son.schema,org.codehaus.jackson.map.annotate,org.codehaus.jackson.ann otate,org.codehaus.jackson.map.type,org.codehaus.jackson.type,org.cod ehaus.jackson.io,org.codehaus.jackson.node,org.codehaus.jackson.map.d eser,org.codehaus.jackson.util,org.codehaus.jackson.map.introspect,or g.codehaus.jackson.map.jsontype,org.codehaus.jackson,org.codehaus.jac kson.map.util,org.codehaus.jackson.map.ser,org.codehaus.jackson.map.j sontype.impl";version="1.9.13",org.codehaus.jackson.map.deser;uses:=" org.codehaus.jackson.map.exc,org.codehaus.jackson.map.deser.impl,org. codehaus.jackson.map.annotate,org.codehaus.jackson.annotate,org.codeh aus.jackson.map.type,org.codehaus.jackson.type,org.codehaus.jackson.i o,org.codehaus.jackson.node,org.codehaus.jackson.map.ext,org.codehaus .jackson.map,org.codehaus.jackson.util,org.codehaus.jackson.map.intro spect,org.codehaus.jackson.map.jsontype,org.codehaus.jackson.map.util ,org.codehaus.jackson,org.codehaus.jackson.map.deser.std";version="1. 9.13",org.codehaus.jackson.map.introspect;uses:="org.codehaus.jackson .map.annotate,org.codehaus.jackson.map.ser.std,org.codehaus.jackson.a nnotate,org.codehaus.jackson.map.type,org.codehaus.jackson.type,org.c odehaus.jackson.map,org.codehaus.jackson.map.jsontype,org.codehaus.ja ckson.map.util,org.codehaus.jackson.map.jsontype.impl";version="1.9.1 3",org.codehaus.jackson.map.jsontype;uses:="org.codehaus.jackson.map, org.codehaus.jackson.annotate,org.codehaus.jackson.map.introspect,org .codehaus.jackson.type";version="1.9.13",org.codehaus.jackson.map.uti l;uses:="org.codehaus.jackson.io,org.codehaus.jackson.map,org.codehau s.jackson.map.type,org.codehaus.jackson.map.introspect,org.codehaus.j ackson,org.codehaus.jackson.type";version="1.9.13",org.codehaus.jacks on.map.deser.std;uses:="org.codehaus.jackson.map.deser.impl,org.codeh aus.jackson.map.annotate,org.codehaus.jackson.map.type,org.codehaus.j ackson.type,org.codehaus.jackson.io,org.codehaus.jackson.node,org.cod ehaus.jackson.map,org.codehaus.jackson.map.deser,org.codehaus.jackson .util,org.codehaus.jackson.map.introspect,org.codehaus.jackson,org.co dehaus.jackson.map.util";version="1.9.13",org.codehaus.jackson.map.js ontype.impl;uses:="org.codehaus.jackson.annotate,org.codehaus.jackson .map.type,org.codehaus.jackson.type,org.codehaus.jackson.map,org.code haus.jackson.util,org.codehaus.jackson.map.introspect,org.codehaus.ja ckson.map.jsontype,org.codehaus.jackson,org.codehaus.jackson.map.util ";version="1.9.13",org.codehaus.jackson.map.ser;uses:="org.codehaus.j ackson.map.annotate,org.codehaus.jackson.node,org.codehaus.jackson.ma p.ext,org.codehaus.jackson.map,org.codehaus.jackson.map.introspect,or g.codehaus.jackson.map.jsontype,org.codehaus.jackson.map.util,org.cod ehaus.jackson.schema,org.codehaus.jackson.map.ser.std,org.codehaus.ja ckson.map.ser.impl,org.codehaus.jackson.map.type,org.codehaus.jackson .type,org.codehaus.jackson.io,org.codehaus.jackson.util,org.codehaus. jackson";version="1.9.13" Private-Package: org.codehaus.jackson.map.ext Implementation-Title: Data mapper for Jackson JSON processor Implementation-Version: 1.9.13 Built-By: tsaloranta Tool: Bnd-unknown version Bundle-Name: Data mapper for Jackson JSON processor Created-By: 1.7.0_10-ea (Oracle Corporation) Bundle-RequiredExecutionEnvironment: J2SE-1.5, JavaSE-1.6 Implementation-Vendor: http://fasterxml.com DynamicImport-Package: org.joda.time, org.joda.time.format, org.w3c.d om.ls, org.w3c.dom.bootstrap Bundle-Vendor: http://fasterxml.com Bundle-Version: 1.9.13 Bnd-LastModified: 1373857386892 Bundle-ManifestVersion: 2 Bundle-License: http://www.apache.org/licenses/LICENSE-2.0.txt Import-Package: javax.xml.datatype,javax.xml.namespace,javax.xml.parse rs,org.codehaus.jackson;version="1.9.13",org.codehaus.jackson.annotat e;version="1.9.13",org.codehaus.jackson.format;version="1.9.13",org.c odehaus.jackson.impl;version="1.9.13",org.codehaus.jackson.io;version ="1.9.13",org.codehaus.jackson.type;version="1.9.13",org.codehaus.jac kson.util;version="1.9.13",org.w3c.dom,org.xml.sax Bundle-SymbolicName: jackson-mapper-asl

Reproduction Steps

1. Generate report with Trivy
2. Generate report with JFrog
3. Compare

Target

Container Image

Scanner

Vulnerability

Target OS

No response

Debug Output

Vulnerabilites have not been detected.

Version

0.56.2

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @MaciejBala

Usually maven includes pom.properties file or jar file for each dependency used.
That is why we check these files to find dependencies.

To detect GAV (GroupID, ArtifactID and Version) of scanned jar file - we also check MANIFEST.MF file.
https://aquasecurity.github.io/trivy/v0.57/docs/coverage/language/java/#jarwarparear
But we don't get dependencies from MANIFEST.MF file.
MANIFEST.MF does not have a strict format.
so we do not check and validate all strings
The list of supported strings can be found here:

trivy/pkg/dependency/parser/java/jar/parse.go

Lines 334 to 355 in a7a304d

	switch {
	case strings.HasPrefix(line, "Implementation-Version:"):
	m.implementationVersion = strings.TrimPrefix(line, "Implementation-Version:")
	case strings.HasPrefix(line, "Implementation-Title:"):
	m.implementationTitle = strings.TrimPrefix(line, "Implementation-Title:")
	case strings.HasPrefix(line, "Implementation-Vendor:"):
	m.implementationVendor = strings.TrimPrefix(line, "Implementation-Vendor:")
	case strings.HasPrefix(line, "Implementation-Vendor-Id:"):
	m.implementationVendorId = strings.TrimPrefix(line, "Implementation-Vendor-Id:")
	case strings.HasPrefix(line, "Specification-Version:"):
	m.specificationVersion = strings.TrimPrefix(line, "Specification-Version:")
	case strings.HasPrefix(line, "Specification-Title:"):
	m.specificationTitle = strings.TrimPrefix(line, "Specification-Title:")
	case strings.HasPrefix(line, "Specification-Vendor:"):
	m.specificationVendor = strings.TrimPrefix(line, "Specification-Vendor:")
	case strings.HasPrefix(line, "Bundle-Version:"):
	m.bundleVersion = strings.TrimPrefix(line, "Bundle-Version:")
	case strings.HasPrefix(line, "Bundle-Name:"):
	m.bundleName = strings.TrimPrefix(line, "Bundle-Name:")
	case strings.HasPrefix(line, "Bundle-SymbolicName:"):
	m.bundleSymbolicName = strings.TrimPrefix(line, "Bundle-SymbolicName:")
	}

Regards, Dmitriy