Infinite recursion when resolving dependencies #5125

kiwiz · 2023-09-05T20:24:50Z

kiwiz
Sep 5, 2023

Description

Trivy fails to correctly scan the pom.xml included in the Reproduction Steps.

Desired Behavior

The scan should finish/not loop forever.

Actual Behavior

The scan recurses infinitely and eventually triggers a Stack overflow.

Reproduction Steps

1. Create a pom.xml file with the following contents:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency>
      <groupId>com.google.inject</groupId>
      <artifactId>guice</artifactId>
      <version>4.2.3</version>
    </dependency>
  </dependencies>
</project>

2. Run `trivy filesystem pom.xml --scanners vuln

Target

Filesystem

Scanner

Vulnerability

Output Format

SARIF

Mode

Standalone

Debug Output

2023-09-05T16:23:39.547-0400    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-09-05T16:23:39.548-0400    DEBUG   Ignore statuses {"statuses": null}
2023-09-05T16:23:39.592-0400    DEBUG   cache dir:  /Users/user/Library/Caches/trivy
2023-09-05T16:23:39.593-0400    DEBUG   DB update was skipped because the local DB is the latest
2023-09-05T16:23:39.593-0400    DEBUG   DB Schema: 2, UpdatedAt: 2023-09-05 18:20:23.243743326 +0000 UTC, NextUpdate: 2023-09-06 00:20:23.243742926 +0000 UTC, DownloadedAt: 2023-09-05
 20:21:33.145289 +0000 UTC
2023-09-05T16:23:39.593-0400    INFO    Vulnerability scanning is enabled
2023-09-05T16:23:39.593-0400    DEBUG   Vulnerability type:  [os library]
2023-09-05T16:23:39.593-0400    DEBUG   Walk the file tree rooted at 'pom.xml' in parallel
2023-09-05T16:23:39.594-0400    DEBUG   Resolving com.google.inject:guice:4.2.3...
2023-09-05T16:23:39.594-0400    DEBUG   Start parent: com.google.inject:guice-parent:4.2.3
2023-09-05T16:23:39.595-0400    DEBUG   Start parent: com.google:google:5
2023-09-05T16:23:39.596-0400    DEBUG   Exit parent: com.google:google:5
2023-09-05T16:23:39.596-0400    DEBUG   Exit parent: com.google.inject:guice-parent:4.2.3
2023-09-05T16:23:39.596-0400    DEBUG   Resolving javax.inject:javax.inject:1...
2023-09-05T16:23:39.596-0400    DEBUG   Resolving aopalliance:aopalliance:1.0...
2023-09-05T16:23:39.596-0400    DEBUG   Resolving com.google.guava:guava:27.1-jre...
2023-09-05T16:23:39.596-0400    DEBUG   Start parent: com.google.guava:guava-parent:27.1-jre
2023-09-05T16:23:39.597-0400    DEBUG   Start parent: org.sonatype.oss:oss-parent:9
2023-09-05T16:23:39.597-0400    DEBUG   Exit parent: org.sonatype.oss:oss-parent:9
2023-09-05T16:23:39.597-0400    DEBUG   Exit parent: com.google.guava:guava-parent:27.1-jre
2023-09-05T16:23:39.597-0400    DEBUG   Resolving com.google.guava:failureaccess:1.0.1...
2023-09-05T16:23:39.597-0400    DEBUG   Start parent: com.google.guava:guava-parent:26.0-android
2023-09-05T16:23:39.598-0400    DEBUG   Start parent: org.sonatype.oss:oss-parent:9
2023-09-05T16:23:39.598-0400    DEBUG   Exit parent: org.sonatype.oss:oss-parent:9
2023-09-05T16:23:39.598-0400    DEBUG   Exit parent: com.google.guava:guava-parent:26.0-android
2023-09-05T16:23:39.598-0400    DEBUG   Resolving com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava...
2023-09-05T16:23:39.598-0400    DEBUG   Start parent: com.google.guava:guava-parent:26.0-android
2023-09-05T16:23:39.598-0400    DEBUG   Exit parent: com.google.guava:guava-parent:26.0-android
2023-09-05T16:23:39.598-0400    DEBUG   Resolving com.google.code.findbugs:jsr305:3.0.2...
2023-09-05T16:23:39.598-0400    DEBUG   Start parent: com.google.code.findbugs:jsr305:3.0.2
2023-09-05T16:23:39.599-0400    DEBUG   Start parent: com.google.code.findbugs:jsr305:3.0.2
...

Operating System

macOS Ventura

Version

0.45.0

Checklist

Run trivy image --reset
Read the troubleshooting

nikpivkin · 2023-09-06T04:56:44Z

nikpivkin
Sep 6, 2023
Maintainer

Hi @kiwiz !

I scanned your pom.xml and I didn't have any problems:

trivy filesystem pom.xml --scanners vuln -d
2023-09-06T11:54:19.721+0700    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-09-06T11:54:19.722+0700    DEBUG   Ignore statuses {"statuses": null}
2023-09-06T11:54:19.753+0700    DEBUG   cache dir:  /Users/tososomaru/Library/Caches/trivy
2023-09-06T11:54:19.753+0700    DEBUG   DB update was skipped because the local DB is the latest
2023-09-06T11:54:19.753+0700    DEBUG   DB Schema: 2, UpdatedAt: 2023-09-06 00:18:07.72565789 +0000 UTC, NextUpdate: 2023-09-06 06:18:07.72565749 +0000 UTC, DownloadedAt: 2023-09-06 04:50:56.531946 +0000 UTC
2023-09-06T11:54:19.753+0700    DEBUG   Module dir: /Users/tososomaru/.trivy/modules
2023-09-06T11:54:19.753+0700    INFO    Vulnerability scanning is enabled
2023-09-06T11:54:19.753+0700    DEBUG   Vulnerability type:  [os library]
2023-09-06T11:54:19.753+0700    DEBUG   Walk the file tree rooted at 'pom.xml' in parallel
2023-09-06T11:54:19.753+0700    DEBUG   Resolving com.google.inject:guice:4.2.3...
2023-09-06T11:54:19.754+0700    DEBUG   Start parent: com.google.inject:guice-parent:4.2.3
2023-09-06T11:54:19.755+0700    DEBUG   Start parent: com.google:google:5
2023-09-06T11:54:19.755+0700    DEBUG   Exit parent: com.google:google:5
2023-09-06T11:54:19.755+0700    DEBUG   Exit parent: com.google.inject:guice-parent:4.2.3
2023-09-06T11:54:19.755+0700    DEBUG   Resolving javax.inject:javax.inject:1...
2023-09-06T11:54:19.755+0700    DEBUG   Resolving aopalliance:aopalliance:1.0...
2023-09-06T11:54:19.755+0700    DEBUG   Resolving com.google.guava:guava:27.1-jre...
2023-09-06T11:54:19.755+0700    DEBUG   Start parent: com.google.guava:guava-parent:27.1-jre
2023-09-06T11:54:19.756+0700    DEBUG   Start parent: org.sonatype.oss:oss-parent:9
2023-09-06T11:54:19.756+0700    DEBUG   Exit parent: org.sonatype.oss:oss-parent:9
2023-09-06T11:54:19.756+0700    DEBUG   Exit parent: com.google.guava:guava-parent:27.1-jre
2023-09-06T11:54:19.756+0700    DEBUG   Resolving com.google.guava:failureaccess:1.0.1...
2023-09-06T11:54:19.756+0700    DEBUG   Start parent: com.google.guava:guava-parent:26.0-android
2023-09-06T11:54:19.756+0700    DEBUG   Start parent: org.sonatype.oss:oss-parent:9
2023-09-06T11:54:19.756+0700    DEBUG   Exit parent: org.sonatype.oss:oss-parent:9
2023-09-06T11:54:19.756+0700    DEBUG   Exit parent: com.google.guava:guava-parent:26.0-android
2023-09-06T11:54:19.756+0700    DEBUG   Resolving com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava...
2023-09-06T11:54:19.757+0700    DEBUG   Start parent: com.google.guava:guava-parent:26.0-android
2023-09-06T11:54:19.757+0700    DEBUG   Exit parent: com.google.guava:guava-parent:26.0-android
2023-09-06T11:54:19.757+0700    DEBUG   Resolving com.google.code.findbugs:jsr305:3.0.2...
2023-09-06T11:54:19.757+0700    DEBUG   Start parent: org.sonatype.oss:oss-parent:7
2023-09-06T11:54:19.757+0700    DEBUG   Exit parent: org.sonatype.oss:oss-parent:7
2023-09-06T11:54:19.757+0700    DEBUG   Resolving org.checkerframework:checker-qual:2.5.2...
2023-09-06T11:54:19.757+0700    DEBUG   Resolving com.google.errorprone:error_prone_annotations:2.2.0...
2023-09-06T11:54:19.757+0700    DEBUG   Start parent: com.google.errorprone:error_prone_parent:2.2.0
2023-09-06T11:54:19.757+0700    DEBUG   Start parent: org.sonatype.oss:oss-parent:7
2023-09-06T11:54:19.757+0700    DEBUG   Exit parent: org.sonatype.oss:oss-parent:7
2023-09-06T11:54:19.757+0700    DEBUG   Exit parent: com.google.errorprone:error_prone_parent:2.2.0
2023-09-06T11:54:19.757+0700    DEBUG   Resolving com.google.j2objc:j2objc-annotations:1.1...
2023-09-06T11:54:19.757+0700    DEBUG   Start parent: org.sonatype.oss:oss-parent:7
2023-09-06T11:54:19.757+0700    DEBUG   Exit parent: org.sonatype.oss:oss-parent:7
2023-09-06T11:54:19.757+0700    DEBUG   Resolving org.codehaus.mojo:animal-sniffer-annotations:1.17...
2023-09-06T11:54:19.757+0700    DEBUG   Start parent: org.codehaus.mojo:animal-sniffer-parent:1.17
2023-09-06T11:54:19.757+0700    DEBUG   Start parent: org.codehaus.mojo:mojo-parent:40
2023-09-06T11:54:19.758+0700    DEBUG   Exit parent: org.codehaus.mojo:mojo-parent:40
2023-09-06T11:54:19.758+0700    DEBUG   Exit parent: org.codehaus.mojo:animal-sniffer-parent:1.17
2023-09-06T11:54:19.774+0700    DEBUG   OS is not detected.
2023-09-06T11:54:19.774+0700    DEBUG   Detected OS: unknown
2023-09-06T11:54:19.774+0700    INFO    Number of language-specific files: 1
2023-09-06T11:54:19.774+0700    INFO    Detecting pom vulnerabilities...
2023-09-06T11:54:19.774+0700    DEBUG   Detecting library vulnerabilities, type: pom, path: pom.xml

pom.xml (pom)

Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│        Library         │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ com.google.guava:guava │ CVE-2023-2976 │ HIGH     │ fixed  │ 27.1-jre          │ 32.0.0        │ insecure temporary directory creation                        │
│                        │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2976                    │
│                        ├───────────────┼──────────┤        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                        │ CVE-2020-8908 │ LOW      │        │                   │ 30.0          │ local information disclosure via temporary directory created │
│                        │               │          │        │                   │               │ with unsafe permissions                                      │
│                        │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8908                    │
└────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

0 replies

kiwiz · 2023-09-07T13:55:00Z

kiwiz
Sep 7, 2023
Author

Thanks for the fast response! I can confirm this doesn't happen on a different host or with the image, so it's something specific to my environment.

0 replies

kiwiz · 2023-09-07T13:58:17Z

kiwiz
Sep 7, 2023
Author

Found it - there was a bad entry in my cache (~/.m2)

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Infinite recursion when resolving dependencies #5125

{{title}}

Replies: 3 comments

{{title}}

{{title}}

{{title}}

Select a reply

Infinite recursion when resolving dependencies #5125

kiwiz Sep 5, 2023

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 3 comments

nikpivkin Sep 6, 2023 Maintainer

kiwiz Sep 7, 2023 Author

kiwiz Sep 7, 2023 Author

kiwiz
Sep 5, 2023

nikpivkin
Sep 6, 2023
Maintainer

kiwiz
Sep 7, 2023
Author

kiwiz
Sep 7, 2023
Author