
bug(pom): Trivy incorrect inherit versions and scope from multiple dependencyManagements places #9574

@DmitriyLewen

Description


There are two problems with the current logic:

  1. mvn may fill version and scope from multiple dependencyManagement sections (root + parent POMs).
    For example, for a child dependency we might:
    • take the version from the parent, and
    • take the scope from the root POM.
  2. We should not overwrite the test scope from the root (upper) dependencyManagement.

Correct logic

We should use the following order to resolve dependencies:

  1. Fill empty fields with values from dependencyManagement.
  2. Overwrite non-empty fields with values from the root dependencyManagement.
    2.1. Exception: if a dependency has the test scope (either defined explicitly or inherited from dependencyManagement), we must NOT overwrite it with the value from the root dependencyManagement.
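The resolution order above as an added, stand-alone Go example (not Trivy's code; `Dep`, `Managed` and `Resolve` are hypothetical names chosen here). Step 1 fills only empty fields from the parent-chain dependencyManagement, step 2 lets the root dependencyManagement overwrite, and rule 2.1 keeps a test scope regardless of where it came from.

```go
package main

import "fmt"

// Dep is a simplified Maven dependency (hypothetical type, not Trivy's).
type Dep struct {
	Name    string // groupId:artifactId
	Version string
	Scope   string
}

// Managed maps a dependency name to the version/scope declared for it
// in one dependencyManagement section.
type Managed map[string]Dep

// Resolve applies the order described in the issue:
//  1. fill empty fields from the parent-chain dependencyManagement,
//  2. overwrite fields with values from the root dependencyManagement,
//     2.1. except that a test scope (explicit or inherited in step 1) is kept.
func Resolve(dep Dep, parentMgmt, rootMgmt Managed) Dep {
	// Step 1: only empty fields are filled from the parent chain.
	if m, ok := parentMgmt[dep.Name]; ok {
		if dep.Version == "" {
			dep.Version = m.Version
		}
		if dep.Scope == "" {
			dep.Scope = m.Scope
		}
	}
	// Step 2: the root dependencyManagement overrides non-empty fields too.
	if m, ok := rootMgmt[dep.Name]; ok {
		if m.Version != "" {
			dep.Version = m.Version
		}
		// Rule 2.1: a test scope is never overwritten by the root.
		if m.Scope != "" && dep.Scope != "test" {
			dep.Scope = m.Scope
		}
	}
	return dep
}

func main() {
	// Constructed sample: parent manages version, root manages scope.
	parent := Managed{"g:a": {Name: "g:a", Version: "1.0", Scope: "compile"}}
	root := Managed{"g:a": {Name: "g:a", Scope: "runtime"}}
	fmt.Printf("%+v\n", Resolve(Dep{Name: "g:a"}, parent, root))
}
```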

Tests

Tests with different combinations of these fields can be found here: https://github.com/DmitriyLewen/trivy/blob/ffaa6a13bf586280fa18f1f21247d8908db53382/pkg/dependency/parser/java/pom/parse_test.go#L2141-L2201


Labels: kind/bug
