
pom.xml fs fails due to parsing failure of indirect pom.xml #3747

Closed
eyalatox opened this issue Mar 2, 2023 · 4 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@eyalatox

eyalatox commented Mar 2, 2023

Description

What did you expect to happen?

trivy fs pom.xml should yield results.
The pom content is pasted here:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <dependencies>
        <dependency>
            <groupId>org.apache.hive</groupId>
            <artifactId>hive-exec</artifactId>
            <version>2.3.3</version>
        </dependency>
    </dependencies>
</project>

What happened instead?

Number of language-specific files: 0

Output of run with -debug:

trivy fs --scanners vuln -d pom.xml 
2023-03-02T09:06:57.579+0200    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-03-02T09:06:57.618+0200    DEBUG   cache dir:  /Users/eyal/Library/Caches/trivy
2023-03-02T09:06:57.619+0200    DEBUG   DB update was skipped because the local DB is the latest
2023-03-02T09:06:57.619+0200    DEBUG   DB Schema: 2, UpdatedAt: 2023-03-02 06:07:58.28189642 +0000 UTC, NextUpdate: 2023-03-02 12:07:58.28189602 +0000 UTC, DownloadedAt: 2023-03-02 06:54:37.786915 +0000 UTC
2023-03-02T09:06:57.620+0200    INFO    Vulnerability scanning is enabled
2023-03-02T09:06:57.620+0200    DEBUG   Vulnerability type:  [os library]
2023-03-02T09:06:57.620+0200    DEBUG   Walk the file tree rooted at 'pom.xml' in parallel
2023-03-02T09:06:57.621+0200    DEBUG   Resolving org.apache.hive:hive-exec:2.3.3...
2023-03-02T09:06:57.632+0200    DEBUG   Resolving org.slf4j:slf4j-api:1.7.10...
2023-03-02T09:06:57.634+0200    DEBUG   Resolving org.apache.hive:hive-vector-code-gen:2.3.3...
2023-03-02T09:06:57.634+0200    DEBUG   Resolving org.apache.hive:hive-llap-tez:2.3.3...
2023-03-02T09:06:57.635+0200    DEBUG   Resolving org.apache.hive:hive-shims:2.3.3...
2023-03-02T09:06:57.636+0200    DEBUG   Resolving commons-codec:commons-codec:1.4...
2023-03-02T09:06:57.637+0200    DEBUG   Resolving commons-httpclient:commons-httpclient:3.0.1...
2023-03-02T09:06:57.638+0200    DEBUG   Resolving commons-io:commons-io:2.4...
2023-03-02T09:06:57.640+0200    DEBUG   Resolving org.apache.logging.log4j:log4j-1.2-api:2.6.2...
2023-03-02T09:06:57.644+0200    DEBUG   Resolving org.apache.logging.log4j:log4j-slf4j-impl:2.6.2...
2023-03-02T09:06:57.645+0200    DEBUG   Resolving org.antlr:antlr-runtime:3.5.2...
2023-03-02T09:06:57.646+0200    DEBUG   Resolving org.antlr:ST4:4.0.4...
2023-03-02T09:06:57.647+0200    DEBUG   Resolving org.apache.ant:ant:1.9.1...
2023-03-02T09:06:57.648+0200    DEBUG   Resolving org.apache.commons:commons-compress:1.9...
2023-03-02T09:06:57.650+0200    DEBUG   Resolving org.apache.ivy:ivy:2.4.0...
2023-03-02T09:06:57.651+0200    DEBUG   Resolving org.apache.zookeeper:zookeeper:3.4.6...
2023-03-02T09:06:57.651+0200    DEBUG   Resolving org.apache.curator:curator-framework:2.7.1...
2023-03-02T09:06:57.654+0200    DEBUG   Analysis error: pom.xml parse error: failed to parse pom.xml: module error (curator-client): unable to open the relative path: stat /Users/eyal/.m2/repository/org/apache/curator/apache-curator/2.7.1/curator-client: no such file or directory
2023-03-02T09:06:57.693+0200    DEBUG   OS is not detected.
2023-03-02T09:06:57.693+0200    DEBUG   Detected OS: unknown
2023-03-02T09:06:57.693+0200    INFO    Number of language-specific files: 0

Output of trivy -v:

Version: 0.38.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-03-02 06:07:58.28189642 +0000 UTC
  NextUpdate: 2023-03-02 12:07:58.28189602 +0000 UTC
  DownloadedAt: 2023-03-02 06:54:37.786915 +0000 UTC

Additional details (base image name, container registry info...):

Apple M1 Pro

eyalatox added the kind/bug label Mar 2, 2023
@afdesk
Contributor

afdesk commented Mar 2, 2023

@eyalatox I could reproduce your issue.
Trivy tries to resolve dependencies and cannot do it.

As a workaround you can run an offline scan:

$ trivy fs --offline-scan .
2023-03-02T18:13:31.576+0600	INFO	Vulnerability scanning is enabled
2023-03-02T18:13:31.576+0600	INFO	Secret scanning is enabled
2023-03-02T18:13:31.576+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-03-02T18:13:31.576+0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.38/docs/secret/scanning/#recommendation for faster secret detection
2023-03-02T18:13:31.577+0600	INFO	Number of language-specific files: 1
2023-03-02T18:13:31.577+0600	INFO	Detecting pom vulnerabilities...

pom.xml (pom)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌───────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│          Library          │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                   Title                    │
├───────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ org.apache.hive:hive-exec │ CVE-2018-11777 │ HIGH     │ 2.3.3             │ 2.3.4         │ Improper Authentication in hive:hive-exec  │
│                           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-11777 │
└───────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

@eyalatox
Author

eyalatox commented Mar 6, 2023

Thanks @afdesk.
I think a better solution is just to skip the problematic pom of org.apache.curator:curator-framework:2.7.1 rather than fail the entire process,
because according to what I see, trivy parses all of the other indirect dependencies very well.

@lior-orca

lior-orca commented Apr 4, 2023

@afdesk is the above suggestion something that trivy considers?

@liorj-orca
Contributor

I opened a PR for this issue, aquasecurity/go-dep-parser#210, which skips those missing modules.
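As an added example (not Trivy's or go-dep-parser's own code), a small Go sketch of the behaviour the PR describes: a parent POM's `<modules>` entries are resolved relative to the parent, and an entry whose path does not exist on disk is reported and skipped instead of aborting the whole parse, as the "unable to open the relative path" error in the debug log above did. The names pomModules, resolveModules, sampleParent and prepareRepo are assumptions of this example, and the POM content and local layout are constructed.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"os"
	"path/filepath"
)

// pomModules reads only the <modules> list of a parent POM; each entry is a
// directory, relative to the parent, that should hold its own pom.xml.
type pomModules struct {
	Modules []string `xml:"modules>module"`
}

// resolveModules returns the module pom.xml paths that exist under baseDir and the
// names of modules whose path is missing. A missing module is reported and skipped
// instead of failing the whole parse, which is the change the issue asks for.
func resolveModules(parentPom []byte, baseDir string) (found, skipped []string, err error) {
	var p pomModules
	if err := xml.Unmarshal(parentPom, &p); err != nil {
		return nil, nil, fmt.Errorf("parse parent pom: %w", err)
	}
	for _, m := range p.Modules {
		path := filepath.Join(baseDir, m, "pom.xml")
		switch _, err := os.Stat(path); {
		case err == nil:
			found = append(found, path)
		case os.IsNotExist(err):
			// In the debug log above this stat failure aborted the whole scan.
			fmt.Fprintf(os.Stderr, "module %s: %v (skipped)\n", m, err)
			skipped = append(skipped, m)
		default:
			return nil, nil, err
		}
	}
	return found, skipped, nil
}

// sampleParent is a constructed parent POM modelled on the apache-curator parent from the report.
const sampleParent = `<project><modules><module>curator-framework</module><module>curator-client</module></modules></project>`

// prepareRepo builds a constructed local layout: curator-framework has a pom.xml, curator-client is absent.
func prepareRepo(baseDir string) error {
	child := filepath.Join(baseDir, "curator-framework", "pom.xml")
	if err := os.MkdirAll(filepath.Dir(child), 0o755); err != nil {
		return err
	}
	return os.WriteFile(child, []byte("<project/>"), 0o644)
}
```

Run against a temporary directory prepared with prepareRepo, resolveModules returns the curator-framework pom.xml as found and curator-client as skipped, with a nil error.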

@knqyf263 knqyf263 closed this as completed Jun 1, 2023