Parsing pom.xml inside JAR files #8451

blueocean2025 · 2025-02-27T02:46:47Z

blueocean2025
Feb 27, 2025

Question

Hi everyone,

I am new to Trivy, and also new to Java. As I am exploring Trivy and reading documentation, I noticed Trivy only parses pom.properties and MANIFEST.MF files in JAR/WAR/PAR/EAR (https://trivy.dev/v0.56/docs/coverage/language/java/). Could you please teach me why Trivy does not consider parsing pom.xml inside JAR? Also, assuming if we were to support pom.xml parser in the JAR, what are the difficulties and downsides?

Thank you all

Target

None

Scanner

None

Output Format

None

Mode

None

Operating System

No response

Version

0.59.1

DmitriyLewen · 2025-02-27T06:22:51Z

DmitriyLewen
Feb 27, 2025
Maintainer

Hello @blueocean2025
Thanks for your interest to Trivy.

But default jar file doesn't include dependencies. It contains only source code.
For imported dependencies maven creates pom.properties or nested jar files.

So to exclude unused dependencies - we don't parse pom.xml files.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Parsing pom.xml inside JAR files #8451

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

Select a reply

Parsing pom.xml inside JAR files #8451

blueocean2025 Feb 27, 2025

Question

Target

Scanner

Output Format

Mode

Operating System

Version

Replies: 1 comment

DmitriyLewen Feb 27, 2025 Maintainer

blueocean2025
Feb 27, 2025

DmitriyLewen
Feb 27, 2025
Maintainer