Trivy seems to create wrong library dependency

[dev-sca]

Description

My application has activemq-pool@5.9.1 library
and it has 5 dependencies:

1. activemq-client@5.9.1
2. activemq-jms-pool@5.9.1
3. commons-pool@1.6
4. geronimo-jta_1.0.1B_spec@1.0.1
5. slf4j-api@1.7.25

but when I create sbom via trivy fs --format cyclonedx -o cyclonedx.json <my application path>
it shows like this

it has 3,4,5 but 1,2 is missing
and I found 1,2 in my applications' directive dependencies

Desired Behavior

"activemq-client@5.9.1", "activemq-jms-pool@5.9.1" should be dependency of "activemq-pool@5.9.1"
not application's directive one

Actual Behavior

"activemq-client@5.9.1", "activemq-jms-pool@5.9.1" are direct dependencies of application

Reproduction Steps

fs --format cyclonedx -o cyclonedx.json <my application pom.xml path>

Target

Filesystem

Scanner

None

Output Format

CycloneDX

Mode

Standalone

Debug Output

2025-02-28T15:23:00+09:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-28T15:23:00+09:00       DEBUG   Cache dir       dir="C:\\Users\\Yong\\AppData\\Local\\trivy"
2025-02-28T15:23:00+09:00       DEBUG   Cache dir       dir="C:\\Users\\Yong\\AppData\\Local\\trivy"
2025-02-28T15:23:00+09:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-28T15:23:00+09:00       DEBUG   Ignore statuses statuses=[]
2025-02-28T15:23:00+09:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-02-28T15:23:00+09:00       DEBUG   [pkg] Package types     types=[os library]
2025-02-28T15:23:00+09:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-02-28T15:23:00+09:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-02-28T15:23:00+09:00       DEBUG   Initializing scan cache...      type="memory"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Resolving...      group_id="org.apache.activemq" artifact_id="activemq-pool" version="5.9.1"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Start parent      artifact="org.apache.activemq:activemq-parent:5.9.1"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:11"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:11"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Exit parent       artifact="org.apache.activemq:activemq-parent:5.9.1"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Resolving...      group_id="org.slf4j" artifact_id="slf4j-api" version="1.7.5"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Start parent      artifact="org.slf4j:slf4j-parent:1.7.5"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Exit parent       artifact="org.slf4j:slf4j-parent:1.7.5"
2025-02-28T15:23:00+09:00       WARN    [pom] Dependency version cannot be determined. Child dependencies will not be found.    details="https://aquasecurity.github.io/trivy/v0.58/docs/coverage/language/java#empty-dependency-version"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Dependency version cannot be determined.  GroupID="org.apache.activemq" ArtifactID="activemq-jms-pool"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Dependency version cannot be determined.  GroupID="org.apache.activemq" ArtifactID="activemq-client"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Resolving...      group_id="org.apache.geronimo.specs" artifact_id="geronimo-jta_1.0.1B_spec" version="1.0.1"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Start parent      artifact="org.apache.geronimo.specs:specs:1.1"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:1"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:1"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Exit parent       artifact="org.apache.geronimo.specs:specs:1.1"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Resolving...      group_id="commons-pool" artifact_id="commons-pool" version="1.6"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:22"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:9"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:9"
2025-02-28T15:23:00+09:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:22"
2025-02-28T15:23:00+09:00       DEBUG   OS is not detected.
2025-02-28T15:23:00+09:00       DEBUG   Detected OS: unknown
2025-02-28T15:23:00+09:00       INFO    Number of language-specific files       num=1
2025-02-28T15:23:00+09:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-02-28T15:23:00+09:00       DEBUG   [vex] VEX filtering is disabled

Operating System

Windows

Version

Version: 0.58.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-02-28 00:25:40.860438929 +0000 UTC
  NextUpdate: 2025-03-01 00:25:40.860438759 +0000 UTC
  DownloadedAt: 2025-02-28 03:18:05.2224316 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @dev-sca

We need to see your pom.xml file (you can create a test file that reproduces this case) to understand the cause of the problem.

Regards, Dmitriy

[dev-sca]

here's my pom.xml.
thank you

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<groupId>com.watchtek.watchall</groupId>
	<artifactId>WatchAll_Common</artifactId>
	<version>12.0.1</version>
	
	<properties>
		<watchall.version>12.0.1</watchall.version>
		<spring.version>5.3.39</spring.version>
		<spring.security.version>5.8.15</spring.security.version>
		<spring.batch.version>4.3.8</spring.batch.version>
		<aws.sdk.version>2.17.29</aws.sdk.version>
		<jackson.core.version>2.15.2</jackson.core.version>
		<jackson.dataformat.version>2.15.2</jackson.dataformat.version>
		<poi.version>5.2.1</poi.version>
		
		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <build.timestamp>${maven.build.timestamp}</build.timestamp>
        <maven.build.timestamp.format>yyMMddHHmm</maven.build.timestamp.format>		
        
        <slf4j.version>1.7.25</slf4j.version> 
        <watchai.version>0.0.1</watchai.version>
	</properties>	

	<repositories>
		<repository>
			<id>central.maven.org</id>
			<name>Central Repository</name>
			<!-- <url>http://central.maven.org/maven2/</url> -->
			<url>https://repo.maven.apache.org/maven2</url>
		</repository>
		<repository>
			<id>repository.apache.org</id>
			<name>Apache Releases Repository</name>
			<url>https://repository.apache.org/content/repositories/releases/</url>
		</repository>		
		<repository>
			<id>repo.spring.io</id>
			<name>Spring Plugins Repository</name>
			<url>http://repo.spring.io/plugins-release/</url>
		</repository>
		
		<repository>
			<id>maven.repository.redhat.com</id>
			<name>Redhat GA Repositoryy</name>
			<url>https://maven.repository.redhat.com/ga/</url>
		</repository>
		<repository>
			<id>ida.fel.cvut.cz</id>
			<name>IDA Repository</name>
			<url>http://ida.fel.cvut.cz/maven/</url>
		</repository>
		<repository>
			<id>oracle</id>
			<name>ORACLE JDBC Repository</name>
			<url>https://maven.oracle.com</url>
		</repository>			
		<repository>
			<id>Local Repo</id>
			<name>Local Repo</name>
			<url>file://${project.basedir}/../../MavenRepo/</url>
		</repository>	
	</repositories>

	<build>
		<resources>
			<resource>
				<directory>src/main/resources</directory>
				<excludes>
					<exclude>**/*.java</exclude>
				</excludes>
			</resource>
			<resource>
				<directory>src/main/java</directory>
				<includes>
					<include>**/*.xml</include>
				</includes>
			</resource>
		</resources>
		<pluginManagement>
			<plugins>
				<plugin>
					<artifactId>maven-compiler-plugin</artifactId>
					<version>3.0</version>
					<configuration>
						<source>1.8</source>
						<target>1.8</target>               
						<encoding>UTF-8</encoding>
					</configuration>
				</plugin>
				<plugin>
					<groupId>org.apache.maven.plugins</groupId>
					<artifactId>maven-jar-plugin</artifactId>
					<version>2.3.2</version>
					<configuration>
						<excludes>
							<exclude>spring/**/*.xml</exclude>
							<exclude>properties/**/*.properties</exclude>
						</excludes>
					</configuration>
				</plugin>
				<plugin>
					<groupId>org.apache.maven.plugins</groupId>
					<artifactId>maven-remote-resources-plugin</artifactId>
					<version>1.4</version>
					<executions>
						<execution>
							<goals>
								<goal>bundle</goal>
							</goals>
							<configuration>
								<includes>
									<include>**/*.*</include>
								</includes>
							</configuration>
						</execution>
					</executions>
				</plugin>
				<!--This plugin's configuration is used to store Eclipse m2e settings only. It has no influence on the Maven build itself.-->
				<plugin>
					<groupId>org.eclipse.m2e</groupId>
					<artifactId>lifecycle-mapping</artifactId>
					<version>1.0.0</version>
					<configuration>
						<lifecycleMappingMetadata>
							<pluginExecutions>
								<pluginExecution>
									<pluginExecutionFilter>
										<groupId>
											com.keyboardsamurais.maven
										</groupId>
										<artifactId>
											maven-timestamp-plugin
										</artifactId>
										<versionRange>
											[1.0,)
										</versionRange>
										<goals>
											<goal>create</goal>
										</goals>
									</pluginExecutionFilter>
									<action>
										<ignore></ignore>
									</action>
								</pluginExecution>
								<pluginExecution>
									<pluginExecutionFilter>
										<groupId>
											org.apache.maven.plugins
										</groupId>
										<artifactId>
											maven-remote-resources-plugin
										</artifactId>
										<versionRange>
											[1.4,)
										</versionRange>
										<goals>
											<goal>bundle</goal>
										</goals>
									</pluginExecutionFilter>
									<action>
										<ignore></ignore>
									</action>
								</pluginExecution>
							</pluginExecutions>
						</lifecycleMappingMetadata>
					</configuration>
				</plugin>
			</plugins>
		</pluginManagement>
	</build>

	<dependencies>

		<dependency>
			<groupId>org.apache.activemq</groupId>
			<artifactId>activemq-pool</artifactId>
			<version>5.9.1</version>
		</dependency>

	</dependencies>
</project>

[DmitriyLewen]

Please try to use v0.59.1:

    {
      "ref": "pkg:maven/org.apache.activemq/activemq-pool@5.9.1",
      "dependsOn": [
        "pkg:maven/commons-pool/commons-pool@1.6",
        "pkg:maven/org.apache.activemq/activemq-client@5.9.1",
        "pkg:maven/org.apache.activemq/activemq-jms-pool@5.9.1",
        "pkg:maven/org.apache.geronimo.specs/geronimo-jta_1.0.1B_spec@1.0.1",
        "pkg:maven/org.slf4j/slf4j-api@1.7.5"
      ]
    },