Trivy dependency vuln scan show incorrect results for org.yaml:snakeyaml #5118
Replies: 3 comments
-
@nikpivkin Can you please take a look?
-
Hi @vlsecurity, I can't reproduce your problem. Could you provide an example of your pom.xml?
mvn dependency:tree -Dverbose
[INFO] Scanning for projects...
[INFO]
[INFO] ----------------------< com.mycompany.app:my-app >----------------------
[INFO] Building my-app 1.0-SNAPSHOT
[INFO] from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- dependency:3.6.0:tree (default-cli) @ my-app ---
[INFO] com.mycompany.app:my-app:jar:1.0-SNAPSHOT
[INFO] +- org.yaml:snakeyaml:jar:2.0:compile
[INFO] \- org.liquibase:liquibase-core:jar:3.5.1:compile
[INFO] \- (org.yaml:snakeyaml:jar:1.30:compile - version managed from 1.13; omitted for conflict with 2.0)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.569 s
[INFO] Finished at: 2023-09-05T14:14:14+07:00
[INFO] ------------------------------------------------------------------------
Dependency Origin Tree (Reversed)
=================================
pom.xml
└── org.liquibase:liquibase-core:3.5.1, (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
-
@nikpivkin, web/pom.xml - here snakeyaml v2.0 is explicitly set. I found that the issue is on my side, as only one pom.xml was updated in the repo. In the second one the dependency was transitive. I confirm that snakeyaml:1.30 was in one of the resulting JARs, so no issues on trivy's side.
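As an added check (example code written here, not part of Trivy or of this thread): a small parser for `mvn dependency:tree -Dverbose` output that reports, per module, which versions of an artifact Maven actually resolves and which entries it marks as omitted. The sample trees are constructed to mirror the root cause found above: one module manages snakeyaml to 2.0 while a second module still resolves 1.30 transitively, so 1.30 really is in that module's JAR.

```python
import re
from typing import NamedTuple

# Constructed sample (not from the thread): verbose trees for two modules of one
# repo; "web" manages snakeyaml to 2.0, "batch" still resolves 1.30 via liquibase.
SAMPLE_TREES = r"""
[INFO] com.mycompany.app:web:jar:1.0-SNAPSHOT
[INFO] +- org.yaml:snakeyaml:jar:2.0:compile
[INFO] \- org.liquibase:liquibase-core:jar:3.5.1:compile
[INFO]    \- (org.yaml:snakeyaml:jar:1.30:compile - version managed from 1.13; omitted for conflict with 2.0)
[INFO] com.mycompany.app:batch:jar:1.0-SNAPSHOT
[INFO] \- org.liquibase:liquibase-core:jar:3.5.1:compile
[INFO]    \- org.yaml:snakeyaml:jar:1.30:compile
"""

class Dep(NamedTuple):
    module: str    # groupId:artifactId of the module root this line sits under
    ga: str        # groupId:artifactId of the dependency
    version: str
    omitted: bool  # "(... omitted for ...)" entries, which Maven does not resolve
    reason: str    # Maven's note, e.g. "omitted for conflict with 2.0"
# tree glyphs ("+- ", "\- ", "|  ") followed by a coordinate g:a:type:version[:scope]
LINE_RE = re.compile(r"^\[INFO\]\s*(?P<glyphs>[|+\\\- ]*)(?P<node>\(?(?:[\w.\-]+:){3,}[\w.\-]+.*)$")
def _coords(coords: str) -> tuple[str, str]:
    """(groupId:artifactId, version); module roots have no scope, so 4 parts."""
    parts = coords.split(":")
    return f"{parts[0]}:{parts[1]}", parts[-1] if len(parts) == 4 else parts[-2]

def parse_verbose_tree(text: str) -> list[Dep]:
    deps, module = [], ""
    for line in text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue                           # banners, timings, blank lines
        node = m["node"]
        if not m["glyphs"].strip():            # no tree glyph: a new module root
            module = _coords(node)[0]
            continue
        omitted = node.startswith("(") and node.endswith(")")
        coords, _, reason = node[1:-1].partition(" - ") if omitted else (node, "", "")
        ga, version = _coords(coords)
        deps.append(Dep(module, ga, version, omitted, reason))
    return deps

def resolved_versions(deps: list[Dep], ga: str) -> dict[str, set[str]]:
    """Versions of `ga` Maven really resolves, per module; omitted ones excluded."""
    out: dict[str, set[str]] = {}
    for d in deps:
        if d.ga == ga and not d.omitted:
            out.setdefault(d.module, set()).add(d.version)
    return out
```

Running `resolved_versions(parse_verbose_tree(SAMPLE_TREES), "org.yaml:snakeyaml")` shows 2.0 for the web module and 1.30 for the batch module, which is the situation a scanner finding for 1.30 should be compared against before it is dismissed as a false positive.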
-
Description
Hi, I have possibly noticed a bug in repository scans with recent trivy versions.
When I do
mvn dependency:tree -Dverbose
I see snakeyaml dependency version 2.0 in my mvn dependency tree, and for version 1.30 I see the following message:
[INFO] | | \- (org.yaml:snakeyaml:jar:1.30:compile - version managed from 1.30; omitted for conflict with 2.0)
But trivy version 0.45.0 detects the presence of lib version 1.30 and reports it. Same with v0.43.1.
Trivy 0.38.2 detects the version correctly.
Looks like the new trivy has a different dependency mediation approach from the one described here: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
Appreciate any help, or let me know if you notice similar behaviour.
I also attach the path of the Dependency Origin Tree generated by trivy.
Desired Behavior
Don't show omitted libraries in results.
Actual Behavior
Results for omitted libraries are shown.
Reproduction Steps
Target
None
Scanner
None
Output Format
None
Mode
None
Debug Output
Operating System
MacOS, Ubuntu
Version
Checklist
trivy image --reset