Ignore maven integration test poms (src/it/*/pom.xml) #5787
Replies: 3 comments 24 replies
-
|
Hi @codefromthecrypt ! You can use the |
Beta Was this translation helpful? Give feedback.
-
|
Hello @codefromthecrypt About skipping these files by default: |
Beta Was this translation helpful? Give feedback.
-
|
sure. I don't think that there is any way to change the relative directory path src/it when using the maven-invoker-plugin. Any project within that can have a pom file, but they are not deployable artifacts. Here's an example from their site: https://maven.apache.org/plugins/maven-invoker-plugin/usage.html Another way to know this probably should be skipped is seeing that the version variables are templated. e.g. In general, I think there are ways to heuristically check that this is an ignorable subproject by default. One way is to simply exclude |
Beta Was this translation helpful? Give feedback.
-
|
I opened this on one of our projects, but the more important one will be brave (zipkin instrumentation library), as it will have many examples of this, as it is similarly required to do interop testing with old versions, using maven-invoker-plugin to keep those versions out of production dependency trees. Opened for follow-up as I will be out for a while in a few days. openzipkin/zipkin-reporter-java#228 |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for this information! It really makes sense. Let's wait a little and see what users think. |
Beta Was this translation helpful? Give feedback.
-
|
cool. here's an example of a user accidentally tripping, though not sure it was related to Trivy or another scanner openzipkin/brave#1348 |
Beta Was this translation helpful? Give feedback.
-
|
I feel like the experience is still quite bad. I hope folks can reconsider after having some time to digest, and remove the "it" from the default expression. You can see it doesn't understand template variables |
Beta Was this translation helpful? Give feedback.
-
|
another example.. trivy is looking at files in the "target" directory which are definitely not source. This is just a side effect of the invoker plugin, used to run integration tests and needing a scratch area |
Beta Was this translation helpful? Give feedback.
-
Yes, I believe this case is classified into testing dependencies. Therefore, we should hide them by default, but need to display them in some cases.
It sounds reasonable, but let's start with |
Beta Was this translation helpful? Give feedback.
-
|
agreed. I didn't know they were suppressed and somehow guessed there was some ranking going on. With the warning I wouldn't have mis-guessed, so good idea! |
Beta Was this translation helpful? Give feedback.
-
ok let's come back fast if the former is approved as otherwise you will get noise unless you have a clean checkout (due to side-effects of tests running) |
Beta Was this translation helpful? Give feedback.
-
|
well, the generalized thing (anything in target) can be deferred as long as the "it" reclassification also applies to target, just seeing anything in target (say you enable that flag) would seem fishy # after running a build, depending on config, an "it" pom is copied to the target directory
$ find . -name pom.xml |grep it
./context/log4j12/target/it/log4j12/pom.xml
./context/log4j12/src/it/log4j12/pom.xml
./brave/target/it/no_deps/pom.xml
./brave/src/it/no_deps/pom.xml
./instrumentation/servlet/target/it/servlet25/pom.xml
./instrumentation/servlet/src/it/servlet25/pom.xml
./instrumentation/httpclient/target/it/httpclient_v43/pom.xml
./instrumentation/httpclient/src/it/httpclient_v43/pom.xml
./instrumentation/kafka-clients/target/it/kafka1/pom.xml
./instrumentation/kafka-clients/src/it/kafka1/pom.xml
./instrumentation/grpc/target/it/grpc12/pom.xml
./instrumentation/grpc/src/it/grpc12/pom.xml
./instrumentation/jms-jakarta/target/it/jms30/pom.xml
./instrumentation/jms-jakarta/src/it/jms30/pom.xml
./instrumentation/spring-rabbit/pom.xml
./instrumentation/okhttp3/target/it/okhttp3_v3/pom.xml
./instrumentation/okhttp3/src/it/okhttp3_v3/pom.xml
./instrumentation/spring-web/target/it/spring3/pom.xml
./instrumentation/spring-web/src/it/spring3/pom.xml
./instrumentation/jms/target/it/jms11/pom.xml
./instrumentation/jms/src/it/jms11/pom.xml
./instrumentation/spring-webmvc/target/it/spring25/pom.xml
./instrumentation/spring-webmvc/target/it/servlet25/pom.xml
./instrumentation/spring-webmvc/src/it/spring25/pom.xml
./instrumentation/spring-webmvc/src/it/servlet25/pom.xml
./spring-beans/src/it/spring25/pom.xml |
Beta Was this translation helpful? Give feedback.
-
|
Ah, ok. |
Beta Was this translation helpful? Give feedback.
-
Description
Please ignore
src/it/*/pom.xmlfiles when analyzing for vulnerabilities.Maven has a convention for integration tests,
src/it/*/pom.xml, which are run with themaven-invoker-plugin. In zipkin, we use this style to ensure old clients can still pass tests. However, the old libraries configured in the integration tests are setting off vulnerability notices. I think they should not be treated as any priority as they will not result in production code.Here's an example https://github.com/openzipkin/zipkin-reporter-java
If there is another way to hint to Trivy run by arbitrary users to not detect this (via something in our repo), an alternate is welcome!
Target
Git Repository
Scanner
Vulnerability
Beta Was this translation helpful? Give feedback.
All reactions