Description

After #6171, increased Trivy runtime for pom.xml files.
This is due to repositories which contains in pom.xml files, but don't contain dependencies (e.g. when we try to find release dependencies, but repository only contains snapshot dependencies).

To avoid this, we add new flag - java-scan-options.
This flag is required to set options to scan java files:

• trivy-java-db - to allow the use of trivy-java-db when scanning jar files (without this flag Trivy doesn't download/use trivy-java-db).
• maven-central to enable maven central as repository to search dependencies, if local cache doesn't contain them.
• releases - to enable release repositories for pom.xml files.
• snapshots - to enable snapshot repositories for pom.xml files.
• offline¹ - to disable all previous options.
  • With this option Trivy doesn't use trivy-java-db (take GAV² only from pom.properties and MANIFEST.MF files).
  • Also Trivy checks only local cache directory to detect dependencies of pom.xml files.

By default we enable trivy-java-db and maven-central options (as it was before #6171).

Warning

This PR marks the --offline-scan flag as deprecated. --java-scan-options offline should be used instead of the flag.

Related issues

• Close 0.50.0 : big time increase of FS scanning vs 0.49.1 #6374

Related PRs

• feat(java): add support for fetching packages from repos mentioned in pom.xml #6171

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).