fix(java): add flag for java scan options #6375
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
After #6171, increased Trivy runtime for
pom.xml
files.This is due to repositories which contains in pom.xml files, but don't contain dependencies (e.g. when we try to find release dependencies, but repository only contains snapshot dependencies).
To avoid this, we add new flag -
java-scan-options
.This flag is required to set options to scan java files:
trivy-java-db
- to allow the use oftrivy-java-db
when scanningjar
files (without this flag Trivy doesn't download/use trivy-java-db).maven-central
to enable maven central as repository to search dependencies, if local cache doesn't contain them.releases
- to enable release repositories forpom.xml
files.snapshots
- to enable snapshot repositories forpom.xml
files.offline
1 - to disable all previous options.trivy-java-db
(take GAV2 only frompom.properties
andMANIFEST.MF
files).pom.xml
files.By default we enable
trivy-java-db
andmaven-central
options (as it was before #6171).Warning
This PR marks the
--offline-scan
flag as deprecated.--java-scan-options offline
should be used instead of the flag.Related issues
Related PRs
Checklist
Footnotes
This option replace --offline-scan flag. ↩
GroupID, ArtifactID and Version of artifact. ↩