Bom module in maven multimodule project is not used correctly without first installing the artifacts #10470

askoog · 2026-04-01T19:12:50Z

askoog
Apr 1, 2026

Description

In a maven multimodule project where one module is a bom containing only <dependencyManagement> trivy fails to use it correctly for sub modules without any built artifacts in maven local repo. Trivy fails to find the managed dependencies, rendering erroneous output.

Example project structure:

.
├── bom
│   └── pom.xml
├── pom.xml
└── project
    └── pom.xml

root pom:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.acme.group</groupId>
    <artifactId>trivy-test</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>pom</packaging>
    
    <modules>
        <module>bom</module>
        <module>project</module>
    </modules>
</project>

bom/pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>com.acme.group</groupId>
        <artifactId>trivy-test</artifactId>
        <version>1.0-SNAPSHOT</version>
    </parent>
    <artifactId>bom</artifactId>
    <packaging>pom</packaging>
    
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>io.netty</groupId>
                <artifactId>netty-codec-http</artifactId>
                <version>4.1.132.Final</version>
            </dependency>
            <dependency>
                <groupId>io.netty</groupId>
                <artifactId>netty-codec-http2</artifactId>
                <version>4.1.132.Final</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
</project>

project/pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>com.acme.group</groupId>
        <artifactId>trivy-test</artifactId>
        <version>1.0-SNAPSHOT</version>
    </parent>
    <artifactId>project</artifactId>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>com.acme.group</groupId>
                <artifactId>bom</artifactId>
                <version>${project.version}</version>
                <scope>import</scope>
                <type>pom</type>
            </dependency>
        </dependencies>
    </dependencyManagement>
    
    <dependencies>
        <dependency>
            <groupId>io.grpc</groupId>
            <artifactId>grpc-netty</artifactId>
            <version>1.77.1</version>
        </dependency>
    </dependencies>
    
</project>

The io.grpc:grpc-netty:1.77.1 dependency provides (among others) transitive dependencies to io.netty:netty-codec-http:4.1.127.Final and io.netty:netty-codec-http2:4.1.127.Final. These artifacts have reported CVEs that are fixed in the 4.1.132.Final version which is managed in the bom module.

Running trivy fs . generates


Report Summary

┌─────────────────┬──────┬─────────────────┬─────────┐
│     Target      │ Type │ Vulnerabilities │ Secrets │
├─────────────────┼──────┼─────────────────┼─────────┤
│ bom/pom.xml     │ pom  │        0        │    -    │
├─────────────────┼──────┼─────────────────┼─────────┤
│ pom.xml         │ pom  │        0        │    -    │
├─────────────────┼──────┼─────────────────┼─────────┤
│ project/pom.xml │ pom  │        3        │    -    │
└─────────────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


project/pom.xml (pom)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────┬────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version        │                           Title                            │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────┼────────────────────────────────────────────────────────────┤
│ io.netty:netty-codec-http  │ CVE-2026-33870 │ HIGH     │ fixed  │ 4.1.127.Final     │ 4.1.132.Final, 4.2.10.Final │ io.netty/netty-codec-http: Netty: Request smuggling via    │
│                            │                │          │        │                   │                             │ incorrect parsing of HTTP/1.1 chunked transfer encoding... │
│                            │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33870                 │
│                            ├────────────────┼──────────┤        │                   ├─────────────────────────────┼────────────────────────────────────────────────────────────┤
│                            │ CVE-2025-67735 │ MEDIUM   │        │                   │ 4.2.8.Final, 4.1.129.Final  │ netty-codec-http: Netty (netty-codec-http): Request        │
│                            │                │          │        │                   │                             │ Smuggling via CRLF Injection                               │
│                            │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-67735                 │
├────────────────────────────┼────────────────┼──────────┤        │                   ├─────────────────────────────┼────────────────────────────────────────────────────────────┤
│ io.netty:netty-codec-http2 │ CVE-2026-33871 │ HIGH     │        │                   │ 4.1.132.Final, 4.2.11.Final │ netty: Netty: Denial of Service via HTTP/2 CONTINUATION    │
│                            │                │          │        │                   │                             │ frame flood                                                │
│                            │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33871                 │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────┴────────────────────────────────────────────────────────────┘

Which is not correct, the transitive dependencies in project/pom.xml are managed to versions that doesn't contain the CVE:S.

See output from mvn dependency:tree -Dverbose=true

...
[INFO] -----------------------< com.acme.group:project >-----------------------
[INFO] Building project 1.0-SNAPSHOT                                      [3/3]
[INFO]   from project/pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- dependency:3.7.0:tree (default-cli) @ project ---
[INFO] com.acme.group:project:jar:1.0-SNAPSHOT
[INFO] \- io.grpc:grpc-netty:jar:1.77.1:compile
[INFO]    +- io.grpc:grpc-api:jar:1.77.1:compile (scope not updated to compile)
[INFO]    |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO]    |  +- (com.google.errorprone:error_prone_annotations:jar:2.36.0:compile - omitted for duplicate)
[INFO]    |  \- (com.google.guava:guava:jar:33.4.8-android:runtime - omitted for duplicate)
[INFO]    +- org.codehaus.mojo:animal-sniffer-annotations:jar:1.24:compile (scope not updated to compile)
[INFO]    +- io.netty:netty-codec-http2:jar:4.1.132.Final:compile (version managed from 4.1.127.Final)
...
[INFO]    |  \- io.netty:netty-codec-http:jar:4.1.132.Final:compile (version managed from 4.1.132.Final)
...
[INFO] ------------------------------------------------------------------------

However, if I first build the code with mvn install, the output from trivy fs . is:


Report Summary

┌─────────────────┬──────┬─────────────────┬─────────┐
│     Target      │ Type │ Vulnerabilities │ Secrets │
├─────────────────┼──────┼─────────────────┼─────────┤
│ bom/pom.xml     │ pom  │        0        │    -    │
├─────────────────┼──────┼─────────────────┼─────────┤
│ pom.xml         │ pom  │        0        │    -    │
├─────────────────┼──────┼─────────────────┼─────────┤
│ project/pom.xml │ pom  │        0        │    -    │
└─────────────────┴──────┴─────────────────┴─────────┘

which is correct. (note that mvn install is required, mvn package is not sufficient)

Note also that running trivy with --debug without first installing the artifacts prints an error row indicating that the bom is not used:

2026-04-01T21:03:15+02:00       DEBUG   [pom] Repository error  err="com.acme.group:bom:1.0-SNAPSHOT was not found in local/remote repositories"

Desired Behavior

Running trivy fs . without first installing the maven artifacts should render the second output with no warnings

Actual Behavior

trivy reported findings that are incorrect, not using the managed version

Reproduction Steps

1. run "trivy fs ." on a project structure like the one described above

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2026-04-01T21:03:15+02:00       DEBUG   No plugins loaded
2026-04-01T21:03:15+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2026-04-01T21:03:15+02:00       DEBUG   Cache dir       dir="/Users/andreasskoog/Library/Caches/trivy"
2026-04-01T21:03:15+02:00       DEBUG   Cache dir       dir="/Users/andreasskoog/Library/Caches/trivy"
2026-04-01T21:03:15+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2026-04-01T21:03:15+02:00       DEBUG   Ignore statuses statuses=[]
2026-04-01T21:03:15+02:00       DEBUG   DB update was skipped because the local DB is the latest
2026-04-01T21:03:15+02:00       DEBUG   DB info schema=2 updated_at=2026-04-01T12:46:51.249010054Z next_update=2026-04-02T12:46:51.249009763Z downloaded_at=2026-04-01T18:43:34.032632Z
2026-04-01T21:03:15+02:00       DEBUG   [pkg] Package types     types=[os library]
2026-04-01T21:03:15+02:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2026-04-01T21:03:15+02:00       INFO    [vuln] Vulnerability scanning is enabled
2026-04-01T21:03:15+02:00       INFO    [secret] Secret scanning is enabled
2026-04-01T21:03:15+02:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-04-01T21:03:15+02:00       INFO    [secret] Please see https://trivy.dev/docs/v0.68/guide/scanner/secret#recommendation for faster secret detection
2026-04-01T21:03:15+02:00       DEBUG   [notification] Running version check
2026-04-01T21:03:15+02:00       DEBUG   Initializing scan cache...      type="memory"
2026-04-01T21:03:15+02:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2026-04-01T21:03:15+02:00       DEBUG   [fs] Analyzing...       root="."
2026-04-01T21:03:15+02:00       DEBUG   Created process-specific temp directory path="/var/folders/sb/spc7gtp11ml69_5lwnj3wbjw0000gn/T/trivy-19728"
2026-04-01T21:03:15+02:00       DEBUG   [secret] Using streaming scanner        file_path="bom/pom.xml"
2026-04-01T21:03:15+02:00       DEBUG   [secret] scanStream called      file_path="bom/pom.xml" buffer_size=65536 overlap_size=4096
2026-04-01T21:03:15+02:00       DEBUG   [secret] scanChunk called       file_path="bom/pom.xml" content_len=1006 num_rules=87
2026-04-01T21:03:15+02:00       DEBUG   [secret] Using streaming scanner        file_path="pom.xml"
2026-04-01T21:03:15+02:00       DEBUG   [secret] scanStream called      file_path="pom.xml" buffer_size=65536 overlap_size=4096
2026-04-01T21:03:15+02:00       DEBUG   [secret] scanChunk called       file_path="pom.xml" content_len=553 num_rules=87
2026-04-01T21:03:15+02:00       DEBUG   [secret] scanChunk called       file_path="bom/pom.xml" content_len=1006 num_rules=87
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="com.acme.group:trivy-test:1.0-SNAPSHOT"
2026-04-01T21:03:15+02:00       DEBUG   [secret] scanChunk called       file_path="pom.xml" content_len=553 num_rules=87
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="com.acme.group:trivy-test:1.0-SNAPSHOT"
2026-04-01T21:03:15+02:00       DEBUG   [secret] Using streaming scanner        file_path="project/pom.xml"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="com.acme.group:trivy-test:1.0-SNAPSHOT"
2026-04-01T21:03:15+02:00       DEBUG   [secret] scanStream called      file_path="project/pom.xml" buffer_size=65536 overlap_size=4096
2026-04-01T21:03:15+02:00       DEBUG   [secret] scanChunk called       file_path="project/pom.xml" content_len=1097 num_rules=87
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="com.acme.group:trivy-test:1.0-SNAPSHOT"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="com.acme.group:trivy-test:1.0-SNAPSHOT"
2026-04-01T21:03:15+02:00       DEBUG   [secret] scanChunk called       file_path="project/pom.xml" content_len=1097 num_rules=87
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="com.acme.group:trivy-test:1.0-SNAPSHOT"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="com.acme.group:trivy-test:1.0-SNAPSHOT"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.acme.group" artifact_id="bom" version="1.0-SNAPSHOT"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Repository error  err="com.acme.group:bom:1.0-SNAPSHOT was not found in local/remote repositories"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="com.acme.group:trivy-test:1.0-SNAPSHOT"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.grpc" artifact_id="grpc-netty" version="1.77.1"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.grpc" artifact_id="grpc-netty" version="1.77.1"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.grpc" artifact_id="grpc-api" version="1.77.1"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.grpc" artifact_id="grpc-api" version="1.77.1"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="org.codehaus.mojo" artifact_id="animal-sniffer-annotations" version="1.24"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="org.codehaus.mojo" artifact_id="animal-sniffer-annotations" version="1.24"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.codehaus.mojo:animal-sniffer-parent:1.24"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.codehaus.mojo:animal-sniffer-parent:1.24"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.codehaus.mojo:mojo-parent:84"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.codehaus.mojo:mojo-parent:84"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.codehaus.mojo:mojo-parent:84"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.codehaus.mojo:mojo-parent:84"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.codehaus.mojo:animal-sniffer-parent:1.24"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.codehaus.mojo:animal-sniffer-parent:1.24"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-codec-http2" version="4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-codec-http2" version="4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.grpc" artifact_id="grpc-core" version="1.77.1"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-handler-proxy" version="4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.grpc" artifact_id="grpc-core" version="1.77.1"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-handler-proxy" version="4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.guava" artifact_id="guava" version="33.4.8-android"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.guava" artifact_id="guava" version="33.4.8-android"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="com.google.guava:guava-parent:33.4.8-android"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="com.google.guava:guava-parent:33.4.8-android"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="com.google.guava:guava-parent:33.4.8-android"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.errorprone" artifact_id="error_prone_annotations" version="2.36.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="com.google.guava:guava-parent:33.4.8-android"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="com.google.errorprone:error_prone_parent:2.36.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.errorprone" artifact_id="error_prone_annotations" version="2.36.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="com.google.errorprone:error_prone_parent:2.36.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="com.google.errorprone:error_prone_parent:2.36.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.perfmark" artifact_id="perfmark-api" version="0.27.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-transport-native-unix-common" version="4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="com.google.errorprone:error_prone_parent:2.36.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.perfmark" artifact_id="perfmark-api" version="0.27.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-transport-native-unix-common" version="4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.grpc" artifact_id="grpc-util" version="1.77.1"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.grpc" artifact_id="grpc-util" version="1.77.1"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.code.findbugs" artifact_id="jsr305" version="3.0.2"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.code.findbugs" artifact_id="jsr305" version="3.0.2"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-common" version="4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-common" version="4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-buffer" version="4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-buffer" version="4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-transport" version="4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-transport" version="4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-codec" version="4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-codec" version="4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-handler" version="4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-handler" version="4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-codec-http" version="4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-codec-http" version="4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.code.gson" artifact_id="gson" version="2.11.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="com.google.code.gson:gson-parent:2.11.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="com.google.code.gson:gson-parent:2.11.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.android" artifact_id="annotations" version="4.1.1.4"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.grpc" artifact_id="grpc-context" version="1.77.1"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-codec-socks" version="4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.code.gson" artifact_id="gson" version="2.11.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="com.google.code.gson:gson-parent:2.11.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="com.google.code.gson:gson-parent:2.11.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.android" artifact_id="annotations" version="4.1.1.4"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.guava" artifact_id="failureaccess" version="1.0.3"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="com.google.guava:guava-parent:33.4.0-android"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.grpc" artifact_id="grpc-context" version="1.77.1"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-codec-socks" version="4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="com.google.guava:guava-parent:33.4.0-android"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.guava" artifact_id="listenablefuture" version="9999.0-empty-to-avoid-conflict-with-guava"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="com.google.guava:guava-parent:26.0-android"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="com.google.guava:guava-parent:26.0-android"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="org.jspecify" artifact_id="jspecify" version="1.0.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.j2objc" artifact_id="j2objc-annotations" version="3.0.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-resolver" version="4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.guava" artifact_id="failureaccess" version="1.0.3"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="com.google.guava:guava-parent:33.4.0-android"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.132.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="com.google.guava:guava-parent:33.4.0-android"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.guava" artifact_id="listenablefuture" version="9999.0-empty-to-avoid-conflict-with-guava"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="com.google.guava:guava-parent:26.0-android"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="com.google.guava:guava-parent:26.0-android"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="org.jspecify" artifact_id="jspecify" version="1.0.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="com.google.j2objc" artifact_id="j2objc-annotations" version="3.0.0"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Resolving...      group_id="io.netty" artifact_id="netty-resolver" version="4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Exit parent       artifact="io.netty:netty-parent:4.1.127.Final"
2026-04-01T21:03:15+02:00       DEBUG   OS is not detected.
2026-04-01T21:03:15+02:00       DEBUG   Detected OS: unknown
2026-04-01T21:03:15+02:00       INFO    Number of language-specific files       num=3
2026-04-01T21:03:15+02:00       INFO    [pom] Detecting vulnerabilities...
2026-04-01T21:03:15+02:00       DEBUG   [pom] Scanning packages for vulnerabilities     file_path="bom/pom.xml"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Scanning packages for vulnerabilities     file_path="pom.xml"
2026-04-01T21:03:15+02:00       DEBUG   [pom] Scanning packages for vulnerabilities     file_path="project/pom.xml"
2026-04-01T21:03:15+02:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2026-04-01T21:03:15+02:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌─────────────────┬──────┬─────────────────┬─────────┐
│     Target      │ Type │ Vulnerabilities │ Secrets │
├─────────────────┼──────┼─────────────────┼─────────┤
│ bom/pom.xml     │ pom  │        0        │    -    │
├─────────────────┼──────┼─────────────────┼─────────┤
│ pom.xml         │ pom  │        0        │    -    │
├─────────────────┼──────┼─────────────────┼─────────┤
│ project/pom.xml │ pom  │        3        │    -    │
└─────────────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


project/pom.xml (pom)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────┬────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version        │                           Title                            │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────┼────────────────────────────────────────────────────────────┤
│ io.netty:netty-codec-http  │ CVE-2026-33870 │ HIGH     │ fixed  │ 4.1.127.Final     │ 4.1.132.Final, 4.2.10.Final │ io.netty/netty-codec-http: Netty: Request smuggling via    │
│                            │                │          │        │                   │                             │ incorrect parsing of HTTP/1.1 chunked transfer encoding... │
│                            │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33870                 │
│                            ├────────────────┼──────────┤        │                   ├─────────────────────────────┼────────────────────────────────────────────────────────────┤
│                            │ CVE-2025-67735 │ MEDIUM   │        │                   │ 4.2.8.Final, 4.1.129.Final  │ netty-codec-http: Netty (netty-codec-http): Request        │
│                            │                │          │        │                   │                             │ Smuggling via CRLF Injection                               │
│                            │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-67735                 │
├────────────────────────────┼────────────────┼──────────┤        │                   ├─────────────────────────────┼────────────────────────────────────────────────────────────┤
│ io.netty:netty-codec-http2 │ CVE-2026-33871 │ HIGH     │        │                   │ 4.1.132.Final, 4.2.11.Final │ netty: Netty: Denial of Service via HTTP/2 CONTINUATION    │
│                            │                │          │        │                   │                             │ frame flood                                                │
│                            │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2026-33871                 │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────┴────────────────────────────────────────────────────────────┘
2026-04-01T21:03:15+02:00       DEBUG   Cleaning up temp directory      path="/var/folders/sb/spc7gtp11ml69_5lwnj3wbjw0000gn/T/trivy-19728"

Operating System

mac os and linux

Version

$ trivy --version   
Version: 0.69.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2026-04-01 12:46:51.249010054 +0000 UTC
  NextUpdate: 2026-04-02 12:46:51.249009763 +0000 UTC
  DownloadedAt: 2026-04-01 18:43:34.032632 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

DmitriyLewen · 2026-04-07T07:22:35Z

DmitriyLewen
Apr 7, 2026
Maintainer

Hi @askoog, thank you for the detailed report with a clear reproduction case!

We investigated this and here's what's happening.

How Maven handles this

Maven uses a two-phase approach for multi-module projects. In the first phase, it collects all reactor module POMs and registers their coordinates in an in-memory pool (ReactorModelPool — essentially a Map<groupId:artifactId:version, File>). In the second phase, when resolving <scope>import</scope> BOM dependencies, Maven's ProjectModelResolver checks this reactor pool first, before falling back to the local repository (~/.m2/repository/) and remote repositories. This is why mvn dependency:tree works without a prior mvn install — the BOM POM is found directly on disk via the reactor pool.

How Trivy handles this

Trivy performs static analysis of pom.xml files without running the Maven lifecycle. It processes modules sequentially as it encounters them and resolves dependencies along the way. For <scope>import</scope> BOM dependencies, Trivy currently follows the same resolution path as for any other dependency — local repository, then remote repositories. It does not have an equivalent of Maven's ReactorModelPool that pre-registers all module POMs before resolution begins.

Implementing a reactor-like mechanism in Trivy would require significant changes to the POM parsing logic, which is already one of the more complex parts of the codebase.

Workaround

For now, please install the BOM module into your local Maven repository before running Trivy:

# Install just the BOM module
mvn install -pl bom

# Now Trivy will correctly resolve the BOM import
trivy fs .

Feedback welcome

We'd like to understand how common this scenario is before committing to the implementation effort. If you or others are frequently hitting this limitation, please let us know — it will help us prioritize this work. Feel free to upvote this discussion as well.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bom module in maven multimodule project is not used correctly without first installing the artifacts #10470

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Bom module in maven multimodule project is not used correctly without first installing the artifacts #10470

Uh oh!

askoog Apr 1, 2026

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 1 comment

Uh oh!

DmitriyLewen Apr 7, 2026 Maintainer

How Maven handles this

How Trivy handles this

Workaround

Feedback welcome

askoog
Apr 1, 2026

DmitriyLewen
Apr 7, 2026
Maintainer