bug(java): We should parse dependencies with unsupported scopes to correctly detect version/skip dependency

[DmitriyLewen]

Description

IIUC mvn checks dependency version without regard to scope.
it means that if you add test dependency (as example), transitive dependency of another dependency will use version of test dependency:

➜ cat pom.xml           
    <groupId>com.example</groupId>
    <artifactId>test</artifactId>
    <version>1.0.0</version>

    <dependencies>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-annotations</artifactId>
            <version>2.18.0</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.18.1</version>
        </dependency>
    </dependencies>
</project>

➜ mvn dependency:resolve
...
[INFO] The following files have been resolved:
[INFO]    com.fasterxml.jackson.core:jackson-annotations:jar:2.18.0:test -- module com.fasterxml.jackson.annotation
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.18.1:compile -- module com.fasterxml.jackson.databind
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.18.1:compile -- module com.fasterxml.jackson.core
...

But Trivy parses only import, runtime, compile and empty scopes:

trivy/pkg/dependency/parser/java/pom/parse.go

Line 430 in 57e24aa

if (d.Scope != "" && d.Scope != "compile" && d.Scope != "runtime") || d.Optional {

So for this example Trivy skips new test com.fasterxml.jackson.core:jackson-annotations:2.18.0 dependency (as test scope), and includes com.fasterxml.jackson.core:jackson-annotations:2.18.1 into report:

➜ trivy -q fs ./pom.xml -f json --list-all-pkgs | grep jackson-annotations
            "com.fasterxml.jackson.core:jackson-annotations:2.18.1",

This is wrong behavior.
I am not sure about the right way:

• (most likely case) we need to skip jackson-annotations as test dependency
• we should use version 2.18.0 for jackson-annotations, because, UUIC, maven will use jackson-annotations:2.18.0 in package jackson-databind (I may be wrong)

Anyway, we need to analyze all scopes and resolve dependencies after that.
But we already added support for test scope (We are reverting these changes - because the running time on trivi has increased a lot)

We need to think how we can handle this case.
for example, mvn always downloads all required files before resolving dependencies. Maybe we can do something like this.

@aquasecurity/trivy Do you have any ideas?

Discussed in #7836