bug(java): pom parser reuses remote repositories across sibling dependencies #9747

@DmitriyLewen

Description

Summary

When scanning Maven projects, Trivy’s Java POM parser persists remote repositories discovered while parsing one dependency and then reuses them for other, sibling dependencies. As a result, the repository from the first parsed dependency can be incorrectly applied to subsequent dependencies that declare different repositories.

This appears to come from saving repositories globally in the parser, rather than scoping them to the dependency being resolved. See code around these lines:

```go
pomRepos := pom.repositories(p.servers)
p.remoteRepos.pom = lo.UniqBy(append(pomRepos, p.remoteRepos.pom...), func(r repository) url.URL {
	return r.url
})
```

Reproduction

Consider a multi-module project or a root POM A with two direct dependencies B and C, each hosted on different remote repositories:

A -> B  (available only in remote repo1)
A -> C  (available only in remote repo2)

What happens

  1. Trivy parses dependency B first and records repo1.
  2. When Trivy proceeds to dependency C, it still uses repo1 (saved from B) to resolve C.
  3. This leads to incorrect repository selection for C (and potentially resolution failures or wrong results).

New test case - https://github.com/DmitriyLewen/trivy/blob/84a0ffb4a41cac870481409d5f3dc2fa3022adc4/pkg/dependency/parser/java/pom/parse_private_test.go
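The leak described in the report, as an added illustration that is not Trivy's own code: a constructed toy parser that keeps repository state parser-wide (the reported behaviour) beside a variant that scopes repositories to the dependency being parsed, run over the A -> B, A -> C layout. The names (`pom`, `parser`, `reposFor`, `resolveSiblings`) and the repository URLs are assumptions made for the example.

```go
package main

import "fmt"

// Constructed model of the parser's repository handling (not Trivy's code).
type pom struct {
	artifact string
	repos    []string // <repositories> URLs declared in this POM
}

// uniq keeps the first occurrence of each URL, like the quoted lo.UniqBy.
func uniq(repos []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, r := range repos {
		if !seen[r] {
			seen[r] = true
			out = append(out, r)
		}
	}
	return out
}

// parser-wide repository state; the reported defect is that it survives from one sibling to the next.
type parser struct{ remoteRepos []string }

// reposFor returns the repositories queried for pm. scoped=false reproduces
// the bug (earlier siblings' repos leak in); scoped=true uses only pm's own.
func (p *parser) reposFor(pm pom, scoped bool) []string {
	if scoped {
		return uniq(pm.repos)
	}
	p.remoteRepos = uniq(append(pm.repos, p.remoteRepos...))
	return p.remoteRepos
}

// resolveSiblings parses B then C (A -> B, A -> C) and records the repositories each was resolved against.
func resolveSiblings(scoped bool) map[string][]string {
	siblings := []pom{{"B", []string{"https://repo1.example"}}, {"C", []string{"https://repo2.example"}}} // constructed
	p, out := &parser{}, map[string][]string{}
	for _, pm := range siblings {
		out[pm.artifact] = p.reposFor(pm, scoped)
	}
	return out
}

func main() {
	fmt.Println("buggy: ", resolveSiblings(false)) // C: [repo2 repo1]
	fmt.Println("scoped:", resolveSiblings(true))  // C: [repo2]
}
```

In the unscoped run C is resolved against repo1 as well as its own repo2, which is the incorrect repository selection the report describes; the scoped run queries only repo2 for C.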

Labels: kind/bug