Ignore maven integration test poms (src/it/*/pom.xml) #5787
Replies: 3 comments 24 replies
-
Hi @codefromthecrypt ! You can use the |
Beta Was this translation helpful? Give feedback.
-
I feel like the experience is still quite bad. I hope folks can reconsider after having some time to digest, and remove the "it" from the default expression. You can see it doesn't understand template variables
|
Beta Was this translation helpful? Give feedback.
-
another example.. trivy is looking at files in the "target" directory which are definitely not source. This is just a side effect of the invoker plugin, used to run integration tests and needing a scratch area
|
Beta Was this translation helpful? Give feedback.
-
Description
Please ignore
src/it/*/pom.xml
files when analyzing for vulnerabilities.Maven has a convention for integration tests,
src/it/*/pom.xml
, which are run with themaven-invoker-plugin
. In zipkin, we use this style to ensure old clients can still pass tests. However, the old libraries configured in the integration tests are setting off vulnerability notices. I think they should not be treated as any priority as they will not result in production code.Here's an example https://github.com/openzipkin/zipkin-reporter-java
If there is another way to hint to Trivy run by arbitrary users to not detect this (via something in our repo), an alternate is welcome!
Target
Git Repository
Scanner
Vulnerability
Beta Was this translation helpful? Give feedback.
All reactions