Authentication with maven doesn't work when using encrypted password.

[Smasherr]

Description

When using an encrypted password trivy doesn't try to decrypt it before authenticating. The consequence is the decrypted password is used for authentication as if it were clear text.

Desired Behavior

Trivy should use settings-security.xml containing the master password to decrypt server passwords in settings.xml.

Actual Behavior

1. There is no feedback on whether resolving the dependencies works or it doesn't. The scanning exits successfully and says there are no vulnerabilities detected.

+ trivy filesystem --exit-code 1 --no-progress --skip-dirs http/ --skip-dirs target/ --severity HIGH,CRITICAL --scanners vuln .
2024-03-26T19:06:40.484Z	INFO	Need to update DB
2024-03-26T19:06:40.484Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db:2
2024-03-26T19:06:40.484Z	INFO	Downloading DB...
2024-03-26T19:06:43.132Z	INFO	Vulnerability scanning is enabled
2024-03-26T19:06:46.919Z	INFO	Number of language-specific files: 1
2024-03-26T19:06:46.919Z	INFO	Detecting pom vulnerabilities...
pom.xml (pom)
=============
Total: 0 (HIGH: 0, CRITICAL: 0)

Only if using --debug there are error messages:

...
2024-03-26T19:50:21.770Z	DEBUG	Walk the file tree rooted at '.' in parallel
2024-03-26T19:50:21.773Z	DEBUG	Adding repository [MASKED]: https://[MASKED]
2024-03-26T19:50:21.774Z	DEBUG	Adding repository confluent: https://packages.confluent.io/maven/
2024-03-26T19:50:21.774Z	DEBUG	Start parent: org.springframework.boot:spring-boot-starter-parent:3.2.3
2024-03-26T19:50:21.948Z	DEBUG	Failed to fetch from [MASKED]/org/springframework/boot/spring-boot-starter-parent/3.2.3/spring-boot-starter-parent-3.2.3.pom
2024-03-26T19:50:22.624Z	DEBUG	Failed to fetch from packages.confluent.io/maven/org/springframework/boot/spring-boot-starter-parent/3.2.3/spring-boot-starter-parent-3.2.3.pom
...

2. A big unforeseen effect on the server side can be user blocking due to multiple incorrect login attempts, for example when using the fail2ban method.

Reproduction Steps

1. Have a private repository manager. If you don't have any you can start Sonatype Nexus in a container, configure maven-central as a remote repository, add a user, and disable the anonymous access.
2. Use settings.xml for Maven with a server setting for the private repository manager and an encrypted server password. Documentation: https://maven.apache.org/guides/mini/guide-encryption.html
3. Use Trivy filesystem vulnerability scan on any Maven project. For example, generate one using Spring Initializr https://start.spring.io/

Target

Filesystem

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

See actual behavoir

Operating System

Alpine Linux in a Docker container

Version

Version: 0.50.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-26 18:10:27.317281487 +0000 UTC
  NextUpdate: 2024-03-27 00:10:27.317281116 +0000 UTC
  DownloadedAt: 2024-03-26 19:47:14.084410037 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @Smasherr
Sorry for the long answer.

Unfortunately, we do not have a tool for decoding passwords or information on how to write one yourself.
Therefore, at the moment we cannot implement this functionality.

If you have ideas on how we can do that using Go - we always happy new contributors.

Regards, Dmitriy