Trivy does not include Spring Boot 4.0.4+ JAR in SBOM #10501

jpalomaki · 2026-04-09T07:22:46Z

jpalomaki
Apr 9, 2026

Description

Running trivy to produce an SBOM that includes Spring Boot 4.0.4+ JARs does not seem to work.

NOTE: Spring Boot JARs <= 4.0.3 seem to be detected correctly and are included in SBOM.

I wonder if this is an issue with the Java DB?

Desired Behavior

Spring Boot JAR is listed in SBOM

Actual Behavior

Spring Boot JAR is not listed in SBOM

Reproduction Steps

Easiest way to reproduce this is to do:

1. wget https://repo1.maven.org/maven2/org/springframework/boot/spring-boot/4.0.5/spring-boot-4.0.5.jar
2. trivy rootfs --format spdx-json --output sbom.json .
3. grep spring-boot sbom.json

I also see the same behavior when scanning a docker image that contains Spring Boot JARs: trivy image --format json --list-all-pkgs ...

Target

Filesystem

Scanner

None

Output Format

SPDX

Mode

Standalone

Debug Output

2026-04-09T10:08:23+03:00 DEBUG [jar] Parsing Java artifacts... file_path="spring-boot-4.0.5.jar"
2026-04-09T10:08:23+03:00 DEBUG [jar] No such POM in the central repositories file="spring-boot-4.0.5.jar"

Operating System

MacOS Tahoe 26.4

Version

Version: 0.69.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2026-04-09 00:34:39.595733358 +0000 UTC
  NextUpdate: 2026-04-10 00:34:39.595733088 +0000 UTC
  DownloadedAt: 2026-04-09 06:09:41.273803 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2026-03-19 01:17:54.395813642 +0000 UTC
  NextUpdate: 2026-03-22 01:17:54.39581332 +0000 UTC
  DownloadedAt: 2026-04-09 06:10:15.073205 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

Answered by DmitriyLewen

Apr 10, 2026

Hello @jpalomaki
spring-boot-4.0.5.jar file does not contain GAV (GroupID, ArtifactID, Version) inside it, which is required for Trivy's supported file formats. (see https://trivy.dev/docs/latest/guide/coverage/language/java/#jarwarparear).

<= 4.0.3 versions were identified by the SHA1 hash of the JAR file, however due to a recent incident, the trivy-java-db update is currently on hold (#10425 (comment)) and our database does not yet contain this new artifact.
Once the database is updated, Trivy will be able to detect this version.

Regards, Dmitriy

View full answer

DmitriyLewen · 2026-04-10T11:19:34Z

DmitriyLewen
Apr 10, 2026
Maintainer

Hello @jpalomaki
spring-boot-4.0.5.jar file does not contain GAV (GroupID, ArtifactID, Version) inside it, which is required for Trivy's supported file formats. (see https://trivy.dev/docs/latest/guide/coverage/language/java/#jarwarparear).

<= 4.0.3 versions were identified by the SHA1 hash of the JAR file, however due to a recent incident, the trivy-java-db update is currently on hold (#10425 (comment)) and our database does not yet contain this new artifact.
Once the database is updated, Trivy will be able to detect this version.

Regards, Dmitriy

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy does not include Spring Boot 4.0.4+ JAR in SBOM #10501

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Trivy does not include Spring Boot 4.0.4+ JAR in SBOM #10501

Uh oh!

Uh oh!

jpalomaki Apr 9, 2026

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 1 comment

Uh oh!

DmitriyLewen Apr 10, 2026 Maintainer

jpalomaki
Apr 9, 2026

DmitriyLewen
Apr 10, 2026
Maintainer