Trivy scans a library declared as "test" in a dependency module

[thboileau]

Description

I set up a sample Maven project with two submodules:

• mainModule
• dependencyModule

mainModule depends on dependencyModule.
dependencyModule declares a dependency on com.fasterxml.jackson.core:jackson-core:2.16.0 with test scope.

Trivy tells me that there is a CVE in the mainModule.

Here is the sample project
testTrivy.zip

Desired Behavior

I expect that no CVE is declared in any module

Actual Behavior

Trivy indicates that there is a CVE in the `mainModule``

Reproduction Steps

1. unzip the provided testTrivy.zip
2. go to the root directory and run this command line:

trivy fs . --scanners vuln --dependency-tree --format table

3. Notice that Trivy reports a CVE.

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

None

Debug Output

trivy repo . --format json --scanners vuln --dependency-tree --format table --debug
2026-03-30T17:55:58+02:00	DEBUG	No plugins loaded
2026-03-30T17:55:58+02:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2026-03-30T17:55:58+02:00	DEBUG	Cache dir	dir="/Users/thierry.boileau/Library/Caches/trivy"
2026-03-30T17:55:58+02:00	DEBUG	Cache dir	dir="/Users/thierry.boileau/Library/Caches/trivy"
2026-03-30T17:55:58+02:00	INFO	"--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports limited package managers. Please see the document for the detail.
2026-03-30T17:55:58+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2026-03-30T17:55:58+02:00	DEBUG	Ignore statuses	statuses=[]
2026-03-30T17:55:58+02:00	DEBUG	DB update was skipped because the local DB is the latest
2026-03-30T17:55:58+02:00	DEBUG	DB info	schema=2 updated_at=2026-03-30T13:22:17.259279391Z next_update=2026-03-31T13:22:17.259279101Z downloaded_at=2026-03-30T14:51:01.163144Z
2026-03-30T17:55:58+02:00	DEBUG	[pkg] Package types	types=[library]
2026-03-30T17:55:58+02:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2026-03-30T17:55:58+02:00	INFO	[vuln] Vulnerability scanning is enabled
2026-03-30T17:55:58+02:00	DEBUG	Initializing scan cache...	type="fs"
2026-03-30T17:55:58+02:00	DEBUG	[notification] Running version check
2026-03-30T17:55:58+02:00	DEBUG	[repo] Analyzing...	root="."
2026-03-30T17:55:58+02:00	DEBUG	Created process-specific temp directory	path="/var/folders/gf/lz8py40n33s59hqxvd3m3_tr0000gp/T/trivy-34325"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Start parent	artifact="com.example:testTrivy:1.0-SNAPSHOT"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Exit parent	artifact="com.example:testTrivy:1.0-SNAPSHOT"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Start parent	artifact="com.example:testTrivy:1.0-SNAPSHOT"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Exit parent	artifact="com.example:testTrivy:1.0-SNAPSHOT"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Resolving...	group_id="com.example" artifact_id="dependencyModule" version="1.0-SNAPSHOT"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Start parent	artifact="com.example:testTrivy:1.0-SNAPSHOT"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Exit parent	artifact="com.example:testTrivy:1.0-SNAPSHOT"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Resolving...	group_id="com.fasterxml.jackson.core" artifact_id="jackson-core" version="2.16.0"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Adding repository	id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Start parent	artifact="com.fasterxml.jackson:jackson-base:2.16.0"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Start parent	artifact="com.example:testTrivy:1.0-SNAPSHOT"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Exit parent	artifact="com.example:testTrivy:1.0-SNAPSHOT"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Start parent	artifact="com.fasterxml.jackson:jackson-bom:2.16.0"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Start parent	artifact="com.example:testTrivy:1.0-SNAPSHOT"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Exit parent	artifact="com.example:testTrivy:1.0-SNAPSHOT"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Resolving...	group_id="com.example" artifact_id="dependencyModule" version="1.0-SNAPSHOT"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Start parent	artifact="com.example:testTrivy:1.0-SNAPSHOT"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Exit parent	artifact="com.example:testTrivy:1.0-SNAPSHOT"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Resolving...	group_id="com.fasterxml.jackson.core" artifact_id="jackson-core" version="2.16.0"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Adding repository	id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Start parent	artifact="com.fasterxml.jackson:jackson-base:2.16.0"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Start parent	artifact="com.fasterxml.jackson:jackson-parent:2.16"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Start parent	artifact="com.fasterxml.jackson:jackson-bom:2.16.0"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Start parent	artifact="com.fasterxml:oss-parent:56"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Start parent	artifact="com.fasterxml.jackson:jackson-parent:2.16"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Exit parent	artifact="com.fasterxml:oss-parent:56"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Start parent	artifact="com.fasterxml:oss-parent:56"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Exit parent	artifact="com.fasterxml.jackson:jackson-parent:2.16"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Exit parent	artifact="com.fasterxml.jackson:jackson-bom:2.16.0"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Exit parent	artifact="com.fasterxml.jackson:jackson-base:2.16.0"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Resolving...	group_id="org.junit" artifact_id="junit-bom" version="5.9.3"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Exit parent	artifact="com.fasterxml:oss-parent:56"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Exit parent	artifact="com.fasterxml.jackson:jackson-parent:2.16"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Exit parent	artifact="com.fasterxml.jackson:jackson-bom:2.16.0"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Exit parent	artifact="com.fasterxml.jackson:jackson-base:2.16.0"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Resolving...	group_id="org.junit" artifact_id="junit-bom" version="5.9.3"
2026-03-30T17:55:58+02:00	DEBUG	OS is not detected.
2026-03-30T17:55:58+02:00	INFO	Number of language-specific files	num=3
2026-03-30T17:55:58+02:00	INFO	[pom] Detecting vulnerabilities...
2026-03-30T17:55:58+02:00	DEBUG	[pom] Scanning packages for vulnerabilities	file_path="dependencyModule/pom.xml"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Scanning packages for vulnerabilities	file_path="mainModule/pom.xml"
2026-03-30T17:55:58+02:00	DEBUG	[pom] Scanning packages for vulnerabilities	file_path="pom.xml"
2026-03-30T17:55:58+02:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2026-03-30T17:55:58+02:00	DEBUG	[vex] VEX filtering is disabled

Operating System

macOS Tahoe Version 26.3.1

Version

Version: 0.69.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2026-03-30 13:22:17.259279391 +0000 UTC
  NextUpdate: 2026-03-31 13:22:17.259279101 +0000 UTC
  DownloadedAt: 2026-03-30 14:51:01.163144 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2026-03-19 01:17:54.395813642 +0000 UTC
  NextUpdate: 2026-03-22 01:17:54.39581332 +0000 UTC
  DownloadedAt: 2026-03-30 13:25:19.781595 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @thboileau
Thanks for your report!

I checked your archive.
all pom.xml files don't have test scope.

dependencyModule declares a dependency on com.fasterxml.jackson.core:jackson-core:2.16.0 with test scope.

Also i added test scope for dependencyModule and don't see com.fasterxml.jackson.core:jackson-core:2.16.0 package.

➜ trivy -q fs . -f json | grep jackson-core || echo "no found"
no found

Regards, Dmitriy