docs: add note about Bun (aquasecurity#6001)
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
nikpivkin and knqyf263 authored Jan 26, 2024
1 parent 70dd572 commit 4df9363
Showing 1 changed file with 18 additions and 8 deletions.
26 changes: 18 additions & 8 deletions docs/docs/coverage/language/nodejs.md
@@ -1,14 +1,15 @@
# Node.js

Trivy supports three types of Node.js package managers: `npm`, `Yarn` and `pnpm`.
Trivy supports four types of Node.js package managers: `npm`, `Yarn`, `pnpm` and `Bun`[^1].

The following scanners are supported.

| Artifact | SBOM | Vulnerability | License |
| -------- | :---: | :-----------: | :-----: |
| npm ||||
| Yarn ||||
| pnpm ||| - |
| Artifact | SBOM | Vulnerability | License |
|----------|:----:|:-------------:|:-------:|
| npm ||||
| Yarn ||||
| pnpm ||| - |
| Bun ||||

The following table provides an outline of the features Trivy offers.

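Review bot: the new "four types of Node.js package managers" sentence and the `| Bun |` row in the scanner table present Bun as a first-class target, while the `[^1]` footnote only says a `yarn.lock` must be generated; a reader who skims the table will assume `bun.lockb` is parsed directly. Suggest carrying the `[^1]` marker, or a link to the [Bun](#bun) section, onto the `| Bun |` table row as well so the table and the sentence stay consistent. The separator-row rewrites (`| -------- |` to `|----------|`) are cosmetic and unrelated to Bun; fine to keep, but they widen the diff for no functional change.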
Expand All @@ -17,11 +18,12 @@ The following table provides an outline of the features Trivy offers.
| npm | package-lock.json || [Excluded](#npm) |||
| Yarn | yarn.lock || [Excluded](#yarn) |||
| pnpm | pnpm-lock.yaml || Excluded || - |
| Bun | yarn.lock || [Excluded](#yarn) |||

In addition, Trivy scans installed packages with `package.json`.

| File | Dependency graph | Position | License |
| ------------ | :--------------: | :------: | :-----: |
|--------------|:----------------:|:--------:|:-------:|
| package.json | - | - ||

These may be enabled or disabled depending on the target.
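Review bot: the `| Bun | yarn.lock || [Excluded](#yarn) |||` row links dev-dependency handling to the `#yarn` section, but the file now has a dedicated `#bun` section that explains where that `yarn.lock` comes from and what is not supported. Point the link at `#bun` (or state in `#bun` that dev dependencies follow the Yarn rules) so readers land on the Bun-specific caveat rather than the generic Yarn text.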
Expand Down Expand Up @@ -53,11 +55,19 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
### pnpm
Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.

### Bun
Trivy supports scanning `yarn.lock` files generated by [Bun](https://bun.sh/docs/install/lockfile#how-do-i-inspect-bun-s-lockfile). You can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock`.

!!! note
`bun.lockb` is not supported.

## Packages
Trivy parses the manifest files of installed packages in container image scanning and so on.

### package.json
Trivy searches for `package.json` files under `node_modules` and identifies installed packages.
It only extracts package names, versions and licenses for those packages.

[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies

[^1]: [yarn.lock](#bun) must be generated

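Review bot: the `### Bun` section should spell out the consequence of `bun.lockb` being unsupported: a Bun project scanned without a generated `yarn.lock` has nothing for Trivy to parse, and a `yarn.lock` produced once with `bun install -y` only reflects the dependencies at that moment, so it has to be regenerated after every dependency change or the scan covers a stale set. Also check that the body of `!!! note` is indented four spaces under the marker, otherwise MkDocs renders `bun.lockb is not supported.` as a plain paragraph outside the admonition; and the footnote `[yarn.lock](#bun) must be generated` reads as a fragment, something like "a Yarn-compatible `yarn.lock` must be generated first, see [Bun](#bun)" is clearer.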