feat(vuln): add --pkg-relationships
#7237
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
| By default, all relationships are included in the scan. | ||
|
|
||
| !!! info | ||
| This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation. |
There was a problem hiding this comment.
Let's add warning that this flag can't be used with --dependency-tree, --vex or --format spdx|spdx-json|cyclonedx|github.
There was a problem hiding this comment.
I deleted the warning in aaea1ea as it now returns an error. Do you want to document it?
There was a problem hiding this comment.
Yes, I think it won't be superfluous
pkg/commands/app.go
Outdated
There was a problem hiding this comment.
I assume that users will want to use new flag in convert mode.
e.g. scan image once, but show 2 tables - with direct and indirect dependencies.
But for this change we need to change location of new logic.
So I suggest waiting for user requests.
There was a problem hiding this comment.
Actually, I was also thinking about it. --include-dev-deps and --pkg-types cannot be used in convert now. Detecting vulnerabilities is not expensive. We might want to move it in the filtering process.
There was a problem hiding this comment.
--include-dev-deps and --pkg-types cannot be used in convert now.
Users can't use --pkg-types (--vuln-type) in v0.53.0 (or earlier) in convert mode:
➜ trivy -d convert --vuln-type os
...
2024-07-29T11:42:11+06:00 FATAL Fatal error unknown flag: --vuln-typeBut I haven't seen any requests to add this flag for convert mode.
We might want to wait for user feedback on --pkg-relationships.
Signed-off-by: knqyf263 <knqyf263@gmail.com>
romulets
added a commit
to romulets/cloudbeat
that referenced
this pull request
Aug 9, 2024
Package relationship has been introduced on aquasecurity/trivy#7237 and using CLI there are default relationship values (all). Using the library directly there is no default value and having 0 relationships and retrieving 0 finginds. Therefore on this commit we added the default value with all relationships
romulets
added a commit
to elastic/cloudbeat
that referenced
this pull request
Aug 9, 2024
* Bump trivy to v0.54.1 and fix breaking changes * Add default cli values of --pkg-relationships Package relationship has been introduced on aquasecurity/trivy#7237 and using CLI there are default relationship values (all). Using the library directly there is no default value and having 0 relationships and retrieving 0 finginds. Therefore on this commit we added the default value with all relationships
romulets
added a commit
to elastic/cloudbeat
that referenced
this pull request
Aug 13, 2024
- Fix --vuln-type flag renamed into --pkg-types aquasecurity/trivy#7104; \n- Adopt package relationships aquasecurity/trivy#7237
romulets
added a commit
to romulets/cloudbeat
that referenced
this pull request
Aug 13, 2024
- Fix --vuln-type flag renamed into --pkg-types aquasecurity/trivy#7104; \n- Adopt package relationships aquasecurity/trivy#7237
romulets
added a commit
to elastic/cloudbeat
that referenced
this pull request
Aug 13, 2024
* Bump trivy to v0.49.1
* Bump trivy to v0.51.4
- Fix registry version aquasecurity/trivy#6219;
- Fix replace zap with slog aquasecurity/trivy#6466;
- The fix with slog used a zap to slog bridge (official from zap, but exp). It didn't have a license file, so I hardcoded a commit version that had;
- Adopt opts.Align() to validate options object;
* Bump trivy to v0.52.2
* Temp change the workflow trigger to test changes
* Free up space on runner
* Bump trivy to v0.53.0
- Fix go clear cache aquasecurity/trivy#7010
* Bump trivy to v0.54.1
- Fix --vuln-type flag renamed into --pkg-types aquasecurity/trivy#7104;
- Adopt package relationships aquasecurity/trivy#7237
* Rollback CI run on target
* Clean 'scan cache clean' code and add timeout to it
afsmeira
added a commit
to codacy/codacy-trivy
that referenced
this pull request
Aug 29, 2024
It's only necessary to specifiy these types when running the scanners directly, as we do. When running Trivy via the command line it's not necessary. See aquasecurity/trivy#7237
afsmeira
added a commit
to codacy/codacy-trivy
that referenced
this pull request
Aug 29, 2024
It's only necessary to specifiy these types when running the scanners directly, as we do. When running Trivy via the command line it's not necessary. See aquasecurity/trivy#7237
afsmeira
added a commit
to codacy/codacy-trivy
that referenced
this pull request
Aug 29, 2024
It's only necessary to specifiy these types when running the scanners directly, as we do. When running Trivy via the command line it's not necessary. See aquasecurity/trivy#7237
github-actions bot
pushed a commit
to codacy/codacy-trivy
that referenced
this pull request
Aug 29, 2024
…#83) * chore(deps): bump github.com/aquasecurity/trivy from 0.53.0 to 0.54.1 Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.53.0 to 0.54.1. - [Release notes](https://github.com/aquasecurity/trivy/releases) - [Changelog](https://github.com/aquasecurity/trivy/blob/v0.54.1/CHANGELOG.md) - [Commits](aquasecurity/trivy@v0.53.0...v0.54.1) --- updated-dependencies: - dependency-name: github.com/aquasecurity/trivy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * fix: Use new flag for vulnerability type See aquasecurity/trivy#7104 * bump: Trivy version for vulnerability DB updates * fix: Specify types of dependencies to analyze It's only necessary to specifiy these types when running the scanners directly, as we do. When running Trivy via the command line it's not necessary. See aquasecurity/trivy#7237 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: André Meira <andre.meira@codacy.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Add
--pkg-relationshipsto filter vulnerabilities by relationships. It cannot be used with--dependency-tree,--vexor--format spdx|spdx-json|cyclonedx|github.Usage
Withot
--pkg-relationshipsWith
--pkg-relationshipsWith
--pkg-relationshipsand--format spdxRelated issues
--relationshipflag to filter vulnerabilities by package relationship #6889Checklist