From 3ffab16ed6ec9e59a6602a673d9a726db769ed77 Mon Sep 17 00:00:00 2001 From: nikpivkin Date: Thu, 25 Jan 2024 15:18:25 +0700 Subject: [PATCH 1/3] docs: add note about Bun --- docs/docs/coverage/language/nodejs.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/docs/coverage/language/nodejs.md b/docs/docs/coverage/language/nodejs.md index 393491b34f46..b6e5f1de5200 100644 --- a/docs/docs/coverage/language/nodejs.md +++ b/docs/docs/coverage/language/nodejs.md @@ -53,6 +53,9 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de ### pnpm Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities. +### Bun +Trivy supports scanning `yarn.lock` files generated by [Bun](https://bun.sh/docs/install/lockfile#how-do-i-inspect-bun-s-lockfile). You can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock`. + ## Packages Trivy parses the manifest files of installed packages in container image scanning and so on. From 46217e8ff83523276f267f0d64a20d086e589095 Mon Sep 17 00:00:00 2001 From: nikpivkin Date: Fri, 26 Jan 2024 17:28:54 +0700 Subject: [PATCH 2/3] docs: update node.js tables --- docs/docs/coverage/language/nodejs.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/docs/coverage/language/nodejs.md b/docs/docs/coverage/language/nodejs.md index b6e5f1de5200..ba2d849d192e 100644 --- a/docs/docs/coverage/language/nodejs.md +++ b/docs/docs/coverage/language/nodejs.md @@ -1,6 +1,6 @@ # Node.js -Trivy supports three types of Node.js package managers: `npm`, `Yarn` and `pnpm`. +Trivy supports four types of Node.js package managers: `npm`, `Yarn`, `pnpm` and `Bun`[^1]. The following scanners are supported. @@ -9,6 +9,7 @@ The following scanners are supported. | npm | ✓ | ✓ | ✓ | | Yarn | ✓ | ✓ | ✓ | | pnpm | ✓ | ✓ | - | +| Bun | ✓ | ✓ | ✓ | The following table provides an outline of the features Trivy offers. 
@@ -17,6 +18,7 @@ The following table provides an outline of the features Trivy offers. | npm | package-lock.json | ✓ | [Excluded](#npm) | ✓ | ✓ | | Yarn | yarn.lock | ✓ | [Excluded](#yarn) | ✓ | ✓ | | pnpm | pnpm-lock.yaml | ✓ | Excluded | ✓ | - | +| Bun | yarn.lock | ✓ | [Excluded](#yarn) | ✓ | ✓ | In addition, Trivy scans installed packages with `package.json`. @@ -63,4 +65,6 @@ Trivy parses the manifest files of installed packages in container image scannin Trivy searches for `package.json` files under `node_modules` and identifies installed packages. It only extracts package names, versions and licenses for those packages. -[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies \ No newline at end of file +[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies + +[^1]: [yarn.lock](#bun) must be generated From 24d2e37bf050a84b968428eee111deae2b90f69c Mon Sep 17 00:00:00 2001 From: knqyf263 Date: Fri, 26 Jan 2024 14:48:06 +0400 Subject: [PATCH 3/3] docs: mention `bun.lockb` Signed-off-by: knqyf263 --- docs/docs/coverage/language/nodejs.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/docs/docs/coverage/language/nodejs.md b/docs/docs/coverage/language/nodejs.md index ba2d849d192e..c371a1117178 100644 --- a/docs/docs/coverage/language/nodejs.md +++ b/docs/docs/coverage/language/nodejs.md @@ -4,12 +4,12 @@ Trivy supports four types of Node.js package managers: `npm`, `Yarn`, `pnpm` and The following scanners are supported. -| Artifact | SBOM | Vulnerability | License | -| -------- | :---: | :-----------: | :-----: | -| npm | ✓ | ✓ | ✓ | -| Yarn | ✓ | ✓ | ✓ | -| pnpm | ✓ | ✓ | - | -| Bun | ✓ | ✓ | ✓ | +| Artifact | SBOM | Vulnerability | License | +|----------|:----:|:-------------:|:-------:| +| npm | ✓ | ✓ | ✓ | +| Yarn | ✓ | ✓ | ✓ | +| pnpm | ✓ | ✓ | - | +| Bun | ✓ | ✓ | ✓ | The following table provides an outline of the features Trivy offers. 
@@ -18,12 +18,12 @@ The following table provides an outline of the features Trivy offers. | npm | package-lock.json | ✓ | [Excluded](#npm) | ✓ | ✓ | | Yarn | yarn.lock | ✓ | [Excluded](#yarn) | ✓ | ✓ | | pnpm | pnpm-lock.yaml | ✓ | Excluded | ✓ | - | -| Bun | yarn.lock | ✓ | [Excluded](#yarn) | ✓ | ✓ | +| Bun | yarn.lock | ✓ | [Excluded](#yarn) | ✓ | ✓ | In addition, Trivy scans installed packages with `package.json`. | File | Dependency graph | Position | License | -| ------------ | :--------------: | :------: | :-----: | +|--------------|:----------------:|:--------:|:-------:| | package.json | - | - | ✅ | These may be enabled or disabled depending on the target. @@ -58,6 +58,9 @@ Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [ ### Bun Trivy supports scanning `yarn.lock` files generated by [Bun](https://bun.sh/docs/install/lockfile#how-do-i-inspect-bun-s-lockfile). You can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock`. +!!! note + `bun.lockb` is not supported. + ## Packages Trivy parses the manifest files of installed packages in container image scanning and so on.
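Review bot: In PATCH 1/3 (hunk `@@ -53,6 +53,9 @@`) the new `### Bun` section says Trivy scans the `yarn.lock` that Bun writes, but never states that Bun's default lockfile is not parsed. A reader with a plain Bun checkout will run Trivy, get no dependency findings, and can easily read that empty result as a clean scan. Say it plainly in the same paragraph: only the Yarn-compatible `yarn.lock` is read, and `bun install -y` must be run before scanning. (The `bun.lockb` caveat only arrives two commits later, in PATCH 3/3; it belongs with the sentence that introduces the feature.)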
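Review bot: In PATCH 2/3 (hunk `@@ -1,6 +1,6 @@`) the `[^1]` marker is attached to `Bun` in the intro sentence, but the row `+| Bun | ✓ | ✓ | ✓ |` in the scanner table carries no marker, and the table is what most readers consult to decide whether a target is covered. Either put the footnote on the table row as well, or drop the footnote and link `Bun` directly to the `### Bun` section so the "generate `yarn.lock` first" condition is visible wherever the three check marks are shown.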
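Review bot: In PATCH 2/3 (hunk `@@ -17,6 +18,7 @@`) the Bun row's dev-dependency cell links to `[Excluded](#yarn)`, so readers are sent to the Yarn section to learn how Bun projects are handled. That is defensible because the file is a Yarn-format lockfile, but the `### Bun` section should say so explicitly ("handled like Yarn, dev dependencies excluded") or the link should point at `#bun`. The footnote definition `[^1]: [yarn.lock](#bun) must be generated` is also too terse to act on; suggest `[^1]: A Yarn-compatible \`yarn.lock\` must be generated with \`bun install -y\`, see [Bun](#bun).` Fixing the missing trailing newline on the `[dependency-graph]` line is welcome.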
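Review bot: In PATCH 3/3 (hunk `@@ -4,12 +4,12 @@`) the whole scanner table is removed and re-added only to change the separator row from `| -------- | :---: | :-----------: | :-----: |` to `|----------|:----:|:-------------:|:-------:|`; every cell value is identical. That is a formatting-only change hidden under the subject "docs: mention `bun.lockb`", and it makes the diff noisy for anyone reviewing or bisecting the coverage docs later. Split it into its own commit or at least mention the table reflow in the commit message.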
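Review bot: In PATCH 3/3 (hunk `@@ -18,12 +18,12 @@`) the `-| Bun | yarn.lock | ...` / `+| Bun | yarn.lock | ...` pair and the `package.json` table separator differ only in whitespace; no content changes here. Same point as the previous hunk: whitespace-only churn should not ride along in a commit whose subject is about `bun.lockb`. A `git diff -w` on this hunk should come back empty, which is a good sign it belongs elsewhere.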
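Review bot: In PATCH 3/3 (hunk `@@ -58,6 +58,9 @@`) the admonition `!!! note` / `bun.lockb is not supported.` states the limitation but not its consequence or the remedy, and for a vulnerability scanner the consequence is the important part: a project that ships only `bun.lockb` produces no package findings, which looks the same as a project with no vulnerable dependencies. Suggest wording along the lines of "`bun.lockb` is not supported; a project containing only `bun.lockb` yields no package results. Run `bun install -y` to produce a Yarn-compatible `yarn.lock` before scanning." Also confirm the body line under `!!! note` is indented by four spaces, otherwise the MkDocs admonition does not render as a block.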