From 4839d3d4798fb96616672b47488031ce5a8b4ef5 Mon Sep 17 00:00:00 2001 From: knqyf263 Date: Fri, 26 Jul 2024 11:12:57 +0400 Subject: [PATCH] docs: add --pkg-relationships Signed-off-by: knqyf263 --- docs/docs/scanner/vulnerability.md | 42 +++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/docs/docs/scanner/vulnerability.md b/docs/docs/scanner/vulnerability.md index ba612ee06b28..58eceb3d5bc7 100644 --- a/docs/docs/scanner/vulnerability.md +++ b/docs/docs/scanner/vulnerability.md @@ -202,7 +202,8 @@ Currently, specifying a username and password is not supported. This section describes vulnerability-specific configuration. Other common options are documented [here](../configuration/index.md). -### Enabling a subset of package types +### Enabling a Subset of Package Types + It's possible to only enable certain package types if you prefer. You can do so by passing the `--pkg-types` option. This flag takes a comma-separated list of package types. 
@@ -268,6 +269,45 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2) +!!! info + This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation. + +### Filtering by Package Relationships + + +Trivy supports filtering vulnerabilities based on the relationship of packages within a project. +This is achieved through the `--pkg-relationships` flag. +This feature allows you to focus on vulnerabilities in specific types of dependencies, such as only those in direct dependencies. + +In Trivy, there are four types of package relationships: + +1. `root`: The root package being scanned +2. `direct`: Direct dependencies of the root package +3. `indirect`: Transitive dependencies +4. `unknown`: Packages whose relationship cannot be determined + +The available relationships may vary depending on the ecosystem. +To see which relationships are supported for a particular project, you can use the JSON output format and check the `Relationship` field: + +``` +$ trivy repo -f json --list-all-pkgs /path/to/project +``` + +To scan only the root package and its direct dependencies, you can use the flag as follows: + +``` +$ trivy repo --pkg-relationships root,direct /path/to/project +``` + +By default, all relationships are included in the scan. + +!!! info + This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation. + +!!! warning + As it may not provide a complete package list, it can lead to incomplete dependency trees when using `--dependency-tree` or generate incomplete SBOMs. + + [^1]: https://github.com/GoogleContainerTools/distroless [nvd-CVE-2023-0464]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464
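Review bot: the first hunk only recapitalizes an existing heading (`### Enabling a subset of package types` to `### Enabling a Subset of Package Types`) and adds a blank line after it; that is consistent with the title-cased `### Filtering by Package Relationships` heading added later in the same file, but please confirm that the generated anchor (`#enabling-a-subset-of-package-types`) does not change so that existing deep links and the `mkdocs` nav keep resolving. With the default slugifier, which lowercases, it should not, but it is worth a quick check of the built site.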
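Review bot: two small things in the second hunk. First, there is a double blank line right after `### Filtering by Package Relationships`, which the rest of the file does not do; one blank line is enough. Second, the `!!! warning` opens with "As it may not provide a complete package list", where "it" has no clear referent; suggest something like "Because this flag removes packages from the result, the dependency tree shown by `--dependency-tree` and any generated SBOM may be incomplete." It would also help readers if the text said what happens when a relationship is requested that the ecosystem cannot distinguish (the list names four relationships, then says availability varies): is the package dropped, or does it fall back to `unknown`? The `!!! info` block is repeated verbatim for `--pkg-types` and `--pkg-relationships`, which is fine, but the two bare code fences could carry a `bash` tag for consistent highlighting.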