Change `Indirect` field to be an ENUM instead of Bool #5729

john-d8r · 2023-12-05T11:36:26Z

john-d8r
Dec 5, 2023

Description

Trivy has the ability to detect whether a package is Indirect, for various languages like Node.js (lock files), PHP etc..

There are conditions where trivy can't give this info for supported languages. For example

when scanning composer.lock and there is no composer.json in the folder or if trivy was not able to detect it Indirect info not being populated for php image scans #5726
when scanning yarn.lock and there is no package.json in the folder
when scanning package-locks.json v1
and so on...

Would it make sense to change Indirect field to be an ENUM and show the same in JSON report
e.g. Indirect: "not_detected" or Indirect: "composer.json not found"

Currently we get only have an debug log
DEBUG Unable to determine the direct dependencies: manifest/composer.json not found

Target

SBOM

Scanner

Vulnerability

knqyf263 · 2024-02-09T12:09:24Z

knqyf263
Feb 9, 2024
Maintainer

Thanks. Created #6092 for tracking.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Change `Indirect` field to be an ENUM instead of Bool #5729

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Change Indirect field to be an ENUM instead of Bool #5729

john-d8r Dec 5, 2023

Description

Target

Scanner

Replies: 1 comment

knqyf263 Feb 9, 2024 Maintainer

Change `Indirect` field to be an ENUM instead of Bool #5729

john-d8r
Dec 5, 2023

knqyf263
Feb 9, 2024
Maintainer