feat(vuln): add --relationship flag to filter vulnerabilities by package relationship
#6889
Comments
knqyf263
added
the
kind/feature
|
@DmitriyLewen Any comments? |
We definitely need to add information about what relationships are available for files.
I think we need to start from disabling Otherwise looks like a very good idea 👍 |
Yes, we should document it. In most cases, |
Description
We have received some requests from the community to provide a way to view vulnerabilities only for directly dependent packages. Instead of adding a flag like
--ignore-indirect, it would be more flexible to introduce a--relationshipflag that allows filtering vulnerabilities based on the package's relationship.The
--relationshipflag would accept comma-separated values, such as--relationship root,direct, to specify the desired relationships. This approach leverages the recently added the relationship field, which expresses the relationship of a package within the project. In the future, this field may be expanded to accommodate Modules, Workspaces, and other concepts, and the--relationshipflag will be able to handle those cases as well.Furthermore, this flag would also allow users to view vulnerabilities only for transitive dependencies by specifying
--relationship indirect, providing additional flexibility in filtering the results.Considerations
It may be difficult to allow the
--dependency-treeflag to be used simultaneously with the--relationshipflag. When--relationship indirectis specified, it's unable to build the complete graph. Therefore, it would be better to prevent these flags from being specified together.Similarly, the implementation of
--relationshipfor SBOM might be challenging for the same reason as--dependency-tree. In the case of SBOM, it may be necessary to either disable the--relationshipflag or remove the dependencies section from the SBOM output.Discussed in #6876
The text was updated successfully, but these errors were encountered: