feat(vuln): add --pkg-relationships
#7237
Signed-off-by: knqyf263 <[email protected]>
LGTM
Left a couple of comments.
By default, all relationships are included in the scan. | ||
|
||
!!! info | ||
This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation. |
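Review bot: the last line of the info admonition says the flag also affects SBOM generation, while the PR description says it cannot be used with `--format spdx|spdx-json|cyclonedx|github`. Consider naming the rejected output formats in this note so readers do not expect filtered SBOM output from a combination that returns an error.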
Let's add a warning that this flag can't be used with `--dependency-tree`, `--vex` or `--format spdx|spdx-json|cyclonedx|github`.
I deleted the warning in aaea1ea as it now returns an error. Do you want to document it?
Yes, I think it won't be superfluous
Done
f0e1104
pkg/commands/app.go
Outdated
I assume that users will want to use the new flag in `convert` mode.
e.g. scan an image once, but show 2 tables - with direct and indirect dependencies.
But for this change we need to change the location of the new logic.
So I suggest waiting for user requests.
Actually, I was also thinking about it. `--include-dev-deps` and `--pkg-types` cannot be used in `convert` now. Detecting vulnerabilities is not expensive. We might want to move it in the filtering process.
> `--include-dev-deps` and `--pkg-types` cannot be used in `convert` now.

Users can't use `--pkg-types` (`--vuln-type`) in `v0.53.0` (or earlier) in `convert` mode:

```
➜ trivy -d convert --vuln-type os
...
2024-07-29T11:42:11+06:00 FATAL Fatal error unknown flag: --vuln-type
```

But I haven't seen any requests to add this flag for `convert` mode.
We might want to wait for user feedback on `--pkg-relationships`.
Got it.
Signed-off-by: knqyf263 <[email protected]>
LGTM
Package relationship has been introduced on aquasecurity/trivy#7237 and using CLI there are default relationship values (all). Using the library directly there is no default value and having 0 relationships and retrieving 0 findings. Therefore on this commit we added the default value with all relationships
* Bump trivy to v0.54.1 and fix breaking changes
* Add default cli values of --pkg-relationships

  Package relationship has been introduced on aquasecurity/trivy#7237 and using CLI there are default relationship values (all). Using the library directly there is no default value and having 0 relationships and retrieving 0 findings. Therefore on this commit we added the default value with all relationships
- Fix --vuln-type flag renamed into --pkg-types aquasecurity/trivy#7104;
- Adopt package relationships aquasecurity/trivy#7237
* Bump trivy to v0.49.1
* Bump trivy to v0.51.4
  - Fix registry version aquasecurity/trivy#6219;
  - Fix replace zap with slog aquasecurity/trivy#6466;
  - The fix with slog used a zap to slog bridge (official from zap, but exp). It didn't have a license file, so I hardcoded a commit version that had;
  - Adopt opts.Align() to validate options object;
* Bump trivy to v0.52.2
* Temp change the workflow trigger to test changes
* Free up space on runner
* Bump trivy to v0.53.0
  - Fix go clear cache aquasecurity/trivy#7010
* Bump trivy to v0.54.1
  - Fix --vuln-type flag renamed into --pkg-types aquasecurity/trivy#7104;
  - Adopt package relationships aquasecurity/trivy#7237
* Rollback CI run on target
* Clean 'scan cache clean' code and add timeout to it
It's only necessary to specify these types when running the scanners directly, as we do. When running Trivy via the command line it's not necessary. See aquasecurity/trivy#7237
…#83)

* chore(deps): bump github.com/aquasecurity/trivy from 0.53.0 to 0.54.1

  Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.53.0 to 0.54.1.
  - [Release notes](https://github.com/aquasecurity/trivy/releases)
  - [Changelog](https://github.com/aquasecurity/trivy/blob/v0.54.1/CHANGELOG.md)
  - [Commits](aquasecurity/trivy@v0.53.0...v0.54.1)

  ---
  updated-dependencies:
  - dependency-name: github.com/aquasecurity/trivy
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <[email protected]>

* fix: Use new flag for vulnerability type

  See aquasecurity/trivy#7104

* bump: Trivy version for vulnerability DB updates

* fix: Specify types of dependencies to analyze

  It's only necessary to specify these types when running the scanners directly, as we do. When running Trivy via the command line it's not necessary. See aquasecurity/trivy#7237

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: André Meira <[email protected]>
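The failure mode the downstream commit messages above describe (an unset relationship list filtering out every package, so the scan reports zero findings), modeled as an added example; it is not code from Trivy or from the referencing projects. The types and function names are hypothetical, and the `root` and `unknown` relationship names are assumptions.

```go
package main

import "fmt"

// Relationship is a simplified stand-in for a package relationship
// (hypothetical type for this example, not Trivy's own).
type Relationship string

// "root" and "unknown" are assumed names; the thread names direct and indirect.
const (
	Unknown  Relationship = "unknown"
	Root     Relationship = "root"
	Direct   Relationship = "direct"
	Indirect Relationship = "indirect"
)

type Package struct{ Name string; Rel Relationship }

// FilterPackages keeps packages whose relationship is in allowed. An empty
// list keeps nothing: the scan "succeeds" with zero packages and zero findings.
func FilterPackages(pkgs []Package, allowed []Relationship) []Package {
	set := make(map[Relationship]bool, len(allowed))
	for _, r := range allowed {
		set[r] = true
	}
	var kept []Package
	for _, p := range pkgs {
		if set[p.Rel] {
			kept = append(kept, p)
		}
	}
	return kept
}

// WithDefault applies the CLI-style default (all relationships) when a
// library caller leaves the option unset.
func WithDefault(allowed []Relationship) []Relationship {
	if len(allowed) == 0 {
		return []Relationship{Unknown, Root, Direct, Indirect}
	}
	return allowed
}

// SamplePackages returns constructed input for the example.
func SamplePackages() []Package {
	return []Package{{"app", Root}, {"web-framework", Direct}, {"yaml-parser", Indirect}}
}

func main() {
	pkgs := SamplePackages()
	fmt.Println(len(FilterPackages(pkgs, nil)), len(FilterPackages(pkgs, WithDefault(nil))))
}
```

A caller embedding a scanner this way can also treat "zero packages after filtering" on a non-empty input as an error rather than a clean result.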
Description
Add `--pkg-relationships` to filter vulnerabilities by relationships. It cannot be used with `--dependency-tree`, `--vex` or `--format spdx|spdx-json|cyclonedx|github`.

Usage
Without `--pkg-relationships`
With `--pkg-relationships`
With `--pkg-relationships` and `--format spdx`

Related issues
`--relationship` flag to filter vulnerabilities by package relationship #6889

Checklist