From 7bdc937612aa2f80a7bc7cfe500b87ad1d6fcf6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Meira?=
Date: Thu, 29 Aug 2024 13:33:08 +0100
Subject: [PATCH] fix: Specify types of dependencies to analyze

It's only necessary to specifiy these types when running the scanners directly, as we do. When running Trivy via the command line it's not necessary. See https://github.com/aquasecurity/trivy/pull/7237
---
 internal/tool/tool.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/internal/tool/tool.go b/internal/tool/tool.go
index aa87c8e..070c7e3 100644
--- a/internal/tool/tool.go
+++ b/internal/tool/tool.go
@@ -11,8 +11,10 @@ import (
 	"strings"
 
 	"github.com/aquasecurity/trivy/pkg/fanal/secret"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/flag"
 	"github.com/aquasecurity/trivy/pkg/log"
+	ptypes "github.com/aquasecurity/trivy/pkg/types"
 	types "github.com/aquasecurity/trivy/pkg/types"
 	codacy "github.com/codacy/codacy-engine-golang-seed/v6"
 	"github.com/samber/lo"
@@ -97,7 +99,9 @@ func (t codacyTrivy) runVulnerabilityScanning(ctx context.Context, toolExecution
 		},
 		PackageOptions: flag.PackageOptions{
 			// Only scan libraries not OS packages.
-			PkgTypes: []string{types.PkgTypeLibrary},
+			PkgTypes: []string{ptypes.PkgTypeLibrary},
+			// Scan packages with all possible relationships (direct, indirect, etc).
+			PkgRelationships: ftypes.Relationships,
 		},
 		ReportOptions: flag.ReportOptions{
 			// Listing all packages will allow to obtain the line number of a vulnerability.
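Review bot: The import hunk leaves `github.com/aquasecurity/trivy/pkg/types` imported twice, as the existing `types` and the new `ptypes`; Go accepts that, but it invites drift, so either every former `types.` use should be moved to `ptypes.` and the old line removed, or the new alias dropped and `types` kept for the two call sites changed here. In the PackageOptions hunk the comment on `PkgRelationships` states what the value is but not why it has to be set at all; since the commit message says the CLI path supplies this and direct scanner use does not, a comment like `// Must be set explicitly: the CLI fills this in by default, direct scanner use does not (see trivy#7237).` would stop a later cleanup from dropping it as redundant. Whether an unset relationship list scans everything or nothing is not visible in this diff and should be confirmed against the vendored trivy version, because the difference decides whether indirect dependencies silently fall out of the vulnerability report. runVulnerabilityScanning starts and ends outside the hunk.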
@@ -106,7 +110,7 @@ func (t codacyTrivy) runVulnerabilityScanning(ctx context.Context, toolExecution
 		ScanOptions: flag.ScanOptions{
 			// Do not try to connect to the internet to download vulnerability DBs, for example.
 			OfflineScan: true,
-			Scanners: types.Scanners{types.VulnerabilityScanner},
+			Scanners: ptypes.Scanners{ptypes.VulnerabilityScanner},
 			// Instead of scanning files individually, scan the whole source directory since it's faster.
 			// Then filter issues from files that were not supposed to be analysed.
 			Target: toolExecution.SourceDir,