Skip to content

Commit

Permalink
feat(cli): add include-dev-deps flag (aquasecurity#4700)
Browse files Browse the repository at this point in the history 
* add Dev field for Package

* fix integration test

* update docs

* feat(cli): add include-dev flag

* bump go-dep-parser

* update docs

* add integration test

* refactor

* refactor

* fix integration test

* refactor: rename flag to include-dev-deps

* update docs

* update docs

* filter dev deps when scanning packages

* add flag support for server mode

* refactor: remove comment that might confuse

* refactor: move --include-dev-deps to the scanner flag group

* refactor: not return apps

* docs: update

---------

Co-authored-by: knqyf263 <knqyf263@gmail.com>
  • Loading branch information
@DmitriyLewen @knqyf263
DmitriyLewen and knqyf263 committed Jun 29, 2023
1 parent 790c805 commit 22463ab
Show file tree
Hide file tree
Showing 27 changed files with 892 additions and 409 deletions.
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_filesystem.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ trivy filesystem [flags] PATH
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-dev-deps include development dependencies in the report (supported: npm)
--include-non-failures include successes and exceptions, available with '--scanners config'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--license-confidence-level float specify license classifier's confidence level (default 0.9)
Expand Down
1 change: 0 additions & 1 deletion docs/docs/references/configuration/cli/trivy_sbom.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,6 @@ trivy sbom [flags] SBOM_PATH
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--server string server address in client mode
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--skip-db-update skip updating vulnerability database
Expand Down
54 changes: 27 additions & 27 deletions docs/docs/scanner/vulnerability/language/index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,33 +4,33 @@

## Supported languages

| Language | File | Image[^7] | Rootfs[^8] | Filesystem[^9] | Repository[^10] | Dev dependencies | Dependency location[^11] |
|----------------------|--------------------------------------------------------------------------------------------|:---------:|:----------:|:--------------:|:---------------:|------------------|:------------------------:|
| Ruby | Gemfile.lock | - | - ||| included | - |
| | gemspec ||| - | - | included | - |
| [Python](python.md) | Pipfile.lock | - | - ||| excluded ||
| | poetry.lock | - | - ||| excluded | - |
| | requirements.txt | - | - ||| included | - |
| | egg package[^1] ||| - | - | excluded | - |
| | wheel package[^2] ||| - | - | excluded | - |
| [PHP](php.md) | composer.lock ||||| excluded ||
| [Node.js](nodejs.md) | package-lock.json | - | - ||| excluded ||
| | yarn.lock | - | - ||| included ||
| | pnpm-lock.yaml | - | - ||| excluded | - |
| | package.json ||| - | - | excluded | - |
| .NET | packages.lock.json ||||| included ||
| | packages.config ||||| excluded | - |
| | .deps.json ||||| excluded ||
| [Java](java.md) | JAR/WAR/PAR/EAR[^3] ||| - | - | included | - |
| | pom.xml[^4] | - | - ||| excluded | - |
| | *gradle.lockfile | - | - ||| excluded | - |
| [Go](golang.md) | Binaries built by Go[^5] ||| - | - | excluded | - |
| | go.mod[^6] | - | - ||| included | - |
| [Rust](rust.md) | Cargo.lock ||||| excluded ||
| | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) ||| - | - | excluded | - |
| C/C++ | conan.lock[^12] | - | - ||| excluded | - |
| Elixir | mix.lock[^12] | - | - ||| excluded ||
| Dart | pubspec.lock | - | - ||| included | - |
| Language | File | Image[^7] | Rootfs[^8] | Filesystem[^9] | Repository[^10] | Dev dependencies | Dependency location[^11] |
|----------------------|--------------------------------------------------------------------------------------------|:---------:|:----------:|:--------------:|:---------------:|------------------------------|:------------------------:|
| Ruby | Gemfile.lock | - | - ||| included | - |
| | gemspec ||| - | - | included | - |
| [Python](python.md) | Pipfile.lock | - | - ||| excluded ||
| | poetry.lock | - | - ||| excluded | - |
| | requirements.txt | - | - ||| included | - |
| | egg package[^1] ||| - | - | excluded | - |
| | wheel package[^2] ||| - | - | excluded | - |
| [PHP](php.md) | composer.lock ||||| excluded ||
| [Node.js](nodejs.md) | package-lock.json | - | - ||| [excluded](./nodejs.md#npm) ||
| | yarn.lock | - | - ||| [excluded](./nodejs.md#yarn) ||
| | pnpm-lock.yaml | - | - ||| excluded | - |
| | package.json ||| - | - | excluded | - |
| .NET | packages.lock.json ||||| included ||
| | packages.config ||||| excluded | - |
| | .deps.json ||||| excluded ||
| [Java](java.md) | JAR/WAR/PAR/EAR[^3] ||| - | - | included | - |
| | pom.xml[^4] | - | - ||| excluded | - |
| | *gradle.lockfile | - | - ||| excluded | - |
| [Go](golang.md) | Binaries built by Go[^5] ||| - | - | excluded | - |
| | go.mod[^6] | - | - ||| included | - |
| [Rust](rust.md) | Cargo.lock ||||| excluded ||
| | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) ||| - | - | excluded | - |
| C/C++ | conan.lock[^12] | - | - ||| excluded | - |
| Elixir | mix.lock[^12] | - | - ||| excluded ||
| Dart | pubspec.lock | - | - ||| included | - |

The path of these files does not matter.

Expand Down
12 changes: 7 additions & 5 deletions docs/docs/scanner/vulnerability/language/nodejs.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,11 @@
Trivy supports three types of Node.js package managers: `npm`, `Yarn` and `pnpm`.
The following table provides an outline of the features Trivy offers.

| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position | License |
|:---------------:|-------------------|:-----------------------:|:----------------:|:----------------:|:--------:|:-------:|
| npm | package-lock.json || Excluded ||||
| Yarn | yarn.lock || Excluded ||| - |
| pnpm | pnpm-lock.yaml || Excluded || - | - |
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position | License |
|:---------------:|-------------------|:-----------------------:|:-----------------:|:----------------:|:--------:|:-------:|
| npm | package-lock.json || [Excluded](#npm) ||||
| Yarn | yarn.lock || [Excluded](#yarn) ||| - |
| pnpm | pnpm-lock.yaml || Excluded || - | - |

In addition, Trivy scans installed packages with `package.json`.

Expand All @@ -29,6 +29,8 @@ Trivy parses `package-lock.json`.
To identify licenses, you need to download dependencies to `node_modules` beforehand.
Trivy analyzes `node_modules` for licenses.

By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.

### Yarn
Trivy parses `yarn.lock`, which doesn't contain information about development dependencies.
To exclude devDependencies, `package.json` also needs to be present next to `yarn.lock`.
Expand Down
14 changes: 7 additions & 7 deletions go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ require (
github.com/alicebob/miniredis/v2 v2.30.3
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/defsec v0.90.0
github.com/aquasecurity/go-dep-parser v0.0.0-20230614123559-76443063c1f1
github.com/aquasecurity/go-dep-parser v0.0.0-20230626110909-e7ea5097483b
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
Expand Down Expand Up @@ -94,10 +94,10 @@ require (
go.etcd.io/bbolt v1.3.7
go.uber.org/zap v1.24.0
golang.org/x/exp v0.0.0-20230321023759-10a507213a29
golang.org/x/mod v0.10.0
golang.org/x/mod v0.11.0
golang.org/x/sync v0.2.0
golang.org/x/term v0.8.0
golang.org/x/text v0.9.0
golang.org/x/term v0.9.0
golang.org/x/text v0.10.0
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
google.golang.org/protobuf v1.30.0
gopkg.in/yaml.v3 v3.0.1
Expand Down Expand Up @@ -356,10 +356,10 @@ require (
go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
go.uber.org/atomic v1.10.0 // indirect
go.uber.org/multierr v1.9.0 // indirect
golang.org/x/crypto v0.9.0 // indirect
golang.org/x/net v0.10.0 // indirect
golang.org/x/crypto v0.10.0 // indirect
golang.org/x/net v0.11.0 // indirect
golang.org/x/oauth2 v0.7.0 // indirect
golang.org/x/sys v0.8.0 // indirect
golang.org/x/sys v0.9.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.8.0 // indirect
google.golang.org/api v0.121.0 // indirect
Expand Down
Loading

0 comments on commit 22463ab

Please sign in to comment.