docs: add note about Bun (#6001)

Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com>
aquasecurity · Jan 26, 2024 · 4df9363 · 4df9363
1 parent 70dd572
commit 4df9363
Showing 1 changed file with 18 additions and 8 deletions.
diff --git a/docs/docs/coverage/language/nodejs.md b/docs/docs/coverage/language/nodejs.md
@@ -1,14 +1,15 @@
 # Node.js
 
-Trivy supports three types of Node.js package managers: `npm`, `Yarn` and `pnpm`.
+Trivy supports four types of Node.js package managers: `npm`, `Yarn`, `pnpm` and `Bun`[^1].
 
 The following scanners are supported.
 
-| Artifact | SBOM  | Vulnerability | License |
-| -------- | :---: | :-----------: | :-----: |
-| npm      |   ✓   |       ✓       |    ✓    |
-| Yarn     |   ✓   |       ✓       |    ✓    |
-| pnpm     |   ✓   |       ✓       |    -    |
+| Artifact | SBOM | Vulnerability | License |
+|----------|:----:|:-------------:|:-------:|
+| npm      |  ✓   |       ✓       |    ✓    |
+| Yarn     |  ✓   |       ✓       |    ✓    |
+| pnpm     |  ✓   |       ✓       |    -    |
+| Bun      |  ✓   |       ✓       |    ✓    |
 
 The following table provides an outline of the features Trivy offers.
 
@@ -17,11 +18,12 @@ The following table provides an outline of the features Trivy offers.
 |       npm       | package-lock.json |            ✓            | [Excluded](#npm)  |                  ✓                   |    ✓     |
 |      Yarn       | yarn.lock         |            ✓            | [Excluded](#yarn) |                  ✓                   |    ✓     |
 |      pnpm       | pnpm-lock.yaml    |            ✓            |     Excluded      |                  ✓                   |    -     |
+|       Bun       | yarn.lock         |            ✓            | [Excluded](#yarn) |                  ✓                   |    ✓     |
 
 In addition, Trivy scans installed packages with `package.json`.
 
 | File         | Dependency graph | Position | License |
-| ------------ | :--------------: | :------: | :-----: |
+|--------------|:----------------:|:--------:|:-------:|
 | package.json |        -         |    -     |    ✅    |
 
 These may be enabled or disabled depending on the target.
@@ -53,11 +55,19 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
 ### pnpm
 Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.
 
+### Bun
+Trivy supports scanning `yarn.lock` files generated by [Bun](https://bun.sh/docs/install/lockfile#how-do-i-inspect-bun-s-lockfile). You can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock`.
+
+!!! note
+    `bun.lockb` is not supported.
+
 ## Packages
 Trivy parses the manifest files of installed packages in container image scanning and so on.
 
 ### package.json
 Trivy searches for `package.json` files under `node_modules` and identifies installed packages.
 It only extracts package names, versions and licenses for those packages.
 
-[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+
+[^1]: [yarn.lock](#bun) must be generated