Ignore indirect npm package

[amiceli]

Question

I use trivy in front projects, I did not find a way to ignore indirect package.
For example ansi-regex is found by trivy but is a dependency of a dependency (depth 4) etc.

I test with policy with this rego example but ansi-regex is still in report.

There is a way to ignore indirect dependency or use pacjage.json instead of package-lock.json with trivy ?

Target

None

Scanner

Vulnerability

Output Format

Table

Mode

None

Operating System

No response

Version

Version: 0.50.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-05 12:12:01.993204553 +0000 UTC
  NextUpdate: 2024-06-05 18:12:01.993204253 +0000 UTC
  DownloadedAt: 2024-06-05 13:14:23.592954 +0000 UTC
Policy Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2023-10-12 08:14:44.51096 +0000 UTC

[knqyf263]

There is a way to ignore indirect dependency or use pacjage.json instead of package-lock.json with trivy ?

There is no way to do that. We might want to add a flag --relationship so Trivy can show direct dependencies with --relationship direct.

[amiceli]

Thanks, I wait this flag ;)