feat(dart): add graph support (#5374)

Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com>
2025-12-23 15:37:50 -08:00 · 2023-10-20 15:16:23 +06:00
parent f2a12f5f90
commit 1a15a3adb1
12 changed files with 426 additions and 95 deletions
--- a/docs/docs/configuration/reporting.md
+++ b/docs/docs/configuration/reporting.md
@@ -41,32 +41,31 @@ In some cases, vulnerable dependencies are not linked directly, and it requires
 To make this task simpler Trivy can show a dependency origin tree with the `--dependency-tree` flag.
 This flag is only available with the `--format table` flag.

-The following packages/languages are currently supported:
+The following OS package managers are currently supported:

- OS packages 
-    - apk
-    - dpkg
-    - rpm
- Node.js 
-    - npm: package-lock.json
-    - pnpm: pnpm-lock.yaml
-    - yarn: yarn.lock
- .NET
-    - NuGet: packages.lock.json
- Python 
-    - Poetry: poetry.lock
- Ruby
-    - Bundler: Gemfile.lock
- Rust
-    - Binaries built with [cargo-auditable][cargo-auditable]
- Go
-    - Modules: go.mod
- PHP
-    - Composer
- Java
-    - Maven: pom.xml
+| OS Package Managers |
+|---------------------|
+| apk                 |
+| dpkg                |
+| rpm                 |

-This tree is the reverse of the npm list command.
+The following languages are currently supported:
+
+| Language | File                                       |
+|----------|--------------------------------------------|
+| Node.js  | [package-lock.json][nodejs-package-lock]   |
+|          | [pnpm-lock.yaml][pnpm-lock]                |
+|          | [yarn.lock][yarn-lock]                     |
+| .NET     | [packages.lock.json][dotnet-packages-lock] |
+| Python   | [poetry.lock][poetry-lock]                 |
+| Ruby     | [Gemfile.lock][gemfile-lock]               |
+| Rust     | [cargo-auditable binaries][cargo-binaries] |
+| Go       | [go.mod][go-mod]                           |
+| PHP      | [composer.lock][composer-lock]             |
+| Java     | [pom.xml][pom-xml]                         |
+| Dart     | [pubspec.lock][pubspec-lock]               |
+
+This tree is the reverse of the dependency graph.
 However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.

 In table output, it looks like:
@@ -408,4 +407,16 @@ $ trivy convert --format table --severity CRITICAL result.json
 [github-sbom-submit]: https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#create-a-snapshot-of-dependencies-for-a-repository

 [os_packages]: ../scanner/vulnerability.md#os-packages
-[language_packages]: ../scanner/vulnerability.md#language-specific-packages
+[language_packages]: ../scanner/vulnerability.md#language-specific-packages
+
+[nodejs-package-lock]: ../coverage/language/nodejs.md#npm
+[pnpm-lock]: ../coverage/language/nodejs.md#pnpm
+[yarn-lock]: ../coverage/language/nodejs.md#yarn
+[dotnet-packages-lock]: ../coverage/language/dotnet.md#packageslockjson
+[poetry-lock]: ../coverage/language/python.md#poetry
+[gemfile-lock]: ../coverage/language/ruby.md#bundler
+[go-mod]: ../coverage/language/golang.md#go-modules
+[composer-lock]: ../coverage/language/php.md#composer
+[pom-xml]: ../coverage/language/java.md#pomxml
+[pubspec-lock]: ../coverage/language/dart.md#dart
+[cargo-binaries]: ../coverage/language/rust.md#binaries