diff --git a/docs/docs/vulnerability/examples/report.md b/docs/docs/vulnerability/examples/report.md
index e0a24683d6..dd37a54e74 100644
--- a/docs/docs/vulnerability/examples/report.md
+++ b/docs/docs/vulnerability/examples/report.md
@@ -15,7 +15,7 @@ Modern software development relies on the use of third-party libraries. Third-party dependencies also depend on others so a list of dependencies can be represented as a dependency graph. In some cases, vulnerable dependencies are not linked directly, and it requires analyses of the tree. To make this task simpler Trivy can show a dependency origin tree with the `--dependency-tree` flag.
-This flag is available with the `--format table` flag only.
+This flag is only available with the `fs` or `repo` commands and the `--format table` flag.
 This tree is the reverse of the npm list command. However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
@@ -63,33 +63,6 @@ Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to reso
 !!! note
 Only Node.js (package-lock.json) is supported at the moment.
-## JSON
-Similar structure is included in JSON output format
-```json
- "VulnerabilityID": "CVE-2022-0235",
- "PkgID": "node-fetch@1.7.3",
- "PkgName": "node-fetch",
- "PkgParents": [
- {
- "ID": "isomorphic-fetch@2.2.1",
- "Parents": [
- {
- "ID": "fbjs@0.8.18",
- "Parents": [
- {
- "ID": "styled-components@3.1.3"
- }
- ]
- }
- ]
- }
- ],
- ```
- !!! caution
-As of May 2022 the feature is supported for `npm` dependency parser only
 ## JSON
 ```
diff --git a/pkg/commands/app.go b/pkg/commands/app.go
index 10be367745..0e47d8386f 100644
--- a/pkg/commands/app.go
+++ b/pkg/commands/app.go
@@ -215,7 +215,8 @@ func NewRootCommand(version string, globalFlags *flag.GlobalFlagGroup) *cobra.Co
 func NewImageCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 reportFlagGroup := flag.NewReportFlagGroup()
- reportFlagGroup.ReportFormat = nil // TODO: support --format summary
+ reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
+ reportFlagGroup.ReportFormat = nil // TODO: support --format summary
 imageFlags := &flag.Flags{
 CacheFlagGroup: flag.NewCacheFlagGroup(),
@@ -796,7 +797,8 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 reportFlagGroup := flag.NewReportFlagGroup()
- reportFlagGroup.ReportFormat = nil // TODO: support --format summary
+ reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
+ reportFlagGroup.ReportFormat = nil // TODO: support --format summary
 scanFlags := flag.NewScanFlagGroup()
 scanFlags.SecurityChecks = nil // disable '--security-checks' as it always scans for vulnerabilities
diff --git a/pkg/flag/report_flags.go b/pkg/flag/report_flags.go
index 7a3d38b763..feb3da47e4 100644
--- a/pkg/flag/report_flags.go
+++ b/pkg/flag/report_flags.go
@@ -165,8 +165,11 @@ func (f *ReportFlagGroup) ToOptions(out io.Writer) (ReportOptions, error) {
 }
 // "--dependency-tree" option is available only with "--format table".
- if dependencyTree && format != report.FormatTable {
- log.Logger.Warn(`"--dependency-tree" can be used only with "--format table".`)
+ if dependencyTree {
+ log.Logger.Infof(`"--dependency-tree" only shows dependencies for "package-lock.json" files`)
+ if format != report.FormatTable {
+ log.Logger.Warn(`"--dependency-tree" can be used only with "--format table".`)
+ }
+ }
 // Enable '--list-all-pkgs' if needed
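Review bot: The documentation in this commit states that `--dependency-tree` is available only with the `fs` and `repo` commands, but the code only nils out `reportFlagGroup.DependencyTree` in NewImageCommand and, in the second app.go hunk, NewSBOMCommand. Every other command built from `flag.NewReportFlagGroup()` (the hunk header shows NewKubernetesCommand exists, for instance) presumably still exposes the flag unless it is disabled outside this diff; worth confirming so the docs and the CLI agree. If those commands are meant to keep the flag, the doc sentence should be widened instead. Both hunks also repeat the same two-line stanza, so a short comment naming why the flag is withheld (the tree is only built for the `fs`/`repo` scan path) would help the next maintainer, e.g. `// disable '--dependency-tree': only the fs/repo scanners build the tree`. The bodies of NewImageCommand and NewSBOMCommand continue past the end of each hunk.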
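Review bot: `log.Logger.Infof` on the new side of the report_flags.go hunk is called with a constant message and no format arguments, so `log.Logger.Info` with the same message is the right call; `Infof` invites a future `%` in the text being misinterpreted. The comment above the block, `// "--dependency-tree" option is available only with "--format table".`, is now only half the story: the new code logs that the tree is shown only for "package-lock.json" files, and the comment should mention that too, e.g. `// "--dependency-tree" is honoured only with "--format table" and currently only for package-lock.json.`. When the format is not table the code still warns and falls through, so `dependencyTree` presumably reaches ReportOptions unchanged; if the option is meant to be inert in that case, setting `dependencyTree = false` after the warning would make the behaviour explicit, though the rest of ToOptions is outside the hunk so this is inferred. The function continues past the end of the hunk.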