fix: remove dependency-tree flag for image subcommand (#2492)

2025-12-23 07:29:00 -08:00 · 2022-07-13 17:08:54 +06:00
parent 57192bd5ae
commit 6b501219de
3 changed files with 10 additions and 32 deletions
--- a/docs/docs/vulnerability/examples/report.md
+++ b/docs/docs/vulnerability/examples/report.md
@@ -15,7 +15,7 @@ Modern software development relies on the use of third-party libraries.
 Third-party dependencies also depend on others so a list of dependencies can be represented as a dependency graph.
 In some cases, vulnerable dependencies are not linked directly, and it requires analyses of the tree.
 To make this task simpler Trivy can show a dependency origin tree with the `--dependency-tree` flag.
-This flag is available with the `--format table` flag only.
+This flag is only available with the `fs` or `repo` commands and the `--format table` flag.
 This tree is the reverse of the npm list command.
 However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
@@ -63,33 +63,6 @@ Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to reso
 !!! note
    Only Node.js (package-lock.json) is supported at the moment.
 ## JSON
 Similar structure is included in JSON output format
 ```json
          "VulnerabilityID": "CVE-2022-0235",
          "PkgID": "node-fetch@1.7.3",
          "PkgName": "node-fetch",
          "PkgParents": [
            {
              "ID": "isomorphic-fetch@2.2.1",
              "Parents": [
                {
                  "ID": "fbjs@0.8.18",
                  "Parents": [
                    {
                      "ID": "styled-components@3.1.3"
                    }
                  ]
                }
              ]
            }
          ],
 ```
 !!! caution
 As of May 2022 the feature is supported for `npm` dependency parser only
 ## JSON
 ```
--- a/pkg/commands/app.go
+++ b/pkg/commands/app.go
@@ -215,6 +215,7 @@ func NewRootCommand(version string, globalFlags *flag.GlobalFlagGroup) *cobra.Co
 func NewImageCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	reportFlagGroup := flag.NewReportFlagGroup()
 	reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
 	reportFlagGroup.ReportFormat = nil   // TODO: support --format summary
 	imageFlags := &flag.Flags{
@@ -796,6 +797,7 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	reportFlagGroup := flag.NewReportFlagGroup()
 	reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
 	reportFlagGroup.ReportFormat = nil   // TODO: support --format summary
 	scanFlags := flag.NewScanFlagGroup()
--- a/pkg/flag/report_flags.go
+++ b/pkg/flag/report_flags.go
@@ -165,9 +165,12 @@ func (f *ReportFlagGroup) ToOptions(out io.Writer) (ReportOptions, error) {
 	}
 	// "--dependency-tree" option is available only with "--format table".
-	if dependencyTree && format != report.FormatTable {
+	if dependencyTree {
 		log.Logger.Infof(`"--dependency-tree" only shows dependencies for "package-lock.json" files`)
 		if format != report.FormatTable {
 			log.Logger.Warn(`"--dependency-tree" can be used only with "--format table".`)
 		}
 	}
 	// Enable '--list-all-pkgs' if needed
 	if f.forceListAllPkgs(format, listAllPkgs, dependencyTree) {