fix: remove dependency-tree flag for image subcommand (#2492)

2025-12-22 23:26:39 -08:00 · 2022-07-13 17:08:54 +06:00
parent 57192bd5ae
commit 6b501219de
3 changed files with 10 additions and 32 deletions
--- a/docs/docs/vulnerability/examples/report.md
+++ b/docs/docs/vulnerability/examples/report.md
@@ -15,7 +15,7 @@ Modern software development relies on the use of third-party libraries.
 Third-party dependencies also depend on others so a list of dependencies can be represented as a dependency graph.
 In some cases, vulnerable dependencies are not linked directly, and it requires analyses of the tree.
 To make this task simpler Trivy can show a dependency origin tree with the `--dependency-tree` flag.
-This flag is available with the `--format table` flag only.
+This flag is only available with the `fs` or `repo` commands and the `--format table` flag.

 This tree is the reverse of the npm list command.
 However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
@@ -63,33 +63,6 @@ Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to reso
 !!! note
    Only Node.js (package-lock.json) is supported at the moment.

-## JSON
-Similar structure is included in JSON output format
-```json
-          "VulnerabilityID": "CVE-2022-0235",
-          "PkgID": "node-fetch@1.7.3",
-          "PkgName": "node-fetch",
-          "PkgParents": [
-            {
-              "ID": "isomorphic-fetch@2.2.1",
-              "Parents": [
-                {
-                  "ID": "fbjs@0.8.18",
-                  "Parents": [
-                    {
-                      "ID": "styled-components@3.1.3"
-                    }
-                  ]
-                }
-              ]
-            }
-          ],
-
-```
-
-!!! caution
-As of May 2022 the feature is supported for `npm` dependency parser only
-
 ## JSON

 ```
--- a/pkg/commands/app.go
+++ b/pkg/commands/app.go
@@ -215,6 +215,7 @@ func NewRootCommand(version string, globalFlags *flag.GlobalFlagGroup) *cobra.Co

 func NewImageCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	reportFlagGroup := flag.NewReportFlagGroup()
+	reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
 	reportFlagGroup.ReportFormat = nil   // TODO: support --format summary

 	imageFlags := &flag.Flags{
@@ -796,6 +797,7 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {

 func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	reportFlagGroup := flag.NewReportFlagGroup()
+	reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
 	reportFlagGroup.ReportFormat = nil   // TODO: support --format summary

 	scanFlags := flag.NewScanFlagGroup()
--- a/pkg/flag/report_flags.go
+++ b/pkg/flag/report_flags.go
@@ -165,9 +165,12 @@ func (f *ReportFlagGroup) ToOptions(out io.Writer) (ReportOptions, error) {
 	}

 	// "--dependency-tree" option is available only with "--format table".
-	if dependencyTree && format != report.FormatTable {
+	if dependencyTree {
+		log.Logger.Infof(`"--dependency-tree" only shows dependencies for "package-lock.json" files`)
+		if format != report.FormatTable {
 			log.Logger.Warn(`"--dependency-tree" can be used only with "--format table".`)
 		}
+	}

 	// Enable '--list-all-pkgs' if needed
 	if f.forceListAllPkgs(format, listAllPkgs, dependencyTree) {