feat(cli): change --list-all-pkgs default to true (#9510)

This commit is contained in:
Teppei Fukuda
2025-09-24 14:06:39 +04:00
committed by GitHub
parent 404abb3d91
commit 7b663d86ca
23 changed files with 38 additions and 28 deletions


@@ -617,19 +617,15 @@ For more details, please check [here](../plugin/user-guide.md#output-mode-suppor
To generate multiple reports, you can generate the JSON report first and convert it to other formats with the `convert` subcommand.
```shell
$ trivy image --format json -o result.json --list-all-pkgs debian:11
$ trivy image --format json -o result.json debian:11
$ trivy convert --format cyclonedx --output result.cdx result.json
```
!!! note
Please note that if you want to convert to a format that requires a list of packages,
such as SBOM, you need to add the `--list-all-pkgs` flag when outputting in JSON.
[Filtering options](./filtering.md) such as `--severity` are also available with `convert`.
```shell
# Output all severities in JSON
$ trivy image --format json -o result.json --list-all-pkgs debian:11
$ trivy image --format json -o result.json debian:11
# Output only critical issues in table format
$ trivy convert --format table --severity CRITICAL result.json


@@ -10,7 +10,7 @@ trivy convert [flags] RESULT_JSON
```
# report conversion
$ trivy image --format json --output result.json --list-all-pkgs debian:11
$ trivy image --format json --output result.json debian:11
$ trivy convert --format cyclonedx --output result.cdx result.json
```
@@ -37,7 +37,7 @@ trivy convert [flags] RESULT_JSON
-h, --help help for convert
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--report string specify a report format for the output (allowed values: all,summary) (default "all")


@@ -81,7 +81,7 @@ trivy filesystem [flags] PATH
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar


@@ -99,7 +99,7 @@ trivy image [flags] IMAGE_NAME
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--max-image-size string [EXPERIMENTAL] maximum image size to process, specified in a human-readable format (e.g., '44kB', '17MB'); an error will be returned if the image exceeds this size
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")


@@ -91,7 +91,7 @@ trivy kubernetes [flags] [CONTEXT]
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--kubeconfig string specify the kubeconfig file path to use
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--no-progress suppress progress bar
--node-collector-imageref string indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.3.1")


@@ -80,7 +80,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar


@@ -83,7 +83,7 @@ trivy rootfs [flags] ROOTDIR
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar


@@ -64,7 +64,7 @@ trivy sbom [flags] SBOM_PATH
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name


@@ -75,7 +75,7 @@ trivy vm [flags] VM_IMAGE
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar


@@ -530,7 +530,7 @@ ignore-policy: ""
ignorefile: ".trivyignore"
# Same as '--list-all-pkgs'
list-all-pkgs: false
list-all-pkgs: true
# Same as '--output'
output: ""


@@ -293,7 +293,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
</details>
!!! info
This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation.
This flag filters the packages themselves, so it also affects the list of detected packages in JSON reports and SBOM generation.
### Filtering by Package Relationships
@@ -313,7 +313,7 @@ The available relationships may vary depending on the ecosystem.
To see which relationships are supported for a particular project, you can use the JSON output format and check the `Relationship` field:
```
$ trivy repo -f json --list-all-pkgs /path/to/project
$ trivy repo -f json /path/to/project
```
To scan only the root package and its direct dependencies, you can use the flag as follows:
@@ -325,7 +325,7 @@ $ trivy repo --pkg-relationships root,direct /path/to/project
By default, all relationships are included in the scan.
!!! info
This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation.
This flag filters the packages themselves, so it also affects the list of detected packages in JSON reports and SBOM generation.
!!! warning
As it may not provide a complete package list, `--pkg-relationships` cannot be used with `--dependency-tree`, `--vex` or SBOM generation.


@@ -679,8 +679,8 @@ func setupClient(t *testing.T, c csArgs, addr, cacheDir string) []string {
osArgs = append(osArgs, "--format", "json")
}
if c.ListAllPackages {
osArgs = append(osArgs, "--list-all-pkgs")
if !c.ListAllPackages {
osArgs = append(osArgs, "--list-all-pkgs=false")
}
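Review bot: The inverted condition now appends `--list-all-pkgs=false` only when the test case clears ListAllPackages and silently relies on the flag's new default of true for the opposite case, which a reader of this helper cannot see without opening the flag definition. A one-line comment above the `if` would make the dependency explicit, e.g. `// --list-all-pkgs defaults to true since #9510; only the opt-out has to be passed.` The same inverted pattern appears in TestConvert and in buildArgs further down and would benefit from the same note. setupClient continues outside the hunk.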
if c.IgnoreUnfixed {


@@ -154,6 +154,7 @@ severity:
osArgs := []string{
"--format",
"json",
"--list-all-pkgs=false",
"--cache-dir",
cacheDir,
"--skip-db-update",
@@ -180,6 +181,7 @@ severity:
t.Setenv("TRIVY_OUTPUT", outputFile)
t.Setenv("TRIVY_FORMAT", "json")
t.Setenv("TRIVY_LIST_ALL_PKGS", "false")
t.Setenv("TRIVY_CACHE_DIR", cacheDir)
t.Setenv("TRIVY_SKIP_DB_UPDATE", "true")
t.Setenv("TRIVY_SKIP_POLICY_UPDATE", "true")
@@ -204,6 +206,7 @@ severity:
configFile := tt.args.configFile
configFile += fmt.Sprintf(`
format: json
list-all-pkgs: false
output: %s
cache:
dir: %s
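Review bot: The opt-out is added unconditionally in all three setup paths of this test (the `--list-all-pkgs=false` argument, the `TRIVY_LIST_ALL_PKGS` environment variable and the `list-all-pkgs: false` config key), so the test keeps exercising the pre-change behaviour and nothing here covers the new default; the reason, presumably keeping the existing golden JSON files unchanged, is not recorded anywhere. A comment on the first occurrence such as `// opt out of the --list-all-pkgs default (true since #9510) so the golden files stay unchanged` would explain the choice, and one case left without the opt-out would verify that the default really lists packages. TestDockerEngine, TestModule, the registry scan helper, TestSBOM, TestTar, TestTarWithEnv, TestTarWithConfigFile and TestVM add the same line and share this gap. The enclosing test function starts outside the hunk.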


@@ -66,8 +66,8 @@ func TestConvert(t *testing.T) {
osArgs = append(osArgs, "--show-suppressed")
}
if tt.args.listAllPkgs {
osArgs = append(osArgs, "--list-all-pkgs")
if !tt.args.listAllPkgs {
osArgs = append(osArgs, "--list-all-pkgs=false")
}
// Set up the output file


@@ -247,6 +247,7 @@ func TestDockerEngine(t *testing.T) {
"image",
"--skip-update",
"--format=json",
"--list-all-pkgs=false",
}
if tt.ignoreUnfixed {


@@ -41,6 +41,7 @@ func TestModule(t *testing.T) {
"--ignore-unfixed",
"--format",
"json",
"--list-all-pkgs=false",
"--skip-db-update",
"--offline-scan",
"--quiet",


@@ -271,6 +271,7 @@ func scan(t *testing.T, imageRef name.Reference, baseDir string, opt registryOpt
"image",
"--format",
"json",
"--list-all-pkgs=false",
"--image-src",
"remote",
"--skip-db-update",


@@ -626,8 +626,8 @@ func buildArgs(t *testing.T, cacheDir, command string, format types.Format, test
"--vuln-severity-source", strings.Join(testArgs.vulnSeveritySources, ","),
)
}
if testArgs.listAllPkgs {
osArgs = append(osArgs, "--list-all-pkgs")
if !testArgs.listAllPkgs {
osArgs = append(osArgs, "--list-all-pkgs=false")
}
if testArgs.includeDevDeps {
osArgs = append(osArgs, "--include-dev-deps")


@@ -178,6 +178,7 @@ func TestSBOM(t *testing.T) {
tt.args.format,
"--scanners",
scanners,
"--list-all-pkgs=false",
}
// Set up the output file


@@ -415,6 +415,7 @@ func TestTar(t *testing.T) {
"--format",
string(tt.args.Format),
"--skip-db-update",
"--list-all-pkgs=false",
}
if tt.args.IgnoreUnfixed {
@@ -518,6 +519,7 @@ func TestTarWithEnv(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
t.Setenv("TRIVY_FORMAT", tt.testArgs.Format)
t.Setenv("TRIVY_LIST_ALL_PKGS", "false")
t.Setenv("TRIVY_CACHE_DIR", cacheDir)
t.Setenv("TRIVY_QUIET", "true")
t.Setenv("TRIVY_SKIP_UPDATE", "true")
@@ -554,6 +556,7 @@ func TestTarWithConfigFile(t *testing.T) {
input: "testdata/fixtures/images/alpine-39.tar.gz",
configFile: `quiet: true
format: json
list-all-pkgs: false
severity:
- HIGH
- CRITICAL
@@ -570,6 +573,7 @@ cache:
input: "testdata/fixtures/images/debian-buster.tar.gz",
configFile: `quiet: true
format: json
list-all-pkgs: false
vulnerability:
ignore-unfixed: true
cache:


@@ -78,6 +78,7 @@ func TestVM(t *testing.T) {
"--skip-db-update",
"--format",
tt.args.format,
"--list-all-pkgs=false",
}
// Decompress the gzipped image file


@@ -540,7 +540,7 @@ func NewConvertCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
GroupID: groupUtility,
Short: "Convert Trivy JSON report into a different format",
Example: ` # report conversion
$ trivy image --format json --output result.json --list-all-pkgs debian:11
$ trivy image --format json --output result.json debian:11
$ trivy convert --format cyclonedx --output result.cdx result.json
`,
PreRunE: func(cmd *cobra.Command, args []string) error {


@@ -60,6 +60,7 @@ var (
ListAllPkgsFlag = Flag[bool]{
Name: "list-all-pkgs",
ConfigName: "list-all-pkgs",
Default: true,
Usage: "output all packages in the JSON report regardless of vulnerability",
TelemetrySafe: true,
}
@@ -228,8 +229,9 @@ func (f *ReportFlagGroup) ToOptions(opts *Options) error {
}
// "--list-all-pkgs" option is unavailable with other than "--format json".
// If user specifies "--list-all-pkgs" with "--format table" or other formats, we should warn it.
if listAllPkgs && format != types.FormatJSON {
// If user explicitly specifies "--list-all-pkgs" with "--format table" or other formats, we should warn it.
// We check if the flag was explicitly set by the user to avoid warning when using the default value.
if f.ListAllPkgs.IsSet() && listAllPkgs && format != types.FormatJSON {
log.Warn(`"--list-all-pkgs" is only valid for the JSON format, for other formats a list of packages is automatically included.`)
}
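Review bot: The comment kept just above the rewritten condition still says the option is unavailable with formats other than JSON, which now contradicts both the new comment and the warning text that state other formats include the package list automatically; replace it with `// "--list-all-pkgs" only has an effect with "--format json"; other formats always include the package list.` The added `f.ListAllPkgs.IsSet()` guard presumably reports a value set through the config file or `TRIVY_LIST_ALL_PKGS` as well as the command line; if it only tracks the command line, `list-all-pkgs: true` in trivy.yaml combined with `--format table` would no longer warn, which is worth pinning with a unit test on ToOptions. With the default now true, `--list-all-pkgs=false` together with a non-JSON format is accepted without any message, which seems intended but could be stated in the same comment. ToOptions continues outside the hunk.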