docs: restructure docs for new hosting (#9799)

2025-12-22 15:16:33 -08:00 · 2025-11-18 15:45:49 +00:00
parent f64e0daf25
commit 9da33b5aed
188 changed files with 178 additions and 3576 deletions
--- a/docs/guide/coverage/language/python.md
+++ b/docs/guide/coverage/language/python.md
@@ -0,0 +1,156 @@
+# Python
+
+Trivy supports three types of Python package managers: `pip`, `Pipenv` and `Poetry`.
+The following scanners are supported for package managers.
+
+| Package manager | SBOM | Vulnerability | License |
+|-----------------|:----:|:-------------:|:-------:|
+| pip             |  ✓   |       ✓       |    ✓    |
+| Pipenv          |  ✓   |       ✓       |    -    |
+| Poetry          |  ✓   |       ✓       |    -    |
+| uv              |  ✓   |       ✓       |    -    |
+
+In addition, Trivy supports three formats of Python packages: `egg`, `wheel` and `conda`.
+The following scanners are supported for Python packages.
+
+| Packaging | SBOM | Vulnerability | License |
+|-----------|:----:|:-------------:|:-------:|
+| Egg       |  ✓   |       ✓       |    ✓    |
+| Wheel     |  ✓   |       ✓       |    ✓    |
+| Conda     |  ✓   |       -       |    -    |
+
+
+The following table provides an outline of the features Trivy offers.
+
+| Package manager | File             | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
+|-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
+| pip             | requirements.txt |            -            |     Include      |                  -                   |    ✓     |                    ✓                     |
+| Pipenv          | Pipfile.lock     |            ✓            |     Include      |                  -                   |    ✓     |                Not needed                |
+| Poetry          | poetry.lock      |            ✓            |     [Exclude](#poetry)      |                  ✓                   |    -     |                Not needed                |
+| uv              | uv.lock          |            ✓            |     [Exclude](#uv)      |                  ✓                   |    -     |                Not needed                |          |
+
+
+| Packaging | Dependency graph |
+| --------- | :--------------: |
+| Egg       |        ✓         |
+| Wheel     |        ✓         |
+
+These may be enabled or disabled depending on the target.
+See [here](./index.md) for the detail.
+
+## Package managers
+Trivy parses your files generated by package managers in filesystem/repository scanning.
+
+### pip
+
+#### Dependency detection
+By default, Trivy only parses [version specifiers](https://packaging.python.org/en/latest/specifications/version-specifiers/#id5) with `==` comparison operator and without `.*`.
+
+Using the [--detection-priority comprehensive][detection-priority] option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging. 
+In such case Trivy parses specifiers `>=`,`~=` and a trailing `.*`.
+
+```
+keyring >= 4.1.1            # Minimum version 4.1.1
+Mopidy-Dirble ~= 1.1        # Minimum version 1.1
+python-gitlab==2.0.*        # Minimum version 2.0.0
+```
+Also, there is a way to convert unsupported version specifiers - use either the `pip-compile` tool (which doesn't install the packages)
+or call `pip freeze` from the virtual environment where the requirements are already installed.
+
+```bash
+$ cat requirements.txt 
+boto3~=1.24.60
+click>=8.0
+json-fix==0.5.*
+$ pip install -r requirements.txt
+...
+$ pip freeze > requirements.txt 
+$ cat requirements.txt 
+boto3==1.24.96
+botocore==1.27.96
+click==8.1.7
+jmespath==1.0.1
+json-fix==0.5.2
+python-dateutil==2.8.2
+s3transfer==0.6.2
+setuptools==69.0.2
+six==1.16.0
+urllib3==1.26.18
+wheel==0.42.0
+```
+
+`requirements.txt` files usually contain only the direct dependencies and not contain the transitive dependencies.
+Therefore, Trivy scans only for the direct dependencies with `requirements.txt`.
+
+To detect transitive dependencies as well, you need to generate `requirements.txt` that contains them.
+Like described above, tou can do it with `pip freeze` or `pip-compile`.
+
+```zsh
+$ cat requirements.txt # it will only find `requests@2.28.2`.
+requests==2.28.2 
+$ pip install -r requirements.txt
+...
+
+$ pip freeze > requirements.txt   
+$ cat requirements.txt # it will also find the transitive dependencies of `requests@2.28.2`.
+certifi==2022.12.7
+charset-normalizer==3.1.0
+idna==3.4
+PyJWT==2.1.0
+requests==2.28.2
+urllib3==1.26.15
+```
+
+`pip freeze` also helps to resolve [extras](https://packaging.python.org/en/latest/tutorials/installing-packages/#installing-extras)(optional) dependencies (like `package[extras]=0.0.0`).
+
+`requirements.txt` files don't contain information about dependencies used for development.
+Trivy could detect vulnerabilities on the development packages, which not affect your production environment.
+
+#### License detection
+
+`requirements.txt` files don't contain information about licenses.
+Therefore, Trivy checks `METADATA` files from `lib/site-packages` directory. 
+
+Trivy uses 3 ways to detect `site-packages` directory:
+
+- Checks `VIRTUAL_ENV` environment variable.
+- Detects path to `python`[^1] binary and checks `../lib/pythonX.Y/site-packages` directory.
+- Detects path to `python`[^1] binary and checks `../../lib/site-packages` directory.
+
+### Pipenv
+Trivy parses `Pipfile.lock`.
+`Pipfile.lock` files don't contain information about dependencies used for development.
+Trivy could detect vulnerabilities on the development packages, which not affect your production environment.
+
+License detection is not supported for `Pipenv`.
+
+### Poetry
+Trivy uses `poetry.lock` to identify dependencies and find vulnerabilities.
+To build the correct dependency graph, `pyproject.toml` also needs to be present next to `poetry.lock`.
+
+License detection is not supported for `Poetry`.
+
+By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
+
+
+### uv
+Trivy uses `uv.lock` to identify dependencies and find vulnerabilities.
+
+License detection is not supported for `uv`.
+
+By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
+
+## Packaging
+Trivy parses the manifest files of installed packages in container image scanning and so on.
+See [here](https://packaging.python.org/en/latest/discussions/package-formats/) for the detail.
+
+### Egg
+Trivy looks for `*.egg-info`, `*.egg-info/METADATA`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO` to identify Python packages.
+
+### Wheel
+Trivy looks for `.dist-info/METADATA` to identify Python packages.
+
+[^1]: Trivy checks `python`, `python3`, `python2` and `python.exe` file names.
+
+[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[detection-priority]: ../../scanner/vulnerability.md#detection-priority