mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-22 15:16:33 -08:00

Files

DmitriyLewen 22463ababd feat(cli): add include-dev-deps flag (#4700 )

* add Dev field for Package

* fix integration test

* update docs

* feat(cli): add include-dev flag

* bump go-dep-parser

* update docs

* add integration test

* refactor

* refactor

* fix integration test

* refactor: rename flag to include-dev-deps

* update docs

* update docs

* filter dev deps when scanning packages

* add flag support for server mode

* refactor: remove comment that might confuse

* refactor: move --include-dev-deps to the scanner flag group

* refactor: not return apps

* docs: update

---------

Co-authored-by: knqyf263 <knqyf263@gmail.com>

2023-06-29 13:15:52 +00:00

11 KiB

Raw Blame History

Language-specific Packages

Trivy automatically detects the following files and scans vulnerabilities in the application dependencies.

Supported languages

Language	File	Image¹	Rootfs²	Filesystem³	Repository⁴	Dev dependencies	Dependency location⁵
Ruby	Gemfile.lock	-	-	✅	✅	included	-
	gemspec	✅	✅	-	-	included	-
Python	Pipfile.lock	-	-	✅	✅	excluded	✅
	poetry.lock	-	-	✅	✅	excluded	-
	requirements.txt	-	-	✅	✅	included	-
	egg package⁶	✅	✅	-	-	excluded	-
	wheel package⁷	✅	✅	-	-	excluded	-
PHP	composer.lock	✅	✅	✅	✅	excluded	✅
Node.js	package-lock.json	-	-	✅	✅	excluded	✅
	yarn.lock	-	-	✅	✅	excluded	✅
	pnpm-lock.yaml	-	-	✅	✅	excluded	-
	package.json	✅	✅	-	-	excluded	-
.NET	packages.lock.json	✅	✅	✅	✅	included	✅
	packages.config	✅	✅	✅	✅	excluded	-
	.deps.json	✅	✅	✅	✅	excluded	✅
Java	JAR/WAR/PAR/EAR⁸	✅	✅	-	-	included	-
	pom.xml⁹	-	-	✅	✅	excluded	-
	*gradle.lockfile	-	-	✅	✅	excluded	-
Go	Binaries built by Go¹⁰	✅	✅	-	-	excluded	-
	go.mod¹¹	-	-	✅	✅	included	-
Rust	Cargo.lock	✅	✅	✅	✅	excluded	✅
	Binaries built with cargo-auditable	✅	✅	-	-	excluded	-
C/C++	conan.lock¹²	-	-	✅	✅	excluded	-
Elixir	mix.lock¹²	-	-	✅	✅	excluded	✅
Dart	pubspec.lock	-	-	✅	✅	included	-

The path of these files does not matter.

Example: Dockerfile

Data Sources

Language	Source	Commercial Use	Delay⁶
PHP	PHP Security Advisories Database	✅	-
	GitHub Advisory Database (Composer)	✅	-
Python	GitHub Advisory Database (pip)	✅	-
	Open Source Vulnerabilities (PyPI)	✅	-
Ruby	Ruby Advisory Database	✅	-
	GitHub Advisory Database (RubyGems)	✅	-
Node.js	Ecosystem Security Working Group	✅	-
	GitHub Advisory Database (npm)	✅	-
Java	GitLab Advisories Community	✅	1 month
	GitHub Advisory Database (Maven)	✅	-
Go	GitHub Advisory Database (Go)	✅	-
	The Go Vulnerability Database	✅	-
Rust	Open Source Vulnerabilities (crates.io)	✅	-
.NET	GitHub Advisory Database (NuGet)	✅	-
C/C++	GitLab Advisories Community	✅	1 month
Dart	GitHub Advisory Database (Pub)	✅	-
Elixir	GitHub Advisory Database (Erlang)	✅

✅ means "enabled" and - means "disabled" in the image scanning ↩︎
✅ means "enabled" and - means "disabled" in the rootfs scanning ↩︎
✅ means "enabled" and - means "disabled" in the filesystem scanning ↩︎
✅ means "enabled" and - means "disabled" in the git repository scanning ↩︎
✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in json and sarif formats. SARIF uses startline == 1 and endline == 1 for unsupported file types ↩︎
*.egg-info, *.egg-info/PKG-INFO, *.egg and EGG-INFO/PKG-INFO ↩︎
.dist-info/META-DATA ↩︎
*.jar, *.war, *.par and *.ear ↩︎
It requires Internet access when the POM doesn't exist in your local repository ↩︎
UPX-compressed binaries don't work ↩︎
If smaller than go 1.17, go.sum is also required ↩︎
To scan a filename other than the default filename use file-patterns ↩︎

11 KiB Raw Blame History

Language-specific Packages

Supported languages

Data Sources

11 KiB

Raw Blame History