
feat(vuln): add --relationship flag to filter vulnerabilities by package relationship #6889

Open
knqyf263 opened this issue Jun 10, 2024 Discussed in #6876 · 3 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@knqyf263
Collaborator

Description

We have received some requests from the community to provide a way to view vulnerabilities only for directly dependent packages. Instead of adding a flag like --ignore-indirect, it would be more flexible to introduce a --relationship flag that allows filtering vulnerabilities based on the package's relationship.

The --relationship flag would accept comma-separated values, such as --relationship root,direct, to specify the desired relationships. This approach leverages the recently added relationship field, which expresses the relationship of a package within the project. In the future, this field may be expanded to accommodate Modules, Workspaces, and other concepts, and the --relationship flag will be able to handle those cases as well.

Furthermore, this flag would also allow users to view vulnerabilities only for transitive dependencies by specifying --relationship indirect, providing additional flexibility in filtering the results.

Considerations

It may be difficult to allow the --dependency-tree flag to be used simultaneously with the --relationship flag. When --relationship indirect is specified, it is not possible to build the complete graph. Therefore, it would be better to prevent these flags from being specified together.

Similarly, the implementation of --relationship for SBOM might be challenging for the same reason as --dependency-tree. In the case of SBOM, it may be necessary to either disable the --relationship flag or remove the dependencies section from the SBOM output.

Discussed in #6876

knqyf263 added the kind/feature label Jun 10, 2024
@knqyf263
Collaborator Author

@DmitriyLewen Any comments?

@DmitriyLewen
Contributor

DmitriyLewen commented Jun 10, 2024

--relationship root,direct

We definitely need to add information about what relationships are available for files.
e.g. only Go and Rust binaries, pom and gomod files support root relationships.

it may be necessary to either disable the --relationship flag or remove the dependencies section from the SBOM output.

I think we need to start by disabling the relationship flag for all SBOM formats (cyclonedx, spdx, github).
For templates we can leave this flag (it will be the same logic as for the table format).

Otherwise looks like a very good idea 👍
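The filtering and flag-validation behaviour sketched in the issue description above (comma-separated --relationship values, exclusion of --dependency-tree) together with the SBOM-format restriction suggested in the previous comment, as an added, self-contained Go example. This is not Trivy's code: the Relationship type, the Package and Vulnerability structs, the function names and the sample results are all assumptions made for illustration, and the CVE identifiers are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Relationship models the three relationship values named in the issue
// (root, direct, indirect). Simplified assumption, not Trivy's own type.
type Relationship string

const (
	Root     Relationship = "root"
	Direct   Relationship = "direct"
	Indirect Relationship = "indirect"
)

var knownRelationships = map[Relationship]bool{Root: true, Direct: true, Indirect: true}

// Package and Vulnerability are minimal stand-ins for scan result entries.
type Package struct {
	Name         string
	Relationship Relationship
}

type Vulnerability struct {
	ID  string
	Pkg Package
}

// ParseRelationships parses the comma-separated flag value ("root,direct").
// Unknown values are rejected rather than ignored, so a typo cannot
// silently filter every finding out of the report.
func ParseRelationships(flag string) (map[Relationship]bool, error) {
	out := map[Relationship]bool{}
	for _, part := range strings.Split(flag, ",") {
		r := Relationship(strings.ToLower(strings.TrimSpace(part)))
		if r == "" {
			continue
		}
		if !knownRelationships[r] {
			return nil, fmt.Errorf("unknown relationship %q (expected root, direct or indirect)", r)
		}
		out[r] = true
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("--relationship requires at least one value")
	}
	return out, nil
}

// ValidateFlags enforces the two constraints discussed in the thread:
// --relationship cannot be combined with --dependency-tree, and it is
// disabled for the SBOM output formats (cyclonedx, spdx, github).
func ValidateFlags(relationship string, dependencyTree bool, format string) error {
	if relationship == "" {
		return nil // flag not given; nothing to check
	}
	if dependencyTree {
		return fmt.Errorf("--relationship cannot be used together with --dependency-tree")
	}
	switch strings.ToLower(format) {
	case "cyclonedx", "spdx", "github":
		return fmt.Errorf("--relationship is not supported with the %s format", format)
	}
	return nil
}

// FilterByRelationship keeps only vulnerabilities whose package relationship
// is in the allowed set; an empty set (flag not given) keeps everything.
func FilterByRelationship(vulns []Vulnerability, allowed map[Relationship]bool) []Vulnerability {
	if len(allowed) == 0 {
		return vulns
	}
	var out []Vulnerability
	for _, v := range vulns {
		if allowed[v.Pkg.Relationship] {
			out = append(out, v)
		}
	}
	return out
}

// sampleResults is a constructed scan result with placeholder CVE IDs,
// not real Trivy output.
var sampleResults = []Vulnerability{
	{ID: "CVE-0000-0001", Pkg: Package{Name: "example.com/app", Relationship: Root}},
	{ID: "CVE-0000-0002", Pkg: Package{Name: "example.com/lib", Relationship: Direct}},
	{ID: "CVE-0000-0003", Pkg: Package{Name: "example.com/transitive", Relationship: Indirect}},
	{ID: "CVE-0000-0004", Pkg: Package{Name: "example.com/lib2", Relationship: Direct}},
}

func main() {
	// Equivalent of: trivy ... -f table --relationship root,direct
	const flag = "root,direct"
	if err := ValidateFlags(flag, false, "table"); err != nil {
		fmt.Println("error:", err)
		return
	}
	allowed, err := ParseRelationships(flag)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, v := range FilterByRelationship(sampleResults, allowed) {
		fmt.Printf("%s\t%s\t%s\n", v.ID, v.Pkg.Name, v.Pkg.Relationship)
	}
}
```

Running it prints the three root and direct findings and drops the indirect one; swapping the flag for "indirect" gives the transitive-only view described in the issue, and passing --dependency-tree or an SBOM format alongside the flag is rejected before any filtering happens.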

@knqyf263
Collaborator Author

We definitely need to add information about what relationships are available for files.
e.g. only Go and Rust binaries, pom and gomod files support root relationships.

Yes, we should document it. In most cases, -f json helps to understand relationship types.
