feat: add workspaceRelationship #7889

Open. Wants to merge 7 commits into base: main.

Expand Up @@ -69,7 +69,7 @@ trivy filesystem [flags] PATH
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
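Review bot: the regenerated help text now lists `workspace` among the accepted values, but nothing in the flag description says what a workspace relationship is; the only definition on this PR is the enum comment ("For maven `modules`", with cargo and npm workspaces left as a TODO). Suggest adding a one-line definition next to root/direct/indirect in the package-relationship documentation, and calling out that the default set now includes workspace, since users who copied the old default list `unknown,root,direct,indirect` into a config will silently drop workspace packages.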
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_image.md
Expand Up @@ -87,7 +87,7 @@ trivy image [flags] IMAGE_NAME
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--platform string set platform in the form os/arch if image is multi-platform capable
--podman-host string unix podman socket path to use for podman scanning
Expand Up @@ -84,7 +84,7 @@ trivy kubernetes [flags] [CONTEXT]
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--qps float specify the maximum QPS to the master from this client (default 5)
--redis-ca string redis ca file location, if using redis as cache backend
Expand Up @@ -69,7 +69,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_rootfs.md
Expand Up @@ -71,7 +71,7 @@ trivy rootfs [flags] ROOTDIR
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_sbom.md
Expand Up @@ -49,7 +49,7 @@ trivy sbom [flags] SBOM_PATH
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
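Review bot: for `trivy sbom` the relationship is whatever the SBOM decoder reconstructs from the input document, so listing `workspace` here is only accurate if the CycloneDX/SPDX decoding path can actually produce that relationship; confirm that it does (or document that workspace is only populated for source scans) so the flag description does not promise a filter value that never matches for this subcommand.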
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_vm.md
Expand Up @@ -61,7 +61,7 @@ trivy vm [flags] VM_IMAGE
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--pkg-relationships strings list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
1 change: 1 addition & 0 deletions docs/docs/references/configuration/config-file.md
Expand Up @@ -445,6 +445,7 @@ pkg:
relationships:
- unknown
- root
- workspace
- direct
- indirect

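Review bot: this only updates the rendered default list under `pkg.relationships`; if the config-file reference has a description of the accepted values above this block (outside the hunk), it needs `workspace` as well, otherwise readers of the config docs will see a value in the default that is nowhere explained.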
6 changes: 3 additions & 3 deletions integration/testdata/composer.lock.json.golden
16 changes: 8 additions & 8 deletions integration/testdata/conan.json.golden
Expand Up @@ -26,7 +26,7 @@
"Name": "poco",
"Identifier": {
"PURL": "pkg:conan/[email protected]",
"UID": "312753cebe80c0eb"
"UID": "1c5e3b385e0d9c68"
Collaborator: Do you have any idea why the UID is different now?

@DmitriyLewen (Contributor, Author), Nov 8, 2024:
I added workspaceRelationship as 2:

```go
const (
	RelationshipUnknown Relationship = iota
	RelationshipRoot
	RelationshipWorkspace // For maven `modules`. TODO use it for cargo and npm workspaces
	RelationshipDirect
	RelationshipIndirect
)
```

to correct sorting:

```go
// comparator excerpt: unknown always sorts last, otherwise by enum value
switch {
case pkgs[i].Relationship != pkgs[j].Relationship:
	if pkgs[i].Relationship == RelationshipUnknown {
		return false
	} else if pkgs[j].Relationship == RelationshipUnknown {
		return true
	}
	return pkgs[i].Relationship < pkgs[j].Relationship
	// ... remaining cases
}
```

So when we calculate the UID, we use 4 instead of 3 for IndirectRelationship (as an example).
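To make the UID churn described in the comment above concrete, here is an added Go example (not Trivy's code) that models a UID as a hash over the PURL plus the relationship's integer value, with the enum laid out before and after `RelationshipWorkspace` was inserted; it also shows that hashing the relationship's name instead keeps the UID stable. The hashing scheme, the enum names and the sample PURL are assumptions constructed for this illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Relationship mirrors the integer-valued enum from the PR comment.
type Relationship int

// Old layout: Direct=2, Indirect=3.
const (
	OldUnknown Relationship = iota
	OldRoot
	OldDirect
	OldIndirect
)

// New layout: Workspace inserted at 2, so Direct=3 and Indirect=4.
const (
	NewUnknown Relationship = iota
	NewRoot
	NewWorkspace
	NewDirect
	NewIndirect
)

// uidFromInt models a UID derived from the PURL and the relationship's
// integer value (hypothetical simplification, not Trivy's real hashing).
func uidFromInt(purl string, rel Relationship) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%d", purl, rel)))
	return hex.EncodeToString(sum[:8])
}

// uidFromName hashes a stable string label instead, so the UID does not
// move when a constant is inserted into the middle of the enum.
func uidFromName(purl, relName string) string {
	sum := sha256.Sum256([]byte(purl + "|" + relName))
	return hex.EncodeToString(sum[:8])
}

// renumbered lists the pre-existing relationships whose integer value
// changed between the old and new layouts.
func renumbered() []string {
	old := map[string]Relationship{"unknown": OldUnknown, "root": OldRoot, "direct": OldDirect, "indirect": OldIndirect}
	cur := map[string]Relationship{"unknown": NewUnknown, "root": NewRoot, "direct": NewDirect, "indirect": NewIndirect}
	var out []string
	for _, name := range []string{"unknown", "root", "direct", "indirect"} {
		if old[name] != cur[name] {
			out = append(out, name)
		}
	}
	return out
}

func main() {
	purl := "pkg:conan/zlib@1.2.12" // constructed sample PURL
	fmt.Println("renumbered:", renumbered())
	fmt.Println("int-based UID old/new:", uidFromInt(purl, OldIndirect), uidFromInt(purl, NewIndirect))
	fmt.Println("name-based UID:", uidFromName(purl, "indirect"))
}
```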

},
"Version": "1.9.4",
"Relationship": "direct",
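Review bot: every UID in this and the following golden files changes because, as the thread explains, the UID is derived from the relationship's integer value and inserting `RelationshipWorkspace` in the middle of the iota block renumbers `RelationshipDirect` and `RelationshipIndirect`. That makes UIDs unstable across Trivy versions for packages whose relationship never changed, which hurts anyone correlating reports or SBOMs by UID. Consider hashing the relationship's string form (e.g. "direct") rather than its enum value, or appending the new constant and expressing the sort order explicitly in the comparator, so that UIDs move only when the package data itself moves.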
Expand All @@ -50,7 +50,7 @@
"Name": "bzip2",
"Identifier": {
"PURL": "pkg:conan/[email protected]",
"UID": "6e2ff993df2d9107"
"UID": "fcee910413ab7575"
},
"Version": "1.0.8",
"Indirect": true,
Expand All @@ -68,7 +68,7 @@
"Name": "expat",
"Identifier": {
"PURL": "pkg:conan/[email protected]",
"UID": "71c2d92d60f7f21c"
"UID": "1a3fe92a43620875"
},
"Version": "2.4.8",
"Indirect": true,
Expand All @@ -86,7 +86,7 @@
"Name": "openssl",
"Identifier": {
"PURL": "pkg:conan/[email protected]",
"UID": "13c605db6afa69dd"
"UID": "d009c32d2d560ed1"
},
"Version": "1.1.1q",
"Indirect": true,
Expand All @@ -104,7 +104,7 @@
"Name": "pcre",
"Identifier": {
"PURL": "pkg:conan/[email protected]",
"UID": "4e01c692a67e12e4"
"UID": "452827dd216c920e"
},
"Version": "8.43",
"Indirect": true,
Expand All @@ -126,7 +126,7 @@
"Name": "sqlite3",
"Identifier": {
"PURL": "pkg:conan/[email protected]",
"UID": "43bc9c58092c7c9e"
"UID": "8e926335e2fce900"
},
"Version": "3.39.2",
"Indirect": true,
Expand All @@ -144,7 +144,7 @@
"Name": "zlib",
"Identifier": {
"PURL": "pkg:conan/[email protected]",
"UID": "d6faf8d6dfd1985"
"UID": "dfef9b967a82df9f"
},
"Version": "1.2.12",
"Indirect": true,
Expand All @@ -165,7 +165,7 @@
"PkgName": "pcre",
"PkgIdentifier": {
"PURL": "pkg:conan/[email protected]",
"UID": "4e01c692a67e12e4"
"UID": "452827dd216c920e"
},
"InstalledVersion": "8.43",
"FixedVersion": "8.45",
8 changes: 4 additions & 4 deletions integration/testdata/gomod-skip.json.golden
Expand Up @@ -27,7 +27,7 @@
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/[email protected]%2Bincompatible",
"UID": "9d949a7b01249e68"
"UID": "782e16d5a74c9fa6"
},
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
Expand All @@ -54,7 +54,7 @@
"PkgName": "github.com/open-policy-agent/opa",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/open-policy-agent/[email protected]",
"UID": "e89e2b0d8977e2a"
"UID": "3e43f458a7c60c10"
},
"InstalledVersion": "v0.35.0",
"FixedVersion": "0.37.0",
Expand Down Expand Up @@ -101,7 +101,7 @@
"PkgName": "golang.org/x/text",
"PkgIdentifier": {
"PURL": "pkg:golang/golang.org/x/[email protected]",
"UID": "3050088ce9eb2ce4"
"UID": "9c987ed7494d95be"
},
"InstalledVersion": "v0.3.6",
"FixedVersion": "0.3.7",
Expand Down Expand Up @@ -134,7 +134,7 @@
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/[email protected]%2Bincompatible",
"UID": "2f7f0fa81860b8f1"
"UID": "97673687db393443"
},
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
8 changes: 4 additions & 4 deletions integration/testdata/gomod-vex.json.golden
Expand Up @@ -27,7 +27,7 @@
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/[email protected]%2Bincompatible",
"UID": "9d949a7b01249e68"
"UID": "782e16d5a74c9fa6"
},
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
Expand All @@ -54,7 +54,7 @@
"PkgName": "golang.org/x/text",
"PkgIdentifier": {
"PURL": "pkg:golang/golang.org/x/[email protected]",
"UID": "3050088ce9eb2ce4"
"UID": "9c987ed7494d95be"
},
"InstalledVersion": "v0.3.6",
"FixedVersion": "0.3.7",
Expand Down Expand Up @@ -87,7 +87,7 @@
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/[email protected]%2Bincompatible",
"UID": "2f7f0fa81860b8f1"
"UID": "97673687db393443"
},
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
Expand Down Expand Up @@ -121,7 +121,7 @@
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/[email protected]%2Bincompatible",
"UID": "3ad40723ed2fce22"
"UID": "48e3a06649df4bd4"
},
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
10 changes: 5 additions & 5 deletions integration/testdata/gomod.json.golden
Expand Up @@ -27,7 +27,7 @@
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/[email protected]%2Bincompatible",
"UID": "9d949a7b01249e68"
"UID": "782e16d5a74c9fa6"
},
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
Expand All @@ -54,7 +54,7 @@
"PkgName": "github.com/open-policy-agent/opa",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/open-policy-agent/[email protected]",
"UID": "e89e2b0d8977e2a"
"UID": "3e43f458a7c60c10"
},
"InstalledVersion": "v0.35.0",
"FixedVersion": "0.37.0",
Expand Down Expand Up @@ -101,7 +101,7 @@
"PkgName": "golang.org/x/text",
"PkgIdentifier": {
"PURL": "pkg:golang/golang.org/x/[email protected]",
"UID": "3050088ce9eb2ce4"
"UID": "9c987ed7494d95be"
},
"InstalledVersion": "v0.3.6",
"FixedVersion": "0.3.7",
Expand Down Expand Up @@ -134,7 +134,7 @@
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/[email protected]%2Bincompatible",
"UID": "2f7f0fa81860b8f1"
"UID": "97673687db393443"
},
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
Expand Down Expand Up @@ -168,7 +168,7 @@
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/[email protected]%2Bincompatible",
"UID": "3ad40723ed2fce22"
"UID": "48e3a06649df4bd4"
},
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
6 changes: 3 additions & 3 deletions integration/testdata/nuget.json.golden
Expand Up @@ -26,7 +26,7 @@
"Name": "Newtonsoft.Json",
"Identifier": {
"PURL": "pkg:nuget/[email protected]",
"UID": "d4249b2442e303e9"
"UID": "1cec16ca9d4718aa"
},
"Version": "12.0.3",
"Relationship": "direct",
Expand All @@ -43,7 +43,7 @@
"Name": "NuGet.Frameworks",
"Identifier": {
"PURL": "pkg:nuget/[email protected]",
"UID": "6fa0c117039de82a"
"UID": "ed284c615e250d47"
},
"Version": "5.7.0",
"Relationship": "direct",
Expand All @@ -66,7 +66,7 @@
"PkgName": "Newtonsoft.Json",
"PkgIdentifier": {
"PURL": "pkg:nuget/[email protected]",
"UID": "d4249b2442e303e9"
"UID": "1cec16ca9d4718aa"
},
"InstalledVersion": "12.0.3",
"FixedVersion": "13.0.1",
8 changes: 4 additions & 4 deletions integration/testdata/pnpm.json.golden
Expand Up @@ -26,7 +26,7 @@
"Name": "jquery",
"Identifier": {
"PURL": "pkg:npm/[email protected]",
"UID": "53ca18565a4b6a47"
"UID": "2a8ffed0b32cf950"
},
"Version": "3.3.9",
"Licenses": [
Expand All @@ -40,7 +40,7 @@
"Name": "lodash",
"Identifier": {
"PURL": "pkg:npm/[email protected]",
"UID": "31eadfcf58a6b128"
"UID": "29795971f23e7bf6"
},
"Version": "4.17.4",
"Licenses": [
Expand All @@ -57,7 +57,7 @@
"PkgName": "jquery",
"PkgIdentifier": {
"PURL": "pkg:npm/[email protected]",
"UID": "53ca18565a4b6a47"
"UID": "2a8ffed0b32cf950"
},
"InstalledVersion": "3.3.9",
"FixedVersion": "3.4.0",
Expand Down Expand Up @@ -190,7 +190,7 @@
"PkgName": "lodash",
"PkgIdentifier": {
"PURL": "pkg:npm/[email protected]",
"UID": "31eadfcf58a6b128"
"UID": "29795971f23e7bf6"
},
"InstalledVersion": "4.17.4",
"FixedVersion": "4.17.12",
8 changes: 4 additions & 4 deletions integration/testdata/poetry.json.golden
Expand Up @@ -26,7 +26,7 @@
"Name": "click",
"Identifier": {
"PURL": "pkg:pypi/[email protected]",
"UID": "37edb5c90a97272e"
"UID": "d76da06fc75f0439"
},
"Version": "8.1.3",
"Relationship": "direct",
Expand All @@ -40,7 +40,7 @@
"Name": "werkzeug",
"Identifier": {
"PURL": "pkg:pypi/[email protected]",
"UID": "4176be111ad01070"
"UID": "d14d05cca13c7a6b"
},
"Version": "0.14",
"Relationship": "direct",
Expand All @@ -51,7 +51,7 @@
"Name": "colorama",
"Identifier": {
"PURL": "pkg:pypi/[email protected]",
"UID": "895013c17f373da3"
"UID": "c7ed705c1cc43242"
},
"Version": "0.4.6",
"Indirect": true,
Expand All @@ -66,7 +66,7 @@
"PkgName": "werkzeug",
"PkgIdentifier": {
"PURL": "pkg:pypi/[email protected]",
"UID": "4176be111ad01070"
"UID": "d14d05cca13c7a6b"
},
"InstalledVersion": "0.14",
"FixedVersion": "0.15.3",