DmitriyLewen

> Add the following in a package.json file. Starting from now on, we’ll call this directory the “workspace root”: IIUC (i didn't find info about cli flags) - you need...

> in the documentation and PR examples. I thought you want to change logic for these cases. About docs - i think your are right. There is no need to...

Correct me if I'm wrong: We use `Target` field for secrets and licenses. We also use `Target` or `PkgPath` for vulnerabilities. So for them `artifactLocation.uri` is always non-empty. This means...

thanks. I missed this comment. I found the reason for empty `Target`. It happens for SBOM files not generated by Trivy (when we can't determine filepath for Application). But I...

Hello @ZsoltPath Can you share some example for this?

@nikpivkin Can you take a look? IIUC target with this misconfig is empty. Is this possible?

Hello @coheigea yeah, this PR contains fix for that (https://github.com/aquasecurity/trivy/pull/7484/commits/dba9f9f7f03afe6dd3cb111e3a14bcb050233303) Can you test these changes in your project?

> We need to take the flag into account for cache key calculation. I didn't change the key for the cache - because all analyzers don't work for the image...

I'm not sure we need to enable `--include-non-failures` by default for the conversion mode. We need to use the same logic as for the scan command (`fs`/`image`/etc). It would be...

We already use similar logic for `--list-all-pkgs` - https://trivy.dev/latest/docs/configuration/reporting/#converting I consider such situations as follows: base `json` should include all possible information. Then for other reports the user can customize...