DmitriyLewen
fix(report): don't panic when report contains vulns, but doesn't contain packages for `table` format
## Description When using Trivy as a library, there may be cases where the Result with vulnerabilities does not contain any packages. Trivy panics in these cases. To avoid panic...
## Description There are cases when users use only the `vendor` dir (`go mod vendor` command). For these cases we can't detect licenses from the `$GOPATH/pkg/mod` dir. ## New logic ```mermaid graph...
## Description We added the `--distro` flag (see #8065) to add/overwrite the OS version. But this flag should also work for `sbom` mode, for cases when the sbom file doesn't contain info about...
## Description We currently don't expose `workspace` as separate packages (only define direct and indirect dependencies on them). After #7889 we can add them with the `workspace` relationship. Required changes:...
## Description `mvn` handles `modules` separately. Trivy uses the same logic: https://github.com/aquasecurity/trivy/blob/57e24aa85382f749df7f673e241caaf3fcbb45cb/pkg/dependency/parser/java/pom/parse.go#L142-L143 But the `SPDX` format doesn't allow duplicate SPDXIDs - https://spdx.github.io/spdx-spec/v2.3/package-information/#72-package-spdx-identifier-field Same for `CycloneDX` - https://cyclonedx.org/docs/1.6/json/#components ## Solutions 1. We will...
## Description There are cases when one package type relates to another package type (This is usually found in SBOM files). e.g. (see #8419 for full example): ```json { "SPDXID":...
## Description There are cases when a report contains Packages with the same `GAV` (GroupID, ArtifactID, version). But these are different packages (see https://github.com/aquasecurity/trivy/issues/7824#issuecomment-2446542674). To avoid confusion and build the dependency graph correctly,...
## Description `viper` doesn't resolve envs from the config file - https://github.com/spf13/viper/issues/315. But we wrap some logic - so we can do it. Most likely, `env` will be used for `string`...
## Description

See #8436

Example:

```yaml
cache:
  dir: "$HOME/.cache/trivy"
```

Before:

```bash
2025-02-24T11:48:13+06:00 DEBUG Cache dir dir="$HOME/.cache/trivy"
```

After:

```bash
2025-02-24T11:47:23+06:00 DEBUG Cache dir dir="/Users/dmitriy/.cache/trivy"
```

## Related issues

-...
## Description OpenSUSE has 2 server versions: - [MicroOS](https://en.opensuse.org/Portal:MicroOS) - [Leap Micro](https://get.opensuse.org/leapmicro/6.0/) We may add support for these OSes ## Vulnerability detection These OSes are based on Tumbleweed and Leap...