DmitriyLewen

Results: 134 issues of DmitriyLewen

## Description We can only use licenses from the [SPDX license list](https://spdx.org/licenses/) in the `licenseConcluded` and `licenseDeclared` fields. For other licenses, we should create a new `LicenseRef-*` component (see the `hasExtractedLicensingInfos` field - https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/#d46-license-expressions-in-rdf)...

kind/bug
scan/sbom
scan/license

## Description IIUC AsymmetricPrivateKeys have size limits depending on the key type. Looks like the minimal size is 128 bits - https://www.cryptomathic.com/news-events/blog/classification-of-cryptographic-keys-functions-and-properties So we can calculate the minimal number of characters between `--------BEGIN...

kind/bug
help wanted
scan/secret

## Description We detect all dependencies and exclude dev dependencies in `scanner`. This worked well. But we added the `test` scope for `pom.xml` files - #7414. And this is a problem...

## Description We added support for the `test` scope, but we were forced to roll back these changes (see #7488). This PR adds support for the `test` scope. Also this PR takes...

## Description Move dev (test) dependency inclusion/exclusion into analyzers. See #7476 for more details. ## Related issues - Close #7476 ## Checklist - [x] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to...

## Description There are cases when the SPDX license list doesn't contain the license of a dependency/package. We need to use the [ExtractedLicensingInfo](https://spdx.github.io/spdx-spec/v2.3/other-licensing-information-detected/) field. Example: https://github.com/spdx/tools-java/blob/master/testResources/SPDXJSONExample-v2.2.spdx.json ### Discussed in https://github.com/aquasecurity/trivy/discussions/7366

kind/bug
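The two SPDX issues above (non-SPDX licenses in `licenseConcluded`/`licenseDeclared`, and emitting `hasExtractedLicensingInfos` for them) describe one mechanism: every id in those fields must be either a list id or a `LicenseRef-` idstring, and each `LicenseRef-` must be backed by an ExtractedLicensingInfo entry. The Go program below is an added example written for this page; it is not Trivy's code. `spdxLicenseIDs` is a constructed four-entry stand-in for the real list, and the license names in `main` are made up. The idstring rewrite and the `WITH` handling follow the SPDX 2.3 expression grammar (the part after `LicenseRef-` is `[A-Za-z0-9.-]+`); exception ids are left untouched because they come from the exceptions list, which this example does not model.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// spdxLicenseIDs is a constructed subset of the SPDX license list
// (https://spdx.org/licenses/) so the example runs offline; a real SBOM
// generator would load the full list.
var spdxLicenseIDs = map[string]bool{
	"MIT": true, "Apache-2.0": true, "GPL-2.0-only": true, "BSD-3-Clause": true,
}

// notIDChar matches runs of characters that are not allowed in an SPDX
// idstring (the part after "LicenseRef-"), which is [A-Za-z0-9.-]+.
var notIDChar = regexp.MustCompile(`[^A-Za-z0-9.\-]+`)

// ExtractedLicensingInfo is one entry of hasExtractedLicensingInfos.
type ExtractedLicensingInfo struct {
	LicenseID     string `json:"licenseId"`
	ExtractedText string `json:"extractedText"`
	Name          string `json:"name,omitempty"`
}

// PackageLicenses holds the two fields that must contain SPDX-valid expressions.
type PackageLicenses struct {
	Name             string `json:"name"`
	LicenseConcluded string `json:"licenseConcluded"`
	LicenseDeclared  string `json:"licenseDeclared"`
}

// Document is the subset of an SPDX 2.3 JSON document needed here.
type Document struct {
	Packages                   []PackageLicenses        `json:"packages"`
	HasExtractedLicensingInfos []ExtractedLicensingInfo `json:"hasExtractedLicensingInfos,omitempty"`
}

// ToLicenseRef turns an arbitrary license name into a valid LicenseRef-* id
// by collapsing every run of disallowed characters into a single "-".
func ToLicenseRef(name string) string {
	id := strings.Trim(notIDChar.ReplaceAllString(strings.TrimSpace(name), "-"), "-")
	return "LicenseRef-" + id
}

// NormalizeExpression walks a whitespace-tokenized SPDX expression (ids joined
// by AND / OR / WITH, optional parentheses) and replaces every id that is not
// on the SPDX list with a LicenseRef-* id. It returns the rewritten expression
// and the ExtractedLicensingInfo entries the document must then carry.
// Names containing spaces are not expression tokens; pass them to ToLicenseRef.
func NormalizeExpression(expr string) (string, []ExtractedLicensingInfo) {
	var infos []ExtractedLicensingInfo
	seen := map[string]bool{}
	tokens := strings.Fields(expr)
	for i, tok := range tokens {
		id := strings.Trim(tok, "()")
		prefix := tok[:strings.Index(tok, id)]
		suffix := tok[len(prefix)+len(id):]
		switch {
		case id == "", id == "AND", id == "OR", id == "WITH":
			continue // operator or bare parenthesis
		case i > 0 && tokens[i-1] == "WITH":
			continue // exception id: belongs to the exceptions list, not modeled here
		case strings.HasPrefix(id, "LicenseRef-"):
			continue // already a reference
		case spdxLicenseIDs[strings.TrimSuffix(id, "+")]:
			continue // valid SPDX id (with optional deprecated "+" suffix)
		}
		ref := ToLicenseRef(id)
		tokens[i] = prefix + ref + suffix
		if !seen[ref] {
			seen[ref] = true
			infos = append(infos, ExtractedLicensingInfo{
				LicenseID: ref,
				// extractedText should carry the license text; only the name is
				// available in this example, so it is used as a stand-in.
				ExtractedText: id,
				Name:          id,
			})
		}
	}
	return strings.Join(tokens, " "), infos
}

// BuildDocument normalizes both license fields of one package and attaches the
// deduplicated hasExtractedLicensingInfos entries to the document.
func BuildDocument(pkg, concluded, declared string) Document {
	c, ci := NormalizeExpression(concluded)
	d, di := NormalizeExpression(declared)
	byID := map[string]ExtractedLicensingInfo{}
	for _, e := range append(ci, di...) {
		byID[e.LicenseID] = e
	}
	doc := Document{Packages: []PackageLicenses{{Name: pkg, LicenseConcluded: c, LicenseDeclared: d}}}
	for _, e := range byID {
		doc.HasExtractedLicensingInfos = append(doc.HasExtractedLicensingInfos, e)
	}
	sort.Slice(doc.HasExtractedLicensingInfos, func(i, j int) bool {
		return doc.HasExtractedLicensingInfos[i].LicenseID < doc.HasExtractedLicensingInfos[j].LicenseID
	})
	return doc
}

func main() {
	// Constructed input: one list id, one made-up proprietary license name.
	doc := BuildDocument("example-pkg", "MIT OR (Apache-2.0 AND Custom_Proprietary-1.0)", "Custom_Proprietary-1.0")
	out, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(out))
}
```

The check a validator such as spdx/tools-java performs is the inverse of this: every id in the expressions must resolve either to the list or to an entry in `hasExtractedLicensingInfos`, so a generator that rewrites the id without emitting the entry still produces an invalid document.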

## Description We currently get `repositories` from `pom.xml` files + `maven central`: https://github.com/aquasecurity/trivy/blob/57e24aa85382f749df7f673e241caaf3fcbb45cb/pkg/dependency/parser/java/pom/parse.go#L339-L342 But the `settings.xml` file may also contain remote repositories. We need to add logic to get repositories from...

help wanted
kind/feature

## Description When Trivy converts a JSON report without `Packages` to a table report with a summary table, Trivy panics. **It works only if the report contains aggregated packages** ``` 8537 trivy...

kind/bug

### Discussed in https://github.com/aquasecurity/trivy/discussions/5208 `.deps.json` files have a `target` array with information about child dependencies. We can use it to build the dependency tree.

kind/feature

## Description We [added](https://github.com/aquasecurity/trivy/pull/7889) `workspace` relationship. So we can add `Root` and `Workspace` packages for `yarn`. See #8012 for more details. example: ```bash ➜ ./trivy -q fs /Users/dmitriy/work/repositories/trivy/pkg/fanal/analyzer/language/nodejs/yarn/testdata/project-with-workspace-in-subdir -f json...