trivy
feat(cyclonedx): support dependency graph
Description
Command:
```shell
$ trivy image --format cyclonedx alpine:3.15.1
```
Before:
```json
"dependencies": [
  {
    "ref": "ff234fde-bf88-42c4-821e-cb0365fef53c",
    "dependsOn": [
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/ca-certificates-bundle@20211220-r0?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1"
    ]
  },
  {
    "ref": "pkg:oci/alpine@sha256:d6d0a0eb4d40ef96f2310ead734848b9c819bb97c9d846385c4aca1767186cd4?repository_url=index.docker.io%2Flibrary%2Falpine\u0026arch=amd64",
    "dependsOn": [
      "ff234fde-bf88-42c4-821e-cb0365fef53c"
    ]
  }
],
```
After:
```json
"dependencies": [
  {
    "ref": "pkg:apk/alpine/[email protected]?distro=3.15.1",
    "dependsOn": [
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1"
    ]
  },
  {
    "ref": "pkg:apk/alpine/[email protected]?distro=3.15.1",
    "dependsOn": [
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1"
    ]
  },
  {
    "ref": "pkg:apk/alpine/ca-certificates-bundle@20211220-r0?distro=3.15.1"
  },
  {
    "ref": "pkg:apk/alpine/[email protected]?distro=3.15.1",
    "dependsOn": [
      "pkg:apk/alpine/[email protected]?distro=3.15.1"
    ]
  },
  {
    "ref": "pkg:apk/alpine/[email protected]?distro=3.15.1",
    "dependsOn": [
      "pkg:apk/alpine/ca-certificates-bundle@20211220-r0?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1"
    ]
  },
  {
    "ref": "pkg:apk/alpine/[email protected]?distro=3.15.1"
  },
  {
    "ref": "pkg:apk/alpine/[email protected]?distro=3.15.1"
  },
  {
    "ref": "pkg:apk/alpine/[email protected]?distro=3.15.1",
    "dependsOn": [
      "pkg:apk/alpine/[email protected]?distro=3.15.1"
    ]
  },
  {
    "ref": "pkg:apk/alpine/[email protected]?distro=3.15.1",
    "dependsOn": [
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1"
    ]
  },
  {
    "ref": "pkg:apk/alpine/[email protected]?distro=3.15.1",
    "dependsOn": [
      "pkg:apk/alpine/[email protected]?distro=3.15.1"
    ]
  },
  {
    "ref": "pkg:apk/alpine/[email protected]?distro=3.15.1",
    "dependsOn": [
      "pkg:apk/alpine/ca-certificates-bundle@20211220-r0?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1"
    ]
  },
  {
    "ref": "pkg:apk/alpine/[email protected]?distro=3.15.1",
    "dependsOn": [
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1"
    ]
  },
  {
    "ref": "pkg:apk/alpine/[email protected]?distro=3.15.1",
    "dependsOn": [
      "pkg:apk/alpine/[email protected]?distro=3.15.1"
    ]
  },
  {
    "ref": "pkg:apk/alpine/[email protected]?distro=3.15.1",
    "dependsOn": [
      "pkg:apk/alpine/[email protected]?distro=3.15.1"
    ]
  },
  {
    "ref": "c57e968f-cfbb-4c2f-90c4-57bc2f72781f",
    "dependsOn": [
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1",
      "pkg:apk/alpine/[email protected]?distro=3.15.1"
    ]
  },
  {
    "ref": "pkg:oci/alpine@sha256:d6d0a0eb4d40ef96f2310ead734848b9c819bb97c9d846385c4aca1767186cd4?repository_url=index.docker.io%2Flibrary%2Falpine\u0026arch=amd64",
    "dependsOn": [
      "c57e968f-cfbb-4c2f-90c4-57bc2f72781f"
    ]
  }
],
```
The dependency graph should equal the following dependency tree:
```
$ trivy i --dependency-tree alpine:3.15.1
...
Dependency Origin Tree (Reversed)
=================================
alpine:3.15.1 (alpine 3.15.1)
├── [email protected], (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
│ └── [email protected]
├── [email protected], (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
│ ├── [email protected]
│ ├── [email protected]
│ │ └── [email protected]
│ └── [email protected]
├── [email protected], (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
│ └── [email protected]
├── [email protected], (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
│ ├── [email protected]
│ └── [email protected]
│ └── [email protected]
├── [email protected], (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
└── [email protected], (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)
└── [email protected]
```
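As an added example (not Trivy's code and not part of this PR), the Python script below consumes a CycloneDX BOM shaped like the "After" output: it checks that every ref in the `dependencies` graph resolves to a declared component, does the reverse lookup a vulnerability triage needs (which components pull a given package in), and renders the forward graph in the style of `--dependency-tree`, refusing to loop on a malformed cyclic graph. The package names, versions, image digest and OS bom-ref UUID are all constructed for the example.

```python
import json
# Constructed CycloneDX fragment shaped like Trivy's "After" output above: image ->
# OS component (bom-ref UUID) -> top-level packages -> their dependencies. Package
# names, versions and the UUID are invented for this example, not the page's values.
OS_REF = "2b1c0d8e-1111-4222-8333-444455556666"
IMAGE_REF = "pkg:oci/alpine@sha256:0000?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64"

def purl(name, ver):
    return f"pkg:apk/alpine/{name}@{ver}?distro=3.15.1"

PKGS = [("app", "2.0-r1"), ("tool", "1.4-r0"), ("liba", "1.0-r0"), ("libb", "3.2-r2"), ("libc", "1.2-r7")]
SAMPLE_BOM = json.dumps({
    "metadata": {"component": {"bom-ref": IMAGE_REF, "name": "alpine:3.15.1"}},
    "components": [{"bom-ref": OS_REF, "name": "alpine", "type": "operating-system"}]
                  + [{"bom-ref": purl(n, v), "name": n, "version": v} for n, v in PKGS],
    "dependencies": [
        {"ref": IMAGE_REF, "dependsOn": [OS_REF]},
        {"ref": OS_REF, "dependsOn": [purl("app", "2.0-r1"), purl("tool", "1.4-r0")]},
        {"ref": purl("app", "2.0-r1"), "dependsOn": [purl("liba", "1.0-r0"), purl("libb", "3.2-r2")]},
        {"ref": purl("tool", "1.4-r0"), "dependsOn": [purl("liba", "1.0-r0")]},
        {"ref": purl("liba", "1.0-r0"), "dependsOn": [purl("libc", "1.2-r7")]},
        {"ref": purl("libb", "3.2-r2")},  # leaves omit dependsOn, as in the "After" output
        {"ref": purl("libc", "1.2-r7")},
    ],
})

def load_graph(bom_json):
    """Return (root ref, {ref: [dependsOn]}, dangling refs); reject a graph with dangling refs."""
    bom = json.loads(bom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    declared = {c["bom-ref"] for c in bom["components"]} | {root}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom["dependencies"]}
    used = set(graph) | {r for refs in graph.values() for r in refs}
    return root, graph, sorted(used - declared)

def dependents(graph, ref):
    """Reverse lookup: which refs pull `ref` in (the origin of a vulnerable package)."""
    return sorted(parent for parent, children in graph.items() if ref in children)

def render_tree(graph, ref, prefix="", path=()):
    """Walk the forward graph below `ref` in the box-drawing style of --dependency-tree."""
    lines, children, path = [], graph.get(ref, []), path + (ref,)
    for i, child in enumerate(children):
        last = i == len(children) - 1
        label = child.split("/")[-1].split("?")[0]  # "name@version" for a purl, else the raw ref
        if child in path:  # malformed, cyclic graph: report it instead of recursing forever
            lines.append(prefix + ("└── " if last else "├── ") + label + " (cycle)")
            continue
        lines.append(prefix + ("└── " if last else "├── ") + label)
        lines.extend(render_tree(graph, child, prefix + ("    " if last else "│   "), path))
    return lines
```

Running `render_tree(*load_graph(SAMPLE_BOM)[:2])` prints the same shape as Trivy's tree, with the OS bom-ref UUID as the single child of the image.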
References
- https://cyclonedx.org/use-cases/#dependency-graph
Related issues
- Closes part of #2451
- Should close #3341
Checklist
- [x] I've read the guidelines for contributing to this repository.
- [x] I've followed the conventions in the PR title.
- [ ] I've added tests that prove my fix is effective or that my feature works.
- [ ] I've updated the documentation with the relevant information (if needed).
- [ ] I've added usage information (if the PR introduces new options)
- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).