Teppei Fukuda

Results: 625 comments of Teppei Fukuda

> Our release process is already very expensive

Unlike SBOMs, VEX generation doesn't necessarily need to be integrated into the release process since vulnerability disclosures don't align with release timing. For...

Trivy is not using Docker for image scanning, so `/var/lib/docker/overlay` should not grow. Trivy uses its own cache. Could you try the latest version?

Sure. You need to write a parser first. https://github.com/aquasecurity/trivy/tree/8995838e8d184ee9178d5b52d2d3fa9b4e403015/pkg/fanal/analyzer/language/nodejs

Right. I think it's a good idea to open a PR only with a parser implementation to keep the PR small.

Since we found [mirror.gcr.io](https://github.com/aquasecurity/trivy/issues/7938), we need to discuss it again.

We planned to host the vulnerability database on GitHub Releases or things like that, and this feature was supposed to help since we needed to download it via HTTP. However,...

All features are nice to have. But adding new features more or less increases maintenance costs. And it's hard to drop it once we add it. We should consider whether...

I found that [this test](https://github.com/aquasecurity/trivy/blob/2a21fd8cace586debb43858182697bbf778e21e6/pkg/fanal/analyzer/language/golang/mod/mod_test.go#L287-L340) doesn't respect the `vendor` dir as it is not added to mapfs. It just reads a license file from GOPATH. I'll fix it in another...

> hi, I'm interested in this issue, can I take it? and also is there anything you'd like to see or avoid? thanks!

Sure. I assigned you. Apart from asking...