fix: Specify types of dependencies to analyze

afsmeira · afsmeira · commit ed7ab54b3600 · 2024-08-29T13:44:07.000+01:00
It's only necessary to specifiy these types when running the scanners directly, as we do. When running Trivy via the command line it's not necessary. See aquasecurity/trivy#7237
diff --git a/internal/tool/tool.go b/internal/tool/tool.go
@@ -11,8 +11,10 @@ import (
 	"strings"
 
 	"github.com/aquasecurity/trivy/pkg/fanal/secret"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/flag"
 	"github.com/aquasecurity/trivy/pkg/log"
+	ptypes "github.com/aquasecurity/trivy/pkg/types"
 	types "github.com/aquasecurity/trivy/pkg/types"
 	codacy "github.com/codacy/codacy-engine-golang-seed/v6"
 	"github.com/samber/lo"
@@ -97,7 +99,9 @@ func (t codacyTrivy) runVulnerabilityScanning(ctx context.Context, toolExecution
 		},
 		PackageOptions: flag.PackageOptions{
 			// Only scan libraries not OS packages.
-			PkgTypes: []string{types.PkgTypeLibrary},
+			PkgTypes: []string{ptypes.PkgTypeLibrary},
+			// Scan libraries with all possible relationships (direct, indirect, etc).
+			PkgRelationships: ftypes.Relationships,
 		},
 		ReportOptions: flag.ReportOptions{
 			// Listing all packages will allow to obtain the line number of a vulnerability.
@@ -106,7 +110,7 @@ func (t codacyTrivy) runVulnerabilityScanning(ctx context.Context, toolExecution
 		ScanOptions: flag.ScanOptions{
 			// Do not try to connect to the internet to download vulnerability DBs, for example.
 			OfflineScan: true,
-			Scanners:    types.Scanners{types.VulnerabilityScanner},
+			Scanners:    ptypes.Scanners{ptypes.VulnerabilityScanner},
 			// Instead of scanning files individually, scan the whole source directory since it's faster.
 			// Then filter issues from files that were not supposed to be analysed.
 			Target: toolExecution.SourceDir,
diff --git a/internal/tool/tool_test.go b/internal/tool/tool_test.go
@@ -10,7 +10,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/commands/artifact"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/flag"
-	"github.com/aquasecurity/trivy/pkg/types"
+	ptypes "github.com/aquasecurity/trivy/pkg/types"
 	codacy "github.com/codacy/codacy-engine-golang-seed/v6"
 	"github.com/stretchr/testify/assert"
 	"go.uber.org/mock/gomock"
@@ -61,20 +61,21 @@ func TestRun(t *testing.T) {
 			SkipJavaDBUpdate: true,
 		},
 		PackageOptions: flag.PackageOptions{
-			PkgTypes: []string{types.PkgTypeLibrary},
+			PkgTypes:         []string{ptypes.PkgTypeLibrary},
+			PkgRelationships: ftypes.Relationships,
 		},
 		ReportOptions: flag.ReportOptions{
 			ListAllPkgs: true,
 		},
 		ScanOptions: flag.ScanOptions{
 			OfflineScan: true,
-			Scanners:    types.Scanners{types.VulnerabilityScanner},
+			Scanners:    ptypes.Scanners{ptypes.VulnerabilityScanner},
 			Target:      sourceDir,
 		},
 	}
 
-	report := types.Report{
-		Results: types.Results{
+	report := ptypes.Report{
+		Results: ptypes.Results{
 			{
 				Target: file1,
 				Packages: ftypes.Packages{
@@ -90,7 +91,7 @@ func TestRun(t *testing.T) {
 						ID: packageID2,
 					},
 				},
-				Vulnerabilities: []types.DetectedVulnerability{
+				Vulnerabilities: []ptypes.DetectedVulnerability{
 					{
 						PkgID:           packageID1,
 						VulnerabilityID: "vuln id",
@@ -119,13 +120,13 @@ func TestRun(t *testing.T) {
 			},
 			{
 				Target: file2,
-				Secrets: []types.DetectedSecret{
+				Secrets: []ptypes.DetectedSecret{
 					{
 						StartLine: 2,
 						Title:     "secret title",
 					},
 				},
-				Vulnerabilities: []types.DetectedVulnerability{
+				Vulnerabilities: []ptypes.DetectedVulnerability{
 					{
 						PkgID:           "packageID10",
 						VulnerabilityID: "no line",
@@ -138,7 +139,7 @@ func TestRun(t *testing.T) {
 			},
 			{
 				Target: "file-3",
-				Secrets: []types.DetectedSecret{
+				Secrets: []ptypes.DetectedSecret{
 					{
 						StartLine: 10,
 						Title:     "unkown file",
@@ -294,14 +295,15 @@ func TestRunScanFilesystemError(t *testing.T) {
 			SkipJavaDBUpdate: true,
 		},
 		PackageOptions: flag.PackageOptions{
-			PkgTypes: []string{types.PkgTypeLibrary},
+			PkgTypes:         []string{ptypes.PkgTypeLibrary},
+			PkgRelationships: ftypes.Relationships,
 		},
 		ReportOptions: flag.ReportOptions{
 			ListAllPkgs: true,
 		},
 		ScanOptions: flag.ScanOptions{
 			OfflineScan: true,
-			Scanners:    types.Scanners{types.VulnerabilityScanner},
+			Scanners:    ptypes.Scanners{ptypes.VulnerabilityScanner},
 			Target:      sourceDir,
 		},
 	}
@@ -315,7 +317,7 @@ func TestRunScanFilesystemError(t *testing.T) {
 	mockRunner.EXPECT().ScanFilesystem(
 		gomock.Eq(ctx),
 		gomock.Eq(config),
-	).Return(types.Report{}, assert.AnError).Times(1)
+	).Return(ptypes.Report{}, assert.AnError).Times(1)
 	mockRunner.EXPECT().Close(
 		gomock.Eq(ctx),
 	).Return(nil).Times(1)
