feat(vuln): add `--relationship` flag to filter vulnerabilities by package relationship
knqyf263 opened this issue · comments
Description
We have received some requests from the community to provide a way to view vulnerabilities only for directly dependent packages. Instead of adding a flag like `--ignore-indirect`, it would be more flexible to introduce a `--relationship` flag that allows filtering vulnerabilities based on the package's relationship.

The `--relationship` flag would accept comma-separated values, such as `--relationship root,direct`, to specify the desired relationships. This approach leverages the recently added relationship field, which expresses the relationship of a package within the project. In the future, this field may be expanded to accommodate Modules, Workspaces, and other concepts, and the `--relationship` flag will be able to handle those cases as well.

Furthermore, this flag would also allow users to view vulnerabilities only for transitive dependencies by specifying `--relationship indirect`, providing additional flexibility in filtering the results.
Considerations
It may be difficult to allow the `--dependency-tree` flag to be used simultaneously with the `--relationship` flag. When `--relationship indirect` is specified, the complete dependency graph cannot be built. Therefore, it would be better to prevent these flags from being specified together.

Similarly, the implementation of `--relationship` for SBOM might be challenging for the same reason as `--dependency-tree`. In the case of SBOM, it may be necessary to either disable the `--relationship` flag or remove the dependencies section from the SBOM output.
Discussed in #6876
@DmitriyLewen Any comments?
> `--relationship root,direct`

We definitely need to add information about what relationships are available for files.
e.g. only Go and Rust binaries, pom and gomod files support `root` relationships.

> it may be necessary to either disable the `--relationship` flag or remove the dependencies section from the SBOM output.

I think we need to start by disabling the `--relationship` flag for all SBOM formats (cyclonedx, spdx, github).
For templates we can leave this flag (it will be the same logic as for the `table` format).

Otherwise looks like a very good idea 👍
> We definitely need to add information about what relationships are available for files.
> e.g. only Go and Rust binaries, pom and gomod files support `root` relationships.

Yes, we should document it. In most cases, `-f json` helps to understand relationship types.
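As an added example that is not part of this issue or of Trivy's own code, the filtering the proposed flag would perform can already be done as post-processing over a `-f json` report produced with `--list-all-pkgs`: each vulnerability is joined to the `Packages` list of its result by package ID, and it is kept only when that package's `Relationship` is in the comma-separated set given to the flag. The JSON field names (`Results`, `Packages`, `Vulnerabilities`, `ID`, `PkgID`, `Relationship`) are assumed to match Trivy's report schema and should be checked against the report your version emits. Packages without a `Relationship` field (OS packages, where the report omits it) are treated as `unknown`, and the embedded sample report is constructed with placeholder vulnerability IDs.

```python
import json
import sys
from typing import Any, Optional

# Values the proposal names for the flag plus "workspace" and "unknown";
# the report omits Relationship for packages where it is not tracked
# (e.g. OS packages), which this filter maps to "unknown".
# Assumption: field names below match Trivy's JSON report schema.
KNOWN_RELATIONSHIPS = {"root", "workspace", "direct", "indirect", "unknown"}

# Constructed sample in the shape of `trivy ... -f json --list-all-pkgs`;
# vulnerability IDs are placeholders, not real advisories.
SAMPLE_REPORT: dict[str, Any] = {
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "go.mod", "Class": "lang-pkgs", "Type": "gomod",
            "Packages": [
                {"ID": "github.com/example/app", "Name": "github.com/example/app",
                 "Version": "", "Relationship": "root"},
                {"ID": "github.com/example/web@v1.2.0", "Name": "github.com/example/web",
                 "Version": "v1.2.0", "Relationship": "direct"},
                {"ID": "github.com/example/util@v0.9.1", "Name": "github.com/example/util",
                 "Version": "v0.9.1", "Relationship": "indirect"},
            ],
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgID": "github.com/example/web@v1.2.0",
                 "PkgName": "github.com/example/web", "InstalledVersion": "v1.2.0", "Severity": "HIGH"},
                {"VulnerabilityID": "EXAMPLE-0002", "PkgID": "github.com/example/util@v0.9.1",
                 "PkgName": "github.com/example/util", "InstalledVersion": "v0.9.1", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "alpine (3.19)", "Class": "os-pkgs", "Type": "alpine",
            # OS packages carry no Relationship field in the report.
            "Packages": [{"ID": "libssl3@3.1.4-r0", "Name": "libssl3", "Version": "3.1.4-r0"}],
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0003", "PkgID": "libssl3@3.1.4-r0",
                 "PkgName": "libssl3", "InstalledVersion": "3.1.4-r0", "Severity": "CRITICAL"},
            ],
        },
    ],
}


def parse_relationship_flag(value: str) -> set[str]:
    """Turn a flag value such as 'root,direct' into a set of relationships.

    Unknown names are rejected so a typo fails loudly instead of silently
    filtering every vulnerability out of the report.
    """
    wanted = {v.strip().lower() for v in value.split(",") if v.strip()}
    if not wanted:
        raise ValueError("--relationship needs at least one value")
    unknown = wanted - KNOWN_RELATIONSHIPS
    if unknown:
        raise ValueError(f"unknown relationship(s): {sorted(unknown)}")
    return wanted


def _pkg_key(name: str, version: str, pkg_id: Optional[str]) -> str:
    # Prefer the report's package ID; fall back to name@version when absent.
    return pkg_id or f"{name}@{version}"


def package_relationships(result: dict[str, Any]) -> dict[str, str]:
    """Map package key -> relationship for one scan target (lockfile or OS)."""
    rels: dict[str, str] = {}
    for pkg in result.get("Packages", []):
        key = _pkg_key(pkg.get("Name", ""), pkg.get("Version", ""), pkg.get("ID"))
        rels[key] = pkg.get("Relationship", "unknown")
    return rels


def filter_vulns_by_relationship(report: dict[str, Any], wanted: set[str]) -> list[dict[str, Any]]:
    """Keep only vulnerabilities whose package has one of the wanted relationships.

    A vulnerability whose package is missing from Packages (report made without
    --list-all-pkgs) is classified "unknown" rather than dropped silently.
    """
    filtered: list[dict[str, Any]] = []
    for result in report.get("Results", []):
        rels = package_relationships(result)
        kept = []
        for vuln in result.get("Vulnerabilities", []):
            key = _pkg_key(vuln.get("PkgName", ""), vuln.get("InstalledVersion", ""), vuln.get("PkgID"))
            rel = rels.get(key, "unknown")
            if rel in wanted:
                kept.append({**vuln, "Relationship": rel})  # annotate with the matched relationship
        if kept:
            filtered.append({"Target": result.get("Target"), "Type": result.get("Type"),
                             "Vulnerabilities": kept})
    return filtered


def vulnerability_ids(report: dict[str, Any], flag_value: str) -> list[str]:
    """Sorted IDs of the vulnerabilities kept for a given --relationship value."""
    wanted = parse_relationship_flag(flag_value)
    return sorted(v["VulnerabilityID"]
                  for r in filter_vulns_by_relationship(report, wanted)
                  for v in r["Vulnerabilities"])


if __name__ == "__main__":
    # Usage: python filter_by_relationship.py report.json root,direct
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    flag = sys.argv[2] if len(sys.argv) > 2 else "root,direct"
    print(json.dumps(filter_vulns_by_relationship(report, parse_relationship_flag(flag)), indent=2))
```

Run against a real report with `python filter_by_relationship.py report.json indirect` to see only transitive findings, the case the issue mentions. Note that the output is a reduced vulnerability list, not a dependency tree: once indirect-only packages are selected, the path from a root through its direct dependencies is no longer present, which is the reason the issue gives for not combining the flag with `--dependency-tree`.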