aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Home Page:https://aquasecurity.github.io/trivy


feat(vuln): add `--relationship` flag to filter vulnerabilities by package relationship

knqyf263 opened this issue · comments

Description

We have received some requests from the community to provide a way to view vulnerabilities only for directly dependent packages. Instead of adding a flag like --ignore-indirect, it would be more flexible to introduce a --relationship flag that allows filtering vulnerabilities based on the package's relationship.

The --relationship flag would accept comma-separated values, such as --relationship root,direct, to specify the desired relationships. This approach leverages the recently added relationship field, which expresses the relationship of a package within the project. In the future, this field may be expanded to accommodate Modules, Workspaces, and other concepts, and the --relationship flag will be able to handle those cases as well.

Furthermore, this flag would also allow users to view vulnerabilities only for transitive dependencies by specifying --relationship indirect, providing additional flexibility in filtering the results.

Considerations

It may be difficult to allow the --dependency-tree flag to be used simultaneously with the --relationship flag. When --relationship indirect is specified, it's not possible to build the complete graph. Therefore, it would be better to prevent these flags from being specified together.

Similarly, the implementation of --relationship for SBOM might be challenging for the same reason as --dependency-tree. In the case of SBOM, it may be necessary to either disable the --relationship flag or remove the dependencies section from the SBOM output.

Discussed in #6876

@DmitriyLewen Any comments?

--relationship root,direct

We definitely need to add information about what relationships are available for files.
e.g. only Go and Rust binaries, pom and gomod files support root relationships.

it may be necessary to either disable the --relationship flag or remove the dependencies section from the SBOM output.

I think we need to start by disabling the relationship flag for all SBOM formats (cyclonedx, spdx, github).
For templates we can leave this flag (it will be the same logic as for the table format).

Otherwise looks like a very good idea 👍

We definitely need to add information about what relationships are available for files.
e.g. only Go and Rust binaries, pom and gomod files support root relationships.

Yes, we should document it. In most cases, -f json helps to understand relationship types.
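As an added illustration of the filtering semantics proposed in this issue and of the `-f json` remark above (this is not Trivy's code and not the implementation behind the flag): a small Go post-processor that applies a `--relationship` value to a report shaped like `trivy -f json` output. The field names `Results`, `Packages`, `ID`, `Relationship`, `Vulnerabilities`, `VulnerabilityID` and `PkgID` are assumed from that JSON format, the report is constructed, and the vulnerability IDs are placeholders rather than real advisories.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of Trivy's -f json report; field names are assumed from that output.
type Report struct {
	Results []Result `json:"Results"`
}

type Result struct {
	Packages        []Package       `json:"Packages"`
	Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
}

// Relationship is "root", "direct" or "indirect"; empty when the scanner
// could not determine it (assumed: the field is omitted in that case).
type Package struct {
	ID           string `json:"ID"`
	Relationship string `json:"Relationship"`
}

type Vulnerability struct {
	VulnerabilityID string `json:"VulnerabilityID"`
	PkgID           string `json:"PkgID"`
}

// ParseRelationships turns "root,direct" into a set and rejects values the
// proposal does not define, so a typo cannot silently hide every finding.
func ParseRelationships(flag string) (map[string]bool, error) {
	allowed := map[string]bool{"root": true, "direct": true, "indirect": true}
	set := map[string]bool{}
	for _, r := range strings.Split(flag, ",") {
		r = strings.TrimSpace(strings.ToLower(r))
		if r == "" {
			continue
		}
		if !allowed[r] {
			return nil, fmt.Errorf("unknown relationship %q (want root, direct or indirect)", r)
		}
		set[r] = true
	}
	return set, nil
}

// FilterByRelationship keeps vulnerabilities whose package has a selected
// relationship. A package with no recorded relationship never matches.
func FilterByRelationship(rep Report, keep map[string]bool) Report {
	var out Report
	for _, res := range rep.Results {
		relByID := make(map[string]string, len(res.Packages))
		for _, p := range res.Packages {
			relByID[p.ID] = p.Relationship
		}
		filtered := res
		filtered.Vulnerabilities = nil
		for _, v := range res.Vulnerabilities {
			if keep[relByID[v.PkgID]] {
				filtered.Vulnerabilities = append(filtered.Vulnerabilities, v)
			}
		}
		out.Results = append(out.Results, filtered)
	}
	return out
}

// sampleReport is constructed: a root package, a direct dependency with one
// finding and an indirect dependency with two. IDs are placeholders.
const sampleReport = `{"Results": [{
  "Packages": [{"ID": "app@1.0.0", "Relationship": "root"},
               {"ID": "liba@2.0.0", "Relationship": "direct"},
               {"ID": "libb@0.9.0", "Relationship": "indirect"}],
  "Vulnerabilities": [{"VulnerabilityID": "EXAMPLE-0001", "PkgID": "liba@2.0.0"},
                      {"VulnerabilityID": "EXAMPLE-0002", "PkgID": "libb@0.9.0"},
                      {"VulnerabilityID": "EXAMPLE-0003", "PkgID": "libb@0.9.0"}]}]}`

// FilterSample applies a --relationship value to the constructed report and
// returns the IDs of the vulnerabilities that remain.
func FilterSample(flag string) ([]string, error) {
	keep, err := ParseRelationships(flag)
	if err != nil {
		return nil, err
	}
	var rep Report
	if err := json.Unmarshal([]byte(sampleReport), &rep); err != nil {
		return nil, err
	}
	var ids []string
	for _, res := range FilterByRelationship(rep, keep).Results {
		for _, v := range res.Vulnerabilities {
			ids = append(ids, v.VulnerabilityID)
		}
	}
	return ids, nil
}

func main() {
	ids, err := FilterSample("root,direct")
	fmt.Println(ids, err) // [EXAMPLE-0001] <nil>
}
```

The filter is applied per vulnerability by looking up its package's relationship, rather than by pruning the package list, because the description notes that with `--relationship indirect` the full dependency graph cannot be rebuilt from what remains. Packages with no recorded relationship never match any value, which is why the documentation DmitriyLewen asks for matters: for a file type that does not record `root`, `--relationship root` legitimately returns nothing.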