admin/aquasecurity-trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2026-02-03 23:33:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

Deployed b5e3b77f0 to dev with MkDocs 1.3.0 and mike 1.1.2

Browse Source
This commit is contained in:
knqyf263
2023-12-13 09:58:24 +00:00
parent 0be4c9cbc9
commit 31f5d75f40
7 changed files with 172 additions and 150 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
dev/docs/coverage/language/python/index.html
View File

@@ -3804,6 +3804,28 @@ See <a href="../">here</a> for the detail.</p>
<h2 id="package-managers">Package managers</h2>
<p>Trivy parses your files generated by package managers in filesystem/repository scanning.</p>
<h3 id="pip">pip</h3>
<p>Trivy only parses <a href="https://packaging.python.org/en/latest/specifications/version-specifiers/#id4">version specifiers</a> with <code>==</code> comparison operator and without <code>.*</code>.
To convert unsupported version specifiers - use the <code>pip freeze</code> command.</p>
<div class="highlight"><pre><span></span><code>$ cat requirements.txt
boto3~<span class="o">=</span><span class="m">1</span>.24.60
click&gt;<span class="o">=</span><span class="m">8</span>.0
json-fix<span class="o">==</span><span class="m">0</span>.5.*
$ pip install -r requirements.txt
...
$ pip freeze &gt; requirements.txt
$ cat requirements.txt
<span class="nv">boto3</span><span class="o">==</span><span class="m">1</span>.24.96
<span class="nv">botocore</span><span class="o">==</span><span class="m">1</span>.27.96
<span class="nv">click</span><span class="o">==</span><span class="m">8</span>.1.7
<span class="nv">jmespath</span><span class="o">==</span><span class="m">1</span>.0.1
json-fix<span class="o">==</span><span class="m">0</span>.5.2
python-dateutil<span class="o">==</span><span class="m">2</span>.8.2
<span class="nv">s3transfer</span><span class="o">==</span><span class="m">0</span>.6.2
<span class="nv">setuptools</span><span class="o">==</span><span class="m">69</span>.0.2
<span class="nv">six</span><span class="o">==</span><span class="m">1</span>.16.0
<span class="nv">urllib3</span><span class="o">==</span><span class="m">1</span>.26.18
<span class="nv">wheel</span><span class="o">==</span><span class="m">0</span>.42.0
</code></pre></div>
<p><code>requirements.txt</code> files usually contain only the direct dependencies and not contain the transitive dependencies.
Therefore, Trivy scans only for the direct dependencies with <code>requirements.txt</code>.</p>
<p>To detect transitive dependencies as well, you need to generate <code>requirements.txt</code> with <code>pip freeze</code>.</p>