Deployed 9bc326909 to dev with MkDocs 1.3.0 and mike 1.1.2

This commit is contained in:
knqyf263
2023-04-24 18:19:36 +00:00
parent 62a6f431f9
commit d9efe48818
7 changed files with 32 additions and 16 deletions


@@ -3127,9 +3127,25 @@ See <a href="../">here</a> for the detail.</p>
<h2 id="package-managers">Package managers</h2>
<p>Trivy parses your files generated by package managers in filesystem/repository scanning.</p>
<h3 id="pip">pip</h3>
<p><code>requirements.txt</code> files contain only the direct dependencies and not contain the transitive dependencies.
<p><code>requirements.txt</code> files usually contain only the direct dependencies and not contain the transitive dependencies.
Therefore, Trivy scans only for the direct dependencies with <code>requirements.txt</code>.</p>
<p>Also, <code>requirements.txt</code> files don't contain information about dependencies used for development.
<p>To detect transitive dependencies as well, you need to generate <code>requirements.txt</code> with <code>pip freeze</code>.</p>
<div class="highlight"><pre><span></span><code>$ cat requirements.txt <span class="c1"># it will only find `requests@2.28.2`.</span>
<span class="nv">requests</span><span class="o">==</span><span class="m">2</span>.28.2
$ pip install -r requirements.txt
...
$ pip freeze &gt; requirements.txt
$ cat requirements.txt <span class="c1"># it will also find the transitive dependencies of `requests@2.28.2`.</span>
<span class="nv">certifi</span><span class="o">==</span><span class="m">2022</span>.12.7
charset-normalizer<span class="o">==</span><span class="m">3</span>.1.0
<span class="nv">idna</span><span class="o">==</span><span class="m">3</span>.4
<span class="nv">PyJWT</span><span class="o">==</span><span class="m">2</span>.1.0
<span class="nv">requests</span><span class="o">==</span><span class="m">2</span>.28.2
<span class="nv">urllib3</span><span class="o">==</span><span class="m">1</span>.26.15
</code></pre></div>
<p><code>pip freeze</code> also helps to resolve <a href="https://packaging.python.org/en/latest/tutorials/installing-packages/#installing-extras">extras</a>(optional) dependencies (like <code>package[extras]=0.0.0</code>).</p>
<p><code>requirements.txt</code> files don't contain information about dependencies used for development.
Trivy could detect vulnerabilities on the development packages, which not affect your production environment.</p>
<p>License detection is not supported for <code>pip</code>.</p>
<h3 id="pipenv">Pipenv</h3>
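Review bot: two of the new sentences have grammar slips: `usually contain only the direct dependencies and not contain the transitive dependencies` should read `and do not contain the transitive dependencies`, and `which not affect your production environment` should read `which do not affect your production environment`. In the extras sentence there is no space in `extras</a>(optional)`, and the sample pin `package[extras]=0.0.0` uses a single `=` where a requirements pin is `package[extras]==0.0.0`. The `pip freeze` recommendation would also benefit from a caveat: it writes out every package installed in the active environment, so the doc should tell readers to run it in a clean virtual environment containing only the project's dependencies, otherwise the generated `requirements.txt` pins unrelated tooling and Trivy reports findings for packages that are not actually shipped. Minor: the shell comments `# it will only find ...` and `# it will also find ...` have no stated subject; `# Trivy will only find ...` is clearer.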