aquasecurity · knqyf263 · Jul 9, 2024 · Jul 5, 2024 · Jul 5, 2024 · Jul 5, 2024
@@ -63,6 +63,7 @@ trivy filesystem [flags] PATH
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --pkg-types strings                 comma-separated list of package types (os,library) (default [os,library])
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
@@ -89,7 +90,6 @@ trivy filesystem [flags] PATH
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
       --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 
 ### Options inherited from parent commands

@@ -81,6 +81,7 @@ trivy image [flags] IMAGE_NAME
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --pkg-types strings                 comma-separated list of package types (os,library) (default [os,library])
       --platform string                   set platform in the form os/arch if image is multi-platform capable
       --podman-host string                unix podman socket path to use for podman scanning
       --redis-ca string                   redis ca file location, if using redis as cache backend
@@ -109,7 +110,6 @@ trivy image [flags] IMAGE_NAME
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
       --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 
 ### Options inherited from parent commands

@@ -78,6 +78,7 @@ trivy kubernetes [flags] [CONTEXT]
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --pkg-types strings                 comma-separated list of package types (os,library) (default [os,library])
       --qps float                         specify the maximum QPS to the master from this client (default 5)
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
@@ -103,7 +104,6 @@ trivy kubernetes [flags] [CONTEXT]
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
       --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 
 ### Options inherited from parent commands

@@ -63,6 +63,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --pkg-types strings                 comma-separated list of package types (os,library) (default [os,library])
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
@@ -89,7 +90,6 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
       --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 
 ### Options inherited from parent commands

@@ -65,6 +65,7 @@ trivy rootfs [flags] ROOTDIR
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --pkg-types strings                 comma-separated list of package types (os,library) (default [os,library])
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
@@ -90,7 +91,6 @@ trivy rootfs [flags] ROOTDIR
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
       --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 
 ### Options inherited from parent commands

@@ -43,6 +43,7 @@ trivy sbom [flags] SBOM_PATH
       --offline-scan                do not issue API requests to identify dependencies
   -o, --output string               output file name
       --output-plugin-arg string    [EXPERIMENTAL] output plugin arguments
+      --pkg-types strings           comma-separated list of package types (os,library) (default [os,library])
       --redis-ca string             redis ca file location, if using redis as cache backend
       --redis-cert string           redis certificate file location, if using redis as cache backend
       --redis-key string            redis key file location, if using redis as cache backend
@@ -61,7 +62,6 @@ trivy sbom [flags] SBOM_PATH
       --token string                for authentication in client/server mode
       --token-header string         specify a header name for token in client/server mode (default "Trivy-Token")
       --vex string                  [EXPERIMENTAL] file path to VEX
-      --vuln-type strings           comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 
 ### Options inherited from parent commands

@@ -56,6 +56,7 @@ trivy vm [flags] VM_IMAGE
   -o, --output string                     output file name
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
+      --pkg-types strings                 comma-separated list of package types (os,library) (default [os,library])
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
@@ -76,7 +77,6 @@ trivy vm [flags] VM_IMAGE
       --token string                      for authentication in client/server mode
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
       --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 
 ### Options inherited from parent commands

@@ -81,6 +81,13 @@ severity:
   - MEDIUM
   - HIGH
   - CRITICAL
+
+# Same as '--pkg-types'
+# Default is 'os,library'
+pkg-types:
+  - os
+  - library
+
 
 scan:
   # Same as '--compliance'
@@ -261,12 +268,6 @@ Available with vulnerability scanning
 
 ```yaml
 vulnerability:
-  # Same as '--vuln-type'
-  # Default is 'os,library'
-  type:
-    - os
-    - library
-
   # Same as '--ignore-unfixed'
   # Default is false
   ignore-unfixed: false

@@ -204,7 +204,7 @@ Other common options are documented [here](../configuration/index.md).
 
 ### Enabling a subset of package types
 It's possible to only enable certain package types if you prefer.
-You can do so by passing the `--vuln-type` option.
+You can do so by passing the `--pkg-types` option.
 This flag takes a comma-separated list of package types.
 
 Available values:
@@ -215,7 +215,7 @@ Available values:
     - Scan language-specific packages (e.g. packages installed by `pip`, `npm`, or `gem`).
 
 ```bash
-$ trivy image --vuln-type os ruby:2.4.0
+$ trivy image --pkg-types os ruby:2.4.0
 ```
 
 

@@ -512,6 +512,8 @@ func NewConvertCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		ScanFlagGroup:   &flag.ScanFlagGroup{},
 		ReportFlagGroup: flag.NewReportFlagGroup(),
 	}
+	convertFlags.ReportFlagGroup.PkgTypes = nil // disable '--pkg-types'
+
 	cmd := &cobra.Command{
 		Use:     "convert [flags] RESULT_JSON",
 		Aliases: []string{"conv"},
@@ -679,6 +681,7 @@ func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	configFlags.ReportFlagGroup.ListAllPkgs = nil                                                        // disable '--list-all-pkgs'
 	configFlags.ReportFlagGroup.ExitOnEOL = nil                                                          // disable '--exit-on-eol'
 	configFlags.ReportFlagGroup.ShowSuppressed = nil                                                     // disable '--show-suppressed'
+	configFlags.ReportFlagGroup.PkgTypes = nil                                                           // disable '--pkg-types'
 	configFlags.ReportFlagGroup.ReportFormat.Usage = "specify a compliance report format for the output" // @TODO: support --report summary for non compliance reports
 	configFlags.CacheFlagGroup.CacheBackend.Default = string(cache.TypeMemory)
 

@@ -201,7 +201,7 @@ func (r *runner) scanFS(ctx context.Context, opts flag.Options) (types.Report, e
 
 func (r *runner) ScanRepository(ctx context.Context, opts flag.Options) (types.Report, error) {
 	// Do not scan OS packages
-	opts.VulnType = []string{types.VulnTypeLibrary}
+	opts.PkgTypes = []string{types.PkgTypeLibrary}
 
 	// Disable the OS analyzers, individual package analyzers and SBOM analyzer
 	opts.DisabledAnalyzers = append(analyzer.TypeIndividualPkgs, analyzer.TypeOSes...)
@@ -405,7 +405,7 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
 	}
 
 	// Do not analyze programming language packages when not running in 'library'
-	if !slices.Contains(opts.VulnType, types.VulnTypeLibrary) {
+	if !slices.Contains(opts.PkgTypes, types.PkgTypeLibrary) {
 		analyzers = append(analyzers, analyzer.TypeLanguages...)
 	}
 
@@ -473,7 +473,7 @@ func (r *runner) initScannerConfig(opts flag.Options) (ScannerConfig, types.Scan
 	}
 
 	scanOptions := types.ScanOptions{
-		VulnType:            opts.VulnType,
+		PkgTypes:            opts.PkgTypes,
 		Scanners:            opts.Scanners,
 		ImageConfigScanners: opts.ImageConfigScanners, // this is valid only for 'image' subcommand
 		ScanRemovedPackages: opts.ScanRemovedPkgs,     // this is valid only for 'image' subcommand
@@ -488,7 +488,7 @@ func (r *runner) initScannerConfig(opts flag.Options) (ScannerConfig, types.Scan
 
 	if opts.Scanners.Enabled(types.VulnerabilityScanner) {
 		log.Info("Vulnerability scanning is enabled")
-		log.Debug("Vulnerability type", log.Any("type", scanOptions.VulnType))
+		log.Debug("Package types", log.Any("types", scanOptions.PkgTypes))
 	}
 
 	// ScannerOption is filled only when config scanning is enabled.

@@ -106,6 +106,20 @@ var (
 		ConfigName: "scan.show-suppressed",
 		Usage:      "[EXPERIMENTAL] show suppressed vulnerabilities",
 	}
+	PkgTypesFlag = Flag[[]string]{
+		Name:       "pkg-types",
+		ConfigName: "pkg-types",
+		Default:    types.PkgTypes,
+		Values:     types.PkgTypes,
+		Usage:      "comma-separated list of package types",
+		Aliases: []Alias{
+			{
+				Name:       "vuln-type",
+				ConfigName: "vulnerability.type",
+				Deprecated: true, // --vuln-type was renamed to --pkg-types
+			},
+		},
+	}
 )
 
 // ReportFlagGroup composes common printer flag structs
@@ -125,6 +139,7 @@ type ReportFlagGroup struct {
 	Severity        *Flag[[]string]
 	Compliance      *Flag[string]
 	ShowSuppressed  *Flag[bool]
+	PkgTypes        *Flag[[]string]
 }
 
 type ReportOptions struct {
@@ -142,6 +157,7 @@ type ReportOptions struct {
 	Severities       []dbTypes.Severity
 	Compliance       spec.ComplianceSpec
 	ShowSuppressed   bool
+	PkgTypes         []string
 }
 
 func NewReportFlagGroup() *ReportFlagGroup {
@@ -160,6 +176,7 @@ func NewReportFlagGroup() *ReportFlagGroup {
 		Severity:        SeverityFlag.Clone(),
 		Compliance:      ComplianceFlag.Clone(),
 		ShowSuppressed:  ShowSuppressedFlag.Clone(),
+		PkgTypes:        PkgTypesFlag.Clone(),
 	}
 }
 
@@ -183,6 +200,7 @@ func (f *ReportFlagGroup) Flags() []Flagger {
 		f.Severity,
 		f.Compliance,
 		f.ShowSuppressed,
+		f.PkgTypes,
 	}
 }
 
@@ -252,6 +270,7 @@ func (f *ReportFlagGroup) ToOptions() (ReportOptions, error) {
 		Severities:       toSeverity(f.Severity.Value()),
 		Compliance:       cs,
 		ShowSuppressed:   f.ShowSuppressed.Value(),
+		PkgTypes:         f.PkgTypes.Value(),
 	}, nil
 }
 

@@ -31,6 +31,7 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 		severities       string
 		compliance       string
 		debug            bool
+		pkgTypes         string
 	}
 	tests := []struct {
 		name     string
@@ -159,6 +160,28 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 				Severities: []dbTypes.Severity{dbTypes.SeverityLow},
 			},
 		},
+		{
+			name: "happy path for OS packages",
+			fields: fields{
+				pkgTypes: "os",
+			},
+			want: flag.ReportOptions{
+				PkgTypes: []string{
+					types.PkgTypeOS,
+				},
+			},
+		},
+		{
+			name: "happy path for library packages",
+			fields: fields{
+				pkgTypes: "library",
+			},
+			want: flag.ReportOptions{
+				PkgTypes: []string{
+					types.PkgTypeLibrary,
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -183,6 +206,7 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 			setValue(flag.OutputPluginArgFlag.ConfigName, tt.fields.outputPluginArgs)
 			setValue(flag.SeverityFlag.ConfigName, tt.fields.severities)
 			setValue(flag.ComplianceFlag.ConfigName, tt.fields.compliance)
+			setValue(flag.PkgTypesFlag.ConfigName, tt.fields.pkgTypes)
 
 			// Assert options
 			f := &flag.ReportFlagGroup{
@@ -198,6 +222,7 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 				OutputPluginArg: flag.OutputPluginArgFlag.Clone(),
 				Severity:        flag.SeverityFlag.Clone(),
 				Compliance:      flag.ComplianceFlag.Clone(),
+				PkgTypes:        flag.PkgTypesFlag.Clone(),
 			}
 
 			got, err := f.ToOptions()

@@ -5,23 +5,9 @@ import (
 
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/log"
-	"github.com/aquasecurity/trivy/pkg/types"
 )
 
 var (
-	VulnTypeFlag = Flag[[]string]{
-		Name:       "vuln-type",
-		ConfigName: "vulnerability.type",
-		Default: []string{
-			types.VulnTypeOS,
-			types.VulnTypeLibrary,
-		},
-		Values: []string{
-			types.VulnTypeOS,
-			types.VulnTypeLibrary,
-		},
-		Usage: "comma-separated list of vulnerability types",
-	}
 	IgnoreUnfixedFlag = Flag[bool]{
 		Name:       "ignore-unfixed",
 		ConfigName: "vulnerability.ignore-unfixed",
@@ -42,21 +28,18 @@ var (
 )
 
 type VulnerabilityFlagGroup struct {
-	VulnType      *Flag[[]string]
 	IgnoreUnfixed *Flag[bool]
 	IgnoreStatus  *Flag[[]string]
 	VEXPath       *Flag[string]
 }
 
 type VulnerabilityOptions struct {
-	VulnType       []string
 	IgnoreStatuses []dbTypes.Status
 	VEXPath        string
 }
 
 func NewVulnerabilityFlagGroup() *VulnerabilityFlagGroup {
 	return &VulnerabilityFlagGroup{
-		VulnType:      VulnTypeFlag.Clone(),
 		IgnoreUnfixed: IgnoreUnfixedFlag.Clone(),
 		IgnoreStatus:  IgnoreStatusFlag.Clone(),
 		VEXPath:       VEXFlag.Clone(),
@@ -69,7 +52,6 @@ func (f *VulnerabilityFlagGroup) Name() string {
 
 func (f *VulnerabilityFlagGroup) Flags() []Flagger {
 	return []Flagger{
-		f.VulnType,
 		f.IgnoreUnfixed,
 		f.IgnoreStatus,
 		f.VEXPath,
@@ -105,7 +87,6 @@ func (f *VulnerabilityFlagGroup) ToOptions() (VulnerabilityOptions, error) {
 	log.Debug("Ignore statuses", log.Any("statuses", ignoreStatuses))
 
 	return VulnerabilityOptions{
-		VulnType:       f.VulnType.Value(),
 		IgnoreStatuses: ignoreStatuses,
 		VEXPath:        f.VEXPath.Value(),
 	}, nil