Replies: 2 comments 1 reply
-
Hello @menzbua, we detect all dependencies first and don't include dev dependencies in the report without only
-
Created #7476 for this task
-
Description
Hi,
Since Trivy version 0.55.0 we potentially see an issue with the new "--include-dev-deps" feature: the test deps are not ignored for child test deps. Here is a simple pom.xml file to illustrate the problem:
When you run
trivy filesystem --debug --scanners vuln,misconfig --exit-code 0 pom.xml
with version 0.55.0 you see an error that a repository cannot be found:
There are so many additional dependencies that would be downloaded with 0.55.0
When you run the same command with Trivy 0.54.1, there is no error, the dependency is not downloaded, and there are just a few deps:
Our project runs into a timeout because so many test dependencies would be downloaded that are not needed, since they are child deps.
Desired Behavior
No more deps than needed should be downloaded:
Actual Behavior
Reproduction Steps
Target: Filesystem
Scanner: Vulnerability
Output Format: Table
Mode: Standalone
Debug Output
Operating System: Ubuntu 22.04
Version
Checklist: trivy clean --all
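As an added example (not from this report and not Trivy's own code): a small Python script that builds a sample pom.xml inline, classifies each declared dependency by Maven scope (a missing <scope> means compile, per Maven's defaults), and produces a trimmed copy without the test- and provided-scoped entries. Treating those scopes as the "dev dependencies" a scan can skip is this example's assumption; the coordinates in the sample are constructed, since the reporter's pom.xml is not on the page.

```python
"""Classify the dependencies declared in a pom.xml by Maven scope.

Added example, not Trivy's code. The sample POM below is constructed for
illustration. Scope handling follows Maven's documented default: a
<dependency> without <scope> is compile-scoped.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Scopes whose artifacts are packaged into the shipped build. Assumption for
# this example: everything else (test, provided, system) counts as dev-only.
SHIPPED_SCOPES = {"compile", "runtime"}

# Constructed sample; the reporter's pom.xml is not available on the page.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
    <dependency>
      <groupId>org.junit.jupiter</groupId>
      <artifactId>junit-jupiter</artifactId>
      <version>5.10.0</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>javax.servlet-api</artifactId>
      <version>4.0.1</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>
"""


def _child_text(elem, tag):
    """Return the stripped text of a direct child <tag>, or None if absent."""
    child = elem.find(f"m:{tag}", NS)
    if child is None or child.text is None:
        return None
    return child.text.strip()


def parse_dependencies(pom_xml):
    """Return [{'coordinate': 'g:a:v', 'scope': str}, ...] for each <dependency>."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall("./m:dependencies/m:dependency", NS):
        coordinate = ":".join(
            _child_text(dep, tag) or "" for tag in ("groupId", "artifactId", "version")
        )
        deps.append({
            "coordinate": coordinate,
            "scope": _child_text(dep, "scope") or "compile",  # Maven default
        })
    return deps


def split_by_scope(deps):
    """Split parsed dependencies into (shipped, dev_only) coordinate lists."""
    shipped = [d["coordinate"] for d in deps if d["scope"] in SHIPPED_SCOPES]
    dev_only = [d["coordinate"] for d in deps if d["scope"] not in SHIPPED_SCOPES]
    return shipped, dev_only


def strip_dev_dependencies(pom_xml):
    """Return a copy of the POM with non-shipped-scope dependencies removed.

    Hypothetical pre-scan step: scanning this trimmed POM limits resolution
    to dependencies that end up in the artifact.
    """
    ET.register_namespace("", POM_NS)  # keep the default namespace on output
    root = ET.fromstring(pom_xml)
    deps_el = root.find("./m:dependencies", NS)
    if deps_el is not None:
        for dep in list(deps_el):
            if (_child_text(dep, "scope") or "compile") not in SHIPPED_SCOPES:
                deps_el.remove(dep)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    shipped, dev_only = split_by_scope(parse_dependencies(SAMPLE_POM))
    print("shipped:", shipped)
    print("dev/test only:", dev_only)
    print(strip_dev_dependencies(SAMPLE_POM))
```

Running the script prints the shipped and dev-only lists and the trimmed POM. It only looks at the direct declarations in one file; transitive (child) dependencies, which are what the report says get pulled in with 0.55.0, are resolved by Maven from each dependency's own POM and are not visible here, so this is a way to see what a scan is being asked to resolve, not a replacement for the scanner's own dependency walk.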