aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

feat(cli): rename `--vuln-type` flag to `--pkg-types` flag #7104

Closed DmitriyLewen closed 2 weeks ago

DmitriyLewen commented 2 weeks ago

Description

Rename --vuln-type flag to --pkg-types flag. See #6269

Before:

➜ trivy -d image --vuln-type os aquasec/trivy
...
2024-07-05T15:45:36+06:00       DEBUG   Vulnerability type      type=[os]
...
aquasec/trivy (alpine 3.20.0)

Total: 10 (UNKNOWN: 0, LOW: 0, MEDIUM: 10, HIGH: 0, CRITICAL: 0)

➜ trivy -d image --vuln-type library aquasec/trivy
...
2024-07-05T15:45:46+06:00       DEBUG   Vulnerability type      type=[library]
...

usr/local/bin/trivy (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

After:

➜ trivy -d image --vuln-type os aquasec/trivy
2024/07/05 15:47:26 WARN '--vuln-type' is deprecated. Use '--pkg-types' instead.

➜ trivy -d image --pkg-types os aquasec/trivy
...
2024-07-05T15:47:59+06:00       DEBUG   Package types   types=[os]
...

aquasec/trivy (alpine 3.20.0)

Total: 10 (UNKNOWN: 0, LOW: 0, MEDIUM: 10, HIGH: 0, CRITICAL: 0)

➜ trivy -d image --pkg-types library aquasec/trivy
...
2024-07-05T15:48:11+06:00       DEBUG   Package types   types=[library]
...

usr/local/bin/trivy (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)


knqyf263 commented 2 weeks ago

We can leverage aliases. https://github.com/aquasecurity/trivy/blob/a7a304d53e1ce230f881c28c4f35885774cf3b9a/pkg/flag/options.go#L68-L69

Example: https://github.com/aquasecurity/trivy/blob/a7a304d53e1ce230f881c28c4f35885774cf3b9a/pkg/flag/rego_flags.go#L19-L24
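
As an added illustration of the alias approach discussed in this thread (this is not Trivy's own code; Trivy uses its own flag package with Alias support, linked above), here is a stand-alone Go program using only the standard library's flag package: it keeps the deprecated --vuln-type spelling working, prints the same deprecation warning shown in the PR description, and resolves to the new --pkg-types value. The accepted type names and the rule that both spellings cannot be combined are assumptions of this example.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"os"
	"strings"
)

// Assumed set of package types for this example (not Trivy's definition).
var validPkgTypes = map[string]bool{"os": true, "library": true}

// parsePkgTypes parses args, accepting the new --pkg-types flag and the
// deprecated --vuln-type alias. A deprecation warning is written to warnOut
// whenever the old spelling is used, and the parsed types are returned.
func parsePkgTypes(args []string, warnOut io.Writer) ([]string, error) {
	fs := flag.NewFlagSet("trivy-demo", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // keep usage text out of the demo output
	var pkgTypes, vulnType string
	fs.StringVar(&pkgTypes, "pkg-types", "os,library", "comma-separated package types to scan")
	fs.StringVar(&vulnType, "vuln-type", "", "deprecated alias for --pkg-types")
	if err := fs.Parse(args); err != nil {
		return nil, err
	}
	// Visit only reports flags that were explicitly set on the command line.
	set := map[string]bool{}
	fs.Visit(func(f *flag.Flag) { set[f.Name] = true })
	raw := pkgTypes
	if set["vuln-type"] {
		fmt.Fprintln(warnOut, "WARN '--vuln-type' is deprecated. Use '--pkg-types' instead.")
		if set["pkg-types"] { // assumption: mixing old and new spellings is rejected
			return nil, fmt.Errorf("--vuln-type and --pkg-types are mutually exclusive")
		}
		raw = vulnType
	}
	var types []string
	for _, t := range strings.Split(raw, ",") {
		t = strings.TrimSpace(t)
		if !validPkgTypes[t] {
			return nil, fmt.Errorf("unknown package type %q", t)
		}
		types = append(types, t)
	}
	return types, nil
}

func main() {
	types, err := parsePkgTypes(os.Args[1:], os.Stderr)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("Package types: types=%v\n", types)
}
```

Running it as `go run . --vuln-type os image` prints the warning on stderr and `Package types: types=[os]` on stdout, mirroring the "After" transcript above.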

DmitriyLewen commented 2 weeks ago

I used Alias. But I thought the report.go file would be better suited for this flag. So I moved this flag to this file, renamed the flag and added an Alias. https://github.com/aquasecurity/trivy/blob/5bc3fa79de38fa03e705c2db269b88acfc262b67/pkg/flag/report_flags.go#L109-L122

knqyf263 commented 2 weeks ago

I don't think it's a breaking change. People can keep using --vuln-type. We should announce the deprecation. After a while, we'll delete it, then it'll be a breaking change as the same command no longer works.

It is always difficult to determine the type of PR, but I think it will be a "refactor" when there is no user impact. In this case, UI will be changed. It's not a new feature or bug fix, but I think "feat" is the closest.

DmitriyLewen commented 2 weeks ago

I don't think it's a breaking change

I thought about this. I renamed VulnType to PkgTypes e.g.:

These are breaking changes for users using Trivy as a library.

It is always difficult to determine the type of PR, but I think it will be a "refactor" when there is no user impact. In this case, UI will be changed. It's not a new feature or bug fix, but I think "feat" is the closest.

hm... okay, I will change the type of the PR.

knqyf263 commented 2 weeks ago

These are breaking changes for users using Trivy as a library.

That's a good point. But Trivy is a CLI tool. We could consider whether changing to CLI usage is destructive. Of course, we should ensure the change is minimal for tools importing Trivy, though. Otherwise, adding arguments to an internal function will be a breaking change if it is exported.

@naortalmor1 @tamirkiviti13 @tonaim We changed a variable name. I don't think it will have a major impact, but I thought I'd let you know just in case.

DmitriyLewen commented 2 weeks ago

Okay. I got you. I updated the type of the PR.

DmitriyLewen commented 2 weeks ago

It's not an issue from this PR, but logging doesn't seem to be enabled well. I mean our custom handler is not initialized, and the log format is different.

Created #7124 for this.