Can we get vuln-type filtering for licenses as well?

[mastacheata]

Description

Hey there,

it would be great if the license scanner results could be filtered by type before outputting them.

I think the vuln-type filter would be especially useful to filter out OS packages.
The typical use case for trivy is not people building new Linux distributions and sharing them publicly, but people building and sharing applications that just so happen to run on a Linux system. In the later case, the operating system packages being GPL licensed is of no concern at all, but a library-type dependency with a viral license is extremely important to consider.

So far, the only option around that is to filter the results by specifying a custom template or filtering the json or text outputs using third party tools.

Thanks for considering this.

Target

Container Image

Scanner

License

[knqyf263]

Thanks for your idea. It makes sense. --vuln-type was added a long time ago when Trivy had only a vulnerability scanner. Maybe --pkg-type is better now?

[mastacheata]

Maybe Target is the better wording? In the documentation you already refer to the vuln-type switch as filtering for Vulnerability Target, so generalizing that to just target sounds reasonable.

I don't have any strong opinions on the name of thing, though.

[knqyf263]

We already use the "Target" term. But thanks for your suggestion.
https://aquasecurity.github.io/trivy/v0.44/docs/

[mastacheata]

Any progress on this?
If you give me some hints on where to look I'd be happy to look into this myself, but I have a really hard time understanding the structure of trivy and what happens where.

[dus7eh]

That would be indeed useful. Right now we can do of course some post processing of json reports but this way we loose the ability to get proper exit code when library package of an unwanted severity is detected.