add option to support only some directories

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -66,6 +66,7 @@ trivy filesystem [flags] PATH
       --report string                     specify a compliance report format for the output (all,summary) (default "all")
       --reset                             remove all caches and database
       --reset-policy-bundle               remove policy bundle
+      --retain-pkg-installed-files        retains the files installed by each package in the analysis output when set to true
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")

docs/docs/references/configuration/cli/trivy_image.md

@@ -87,6 +87,7 @@ trivy image [flags] IMAGE_NAME
       --report string                     specify a format for the compliance report. (all,summary) (default "summary")
       --reset                             remove all caches and database
       --reset-policy-bundle               remove policy bundle
+      --retain-pkg-installed-files        retains the files installed by each package in the analysis output when set to true
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -78,6 +78,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --report string                     specify a report format for the output (all,summary) (default "all")
       --reset                             remove all caches and database
       --reset-policy-bundle               remove policy bundle
+      --retain-pkg-installed-files        retains the files installed by each package in the analysis output when set to true
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners string                   comma-separated list of what security issues to detect (vuln,config,secret,license) (default "vuln,config,secret,rbac")
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")

docs/docs/references/configuration/cli/trivy_repository.md

@@ -65,6 +65,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --reset                             remove all caches and database
       --reset-policy-bundle               remove policy bundle
+      --retain-pkg-installed-files        retains the files installed by each package in the analysis output when set to true
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -67,6 +67,7 @@ trivy rootfs [flags] ROOTDIR
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --reset                             remove all caches and database
       --reset-policy-bundle               remove policy bundle
+      --retain-pkg-installed-files        retains the files installed by each package in the analysis output when set to true
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")

docs/docs/references/configuration/cli/trivy_sbom.md

@@ -20,47 +20,48 @@ trivy sbom [flags] SBOM_PATH
 ### Options
 
 ```
-      --cache-backend string        cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration          cache TTL when using redis as cache backend
-      --clear-cache                 clear image caches without scanning
-      --compliance string           compliance report to generate
-      --custom-headers strings      custom headers in client mode
-      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
-      --download-db-only            download/update vulnerability database but don't run a scan
-      --download-java-db-only       download/update Java index database but don't run a scan
-      --exit-code int               specify exit code when any security issues are found
-      --exit-on-eol int             exit with the specified code when the OS reaches end of service/life
-      --file-patterns strings       specify config file patterns
-  -f, --format string               format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-  -h, --help                        help for sbom
-      --ignore-policy string        specify the Rego file path to evaluate each vulnerability
-      --ignore-status strings       comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
-      --ignore-unfixed              display only fixed vulnerabilities
-      --ignorefile string           specify .trivyignore file (default ".trivyignore")
-      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
-      --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
-      --no-progress                 suppress progress bar
-      --offline-scan                do not issue API requests to identify dependencies
-  -o, --output string               output file name
-      --redis-ca string             redis ca file location, if using redis as cache backend
-      --redis-cert string           redis certificate file location, if using redis as cache backend
-      --redis-key string            redis key file location, if using redis as cache backend
-      --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
-      --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --reset                       remove all caches and database
-      --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --server string               server address in client mode
-  -s, --severity strings            severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-      --skip-db-update              skip updating vulnerability database
-      --skip-dirs strings           specify the directories or glob patterns to skip
-      --skip-files strings          specify the files or glob patterns to skip
-      --skip-java-db-update         skip updating Java index database
-      --slow                        scan over time with lower CPU and memory utilization
-  -t, --template string             output template
-      --token string                for authentication in client/server mode
-      --token-header string         specify a header name for token in client/server mode (default "Trivy-Token")
-      --vex string                  [EXPERIMENTAL] file path to VEX
-      --vuln-type strings           comma-separated list of vulnerability types (os,library) (default [os,library])
+      --cache-backend string         cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration           cache TTL when using redis as cache backend
+      --clear-cache                  clear image caches without scanning
+      --compliance string            compliance report to generate
+      --custom-headers strings       custom headers in client mode
+      --db-repository string         OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --download-db-only             download/update vulnerability database but don't run a scan
+      --download-java-db-only        download/update Java index database but don't run a scan
+      --exit-code int                specify exit code when any security issues are found
+      --exit-on-eol int              exit with the specified code when the OS reaches end of service/life
+      --file-patterns strings        specify config file patterns
+  -f, --format string                format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+  -h, --help                         help for sbom
+      --ignore-policy string         specify the Rego file path to evaluate each vulnerability
+      --ignore-status strings        comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-unfixed               display only fixed vulnerabilities
+      --ignorefile string            specify .trivyignore file (default ".trivyignore")
+      --java-db-repository string    OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --list-all-pkgs                enabling the option will output all packages regardless of vulnerability
+      --no-progress                  suppress progress bar
+      --offline-scan                 do not issue API requests to identify dependencies
+  -o, --output string                output file name
+      --redis-ca string              redis ca file location, if using redis as cache backend
+      --redis-cert string            redis certificate file location, if using redis as cache backend
+      --redis-key string             redis key file location, if using redis as cache backend
+      --redis-tls                    enable redis TLS with public certificates, if using redis as cache backend
+      --rekor-url string             [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --reset                        remove all caches and database
+      --retain-pkg-installed-files   retains the files installed by each package in the analysis output when set to true
+      --sbom-sources strings         [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --server string                server address in client mode
+  -s, --severity strings             severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --skip-db-update               skip updating vulnerability database
+      --skip-dirs strings            specify the directories or glob patterns to skip
+      --skip-files strings           specify the files or glob patterns to skip
+      --skip-java-db-update          skip updating Java index database
+      --slow                         scan over time with lower CPU and memory utilization
+  -t, --template string              output template
+      --token string                 for authentication in client/server mode
+      --token-header string          specify a header name for token in client/server mode (default "Trivy-Token")
+      --vex string                   [EXPERIMENTAL] file path to VEX
+      --vuln-type strings            comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_vm.md

@@ -59,6 +59,7 @@ trivy vm [flags] VM_IMAGE
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --reset                             remove all caches and database
       --reset-policy-bundle               remove policy bundle
+      --retain-pkg-installed-files        retains the files installed by each package in the analysis output when set to true
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")

integration/testdata/conda-spdx.json.golden

@@ -3,14 +3,14 @@
   "dataLicense": "CC0-1.0",
   "SPDXID": "SPDXRef-DOCUMENT",
   "name": "testdata/fixtures/repo/conda",
-  "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/repo/conda-08df146c-0996-4718-8648-b2a45769ab79",
+  "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/repo/conda-3ff14136-e09f-4df9-80ea-000000000001",
   "creationInfo": {
     "licenseListVersion": "",
     "creators": [
       "Organization: aquasecurity",
       "Tool: trivy-dev"
     ],
-    "created": "2023-06-27T05:37:40Z"
+    "created": "2020-09-10T14:20:30Z"
   },
   "packages": [
     {
@@ -23,7 +23,7 @@
     },
     {
       "name": "openssl",
-      "SPDXID": "SPDXRef-Package-950f99cb9edd281",
+      "SPDXID": "SPDXRef-Package-c75d9dc75200186f",
       "versionInfo": "1.1.1q",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -41,7 +41,7 @@
     },
     {
       "name": "pip",
-      "SPDXID": "SPDXRef-Package-39020c06af94ca53",
+      "SPDXID": "SPDXRef-Package-195557cddf18e4a9",
       "versionInfo": "22.2.2",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -105,21 +105,21 @@
     },
     {
       "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
-      "relatedSpdxElement": "SPDXRef-Package-950f99cb9edd281",
+      "relatedSpdxElement": "SPDXRef-Package-c75d9dc75200186f",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Package-950f99cb9edd281",
+      "spdxElementId": "SPDXRef-Package-c75d9dc75200186f",
       "relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
       "relationshipType": "CONTAINS"
     },
     {
       "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
-      "relatedSpdxElement": "SPDXRef-Package-39020c06af94ca53",
+      "relatedSpdxElement": "SPDXRef-Package-195557cddf18e4a9",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Package-39020c06af94ca53",
+      "spdxElementId": "SPDXRef-Package-195557cddf18e4a9",
       "relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
       "relationshipType": "CONTAINS"
     }

pkg/commands/app.go

@@ -634,6 +634,7 @@ func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		SkipDirs:     &flag.SkipDirsFlag,
 		SkipFiles:    &flag.SkipFilesFlag,
 		FilePatterns: &flag.FilePatternsFlag,
+		OnlyDirs:     &flag.OnlyDirsFlag,
 	}
 
 	configFlags := &flag.Flags{

pkg/commands/artifact/run.go

@@ -627,6 +627,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 			DisabledAnalyzers: disabledAnalyzers(opts),
 			SkipFiles:         opts.SkipFiles,
 			SkipDirs:          opts.SkipDirs,
+			OnlyDirs:          opts.OnlyDirs,
 			FilePatterns:      opts.FilePatterns,
 			Offline:           opts.OfflineScan,
 			NoProgress:        opts.NoProgress || opts.Quiet,
@@ -664,6 +665,10 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 				Full:                      opts.LicenseFull,
 				ClassifierConfidenceLevel: opts.LicenseConfidenceLevel,
 			},
+
+			// Retains the package's installed in the package information of
+			// the analysis result
+			RetainPkgInstalledFiles: opts.RetainPkgInstalledFiles,
 		},
 	}, scanOptions, nil
 }

pkg/fanal/analyzer/analyzer.go

@@ -146,18 +146,21 @@ type PostAnalysisInput struct {
 type AnalysisOptions struct {
 	Offline      bool
 	FileChecksum bool
+
+	// retain package installed files in the analysis result
+	RetainPkgInstalledFiles bool
 }
 
 type AnalysisResult struct {
-	m                    sync.Mutex
-	OS                   types.OS
-	Repository           *types.Repository
-	PackageInfos         []types.PackageInfo
-	Applications         []types.Application
-	Misconfigurations    []types.Misconfiguration
-	Secrets              []types.Secret
-	Licenses             []types.LicenseFile
-	SystemInstalledFiles []string // A list of files installed by OS package manager
+	m                 sync.Mutex
+	OS                types.OS
+	Repository        *types.Repository
+	PackageInfos      []types.PackageInfo
+	Applications      []types.Application
+	Misconfigurations []types.Misconfiguration
+	Secrets           []types.Secret
+	Licenses          []types.LicenseFile
+	PkgInstalledFiles []string // A list of files installed by OS package manager
 
 	// Digests contains SHA-256 digests of unpackaged files
 	// used to search for SBOM attestation.
@@ -178,7 +181,7 @@ func NewAnalysisResult() *AnalysisResult {
 
 func (r *AnalysisResult) isEmpty() bool {
 	return lo.IsEmpty(r.OS) && r.Repository == nil && len(r.PackageInfos) == 0 && len(r.Applications) == 0 &&
-		len(r.Misconfigurations) == 0 && len(r.Secrets) == 0 && len(r.Licenses) == 0 && len(r.SystemInstalledFiles) == 0 &&
+		len(r.Misconfigurations) == 0 && len(r.Secrets) == 0 && len(r.Licenses) == 0 && len(r.PkgInstalledFiles) == 0 &&
 		r.BuildInfo == nil && len(r.Digests) == 0 && len(r.CustomResources) == 0
 }
 
@@ -272,7 +275,7 @@ func (r *AnalysisResult) Merge(new *AnalysisResult) {
 	r.Misconfigurations = append(r.Misconfigurations, new.Misconfigurations...)
 	r.Secrets = append(r.Secrets, new.Secrets...)
 	r.Licenses = append(r.Licenses, new.Licenses...)
-	r.SystemInstalledFiles = append(r.SystemInstalledFiles, new.SystemInstalledFiles...)
+	r.PkgInstalledFiles = append(r.PkgInstalledFiles, new.PkgInstalledFiles...)
 
 	if new.BuildInfo != nil {
 		if r.BuildInfo == nil {
@@ -470,7 +473,7 @@ func (ag AnalyzerGroup) PostAnalyze(ctx context.Context, compositeFS *CompositeF
 			continue
 		}
 
-		skippedFiles := result.SystemInstalledFiles
+		skippedFiles := result.PkgInstalledFiles
 		for _, app := range result.Applications {
 			skippedFiles = append(skippedFiles, app.FilePath)
 			for _, lib := range app.Libraries {

pkg/fanal/analyzer/analyzer_test.go

@@ -347,7 +347,7 @@ func TestAnalyzerGroup_AnalyzeFile(t *testing.T) {
 						},
 					},
 				},
-				SystemInstalledFiles: []string{
+				PkgInstalledFiles: []string{
 					"lib/libc.musl-x86_64.so.1",
 					"lib/ld-musl-x86_64.so.1",
 				},