|
3 | 3 | Scanning dependencies with conan audit |
4 | 4 | ====================================== |
5 | 5 |
|
6 | | -A new command, `conan audit`, was added in **Conan 2.14**. It provides a built-in way to |
7 | | -**scan your dependencies for known CVEs**. |
| 6 | +The ``conan audit`` commands provide a built-in way to **scan your dependencies for known CVEs**. |
8 | 7 |
|
9 | 8 | For a step-by-step guide on authentication, usage examples, output formats, and setting up |
10 | 9 | private providers, see :ref:`Checking package vulnerabilities <devops_audit>`. In short: |
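Review bot: the rewritten sentence at +6 drops the only statement of when the command appeared (the removed lines said it was added in **Conan 2.14**), so readers on an earlier 2.x release lose the hint about why ``conan audit`` is missing for them. Keep the version, either by retaining the phrase in the new sentence or with a ``.. versionadded:: 2.14`` directive under the heading; the new line does correctly switch the old single-backtick `conan audit` (the default interpreted-text role in RST) to a ``literal``.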
@@ -33,6 +32,30 @@ This command also supports using your own JFrog Platform as a private provider f |
33 | 32 | vulnerability scanning. See the :ref:`Adding private providers |
34 | 33 | <devops_audit_private_providers>` section for more details. |
35 | 34 |
|
| 35 | +Filtering queried packages |
| 36 | +-------------------------- |
| 37 | + |
| 38 | +By default, the ``conan audit scan`` command will query all packages in the dependency graph. |
| 39 | +You can filter the packages to be queried based on their context using the ``--context`` option, |
| 40 | +which accepts ``"host"``, or ``"build"`` as values, and when omitted, defaults to quering both contexts. |
| 41 | + |
| 42 | +This allows you to skip checking for CVEs in build requirements, which are not part of the final product |
| 43 | +and therefore less relevant (but still important!) for vulnerability scanning. |
| 44 | + |
| 45 | +It's also possible to perform this filter using the ``conan audit list`` command, |
| 46 | +by leveraging the packages list filtering from the ``conan list`` command. For example: |
| 47 | + |
| 48 | +.. code-block:: bash |
| 49 | + |
| 50 | + # Generate the dependency graph in JSON format |
| 51 | + $ conan graph info . --format=json > graph.json |
| 52 | + # Create a packages list for the resolved dependency graph, filtering to only contain the `host` context packages |
| 53 | + $ conan list --graph=graph.json --graph-context=host --format=json > pkglist.json |
| 54 | + # Scan the filtered packages list for vulnerabilities |
| 55 | + $ conan audit list --list=pkglist.json |
| 56 | + |
| 57 | + |
| 58 | + |
36 | 59 | .. seealso:: |
37 | 60 |
|
38 | 61 | - `JFrog Academy Conan 2 Essentials: Scanning C++ packages for Vulnerabilities using Conan Audit <https://academy.jfrog.com/conan-2-essentials/2164300?utm_source=Conan+Docs>`__ |
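Review bot: "quering" on the +40 line should be "querying", and with only two values the comma in "accepts ``"host"``, or ``"build"``" is wrong; suggest "which accepts ``host`` or ``build`` as values and, when omitted, defaults to querying both contexts." Also, the three blank lines added at +56 to +58 before ``.. seealso::`` are more than RST needs to separate blocks; one is enough. Since the ``.. code-block:: bash`` at +48 shows a session with ``$`` prompts and comments rather than a script, ``console`` would be the more accurate lexer.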
|