Rust¶
Trivy supports Cargo, which is the Rust package manager. The following scanners are supported for Cargo.
Package manager | SBOM | Vulnerability | License |
---|---|---|---|
Cargo | ✓ | ✓ | - |
In addition, it supports binaries built with cargo-auditable.
Artifact | SBOM | Vulnerability | License |
---|---|---|---|
Binaries | ✓ | ✓ | - |
Features¶
The following table provides an outline of the features Trivy offers.
Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
---|---|---|---|---|---|
Cargo | Cargo.lock | ✓ | Excluded1 | ✓ | ✓ |
Artifact | Transitive dependencies | Dev dependencies | Dependency graph | Position |
---|---|---|---|---|
Binaries | ✓ | Excluded | - | - |
Cargo¶
Trivy searches for Cargo.lock
to detect dependencies.
Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
Since this information is not included in Cargo.lock
, Trivy parses Cargo.toml
, which should be located next to Cargo.lock
.
If you want to see the dependency tree, please ensure that Cargo.toml
is present.
Scan Cargo.lock
and Cargo.toml
together also removes developer dependencies.
Binaries¶
Trivy scans binaries built with cargo-auditable. If such a binary exists, Trivy will identify it as being built with cargo-audit and scan it.
-
When you scan Cargo.lock and Cargo.toml together. ↩