
Commit 529e557

AbrilRBS and czoido authored
Docs for conan audit context filter (#4239)
* Update!
* Update args
* Update security/audit.rst
* Commands as code block

---------

Co-authored-by: Carlos Zoido <[email protected]>
1 parent e2d08b7 commit 529e557


1 file changed

+25
-2
lines changed


security/audit.rst

Lines changed: 25 additions & 2 deletions
@@ -3,8 +3,7 @@
33
Scanning dependencies with conan audit
44
======================================
55

6-
A new command, `conan audit`, was added in **Conan 2.14**. It provides a built-in way to
7-
**scan your dependencies for known CVEs**.
6+
The ``conan audit`` commands provide a built-in way to **scan your dependencies for known CVEs**.
87

98
For a step-by-step guide on authentication, usage examples, output formats, and setting up
109
private providers, see :ref:`Checking package vulnerabilities <devops_audit>`. In short:
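Review bot: the rewritten intro sentence drops the only version hint in this section ("added in **Conan 2.14**"); readers on an older Conan 2 release will no longer learn why ``conan audit`` is missing for them. Consider keeping the availability note, for example as a ``.. versionadded:: 2.14`` directive right under the title, while keeping the new plural "commands" wording and the double-backtick literal, which is the correct RST markup here (the removed line used single backticks, which Sphinx treats as interpreted text rather than a literal).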
@@ -33,6 +32,30 @@ This command also supports using your own JFrog Platform as a private provider f
3332
vulnerability scanning. See the :ref:`Adding private providers
3433
<devops_audit_private_providers>` section for more details.
3534

35+
Filtering queried packages
36+
--------------------------
37+
38+
By default, the ``conan audit scan`` command will query all packages in the dependency graph.
39+
You can filter the packages to be queried based on their context using the ``--context`` option,
40+
which accepts ``"host"``, or ``"build"`` as values, and when omitted, defaults to quering both contexts.
41+
42+
This allows you to skip checking for CVEs in build requirements, which are not part of the final product
43+
and therefore less relevant (but still important!) for vulnerability scanning.
44+
45+
It's also possible to perform this filter using the ``conan audit list`` command,
46+
by leveraging the packages list filtering from the ``conan list`` command. For example:
47+
48+
.. code-block:: bash
49+
50+
# Generate the dependency graph in JSON format
51+
$ conan graph info . --format=json > graph.json
52+
# Create a packages list for the resolved dependency graph, filtering to only contain the `host` context packages
53+
$ conan list --graph=graph.json --graph-context=host --format=json > pkglist.json
54+
# Scan the filtered packages list for vulnerabilities
55+
$ conan audit list --list=pkglist.json
56+
57+
58+
3659
.. seealso::
3760

3861
- `JFrog Academy Conan 2 Essentials: Scanning C++ packages for Vulnerabilities using Conan Audit <https://academy.jfrog.com/conan-2-essentials/2164300?utm_source=Conan+Docs>`__
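Review bot: typo in the new ``--context`` paragraph: "defaults to quering both contexts" should read "querying", and the same sentence reads more naturally without the comma before "or" (``"host"`` or ``"build"``). Since the prose introduces ``--context`` for ``conan audit scan`` but the example then uses ``--graph-context=host`` on ``conan list``, a short clause saying that these are two different commands with differently named options would save readers from trying ``--context`` on ``conan list``. The two extra blank lines added before ``.. seealso::`` (new lines 57-58) can also be dropped; one blank line separates the other directives in this file.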
