We are using Syft + Dependency Tracker for managing SBOMs for different images. When we get some license issues for all transitive dependencies, they are shown as per the policy which we have defined. Is it possible to display the direct package and its license only? Thanks in advance, Anvitha
Hi @anvitha_haviligi, I'm not sure I completely understand. It sounds like you want Syft to report licenses only for direct dependencies?
Hi @willmurphy, yes. Is there any way to show that? Or do we have to use another tool to get the dependency graph for the Syft SBOM JSON?
Syft doesn't currently always distinguish between transitive and direct dependencies. There's an issue tracking the ecosystems where we can: Add support for package dependency relationships · Issue #572 · anchore/syft · GitHub.
My understanding however is that the licenses of transitive dependencies still apply, so that’s probably something to be careful of.
Thank you for the explanation.
If I remove or resolve the parent package which has the license issue or vulnerability, is the transitive dependency indirectly resolved as well, right?
If you remove a direct dependency, and therefore a transitive dependency is removed, then Syft should stop finding that transitive dependency and you shouldn’t have it any more. But if multiple things pull in the same transitive dependency, you will still have it and Syft will still find it.
Transitive dependencies are as much a part of the app as direct dependencies, is all I’m saying.
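As an added example (not from this thread and not code from the Syft or Dependency-Track projects): a small Python script that reads a CycloneDX JSON SBOM of the kind `syft <image> -o cyclonedx-json` produces, uses the `dependencies` array to separate direct packages (those the root component in `metadata.component` depends on) from transitive ones, lists the direct packages' licenses, and then simulates dropping one direct dependency to show which transitive packages disappear and which stay because another package also pulls them in, the case described in the last reply. The SBOM embedded below is constructed for the example. Whether a real Syft SBOM carries `dependencies` edges at all depends on the per-ecosystem support tracked in issue #572; where the edges are missing, the script reports no direct dependencies, which is itself the signal that the SBOM cannot answer the question.

```python
"""Separate direct from transitive packages in a CycloneDX JSON SBOM and
simulate removing a direct dependency. Example code, not Syft's or
Dependency-Track's own; the SBOM below is constructed for the example."""
import json
from collections import deque

# Constructed sample: the app depends directly on a and b; a pulls in c and d,
# b also pulls in c. So c is shared, d is reachable only through a.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "my-app", "type": "application"}},
    "components": [
        {"bom-ref": "pkg:npm/a@1.0.0", "name": "a", "version": "1.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/b@2.0.0", "name": "b", "version": "2.0.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:npm/c@0.1.0", "name": "c", "version": "0.1.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "pkg:npm/d@3.1.4", "name": "d", "version": "3.1.4",
         "licenses": [{"license": {"name": "Custom Proprietary"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/a@1.0.0", "pkg:npm/b@2.0.0"]},
        {"ref": "pkg:npm/a@1.0.0", "dependsOn": ["pkg:npm/c@0.1.0", "pkg:npm/d@3.1.4"]},
        {"ref": "pkg:npm/b@2.0.0", "dependsOn": ["pkg:npm/c@0.1.0"]},
        {"ref": "pkg:npm/c@0.1.0", "dependsOn": []},
        {"ref": "pkg:npm/d@3.1.4", "dependsOn": []},
    ],
})


def load_graph(sbom_json):
    """Return (root bom-ref, adjacency dict ref -> [dependsOn], ref -> [license ids])."""
    bom = json.loads(sbom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    licenses = {}
    for comp in bom.get("components", []):
        ids = []
        for lic in comp.get("licenses", []):
            # CycloneDX allows either {"license": {id|name}} or {"expression": "..."}
            entry = lic.get("license", {})
            ids.append(entry.get("id") or entry.get("name") or lic.get("expression") or "NOASSERTION")
        licenses[comp["bom-ref"]] = ids
    return root, graph, licenses


def reachable(graph, root):
    """Every package reachable from root by following dependsOn edges (BFS, cycle-safe)."""
    seen, queue = set(), deque([root])
    while queue:
        for dep in graph.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def direct_dependencies(sbom_json):
    """Direct packages (children of the root) with their license identifiers."""
    root, graph, licenses = load_graph(sbom_json)
    return {ref: licenses.get(ref, []) for ref in graph.get(root, [])}


def transitive_dependencies(sbom_json):
    """Packages reachable from the root that are not direct dependencies."""
    root, graph, _ = load_graph(sbom_json)
    return reachable(graph, root) - set(graph.get(root, []))


def simulate_removal(sbom_json, direct_ref):
    """Drop only the root -> direct_ref edge (i.e. stop depending on it directly) and
    report which packages vanish and which survive because something else needs them."""
    root, graph, _ = load_graph(sbom_json)
    before = reachable(graph, root)
    pruned = dict(graph)
    pruned[root] = [d for d in graph.get(root, []) if d != direct_ref]
    after = reachable(pruned, root)
    return {"dropped": sorted(before - after), "kept": sorted(after)}


if __name__ == "__main__":
    for ref, lics in direct_dependencies(SAMPLE_SBOM).items():
        print(f"direct   {ref}: {', '.join(lics)}")
    for ref in sorted(transitive_dependencies(SAMPLE_SBOM)):
        print(f"transitive {ref}")
    print("remove a ->", simulate_removal(SAMPLE_SBOM, "pkg:npm/a@1.0.0"))
```

Removing `a` drops `d` along with it, but `c` (the GPL-licensed package) survives because `b` still depends on it, which is exactly why fixing the direct package does not automatically clear a policy finding on a shared transitive one. To run this on a real image, pass the file written by `syft <image> -o cyclonedx-json=sbom.json` to `load_graph` instead of the constructed sample.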