trivet 3.1.0

The trivet Parser Library
Documentation
# Miscellanea

## Minimum Supported Rust Version

This is determined by [cargo-msrv][].

```bash
$ cargo msrv find
  [Meta]   cargo-msrv 0.17.0  

Compatibility Check #1: Rust 1.70.0
  [OK]     Is compatible 

Compatibility Check #5: Rust 1.62.1
  [OK]     Is compatible 

Result:
   Considered (min … max):   Rust 1.56.1 … Rust 1.83.0 
   Search method:            bisect                    
   MSRV:                     1.62.1                    
   Target:                   aarch64-apple-darwin
```

This value is then set in `Cargo.toml` as `rust-version`. Note that to run the search correctly,
you must first comment out `rust-version`; otherwise it will block the compilation
tests.

## Checking Links in Documentation

Check the links in the documentation with [cargo-deadlinks][].

```bash
$ cargo deadlinks --check-intra-doc-links
 Documenting trivet v3.0.0 (/Users/ypj/Projects/trivet)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.99s
   Generated /Users/ypj/Projects/trivet/target/doc/trivet/index.html
```

## Trivy

In general [Trivy][] looks for dependencies in `Cargo.lock`.  Since **Trivet** is intended to avoid dependencies, some forms of scanning will not be useful.

### Trivy and the SBOM

[Trivy][] is a vulnerability scanner.  You can use it to generate an SBOM for **Trivet** conforming to the [CycloneDX][] standard.  This depends on the `Cargo.lock` file being up to date, so make sure the project has been built.  The following command, run from the root of the distribution, will generate the SBOM.

```bash
$ trivy fs --format cyclonedx --scanners vuln --output sbom.cdx.json ./Cargo.lock
2025-01-06T14:08:54-06:00       INFO    [vuln] Vulnerability scanning is enabled
2025-01-06T14:08:54-06:00       INFO    Number of language-specific files      num=1
2025-01-06T14:08:54-06:00       INFO    [cargo] Detecting vulnerabilities...
```

The result is found in `sbom.cdx.json`.
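
Because **Trivet** is intended to avoid dependencies, the SBOM can also serve as a check that none has crept in. The following is an added example, not part of the Trivet project: it flags any third-party crate or reported vulnerability in a CycloneDX document. It assumes the crate's own entry may appear as a `library` component and uses only standard CycloneDX fields; the sample documents, `example-dep` and `EXAMPLE-VULN-0001` are constructed placeholders, not real Trivy output.

```python
import json
import sys

ROOT_CRATE = "trivet"  # assumption: the crate's own entry may be listed in the SBOM


def audit_sbom(bom, root_crate=ROOT_CRATE):
    """Return findings for a parsed CycloneDX document; an empty list passes."""
    if bom.get("bomFormat") != "CycloneDX":
        return ["not a CycloneDX document"]
    findings = []
    for comp in bom.get("components", []):
        # The scanned lock file may appear as an "application" component;
        # only "library" entries are crates.
        if comp.get("type") != "library" or comp.get("name") == root_crate:
            continue
        ident = comp.get("purl") or "{}@{}".format(comp.get("name"), comp.get("version"))
        findings.append("unexpected dependency: " + ident)
    for vuln in bom.get("vulnerabilities", []):
        refs = ", ".join(a.get("ref", "?") for a in vuln.get("affects", []))
        findings.append("vulnerability {} affects {}".format(vuln.get("id", "?"), refs or "?"))
    return findings


# Constructed samples (not real Trivy output); names and ids are placeholders.
CLEAN = {
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "application", "name": "Cargo.lock"},
        {"type": "library", "name": "trivet", "version": "3.1.0",
         "purl": "pkg:cargo/trivet@3.1.0"},
    ],
}
DRIFTED = {
    "bomFormat": "CycloneDX",
    "components": CLEAN["components"] + [
        {"type": "library", "name": "example-dep", "version": "0.1.0",
         "purl": "pkg:cargo/example-dep@0.1.0"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-0001", "affects": [{"ref": "pkg:cargo/example-dep@0.1.0"}]},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # CI use: pass the path to sbom.cdx.json
        with open(sys.argv[1]) as fh:
            sys.exit("\n".join(audit_sbom(json.load(fh))) or 0)
    print(audit_sbom(CLEAN), audit_sbom(DRIFTED))  # constructed samples
```

Given a path argument, the script exits non-zero and prints the findings when the SBOM lists anything beyond the crate itself.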

### Trivy and Vulnerability and Secret Scanning

[Trivy][] can scan the file system (recognizing `Cargo`) using the following command, run from the root of the distribution.

```bash
$ trivy fs .
2025-01-06T14:21:59-06:00       INFO    [vuln] Vulnerability scanning is enabled
2025-01-06T14:21:59-06:00       INFO    [secret] Secret scanning is enabled
2025-01-06T14:21:59-06:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-06T14:21:59-06:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-06T14:22:01-06:00       INFO    Number of language-specific files       num=2
```

### Trivy and License Scanning

You can scan for files that may pose a business risk using [Trivy][].  To do this, run the following from the root of the distribution.

```bash
$ trivy fs . --scanners=license --license-full
2025-01-06T14:25:14-06:00       INFO    [license] Full license scanning is enabled

Loose File License(s) (license)
...
```

[cargo-msrv]: https://github.com/foresterre/cargo-msrv
[cargo-deadlinks]: https://github.com/deadlinks/cargo-deadlinks
[Trivy]: https://aquasecurity.github.io/trivy/
[CycloneDX]: https://cyclonedx.org/