C/C++

Trivy supports Conan C/C++ Package Manager (v1 and v2 with limitations).

The following scanners are supported.

Package manager	SBOM	Vulnerability	License
Conan	✓	✓	✓¹

The following table provides an outline of the features Trivy offers.

Package manager	File	Transitive dependencies	Dev dependencies	Dependency graph	Position
Conan (lockfile v1)	conan.lock²	✓	Excluded	✓	✓
Conan (lockfile v2)	conan.lock²	✓ ³	Excluded	-	✓

Conan

In order to detect dependencies, Trivy searches for conan.lock¹.

Licenses

The Conan lock file doesn't contain any license information. To obtain licenses we parse the conanfile.py files from the conan v1 cache directory and conan v2 cache directory. To correctly detection licenses, ensure that the cache directory contains all dependencies used.

The local cache should contain the dependencies used. See licenses. ↩ ↩²
conan.lock is default name. To scan a custom filename use file-patterns. ↩ ↩²
For conan.lock in version 2, indirect dependencies are included in analysis but not flagged explicitly in dependency tree ↩

C/C++

C/C++

Conan

Licenses

Footnotes