Skip to content

C/C++

Trivy supports Conan C/C++ Package Manager (v1 and v2 with limitations).

The following scanners are supported.

Package manager SBOM Vulnerability License
Conan 1

The following table provides an outline of the features Trivy offers.

Package manager File Transitive dependencies Dev dependencies Dependency graph Position
Conan (lockfile v1) conan.lock2 Excluded
Conan (lockfile v2) conan.lock2 3 Excluded -

Conan

In order to detect dependencies, Trivy searches for conan.lock1.

Licenses

The Conan lock file doesn't contain any license information. To obtain licenses we parse the conanfile.py files from the conan v1 cache directory and conan v2 cache directory. To correctly detection licenses, ensure that the cache directory contains all dependencies used.


  1. The local cache should contain the dependencies used. See licenses

  2. conan.lock is default name. To scan a custom filename use file-patterns

  3. For conan.lock in version 2, indirect dependencies are included in analysis but not flagged explicitly in dependency tree