feat(cli): change --list-all-pkgs default to true (#9510)

Teppei Fukuda
2025-09-24 14:06:39 +04:00
committed by GitHub
parent 404abb3d91
commit 7b663d86ca
23 changed files with 38 additions and 28 deletions

@@ -617,19 +617,15 @@ For more details, please check [here](../plugin/user-guide.md#output-mode-suppor
To generate multiple reports, you can generate the JSON report first and convert it to other formats with the `convert` subcommand.
```shell
$ trivy image --format json -o result.json --list-all-pkgs debian:11
$ trivy image --format json -o result.json debian:11
$ trivy convert --format cyclonedx --output result.cdx result.json
```
!!! note
Please note that if you want to convert to a format that requires a list of packages,
such as SBOM, you need to add the `--list-all-pkgs` flag when outputting in JSON.
[Filtering options](./filtering.md) such as `--severity` are also available with `convert`.
```shell
# Output all severities in JSON
$ trivy image --format json -o result.json --list-all-pkgs debian:11
$ trivy image --format json -o result.json debian:11
# Output only critical issues in table format
$ trivy convert --format table --severity CRITICAL result.json
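Review bot: Dropping the `!!! note` after the first example removes the only statement that converting to a package-listing format such as SBOM depends on the package list being present in the JSON report. With the default now true the flag is rightly gone from both examples, but a user who passes `--list-all-pkgs=false` or still has `list-all-pkgs: false` in a config file gets no hint that the resulting JSON is no longer suitable for `convert --format cyclonedx`. Suggest keeping a one-line note saying the package list must not be disabled when the JSON is meant for conversion.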

@@ -10,7 +10,7 @@ trivy convert [flags] RESULT_JSON
```
# report conversion
$ trivy image --format json --output result.json --list-all-pkgs debian:11
$ trivy image --format json --output result.json debian:11
$ trivy convert --format cyclonedx --output result.cdx result.json
```
@@ -37,7 +37,7 @@ trivy convert [flags] RESULT_JSON
-h, --help help for convert
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--report string specify a report format for the output (allowed values: all,summary) (default "all")
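Review bot: In the `convert` flag list the description of `--list-all-pkgs` does not say what `(default true)` means for a command whose input is an already generated `result.json`. The text still reads "output all packages in the JSON report", and the help does not make clear whether this controls only the converted output or whether the input report must itself contain the packages. Suggest a convert-specific description, or a sentence next to the example stating that the source JSON must have been produced with the package list enabled.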

@@ -81,7 +81,7 @@ trivy filesystem [flags] PATH
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
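Review bot: The `--list-all-pkgs` line now ends in `(default true)` but the description gives no way to turn it off, here and in the identical lines for the other subcommands. A boolean flag that defaults to true has to be negated as `--list-all-pkgs=false`; suggest saying so in the description, since users who want only the affected packages in the JSON report will look at this line first.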

@@ -99,7 +99,7 @@ trivy image [flags] IMAGE_NAME
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--max-image-size string [EXPERIMENTAL] maximum image size to process, specified in a human-readable format (e.g., '44kB', '17MB'); an error will be returned if the image exceeds this size
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")

@@ -91,7 +91,7 @@ trivy kubernetes [flags] [CONTEXT]
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--kubeconfig string specify the kubeconfig file path to use
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--no-progress suppress progress bar
--node-collector-imageref string indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.3.1")

@@ -80,7 +80,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar

@@ -83,7 +83,7 @@ trivy rootfs [flags] ROOTDIR
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar

@@ -64,7 +64,7 @@ trivy sbom [flags] SBOM_PATH
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name

@@ -75,7 +75,7 @@ trivy vm [flags] VM_IMAGE
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar

@@ -530,7 +530,7 @@ ignore-policy: ""
ignorefile: ".trivyignore"
# Same as '--list-all-pkgs'
list-all-pkgs: false
list-all-pkgs: true
# Same as '--output'
output: ""
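Review bot: Flipping the documented default from `list-all-pkgs: false` to `list-all-pkgs: true` changes the contents of the JSON report for everyone who never set the key, yet the commit is titled `feat(cli)` and nothing in the touched docs marks it as a behaviour change. Suggest a release-note or migration entry, and mention there that config files copied from the old reference with an explicit `list-all-pkgs: false` keep the previous behaviour.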

@@ -293,7 +293,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
</details>
!!! info
This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation.
This flag filters the packages themselves, so it also affects the list of detected packages in JSON reports and SBOM generation.
### Filtering by Package Relationships
@@ -313,7 +313,7 @@ The available relationships may vary depending on the ecosystem.
To see which relationships are supported for a particular project, you can use the JSON output format and check the `Relationship` field:
```
$ trivy repo -f json --list-all-pkgs /path/to/project
$ trivy repo -f json /path/to/project
```
To scan only the root package and its direct dependencies, you can use the flag as follows:
@@ -325,7 +325,7 @@ $ trivy repo --pkg-relationships root,direct /path/to/project
By default, all relationships are included in the scan.
!!! info
This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation.
This flag filters the packages themselves, so it also affects the list of detected packages in JSON reports and SBOM generation.
!!! warning
As it may not provide a complete package list, `--pkg-relationships` cannot be used with `--dependency-tree`, `--vex` or SBOM generation.
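Review bot: The reworded `!!! info` says `--pkg-relationships` affects SBOM generation, while the `!!! warning` directly below it says the flag cannot be used with SBOM generation. Since the info line is being rewritten anyway, suggest dropping "and SBOM generation" from it in this section, or explaining in which case the filter can reach an SBOM, so the two admonitions stop contradicting each other.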