docs: move info about detection priority into coverage section (aquasecurity#9469)

DmitriyLewen · knqyf263 · web-flow · commit 842ebdcb4a24 · 2025-09-22T11:48:39.000Z
Co-authored-by: knqyf263 &lt;knqyf263@gmail.com&gt;
diff --git a/docs/docs/scanner/vulnerability.md b/docs/docs/scanner/vulnerability.md
@@ -148,28 +148,17 @@ If you have software that is not managed by a package manager, Trivy can still d
 - [Rust Binaries with embedded information](../coverage/language/rust.md#binaries)
 - [SBOM embedded in container images](../supply-chain/sbom.md#sbom-detection-inside-targets)
 
-## Kubernetes
-
-Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes Cluster, or a KBOM (Kubernetes bill of Material). To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md).
-
-### Data Sources
-
-| Vendor     | Source                                      |
-|------------|---------------------------------------------|
-| Kubernetes | [Kubernetes Official CVE feed][k8s-cve][^1] |
-
-[^1]: Some manual triage and correction has been made.
-
-## Databases
-The information from the above sources is collected and stored in databases that Trivy uses for vulnerability scanning. Trivy automatically fetches, maintains, and caches the relevant databases when performing a vulnerability scan
-For more information about Trivy's Databases mechanism and configurations, refer to the [Databases document](../configuration/db.md).
-
 ## Detection Behavior
 Trivy prioritizes precision in vulnerability detection, aiming to minimize false positives while potentially accepting some false negatives.
 This approach is particularly relevant in two key areas:
 
-- Handling Software Installed via OS Packages
-- Handling Packages with Unspecified Versions
+- [Handling Software Installed via OS Packages](#handling-software-installed-via-os-packages)
+- [Handling Packages with Unspecified Versions](#handling-packages-with-unspecified-versions)
+
+Trivy can also detect only specific packages:
+
+- [Subset of Package Types](#enabling-a-subset-of-package-types)
+- [Specific package Relationship](#filtering-by-package-relationships)
 
 ### Handling Software Installed via OS Packages
 For files installed by OS package managers, such as `apt`, Trivy exclusively uses advisories from the OS vendor.
@@ -212,9 +201,29 @@ To detect potential vulnerabilities even with unspecified versions, use [--detec
 This option makes Trivy use the minimum version in the specified range for vulnerability detection.
 While this may increase false positives if the actual version used is not the minimum, it helps reduce false negatives.
 
-## Configuration
-This section describes vulnerability-specific configuration.
-Other common options are documented [here](../configuration/index.md).
+## Package Detection
+Vulnerability detection is based on package detection.
+This section describes the specifics of package detection, which also affect SBOM generation.
+
+### Detection Priority
+
+Trivy provides a `--detection-priority` flag to control the balance between false positives and false negatives in package/vulnerability detection.
+This concept is similar to the relationship between [precision and recall][precision-recall] in machine learning evaluation.
+
+```bash
+$ trivy image --detection-priority {precise|comprehensive} alpine:3.15
+```
+
+- `precise`: This mode prioritizes reducing false positives. It results in less noisy vulnerability reports but may miss some potential vulnerabilities.
+- `comprehensive`: This mode aims to detect more vulnerabilities, potentially including some that might be false positives.
+  It provides broader coverage but may increase the noise in the results.
+
+The default value is `precise`. Also refer to the [detection behavior](#detection-behavior) section for more information.
+
+Regardless of the chosen mode, user review of detected vulnerabilities is crucial:
+
+- `precise`: Review thoroughly, considering potential missed vulnerabilities.
+- `comprehensive`: Carefully investigate each reported vulnerability due to increased false positive possibility.
 
 ### Enabling a Subset of Package Types
 
@@ -288,7 +297,6 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
 
 ### Filtering by Package Relationships
 
-
 Trivy supports filtering vulnerabilities based on the relationship of packages within a project.
 This is achieved through the `--pkg-relationships` flag.
 This feature allows you to focus on vulnerabilities in specific types of dependencies, such as only those in direct dependencies.
@@ -322,25 +330,25 @@ By default, all relationships are included in the scan.
 !!! warning
     As it may not provide a complete package list, `--pkg-relationships` cannot be used with `--dependency-tree`, `--vex` or SBOM generation.
 
-### Detection Priority
+## Kubernetes
 
-Trivy provides a `--detection-priority` flag to control the balance between false positives and false negatives in vulnerability detection.
-This concept is similar to the relationship between [precision and recall][precision-recall] in machine learning evaluation.
+Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes Cluster, or a KBOM (Kubernetes bill of Material). To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md).
 
-```bash
-$ trivy image --detection-priority {precise|comprehensive} alpine:3.15
-```
+### Data Sources
 
-- `precise`: This mode prioritizes reducing false positives. It results in less noisy vulnerability reports but may miss some potential vulnerabilities.
-- `comprehensive`: This mode aims to detect more vulnerabilities, potentially including some that might be false positives.
-  It provides broader coverage but may increase the noise in the results.
+| Vendor     | Source                                      |
+|------------|---------------------------------------------|
+| Kubernetes | [Kubernetes Official CVE feed][k8s-cve][^1] |
 
-The default value is `precise`. Also refer to the [detection behavior](#detection-behavior) section for more information.
+[^1]: Some manual triage and correction has been made.
 
-Regardless of the chosen mode, user review of detected vulnerabilities is crucial:
+## Databases
+The information from the above sources is collected and stored in databases that Trivy uses for vulnerability scanning. Trivy automatically fetches, maintains, and caches the relevant databases when performing a vulnerability scan
+For more information about Trivy's Databases mechanism and configurations, refer to the [Databases document](../configuration/db.md).
 
-- `precise`: Review thoroughly, considering potential missed vulnerabilities.
-- `comprehensive`: Carefully investigate each reported vulnerability due to increased false positive possibility.
+## Configuration
+This section describes vulnerability-specific configuration.
+Other common options are documented [here](../configuration/index.md).
 
 ### Overriding OS version
 By default, Trivy automatically detects the OS during container image scanning and performs vulnerability detection based on that OS.
diff --git a/docs/docs/supply-chain/sbom.md b/docs/docs/supply-chain/sbom.md
@@ -185,6 +185,8 @@ Trivy supports the following packages.
 - [OS packages][os_packages]
 - [Language-specific packages][language_packages]
 
+Trivy has a specific logic for package detection.
+See the [package detection](../scanner/vulnerability.md#package-detection) section for more information.
 
 ### Formats
 #### CycloneDX
