trivy

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/4903

Changelog

• d19c7d9f2 feat(repo): support local repositories (#4890)
• 3c1976187 bump go-dep-parser (#4893)
• e1c2a8c80 fix(misconf): add missing fields to proto (#4861)
• 8b8e0e83d fix: remove trivy-db package replacement (#4877)
• f9efe44fd chore(test): bump the integration test timeout to 15m (#4880)
• 7271d682f chore(deps): Update defsec to v0.91.0 (#4886)
• c3bc67c89 chore: update CODEOWNERS (#4871)
• 232ba823e feat(vuln): support vulnerability status (#4867)
• 11618c940 feat(misconf): Support custom URLs for policy bundle (#4834)
• 07075696d refactor: replace with sortable packages (#4858)
• fbe1c9eb1 docs: correct license scanning sample command (#4855)
• 20c2246a6 fix(report): close the file (#4842)
• 24a3e547d feat(nodejs): add support for include-dev-deps flag for yarn (#4812)
• a7bd7bb65 feat(misconf): Add support for independently enabling libraries (#4070)
• 4aa9ea096 feat(secret): add secret config file for cache calculation (#4837)
• 5d349d814 Fix a link in gitlab-ci.md (#4850)
• a61531c1f fix(flag): use globalstar to skip directories (#4854)
• 78cc20937 chore(deps): bump github.com/docker/docker from v23.0.5+incompatible to v23.0.7-0.20230714215826-f00e7af96042+incompatible (#4849)
• 93996041b fix(license): using common way for splitting licenses (#4434)
• 3e2416d77 fix(containerd): Use img platform in exporter instead of strict host platform (#4477)
• ce77bb46c remove govulndb (#4783)
• c05caae43 fix(java): inherit licenses from parents (#4817)
• aca11b95d refactor: add allowed values for CLI flags (#4800)
• 4cecd17ea add example regex to allow rules (#4827)
• 4bc8d29c1 feat(misconf): Support custom data for rego policies for cloud (#4745)
• 88243a0ad docs: correcting the trivy k8s tutorial (#4815)
• 3c7d988d7 feat(cli): add --tf-exclude-downloaded-modules flag (#4810)
• fd0fd104f fix(sbom): cyclonedx recommendations should include fixed versions for each package (#4794)
• d0d543b88 feat(misconf): enable --policy flag to accept directory and files both (#4777)
• b43a3e623 feat(python): add license fields (#4722)
• aef7b148a fix: support trivy k8s-version on k8s sub-command (#4786)

Changelog

• 5d76abadc chore(deps): Update defsec to v0.90.3 (#4793)
• fed446c51 chore(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 (#4752)
• df62927e5 chore(deps): bump alpine from 3.18.0 to 3.18.2 (#4748)
• 1b9b9a84f chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.3 to 2.30.4 (#4758)
• 3c16ca821 docs(image): fix the comment on the soft/hard link (#4740)
• e5bee5ccc check Type when filling pkgs in vulns (#4776)
• 4b9f310b9 feat: add support of linux/ppc64le and linux/s390x architectures for Install.sh script (#4770)
• 8e7fb7cc8 chore(deps): bump modernc.org/sqlite from 1.20.3 to 1.23.1 (#4756)
• a9badeaba fix(rocky): add architectures support for advisories (#4691)
• f8ebccc68 chore(deps): bump github.com/opencontainers/image-spec (#4751)
• 1c81948e0 chore(deps): bump github.com/package-url/packageurl-go (#4754)
• 497cc10d8 chore(deps): bump golang.org/x/sync from 0.2.0 to 0.3.0 (#4750)
• 065f0afa5 chore(deps): bump github.com/tetratelabs/wazero from 1.2.0 to 1.2.1 (#4755)
• e2603056d chore(deps): bump github.com/testcontainers/testcontainers-go (#4759)
• 0621402bf fix: documentation about reseting trivy image (#4733)
• 798fdbc01 fix(suse): Add openSUSE Leap 15.5 eol date as well (#4744)
• 34a89293d fix: update Amazon Linux 1 EOL (#4761)

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/4741

Changelog

• 600819248 chore(deps): Update defsec to v0.90.1 (#4739)
• 73734eab2 feat(nodejs): support yarn workspaces (#4664)
• 22463abab feat(cli): add include-dev-deps flag (#4700)
• 790c8054e fix(image): pass the secret scanner option to scan the img config (#4735)
• 86fec9c4a fix: scan job pod it not found on k8s-1.27.x (#4729)
• 26bc91160 feat(docker): add support for mTLS authentication when connecting to registry (#4649)
• d699e8c10 chore(deps): Update defsec to v0.90.0 (#4723)
• 1777878e8 fix: skip scanning the gpg-pubkey package (#4720)
• 9be08253a Fix http registry oci pull (#4701)
• 5d73b47db feat(misconf): Support skipping services (#4686)
• 46e784c8a docs: fix supported modes for pubspec.lock files (#4713)
• 0f61a8471 fix(misconf): disable the terraform plan analyzer for other scanners (#4714)
• 8a1aa448a clarifying a dir path is required for custom policies (#4716)
• fbab9eea3 chore: update alpine base images (#4715)
• f84417bba fix last-history-created (#4697)
• 85c681d44 feat: kbom and cyclonedx v1.5 spec support (#4708)
• 46748ce6e docs: add information about Aqua (#4590)
• c6741bddf fix: k8s escape resource filename on windows os (#4693)
• a21acc7e0 ci: ignore merge queue branches (#4696)
• 32a3a3311 chore(deps): bump actions/checkout from 2.4.0 to 3.5.3 (#4695)
• cbb47dc7c chore(deps): bump aquaproj/aqua-installer from 2.1.1 to 2.1.2 (#4694)
• e3d10d251 feat: cyclondx sbom custom property support (#4688)
• e1770e046 ci: do not trigger tests in main (#4692)
• 337c0b70d add SUSE Linux Enterprise Server 15 SP5 and update SP4 eol date (#4690)
• 5ccee1430 use group field for jar in cyclonedx (#4674)
• 96db52c3f feat(java): capture licenses from pom.xml (#4681)
• 3e902a57a feat(helm): make sessionAffinity configurable (#4623)
• 904f1cf24 fix: Show the correct URL of the secret scanning (#4682)
• 7d48c5d5d document expected file pattern definition format (#4654)
• dcc73e964 fix: format arg error (#4642)
• 35c4262d0 feat(k8s): cyclonedx kbom support (#4557)
• 0e01851e9 fix(nodejs): remove unused fields for the pnpm lockfile (#4630)
• 4d9b44449 fix(vm): update ext4-filesystem parser for parse multi block extents (#4616)
• c29197ab7 ci: update build IDs (#4641)
• d7637adc6 fix(debian): update EOL for Debian 12 (#4647)
• ef39eeedf chore(deps): bump go-containerregistry (#4639)
• 1ce8bb535 chore: unnecessary use of fmt.Sprintf (S1039) (#4637)
• bc9513fc5 fix(db): change argument order in Exists query for JavaDB (#4595)
• aecd2f0bf feat(aws): Add support to see successes in results (#4427)
• 2cbf402b6 chore(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 (#4613)
• 0099b20e3 ci: do not trigger tests in main (#4614)
• a597a54fb chore(deps): bump sigstore/cosign-installer (#4609)
• b453fbec3 chore(deps): bump CycloneDX/gh-gomod-generate-sbom from 1 to 2 (#4608)
• 0e876d5aa ci: bypass the required status checks (#4611)
• a4f27d24a ci: support merge queue (#3652)
• 9e6411e9f ci: matrix build for testing (#4587)
• ef6538a17 feat: trivy k8s private registry support (#4567)
• 139f3e1e3 docs: add general coverage page (#3859)
• 479cfdd40 chore: create SECURITY.md (#4601)

Changelog

• 9a279fa7b ci: remove 32bit packages (#4585)
• d52b0b7bc fix(misconf): deduplicate misconf results (#4588)
• 9b531fa27 fix(vm): support sector size of 4096 (#4564)
• 8ca1bfdd2 fix(misconf): terraform relative paths (#4571)
• c20d46604 fix(purl): skip unsupported library type (#4577)
• 52cbe7975 fix(terraform): recursively detect all Root Modules (#4457)
• 4a5b91557 fix(vm): support post analyzer for vm command (#4544)
• 56cdc55f7 fix(nodejs): change the type of the devDependencies field (#4560)
• 17d753676 fix(sbom): export empty dependencies in CycloneDX (#4568)
• 2796abe1e refactor: add composite fs for post-analyzers (#4556)
• 22a157380 chore(deps): bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 (#4554)
• 43586659a chore(deps): bump helm/kind-action from 1.5.0 to 1.7.0 (#4526)
• 508139965 chore(deps): bump github.com/BurntSushi/toml from 1.2.1 to 1.3.0 (#4528)
• e1a38128a chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.2 to 2.30.3 (#4529)
• 283eef637 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 (#4536)
• bbd7b9874 chore(deps): bump github.com/tetratelabs/wazero from 1.0.0 to 1.2.0 (#4549)
• 11c81bf2f chore(deps): bump github.com/spf13/cast from 1.5.0 to 1.5.1 (#4532)
• 2d8d63e61 chore(deps): bump github.com/testcontainers/testcontainers-go (#4537)
• a46839b1c chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#4530)
• 19715f5de chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#4534)

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/4541

Changelog

• 854b63940 chore(deps): bump github.com/sigstore/rekor from 1.2.0 to 1.2.1 (#4533)
• 59e1a8664 chore(deps): bump alpine from 3.17.3 to 3.18.0 (#4525)
• 9ef01133c feat: add SBOM analyzer (#4210)
• dadd1e10c fix(sbom): update logic for work with files in spdx format (#4513)
• 1a658210a feat: azure workload identity support (#4489)
• 411862c90 feat(ubuntu): add eol date for 18.04 ESM (#4524)
• 62a1aaf03 fix(misconf): Update required extensions for terraformplan (#4523)
• 48b2e15c2 refactor(cyclonedx): add intermediate representation (#4490)
• c15f269a9 fix(misconf): Remove debug print while scanning (#4521)
• b6ee08e55 fix(java): remove duplicates of jar libs (#4515)
• d4740401a fix(java): fix overwriting project props in pom.xml (#4498)
• 4cf2f94d0 docs: Update compilation instructions (#4512)
• 18ce1c336 fix(nodejs): update logic for parsing pnpm lock files (#4502)
• 87eed38c6 fix(secret): remove aws-account-id rule (#4494)
• b0c591ef6 feat(oci): add support for referencing an input image by digest (#4470)
• b84b5ecfc chore(deps): bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#4338)
• 305255a49 docs: fixed the format (#4503)
• d586de585 fix(java): add support of * for exclusions for pom.xml files (#4501)
• de6eef3b0 feat: adding issue template for documentation (#4453)
• 83a9c4a4c docs: switch glad to ghsa for Go (#4493)
• 537272257 chore(deps): Update defsec to v0.89.0 (#4474)
• 6fcd1538d feat(misconf): Add terraformplan support (#4342)
• 72e302cf8 feat(debian): add digests for dpkg (#4445)
• 7e99d08a1 chore(deps): bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 (#4478)
• 12a1789be feat(k8s): exclude node scanning by node labels (#4459)
• 919e8c92b docs: add info about multi-line mode for regexp from custom secret rules (#4159)
• 50fe43f14 feat(cli): convert JSON reports into a different format (#4452)
• 09db1d438 feat(image): add logic to guess base layer for docker-cis scan (#4344)
• 3f0721ff6 fix(cyclonedx): set original names for packages (#4306)
• 0ef0dadb1 feat: group subcommands (#4449)
• 3a7717fde feat(cli): add retry to cache operations (#4189)
• 63cfb2714 fix(vuln): report architecture for apk packages (#4247)
• e1361368a refactor: enable cases where return values are not needed in pipeline (#4443)
• 29b5f7e8e fix(image): resolve scan deadlock when error occurs in slow mode (#4336)
• 92ed344e8 docs(misconf): Update docs for kubernetes file patterns (#4435)
• 16af41be1 test: k8s integration tests (#4423)
• cab8569cd feat(redhat): add package digest for rpm (#4410)
• 92f9e98d0 feat(misconf): Add --reset-policy-bundle for policy bundle (#4167)
• 33fb04763 fix: typo (#4431)
• 8b162f287 add user instruction to imgconf (#4429)
• 3b7c9198d fix(k8s): add image sources (#4411)
• c75d35ff6 docs(scanning): Add versioning banner (#4415)
• d298415c0 feat(cli): add mage command to update golden integration test files (#4380)
• 1a56295ff feat: node-collector custom namespace support (#4407)
• 864ad10a3 chore(deps): bump owenrumney/go-sarif from v2.1.3 to v2.2.0 (#4378)
• 7a20d9622 refactor(sbom): use multiline json for spdx-json format (#4404)
• ea5fd75ff fix(ubuntu): add EOL date for Ubuntu 23.04 (#4347)
• 56a01ec6f refactor: code-optimization (#4214)
• 6a0e15265 feat(image): Add image-src flag to specify which runtime(s) to use (#4047)
• 50c8b418a test: skip wrong update of test golden files (#4379)
• 51ca6536c refactor: don't return error for package.json without version/name (#4377)
• e5e7ebcda docs: cmd error (#4376)
• 6ee496077 test(cli): add test for config file and env combination (#2666)
• c067b026e fix(report): set a correct file location for license scan output (#4326)
• ff6374829 ci: rpm repository for all versions and aarch64 (#4077)
• 0009b02bb chore(alpine): Update Alpine to 3.18 (#4351)
• d61ae8cc7 fix(alpine): add EOL date for Alpine 3.18 (#4308)
• 636ce808f chore(deps): bump github.com/docker/distribution (#4337)
• e859d10ee feat: allow root break for mapfs (#4094)
• a6ef37fa3 docs(misconf): Remove examples.md (#4256)
• dca8c039e fix(ubuntu): update eol dates for Ubuntu (#4258)
• b003f58b2 feat(alpine): add digests for apk packages (#4168)
• 86f001616 chore: add discussion templates (#4190)
• 2f318ce97 fix(terraform): Support tfvars (#4123)
• ec3906c24 chore: separate docs:generate (#4242)
• 37b25d28b chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#4246)
• 45d5edb0d refactor: define vulnerability scanner interfaces (#4117)
• 090a00e71 feat: unified k8s scan resources (#4188)
• f2188eb56 chore(deps): Update defsec to v0.88.1 (#4178)
• b79850f41 chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.1 to 2.30.2 (#4141)
• 36acdfa8d chore: trivy bin ignore (#4212)
• 55fb723a6 feat(image): enforce image platform (#4083)
• 9c87cb271 chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.1.2 to 2.1.3 (#4143)
• 21cf179f6 chore(deps): bump github.com/docker/docker (#4144)
• fbf7a77ae chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.1 to 2.0.2 (#4146)
• 547391c22 chore(deps): bump aquaproj/aqua-installer from 2.0.2 to 2.1.1 (#4140)
• 882bfdd78 fix(ubuntu): fix version selection logic for ubuntu esm (#4171)
• 949cd10c0 chore(deps): bump github.com/samber/lo from 1.37.0 to 1.38.1 (#4147)
• 93bc162ca chore(deps): bump github.com/hashicorp/go-getter from 1.7.0 to 1.7.1 (#4145)
• 57993ef67 chore(deps): bump sigstore/cosign-installer from 3.0.1 to 3.0.3 (#4138)
• dc4baeb35 chore(deps): bump github.com/testcontainers/testcontainers-go (#4150)
• 25d0255dc chore: install.sh support for windows (#4155)
• 73e54549f chore(deps): bump github.com/sigstore/rekor from 1.1.0 to 1.1.1 (#4166)
• 08de7c613 chore(deps): bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#4149)
• ade4730fa docs: moving skipping files out of others (#4154)

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/4135

Changelog

• 1be1e2e63 fix(spdx): add workaround for no src packages (#4118)
• 45bc9e0de test(golang): rename broken go.mod (#4129)
• 3334e78fa feat(sbom): add supplier field (#4122)
• 27fb1bfde test(misconf): skip downloading of policies for tests #4126
• 845ae31e5 refactor: use debug message for post-analyze errors (#4037)
• 11a5b91a1 feat(sbom): add VEX support (#4053)
• 5eab46498 feat(sbom): add primary package purpose field for SPDX (#4119)
• a00d00eb9 fix(k8s): fix quiet flag (#4120)
• 9bc326909 fix(python): parse of pip extras (#4103)
• 855984167 feat(java): use full path for nested jars (#3992)
• 0650e0e1d feat(license): add new flag for classifier confidence level (#4073)
• 43b649627 feat: config and fs compliance support (#4097)
• 9181bc1f7 chore(deps): bump sigstore/cosign-installer from 2.8.1 to 3.0.1 (#3952)
• 48e021ea6 feat(spdx): add support for SPDX 2.3 (#4058)
• 107752df6 fix: k8s all-namespaces support (#4096)
• bd0c60364 perf(misconf): replace with post-analyzers (#4090)
• 76662d5dd fix(helm): update networking API version detection (#4106)
• be47b688c feat(image): custom docker host option (#3599)
• cc18f92cf style: debug flag is incorrect and needs extra - (#4087)
• 572a6193e docs(vuln): Document inline vulnerability filtering comments (#4024)
• 914c6f092 feat(fs): customize error callback during fs walk (#4038)
• 3f02feeff fix(ubuntu): skip copyright files from subfolders (#4076)
• 57bb77c06 docs: restructure scanners (#3977)
• b19b56c34 fix: fix file does not exist error for post-analyzers (#4061)

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/4074

Changelog

• b43b19ba5 feat(flag): Support globstar for --skip-files and --skip-directories (#4026)
• 14805002d chore(deps): bump actions/stale from 7 to 8 (#3955)
• 83bb97ab1 fix: return insecure option to download javadb (#4064)
• 79a1ba32d fix(nodejs): don't stop parsing when unsupported yarn.lock protocols are found (#4052)
• ff1c43a79 ci: add gpg signing for RPM packages (#4056)
• b608b116c fix(k8s): current context title (#4055)
• 2c3b60f4c fix(k8s): quit support on k8s progress bar (#4021)
• a6b864213 chore: add a note about Dockerfile.canary (#4050)
• 90b80662c ci: fix path to canary binaries (#4045)
• dcefc6bf3 fix(vuln): report architecture for debian packages (#4032)
• 601e25fb2 feat: add support for Chainguard's commercial distro (#3641)
• 0bebec19f ci: bump goreleaser for Github Action from 1.4.1 to 1.16.2 (#3979)
• 707ea9423 fix(vuln): fix error message for remote scanners (#4031)
• 8e1fe769e feat(report): add image metadata to SARIF (#4020)
• 4b36e97dc docs: fix broken cache link on Installation page (#3999)
• f0df725c5 fix: lock downloading policies and database (#4017)
• 009675c82 fix: avoid concurrent access to the global map (#4014)
• 3ed86aa3d feat(rust): add Cargo.lock v3 support (#4012)
• f31dea4bd feat: auth support oci download server subcommand (#4008)
• d37c50a2b chore(deps): bump github.com/docker/docker (#4009)
• 693d20516 chore: install.sh support for armv7 (#3985)
• 65d89b99d chore(deps): bump github.com/Azure/go-autorest/autorest/adal (#3961)

Changelog

• a119ef86e fix(rust): fix panic when 'dependencies' field is not used in cargo.toml (#3997)
• c8283cebd fix(sbom): fix infinite loop for cyclonedx (#3998)
• 6c8b04254 chore(deps): bump helm/chart-testing-action from 2.3.1 to 2.4.0 (#3954)
• c42f360f5 fix: use warning for errors from enrichment files for post-analyzers (#3972)
• 20c21cacc chore(deps): bump github.com/docker/docker (#3963)
• 54388ffd1 fix(helm): added annotation to psp configurable from values (#3893)
• 99a251981 chore(deps): bump github.com/go-git/go-git/v5 from 5.5.2 to 5.6.1 (#3962)
• d113b9313 fix(secret): update built-in rule tests (#3855)
• 5ab6d2588 chore(deps): bump github.com/alicebob/miniredis/v2 from 2.23.0 to 2.30.1 (#3957)
• 0767cb844 test: rewrite scripts in Go (#3968)
• 428ee19ca docs(cli): Improve glob documentation (#3945)
• 3e00dc346 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#3959)
• cf2f0b2d1 ci: check CLI references (#3967)
• 70f507e1a chore(deps): bump alpine from 3.17.2 to 3.17.3 (#3951)
• befabc6b9 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.212 to 1.44.234 (#3956)
• ee69abb78 chore(deps): bump github.com/moby/buildkit from 0.11.4 to 0.11.5 (#3958)
• 8901f7be6 chore(deps): bump actions/setup-go from 3 to 4 (#3953)
• 4e6bbbc8c chore(deps): bump actions/cache from 3.2.6 to 3.3.1 (#3950)
• d70f346f5 chore(deps): bump github.com/containerd/containerd from 1.6.19 to 1.7.0 (#3965)
• 3efb2fded chore(deps): bump github.com/sigstore/rekor from 1.0.1 to 1.1.0 (#3964)

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/3949

Changelog

• ed590966a docs(cli): added makefile and go file to create docs (#3930)
• a2f39a34c chore: Revert "ci: add gpg signing for RPM packages (#3612)" (#3946)
• 5a1063102 chore: ignore gpg key (#3943)
• 4072115e5 feat(cyclonedx): support dependency graph (#3177)
• 7cad265b7 chore(deps): Bump defsec to v0.85.0 (#3940)
• f8b573311 feat(rust): remove dev deps and find direct deps for Cargo.lock (#3919)
• 10796a291 feat(server): redis with public TLS certs support (#3783)
• abff1398c feat(flag): Add glob support to --skip-dirs and --skip-files (#3866)
• b40f60c40 chore: replace make with mage (#3932)
• 67236f6aa fix(sbom): add checksum to files (#3888)
• 00de24b16 chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#3928)
• 5976d1fa0 chore: remove unused mount volumes (#3927)
• f14bed453 feat: add auth support for downloading OCI artifacts (#3915)
• 1ee05189f refactor(purl): use epoch in qualifier (#3913)
• 0000252ce chore(deps): bump github.com/in-toto/in-toto-golang from 0.5.0 to 0.7.0 (#3727)
• ca0d972cd feat(image): add registry options (#3906)
• 033655577 feat(rust): dependency tree and line numbers support for cargo lock file (#3746)
• dd9cd9528 chore(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1 (#3905)
• edb06826b feat(php): add support for location, licenses and graph for composer.lock files (#3873)
• c02b15b37 chore(deps): updates wazero to 1.0.0 (#3904)
• 63ef760c6 feat(image): discover SBOM in OCI referrers (#3768)
• 3fa703c03 docs: change cache-dir key in config file (#3897)
• 4d78747c4 fix(sbom): use release and epoch for SPDX package version (#3896)
• 67572dff6 ci: add gpg signing for RPM packages (#3612)
• e76d5ff98 docs: Update incorrect comment for skip-update flag (#3878)
• 011ea60db refactor(misconf): simplify policy filesystem (#3875)
• 6445309de feat(nodejs): parse package.json alongside yarn.lock (#3757)
• 6e9c2c36d fix(spdx): add PkgDownloadLocation field (#3879)
• 18eeea2f6 fix(report): try to guess direct deps for dependency tree (#3852)
• 02b691421 chore(amazon): update EOL (#3876)
• 79096e116 fix(nodejs): improvement logic for package-lock.json v2-v3 (#3877)
• fc2e80cfe feat(amazon): add al2023 support (#3854)
• 5f8d69d72 chore(deps): bump github.com/cheggaaa/pb/v3 from 3.1.0 to 3.1.2 (#3736)
• 7916aafff docs(misconf): Add information about selectors (#3703)
• 1b1ed39c7 docs(cli): update CLI docs with cobra (#3815)
• 234a360a7 feat: k8s parallel processing (#3693)
• b864b3b92 docs: add DefectDojo in the Security Management section (#3871)
• ad34c989d chore(deps): updates wazero to 1.0.0-rc.2 (#3853)
• 7148de325 refactor: add pipeline (#3868)
• 927acf957 feat(cli): add javadb metadata to version info (#3835)
• 33074cfab chore(deps): Move compliance types to defsec (#3842)
• ba9b0410c feat(sbom): add support for CycloneDX JSON Attestation of the correct specification (#3849)
• a754a04e2 feat: add node toleration option (#3823)
• 9e4b57fb4 fix: allow mapfs to open dirs (#3867)
• 09fd299f9 fix(report): update uri only for os class targets (#3846)
• 09e13022c feat(nodejs): Add v3 npm lock file support (#3826)
• 52cbfebcd feat(nodejs): parse package.json files alongside package-lock.json (#2916)
• d6a2d6369 docs(misconf): Fix links to built in policies (#3841)

Changelog

• a12f58be5 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.86.1 to 1.89.1 (#3827)
• ee518350c fix(java): skip empty files for jar post analyzer (#3832)
• 3987a679f fix(docker): build healthcheck command for line without /bin/sh prefix (#3831)
• 2bb25e766 refactor(license): use goyacc for license parser (#3824)
• 00c763bc1 chore(deps): bump github.com/docker/docker from 23.0.0-rc.1+incompatible to 23.0.1+incompatible (#3586)
• cac5881bb fix: populate timeout context to node-collector (#3766)
• bd9c6e613 fix: exclude node collector scanning (#3771)
• 20f10673b fix: display correct flag in error message when skipping java db update #3808
• 1fac7bf1b fix: disable jar analyzer for scanners other than vuln (#3810)
• aaf265881 fix(sbom): fix incompliant license format for spdx (#3335)
• f8307635a fix(java): the project props take precedence over the parent's props (#3320)
• 1aa3b7dc2 docs: add canary build info to README.md (#3799)
• 57904c0f9 docs: adding link to gh token generation (#3784)
• bdccf7233 docs: changing docs in accordance with #3460 (#3787)

Changelog

• 800473a8b chore(deps): bump github.com/moby/buildkit from 0.11.0 to 0.11.4 (#3789)
• e6ab389f9 chore(deps): bump actions/add-to-project from 0.4.0 to 0.4.1 (#3724)
• 6614398ab fix(license): disable jar analyzer for licence scan only (#3780)
• 1dc6fee78 bump trivy-issue-action to v0.0.0; skip pkg dir (#3781)
• 3357ed096 fix: skip checking dirs for required post-analyzers (#3773)
• 1064636b3 docs: add information about plugin format (#3749)
• 60b7ef5a5 fix(sbom): add trivy version to spdx creators tool field (#3756)

Changelog

• 497c955a4 feat(misconf): Add support to show policy bundle version (#3743)
• 5d54310d7 fix(python): fix error with optional dependencies in pyproject.toml (#3741)
• 44cf1e2f5 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.210 to 1.44.212 (#3740)
• 743b4b0d9 add id for package.json files (#3750)
• 6de43855f chore(deps): bump github.com/containerd/containerd from 1.6.18 to 1.6.19 (#3738)
• 9a0ceef16 chore(deps): bump actions/cache from 3.2.4 to 3.2.6 (#3725)
• 0501b46d4 chore(deps): bump github.com/google/go-containerregistry (#3731)
• ee3004d29 chore(deps): bump go.etcd.io/bbolt from 1.3.6 to 1.3.7 (#3732)
• 5c8e604f5 chore(deps): bump alpine from 3.17.1 to 3.17.2 (#3723)

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/3719

Changelog

• bc0836623 fix(cli): pass integer to exit-on-eol (#3716)
• 23cdac02e feat: add kubernetes pss compliance (#3498)
• 302c8ae24 feat: Adding --module-dir and --enable-modules (#3677)
• 34120f420 feat: add special IDs for filtering secrets (#3702)
• e399ed843 chore(deps): Update defsec (#3713)
• ef7b762e4 docs(misconf): Add guide on input schema (#3692)
• 00daebc16 feat(go): support dependency graph and show only direct dependencies in the tree (#3691)
• 98d103155 feat: docker multi credential support (#3631)
• b79136287 feat: summarize vulnerabilities in compliance reports (#3651)
• 719fdb1b1 feat(python): parse pyproject.toml alongside poetry.lock (#3695)
• 3ff5699b4 feat(python): add dependency tree for poetry lock file (#3665)
• 33909d9df fix(cyclonedx): incompliant affect ref (#3679)
• d85a3e087 chore(helm): update skip-db-update environment variable (#3657)
• 551899c24 fix(spdx): change CreationInfo timestamp format RFC3336Nano to RFC3336 (#3675)
• 3aaa2cfb7 fix(sbom): export empty dependencies in CycloneDX (#3664)
• 9d1300c3e docs: java-db air-gap doc tweaks (#3561)
• 793cc43d4 feat(go): license support (#3683)
• 6a3294e47 feat(ruby): add dependency tree/location support for Gemfile.lock (#3669)
• e9dc21d88 fix(k8s): k8s label size (#3678)
• 12976d42d fix(cyclondx): fix array empty value, null to [] (#3676)
• 1dc2b349c refactor: rewrite gomod analyzer as post-analyzer (#3674)
• 92eaf636c feat: config outdated-api result filtered by k8s version (#3578)
• 9af436b99 fix: Update to Alpine 3.17.2 (#3655)
• 88ee68d0c feat: add support for virtual files (#3654)
• 75c96bd96 feat: add post-analyzers (#3640)
• baea3997d chore(deps): updates wazero to 1.0.0-pre.9 (#3653)
• 7ca0db17e chore(deps): bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 (#3528)
• 866999e45 chore(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18 (#3633)
• b7bfb9a20 feat(python): add dependency locations for Pipfile.lock (#3614)
• 9badef27a chore(deps): bump golang.org/x/net from 0.5.0 to 0.7.0 (#3648)
• d856595b8 fix(java): fix groupID selection by ArtifactID for jar files. (#3644)
• fe7c26a74 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.63.1 to 1.85.0 (#3607)
• f251dfc5c fix(aws): Adding a fix for update-cache flag that is not applied on AWS scans. (#3619)
• 9be8062c1 feat(cli): add command completion (#3061)
• 370098dbf docs(misconf): update dockerfile link (#3627)
• 32acd293f feat(flag): add exit-on-eosl option (#3423)
• aa8e185e0 chore(deps): bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.2 (#3533)
• 86603bb9c fix(cli): make java db repository configurable (#3595)
• 7b1e173f5 chore: bump trivy-kubernetes (#3613)

Changelog

• 85d5d61b chore(helm): update Trivy from v0.36.1 to v0.37.2 (#3574)
• 2c17260b chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#3536)
• c54f1aa8 chore(deps): bump golang/x/mod to v0.8.0 (#3606)
• 625ea581 chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.5.0 (#3529)
• 623c7f94 chore(deps): bump helm.sh/helm/v3 from 3.10.3 to 3.11.1 (#3580)
• d291c34f ci: quote pros in c++ for semantic pr (#3605)
• 6cac6c91 fix(image): check proxy settings from env for remote images (#3604)

💔Breaking Change💔

Java DB

Added breaking change to Trivy Java DB.
Users who are using Trivy v0.37.0 or v0.37.1 for Java scanning need to remove the local cached Java DB with trivy image --reset and update Trivy to v0.37.2.

Changelog

• 12b563b9 BREAKING: use normalized trivy-java-db (#3583)
• 72a14c67 fix(image): add timeout for remote images (#3582)
• 4c01d73f chore(deps): bump golang.org/x/mod from 0.6.0 to 0.7.0 (#3532)
• 10dd5d1a chore(deps): bump golang.org/x/text from 0.5.0 to 0.6.0 (#3534)
• 439c541f fix(misconf): handle dot files better (#3550)
• 200e04a7 chore: bump Go to 1.19 (#3551)
• a533ca87 chore(deps): bump alpine from 3.17.0 to 3.17.1 (#3522)
• 4bccbe6e chore(deps): bump docker/build-push-action from 3 to 4 (#3523)
• d0562085 chore(deps): bump actions/cache from 3.2.2 to 3.2.4 (#3524)
• f5e65749 chore(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.4.0 (#3525)
• d3da459d chore(deps): bump aquaproj/aqua-installer from 1.2.0 to 2.0.2 (#3526)

Changelog

• 7f8868b7 fix(sbom): download the Java DB when generating SBOM (#3539)
• 364379b7 fix: use cgo free sqlite driver (#3521)
• 0205475f ci: fix path to dist folder (#3527)

Changelog

• e9d2af91 fix(image): close layers (#3517)
• b1694240 refactor: db client changed (#3515)
• 7bf1e192 feat(java): use trivy-java-db to get GAV (#3484)
• 023e45b8 docs: add note about the limitation in Rekor (#3494)
• 0fe62a93 docs: aggregate targets (#3503)
• 0373e082 deps: updates wazero to 1.0.0-pre.8 (#3510)
• a2e21f9b docs: add alma 9 and rocky 9 to supported os (#3513)
• 7d778b75 chore(deps): bump defsec to v0.82.9 (#3512)
• 9e9dbea7 chore: add missing target labels (#3504)
• d99a7b82 docs: add java vulnerability page (#3429)
• cb5af0b3 feat(image): add support for Docker CIS Benchmark (#3496)
• 6eec9ac0 feat(image): secret scanning on container image config (#3495)
• 1eca973c chore(deps): Upgrade defsec to v0.82.8 (#3488)
• fb0d8f3f feat(image): scan misconfigurations in image config (#3437)
• 501d424d chore(helm): update Trivy from v0.30.4 to v0.36.1 (#3489)
• 475dc17b feat(k8s): add node info resource (#3482)
• ed173b82 perf(secret): optimize secret scanning memory usage (#3453)
• 1b368be3 feat: support aliases in CLI flag, env and config (#3481)
• 66a83d5c fix(k8s): migrate rbac k8s (#3459)
• 81bee0f1 feat(java): add implementationVendor and specificationVendor fields to detect GroupID from MANIFEST.MF (#3480)
• e1076085 refactor: rename security-checks to scanners (#3467)
• aaf845d0 chore: display the troubleshooting URL for the DB denial error (#3474)
• ed5bb0ba docs: yaml tabs to spaces, auto create namespace (#3469)
• 3158bfe6 docs: adding show-and-tell template to GH discussions (#3391)
• 85b6c4aa fix: Fix a temporary file leak in case of error (#3465)
• 60bddae6 fix(test): sort cyclonedx components (#3468)
• e0bb04c9 docs: fixing spelling mistakes (#3462)
• c25e826b ci: set paths triggering VM tests in PR (#3438)
• 07ddc85a docs: typo in --skip-files (#3454)
• e88507c9 feat(custom-forward): Extended advisory data (#3444)
• e2dfee20 docs: fix spelling error (#3436)
• c575d6f7 refactor(image): extend image config analyzer (#3434)
• 036d5a82 fix(nodejs): add ignore protocols to yarn parser (#3433)
• e6d7f157 fix(db): check proxy settings when using insecure flag (#3435)
• a1d4427c feat(misconf): Fetch policies from OCI registry (#3015)
• 682351a1 ci: downgrade Go to 1.18 and use stable and oldstable go versions for unit tests (#3413)
• ff0c4516 ci: store URLs to Github Releases in RPM repository (#3414)
• ee12442b feat(server): add support of skip-db-update flag for hot db update (#3416)
• 2033e05b chore(deps): bump github.com/moby/buildkit from v0.10.6 to v0.11.0 (#3411)
• 6bc564e8 fix(image): handle wrong empty layer detection (#3375)
• b3b8d4dd test: fix integration tests for spdx and cycloneDX (#3412)
• b88bccae feat(python): Include Conda packages in SBOMs (#3379)
• fbd8a13d feat: add support pubspec.lock files for dart (#3344)
• 0f545cfa fix(image): parsePlatform is failing with UNAUTHORIZED error (#3326)
• 76c883dc fix(license): change normalize for GPL-3+-WITH-BISON-EXCEPTION (#3405)
• a8b671bc feat(server): log errors on server side (#3397)
• a5919ca3 chore(deps): bump defsec to address helm vulnerabilities (#3399)
• 89016da2 docs: rewrite installation docs and general improvements (#3368)
• c3759c6d chore: update code owners (#3393)
• 044fb976 chore: test docs separately from code (#3392)
• ad2e648b docs: use the formula maintained by Homebrew (#3389)
• ad25a776 docs: add Security Management section with SonarQube plugin

Changelog

• 9039df49 fix(deps): fix errors on yarn.lock files that contain local file reference (#3384)
• 60cf4fe4 feat(flag): early fail when the format is invalid (#3370)
• 9470e3cd chore(deps): bump github.com/aws/aws-sdk-go from 1.44.136 to 1.44.171 (#3366)
• d274d156 docs(aws): fix broken links (#3374)
• 2a870f8a chore(deps): bump actions/stale from 6 to 7 (#3360)
• 5974023b chore(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#3359)
• 02aa8c2c chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.6.0 to 0.7.0 (#2974)
• 6e6171fe chore(deps): bump azure/setup-helm from 3.4 to 3.5 (#3358)
• 066f2779 chore(deps): bump github.com/moby/buildkit from 0.10.4 to 0.10.6 (#3173)
• 8cc32841 chore(deps): bump goreleaser/goreleaser-action from 3 to 4 (#3357)
• 8d713461 chore(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.14 (#3367)
• 5b944d20 chore(go): updates wazero to v1.0.0-pre.7 (#3355)
• 9c645b99 chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#3362)
• e2cd782d chore(deps): bump actions/cache from 3.0.11 to 3.2.2 (#3356)

Changelog

• 4813cf5c docs: improve compliance docs (#3340)
• 025e5099 feat(deps): add yarn lock dependency tree (#3348)
• 4d59a1ef fix: compliance change id and title naming (#3349)
• eaa5bcf7 feat: add support for mix.lock files for elixir language (#3328)
• a8884409 feat: add k8s cis bench (#3315)
• 62b369ee test: disable SearchLocalStoreByNameOrDigest test for non-amd64 arch (#3322)
• c110c4e0 revert: cache merged layers (#3334)
• bc759efd feat(cyclonedx): add recommendation (#3336)
• fe3831e0 feat(ubuntu): added support ubuntu ESM versions (#1893)
• b0cebec3 fix: change logic to build relative paths for skip-dirs and skip-files (#3331)
• a66d3fe3 chore(deps): bump github.com/hashicorp/golang-lru from 0.5.4 to 2.0.1 (#3265)
• 5190f956 feat: Adding support for Windows testing (#3037)
• b00f3c60 feat: add support for Alpine 3.17 (#3319)
• a70f8851 docs: change PodFile.lock to Podfile.lock (#3318)
• 1ec1fe64 fix(sbom): support for the detection of old CycloneDX predicate type (#3316)
• 68eda793 feat(secret): Use .trivyignore for filtering secret scanning result (#3312)
• b95d435a chore(go): remove experimental FS API usage in Wasm (#3299)
• ac6b7c33 ci: add workflow to add issues to roadmap project (#3292)
• cfabdf91 fix(vuln): include duplicate vulnerabilities with different package paths in the final report (#3275)
• 56e3d8de chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#3250)
• bbccb448 feat(sbom): better support for third-party SBOMs (#3262)
• e879b069 docs: add information about languages with support for dependency locations (#3306)
• e92266f2 feat(vm): add region option to vm scan to be able to scan any region's ami and ebs snapshots (#3284)
• 01c7fb14 chore(deps): bump github.com/Azure/azure-sdk-for-go from 66.0.0+incompatible to 67.1.0+incompatible (#3251)
• 23d06138 fix(vuln): change severity vendor priority for ghsa-ids and vulns from govuln (#3255)
• 407c2407 docs: remove comparisons (#3289)
• 93c5d2dc feat: add support for Wolfi Linux (#3215)
• 28097949 ci: add go.mod to canary workflow (#3288)
• 08b55c33 feat(python): skip dev dependencies (#3282)
• 52300e60 chore: update ubuntu version for Github action runnners (#3257)
• a7ac6aca fix(go): skip dep without Path for go-binaries (#3254)
• 4436a202 feat(rust): add ID for cargo pgks (#3256)
• 34d505ad chore(deps): bump github.com/samber/lo from 1.33.0 to 1.36.0 (#3263)
• ea956026 chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#3253)
• aea298b3 feat: add support for swift cocoapods lock files (#2956)
• c67fe17b fix(sbom): use proper constants (#3286)
• f9072556 chore(deps): bump golang.org/x/term from 0.1.0 to 0.3.0 (#3278)
• 8f957435 test(vm): import relevant analyzers (#3285)
• 8744534c feat: support scan remote repository (#3131)
• c278d866 docs: fix typo in fluxcd (#3268)
• fa2281f7 docs: fix broken "ecosystem" link in readme (#3280)
• a3eece4f feat(misconf): Add compliance check support (#3130)
• 7a6cf5a2 docs: Adding Concourse resource for trivy (#3224)
• dd26bd23 chore(deps): change golang from 1.19.2 to 1.19 (#3249)
• cbba6d10 fix(sbom): duplicate dependson (#3261)
• fa2e3ac2 chore(deps): bump alpine from 3.16.2 to 3.17.0 (#3247)
• 5c434753 chore(go): updates wazero to 1.0.0-pre.4 (#3242)
• d29b0edc feat(report): add dependency locations to sarif format (#3210)
• 967e32f4 fix(rpm): add rocky to osVendors (#3241)
• 94774166 docs: fix a typo (#3236)
• 97ce61ee feat(dotnet): add dependency parsing for nuget lock files (#3222)
• 17e13c4d docs: add pre-commit hook to community tools (#3203)
• b1a2c4e9 feat(helm): pass arbitrary env vars to trivy (#3208)

Changelog

• bd30e983 chore(vm): update xfs filesystem parser for change log (#3230)
• 22d92e4a feat: add virtual machine scan command (#2910)
• 531eaa8f docs: reorganize index and readme (#3026)
• 8569d43a fix: slowSizeThreshold should be less than defaultSizeThreshold (#3225)
• 604a73d3 feat: Export functions for trivy plugin (#3204)
• 7594b1f0 feat(image): add support wildcard for platform os (#3196)
• fd5cafb2 fix: load compliance report from file system (#3161)
• 6ab9380b fix(suse): use package name to get advisories (#3199)
• 4a5d6435 docs(image): space issues during image scan (#3190)
• 2206e008 feat(containerd): scan image by digest (#3075)
• 861bc03e fix(vuln): add package name to title (#3183)
• f115895d fix: present control status instead of compliance percentage in compliance report (#3181)
• cc8cef19 perf(license): remove go-enry/go-license-detector. (#3187)
• a0033f6b fix: workdir command as empty layer (#3087)
• cb5744dc docs: reorganize ecosystem section (#3025)
• 1ddd6d30 feat(dotnet): add support dependency location for dotnet-core files (#3095)
• 30c8d756 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.114 to 1.44.136 (#3174)
• 8e7b44f7 chore(deps): bump github.com/testcontainers/testcontainers-go from 0.13.0 to 0.15.0 (#3109)
• dfff371f feat(dotnet): add support dependency location for nuget lock files (#3032)
• eb571fdc chore: update code owners for misconfigurations (#3176)
• 75717834 feat: add slow mode (#3084)
• 01df4758 docs: fix typo in enable-builin-rules mentions (#3118)
• 6b3be150 feat: Add maintainer field to OS packages (#3149)
• 9ebdc51d docs: fix some typo (#3171)
• 42e81ad0 chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.17.8 to 1.18.0 (#3175)
• 55ec8989 chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#3112)
• 0644ceba docs: fix links on Built-in Policies page (#3124)
• 50af7a2f chore(deps): bump github.com/go-openapi/runtime from 0.24.1 to 0.24.2 (#3117)
• c455d142 chore(deps): bump github.com/samber/lo from 1.28.2 to 1.33.0 (#3116)
• 8fb9d316 fix: Perform filepath.Clean first and then filepath.ToSlash for skipFile/skipDirs settings (#3144)
• 8562b8cf chore: use newline for semantic pr (#3172)
• aff9a3e0 chore(deps): bump azure/setup-helm from 3.3 to 3.4 (#3107)
• 001671ed chore(deps): bump sigstore/cosign-installer from 2.7.0 to 2.8.1 (#3106)
• 4e7ab484 chore(deps): bump amannn/action-semantic-pull-request from 4 to 5 (#3105)
• a6091a7e chore(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (#3104)
• 6da148cc fix(spdx): rename describes field in spdx (#3102)
• df9cf881 chore: handle GOPATH with several paths in make file (#3092)
• 32fe108c docs(flag): add "rego" configuration file options (#3165)
• 8fcca9c8 chore(go): updates wazero to 1.0.0-pre.3 (#3090)
• 02f77bc1 chore(deps): bump actions/cache from 3.0.9 to 3.0.11 (#3108)
• aa3ff09a docs(license): fix typo inside quick start (#3134)
• f26b4529 chore: update codeowners for docs (#3135)
• 3b6d7d8c fix(cli): exclude --compliance flag from non supported sub-commands (#3158)
• e9a25499 fix: remove --security-checks none from image help (#3156)
• 3aa19122 fix: compliance flag description (#3160)
• fc820570 docs(k8s): fix a typo (#3163)
• 3a1f05e3 chore(deps): bump golang from 1.19.1 to 1.19.2 (#3103)