trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

APACHE-2.0 License

Downloads: 10.5K
Stars: 21.6K
Committers: 386


trivy - v0.19.2

Published by aqua-bot over 3 years ago

Changelog

f3f3029 Updated the Alpine Image to 3.14 (latest) (#1130)
0e52fde Added EOL for Ubuntu 21.10 (#1131)
9b3fba0 fix(image): disabled scanning of config files within container images (#1133)
1101634 docs: fixed typo (#1124)
499b7a6 update cyclonedx github action to v0.3.0 (#1127)

Docker images

  • docker pull aquasec/trivy:0.19.2
  • docker pull ghcr.io/aquasecurity/trivy:0.19.2
  • docker pull public.ecr.aws/aquasecurity/trivy:0.19.2
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest

trivy - v0.19.1

Published by aqua-bot over 3 years ago

Changelog

cea9b0b fix(policy): fix panic on the first run (#1116)

Docker images

  • docker pull aquasec/trivy:0.19.1
  • docker pull ghcr.io/aquasecurity/trivy:0.19.1
  • docker pull public.ecr.aws/aquasecurity/trivy:0.19.1
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest

trivy - v0.19.0

Published by aqua-bot over 3 years ago

Changelog

dea3428 docs(misconf): add comparison with Conftest and tfsec (#1111)
47d600a feat(report): add schema version (#1110)
eae4baf fix(scan): change unknown os from info to debug (#1109)
9e08bd4 docs: add misconfiguration (#1101)
d9883e4 fix(config): rename include-successes with include-non-failures (#1107)
e6f7e55 feat(config): support --trace (#1106)
4b84e79 fix(policy): reduce the Internet access (#1105)
05ae22a chore: bump golangci-lint to v1.41.1 (#1104)
a0e5c3a feat: support config scanning (#931)
712f9eb feat(report): add artifact metadata (#1079)
803b2f9 Generate SBOM (#1076)
92f980f fix(db): multiple prefixed data sources (#1070)
52e98f1 Add EOL date for Alpine 3.14 (#1072)
6cd9a32 suse: mark sle 15.3 as maintained, add opensuse 15.3 (#1059)
03a7366 docs: improve data sources (#1069)
a29d6d8 chore(label): add kind/security-advisory (#1068)
2a08969 fix(asff): replace slice with substr (#1058)
3a94b73 fix(helm-chart): parametrized ingress host path (#1049)
41d000c feat: support Google Artifact Repository (#1055)
78da283 Update ASFF template to use label for severity (#1047)
e362843 BREAKING: migrate to a new JSON schema (#782)
097b8d4 docs: Fix link to AWS Security Hub template (#1046)
3b6122f refactor(server): support gzip (#1045)
f75a369 chore(rpc): update protoc and twirp (#1044)
e4c32cd Added support for list all packages flag in client (#1032)
fb19abd chore: chart with 0.18.3 (#1033)
d2afc20 feat: add gitlab codequality template (#895)
43ff5f9 feat(plugin): add aqua plugin (#1029)
5e6a50b fix(go): if patchedVersion is empty mark it as vulnerable (#1030)
23b9533 docs(ubuntu): fix supported versions (#1028)
d1f8cfc Support Ubuntu 21.04 (#1027)
aa2336b chore: remove codecov (#1016)
e646172 fix typo on github-actions.md (#1022)

Docker images

  • docker pull aquasec/trivy:0.19.0
  • docker pull ghcr.io/aquasecurity/trivy:0.19.0
  • docker pull public.ecr.aws/aquasecurity/trivy:0.19.0
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest

trivy - v0.18.3

Published by aqua-bot over 3 years ago

Changelog

85e45ca chore(ci): change to more granular tokens (#1014)
9fa512a chore(ci): add Go scanning and update dependencies (#1001)
349371b docs: Add HIGH severity to Trivy command in GitLab CI example to match comment (#1013)

Docker images

  • docker pull aquasec/trivy:0.18.3
  • docker pull ghcr.io/aquasecurity/trivy:0.18.3
  • docker pull public.ecr.aws/aquasecurity/trivy:0.18.3
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest

trivy - v0.18.2

Published by aqua-bot over 3 years ago

Changelog

4446961 fix(image): disable go.sum scanning (#1007)
04473ad fix(gomod): handle go.sum with an empty line (#1006)
1b66b77 feat: prepare for config scanning (#1005)
8fc6ea6 Clarify that dev dependencies are excluded (#986)

Docker images

  • docker pull aquasec/trivy:0.18.2
  • docker pull ghcr.io/aquasecurity/trivy:0.18.2
  • docker pull public.ecr.aws/aquasecurity/trivy:0.18.2
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest

trivy - v0.18.1

Published by aqua-bot over 3 years ago

Changelog

eaf2da2 Include target value in Sarif template ruleID (#991)
083c157 chore(mkdocs): allow workflow_dispatch (#989)

Docker images

  • docker pull aquasec/trivy:0.18.1
  • docker pull ghcr.io/aquasecurity/trivy:0.18.1
  • docker pull public.ecr.aws/aquasecurity/trivy:0.18.1
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest

trivy - v0.18.0

Published by aqua-bot over 3 years ago

Release Note

https://github.com/aquasecurity/trivy/discussions/990

Changelog

e26e39a fix(vuln) unique vulnerabilities from different data sources (#984)
04e7cca feat(go): added support of gomod analyzer (#978)

Docker images

  • docker pull aquasec/trivy:0.18.0
  • docker pull ghcr.io/aquasecurity/trivy:0.18.0
  • docker pull public.ecr.aws/aquasecurity/trivy:0.18.0
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest

trivy - v0.17.2

Published by aqua-bot over 3 years ago

Changelog

415e1d8 fix: scan only regular files (#976)
3bb8852 docs: mention upx binaries (#974)
c0fddd9 chore: upgrade alpine to fix git and libcurl vulnerabilities in trivy docker image scan (#971)

Docker images

  • docker pull aquasec/trivy:0.17.2
  • docker pull ghcr.io/aquasecurity/trivy:0.17.2
  • docker pull public.ecr.aws/aquasecurity/trivy:0.17.2
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest

trivy - v0.17.1

Published by aqua-bot over 3 years ago

Changelog

41c066d fix(fs): skip dirs (#969)

Docker images

  • docker pull aquasec/trivy:0.17.1
  • docker pull ghcr.io/aquasecurity/trivy:0.17.1
  • docker pull public.ecr.aws/aquasecurity/trivy:0.17.1
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest

trivy - v0.17.0

Published by aqua-bot over 3 years ago

Release Note

https://github.com/aquasecurity/trivy/discussions/966

Changelog

2316931 chore(ci): replace GITHUB_TOKEN with ORG_GITHUB_TOKEN (#965)
77f3d55 chore(ci): clone trivy-repo after releasing binaries (#963)
b319579 docs: add golang support (#962)
0c0febe fix(table): skip zero vulnerabilities on java (#961)
d41736b chore(ci): create a release discussion (#959)
c88bbbd feat(go): support binary scan (#948)
d88b7cf feat(java): support GitLab Advisory Database (#917)
1385fa4 feat: show help message when the context's deadline passes (#955)
0346a10 chore(mkdocs): replace github token (#954)
60a4e7e Update SARIF report template (#935)
39ab6bd Update install docs to make commands consistent (#933)
0518d27 Docker multi-platform image build with buildx, using Goreleaser (#915)
a6b8ec3 Fix JUnit template for AWS CodeBuild compatibility (#904)
6d22387 break(cli): use StringSliceFlag for skip-dirs/files (#916)
7221579 docs: add white logo (#914)
ee29ffa add package name in ruleID (#913)
8935aa6 feat: gh-action for stale issues (#908)
288481f chore(triage): add lifecycle/active label (#909)
f961e99 feat: publish helm repository (#888)
0edf73b Fix Documentation Typo (#901)
f5b060a docs: migrate README to MkDocs (#884)
c26a3e4 refactor(internal): export internal packages (#887)
8b3b5d0 feat: support plugins (#878)
37edc66 chore(ci): deploy dev docs only for the main branch (#882)
becd508 add MkDocs implementation (#870)
e517bef docs(README): update ubuntu versions (#877)
da2b28a support Ubuntu 20.10 (#876)
965bb6d feat(cache): introduce versioned cache (#865)
0497286 chore: bump up Go to 1.16 (#861)
fcb9a93 fix: allow the latest tag (#864)
425eaf8 feat: disable analyzers (#846)
47ce996 chore(ci): push the official image to public ECR (#855)
e890ae0 chore(ci): migrate CircleCI to GitHub Actions (#850)
9bc3565 adds example with multistage build (#853)
a0cd5d7 remove SARIF helpUri if empty (#841) (#845)
3170dc3 Add Sprig to Template Engine (#832)
10ad2ed Fix "GitLab CI using Trivy container" usage example (fixes #843) (#844)
c9f22f4 feat(java): support jar/war/ear (#837)
3047c52 fix(app): increase the default value of timeout (#842)
89e5295 Update README.md (#838)

Docker images

  • docker pull aquasec/trivy:0.17.0
  • docker pull ghcr.io/aquasecurity/trivy:0.17.0
  • docker pull public.ecr.aws/aquasecurity/trivy:0.17.0
  • docker pull aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:latest
  • docker pull public.ecr.aws/aquasecurity/trivy:latest

trivy - v0.16.0

Published by knqyf263 over 3 years ago

Features

Support Podman (#825)

[EXPERIMENTAL] This feature might change without preserving backwards compatibility.

Scan an image held by a Podman (>=2.0) instance running locally; remote Podman is not supported. Before running Trivy commands, you must enable the podman.socket systemd unit for your user on the machine. For more details, see here

$ systemctl --user enable --now podman.socket

Then, you can scan your image in Podman.

$ cat Dockerfile
FROM alpine:3.12
RUN apk add --no-cache bash
$ podman build -t test .
$ podman images
REPOSITORY      TAG     IMAGE ID      CREATED             SIZE
localhost/test  latest  efc372d4e0de  About a minute ago  7.94 MB
$ trivy image test

Support modular packages in RHEL 8/CentOS 8 (#790)

Trivy is able to scan RHEL 8/CentOS 8 more accurately now.

Add redis cache backend configuration options in the Helm chart (#784)

Trivy can be deployed to Kubernetes with Redis cache.

Thanks, @czunker!

Support PEP 440 (#816)

Trivy is able to scan Python vulnerabilities more accurately now.

Support alpine 3.13 (#819)

Trivy is able to scan Alpine Linux 3.13 now.

Fixes

  • Fix compatibility for Jenkins xunit plugin (#820)
  • Update EOL dates (#824)
  • Parse redis backend url (#804)
  • Fix errors in SARIF format (#801)
  • Fix env variable for github token (#796)
  • Set unknown severity for empty values (#793)
  • Remove global flags from filesystem command (#772)
  • Fix formatting of log message (#785)

Changelog

cdabe7f Fix compatibility for Jenkins xunit plugin (#820)
b0fe439 README: add Gitlab job that uses a container with trivy (#823)
6685cd4 feat: support Podman (#825)
7a683bd fix(eol): update EOL dates (#824)
6ed03a8 fix(python): follow PEP 440 (#816)
182cb80 Support alpine 3.13 (#819)
2acd1ca Changed the output string to "Using your github token". (#814)
dd35bfd Align comment with code (#812)
1f17e71 Parse redis backend url (#804)
0954f6b Update README.md (#810)
6b29bf1 Added nodeSelector, affinity and tolerations to helm chart (#803)
f6afdf0 Fix readme typo in policy flag (#805)
412847d Fix errors in SARIF format (#801)
5b27862 Fix env variable for github token (#796)
6ed25c1 fix(vulnerability): set unknown severity for empty values (#793)
e2c483f Remove global flags from filesystem command (#772)
5c5e0cb Add imagePullSecrets to helm Chart (#789)
b9b84cd Add redis cache backend configuration options (#784)
e517bcc Update README.md (#735)
7f5a6d4 feat(redhat): support modular packages (#790)
8de09dd Fix formatting of log message (#785)
e08ae8d chore(ci): migrate unit tests to GitHub Actions (#779)
a00d719 shifted: brews.github to brews.tap (#780)

Docker images

  • docker pull docker.io/aquasec/trivy:0.16.0
  • docker pull docker.io/aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:0.16.0
  • docker pull ghcr.io/aquasecurity/trivy:latest

trivy - v0.15.0

Published by knqyf263 almost 4 years ago

Features

NuGet Scanner (#686)

Trivy now supports NuGet's lock file, packages.lock.json.

packages.lock.json
==================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+-------------+------------------+----------+-------------------+----------------+--------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  |                TITLE                 |
+-------------+------------------+----------+-------------------+----------------+--------------------------------------+
| MessagePack | CVE-2020-5234    | MEDIUM   | 1.9.10            | 2.1.90, 1.9.11 | Untrusted data can lead to DoS       |
|             |                  |          |                   |                | attack due to hash collisions and... |
|             |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2020-5234 |
+-------------+------------------+----------+-------------------+----------------+--------------------------------------+

Thanks to @Johannestegner

Redis support as the cache backend (#770)

For the detail, see here

$ docker run -d --name redis -p 6379:6379 redis:5.0
$ trivy server --cache-backend redis://localhost:6379
$ trivy client alpine:3.11

HTML template (#567)

$ trivy image -f template --template "@contrib/html.tpl" -o report.html alpine:3.12 

Thanks to @irrandon

Helm chart (#751, #769)

For the detail, see here

$ cd helm/trivy
$ helm install my-release .

Thanks to @czunker

Fixes

redhat: skip modular packages (#776)

Closes https://github.com/aquasecurity/trivy/issues/771 and https://github.com/aquasecurity/trivy/issues/741

Thanks to @masahiro331

Make the table output less wide. (#763)

alpine:3.10 (alpine 3.10.5)
===========================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2020-1971    | MEDIUM   | 1.1.1g-r0         | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
|              |                  |          |                   |               | NULL pointer de-reference             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
+--------------+                  +          +                   +               +                                       +
| libssl1.1    |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
+--------------+------------------+          +-------------------+---------------+---------------------------------------+
| musl         | CVE-2020-28928   |          | 1.1.22-r3         | 1.1.22-r4     | In musl libc through 1.2.1,           |
|              |                  |          |                   |               | wcsnrtombs mishandles particular      |
|              |                  |          |                   |               | combinations of destination buffer... |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28928 |
+--------------+                  +          +                   +               +                                       +
| musl-utils   |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+

Changelog

08ca1b0 Feat: NuGet Scanner (#686)
7b86f81 feat(cache): support Redis (#770)
8cd4afe fix(redhat): skip module packages (#776)
b606b62 chore: migrate from master to main (#778)
5c2b14b chore(circleci): remove gofmt (#777)
a19a023 chore(README): remove experimental (#775)
e6cef75 NVD: Add timestamps. (#761)
1371f72 (fix): Make the table output less wide. (#763)
8ecaa2f Add gitHubToken to prevent rate limit problems (#769)
8132174 Add helm chart to install trivy in server mode. (#751)
bcc2850 chore(docs): add nix install (#762)
cb36972 HTML template (#567)

Docker images

  • docker pull docker.io/aquasec/trivy:0.15.0
  • docker pull docker.io/aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:0.15.0
  • docker pull ghcr.io/aquasecurity/trivy:latest

trivy - v0.14.0

Published by knqyf263 almost 4 years ago

Features

Add primary URLs (#752)

Trivy shows a primary URL in the result as follows.

alpine:3.10 (alpine 3.10.5)
===========================
Total: 2 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |                URL                 |
+------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
| musl       | CVE-2020-28928   | UNKNOWN  | 1.1.22-r3         | 1.1.22-r4     | In musl libc through 1.2.1,    | avd.aquasec.com/nvd/cve-2020-28928 |
|            |                  |          |                   |               | wcsnrtombs mishandles          |                                    |
|            |                  |          |                   |               | particular combinations of     |                                    |
|            |                  |          |                   |               | destination buffer...          |                                    |
+------------+                  +          +                   +               +                                +                                    +
| musl-utils |                  |          |                   |               |                                |                                    |
|            |                  |          |                   |               |                                |                                    |
|            |                  |          |                   |               |                                |                                    |
|            |                  |          |                   |               |                                |                                    |
+------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+

[
  {
    "Target": "alpine:3.10 (alpine 3.10.5)",
    "Type": "alpine",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2020-28928",
        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28928",
        ...
      }
    ]
  }
]

In both the table and the JSON output, https://avd.aquasec.com/nvd/cve-2020-28928 is shown as the primary URL.

Remove rpm dependency (#753)

Trivy no longer requires the rpm command on the host. You can scan a RHEL-based image without rpm.

$ rpm
bash: rpm: command not found
$ trivy image -o /dev/null centos:7

centos:7 (centos 7.9.2009)
==========================
Total: 601 (UNKNOWN: 0, LOW: 358, MEDIUM: 240, HIGH: 3, CRITICAL: 0)

Bug fixes

--light shows fewer results (#755)

There was a bug where vulnerabilities with an unknown severity did not appear in the result when the --light option was used.
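The primary URL field above and the --light bug described here both concern how a consumer of Trivy's JSON output should treat the Severity and PrimaryURL fields. The following script is an added example, not code from the Trivy project: it reads a constructed report in the v0.14.0 JSON layout, maps an empty Severity to UNKNOWN instead of dropping the finding, prints per-target totals in the same buckets as Trivy's table output, collects primary URLs, and gates a CI step on a severity threshold.

```python
"""Post-process a Trivy JSON report (the Target/Type/Vulnerabilities layout):
normalise empty severities to UNKNOWN, build Trivy-style totals per target,
collect primary URLs and gate a CI job on a severity threshold."""
import json
import sys

# Constructed sample report. The second finding carries an empty Severity,
# the case that the --light bug silently dropped. The second target shows
# the null that Trivy emits when a target has no findings.
SAMPLE_REPORT = """
[
  {
    "Target": "alpine:3.10 (alpine 3.10.5)",
    "Type": "alpine",
    "Vulnerabilities": [
      {"VulnerabilityID": "CVE-2020-28928", "PkgName": "musl",
       "InstalledVersion": "1.1.22-r3", "FixedVersion": "1.1.22-r4",
       "Severity": "MEDIUM",
       "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28928"},
      {"VulnerabilityID": "CVE-2020-28928", "PkgName": "musl-utils",
       "InstalledVersion": "1.1.22-r3", "FixedVersion": "1.1.22-r4",
       "Severity": "",
       "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28928"}
    ]
  },
  {
    "Target": "app/Gemfile.lock",
    "Type": "bundler",
    "Vulnerabilities": null
  }
]
"""

# Same buckets, same order, as the "Total:" line of Trivy's table output.
SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def normalise_severity(value):
    """Map an empty or unrecognised severity to UNKNOWN instead of discarding it."""
    value = (value or "").strip().upper()
    return value if value in SEVERITIES else "UNKNOWN"


def load_report(text):
    return json.loads(text)


def iter_findings(report):
    """Yield (target, vulnerability) pairs; a target without findings has null."""
    for result in report:
        for vuln in result.get("Vulnerabilities") or []:
            yield result["Target"], vuln


def summarise(report):
    """Per-target severity counts with every bucket present, even when zero."""
    counts = {r["Target"]: dict.fromkeys(SEVERITIES, 0) for r in report}
    for target, vuln in iter_findings(report):
        counts[target][normalise_severity(vuln.get("Severity"))] += 1
    return counts


def format_total(counts):
    """Render one target's counts the way Trivy prints its Total line."""
    total = sum(counts.values())
    parts = ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES)
    return f"Total: {total} ({parts})"


def primary_urls(report):
    """Deduplicated PrimaryURL values in first-seen order, e.g. for ticket links."""
    seen = []
    for _, vuln in iter_findings(report):
        url = vuln.get("PrimaryURL")
        if url and url not in seen:
            seen.append(url)
    return seen


def findings_at_or_above(report, threshold, include_unknown=False):
    """Findings whose severity is at least `threshold`. UNKNOWN is not on the
    ordered scale, so it is only included on request (or when it is the floor)."""
    floor = SEVERITIES.index(threshold.upper())
    include_unknown = include_unknown or floor == 0
    selected = []
    for target, vuln in iter_findings(report):
        sev = normalise_severity(vuln.get("Severity"))
        if sev == "UNKNOWN":
            if include_unknown:
                selected.append({**vuln, "Target": target, "Severity": sev})
            continue
        if SEVERITIES.index(sev) >= floor:
            selected.append({**vuln, "Target": target, "Severity": sev})
    return selected


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    for target, counts in summarise(report).items():
        print(f"{target}\n{format_total(counts)}\n")
    failing = findings_at_or_above(report, "MEDIUM", include_unknown=True)
    for f in failing:
        print(f"{f['Target']}: {f['PkgName']} {f['VulnerabilityID']} "
              f"({f['Severity']}) {f['PrimaryURL']}")
    sys.exit(1 if failing else 0)
```

To run against a real scan, replace SAMPLE_REPORT with the contents of a file produced by `trivy image -f json -o report.json <image>`.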

Changelog

9bdbeab feat: remove rpm dependency (#753)
d85cb77 fix(vulnerability): make an empty severity UNKNOWN (#759)
1bee83c chore(README): add TRIVY_INSECURE (#760)
4d18943 feat(vulnerability): add primary URLs (#752)

Docker images

  • docker pull docker.io/aquasec/trivy:0.14.0
  • docker pull docker.io/aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:0.14.0
  • docker pull ghcr.io/aquasecurity/trivy:latest

trivy - v0.14.0

Published by knqyf263 almost 4 years ago

Important change

Support npm and RubyGems versioning semantics (#740)

npm and RubyGems have different versioning/constraint semantics from other languages, so we developed libraries for them. In the future, we will probably develop libraries for other languages such as Python.

New features

Skip downloading DB if a remote DB is not updated (#717)

Once the vulnerability DB has been downloaded, Trivy will not check it for updates again for one hour, so the same DB is not downloaded repeatedly by mistake.

Support

Add back support for FreeBSD & OpenBSD (#728)

Provide binaries for FreeBSD & OpenBSD

Add support for ppc64le architecture (#724)

Provide binaries for the ppc64le (Power) architecture.

Bug fixes

Handle ksplice advisories of Oracle Linux (#745)

When scanning Oracle Linux, skip ksplice advisories if the installed package is not a ksplice package. Conversely, if the package is a ksplice one, the normal advisories should not be applied to it.

Skip packages from unsupported repository (remi) (#695)

Skip scanning RPM packages installed from the remi repository.

Changelog

1391b3b fix(oracle): handle ksplice advisories (#745)
b6d5b82 fix: version comparison (#740)
9dfb0fe updated Readme.md (#737)
4555469 Add suse sles 15.2 to the EOL list as well (#734)
c189aa6 Update README.md (#731)
8442528 Warn when a user attempts to use trivy without a detectable lockfile (#729)
d09787e Add back support for FreeBSD & OpenBSD (#728)
0285a89 Add support for ppc64le architecture (#724)
7d7784f Skip packages from unsupported repository (remi) (#695)
ca6f196 Skip downloading DB if a remote DB is not updated (#717)
e621cf2 Sunsetting VendorVectors (#718)
906ab54 Add GitHub Container Registry to README (#712)
1549c25 update BUG_REPORT.md using H2 instead of bold formatting (#714)
fe1d07e fix(ci/deb): do not remove old packages for EOL versions (#706)
793a1aa Add linter check support (#679)
4a94477 Optimize images (#696)
9bc2b19 Update triage.md (#701)

Docker images

  • docker pull docker.io/aquasec/trivy:0.13.0
  • docker pull docker.io/aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:0.13.0
  • docker pull ghcr.io/aquasecurity/trivy:latest

trivy - v0.13.0

Published by knqyf263 about 4 years ago

New features

Add --skip-files option (#624)

By default, Trivy traverses all directories and looks for every lock file it recognizes. If your image contains lock files that you do not maintain, you can skip them explicitly.

$ trivy image --skip-files "/Gemfile.lock,/app/Pipfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0

Add health check endpoint to trivy server (#644)

$ trivy server &
$ curl http://127.0.0.1:4954/healthz 
ok

Add --skip-update option to fs and repo subcommand (#641)

$ trivy fs -h | grep skip-update
   --skip-update               skip db update (default: false) [$TRIVY_SKIP_UPDATE]

Publish the official image in GitHub Container Registry (#627)

$ docker pull ghcr.io/aquasecurity/trivy:latest

Add CWE-ID (#614)

The Trivy server now includes CWE IDs in its scan results.

Fixes

Show help for subcommands (#628, #629)

$ trivy image
NAME:
   trivy image - scan an image

USAGE:
   trivy image [command options] image_name

OPTIONS:
   --template value, -t value  output template [$TRIVY_TEMPLATE]
   --format value, -f value    format (table, json, template) (default: "table") [$TRIVY_FORMAT]
   --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
...

Changelog

49691ba ci(circle): update remote docker version (#683)
87ff0c1 suse: update end of life dates for SLES service packs (#676)
de30c3f update readme for parallel run issue (#660)
4c3bfb8 fix link for Clear images section in README (#659)
8b21cfe add link to Gitlab CI pipeline in README (#658)
46700f7 test: add tests for mux (#645)
014be7e chore: bump up Go to 1.15 (#646)
b3ff2c3 Add contrib/ to the release chain for Docker (#638)
9c786de Add health check endpoint to trivy server (#644)
188e108 fix(cli): show help for subcommands (#629)
7d7842f Add --skip-update option to fs and repo subcommand (#641)
901a371 goreleaser.yml: Add all templates to archive (#636)
095b5ce fix(cli): show help when no argument is passed (#628)
1d3f70e chore(image): push the official image to GitHub Container Registry as well (#627)
5e308da feat(cli): add --skip-files option (#624)
2231e40 chore(docs): update comparison table (#623)
b3680f0 logo: Add new Trivy logo (#615)
8952779 fix(Readme) - Results using a template (#622)
165d593 Improve Gitlab CI installation step in README (#621)
d8b0962 feat(rpc): add CWE-ID (#614)
d35e8ec Add all templates to the docker image (#619)

Docker images

  • docker pull docker.io/aquasec/trivy:0.12.0
  • docker pull docker.io/aquasec/trivy:latest
  • docker pull ghcr.io/aquasecurity/trivy:0.12.0
  • docker pull ghcr.io/aquasecurity/trivy:latest

trivy - v0.12.0

Published by knqyf263 about 4 years ago

New features

Support AWS Security Hub (#594)

See here for the detail.

Support --skip-dirs option (#595)

Specify directories that the traversal should skip.

$ trivy image --skip-dirs "/usr/lib/ruby/gems,/etc" fluent/fluentd:edge

Support custom data sources (#613)

Your custom data source can be added into trivy-db. See #613 for details.

Fixes

fix(alpine): use source package (#607)

IMPORTANT: Trivy now reports the sub-packages that are actually installed in the image instead of their origin (source) package. You should clear the cache once after updating Trivy to v0.11.0.

For example, the origin package of libcrypto1.1 is openssl, and Trivy used to display the vulnerabilities under openssl even when openssl itself was not installed. Now Trivy displays them under libcrypto1.1.

Before:

alpine:3.10.2 (alpine 3.10.2)
=============================
Total: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1549    | MEDIUM   | 1.1.1c-r0         | 1.1.1d-r0     | openssl: information           |
|         |                  |          |                   |               | disclosure in fork()           |
+         +------------------+          +                   +---------------+--------------------------------+
|         | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in   |
|         |                  |          |                   |               | RSAZ modular exponentiation on |
|         |                  |          |                   |               | x86_64                         |
+         +------------------+          +                   +---------------+--------------------------------+
|         | CVE-2019-1563    |          |                   | 1.1.1d-r0     | openssl: information           |
|         |                  |          |                   |               | disclosure in PKCS7_dataDecode |
|         |                  |          |                   |               | and CMS_decrypt_set1_pkey      |
+         +------------------+          +                   +---------------+--------------------------------+
|         | CVE-2020-1967    |          |                   | 1.1.1g-r0     | openssl: Segmentation fault in |
|         |                  |          |                   |               | SSL_check_chain causes denial  |
|         |                  |          |                   |               | of service                     |
+         +------------------+----------+                   +---------------+--------------------------------+
|         | CVE-2019-1547    | LOW      |                   | 1.1.1d-r0     | openssl: side-channel weak     |
|         |                  |          |                   |               | encryption vulnerability       |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

After:

alpine:3.10.2 (alpine 3.10.2)
=============================
Total: 10 (UNKNOWN: 0, LOW: 2, MEDIUM: 8, HIGH: 0, CRITICAL: 0)

+--------------+------------------+----------+-------------------+---------------+--------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+--------------+------------------+----------+-------------------+---------------+--------------------------------+
| libcrypto1.1 | CVE-2019-1549    | MEDIUM   | 1.1.1c-r0         | 1.1.1d-r0     | openssl: information           |
|              |                  |          |                   |               | disclosure in fork()           |
+              +------------------+          +                   +---------------+--------------------------------+
|              | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in   |
|              |                  |          |                   |               | RSAZ modular exponentiation on |
|              |                  |          |                   |               | x86_64                         |
+              +------------------+          +                   +---------------+--------------------------------+
|              | CVE-2019-1563    |          |                   | 1.1.1d-r0     | openssl: information           |
|              |                  |          |                   |               | disclosure in PKCS7_dataDecode |
|              |                  |          |                   |               | and CMS_decrypt_set1_pkey      |
+              +------------------+          +                   +---------------+--------------------------------+
|              | CVE-2020-1967    |          |                   | 1.1.1g-r0     | openssl: Segmentation fault in |
|              |                  |          |                   |               | SSL_check_chain causes denial  |
|              |                  |          |                   |               | of service                     |
+              +------------------+----------+                   +---------------+--------------------------------+
|              | CVE-2019-1547    | LOW      |                   | 1.1.1d-r0     | openssl: side-channel weak     |
|              |                  |          |                   |               | encryption vulnerability       |
+--------------+------------------+----------+                   +               +--------------------------------+
| libssl1.1    | CVE-2019-1549    | MEDIUM   |                   |               | openssl: information           |
|              |                  |          |                   |               | disclosure in fork()           |
+              +------------------+          +                   +---------------+--------------------------------+
|              | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in   |
|              |                  |          |                   |               | RSAZ modular exponentiation on |
|              |                  |          |                   |               | x86_64                         |
+              +------------------+          +                   +---------------+--------------------------------+
|              | CVE-2019-1563    |          |                   | 1.1.1d-r0     | openssl: information           |
|              |                  |          |                   |               | disclosure in PKCS7_dataDecode |
|              |                  |          |                   |               | and CMS_decrypt_set1_pkey      |
+              +------------------+          +                   +---------------+--------------------------------+
|              | CVE-2020-1967    |          |                   | 1.1.1g-r0     | openssl: Segmentation fault in |
|              |                  |          |                   |               | SSL_check_chain causes denial  |
|              |                  |          |                   |               | of service                     |
+              +------------------+----------+                   +---------------+--------------------------------+
|              | CVE-2019-1547    | LOW      |                   | 1.1.1d-r0     | openssl: side-channel weak     |
|              |                  |          |                   |               | encryption vulnerability       |
+--------------+------------------+----------+-------------------+---------------+--------------------------------+

fix: remove error using no options (#539)

Before:

$ trivy 
2020-06-18T10:28:44.983+0100	ERROR	trivy requires at least 1 argument or --input option
NAME:
   trivy - A simple and comprehensive vulnerability scanner for containers
...

After:

$ trivy 
NAME:
   trivy - A simple and comprehensive vulnerability scanner for containers
...

Changelog

f50b0ce feat(library): support a custom data source (#613)
ed8607b fix(alpine): use source package (#607)
ea28d3b test(vulnerability): fix usages of new trivy-db refactor changes (#611)
827cea3 refactor(bundler): remove unnecessary code (#610)
b2a0d83 codecov: Move into root directory (#608)
85e0139 fix: fullDescription field in SARIF output is not correctly escaped (#605)
80d5df0 chore(docs): add AWS Security Hub (#598)
3a54e5b refactor(writer): define the constructor for TemplateWriter (#597)
acc6a9b circleci: Allow coverage changes without a failure (#599)
96af6dc feat: add --skip-directories option (#595)
675e1b4 Added test and support of ASFF template (#594)
8ca484f fix: remove error using no options (#539)

Docker images

  • docker pull docker.io/aquasec/trivy:0.11.0
  • docker pull docker.io/aquasec/trivy:latest
trivy - v0.10.2

Published by knqyf263 about 4 years ago

Changelog

9a25f4f Fix comparison table to use words instead of symbols (#587)
467ec46 sarif: Remove extra periods from short descriptions (#590)
52feff2 Added template function to escape string before output (#583)

Docker images

  • docker pull docker.io/aquasec/trivy:0.10.2
  • docker pull docker.io/aquasec/trivy:latest
trivy - v0.10.1

Published by knqyf263 about 4 years ago

Changelog

add65f2 Revert Dockerfile changes (#581)

Docker images

  • docker pull docker.io/aquasec/trivy:0.10.1
  • docker pull docker.io/aquasec/trivy:latest
trivy - v0.10.0

Published by knqyf263 about 4 years ago

Changes

Ensure trivy docker image runs as a non root user (#519)

This change has been reverted in v0.10.1.

Trivy runs as a non-root user inside the docker image. If you run Trivy from the docker image and mount a directory under /root as the cache directory, as follows, it may fail with a permission-denied error because the non-root user cannot write there.

$ docker run --rm -v $PWD:/root/.cache/  aquasec/trivy:latest --cache-dir /root/.cache image centos:7

In that case, you can try a different directory like

$ docker run --rm -v $PWD:/tmp/.cache/  aquasec/trivy:latest --cache-dir /tmp/.cache image centos:7

See also: https://github.com/aquasecurity/trivy#others

Only show severity total from filter flags (#559)

$ trivy image --severity MEDIUM alpine:3.10.2
2020-07-30T16:16:37.890+0300    INFO    Detecting Alpine vulnerabilities...

alpine:3.10.2 (alpine 3.10.2)
=============================
Total: 4 (MEDIUM: 4)

New features

Support OPA to filter vulnerabilities (#562)

Trivy supports Open Policy Agent (OPA) to filter vulnerabilities. You can specify a Rego file with the --ignore-policy option; each vulnerability the policy decides to ignore is dropped from the report.

$ trivy image --ignore-policy contrib/example_filter/basic.rego centos:7

For more details: https://github.com/aquasecurity/trivy#filter-the-vulnerabilities-by-open-policy-agent-policy

Add CWE-ID (#561)

$ trivy image -f json alpine:3.10.2
[
  {
    "Target": "alpine:3.10.2 (alpine 3.10.2)",
    "Type": "alpine",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2019-1549",
        "CweIDs": [
          "CWE-330"
        ],
...

Add --list-all-pkgs option (#574)

The --list-all-pkgs option outputs every installed package/library, including those with no vulnerabilities, together with the image layer each one came from.

$ trivy image -f json --list-all-pkgs alpine:3.10.2
[
  {
    "Target": "alpine:3.10.2 (alpine 3.10.2)",
    "Type": "alpine",
    "Packages": [
      {
        "Name": "alpine-baselayout",
        "Version": "3.1.2-r0",
        "Layer": {
          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
        }
      },
      {
        "Name": "alpine-keys",
        "Version": "2.1-r2",
        "Layer": {
          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
        }
      },
...

Add sarif template (#558)

https://github.blog/2020-10-07-announcing-third-party-code-scanning-tools-infrastructure-as-code-and-container-scanning/

Fixes

  • improve ruby comparison version check. (#552)
  • Fix --timeout flag (#569)
  • rpc: Add CVSS information to client/server (#564)

Changelog

20f2bae Fix non-root directory permission denied error (#578)
8eb9df8 .circleci: Add code coverage (#572)
88aaffa Added support of list-all-packages (#574)
469c0b4 fix: only show severity total from filter flags (#559)
4a34f72 Update README.md (#575)
4d721e1 SARIF: Tweak format for GitHub UI (#571)
9c91da8 Add non root user (#570)
5b9d942 rpc: Add CVSS information to client/server (#564)
d6b37cb Fix --timeout flag (#569)
9c6f077 feat(report): support OPA to filter vulnerabilities (#562)
0b5d936 Fixed case when pre-release is in suffix (#565)
6eebed3 improve ruby comparison version check. (#552)
43085a8 Added sarif template (#558)
4f90b11 feat(vulnerability): add CWE-ID (#561)

Docker images

  • docker pull docker.io/aquasec/trivy:0.10.0
  • docker pull docker.io/aquasec/trivy:latest
trivy - v0.9.2

Published by knqyf263 over 4 years ago

New Features

Support JUnit XML (#541)

You can see the result on the dashboard if your CI service supports JUnit XML. This is an example of CircleCI.


Azure DevOps (Thank you, @lgulliver)


This is implemented by @rahul2393.

Include CVSS score info in a result (#530)

      {
        "VulnerabilityID": "CVE-2019-1547",
        "PkgName": "openssl",
        "InstalledVersion": "1.1.1c-r0",
        "FixedVersion": "1.1.1d-r0",
        "CVSS": {
          "nvd": {
            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
            "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "V2Score": 1.9,
            "V3Score": 4.7
          },
          "redhat": {
            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "V3Score": 5.5
          }
        },
        ...
      }
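The JSON shapes quoted in these notes (the CweIDs and --list-all-pkgs output in v0.10.0, the CVSS block above), the "Total: N (SEVERITY: n)" line produced with --severity, and the kind of package/severity rule an --ignore-policy Rego file expresses can all be exercised from one script that consumes `trivy image -f json --list-all-pkgs` output. The following is an added example, not code from the Trivy project. The report it parses is constructed from fields quoted in these release notes (alpine:3.10.2, the five OpenSSL CVEs with the severities and fixed versions from the table above, the CVSS block for CVE-2019-1547) and is not real scan output; the ignore rule, the gate thresholds and the function names are assumptions of the example, not Trivy options.

```python
"""Post-process a Trivy JSON report: severity totals, max CVSS v3 across
sources, an ignore rule, a release gate, and package-to-layer mapping.
Added example; the report is CONSTRUCTED from values in the release notes."""
import json
from collections import Counter, defaultdict

# Trivy prints severities in ascending order in its summary line.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
LAYER = "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"

# Constructed sample, same shape as `trivy image -f json --list-all-pkgs`.
# Severities/fixed versions come from the table above; CVSS only for
# CVE-2019-1547 (the block quoted above); other entries have no CVSS/CweIDs.
SAMPLE_REPORT = json.dumps([{
    "Target": "alpine:3.10.2 (alpine 3.10.2)",
    "Type": "alpine",
    "Packages": [
        {"Name": "alpine-baselayout", "Version": "3.1.2-r0", "Layer": {"DiffID": LAYER}},
        {"Name": "alpine-keys", "Version": "2.1-r2", "Layer": {"DiffID": LAYER}},
        {"Name": "libssl1.1", "Version": "1.1.1c-r0", "Layer": {"DiffID": LAYER}},
    ],
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2019-1547", "PkgName": "libssl1.1", "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0", "Severity": "LOW",
         "CVSS": {"nvd": {"V2Score": 1.9, "V3Score": 4.7}, "redhat": {"V3Score": 5.5}}},
        {"VulnerabilityID": "CVE-2019-1549", "PkgName": "libssl1.1", "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0", "Severity": "MEDIUM", "CweIDs": ["CWE-330"]},
        {"VulnerabilityID": "CVE-2019-1551", "PkgName": "libssl1.1", "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r2", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2019-1563", "PkgName": "libssl1.1", "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2020-1967", "PkgName": "libssl1.1", "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1g-r0", "Severity": "MEDIUM"},
    ],
}])


def load_report(text):
    """Parse the per-target result array; tolerate missing or null lists."""
    results = json.loads(text)
    for r in results:
        r["Vulnerabilities"] = r.get("Vulnerabilities") or []
        r["Packages"] = r.get("Packages") or []
    return results


def severity_summary(results, severities=None):
    """Count findings, optionally restricted to `severities` (like --severity MEDIUM)."""
    counts = Counter()
    for r in results:
        for v in r["Vulnerabilities"]:
            sev = v.get("Severity", "UNKNOWN")
            if severities is None or sev in severities:
                counts[sev] += 1
    return counts


def format_summary(counts):
    """Render the 'Total: N (SEV: n, ...)' line in Trivy's ascending severity order."""
    parts = ", ".join(f"{s}: {counts[s]}" for s in SEVERITY_ORDER if counts[s])
    total = sum(counts.values())
    return f"Total: {total} ({parts})" if parts else f"Total: {total}"


def max_cvss_v3(vuln):
    """Highest V3Score across whichever sources (nvd, redhat, ...) carry one; None if unscored."""
    scores = [s.get("V3Score") for s in vuln.get("CVSS", {}).values() if s.get("V3Score") is not None]
    return max(scores) if scores else None


def should_ignore(vuln, ignore_pkgs=(), ignore_severities=()):
    """Package/severity ignore rule (the shape of rule an ignore policy expresses; assumed, not
    taken from contrib/example_filter/basic.rego)."""
    return vuln.get("PkgName") in set(ignore_pkgs) or vuln.get("Severity") in set(ignore_severities)


def gate(results, fail_severities=("HIGH", "CRITICAL"), min_score=None, ignore_pkgs=(), ignore_severities=()):
    """IDs that should fail a pipeline: severity in `fail_severities` or max CVSS v3 >= `min_score`,
    after the ignore rule. Unscored findings are judged by severity alone (no silent pass)."""
    failing = []
    for r in results:
        for v in r["Vulnerabilities"]:
            if should_ignore(v, ignore_pkgs, ignore_severities):
                continue
            score = max_cvss_v3(v)
            by_score = min_score is not None and score is not None and score >= min_score
            if v.get("Severity") in fail_severities or by_score:
                failing.append(v["VulnerabilityID"])
    return sorted(failing)


def cwe_ids(results):
    """Map CWE ID -> CVEs carrying it; findings without CweIDs are skipped."""
    out = defaultdict(list)
    for r in results:
        for v in r["Vulnerabilities"]:
            for cwe in v.get("CweIDs") or []:
                out[cwe].append(v["VulnerabilityID"])
    return dict(out)


def packages_by_layer(results):
    """Map Layer DiffID -> 'name-version' list, to trace a finding to the layer that added it."""
    layers = defaultdict(list)
    for r in results:
        for p in r["Packages"]:
            layers[p.get("Layer", {}).get("DiffID", "unknown")].append(f'{p["Name"]}-{p["Version"]}')
    return dict(layers)


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    print(format_summary(severity_summary(report, {"MEDIUM"})))  # mirrors --severity MEDIUM
    print(format_summary(severity_summary(report)))
    print("failing:", gate(report, min_score=5.0))
    print("cwes:", cwe_ids(report))
    for layer, pkgs in packages_by_layer(report).items():
        print(layer[:19], pkgs)
```

Two points worth noting from the design: the gate takes the maximum V3Score across sources rather than trusting one, because the block above shows nvd and redhat disagreeing (4.7 vs 5.5) for the same CVE, and a finding with no CVSS block at all still goes through the severity check so that missing data never turns into a pass.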

Bug fixes

  • fix(writer): Error retrieving template from path when --format is not template but template is provided (#556)
  • fix(log): write error messages to stderr (#538)
  • fix(alpine): replace go-deb-version with go-apk-version (#520)
  • fix: MissingBlobs is implemented different in FS and S3 the method log… (#522)

Changelog

d9fa353 Fixing Error retrieving template from path when --format is not template but template is provided (#556)
9a1d746 Adding contrib/junit.tpl to docker image (#554)
d18d17b db: Update trivy-db to include CVSS score info (#530)
4b57c0d docs: fix markdown (#553)
ccd9b2d Added function to escape string in failure message title and descriptions (#551)
ec770cd Added JUNIT support (#541)
b7ec633 chore(docs): mention air-gapped environment (#544)
7aabff1 chore(README): add programming languages (#543)
9dc1bdf fix(log): write error messages to stderr (#538)
2ac672a Use StoreMetadata from trivy-db (#509)
11ae6b2 docs: add more CI options to README (#535)
f201f59 chore(Dockerfile): bump up alpine to 3.12 (#528)
25d45e1 fix(alpine): replace go-deb-version with go-apk-version (#520)
298ba99 fix: MissingBlobs is implemented different in FS and S3 the method log… (#522)

Docker images

  • docker pull docker.io/aquasec/trivy:0.9.2
  • docker pull docker.io/aquasec/trivy:latest