Merge branch 'main' into feat/spdx_unmarshal

.github/workflows/reusable-release.yaml

@@ -13,7 +13,6 @@ on:
         type: string
 
 env:
-  GO_VERSION: "1.18"
   GH_USER: "aqua-bot"
 
 jobs:
@@ -60,16 +59,16 @@ jobs:
           username: ${{ secrets.ECR_ACCESS_KEY_ID }}
           password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
 
-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
       - name: Checkout code
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
       - name: Generate SBOM
         uses: CycloneDX/gh-gomod-generate-sbom@v1
         with:
@@ -106,4 +105,4 @@ jobs:
           # use 'github.sha' to create a unique cache folder for each run.
           # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
           # e.g. build and release runs
-          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

.github/workflows/test.yaml

@@ -10,8 +10,7 @@ on:
       - 'LICENSE'
   pull_request:
 env:
-  GO_VERSION: "1.18"
-  TINYGO_VERSION: "0.24.0"
+  TINYGO_VERSION: "0.25.0"
 jobs:
   test:
     name: Test
@@ -22,7 +21,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
 
       - name: go mod tidy
         run: |
@@ -35,7 +34,7 @@ jobs:
       - name: Lint
         uses: golangci/golangci-lint-action@v3.2.0
         with:
-          version: v1.45
+          version: v1.49
           args: --deadline=30m
           skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
 
@@ -51,36 +50,34 @@ jobs:
     name: Integration Test
     runs-on: ubuntu-latest
     steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: ${{ env.GO_VERSION }}
-      id: go
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
 
-    - name: Run integration tests
-      run: make test-integration
+      - name: Run integration tests
+        run: make test-integration
 
   module-test:
     name: Module Integration Test
     runs-on: ubuntu-latest
     steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
+          go-version-file: go.mod
 
       - name: Install TinyGo
         run: |
           wget https://github.com/tinygo-org/tinygo/releases/download/v${TINYGO_VERSION}/tinygo_${TINYGO_VERSION}_amd64.deb
           sudo dpkg -i tinygo_${TINYGO_VERSION}_amd64.deb
 
-      - name: Checkout
-        uses: actions/checkout@v3
-
       - name: Run module integration tests
         run: |
           make test-module-integration
@@ -107,7 +104,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: ${{ env.GO_VERSION }}
+        go-version-file: go.mod
 
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v3

.golangci.yaml

@@ -21,18 +21,17 @@ linters-settings:
     local-prefixes: github.com/aquasecurity
   gosec:
     excludes:
+      - G114
       - G204
       - G402
 
 linters:
   disable-all: true
   enable:
-    - structcheck
+    - unused
     - ineffassign
     - typecheck
     - govet
-    - varcheck
-    - deadcode
     - revive
     - gosec
     - unconvert
@@ -43,7 +42,7 @@ linters:
     - misspell
 
 run:
-  go: 1.18
+  go: 1.19
   skip-files:
     - ".*._mock.go$"
     - ".*._test.go$"

Dockerfile.protoc

@@ -1,4 +1,4 @@
-FROM golang:1.18.4
+FROM golang:1.19.0
 
 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip

Makefile

@@ -26,7 +26,7 @@ $(GOBIN)/crane:
 	go install github.com/google/go-containerregistry/cmd/crane@v0.9.0
 
 $(GOBIN)/golangci-lint:
-	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.45.2
+	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0
 
 $(GOBIN)/labeler:
 	go install github.com/knqyf263/labeler@latest

docs/docs/integrations/azure-devops.md

@@ -4,6 +4,11 @@
 
 ![trivy-azure](https://github.com/aquasecurity/trivy-azure-pipelines-task/blob/main/screenshot.png?raw=true)
 
+### [Use ImageCleaner to clean up stale images on your Azure Kubernetes Service cluster][azure2]
+
+It's common to use pipelines to build and deploy images on Azure Kubernetes Service (AKS) clusters. While great for image creation, this process often doesn't account for the stale images left behind and can lead to image bloat on cluster nodes. These images can present security issues as they may contain vulnerabilities. By cleaning these unreferenced images, you can remove an area of risk in your clusters. When done manually, this process can be time intensive, which ImageCleaner can mitigate via automatic image identification and removal.
+
+ Vulnerability is determined based on a trivy scan, after which images with a LOW, MEDIUM, HIGH, or CRITICAL classification are flagged. An updated ImageList will be automatically generated by ImageCleaner based on a set time interval, and can also be supplied manually.
 ### [Microsoft Defender for container registries and Trivy][azure]
 
 This blog explains how to scan your Azure Container Registry-based container images with the integrated vulnerability scanner when they're built as part of your GitHub workflows.
@@ -14,4 +19,4 @@ The findings of the CI/CD scans are an enrichment to the existing registry scan
 
 [action]: https://github.com/aquasecurity/trivy-azure-pipelines-task
 [azure]: https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-cicd
-
+[azure2]: https://docs.microsoft.com/en-us/azure/aks/image-cleaner?tabs=azure-cli

go.mod

@@ -1,6 +1,6 @@
 module github.com/aquasecurity/trivy
 
-go 1.18
+go 1.19
 
 require (
 	github.com/CycloneDX/cyclonedx-go v0.6.0

pkg/fanal/analyzer/pkg/rpm/rpm.go

@@ -160,10 +160,12 @@ func (a rpmPkgAnalyzer) parsePkgInfo(rc io.Reader) ([]types.Package, []string, e
 	return pkgs, installedFiles, nil
 }
 
-// splitFileName returns a name, version, release, epoch, arch
-// e.g.
-//    foo-1.0-1.i386.rpm returns foo, 1.0, 1, i386
-//    1:bar-9-123a.ia64.rpm returns bar, 9, 123a, 1, ia64
+// splitFileName returns a name, version, release, epoch, arch:
+//
+//	e.g.
+//		foo-1.0-1.i386.rpm => foo, 1.0, 1, i386
+//		1:bar-9-123a.ia64.rpm => bar, 9, 123a, 1, ia64
+//
 // https://github.com/rpm-software-management/yum/blob/043e869b08126c1b24e392f809c9f6871344c60d/rpmUtils/miscutils.py#L301
 func splitFileName(filename string) (name, ver, rel string, err error) {
 	if strings.HasSuffix(filename, ".rpm") {

pkg/fanal/artifact/sbom/sbom.go

@@ -13,7 +13,6 @@ import (
 
 	"github.com/aquasecurity/trivy/pkg/attestation"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
-	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
 	"github.com/aquasecurity/trivy/pkg/fanal/artifact"
 	"github.com/aquasecurity/trivy/pkg/fanal/cache"
 	"github.com/aquasecurity/trivy/pkg/fanal/handler"
@@ -30,8 +29,7 @@ type Artifact struct {
 	analyzer       analyzer.AnalyzerGroup
 	handlerManager handler.Manager
 
-	artifactOption      artifact.Option
-	configScannerOption config.ScannerOption
+	artifactOption artifact.Option
 }
 
 func NewArtifact(filePath string, c cache.ArtifactCache, opt artifact.Option) (artifact.Artifact, error) {

pkg/fanal/test/integration/library_test.go

@@ -241,6 +241,14 @@ func commonChecks(t *testing.T, detail types.ArtifactDetail, tc testCase) {
 }
 
 func checkOSPackages(t *testing.T, detail types.ArtifactDetail, tc testCase) {
+	// Sort OS packages for consistency
+	sort.Slice(detail.Packages, func(i, j int) bool {
+		if detail.Packages[i].Name != detail.Packages[j].Name {
+			return detail.Packages[i].Name < detail.Packages[j].Name
+		}
+		return detail.Packages[i].Version < detail.Packages[j].Version
+	})
+
 	splitted := strings.Split(tc.remoteImageName, ":")
 	goldenFile := fmt.Sprintf("testdata/goldens/packages/%s.json.golden", splitted[len(splitted)-1])
 

pkg/fanal/test/integration/testdata/goldens/packages/opensuse-leap-151.json.golden

@@ -209,8 +209,8 @@
   },
   {
     "Name": "gpg-pubkey",
-    "Version": "3dbdc284",
-    "Release": "53674dd4",
+    "Version": "307e3d54",
+    "Release": "5aaa90a5",
     "Arch": "None",
     "License": "pubkey",
     "Layer": {
@@ -219,8 +219,8 @@
   },
   {
     "Name": "gpg-pubkey",
-    "Version": "307e3d54",
-    "Release": "5aaa90a5",
+    "Version": "39db7c82",
+    "Release": "5847eb1f",
     "Arch": "None",
     "License": "pubkey",
     "Layer": {
@@ -229,8 +229,8 @@
   },
   {
     "Name": "gpg-pubkey",
-    "Version": "39db7c82",
-    "Release": "5847eb1f",
+    "Version": "3dbdc284",
+    "Release": "53674dd4",
     "Arch": "None",
     "License": "pubkey",
     "Layer": {

pkg/fanal/test/integration/testdata/goldens/packages/suse-15.3_ndb.json.golden

@@ -209,8 +209,8 @@
   },
   {
     "Name": "gpg-pubkey",
-    "Version": "39db7c82",
-    "Release": "5f68629b",
+    "Version": "307e3d54",
+    "Release": "5aaa90a5",
     "Arch": "None",
     "License": "pubkey",
     "Layer": {
@@ -219,8 +219,8 @@
   },
   {
     "Name": "gpg-pubkey",
-    "Version": "307e3d54",
-    "Release": "5aaa90a5",
+    "Version": "39db7c82",
+    "Release": "5f68629b",
     "Arch": "None",
     "License": "pubkey",
     "Layer": {

pkg/flag/cache_flags.go

@@ -9,14 +9,15 @@ import (
 	"golang.org/x/xerrors"
 )
 
-// e.g. config yaml
-// cache:
-//   clear: true
-//   backend: "redis://localhost:6379"
-//   redis:
-//    ca: ca-cert.pem
-//    cert: cert.pem
-//    key: key.pem
+// e.g. config yaml:
+//
+//	cache:
+//	  clear: true
+//	  backend: "redis://localhost:6379"
+//	redis:
+//	  ca: ca-cert.pem
+//	  cert: cert.pem
+//	  key: key.pem
 var (
 	ClearCacheFlag = Flag{
 		Name:       "clear-cache",

pkg/flag/misconf_flags.go

@@ -4,11 +4,12 @@ import (
 	"github.com/aquasecurity/trivy/pkg/log"
 )
 
-// e.g. config yaml
-// misconfiguration:
-//   trace: true
-//   config-policy: "custom-policy/policy"
-//   policy-namespaces: "user"
+// e.g. config yaml:
+//
+//	misconfiguration:
+//	  trace: true
+//	  config-policy: "custom-policy/policy"
+//	  policy-namespaces: "user"
 var (
 	IncludeNonFailuresFlag = Flag{
 		Name:       "include-non-failures",

pkg/flag/options.go

@@ -289,7 +289,7 @@ func (f *Flags) Bind(cmd *cobra.Command) error {
 	return nil
 }
 
-//nolint: gocyclo
+// nolint: gocyclo
 func (f *Flags) ToOptions(appVersion string, args []string, globalFlags *GlobalFlagGroup, output io.Writer) (Options, error) {
 	var err error
 	opts := Options{

pkg/flag/report_flags.go

@@ -14,12 +14,11 @@ import (
 	"github.com/aquasecurity/trivy/pkg/result"
 )
 
-// e.g. config yaml
-// report:
-//   format: table
-//   dependency-tree: true
-//   exit-code: 1
-//   severity: HIGH,CRITICAL
+// e.g. config yaml:
+//
+//	format: table
+//	dependency-tree: true
+//	severity: HIGH,CRITICAL
 var (
 	FormatFlag = Flag{
 		Name:       "format",

pkg/k8s/commands/run.go

@@ -93,8 +93,9 @@ func run(ctx context.Context, opts flag.Options, cluster string, artifacts []*ar
 // To show all the results, user needs to specify "--report all" explicitly
 // even though the default value of "--report" is "all".
 //
-// e.g. $ trivy k8s --report all cluster
-//      $ trivy k8s --report all all
+// e.g.
+// $ trivy k8s --report all cluster
+// $ trivy k8s --report all all
 //
 // Or they can use "--format json" with implicit "--report all".
 //