Releases: aquasecurity/trivy
v0.49.0
⚡Release highlights and summary⚡
👉 #6033
Changelog
- 729a051 fix(java): recursive check all nested depManagements with import scope for pom.xml files (#5982)
- 884745b chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 (#6029)
- 59e5433 fix(cli): inconsistent behavior across CLI flags, environment variables, and config files (#5843)
- 5924c02 feat(rust): Support workspace.members parsing for Cargo.toml analysis (#5285)
- 4df9363 docs: add note about Bun (#6001)
- 70dd572 fix(report): use `AWS_REGION` env for secrets in `asff` template (#6011)
- 13f797f fix: check returned error before deferring f.Close() (#6007)
- adfde63 feat(misconf): add support of buildkit instructions when building dockerfile from image config (#5990)
- e2eb70e feat(vuln): enable `--vex` for all targets (#5992)
- f9da021 docs: update link to data sources (#6000)
- b4b90cf feat(java): add support for line numbers for pom.xml files (#5991)
- fb36c4e refactor(sbom): use new `metadata.tools` struct for CycloneDX (#5981)
- f6be42b docs: Update troubleshooting guide with image not found error (#5983)
- bb6caea style: update band logos (#5968)
- 189a46a chore(deps): Update misconfig deps (#5956)
- 91a2547 docs: update cosign tutorial and commands, update kyverno policy (#5929)
- a96f66f docs: update command to scan go binary (#5969)
- 2212d14 fix: handle non-parsable images names (#5965)
- 7cad04b chore(deps): bump aquaproj/aqua-installer from 2.1.2 to 2.2.0 (#5693)
- fbc1a83 fix(amazon): save system files for pkgs containing `amzn` in src (#5951)
- 260aa28 fix(alpine): Add EOL support for alpine 3.19. (#5938)
- 2c9d7c6 feat: allow end-users to adjust K8S client QPS and burst (#5910)
- ffe2ca7 chore(deps): bump go-ebs-file (#5934)
- f90d4ee fix(nodejs): find licenses for packages with slash (#5836)
- c75143f fix(sbom): use `group` field for pom.xml and nodejs files for CycloneDX reports (#5922)
- a3fac90 fix: ignore no init containers (#5939)
- b1b4734 docs: Fix documentation of ecosystem (#5940)
- a2b6549 docs(misconf): multiple ignores in comment (#5926)
- ae134a9 fix(secret): find aws secrets ending with a comma or dot (#5921)
- c8c55fe chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.11.90 to 1.15.11 (#5885)
- 4d2e785 docs: ✨ Updated ecosystem docs with reference to new community app (#5918)
- 7895657 fix(java): don't remove excluded deps from upper pom's (#5838)
- 37e7e3e fix(java): check if a version exists when determining GAV by file name for `jar` files (#5630)
- d0c81e2 feat(vex): add PURL matching for CSAF VEX (#5890)
- 958e1f1 fix(secret): `AWS Secret Access Key` must include only secrets with `aws` text. (#5901)
- 56c4e24 revert(report): don't escape new line characters for sarif format (#5897)
- 92d9b3d docs: improve filter by rego (#5402)
- a626cdf chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7 (#5892)
- 47b6c28 docs: add_scan2html_to_trivy_ecosystem (#5875)
- 0ebb6c4 fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode (#5888)
- c47ed0d feat(vex): Add support for CSAF format (#5535)
- 2cdd65d chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts from 1.26.2 to 1.26.7 (#5880)
- cba67d1 chore(deps): bump actions/setup-go from 4 to 5 (#5845)
- d990e70 chore(deps): bump actions/stale from 8 to 9 (#5846)
- c72dfbf chore(deps): bump github.com/open-policy-agent/opa from 0.58.0 to 0.60.0 (#5853)
- 1218984 chore(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 (#5847)
- 682210a chore(deps): bump modernc.org/sqlite from 1.23.1 to 1.28.0 (#5854)
- e1a60cc chore(deps): bump alpine from 3.18.5 to 3.19.0 (#5849)
- b508414 chore(deps): bump actions/setup-python from 4 to 5 (#5848)
- df3e90a feat(python): parse licenses from dist-info folder (#4724)
- fa2e883 chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.7.0 to 0.8.0 (#5852)
- 30eff9c feat(nodejs): add yarn alias support (#5818)
- 013df4c chore(deps): bump github.com/samber/lo from 1.38.1 to 1.39.0 (#5850)
- b1489f3 chore(deps): bump github.com/hashicorp/go-getter from 1.7.2 to 1.7.3 (#5856)
- 7f2e422 chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0 (#5855)
- da597c4 refactor: propagate time through context values (#5858)
- 1607eee refactor: move PkgRef under PkgIdentifier (#5831)
- b3d516e fix(cyclonedx): fix unmarshal for licenses (#5828)
- c17b660 chore(deps): bump github.com/go-git/go-git/v5 from 5.10.1 to 5.11.0 (#5830)
- 1f0d629 feat(vuln): include pkg identifier on detected vulnerabilities (#5439)
v0.48.3
v0.48.2
v0.48.1
Changelog
- ba825b2 chore(deps): bump trivy-iac to v0.7.1 (#5797)
- abf227e fix(bitnami): use a different comparer for detecting vulnerabilities (#5633)
- df49ea4 refactor(sbom): disable html escaping for CycloneDX (#5764)
- f25e2df refactor(purl): use `pub` from `package-url` (#5784)
- b5e3b77 docs(python): add note to using `pip freeze` for `compatible releases` (#5760)
- 6cc00c2 fix(report): use OS information for OS packages purl in `github` template (#5783)
- c317fe8 fix(report): fix error if misconfigs are empty (#5782)
- 9b4bced refactor(vuln): don't remove VendorSeverity in JSON report (#5761)
- be5a550 fix(report): don't mark misconfig passed tests as failed in junit.tpl (#5767)
- 01edbda docs(k8s): replace --scanners config with --scanners misconfig in docs (#5746)
- eb97419 fix(report): update Gitlab template (#5721)
- be1c554 feat(secret): add support of GitHub fine-grained tokens (#5740)
- a5342da fix(misconf): add an image misconf to result (#5731)
- 108a5b0 feat(secret): added support of Docker registry credentials (#5720)
- 6080e24 chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.45 to 1.25.11 (#5717)
- e27ec32 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.21.0 to 1.24.1 (#5701)
v0.48.0
⚡Release highlights and summary⚡
👉 #5724
Changelog
- f2aa9bf chore(deps): bump sigstore/cosign-installer from 4a861528be5e691840a69536975ada1d4c30349d to 1fc5bd396d372bee37d608f955b336615edf79c8 (#5696)
- 6d7e2f8 chore(deps): bump helm/chart-testing-action from 2.4.0 to 2.6.1 (#5694)
- 0ff5f96 feat: filter k8s core components vuln results (#5713)
- a54d1e9 feat(vuln): remove duplicates in Fixed Version (#5596)
- 99c04c4 feat(report): output plugin (#4863)
- 70078b9 chore(deps): bump alpine from 3.18.4 to 3.18.5 (#5700)
- 49e83a6 chore(deps): bump github.com/google/go-containerregistry from 0.16.1 to 0.17.0 (#5704)
- af32cb3 chore(deps): bump github.com/go-git/go-git/v5 from 5.8.1 to 5.10.1 (#5699)
- 1766271 chore(deps): bump actions/github-script from 6 to 7 (#5697)
- 7ee8547 chore(deps): bump easimon/maximize-build-space from 8 to 9 (#5695)
- 654147f docs: typo in modules.md (#5712)
- 2569575 feat: Add flag to configure node-collector image ref (#5710)
- c061009 chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.7.1 to 1.9.0 (#5702)
- aedbd85 chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.4 to 2.31.0 (#5698)
- e018b9c chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.3.1 to 1.4.0 (#5706)
- b5874e3 feat(misconf): Add `--misconfig-scanners` option (#5670)
- 075d8f6 chore: bump Go to 1.21 (#5662)
- 16b757d feat: Packagesprops support (#5605)
- 372efc9 chore(deps): Bump up trivy misconf deps (#5656)
- edad5f6 docs: update adopters discussion template (#5632)
- ed9d340 docs: terraform tutorial links updated to point to correct loc (#5661)
- 8ff574e fix(secret): add `sec` and space to secret prefix for `aws-secret-access-key` (#5647)
- ad977a4 fix(nodejs): support protocols for dependency section in yarn.lock files (#5612)
- b1dc60b fix(secret): exclude upper case before secret for `alibaba-access-key-id` (#5618)
- 65351d4 docs: Update Arch Linux package URL in installation.md (#5619)
- c866f1c chore: add prefix to image errors (#5601)
- ed0022b docs(vuln): fix link anchor (#5606)
- 3c81727 docs: Add Dagger integration section and cleanup Ecosystem CICD docs page (#5608)
- 2145464 fix: k8s friendly error messages kbom non cluster scans (#5594)
- 44d0b28 feat: set InstalledFiles for DEB and RPM packages (#5488)
- ae4bcf6 fix(report): use time.Time for CreatedAt (#5598)
- b6fafa0 test: retry containerd initialization (#5597)
- 1336223 feat(misconf): Expose misconf engine debug logs with `--debug` option (#5550)
- 7105186 test: mock VM walker (#5589)
- d9d7f3f chore: bump node-collector v0.0.9 (#5591)
- e3c28f8 feat(misconf): Add support for `--cf-params` for CFT (#5507)
- ac0e327 feat(flag): replace '--slow' with '--parallel' (#5572)
- 5372067 fix(report): add escaping for Sarif format (#5568)
- a389529 chore: show a deprecation notice for `--scanners config` (#5587)
- f4dd062 feat(report): Add CreatedAt to the JSON report. (#5542) (#5549)
- d005f5a test: mock RPM DB (#5567)
- a96ec35 feat: add aliases to '--scanners' (#5558)
- 950e431 refactor: reintroduce output writer (#5564)
- 2310f0d chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#5543)
- 04b93e9 chore: not load plugins for auto-generating docs (#5569)
- cccaa15 chore: sort supported AWS services (#5570)
- 3891e3d fix: no schedule toleration (#5562)
- 138feb0 fix(cli): set correct `scanners` for `k8s` target (#5561)
- cb241a8 fix(sbom): add `FilesAnalyzed` and `PackageVerificationCode` fields for SPDX (#5533)
- e7f6a5c refactor(misconf): Update refactored dependencies (#5245)
- 2f5afa5 feat(secret): add built-in rule for JWT tokens (#5480)
- 91fc8da fix: trivy k8s parse ecr image with arn (#5537)
- 05df244 fix: fail k8s resource scanning (#5529)
- a1b4744 refactor(misconf): don't remove Highlighted in json format (#5531)
- 7712f8f docs(k8s): fix link in kubernetes.md (#5524)
- 043fbfc docs(k8s): fix whitespace in list syntax (#5525)
v0.47.0
⚡Release highlights and summary⚡
👉 #5520
Changelog
- d6df5fb docs: add info that license scanning supports file-patterns flag (#5484)
- 156d4cc docs: add Zora integration into Ecosystem session (#5490)
- 772d1d0 fix(sbom): Use UUID as BomRef for packages with empty purl (#5448)
- df47073 ci: use maximize build space for K8s tests (#5387)
- fed4710 fix: correct error mismatch causing race in fast walks (#5516)
- 46f1b9e docs: k8s vulnerability scanning (#5515)
- fdb3a15 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts from 1.23.2 to 1.25.0 (#5506)
- d0d956f chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.2.2 to 2.3.0 (#5493)
- 68b0797 docs: remove glad for java datasources (#5508)
- 474167c chore(deps): bump github.com/testcontainers/testcontainers-go/modules/localstack from 0.21.0 to 0.26.0 (#5475)
- 7299867 chore: remove unused logger attribute in amazon detector (#5476)
- 8656bd9 fix: correct error mismatch causing race in fast walks (#5482)
- 2e10cd2 chore(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5502)
- 13df746 chore(deps): bump docker/build-push-action from 4 to 5 (#5500)
- b0141cf chore(deps): bump github.com/package-url/packageurl-go from 0.1.2-0.20230812223828-f8bb31c1f10b to 0.1.2 (#5491)
- 520830b fix(server): add licenses to `BlobInfo` message (#5382)
- 9a6e125 chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#5501)
- 6e59272 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.17.18 to 1.21.0 (#5497)
- f3de7bc feat: scan vulns on k8s core component apps (#5418)
- e2fb3dd fix(java): fix infinite loop when `relativePath` field points to `pom.xml` being scanned (#5470)
- 3e833be chore(deps): bump github.com/docker/docker from 24.0.5+incompatible to 24.0.7+incompatible (#5472)
- ca50b77 fix(sbom): save digests for package/application when scanning SBOM files (#5432)
- 048150d docs: fix the broken link (#5454)
- 013d901 docs: fix error when installing `PyYAML` for gh pages (#5462)
- 26b4959 fix(java): download java-db once (#5442)
- 57fa701 chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.57.1 (#5447)
- 53c9a7d docs(misconf): Update `--tf-exclude-downloaded-modules` description (#5419)
- 01c98d1 feat(misconf): Support `--ignore-policy` in config scans (#5359)
- 05b3c86 docs(misconf): fix broken table for `Use container image` section (#5425)
- 1a15a3a feat(dart): add graph support (#5374)
- f2a12f5 refactor: define a new struct for scan targets (#5397)
- 6040d9f fix(sbom): add missed `primaryURL` and `source severity` for CycloneDX (#5399)
- e5317c7 fix: correct invalid MD5 hashes for rpms ending with one or more zero bytes (#5393)
- 9fba79f chore(deps): move to aws-sdk-go-v2 (#5381)
- 00f2059 docs: remove --scanners none (#5384)
- 57a1022 docs: Update container_image.md #5182 (#5193)
- 5b2b4ea feat(report): Add `InstalledFiles` field to Package (#4706)
v0.46.1
v0.46.0
⚡Release highlights and summary⚡
👉 #5377
Changelog
- cbbd1ce feat(k8s): add support for vulnerability detection (#5268)
- 24a0d92 fix(python): override BOM in `requirements.txt` files (#5375)
- 0c3e2f0 docs: add kbom documentation (#5363)
- 6c12f04 test: use maximize build space for VM tests (#5362)
- c413422 chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 (#5365)
- 20ab703 fix(report): add escaping quotes in misconfig Title for asff template (#5351)
- 91841f5 ci: add workflow to check Go versions of dependencies (#5340)
- 57ba05c chore(deps): Upgrade defsec to v0.93.1 (#5348)
- fef3ed4 chore(deps): bump alpine from 3.18.3 to 3.18.4 (#5300)
- ced54ac fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342)
- 2798df9 fix: add config files to FS for post-analyzers (#5333)
- af485b3 fix: fix MIME warnings after updating to Go 1.20 (#5336)
- 008babf build: fix a compile error with Go 1.21 (#5339)
- 00d9c46 feat: added `Metadata` into the k8s resource's scan report (#5322)
- 03b6787 ci: check only PR's in `actions/stale` (#5337)
- e6d5889 chore: update adopters template (#5330)
- 74dbd8a ci: do not trigger tests on the push event (#5313)
- 393bfdc fix(sbom): use PURL or Group and Name in case of Java (#5154)
- 76eb8a5 docs: add buildkite repository to ecosystem page (#5316)
- 6c74ee1 chore(deps): bump docker/setup-qemu-action from 2 to 3 (#5290)
- 6119878 chore(deps): bump docker/setup-buildx-action from 2 to 3 (#5292)
- a346587 chore(deps): bump actions/cache from 3.3.1 to 3.3.2 (#5293)
- 7e613cc chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 (#5286)
- f05bc4b chore(deps): bump github.com/hashicorp/go-getter from 1.7.1 to 1.7.2 (#5289)
- 3be5e6b chore: enable go-critic (#5302)
- f6cd21c chore(deps): bump actions/checkout from 3.6.0 to 4.1.0 (#5288)
- f7b9751 chore(deps): bump github.com/aws/aws-sdk-go from 1.45.3 to 1.45.19 (#5287)
- 18d1687 close java-db client (#5273)
- eb60e9f chore(deps): bump docker/login-action from 2 to 3 (#5291)
- 5a92055 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#5294)
- 46afe65 chore(deps): bump github.com/sigstore/rekor from 1.2.1 to 1.3.0 (#5304)
- 0bf2a11 chore(deps): bump github.com/opencontainers/image-spec (#5295)
- 23b5fec fix(report): removes git::http from uri in sarif (#5244)
- 4f1d576 Improve the meaning of sentence (#5301)
- 6ab2bdf chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.2.0 to 2.2.2 (#5297)
- 4217cff chore(deps): bump golang.org/x/term from 0.11.0 to 0.12.0 (#5296)
- 1840584 add app nil check (#5274)
- c5ae9f2 typo: in secret.md (#5281)
- 562723f docs: add info about `github` format (#5265)
- 3dd5b1e feat(dotnet): add license support for NuGet (#5217)
- 5c18475 docs: correctly export variables (#5260)
- 0c08dde chore: Add line numbers for lint output (#5247)
- 0ccbb4f chore(cli): disable java-db flags in server mode (#5263)
- 908a491 feat(db): allow passing registry options (#5226)
- 5b4652d chore(deps): Bump up defsec to v0.93.0 (#5253)
- faf8d49 refactor(purl): use TypeApk from purl (#5232)
- 559c0f3 chore: enable more linters (#5228)
- 2baad46 ci: bump GoReleaser from 1.16.2 to 1.20.0 (#5236)
- df2bff9 Fix typo on ide.md (#5239)
- 44656f2 refactor: use defined types (#5225)
- 37af529 fix(purl): skip local Go packages (#5190)
- eea3320 docs: update info about license scanning in Yarn projects (#5207)
- 2e66620 ci: auto apply labels (#5200)
- 49680dc fix link (#5203)
v0.45.1
Changelog
- daae882 fix(purl): handle rust types (#5186)
- 81240cf chore: auto-close issues (#5177)
- bd0accd chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 (#5093)
- ecee794 fix(k8s): kbom support addons labels (#5178)
- 9ebc25d test: validate SPDX with the JSON schema (#5124)
- 9a49a37 chore: bump trivy-kubernetes-latest (#5161)
- ad1dc63 docs: add 'Signature Verification' guide (#4731)
- 7c68d4a docs: add image-scanner-with-trivy for ecosystem (#5159)
- ed49609 fix(fs): assign the absolute path to be inspected to ROOTPATH when filesystem (#5158)
- 1953972 chore(deps): bump github.com/CycloneDX/cyclonedx-go (#5102)
- c751601 Update filtering.md (#5131)
- ccc6d7c chore(deps): bump sigstore/cosign-installer (#5104)
- 48cbf45 chore(deps): bump github.com/cyphar/filepath-securejoin (#5143)
- a9c2c74 chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#5103)
- 120ac68 chore(deps): bump easimon/maximize-build-space from 7 to 8 (#5105)
- 41eaa78 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.273 to 1.45.3 (#5126)
- 932f927 changing adopters discussion template (#5091)
- db31333 chore(deps): bump github.com/cheggaaa/pb/v3 from 3.1.2 to 3.1.4 (#5092)
- 8c0b7d6 chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.2 to 2.0.6 (#5094)
- c61c664 chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#5095)
- a99944c chore(deps): bump github.com/containerd/containerd from 1.7.3 to 1.7.5 (#5097)
- 9fc844e chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#5098)
- c504f8b chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 (#5106)
v0.45.0
⚡Release highlights and summary⚡
👉 #5082
Changelog
- cdab67e docs: add Bitnami (#5078)
- 7acc5e8 feat(docker): add support for scanning Bitnami components (#5062)
- 9628b1c feat: add support for .trivyignore.yaml (#5070)
- 4547e27 fix(terraform): improve detection of terraform files (#4984)
- 0c8919e feat: filter artifacts on --exclude-owned flag (#5059)
- c04f234 fix(sbom): cyclonedx advisory should omit `null` value (#5041)
- f811ed2 build: maximize build space for build tests (#5072)
- 69ea5bf feat: improve kbom component name (#5058)
- 3715dcb fix(pom): add licenses for pom artifacts (#5071)
- 07f7e98 chore(deps): Update defsec to v0.92.0 (#5068)
- d4ca3cc chore: bump Go to `1.20` (#5067)
- 49fdd58 feat: PURL matching with qualifiers in OpenVEX (#5061)
- 4401998 feat(java): add graph support for pom.xml (#4902)
- 9c211d0 feat(swift): add vulns for cocoapods (#5037)
- 422fa41 fix: support image pull secret for additional workloads (#5052)
- 8e93386 fix: #5033 Superfluous double quote in html.tpl (#5036)
- 9345a98 docs(repo): update trivy repo usage and example (#5049)
- 5d8da70 perf: Optimize Dockerfile for reduced layers and size (#5038)
- 1be9da7 feat: scan K8s Resources Kind with --all-namespaces (#5043)
- 0e17d0b fix: vulnerability typo (#5044)
- d70fab2 docs: adding a terraform tutorial to the docs (#3708)
- 2fa264a feat(report): add licenses to sarif format (#4866)
- 07ddf47 feat(misconf): show the resource name in the report (#4806)
- 9de3606 chore: update alpine base images (#5015)
- ef70d20 feat: add Package.resolved swift files support (#4932)
- ec5d8be feat(nodejs): parse licenses in yarn projects (#4652)
- 3114c87 fix: k8s private registries support (#5021)
- 6d79f55 bump github.com/testcontainers/testcontainers-go from 0.21.0 to 0.23.0 (#5018)
- 9ace591 feat(vuln): support last_affected field from osv (#4944)
- d442176 feat(server): add version endpoint (#4869)
- 63cd41d feat: k8s private registries support (#4987)
- cb16e23 fix(server): add indirect prop to package (#4974)
- a4e981b docs: add coverage (#4954)
- 6f03c79 feat(c): add location for lock file dependencies. (#4994)
- c748705 docs: adding blog post on ec2 (#4813)
- 4e1316c revert 32bit bins (#4977)
- fc959fc chore(deps): bump github.com/xlab/treeprint from 1.1.0 to 1.2.0 (#4917)
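The `.trivyignore.yaml` support introduced in #5070 replaces the one-ID-per-line `.trivyignore` list with a structured file, which lets a suppression carry a reason and an expiry instead of silencing a finding forever. The following file is an added example written for this page, not a file from the Trivy repository or its release notes. The section names (`vulnerabilities`, `misconfigurations`, `secrets`, `licenses`) and the per-entry keys (`id`, `paths`, `statement`, `expired_at`) follow the documented format; the specific finding IDs, file paths, statements and the date are constructed placeholders chosen only to show where each field goes.

```yaml
# .trivyignore.yaml (added example; IDs, paths and dates are constructed placeholders)

vulnerabilities:
  # Ignore one CVE only where it is reached through a specific file,
  # and record why, so the suppression can be audited later.
  - id: CVE-2022-40897
    paths:
      - "usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA"
    statement: ReDoS in setuptools; package metadata is never parsed at runtime in this image
  # A time-boxed suppression: Trivy reports the finding again once the date has passed.
  - id: CVE-2023-3817
    expired_at: 2024-03-01
    statement: Fix scheduled with the next base-image rebuild

misconfigurations:
  # Built-in check IDs (AVD-...) are ignored the same way as CVEs.
  - id: AVD-DS-0002
    paths:
      - "build/Dockerfile"
    statement: Build-stage image intentionally runs as root; the final stage drops privileges

secrets:
  # Secret rules are referenced by their rule ID, not by the matched string.
  - id: aws-access-key-id
    paths:
      - "testdata/fixtures/aws_credentials_example"
    statement: Synthetic credentials used only by unit tests

licenses:
  # For licenses the license name is the ID.
  - id: GPL-3.0
    paths:
      - "usr/share/doc/gcc/python/libstdcxx/v6/__init__.py"
    statement: GCC runtime; covered by the GCC Runtime Library Exception
```

Pass the file explicitly with `--ignorefile .trivyignore.yaml` (for example `trivy image --ignorefile .trivyignore.yaml IMAGE`). Scoping each entry with `paths` keeps the suppression from hiding the same ID when it later shows up in an unrelated package, and `expired_at` is the mechanism that turns an accepted risk back into a reported finding without anyone having to remember to edit the file.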