------------------------------------------------------------------- Wed Jul 27 06:38:26 UTC 2022 - kastl@b1-systems.de - Update to version 0.30.4: * fix: remove the first arg when running as a plugin (#2595) * fix: k8s controlplaner scanning (#2593) * fix(vuln): GitLab report template (#2578) ------------------------------------------------------------------- Tue Jul 26 11:29:36 UTC 2022 - kastl@b1-systems.de - Update to version 0.30.3: * fix(server): use a new db worker for hot updates (#2581) * docs: add trivy with download-db-only flag to Air-Gapped Environment (#2583) * docs: split commands to download db for different versions of oras (#2582) * feat(report): export exitcode for license checks (#2564) * fix: cli can use lowercase for severities (#2565) * fix: allow subcommands with TRIVY_RUN_AS_PLUGIN (#2577) * fix: add missing types in TypeOSes and TypeLanguages in analyzer (#2569) * fix: enable some features of the wasm runtime (#2575) * fix(k8s): no error logged if trivy can't get docker image in kubernetes mode (#2521) * docs(sbom): improve sbom attestation documentation (#2566) ------------------------------------------------------------------- Thu Jul 21 13:21:11 UTC 2022 - kastl@b1-systems.de - Update to version 0.30.2: * fix(report): show the summary without results (#2548) * fix(cli): replace '-' to '_' for env vars (#2561) ------------------------------------------------------------------- Wed Jul 20 12:20:52 UTC 2022 - kastl@b1-systems.de - Update to version 0.30.1: * chore: remove a test repository (#2551) * fix(license): lazy loading of classifiers (#2547) * fix: CVE-2022-1996 in Trivy (#2499) * docs(sbom): add sbom attestation (#2527) * feat(rocky): set Rocky Linux 9 EOL (#2543) * docs: add attributes to the video tag to autoplay demo videos (#2538) * fix: yaml files with non-string chart name (#2534) * fix: skip dirs (#2530) * feat(repo): add support for branch, commit, & tag (#2494) * fix: remove auto configure environment variables via viper (#2526) ------------------------------------------------------------------- Sat Jul 16 19:28:03 UTC 2022 - kastl@b1-systems.de - Update to version 0.30.0: * fix: separating multiple licenses from one line in dpkg copyright files (#2508) * fix: change a capital letter for `plugin uninstall` subcommand (#2519) * fix: k8s hide empty report when scanning resource (#2517) * refactor: fix comments (#2516) * fix: scan vendor dir (#2515) * feat: Add support for license scanning (#2418) * chore: add owners for secret scanning (#2485) * fix: remove dependency-tree flag for image subcommand (#2492) * fix(k8s): add shorthand for k8s namespace flag (#2495) * docs: add information about using multiple servers to troubleshooting (#2498) * ci: add pushing canary build images to registries (#2428) * chore(deps): bump github.com/open-policy-agent/opa from 0.41.0 to 0.42.0 (#2479) * feat(dotnet): add support for .Net core .deps.json files (#2487) * feat(amazon): add support for 2022 version (#2429) * Type correction bitnami chart (#2415) * chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.1.1 to 2.1.2 (#2449) * chore(deps): bump github.com/aquasecurity/table from 1.5.1 to 1.6.0 (#2446) * docs: add config file and update CLI references (#2489) * feat: add support for flag groups (#2488) * refactor: move from urfave/cli to spf13/cobra (#2458) * fix: Fix secrets output not containing file/lines (#2467) * fix: clear output with modules (#2478) * chore(deps): bump github.com/mailru/easyjson from 0.7.6 to 0.7.7 (#2448) * docs(cbl): distroless 1.0 supported (#2473) * fix: Fix example dockerfile rego policy (#2460) * fix(config): add helm to list of config analyzers (#2457) * feat: k8s resouces scan (#2395) * feat(sbom): add cyclonedx sbom scan (#2203) * chore(deps): bump wazero to latest main (#2436) * chore(deps): bump github.com/stretchr/testify from 1.7.3 to 1.8.0 (#2444) * chore(deps): bump github.com/alicebob/miniredis/v2 from 2.21.0 to 2.22.0 (#2445) * chore(deps): bump sigstore/cosign-installer from 2.3.0 to 2.4.1 (#2442) * chore(deps): bump actions/setup-python from 3 to 4 (#2441) * chore(deps): bump github.com/Azure/azure-sdk-for-go (#2450) * docs: remove links to removed content (#2431) * ci: added rpm build for rhel 9 (#2437) * fix(secret): remove space from asymmetric private key (#2434) * chore(deps): bump actions/cache from 3.0.2 to 3.0.4 (#2440) * chore(deps): bump helm/kind-action from 1.2.0 to 1.3.0 (#2439) * chore(deps): bump golang from 1.18.2 to 1.18.3 (#2438) * chore(deps): bump github.com/aws/aws-sdk-go from 1.44.25 to 1.44.46 (#2447) * test(integration): fix golden files for debian 9 (#2435) * fix(cli): fix version string in docs link when secret scanning is enabled (#2422) * refactor: move CycloneDX marshaling (#2420) * docs(nodejs): add docs about pnpm support (#2423) * docs: improve k8s usage documentation (#2425) * feat: Make secrets scanning output consistant (#2410) * ci: create canary build after main branch changes (#1638) * fix(misconf): skip broken scans (#2396) * feat(nodejs): add pnpm support (#2414) * fix: Fix false positive for use of COS images (#2413) * eliminate nerdctl dependency (#2412) * Add EOL date for SUSE SLES 15.3, 15.4 and OpenSUSE 15.4 (#2403) * fix(go): no cast to lowercase go package names (#2401) * BREAKING(sbom): change 'trivy sbom' to scan SBOM (#2408) * fix(server): hot update the db from custom repository (#2406) * feat: added license parser for dpkg (#2381) * chore(helm): bump appVersion to latest release (#2397) * fix(misconf): Update defsec (v0.68.5) to fix docker rego duplicate key (#2400) * feat: extract stripe publishable and secret keys (#2392) * feat: rbac support k8s sub-command (#2339) * feat(ruby): drop platform strings from dependency versions bundled with bundler v2 (#2390) * docs: Updating README with new CLI command (#2359) * fix(misconf): Update defsec to v0.68.4 to resolve CF detection bug (#2383) * chore: add integration label and merge security label (#2316) ------------------------------------------------------------------- Fri Jul 08 07:31:17 UTC 2022 - dmueller@suse.com - Update to version 0.29.2: * chore: skip Visual Studio Code project folder (#2379) * fix(helm): handle charts with templated names (#2374) * docs: redirect operator docs to trivy-operator repo (#2372) * fix(secret): use secret result when determining Failed status (#2370) * try removing libdb-dev * run integration tests in fanal * use same testing images in fanal * feat(helm): add support for trivy dbRepository (#2345) * fix: Fix failing test due to deref lint issue * test: Fix broken test * fix: Fix makefile when no previous named ref is visible in a shallow clone * chore: Fix linting issues in fanal * refactor: Fix fanal import paths and remove dotfiles * chore: bump defsec version v0.68.1 ------------------------------------------------------------------- Wed Jun 22 11:15:35 UTC 2022 - kastl@b1-systems.de - Update to version 0.29.1: * fix(report): add required fields to the SARIF template (#2341) * chore: fix spelling errors (#2352) * Omit Remediation if PrimaryURL is empty (#2006) * docs(repo): Link to installation documentation in readme shows 404 (#2348) * feat(alma): support for scanning of modular packages for AlmaLinux (#2347) ------------------------------------------------------------------- Wed Jun 22 08:31:01 UTC 2022 - kastl@b1-systems.de - Update to version 0.29.0: * fix(lang): fix dependency graph in client server mode (#2336) * feat: allow expiration date for .trivyignore entries (#2332) * feat(lang): add dependency origin graph (#1970) * docs: update nix installation info (#2331) * feat: add rbac scanning support (#2328) * refactor: move WordPress module to another repository (#2329) * ci: add support for ppc64le (#2281) * feat: add support for WASM modules (#2195) * feat(secret): show recommendation for slow scanning (#2051) * fix(flag): remove --clear-cache flag client mode (#2301) * fix(java): added check for looping for variable evaluation in pom file (#2322) * BREAKING(k8s): change CLI API (#2186) * feat(alpine): add Alpine Linux 3.16 (#2319) * docs: bump trivy-operator to v0.0.7 (#2320) * ci: add `go mod tidy` check (#2314) * chore: run `go mod tidy` (#2313) * fix: do not exit if one resource is not found (#2311) * feat(cli): use stderr for all log messages (resolve #381) (#2289) * test: replace deprecated subcommand client in integration tests (#2308) * feat: add support for containerd (#2305) * fix(kubernetes): Support floats in manifest yaml (#2297) * docs(kubernetes): dead links (#2307) * chore: add license label (#2304) * feat(mariner): added support for CBL-Mariner Distroless v2.0 (#2293) * feat(helm): add pod annotations (#2272) * refactor: do not import defsec in fanal types package (#2292) * feat(report): Add misconfiguration support to ASFF report template (#2285) * test: use images in GHCR (#2275) * feat(helm): support pod annotations (#2265) * feat(misconf): Helm chart scanning (#2269) * docs: Update custom rego policy docs to reflect latest defsec/fanal changes (#2267) * fix: mask redis credentials when logging (#2264) * refactor: extract commands Runner interface (#2147) * chore(deps): bump alpine from 3.15.4 to 3.16.0 (#2234) * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.2 to 0.6.0 (#2245) * docs: update operator release (#2263) * chore(deps): bump github.com/urfave/cli/v2 from 2.6.0 to 2.8.1 (#2243) * feat(redhat): added architecture check (#2172) * docs: updating links in the docs to work again (#2256) * docs: fix readme (#2251) * fix: fixed incorrect CycloneDX output format (#2255) * chore(deps): bump github.com/caarlos0/env/v6 from 6.9.1 to 6.9.3 (#2241) * chore(deps): bump github.com/samber/lo from 1.19.0 to 1.21.0 (#2242) * chore(deps): bump goreleaser/goreleaser-action from 2 to 3 (#2240) * chore(deps): bump docker/setup-buildx-action from 1 to 2 (#2238) * chore(deps): bump docker/setup-qemu-action from 1 to 2 (#2236) * chore(deps): bump golang from 1.18.1 to 1.18.2 (#2235) * chore(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#2237) * chore(deps): bump docker/login-action from 1 to 2 (#2239) * chore(deps): bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.1 (#2246) * refactor(deps): move dependencies to package (#2189) * fix(report): change github format version to required (#2229) * docs: update readme (#2110) * docs: added information about choosing advisory database (#2212) * chore: update trivy-kubernetes (#2224) * docs: clarifying parts of the k8s docs and updating links (#2222) * fix(k8s): timeout error logging (#2179) * chore(deps): updated fanal after fix AsymmetricPrivateKeys (#2214) * feat(k8s): add --context flag (#2171) * fix(k8s): properly instantiate TableWriter (#2175) * test: fixed integration tests after updating testcontainers to v0.13.0 (#2208) * chore: update labels (#2197) * fix(report): fixed panic if all misconf reports were removed in filter (#2188) * feat(k8s): scan secrets (#2178) * feat(report): GitHub Dependency Snapshots support (#1522) * feat(db): added insecure skip tls verify to download trivy db (#2140) * fix(redhat): always use vulns with fixed version if there is one (#2165) * chore(redhat): Add support for Red Hat UBI 9. (#2183) * fix(k8s): update trivy-kubernetes (#2163) * fix misconfig start line for code quality tpl (#2181) * fix: update docker/distribution from 2.8.0 to 2.8.1 (#2176) * docs(vuln): Include GitLab 15.0 integration (#2153) * docs: fix the operator version (#2167) * fix(k8s): summary report when when only vulns exit (#2146) * chore(deps): Update fanal to get defsec v0.58.2 (fixes false positives in ksv038) (#2156) * perf(misconf): Improve performance when scanning very large files (#2152) * docs(misconf): Update examples and docs to refer to builtin/defsec instead of appshield (#2150) * chore(deps): Update fanal (for less verbose code in misconf results) (#2151) * docs: fixed installation instruction for rhel/centos (#2143) ------------------------------------------------------------------- Mon May 23 06:14:37 UTC 2022 - dmueller@suse.com - Update to version 0.28.0 (bsc#1199760, CVE-2022-28946): * fix: remove Highlighted from json output (#2131) * fix: remove trivy-kubernetes replace (#2132) * docs: Add Operator docs under Kubernetes section (#2111) * fix(k8s): security-checks panic (#2127) * ci: added k8s scope (#2130) * docs: Update misconfig output in examples (#2128) * fix(misconf): Fix coloured output in Goland terminal (#2126) * docs(secret): Fix default value of --security-checks in docs (#2107) * refactor(report): move colorize function from trivy-db (#2122) * feat: k8s resource scanning (#2118) * chore: add CODEOWNERS (#2121) * feat(image): add `--server` option for remote scans (#1871) * refactor: k8s (#2116) * refactor: export useful APIs (#2108) * docs: fix k8s doc (#2114) * feat(kubernetes): Add report flag for summary (#2112) * fix: Remove problematic advanced rego policies (#2113) * feat(misconf): Add special output format for misconfigurations (#2100) * feat: add k8s subcommand (#2065) * chore: fix make lint version (#2102) * fix(java): handle relative pom modules (#2101) * fix(misconf): Add missing links for non-rego misconfig results (#2094) * feat(misconf): Added fs.FS based scanning via latest defsec (#2084) * chore(deps): bump trivy-issue-action to v0.0.4 (#2091) * chore(deps): bump github.com/twitchtv/twirp (#2077) * chore(deps): bump github.com/urfave/cli/v2 from 2.4.0 to 2.5.1 (#2074) * chore(os): updated fanal version and alpine distroless test (#2086) * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.1 to 0.5.2 (#2075) * chore(deps): bump github.com/samber/lo from 1.16.0 to 1.19.0 (#2076) * feat(report): add support for SPDX (#2059) * chore(deps): bump actions/setup-go from 2 to 3 (#2073) * chore(deps): bump actions/cache from 3.0.1 to 3.0.2 (#2071) * chore(deps): bump golang from 1.18.0 to 1.18.1 (#2069) * chore(deps): bump actions/stale from 4 to 5 (#2070) * chore(deps): bump sigstore/cosign-installer from 2.0.0 to 2.3.0 (#2072) * chore(deps): bump github.com/open-policy-agent/opa from 0.39.0 to 0.40.0 (#2079) * chore: app version 0.27.0 (#2046) * fix(misconf): added to skip conf files if their scanning is not enabled (#2066) * docs(secret) fix rule path in docs (#2061) * docs: change from go.sum to go.mod (#2056) ------------------------------------------------------------------- Wed Apr 27 12:40:06 UTC 2022 - kastl@b1-systems.de - Update to version 0.27.1: * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.0 to 0.5.1 (#1926) * refactor(fs): scanner options (#2050) * feat(secret): truncate long line (#2052) * docs: fix a broken bullets (#2042) * feat(ubuntu): add 22.04 approx eol date (#2044) * docs: update installation.md (#2027) * docs: add Containerfile (#2032) ------------------------------------------------------------------- Tue Apr 26 06:18:23 UTC 2022 - kastl@b1-systems.de - Update to version 0.27.0: * fix(go): fixed panic to scan gomod without version (#2038) * docs(mariner): confirm it works with Mariner 2.0 VM (#2036) * feat(secret): support enable rules (#2035) * chore: app version 26.0 (#2030) * docs(secret): add a demo movie (#2031) * feat: support cache TTL in Redis (#2021) * fix(go): skip system installed binaries (#2028) * fix(go): check if go.sum is nil (#2029) * feat: add secret scanning (#1901) * chore: gh publish only with push the tag release (#2025) * fix(fs): ignore permission errors (#2022) * test(mod): using correct module inside test go.mod (#2020) * feat(server): re-add proxy support for client/server communications (#1995) * fix(report): truncate a description before escaping in ASFF template (#2004) * fix(cloudformation): correct margin removal for empty lines (#2002) * fix(template): correct check of old sarif template files (#2003) ------------------------------------------------------------------- Sat Apr 16 09:04:55 UTC 2022 - kastl@b1-systems.de - Update to version 0.26.0: * feat(alpine): warn mixing versions (#2000) * Update ASFF template (#1914) * chore(deps): replace `containerd/containerd` version to fix CVE-2022-23648 (#1994) * chore(deps): bump alpine from 3.15.3 to 3.15.4 (#1993) * test(go): add integration tests for gomod (#1989) * fix(python): fixed panic when scan .egg archive (#1992) * fix(go): set correct go modules type (#1990) * feat(alpine): support apk repositories (#1987) * docs: add CBL-Mariner (#1982) * docs(go): fix version (#1986) * feat(go): support go.mod in Go 1.17+ (#1985) * ci: fix URLs in the PR template (#1972) * ci: add semantic pull requests check (#1968) * docs(issue): added docs for wrong detection issues (#1961) ------------------------------------------------------------------- Thu Apr 14 20:12:09 UTC 2022 - kastl@b1-systems.de - Update to version 0.25.4: * docs: move CONTRIBUTING.md to docs (#1971) * refactor(table): use file name instead package path (#1966) * fix(sbom): add --db-repository (#1964) * feat(table): add PkgPath in table result (#1960) * fix(pom): merge multiple pom imports in a good manner (#1959) ------------------------------------------------------------------- Wed Apr 06 07:35:16 UTC 2022 - kastl@b1-systems.de - Update to version 0.25.3: * fix(downloadDB): add dbRepositoryFlag to repository and rootfs commands (#1956) * fix(misconf): update BurntSushi/toml for fix runtime error (#1948) * fix(misconf): Update fanal/defsec to resolve missing metadata issues (#1947) * feat(jar): allow setting Maven Central URL using environment variable (#1939) * chore(chart): update Trivy version in HelmChart to 0.25.0 (#1931) * chore(chart): remove version comments (#1933) ------------------------------------------------------------------- Wed Apr 06 07:32:54 UTC 2022 - kastl@b1-systems.de - Update to version 0.25.2: * fix(downloadDB): add flag to server command (#1942) ------------------------------------------------------------------- Tue Apr 05 06:52:40 UTC 2022 - kastl@b1-systems.de - Update to version 0.25.1: * fix(misconf): update defsec to resolve panics (#1935) * chore(deps): bump github.com/docker/docker (#1924) * docs: restructure the documentation (#1887) * chore(deps): bump github.com/urfave/cli/v2 from 2.3.0 to 2.4.0 (#1923) * chore(deps): bump actions/cache from 2 to 3.0.1 (#1920) * chore(deps): bump actions/checkout from 2 to 3 (#1916) * chore(deps): bump github.com/open-policy-agent/opa from 0.37.2 to 0.39.0 (#1921) * chore(deps): bump sigstore/cosign-installer from 2.0.0 to 2.1.0 (#1919) * chore(deps): bump helm/chart-testing-action from 2.2.0 to 2.2.1 (#1918) * chore(deps): bump golang from 1.17 to 1.18.0 (#1915) * Add trivy horizontal logo (#1932) * chore(deps): bump alpine from 3.15.0 to 3.15.3 (#1917) * chore(deps): bump github.com/go-redis/redis/v8 from 8.11.4 to 8.11.5 (#1925) * chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (#1927) * feat(db): Add dbRepository flag to get advisory database from OCI registry (#1873) ------------------------------------------------------------------- Fri Apr 1 07:30:58 UTC 2022 - Johannes Kastl - Buildrequire go1.18 as upstream says in go.mod ------------------------------------------------------------------- Fri Apr 01 07:03:41 UTC 2022 - kastl@b1-systems.de - Update to version 0.25.0: * docs(filter vulnerabilities): fix link (#1880) * feat(template) Add misconfigurations to gitlab codequality report (#1756) * fix(rpc): add PkgPath field to client / server mode (#1643) * fix(vulnerabilities): fixed trivy-db vulns (#1883) * feat(cache): remove temporary cache after filesystem scanning (#1868) * feat(sbom): add a dedicated sbom command (#1799) * feat(cyclonedx): add vulnerabilities (#1832) * fix(option): hide false warning about remote options (#1865) * chore: bump up Go to 1.18 (#1862) * feat(filesystem): scan in client/server mode (#1829) * refactor(template): remove unused test (#1861) * fix(cli): json format for trivy version (#1854) * docs: change URL for tfsec-checks (#1857) ------------------------------------------------------------------- Tue Mar 22 10:46:08 UTC 2022 - Dirk Müller - tie to go.17 as 1.18 became available ------------------------------------------------------------------- Fri Mar 18 10:21:14 UTC 2022 - kastl@b1-systems.de - Update to version 0.24.4: * fix(docker): Getting images without a tag (#1852) * docs(gitlab-ci): Use environment variables TRIVY_CACHE_DIR and TRIVY_NO_PROGRESS (#1801) ------------------------------------------------------------------- Thu Mar 17 10:14:45 UTC 2022 - Johannes Kastl - BuildRequire go1.17 ------------------------------------------------------------------- Wed Mar 16 18:04:55 UTC 2022 - kastl@b1-systems.de - Update to version 0.24.3: * chore(issue labels): added new labels (#1839) * refactor: clarify db update warning messages (#1808) * chore(ci): change trivy vulnerability scan for every day (#1838) * feat(helm): make Trivy service name configurable (#1825) * chore(deps): updated sprig to version v3.2.2. (#1814) * chore(deps): updated testcontainers-go to version v0.12.0 (#1822) * docs: add packages.config for .NET (#1823) * build: sign container image (#1668) * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.4.0 to 0.5.0 (#1778) * docs: fix Installation documentation (#1804) * fix(report): ensure json report got a final new line (#1797) * fix(terraform): resolve panics in defsec (#1811) * feat(docker): Label images based on OCI image spec (#1793) * fix(helm): indentation for ServiceAccount annotations (#1795) * fix(hcl): fix panic in hcl2json (#1791) * chore(helm): remove psp from helm manifest (#1315) * build: Replace `make protoc` with `for loop` to return an error (#1655) * fix: ASFF template to match ASFF schema (#1685) * feat(helm): Add support for server token (#1734) ------------------------------------------------------------------- Thu Mar 03 13:38:37 UTC 2022 - kastl@b1-systems.de - Update to version 0.24.2: * fix(pom): keep an order of dependencies (#1784) * chore: bump up Go to 1.17 (#1781) * chore(deps): bump actions/setup-python from 2 to 3 (#1776) * chore(deps): bump golangci/golangci-lint-action from 2 to 3.1.0 (#1777) ------------------------------------------------------------------- Sun Feb 27 17:12:56 UTC 2022 - kastl@b1-systems.de - Update to version 0.24.1: * fix(python): correct handling pip package names with a hyphen (#1771) * doc(docker): fix command to run trivy with docker on linux (#1761) * feat(helm): Add support for custom labels (#1767) * chore(helm): bump chart to trivy 0.24.0 (#1762) * docs: remove erroneous command (#1763) ------------------------------------------------------------------- Wed Feb 23 16:09:07 UTC 2022 - kastl@b1-systems.de - Update to version 0.24.0: * chore(deps): bump github.com/spf13/afero from 1.6.0 to 1.8.1 (#1708) * fix(option): warn list-all-pkgs only with the table format (#1755) * feat(option): warn "--list-all-pkgs" with "--format table" (#1632) * feat(report): add support for CycloneDX (#1081) * chore(deps): update the defsec and tfsec versions (#1747) * fix(scanner): fix skip of language-specific files when scanning rootf… (#1751) * chore(deps): bump github.com/google/wire from 0.4.0 to 0.5.0 (#1712) * feat(report): considering App.Writer when printing results (#1722) * chore(deps): replace `satori` version and skipping examples folder (#1745) * build: add s390x container images (#1726) * feat(template) Add misconfigurations to junit report (#1724) * chore(deps): bump github.com/twitchtv/twirp (#1709) * feat(client): configure TLS InsecureSkipVerify for server connection (#1287) * fix(rpc): Supports RPC calls for new identifier CustomResource (#1605) * chore(deps): bump go.uber.org/zap from 1.20.0 to 1.21.0 (#1705) * chore(deps): bump github.com/caarlos0/env/v6 from 6.0.0 to 6.9.1 (#1707) * feat(helm): Parameterise ServiceAccount annotations (#1677) * chore(deps): bump github.com/hashicorp/go-getter from 1.5.2 to 1.5.11 (#1710) * chore(deps): bump github.com/cheggaaa/pb/v3 from 3.0.3 to 3.0.8 (#1704) * chore(deps): bump github.com/open-policy-agent/opa from 0.36.1 to 0.37.2 (#1711) * chore(dependabot): enable gomod monthly (#1699) * fix(gitlab tpl): escape double quote (#1635) * build: Make `make protoc` be consistent (#1682) * feat(purl): add generate purl package utilities (#1574) * refactor: move result structs under types (#1696) * feat(mariner): add support for CBL-Mariner 2.0 (#1694) * docs(gitlab-ci): fix Script in GitLab CI Example #1688 * chore: Upgrade helm chart version (#1683) * chore(mod): update Go dependencies (#1681) * docs: fix typos in markdown docs (#1674) * docs: update documentation for image scanning of tar files to use a tag present on Docker Hub (#1671) * fix(repo): --no-progress suppresses git output (#1669) ------------------------------------------------------------------- Tue Feb 01 07:14:27 UTC 2022 - kastl@b1-systems.de - Update to version 0.23.0: * docs: add ACR navigator (#1651) * fix: update example Rego files and docs (#1628) * feat(option): show a link to GitHub Discussions for --light deprecation (#1650) * fix(sarif): fix the warning message (#1647) * refactor: migrate to prefixed buckets (#1644) * feat(mariner): add support for CBL-Mariner (#1640) * docs: commercial use available (#1641) * feat: support azure acr (#1611) * feat(os-pkg): add data sources (#1636) * feat(redhat): support build info in RHEL (#807) * fix: change links in pull_request_template to static URLs (#1634) * feat(lang-pkg): add data sources (#1625) * feat(detector): support custom detector (#1615) * docs(contribution): change role who should resolve comments (#1618) * docs: add PR template (#1602) * feat(rocky): support Rocky Linux (#1570) * Add the ability to set dockerhub credentials in the helm chart (#1569) * feat(cache): redis TLS support (#1297) * feat(java): add support for PAR files (#1599) * refactor(rust): move rust-advisory-db to OSV (#1591) * feat: log ignored vulnerabilities on debug (#1378) * chore(mod): hcl2json deps update (#1585) * fix(rpm): do not ignore installed files via third-party rpm (#1594) * feat(fs): allow scanning a single file (#1578) * refactor(python): drop Safety DB (#1580) * feat: added insecure tls skip to scan git repo (#1528) * Supress git clone output (#1590) * fix(alma): skip modular package because MODULARITYLABEL is not set (#1588) * feat(photon os): added EOL dates check (#1587) * docs: update supported os (#1586) * BREAKING: remove root command (#1579) * docs: add Rust to Language-specific Packages Table (#1577) * docs: update int doc for gitlab ci (#1575) * BREAKING: migrate the sarif template to Go code (#1437) * refactor: remove unused field (#1567) * chore(deps): bump helm/chart-testing-action from 2.1.0 to 2.2.0 (#1554) * docs: gitlab integration (#1381) * feat(alma): support AlmaLinux (#1238) * docs: added note about default template path when Trivy installed using rpm (#1551) * BREAKING: Trivy DB from GHCR (#1539) * feat(cli): Do not set default commands when a plugin is being run (#1549) * fix: add fingerprint field to codequality template (#1541) * fix(image): correct handling of uncompressed layers (#1544) * chore: helm chart app version 0.22.0 (#1535) * test(integration): use fixtures (#1532) ------------------------------------------------------------------- Tue Dec 28 09:50:49 UTC 2021 - dmueller@suse.com - Update to version 0.22.0 (jsc#SLE-18339): * fix(java/pom): ignore unsupported requirements (#1514) * feat(cli): warning for root command (#1516) * BREAKING: disable JAR detection in fs/repo scanning (#1512) * feat(scan): support --offline-scan option (#1511) * fix: improve memory usage (#1509) * feat(java): support pom.xml (#1501) * docs: fixing rust link to security advisory (#1504) * Add missing IacMetdata (#1505) * feat(jar): add file path (#1498) * feat(rpm): support NDB (#1497) * feat: added misconfiguration field for html.tpl (#1444) ------------------------------------------------------------------- Tue Dec 21 08:33:39 UTC 2021 - dmueller@suse.com - Update to version 0.21.3: * fix(docs): typo (#1488) * feat(plugin): Add option to update plugin (#1462) * fix: fixed skipFiles/skipDirs flags for relative path (#1482) * feat (plugin): add list and info command for plugin (#1452) * fix: set up a vulnerability severity (#1458) * chore: add arm64 deb package (#1480) * Link to trivy tutorial on Semaphore (#1449) * refactor(helm): externalize env vars to configMap (#1345) * docs: provide more information on scanning Google's GCR (#1426) * docs(misconfiguration): added instruction for misconfiguration detection (#1428) * Update git-repository.md (#1430) * fix(hooks): exclude unrelated lib types from system files filtering (#1431) * chore: run `go fmt` (#1429) * fix(sarif): change `help` field in the sarif template. (#1423) * Update fanal with cfsec version update (#1425) * Replace deprecated option in goreleaser (#1406) * feat(alpine): support 3.15 (#1422) * chore: test the helm chart in the PR and used the commit hash (#1414) * chore(deps): bump alpine from 3.14 to 3.15.0 (#1417) * chore(release): add ubuntu older versions to deploy script (#1416) ------------------------------------------------------------------- Sun Dec 05 10:46:26 UTC 2021 - dmueller@suse.com - Update to version 0.21.1: * chore(mod): tidy (#1415) * fix(rpc): fix nil layer transmit (#1410) * Lang advisory order (#1409) * chore: add support for s390x arch (#1304) * fix(chart): ingress helm manifest-update trivy image (#1323) * docs: Add comparison for cfsec (#1388) * remove: delete unused functions in utils package (#1379) * fix(sarif): fix validation errors (#1376) * docs: add Bitbucket Pipelines (#1374) * docs: add community integrations (#1361) * Use a stable SARIF identifier (#1230) * fix(python): fix parsing of requirements.txt with hash checking mode available in pip since version 8.0 * feat(iac): Add line information (#1366) * feat(cloudformation): Adding support for cfsec IaC scanning (#1360) * chore: send debug and info logs to stdout in install.sh, not stderr. (#1264) * Update containerd to v1.5.7 and docker-cli to v20.10.9 (#1356) * chore: update SBOM generation (#1349) ------------------------------------------------------------------- Wed Nov 10 11:42:19 UTC 2021 - dmueller@suse.com - Update to version 0.20.2: * docs: update builtin.md (#1335) * chore: fix issues with Homebrew formula (#1329) * chore: bump GoReleaser to v0.183.0 (#1328) * docs: update iac.md for a typo (#1326) * docs: typo fix (#1308) * Add new networking API features to Ingress (#1262) * chore(release): bump up GoReleaser to v0.182.1 (#1299) * fix(yarn): support quoted version (#1298) * feat(custom-forward): Forward the extended advisory data (#1247) * feat(javascript) : Initialize npm driver for javascript packages (#1289) * fix(cli): fix incorrect comparision of DB metadata type. (#1286) * docs: add footer to readme (#1281) * feat(report): add package path (#1274) * feat(command): add rootfs command (#1271) * fix: update fanal (#1272) * feat(commands): remove deprecated options (#1270) * Aggregate jar result for table (#1269) * BREAKING(report): migrate to new json schema (#1265) * feat: improve --skip-dirs and --skip-files (#1249) * fix(gobinary): skip large files (#1259) * Disable library analyzer for OS only scan type (#1191) * chore: update trivy version (#1252) * refactor: move from io/ioutil to io and os package (#1245) * fix: brew test command (#1253) * fix:added layer info in packages (#1248) * fix(go/binary): improve debug messages (#1244) * Update db.go (#1199) * fix(deps): fix CVE-2021-32760 for github.com/containerd/containerd (#1243) * feat(debian): support the versions that reached EOL (#1237) * feat(alpine): support unfixed vulnerabilities (#1235) * feat(report): add image config (#1231) * feat(nodejs): support package.json (#1225) * refactor: use testing DB instead of mock (#1234) * feat(ruby): support gemspec (#1224) * feat(python): add packaging detector and respective hook (#1223) * feat(license): Added support to new License field of go-dep-parser's library (#1167) * fix(oracle): handle advisories contain ksplice versions (#1209) * fix(docs): remove OSVDB advisories (#1215) * docs: fix typos in CONTRIBUTING.md (#1181) * Update EOL of Debian 11 (#1180) * fix(plugin): resolve a closure (#1207) * docs: fix typo (#1206) * fix(detector): change an argument for trivy-db getter (#1203) * chore(mod): update fanal (#1179) * Add license info to package data (#1176) * feat(nuget): support packages.config (#1095) * feat(python): add support for requirements.txt (#1169) * GitLab CI integration documentation (#1168) * chore(gorelease) change goreleaser config to include template examples (#1138) * chore(deps): bump dmnemec/copy_file_to_another_repo_action (#1153) * chore(deps): bump actions/stale from 3 to 4 (#1152) * feat(report): add end of service life flag to OS metadata (#1142) * chore: set up Dependabot for github-actions and docker (#1128) * docs: fix typo (#1149) * docs: add some external links (#1147) * chore (release): add ubuntu esm versions to deploy script (#1151) * docs(troubleshooting) add urls which are required to download vuls db (#1137) * Updated the Alpine Image to 3.14 (latest) (#1130) * Added EOL for Ubuntu 21.10 (#1131) * fix(image): disabled scanning of config files within container images (#1133) * docs: fixed typo (#1124) * update cyclonedx github action to v0.3.0 (#1127) * fix(policy): fix panic on the first run (#1116) * docs(misconf): add comparison with Conftest and tfsec (#1111) * feat(report): add schema version (#1110) * fix(scan): change unknown os from info to debug (#1109) * docs: add misconfiguration (#1101) * fix(config): rename include-successes with include-non-failures (#1107) * feat(config): support --trace (#1106) * fix(policy): reduce the Internet access (#1105) * chore: bump golangci-lint to v1.41.1 (#1104) * feat: support config scanning (#931) * feat(report): add artifact metadata (#1079) * Generate SBOM (#1076) * fix(db): multiple prefixed data sources (#1070) * Add EOL date for Alpine 3.14 (#1072) * suse: mark sle 15.3 as maintained, add opensuse 15.3 (#1059) * docs: improve data sources (#1069) * chore(label): add kind/security-advisory (#1068) * fix(asff): replace slice with substr (#1058) * fix(helm-chart): parametrized ingress host path (#1049) * feat: support Google Artifact Repository (#1055) * Update ASFF template to use label for severity (#1047) * BREAKING: migrate to a new JSON schema (#782) * docs: Fix link to AWS Security Hub template (#1046) * refactor(server): support gzip (#1045) * chore(rpc): update protoc and twirp (#1044) * Added support for list all packages flag in client (#1032) * chore: chart with 0.18.3 (#1033) * feat: add gitlab codequality template (#895) * feat(plugin): add aqua plugin (#1029) * fix(go): if patchedVersion is empty mark it as vulnerable (#1030) * docs(ubuntu): fix supported versions (#1028) * Support Ubuntu 21.04 (#1027) * chore: remove codecov (#1016) * fix typo on github-actions.md (#1022) - drop 0001-suse-mark-sle-15.3-as-maintained-add-opensuse-15.3.patch (upstream) ------------------------------------------------------------------- Thu Jun 10 12:46:10 UTC 2021 - Dirk Müller - add 0001-suse-mark-sle-15.3-as-maintained-add-opensuse-15.3.patch ------------------------------------------------------------------- Thu Jun 10 08:31:11 UTC 2021 - Dirk Müller - strip binaries ------------------------------------------------------------------- Mon Jun 07 19:14:07 UTC 2021 - dmueller@suse.com - Update to version 0.18.3: * chore(ci): change to more granular tokens (#1014) * chore(ci): add Go scanning and update dependencies (#1001) * docs: Add HIGH severity to Trivy command in GitLab CI example to match comment (#1013) * fix(image): disable go.sum scanning (#1007) * fix(gomod): handle go.sum with an empty line (#1006) * feat: prepare for config scanning (#1005) * Clarify that dev dependencies are excluded (#986) * Include target value in Sarif template ruleID (#991) * chore(mkdocs): allow workflow_dispatch (#989) * fix(vuln) unique vulnerabilities from different data sources (#984) * feat(go): added support of gomod analyzer (#978) ------------------------------------------------------------------- Mon May 03 10:04:22 UTC 2021 - dmueller@suse.com - Update to version 0.17.2: * Upgrade fanal dependency (#976) * docs: mention upx binaries (#974) * Upgrade alpine to fix git and libcurl vulnerabilities in trivy docker image scan (#971) * fix(fs): skip dirs (#969) * chore(ci): replace GITHUB_TOKEN with ORG_GITHUB_TOKEN (#965) * chore(ci): clone trivy-repo after releasing binaries (#963) * docs: add golang support (#962) * fix(table): skip zero vulnerabilities on java (#961) * chore(ci): create a release discussion (#959) * feat(go): support binary scan (#948) * feat(java): support GitLab Advisory Database (#917) * feat: show help message when the context's deadline passes (#955) * chore(mkdocs): replace github token (#954) * Update SARIF report template (#935) * Update install docs to make commands consistent (#933) * Docker multi-platform image build with `buildx`, using Goreleaser (#915) * Fix JUnit template for AWS CodeBuild compatibility (#904) * break(cli): use StringSliceFlag for skip-dirs/files (#916) * docs: add white logo (#914) * add package name in ruleID (#913) * feat: gh-action for stale issues (#908) * chore(triage): add lifecycle/active label (#909) * feat: publish helm repository (#888) * Fix Documentation Typo (#901) * docs: migrate README to MkDocs (#884) * refactor(internal): export internal packages (#887) * feat: support plugins (#878) * chore(ci): deploy dev docs only for the main branch (#882) * add MkDocs implementation (#870) * docs(README): update ubuntu versions (#877) * support Ubuntu 20.10 (#876) * feat(cache): introduce versioned cache (#865) * chore: bump up Go to 1.16 (#861) * fix: allow the latest tag (#864) * feat: disable analyzers (#846) * chore(ci): push the official image to public ECR (#855) * chore(ci): migrate CircleCI to GitHub Actions (#850) * adds example with multistage build (#853) * remove SARIF helpUri if empty (#841) (#845) * Add Sprig to Template Engine (#832) * Fix "GitLab CI using Trivy container" usage example (fixes #843) (#844) * feat(java): support jar/war/ear (#837) * fix(app): increase the default value of timeout (#842) * Update README.md (#838) * Fix compatibility for Jenkins xunit plugin (#820) * README: add Gitlab job that uses a container with trivy (#823) * feat: support Podman (#825) * fix(eol): update EOL dates (#824) * fix(python): follow PEP 440 (#816) * Support alpine 3.13 (#819) * Changed the output string to "Using your github token". (#814) * Align comment with code (#812) * Parse redis backend url (#804) * Update README.md (#810) * Added nodeSelector, affinity and tolerations to helm chart (#803) * Fix readme typo in policy flag (#805) * Fix errors in SARIF format (#801) * Fix env variable for github token (#796) * fix(vulnerability): set unknown severity for empty values (#793) * Remove global flags from filesystem command (#772) * Add imagePullSecrets to helm Chart (#789) * Add redis cache backend configuration options (#784) * Update README.md (#735) * feat(redhat): support modular packages (#790) * Fix formatting of log message (#785) * chore(ci): migrate unit tests to GitHub Actions (#779) * shifted: brews.github to brews.tap (#780) ------------------------------------------------------------------- Fri Jan 08 13:31:54 UTC 2021 - rbrown@suse.com - Update to version 0.15.0: * Feat: NuGet Scanner (#686) * feat(cache): support Redis (#770) * fix(redhat): skip module packages (#776) * chore: migrate from master to main (#778) * chore(circleci): remove gofmt (#777) * chore(README): remove experimental (#775) * NVD: Add timestamps. (#761) * (fix): Make the table output less wide. (#763) * Add gitHubToken to prevent rate limit problems (#769) * Add helm chart to install trivy in server mode. (#751) * chore(docs): add nix install (#762) * HTML template (#567) * feat: remove rpm dependency (#753) * fix(vulnerability): make an empty severity UNKNOWN (#759) * chore(README): add TRIVY_INSECURE (#760) * feat(vulnerability): add primary URLs (#752) ------------------------------------------------------------------- Thu Nov 26 15:23:00 UTC 2020 - dmueller@suse.com - Update to version 0.13.0: * fix(oracle): handle ksplice advisories (#745) * fix: version comparison (#740) * updated Readme.md (#737) * Add suse sles 15.2 to the EOL list as well (#734) * Update README.md (#731) * Warn when a user attempts to use trivy without a detectable lockfile (#729) * Add back support for FreeBSD & OpenBSD (#728) * Add support for ppc64le architecture (#724) * Skip packages from unsupported repository (remi) (#695) * Skip downloading DB if a remote DB is not updated (#717) * Sunsetting VendorVectors (#718) * Add GitHub Container Registry to README (#712) * update BUG_REPORT.md using H2 instead of bold formatting (#714) * fix(ci/deb): do not remove old packages for EOL versions (#706) * Add linter check support (#679) * Optimize images (#696) * Update triage.md (#701) - remove 0001-Add-suse-sles-15.2-to-the-EOL-list-as-well.patch (merged) ------------------------------------------------------------------- Fri Oct 30 14:52:37 UTC 2020 - Dirk Mueller - add 0001-Add-suse-sles-15.2-to-the-EOL-list-as-well.patch ------------------------------------------------------------------- Wed Oct 28 12:47:30 UTC 2020 - Dirk Mueller - revert _service and build changes in last update to use the proper macros - set VERSION parameter properly (jsc#CAPS-105) - remove update-end-of-life-dates.patch ------------------------------------------------------------------- Thu Oct 22 14:20:24 UTC 2020 - Stefan Nica - Require golang >= 1.15 to fix EINTR read issues (jsc#CAPS-170) ------------------------------------------------------------------- Thu Oct 22 13:16:40 UTC 2020 - Dirk Mueller - add update-end-of-life-dates.patch ------------------------------------------------------------------- Tue Oct 20 13:13:39 UTC 2020 - msabate@suse.com - Update to version 0.12.0: * ci(circle): update remote docker version (#683) * suse: update end of life dates for SLES service packs (#676) * update readme for parallel run issue (#660) * fix link for Clear images section in README (#659) * add link to Gitlab CI pipeline in README (#658) * test: add tests for mux (#645) * chore: bump up Go to 1.15 (#646) * Add contrib/ to the release chain for Docker (#638) * Add health check endpoint to trivy server (#644) * fix(cli): show help for subcommands (#629) ------------------------------------------------------------------- Tue Sep 08 18:00:57 UTC 2020 - jsuchome@suse.com - Update to version 0.9.2: * Fixing `Error retrieving template from path` when --format is not template but template is provided (#556) * Adding contrib/junit.tpl to docker image (#554) * db: Update trivy-db to include CVSS score info (#530) * docs: fix markdown (#553) * Added function to escape string in failure message title and descriptions (#551) * Added JUNIT support (#541) * chore(docs): mention air-gapped environment (#544) * chore(README): add programming languages (#543) * fix(log): write error messages to stderr (#538) * Use StoreMetadata from trivy-db (#509) * docs: add more CI options to README (#535) * chore(Dockerfile): bump up alpine to 3.12 (#528) * fix(alpine): replace go-deb-version with go-apk-version (#520) * fix: MissingBlobs is implemented different in FS and S3 the method log… (#522) ------------------------------------------------------------------- Wed Aug 19 11:24:03 UTC 2020 - dmueller@suse.com - Update to version 0.9.1: * fix(alpine): support 3.12 (#517) * chore(README): prepare for v0.9.0 (#507) * fix(config): transpose arguments (#516) ------------------------------------------------------------------- Tue Jul 28 12:33:21 UTC 2020 - jsuchome@suse.com - Update to version 0.9.0: * fix(app): add ArgsUsage (#508) * feat: support repository and filesystem scan (#503) * Add GHSA support (#467) * refactor: define common options and embed them into the option for subcommand (#502) * Add image subcommand (#493) * fix: remove help template (#500) * vulnerability: Add CVSS Vectors to JSON output. (#484) * feat: support registry token (#482) * chore: bump up urfave/cli to v2 (#499) * chore(doc): update README (#490) * chore(ci): move integration tests to GitHub Actions (#485) * feat: support OCI Image Format (#475) * chore(github): fix issue templates (#483) * contrib/gitlab.tpl: Add new id field (#468) * chore(docs): add triage.md (#473) * fix: handle a scratch/busybox/DockerSlim image gracefully (#476) * rpc: Fix output to use templates when in client server mode. (#469) * Override with Vendor score if exists (#433) * docs: Update installation docs for pointing to Trivy Releases. (#463) ------------------------------------------------------------------- Fri Jul 24 11:34:15 UTC 2020 - jsuchome@suse.com - enabled changesgenerate option to automatically generate changes ------------------------------------------------------------------- Thu Jul 16 15:54:15 CEST 2020 - jsuchome@suse.com - initial release of 0.6.0 version, supported by Harbor 2.0