1
0
forked from pool/trivy
trivy/trivy.changes

2498 lines
135 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

-------------------------------------------------------------------
Thu Jun 06 13:09:56 UTC 2024 - dmueller@suse.com
- Update to version 0.52.0 (bsc#1224781, CVE-2024-35192):
* release: v0.52.0 [main] (#6809)
* fix(plugin): initialize logger (#6836)
* chore(deps): bump alpine from 3.19.1 to 3.20.0 in the docker group (#6835)
* fix(cli): always output fatal errors to stderr (#6827)
* fix: close testfile (#6830)
* docs(julia): add scanner table (#6826)
* feat(python): add license support for `requirement.txt` files (#6782)
* docs: add more workarounds for out-of-disk (#6821)
* chore: improve error message for image not found (#6822)
* fix(sbom): fix panic for `convert` mode when scanning json file derived from sbom file (#6808)
* ci(deps): use modules instead of incompatible version (#6805)
* ci: set initial version to v0.51.1 (#6810)
* ci: replace PAT with ORG_REPO_TOKEN (#6806)
* chore(deps): bump the common group with 3 updates (#6789)
* fix: clean up golangci lint configuration (#6797)
* ci: introduce Release Please for automated release management (#6795)
* fix(python): add package name and version validation for `requirements.txt` files. (#6804)
* feat(vex): improve relationship support in CSAF VEX (#6735)
* chore(alpine): add eol date for Alpine 3.20 (#6800)
* docs(plugin): add missed `plugin` section (#6799)
* fix: include packages unless it is not needed (#6765)
* ci(deps): fix ineffassign and bodyclose in ".*_test.go$" (#6777)
* chore(deps): Bump trivy-aws and trivy-checks (#6796)
* feat(misconf): support for VPC resources for inbound/outbound rules (#6779)
* ci(deps): fix govet in ".*_test.go$" (#6736)
* ci(deps): simplify gosec rules exclusion (#6778)
* chore: replace interface{} with any (#6751)
* fix: close settings.xml (#6768)
* refactor(go): add priority for gobinary module versions from `ldflags` (#6745)
* ci(deps): fix gocritic in ".*_test.go$" (#6763)
* build: use main package instead of main.go (#6766)
* feat(misconf): resolve tf module from OpenTofu compatible registry (#6743)
* chore(deps): bump the common group across 1 directory with 29 updates (#6756)
* ci(deps): fix tenv in ".*_test.go$" (#6748)
* chore(deps): bump the aws group with 8 updates (#6738)
* chore(deps): bump the docker group with 2 updates (#6739)
* chore(deps): bump the github-actions group with 4 updates (#6737)
* chore(deps): bump the testcontainers group with 2 updates (#6740)
* docs: add info on adding compliance checks (#6275)
* docs: Add documentation for contributing additional checks to the trivy policies repo (#6234)
* ci: add groups for `dependabot` (#6734)
* ci(deps): fix gci and gofmt in ".*_test.go$" (#6721)
* feat(nodejs): add v9 pnpm lock file support (#6617)
* feat(vex): support non-root components for products in OpenVEX (#6728)
* feat(python): add line number support for `requirement.txt` files (#6729)
* chore: respect timeout value in .golangci.yaml (#6724)
* ci(deps): enable `require-error` rule from `testifylint` linter (#6718)
* chore(deps): bump golangci-lint to v1.58.2 (#6719)
* fix: node-collector high and critical cves (#6707)
* Merge pull request from GHSA-xcq4-m2r3-cmrj
* chore: auto-bump golang patch versions (#6711)
* fix(misconf): don't shift ignore rule related to code (#6708)
* feat(plugin): specify plugin version (#6683)
* chore: enforce golangci-lint version (#6700)
* ci(deps): update golangci-lint-action and enable testifylint linter on "integration/*" (#6706)
* fix(go): include only `.version`|`.ver` (no prefixes) ldflags for `gobinaries` (#6705)
* fix(go): add only non-empty root modules for `gobinaries` (#6710)
* refactor: unify package addition and vulnerability scanning (#6579)
* fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)
* ci(deps): enable testifylint linter on .*_test.go$ (#6688)
* feat(misconf): Add support for deprecating a check (#6664)
* chore(deps): use `google.golang.org/protobuf/types/known` instead of `github.com/golang/protobuf/ptypes` (#6681)
* feat: Add Julia language analyzer support (#5635)
* feat(misconf): register builtin Rego funcs from trivy-checks (#6616)
* fix(report): hide empty tables if all vulns has been filtered (#6352)
* feat(report): Include licenses and secrets filtered by rego to ModifiedFindings (#6483)
* feat: add support for plugin index (#6674)
* fix(conda): add support `pip` deps for `environment.yml` files (#6675)
* docs: add support table for client server mode (#6498)
* fix: close APKINDEX archive file (#6672)
* fix(misconf): skip Rego errors with a nil location (#6666)
* refactor: move artifact types under artifact package to avoid import cycles (#6652)
* refactor(misconf): remove extrafs (#6656)
* refactor: re-define module structs for serialization (#6655)
* chore(misconf): Clean up iac logger (#6642)
* feat(misconf): support symlinks inside of Helm archives (#6621)
* feat(misconf): add Terraform 'removed' block to schema (#6640)
* refactor: unify Library and Package structs (#6633)
* fix: use of specified context to obtain cluster name (#6645)
* perf(misconf): parse rego input once (#6615)
* fix(misconf): skip Rego errors with a nil location (#6638)
* ci: add `generic` dir to deb deploy script (#6636)
* docs: link warning to both timeout config options (#6620)
* docs: fix usage of image-config-scanners (#6635)
* chore(deps): bump `knqyf263/trivy-issue-action` to v0.0.6 (#6632)
-------------------------------------------------------------------
Thu May 09 13:21:53 UTC 2024 - dmueller@suse.com
- Update to version 0.51.1:
* fix(fs): handle default skip dirs properly (#6628)
* fix(misconf): load cached tf modules (#6607)
* fix(misconf): do not use semver for parsing tf module versions (#6614)
* refactor: move setting scanners when using compliance reports to flag parsing (#6619)
* feat: introduce package UIDs for improved vulnerability mapping (#6583)
* perf(misconf): Improve cause performance (#6586)
* docs: trivy-k8s new experiance remove un-used section (#6608)
* chore(deps): bump github.com/docker/docker from 26.0.1+incompatible to 26.0.2+incompatible (#6612)
* docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609)
* feat(misconf): Use updated terminology for misconfiguration checks (#6476)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.15 to 1.16.15 (#6593)
* docs: use `generic` link from `trivy-repo` (#6606)
* docs: update trivy k8s with new experience (#6465)
* feat: support `--skip-images` scanning flag (#6334)
* BREAKING: add support for k8s `disable-node-collector` flag (#6311)
* chore(deps): bump github.com/zclconf/go-cty from 1.14.1 to 1.14.4 (#6601)
* chore(deps): bump github.com/sigstore/rekor from 1.2.2 to 1.3.6 (#6599)
* chore(deps): bump google.golang.org/protobuf from 1.33.0 to 1.34.0 (#6597)
* chore(deps): bump sigstore/cosign-installer from 3.4.0 to 3.5.0 (#6588)
* chore(deps): bump github.com/testcontainers/testcontainers-go from 0.28.0 to 0.30.0 (#6595)
* chore(deps): bump github.com/open-policy-agent/opa from 0.62.0 to 0.64.1 (#6596)
* feat: add ubuntu 23.10 and 24.04 support (#6573)
* chore(deps): bump azure/setup-helm from 3.5 to 4 (#6590)
* chore(deps): bump actions/checkout from 4.1.2 to 4.1.4 (#6587)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.24.6 to 1.27.4 (#6598)
* docs(go): add stdlib (#6580)
* chore(deps): bump github.com/containerd/containerd from 1.7.13 to 1.7.16 (#6592)
* chore(deps): bump github.com/go-openapi/runtime from 0.27.1 to 0.28.0 (#6600)
* feat(go): parse main mod version from build info settings (#6564)
* feat: respect custom exit code from plugin (#6584)
* docs: add asdf and mise installation method (#6063)
* feat(vuln): Handle scanning conan v2.x lockfiles (#6357)
* feat: add support `environment.yaml` files (#6569)
* fix: close plugin.yaml (#6577)
* fix: trivy k8s avoid deleting non-default node collector namespace (#6559)
* BREAKING: support exclude `kinds/namespaces` and include `kinds/namespaces` (#6323)
* feat(go): add main module (#6574)
* feat: add relationships (#6563)
* ci: disable `Go` cache for `reusable-release.yaml` (#6572)
* docs: mention `--show-suppressed` is available in table (#6571)
* chore: fix sqlite to support loong64 (#6511)
* fix(debian): sort dpkg info before parsing due to exclude directories (#6551)
* docs: update info about config file (#6547)
* docs: remove RELEASE_VERSION from trivy.repo (#6546)
* fix(sbom): change error to warning for multiple OSes (#6541)
* fix(vuln): skip empty versions (#6542)
* feat(c): add license support for conan lock files (#6329)
* fix(terraform): Attribute and fileset fixes (#6544)
* refactor: change warning if no vulnerability details are found (#6230)
* refactor(misconf): improve error handling in the Rego scanner (#6527)
* ci: use tmp dir inside Trivy repo dir for GoReleaser (#6533)
* feat(go): parse main module of go binary files (#6530)
* chore(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 (#6526)
* refactor(misconf): simplify the retrieval of module annotations (#6528)
* chore(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (#6523)
* docs(nodejs): add info about supported versions of pnpm lock files (#6510)
* feat(misconf): loading embedded checks as a fallback (#6502)
* fix(misconf): Parse JSON k8s manifests properly (#6490)
* refactor: remove parallel walk (#5180)
* fix: close pom.xml (#6507)
* fix(secret): convert severity for custom rules (#6500)
* fix(java): update logic to detect `pom.xml` file snapshot artifacts from remote repositories (#6412)
* fix: typo (#6283)
* docs(k8s,image): fix command-line syntax issues (#6403)
* chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 (#6435)
* fix(misconf): avoid panic if the scheme is not valid (#6496)
* feat(image): goversion as stdlib (#6277)
* fix: add color for error inside of log message (#6493)
* chore(deps): bump actions/add-to-project from 0.4.1 to 1.0.0 (#6438)
* docs: fix links to OPA docs (#6480)
* refactor: replace zap with slog (#6466)
* docs: update links to IaC schemas (#6477)
* chore: bump Go to 1.22 (#6075)
* refactor(terraform): sync funcs with Terraform (#6415)
* feat(misconf): add helm-api-version and helm-kube-version flag (#6332)
* chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.4.0 to 1.5.1 (#6426)
* chore(deps): bump github.com/go-openapi/strfmt from 0.22.0 to 0.23.0 (#6452)
* chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.6 to 2.0.7 (#6430)
* chore(deps): bump aquaproj/aqua-installer from 2.2.0 to 3.0.0 (#6437)
* fix(terraform): eval submodules (#6411)
* refactor(terraform): remove unused options (#6446)
* refactor(terraform): remove unused file (#6445)
* chore(deps): bump github.com/testcontainers/testcontainers-go to v0.28.0 (#6387)
* chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.9.0 to 1.10.0 (#6427)
* fix(misconf): Escape template value correctly (#6292)
* feat(misconf): add support for wildcard ignores (#6414)
* fix(cloudformation): resolve `DedicatedMasterEnabled` parsing issue (#6439)
* refactor(terraform): remove metrics collection (#6444)
* feat(cloudformation): add support for logging and endpoint access for EKS (#6440)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.51.1 to 1.53.1 (#6424)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.27.4 to 1.27.10 (#6428)
* chore(deps): bump go.etcd.io/bbolt from 1.3.8 to 1.3.9 (#6429)
* fix(db): check schema version for image name only (#6410)
* chore(deps): bump github.com/google/wire from 0.5.0 to 0.6.0 (#6425)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.149.1 to 1.155.1 (#6433)
* chore(deps): bump actions/cache from 4.0.0 to 4.0.2 (#6436)
* feat(misconf): Support private registries for misconf check bundle (#6327)
* feat(cloudformation): inline ignore support for YAML templates (#6358)
* feat(terraform): ignore resources by nested attributes (#6302)
* perf(helm): load in-memory files (#6383)
* feat(aws): apply filter options to result (#6367)
* feat(aws): quiet flag support (#6331)
* fix(misconf): clear location URI for SARIF (#6405)
* test(cloudformation): add CF tests (#6315)
* fix(cloudformation): infer type after resolving a function (#6406)
* fix(sbom): fix error when parent of SPDX Relationships is not a package. (#6399)
* fix(nodejs): merge `Indirect`, `Dev`, `ExternalReferences` fields for same deps from `package-lock.json` files v2 or later (#6356)
* docs: add info about support for package license detection in `fs`/`repo` modes (#6381)
* fix(nodejs): add support for parsing `workspaces` from `package.json` as an object (#6231)
* fix: use `0600` perms for tmp files for post analyzers (#6386)
* fix(helm): scan the subcharts once (#6382)
* docs(terraform): add file patterns for Terraform Plan (#6393)
* fix(terraform): сhecking SSE encryption algorithm validity (#6341)
* fix(java): parse modules from `pom.xml` files once (#6312)
* chore(deps): bump github.com/docker/docker from 25.0.3+incompatible to 25.0.5+incompatible (#6364)
* fix(server): add Locations for `Packages` in client/server mode (#6366)
* fix(sbom): add check for `CreationInfo` to nil when detecting SPDX created using Trivy (#6346)
* fix(report): don't include empty strings in `.vulnerabilities[].identifiers[].url` when `gitlab.tpl` is used (#6348)
* chore(ubuntu): Add Ubuntu 22.04 EOL date (#6371)
* chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#6321)
* feat(java): add support licenses and graph for gradle lock files (#6140)
* feat(vex): consider root component for relationships (#6313)
* fix: increase the default buffer size for scanning dpkg status files by 2 times (#6298)
* chore: updates wazero to v1.7.0 (#6301)
* feat(sbom): Support license detection for SBOM scan (#6072)
* refactor(sbom): use intermediate representation for SPDX (#6310)
* docs(terraform): improve documentation for filtering by inline comments (#6284)
* fix(terraform): fix policy document retrieval (#6276)
* refactor(terraform): remove unused custom error (#6303)
* refactor(sbom): add intermediate representation for BOM (#6240)
* fix(amazon): check only major version of AL to find advisories (#6295)
* fix(db): use schema version as tag only for `trivy-db` and `trivy-java-db` registries by default (#6219)
* fix(nodejs): add name validation for package name from `package.json` (#6268)
* docs: Added install instructions for FreeBSD (#6293)
* feat(image): customer podman host or socket option (#6256)
* chore(deps): bump wazero from 1.2.1 to 1.6.0 (#6290)
* feat(java): mark dependencies from `maven-invoker-plugin` integration tests pom.xml files as `Dev` (#6213)
* fix(license): reorder logic of how python package licenses are acquired (#6220)
* test(terraform): skip cached modules (#6281)
* feat(secret): Support for detecting Hugging Face Access Tokens (#6236)
* fix(cloudformation): support of all SSE algorithms for s3 (#6270)
* feat(terraform): Terraform Plan snapshot scanning support (#6176)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.4 (#6249)
* fix: typo function name and comment optimization (#6200)
* fix(java): don't ignore runtime scope for pom.xml files (#6223)
* chore(deps): bump helm/kind-action from 1.8.0 to 1.9.0 (#6242)
* chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#6243)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.1 (#6251)
* chore(deps): bump github.com/hashicorp/go-uuid from 1.0.1 to 1.0.3 (#6253)
* chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.0 (#6250)
* chore(deps): bump github.com/containerd/containerd from 1.7.12 to 1.7.13 (#6247)
* chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 (#6246)
* fix(license): add FilePath to results to allow for license path filtering via trivyignore file (#6215)
* chore(deps): Upgrade iac deps (#6255)
* feat: add info log message about dev deps suppression (#6211)
* test(k8s): use test-db for k8s integration tests (#6222)
* ci: add maximize-build-space for `Test` job (#6221)
* fix(terraform): fix root module search (#6160)
* test(parser): squash test data for yarn (#6203)
* fix(terraform): do not re-expand dynamic blocks (#6151)
* docs: update ecosystem page reporting with db app (#6201)
* fix: k8s summary separate infra and user finding results (#6120)
* fix: add context to target finding on k8s table view (#6099)
* fix: Printf format err (#6198)
* refactor: better integration of the parser into Trivy (#6183)
* chore(deps): bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 (#6189)
* feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (#6108)
* fix(vex): CSAF filtering should consider relationships (#5923)
* refactor(report): Replacing `source_location` in `github` report when scanning an image (#5999)
* feat(vuln): ignore vulnerabilities by PURL (#6178)
* feat(java): add support for fetching packages from repos mentioned in pom.xml (#6171)
* feat(k8s): rancher rke2 version support (#5988)
* docs: update kbom distribution for scanning (#6019)
* chore: update CODEOWNERS (#6173)
* fix(swift): try to use branch to resolve version (#6168)
* fix(terraform): ensure consistent path handling across OS (#6161)
* fix(java): add only valid libs from `pom.properties` files from `jars` (#6164)
* fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM source (#6163)
* chore(deps): merge go-dep-parser into Trivy (#6094)
* docs(report): add remark about `path` to filter licenses using `.trivyignore.yaml` file (#6145)
* docs: update template path for gitlab-ci tutorial (#6144)
* feat(report): support for filtering licenses and secrets via rego policy files (#6004)
* fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (#6113)
* refactor(deps): Merge defsec into trivy (#6109)
* chore(deps): bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 (#6142)
* docs: add SecObserve in CI/CD and reporting (#6139)
* fix(alpine): exclude empty licenses for apk packages (#6130)
* docs: add docs tutorial on custom policies with rego (#6104)
* fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (#6102)
* feat(vuln): show suppressed vulnerabilities in table (#6084)
* docs: rename governance to principles (#6107)
* docs: add governance (#6090)
* refactor(deps): Merge trivy-iac into Trivy (#6005)
* feat(java): add dependency location support for `gradle` files (#6083)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.11 to 1.15.15 (#6038)
* fix(misconf): get `user` from `Config.User` (#6070)
-------------------------------------------------------------------
Thu Feb 08 12:51:32 UTC 2024 - dmueller@suse.com
- Update to version 0.49.1:
* fix: check unescaped `BomRef` when matching `PkgIdentifier` (#6025)
* docs: Fix broken link to "pronunciation" (#6057)
* chore(deps): bump actions/upload-artifact from 3 to 4 (#6047)
* chore(deps): bump github.com/spf13/viper from 1.16.0 to 1.18.2 (#6042)
* chore(deps): bump k8s.io/api from 0.29.0 to 0.29.1 (#6043)
* ci: reduce `root-reserve-mb` size for `maximize-build-space` (#6064)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.0 to 1.48.1 (#6041)
* chore(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 (#6039)
* fix: fix cursor usage in Redis Clear function (#6056)
* chore(deps): bump github.com/go-openapi/runtime from 0.26.0 to 0.27.1 (#6037)
* fix(nodejs): add local packages support for `pnpm-lock.yaml` files (#6034)
* chore(deps): bump sigstore/cosign-installer from 3.3.0 to 3.4.0 (#6046)
* chore(deps): bump github.com/go-openapi/strfmt from 0.21.7 to 0.22.0 (#6044)
* chore(deps): bump actions/cache from 3.3.2 to 4.0.0 (#6048)
* test: fix flaky `TestDockerEngine` (#6054)
* chore(deps): bump github.com/google/go-containerregistry from 0.17.0 to 0.19.0 (#6040)
* chore(deps): bump easimon/maximize-build-space from 9 to 10 (#6049)
* chore(deps): bump alpine from 3.19.0 to 3.19.1 (#6051)
* chore(deps): bump github.com/moby/buildkit from 0.11.6 to 0.12.5 (#6028)
* fix(java): recursive check all nested depManagements with import scope for pom.xml files (#5982)
* chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 (#6029)
* fix(cli): inconsistent behavior across CLI flags, environment variables, and config files (#5843)
* feat(rust): Support workspace.members parsing for Cargo.toml analysis (#5285)
* docs: add note about Bun (#6001)
* fix(report): use `AWS_REGION` env for secrets in `asff` template (#6011)
* fix: check returned error before deferring f.Close() (#6007)
* feat(misconf): add support of buildkit instructions when building dockerfile from image config (#5990)
* feat(vuln): enable `--vex` for all targets (#5992)
* docs: update link to data sources (#6000)
* feat(java): add support for line numbers for pom.xml files (#5991)
* refactor(sbom): use new `metadata.tools` struct for CycloneDX (#5981)
* docs: Update troubleshooting guide with image not found error (#5983)
* style: update band logos (#5968)
* chore(deps): Update misconfig deps (#5956)
* docs: update cosign tutorial and commands, update kyverno policy (#5929)
* docs: update command to scan go binary (#5969)
* fix: handle non-parsable images names (#5965)
* chore(deps): bump aquaproj/aqua-installer from 2.1.2 to 2.2.0 (#5693)
* fix(amazon): save system files for pkgs containing `amzn` in src (#5951)
* fix(alpine): Add EOL support for alpine 3.19. (#5938)
* feat: allow end-users to adjust K8S client QPS and burst (#5910)
* chore(deps): bump go-ebs-file (#5934)
* fix(nodejs): find licenses for packages with slash (#5836)
* fix(sbom): use `group` field for pom.xml and nodejs files for CycloneDX reports (#5922)
* fix: ignore no init containers (#5939)
* docs: Fix documentation of ecosystem (#5940)
* docs(misconf): multiple ignores in comment (#5926)
* fix(secret): find aws secrets ending with a comma or dot (#5921)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.11.90 to 1.15.11 (#5885)
* docs: ✨ Updated ecosystem docs with reference to new community app (#5918)
* fix(java): don't remove excluded deps from upper pom's (#5838)
* fix(java): check if a version exists when determining GAV by file name for `jar` files (#5630)
* feat(vex): add PURL matching for CSAF VEX (#5890)
* fix(secret): `AWS Secret Access Key` must include only secrets with `aws` text. (#5901)
* revert(report): don't escape new line characters for sarif format (#5897)
* docs: improve filter by rego (#5402)
* chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7 (#5892)
* docs: add_scan2html_to_trivy_ecosystem (#5875)
* fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode (#5888)
* feat(vex): Add support for CSAF format (#5535)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts from 1.26.2 to 1.26.7 (#5880)
* chore(deps): bump actions/setup-go from 4 to 5 (#5845)
* chore(deps): bump actions/stale from 8 to 9 (#5846)
* chore(deps): bump github.com/open-policy-agent/opa from 0.58.0 to 0.60.0 (#5853)
* chore(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 (#5847)
* chore(deps): bump modernc.org/sqlite from 1.23.1 to 1.28.0 (#5854)
* chore(deps): bump alpine from 3.18.5 to 3.19.0 (#5849)
* chore(deps): bump actions/setup-python from 4 to 5 (#5848)
* feat(python): parse licenses from dist-info folder (#4724)
* chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.7.0 to 0.8.0 (#5852)
* feat(nodejs): add yarn alias support (#5818)
* chore(deps): bump github.com/samber/lo from 1.38.1 to 1.39.0 (#5850)
* chore(deps): bump github.com/hashicorp/go-getter from 1.7.2 to 1.7.3 (#5856)
* chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0 (#5855)
* refactor: propagate time through context values (#5858)
* refactor: move PkgRef under PkgIdentifier (#5831)
* fix(cyclonedx): fix unmarshal for licenses (#5828)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.10.1 to 5.11.0 (#5830)
* feat(vuln): include pkg identifier on detected vulnerabilities (#5439)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from v1.116.0 to v1.134.0 (#5822)
* chore(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11 (#5809)
* chore(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 (#5805)
-------------------------------------------------------------------
Tue Dec 19 14:18:46 UTC 2023 - dmueller@suse.com
- Update to version 0.48.1:
* chore(deps): bump trivy-iac to v0.7.1 (#5797)
* fix(bitnami): use a different comparer for detecting vulnerabilities (#5633)
* refactor(sbom): disable html escaping for CycloneDX (#5764)
* refactor(purl): use `pub` from `package-url` (#5784)
* docs(python): add note to using `pip freeze` for `compatible releases` (#5760)
* fix(report): use OS information for OS packages purl in `github` template (#5783)
* fix(report): fix error if miconfigs are empty (#5782)
* refactor(vuln): don't remove VendorSeverity in JSON report (#5761)
* fix(report): don't mark misconfig passed tests as failed in junit.tpl (#5767)
* docs(k8s): replace --scanners config with --scanners misconfig in docs (#5746)
* fix(report): update Gitlab template (#5721)
* feat(secret): add support of GitHub fine-grained tokens (#5740)
* fix(misconf): add an image misconf to result (#5731)
* feat(secret): added support of Docker registry credentials (#5720)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.45 to 1.25.11 (#5717)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.21.0 to 1.24.1 (#5701)
-------------------------------------------------------------------
Wed Dec 06 10:00:18 UTC 2023 - dmueller@suse.com
- Update to version 0.48.0:
* chore(deps): bump sigstore/cosign-installer from 4a861528be5e691840a69536975ada1d4c30349d to 1fc5bd396d372bee37d608f955b336615edf79c8 (#5696)
* chore(deps): bump helm/chart-testing-action from 2.4.0 to 2.6.1 (#5694)
* feat: filter k8s core components vuln results (#5713)
* feat(vuln): remove duplicates in Fixed Version (#5596)
* feat(report): output plugin (#4863)
* chore(deps): bump alpine from 3.18.4 to 3.18.5 (#5700)
* chore(deps): bump github.com/google/go-containerregistry from 0.16.1 to 0.17.0 (#5704)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.8.1 to 5.10.1 (#5699)
* chore(deps): bump actions/github-script from 6 to 7 (#5697)
* chore(deps): bump easimon/maximize-build-space from 8 to 9 (#5695)
* docs: typo in modules.md (#5712)
* feat: Add flag to configure node-collector image ref (#5710)
* chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.7.1 to 1.9.0 (#5702)
* chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.4 to 2.31.0 (#5698)
* chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.3.1 to 1.4.0 (#5706)
* feat(misconf): Add `--misconfig-scanners` option (#5670)
* chore: bump Go to 1.21 (#5662)
* feat: Packagesprops support (#5605)
* chore(deps): Bump up trivy misconf deps (#5656)
* docs: update adopters discussion template (#5632)
* docs: terraform tutorial links updated to point to correct loc (#5661)
* fix(secret): add `sec` and space to secret prefix for `aws-secret-access-key` (#5647)
* fix(nodejs): support protocols for dependency section in yarn.lock files (#5612)
* fix(secret): exclude upper case before secret for `alibaba-access-key-id` (#5618)
* docs: Update Arch Linux package URL in installation.md (#5619)
* chore: add prefix to image errors (#5601)
* docs(vuln): fix link anchor (#5606)
* docs: Add Dagger integration section and cleanup Ecosystem CICD docs page (#5608)
* fix: k8s friendly error messages kbom non cluster scans (#5594)
* feat: set InstalledFiles for DEB and RPM packages (#5488)
* fix(report): use time.Time for CreatedAt (#5598)
* test: retry containerd initialization (#5597)
* feat(misconf): Expose misconf engine debug logs with `--debug` option (#5550)
* test: mock VM walker (#5589)
* chore: bump node-collector v0.0.9 (#5591)
* feat(misconf): Add support for `--cf-params` for CFT (#5507)
* feat(flag): replace '--slow' with '--parallel' (#5572)
* fix(report): add escaping for Sarif format (#5568)
* chore: show a deprecation notice for `--scanners config` (#5587)
* feat(report): Add CreatedAt to the JSON report. (#5542) (#5549)
* test: mock RPM DB (#5567)
* feat: add aliases to '--scanners' (#5558)
* refactor: reintroduce output writer (#5564)
* chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#5543)
* chore: not load plugins for auto-generating docs (#5569)
* chore: sort supported AWS services (#5570)
* fix: no schedule toleration (#5562)
* fix(cli): set correct `scanners` for `k8s` target (#5561)
* fix(sbom): add `FilesAnalyzed` and `PackageVerificationCode` fields for SPDX (#5533)
* refactor(misconf): Update refactored dependencies (#5245)
* feat(secret): add built-in rule for JWT tokens (#5480)
* fix: trivy k8s parse ecr image with arn (#5537)
* fix: fail k8s resource scanning (#5529)
* refactor(misconf): don't remove Highlighted in json format (#5531)
* docs(k8s): fix link in kubernetes.md (#5524)
* docs(k8s): fix whitespace in list syntax (#5525)
-------------------------------------------------------------------
Tue Nov 07 12:24:51 UTC 2023 - dmueller@suse.com
- Update to version 0.47.0:
* docs: add info that license scanning supports file-patterns flag (#5484)
* docs: add Zora integration into Ecosystem session (#5490)
* fix(sbom): Use UUID as BomRef for packages with empty purl (#5448)
* ci: use maximize build space for K8s tests (#5387)
* fix: correct error mismatch causing race in fast walks (#5516)
* docs: k8s vulnerability scanning (#5515)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts from 1.23.2 to 1.25.0 (#5506)
* chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.2.2 to 2.3.0 (#5493)
* docs: remove glad for java datasources (#5508)
* chore(deps): bump github.com/testcontainers/testcontainers-go/modules/localstack from 0.21.0 to 0.26.0 (#5475)
* chore: remove unused logger attribute in amazon detector (#5476)
* fix: correct error mismatch causing race in fast walks (#5482)
* chore(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5502)
* chore(deps): bump docker/build-push-action from 4 to 5 (#5500)
* chore(deps): bump github.com/package-url/packageurl-go from 0.1.2-0.20230812223828-f8bb31c1f10b to 0.1.2 (#5491)
* fix(server): add licenses to `BlobInfo` message (#5382)
* chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#5501)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.17.18 to 1.21.0 (#5497)
* feat: scan vulns on k8s core component apps (#5418)
* fix(java): fix infinite loop when `relativePath` field points to `pom.xml` being scanned (#5470)
* chore(deps): bump github.com/docker/docker from 24.0.5+incompatible to 24.0.7+incompatible (#5472)
* fix(sbom): save digests for package/application when scanning SBOM files (#5432)
* docs: fix the broken link (#5454)
* docs: fix error when installing `PyYAML` for gh pages (#5462)
* fix(java): download java-db once (#5442)
* chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.57.1 (#5447)
* docs(misconf): Update `--tf-exclude-downloaded-modules` description (#5419)
* feat(misconf): Support `--ignore-policy` in config scans (#5359)
* docs(misconf): fix broken table for `Use container image` section (#5425)
* feat(dart): add graph support (#5374)
* refactor: define a new struct for scan targets (#5397)
* fix(sbom): add missed `primaryURL` and `source severity` for CycloneDX (#5399)
* fix: correct invalid MD5 hashes for rpms ending with one or more zero bytes (#5393)
* chore(deps): move to aws-sdk-go-v2 (#5381)
* docs: remove --scanners none (#5384)
* docs: Update container_image.md #5182 (#5193)
* feat(report): Add `InstalledFiles` field to Package (#4706)
* feat(k8s): add support for vulnerability detection (#5268)
* fix(python): override BOM in `requirements.txt` files (#5375)
* docs: add kbom documentation (#5363)
* test: use maximize build space for VM tests (#5362)
* chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 (#5365)
* fix(report): add escaping quotes in misconfig Title for asff template (#5351)
* ci: add workflow to check Go versions of dependencies (#5340)
* chore(deps): Upgrade defsec to v0.93.1 (#5348)
* chore(deps): bump alpine from 3.18.3 to 3.18.4 (#5300)
* fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342)
* fix: add config files to FS for post-analyzers (#5333)
* fix: fix MIME warnings after updating to Go 1.20 (#5336)
* build: fix a compile error with Go 1.21 (#5339)
* feat: added `Metadata` into the k8s resource's scan report (#5322)
* ci: check only PR's in `actions/stale` (#5337)
* chore: update adopters template (#5330)
* ci: do not trigger tests on the push event (#5313)
* fix(sbom): use PURL or Group and Name in case of Java (#5154)
* docs: add buildkite repository to ecosystem page (#5316)
* chore(deps): bump docker/setup-qemu-action from 2 to 3 (#5290)
* chore(deps): bump docker/setup-buildx-action from 2 to 3 (#5292)
* chore(deps): bump actions/cache from 3.3.1 to 3.3.2 (#5293)
* chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 (#5286)
* chore(deps): bump github.com/hashicorp/go-getter from 1.7.1 to 1.7.2 (#5289)
* chore: enable go-critic (#5302)
* chore(deps): bump actions/checkout from 3.6.0 to 4.1.0 (#5288)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.45.3 to 1.45.19 (#5287)
* close java-db client (#5273)
* chore(deps): bump docker/login-action from 2 to 3 (#5291)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#5294)
* chore(deps): bump github.com/sigstore/rekor from 1.2.1 to 1.3.0 (#5304)
* chore(deps): bump github.com/opencontainers/image-spec (#5295)
* fix(report): removes git::http from uri in sarif (#5244)
* Improve the meaning of sentence (#5301)
* chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.2.0 to 2.2.2 (#5297)
* chore(deps): bump golang.org/x/term from 0.11.0 to 0.12.0 (#5296)
* add app nil check (#5274)
* typo: in secret.md (#5281)
* docs: add info about `github` format (#5265)
* feat(dotnet): add license support for NuGet (#5217)
* docs: correctly export variables (#5260)
* chore: Add line numbers for lint output (#5247)
* chore(cli): disable java-db flags in server mode (#5263)
* feat(db): allow passing registry options (#5226)
* chore(deps): Bump up defsec to v0.93.0 (#5253)
* refactor(purl): use TypeApk from purl (#5232)
* chore: enable more linters (#5228)
* ci: bump GoReleaser from 1.16.2 to 1.20.0 (#5236)
* Fix typo on ide.md (#5239)
* refactor: use defined types (#5225)
* fix(purl): skip local Go packages (#5190)
* docs: update info about license scanning in Yarn projects (#5207)
* ci: auto apply labels (#5200)
* fix link (#5203)
* fix(purl): handle rust types (#5186)
* chore: auto-close issues (#5177)
* chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 (#5093)
* fix(k8s): kbom support addons labels (#5178)
* test: validate SPDX with the JSON schema (#5124)
* chore: bump trivy-kubernetes-latest (#5161)
* docs: add 'Signature Verification' guide (#4731)
* docs: add image-scanner-with-trivy for ecosystem (#5159)
* fix(fs): assign the absolute path to be inspected to ROOTPATH when filesystem (#5158)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go (#5102)
* Update filtering.md (#5131)
* chore(deps): bump sigstore/cosign-installer (#5104)
* chore(deps): bump github.com/cyphar/filepath-securejoin (#5143)
* chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#5103)
* chore(deps): bump easimon/maximize-build-space from 7 to 8 (#5105)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.273 to 1.45.3 (#5126)
* chaging adopters discussion tempalte (#5091)
* chore(deps): bump github.com/cheggaaa/pb/v3 from 3.1.2 to 3.1.4 (#5092)
* chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.2 to 2.0.6 (#5094)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#5095)
* chore(deps): bump github.com/containerd/containerd from 1.7.3 to 1.7.5 (#5097)
* chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#5098)
* chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 (#5106)
* docs: add Bitnami (#5078)
* feat(docker): add support for scanning Bitnami components (#5062)
* feat: add support for .trivyignore.yaml (#5070)
* fix(terraform): improve detection of terraform files (#4984)
* feat: filter artifacts on --exclude-owned flag (#5059)
* fix(sbom): cyclonedx advisory should omit `null` value (#5041)
* build: maximize build space for build tests (#5072)
* feat: improve kbom component name (#5058)
* fix(pom): add licenses for pom artifacts (#5071)
* chore(deps): Update defsec to v0.92.0 (#5068)
* chore: bump Go to `1.20` (#5067)
* feat: PURL matching with qualifiers in OpenVEX (#5061)
* feat(java): add graph support for pom.xml (#4902)
* feat(swift): add vulns for cocoapods (#5037)
* fix: support image pull secret for additional workloads (#5052)
* fix: #5033 Superfluous double quote in html.tpl (#5036)
* docs(repo): update trivy repo usage and example (#5049)
* perf: Optimize Dockerfile for reduced layers and size (#5038)
* feat: scan K8s Resources Kind with --all-namespaces (#5043)
* fix: vulnerability typo (#5044)
* docs: adding a terraform tutorial to the docs (#3708)
* feat(report): add licenses to sarif format (#4866)
* feat(misconf): show the resource name in the report (#4806)
* chore: update alpine base images (#5015)
* feat: add Package.resolved swift files support (#4932)
* feat(nodejs): parse licenses in yarn projects (#4652)
* fix: k8s private registries support (#5021)
* bump github.com/testcontainers/testcontainers-go from 0.21.0 to 0.23.0 (#5018)
* feat(vuln): support last_affected field from osv (#4944)
* feat(server): add version endpoint (#4869)
* feat: k8s private registries support (#4987)
* fix(server): add indirect prop to package (#4974)
* docs: add coverage (#4954)
* feat(c): add location for lock file dependencies. (#4994)
* docs: adding blog post on ec2 (#4813)
* revert 32bit bins (#4977)
* chore(deps): bump github.com/xlab/treeprint from 1.1.0 to 1.2.0 (#4917)
-------------------------------------------------------------------
Thu Aug 10 10:51:52 UTC 2023 - dmueller@suse.com
- Update to version 0.44.1:
* fix(report): return severity colors in table format (#4969)
* build: maximize available disk space for release (#4937)
* test(cli): Fix assertion helptext (#4966)
* chore(deps): Bump defsec to v0.91.1 (#4965)
* test: validate CycloneDX with the JSON schema (#4956)
* fix(server): add licenses to the Result message (#4955)
* fix(aws): resolve endpoint if endpoint is passed (#4925)
* fix(sbom): move licenses to `name` field in Cyclonedx format (#4941)
* add only uniq deps in dependsOn (#4943)
* use testify instead of gotest.tools (#4946)
* fix(nodejs): do not detect lock file in node_modules as an app (#4949)
* bump go-dep-parser (#4936)
* chore(deps): bump github.com/openvex/go-vex from 0.2.0 to 0.2.1 (#4914)
* chore(deps): bump helm/kind-action from 1.7.0 to 1.8.0 (#4909)
* chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore (#4912)
* test(aws): move part of unit tests to integration (#4884)
* docs(cli): update help string for file and dir skipping (#4872)
* chore(deps): bump sigstore/cosign-installer (#4910)
* chore(deps): bump github.com/sosedoff/gitkit from 0.3.0 to 0.4.0 (#4916)
* chore(deps): bump k8s.io/api from 0.27.3 to 0.27.4 (#4918)
* chore(deps): bump github.com/secure-systems-lab/go-securesystemslib (#4919)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#4913)
* chore(deps): bump github.com/magefile/mage from 1.14.0 to 1.15.0 (#4915)
* docs: update the discussion template (#4928)
-------------------------------------------------------------------
Thu Aug 03 11:21:12 UTC 2023 - dmueller@suse.com
- Update to version 0.44.0:
* feat(repo): support local repositories (#4890)
* bump go-dep-parser (#4893)
* fix(misconf): add missing fields to proto (#4861)
* fix: remove trivy-db package replacement (#4877)
* chore(test): bump the integration test timeout to 15m (#4880)
* chore(deps): Update defsec to v0.91.0 (#4886)
* chore: update CODEOWNERS (#4871)
* feat(vuln): support vulnerability status (#4867)
* feat(misconf): Support custom URLs for policy bundle (#4834)
* refactor: replace with sortable packages (#4858)
* docs: correct license scanning sample command (#4855)
* fix(report): close the file (#4842)
* feat(nodejs): add support for include-dev-deps flag for yarn (#4812)
* feat(misconf): Add support for independently enabling libraries (#4070)
* feat(secret): add secret config file for cache calculation (#4837)
* Fix a link in gitlab-ci.md (#4850)
* fix(flag): use globalstar to skip directories (#4854)
* chore(deps): bump github.com/docker/docker from v23.0.5+incompatible to v23.0.7-0.20230714215826-f00e7af96042+incompatible (#4849)
* fix(license): using common way for splitting licenses (#4434)
* fix(containerd): Use img platform in exporter instead of strict host platform (#4477)
* remove govulndb (#4783)
* fix(java): inherit licenses from parents (#4817)
* refactor: add allowed values for CLI flags (#4800)
* add example regex to allow rules (#4827)
* feat(misconf): Support custom data for rego policies for cloud (#4745)
* docs: correcting the trivy k8s tutorial (#4815)
* feat(cli): add --tf-exclude-downloaded-modules flag (#4810)
* fix(sbom): cyclonedx recommendations should include fixed versions for each package (#4794)
* feat(misconf): enable --policy flag to accept directory and files both (#4777)
* feat(python): add license fields (#4722)
* fix: support trivy k8s-version on k8s sub-command (#4786)
-------------------------------------------------------------------
Thu Jul 13 08:47:12 UTC 2023 - dmueller@suse.com
- Update to version 0.43.1:
* chore(deps): Update defsec to v0.90.3 (#4793)
* chore(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 (#4752)
* chore(deps): bump alpine from 3.18.0 to 3.18.2 (#4748)
* chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.3 to 2.30.4 (#4758)
* docs(image): fix the comment on the soft/hard link (#4740)
* check Type when filling pkgs in vulns (#4776)
* feat: add support of linux/ppc64le and linux/s390x architectures for Install.sh script (#4770)
* chore(deps): bump modernc.org/sqlite from 1.20.3 to 1.23.1 (#4756)
* fix(rocky): add architectures support for advisories (#4691)
* chore(deps): bump github.com/opencontainers/image-spec (#4751)
* chore(deps): bump github.com/package-url/packageurl-go (#4754)
* chore(deps): bump golang.org/x/sync from 0.2.0 to 0.3.0 (#4750)
* chore(deps): bump github.com/tetratelabs/wazero from 1.2.0 to 1.2.1 (#4755)
* chore(deps): bump github.com/testcontainers/testcontainers-go (#4759)
* fix: documentation about reseting trivy image (#4733)
* fix(suse): Add openSUSE Leap 15.5 eol date as well (#4744)
* fix: update Amazon Linux 1 EOL (#4761)
- drop eol-dates.patch (all upstream)
-------------------------------------------------------------------
Mon Jul 03 13:22:20 UTC 2023 - dmueller@suse.com
- Update to version 0.43.0:
* chore(deps): Update defsec to v0.90.1 (#4739)
* feat(nodejs): support yarn workspaces (#4664)
* feat(cli): add include-dev-deps flag (#4700)
* fix(image): pass the secret scanner option to scan the img config (#4735)
* fix: scan job pod it not found on k8s-1.27.x (#4729)
* feat(docker): add support for mTLS authentication when connecting to registry (#4649)
* chore(deps): Update defsec to v0.90.0 (#4723)
* fix: skip scanning the gpg-pubkey package (#4720)
* Fix http registry oci pull (#4701)
* feat(misconf): Support skipping services (#4686)
* docs: fix supported modes for pubspec.lock files (#4713)
* fix(misconf): disable the terraform plan analyzer for other scanners (#4714)
* clarifying a dir path is required for custom policies (#4716)
* chore: update alpine base images (#4715)
* fix last-history-created (#4697)
* feat: kbom and cyclonedx v1.5 spec support (#4708)
* docs: add information about Aqua (#4590)
* fix: k8s escape resource filename on windows os (#4693)
* ci: ignore merge queue branches (#4696)
* chore(deps): bump actions/checkout from 2.4.0 to 3.5.3 (#4695)
* chore(deps): bump aquaproj/aqua-installer from 2.1.1 to 2.1.2 (#4694)
* feat: cyclondx sbom custom property support (#4688)
* ci: do not trigger tests in main (#4692)
* add SUSE Linux Enterprise Server 15 SP5 and update SP4 eol date (#4690)
* use group field for jar in cyclonedx (#4674)
* feat(java): capture licenses from pom.xml (#4681)
* feat(helm): make sessionAffinity configurable (#4623)
* fix: Show the correct URL of the secret scanning (#4682)
* document expected file pattern definition format (#4654)
* fix: format arg error (#4642)
* feat(k8s): cyclonedx kbom support (#4557)
* fix(nodejs): remove unused fields for the pnpm lockfile (#4630)
* fix(vm): update ext4-filesystem parser for parse multi block extents (#4616)
* ci: update build IDs (#4641)
* fix(debian): update EOL for Debian 12 (#4647)
* chore(deps): bump go-containerregistry (#4639)
* chore: unnecessary use of fmt.Sprintf (S1039) (#4637)
* fix(db): change argument order in Exists query for JavaDB (#4595)
* feat(aws): Add support to see successes in results (#4427)
* chore(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 (#4613)
* ci: do not trigger tests in main (#4614)
* chore(deps): bump sigstore/cosign-installer (#4609)
* chore(deps): bump CycloneDX/gh-gomod-generate-sbom from 1 to 2 (#4608)
* ci: bypass the required status checks (#4611)
* ci: support merge queue (#3652)
* ci: matrix build for testing (#4587)
* feat: trivy k8s private registry support (#4567)
* docs: add general coverage page (#3859)
* chore: create SECURITY.md (#4601)
-------------------------------------------------------------------
Fri Jun 30 15:06:47 UTC 2023 - Dirk Müller <dmueller@suse.com>
- add eol-dates.patch to list SLE/Leap 15.5
-------------------------------------------------------------------
Thu Jun 22 08:39:30 UTC 2023 - Dirk Müller <dmueller@suse.com>
- add NOTICE to doc
-------------------------------------------------------------------
Mon Jun 12 07:56:25 UTC 2023 - dmueller@suse.com
- Update to version 0.42.1:
* ci: remove 32bit packages (#4585)
* fix(misconf): deduplicate misconf results (#4588)
* fix(vm): support sector size of 4096 (#4564)
* fix(misconf): terraform relative paths (#4571)
* fix(purl): skip unsupported library type (#4577)
* fix(terraform): recursively detect all Root Modules (#4457)
* fix(vm): support post analyzer for vm command (#4544)
* fix(nodejs): change the type of the devDependencies field (#4560)
* fix(sbom): export empty dependencies in CycloneDX (#4568)
* refactor: add composite fs for post-analyzers (#4556)
* chore(deps): bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 (#4554)
* chore(deps): bump helm/kind-action from 1.5.0 to 1.7.0 (#4526)
* chore(deps): bump github.com/BurntSushi/toml from 1.2.1 to 1.3.0 (#4528)
* chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.2 to 2.30.3 (#4529)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 (#4536)
* chore(deps): bump github.com/tetratelabs/wazero from 1.0.0 to 1.2.0 (#4549)
* chore(deps): bump github.com/spf13/cast from 1.5.0 to 1.5.1 (#4532)
* chore(deps): bump github.com/testcontainers/testcontainers-go (#4537)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#4530)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#4534)
* chore(deps): bump github.com/sigstore/rekor from 1.2.0 to 1.2.1 (#4533)
* chore(deps): bump alpine from 3.17.3 to 3.18.0 (#4525)
* feat: add SBOM analyzer (#4210)
* fix(sbom): update logic for work with files in spdx format (#4513)
* feat: azure workload identity support (#4489)
* feat(ubuntu): add eol date for 18.04 ESM (#4524)
* fix(misconf): Update required extensions for terraformplan (#4523)
* refactor(cyclonedx): add intermediate representation (#4490)
* fix(misconf): Remove debug print while scanning (#4521)
* fix(java): remove duplicates of jar libs (#4515)
* fix(java): fix overwriting project props in pom.xml (#4498)
* docs: Update compilation instructions (#4512)
* fix(nodejs): update logic for parsing pnpm lock files (#4502)
* fix(secret): remove aws-account-id rule (#4494)
* feat(oci): add support for referencing an input image by digest (#4470)
* chore(deps): bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#4338)
* docs: fixed the format (#4503)
* fix(java): add support of * for exclusions for pom.xml files (#4501)
* feat: adding issue template for documentation (#4453)
* docs: switch glad to ghsa for Go (#4493)
* chore(deps): Update defsec to v0.89.0 (#4474)
* feat(misconf): Add terraformplan support (#4342)
* feat(debian): add digests for dpkg (#4445)
* chore(deps): bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 (#4478)
* feat(k8s): exclude node scanning by node labels (#4459)
* docs: add info about multi-line mode for regexp from custom secret rules (#4159)
* feat(cli): convert JSON reports into a different format (#4452)
* feat(image): add logic to guess base layer for docker-cis scan (#4344)
* fix(cyclonedx): set original names for packages (#4306)
* feat: group subcommands (#4449)
* feat(cli): add retry to cache operations (#4189)
* fix(vuln): report architecture for `apk` packages (#4247)
* refactor: enable cases where return values are not needed in pipeline (#4443)
* fix(image): resolve scan deadlock when error occurs in slow mode (#4336)
* docs(misconf): Update docs for kubernetes file patterns (#4435)
* test: k8s integration tests (#4423)
* feat(redhat): add package digest for rpm (#4410)
* feat(misconf): Add `--reset-policy-bundle` for policy bundle (#4167)
* fix: typo (#4431)
* add user instruction to imgconf (#4429)
* fix(k8s): add image sources (#4411)
* docs(scanning): Add versioning banner (#4415)
* feat(cli): add mage command to update golden integration test files (#4380)
* feat: node-collector custom namespace support (#4407)
* chore(deps): bump owenrumney/go-sarif from v2.1.3 to v2.2.0 (#4378)
* refactor(sbom): use multiline json for spdx-json format (#4404)
* fix(ubuntu): add EOL date for Ubuntu 23.04 (#4347)
* refactor: code-optimization (#4214)
* feat(image): Add image-src flag to specify which runtime(s) to use (#4047)
* test: skip wrong update of test golden files (#4379)
* refactor: don't return error for package.json without version/name (#4377)
* docs: cmd error (#4376)
* test(cli): add test for config file and env combination (#2666)
* fix(report): set a correct file location for license scan output (#4326)
* ci: rpm repository for all versions and aarch64 (#4077)
* chore(alpine): Update Alpine to 3.18 (#4351)
* fix(alpine): add EOL date for Alpine 3.18 (#4308)
* chore(deps): bump github.com/docker/distribution (#4337)
* feat: allow root break for mapfs (#4094)
* docs(misconf): Remove examples.md (#4256)
* fix(ubuntu): update eol dates for Ubuntu (#4258)
* feat(alpine): add digests for apk packages (#4168)
* chore: add discussion templates (#4190)
* fix(terraform): Support tfvars (#4123)
* chore: separate docs:generate (#4242)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#4246)
* refactor: define vulnerability scanner interfaces (#4117)
* feat: unified k8s scan resources (#4188)
* chore(deps): Update defsec to v0.88.1 (#4178)
* chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.1 to 2.30.2 (#4141)
* chore: trivy bin ignore (#4212)
* feat(image): enforce image platform (#4083)
* chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.1.2 to 2.1.3 (#4143)
* chore(deps): bump github.com/docker/docker (#4144)
* chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.1 to 2.0.2 (#4146)
* chore(deps): bump aquaproj/aqua-installer from 2.0.2 to 2.1.1 (#4140)
* fix(ubuntu): fix version selection logic for ubuntu esm (#4171)
* chore(deps): bump github.com/samber/lo from 1.37.0 to 1.38.1 (#4147)
* chore(deps): bump github.com/hashicorp/go-getter from 1.7.0 to 1.7.1 (#4145)
* chore(deps): bump sigstore/cosign-installer from 3.0.1 to 3.0.3 (#4138)
* chore(deps): bump github.com/testcontainers/testcontainers-go (#4150)
* chore: install.sh support for windows (#4155)
* chore(deps): bump github.com/sigstore/rekor from 1.1.0 to 1.1.1 (#4166)
* chore(deps): bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#4149)
* docs: moving skipping files out of others (#4154)
-------------------------------------------------------------------
Thu May 11 17:05:04 UTC 2023 - Dirk Müller <dmueller@suse.com>
- actually create a PIE binary
-------------------------------------------------------------------
Fri Apr 28 07:31:35 UTC 2023 - dmueller@suse.com
- Update to version 0.41.0:
* fix(spdx): add workaround for no src packages (#4118)
* test(golang): rename broken go.mod (#4129)
* feat(sbom): add supplier field (#4122)
* test(misconf): skip downloading of policies for tests #4126
* refactor: use debug message for post-analyze errors (#4037)
* feat(sbom): add VEX support (#4053)
* feat(sbom): add primary package purpose field for SPDX (#4119)
* fix(k8s): fix quiet flag (#4120)
* fix(python): parse of pip extras (#4103)
* feat(java): use full path for nested jars (#3992)
* feat(license): add new flag for classifier confidence level (#4073)
* feat: config and fs compliance support (#4097)
* chore(deps): bump sigstore/cosign-installer from 2.8.1 to 3.0.1 (#3952)
* feat(spdx): add support for SPDX 2.3 (#4058)
* fix: k8s all-namespaces support (#4096)
* perf(misconf): replace with post-analyzers (#4090)
* fix(helm): update networking API version detection (#4106)
* feat(image): custom docker host option (#3599)
* style: debug flag is incorrect and needs extra - (#4087)
* docs(vuln): Document inline vulnerability filtering comments (#4024)
* feat(fs): customize error callback during fs walk (#4038)
* fix(ubuntu): skip copyright files from subfolders (#4076)
* docs: restructure scanners (#3977)
* fix: fix `file does not exist` error for post-analyzers (#4061)
-------------------------------------------------------------------
Sun Apr 16 18:05:08 UTC 2023 - dmueller@suse.com
- Update to version 0.40.0:
* feat(flag): Support globstar for `--skip-files` and `--skip-directories` (#4026)
* chore(deps): bump actions/stale from 7 to 8 (#3955)
* fix: return insecure option to download javadb (#4064)
* fix(nodejs): don't stop parsing when unsupported yarn.lock protocols are found (#4052)
* ci: add gpg signing for RPM packages (#4056)
* fix(k8s): current context title (#4055)
* fix(k8s): quit support on k8s progress bar (#4021)
* chore: add a note about Dockerfile.canary (#4050)
* ci: fix path to canary binaries (#4045)
* fix(vuln): report architecture for debian packages (#4032)
* feat: add support for Chainguard's commercial distro (#3641)
* ci: bump goreleaser for Github Action from 1.4.1 to 1.16.2 (#3979)
* fix(vuln): fix error message for remote scanners (#4031)
* feat(report): add image metadata to SARIF (#4020)
* docs: fix broken cache link on Installation page (#3999)
* fix: lock downloading policies and database (#4017)
* fix: avoid concurrent access to the global map (#4014)
* feat(rust): add Cargo.lock v3 support (#4012)
* feat: auth support oci download server subcommand (#4008)
* chore(deps): bump github.com/docker/docker (#4009)
* chore: install.sh support for armv7 (#3985)
* chore(deps): bump github.com/Azure/go-autorest/autorest/adal (#3961)
-------------------------------------------------------------------
Thu Apr 13 08:10:58 UTC 2023 - dmueller@suse.com
- Update to version 0.39.1:
* fix(rust): fix panic when 'dependencies' field is not used in cargo.toml (#3997)
* fix(sbom): fix infinite loop for cyclonedx (#3998)
* chore(deps): bump helm/chart-testing-action from 2.3.1 to 2.4.0 (#3954)
* fix: use warning for errors from enrichment files for post-analyzers (#3972)
* chore(deps): bump github.com/docker/docker (#3963)
* fix(helm): added annotation to psp configurable from values (#3893)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.5.2 to 5.6.1 (#3962)
* fix(secret): update built-in rule `tests` (#3855)
* chore(deps): bump github.com/alicebob/miniredis/v2 from 2.23.0 to 2.30.1 (#3957)
* test: rewrite scripts in Go (#3968)
* docs(cli): Improve glob documentation (#3945)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#3959)
* ci: check CLI references (#3967)
* chore(deps): bump alpine from 3.17.2 to 3.17.3 (#3951)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.212 to 1.44.234 (#3956)
* chore(deps): bump github.com/moby/buildkit from 0.11.4 to 0.11.5 (#3958)
* chore(deps): bump actions/setup-go from 3 to 4 (#3953)
* chore(deps): bump actions/cache from 3.2.6 to 3.3.1 (#3950)
* chore(deps): bump github.com/containerd/containerd from 1.6.19 to 1.7.0 (#3965)
* chore(deps): bump github.com/sigstore/rekor from 1.0.1 to 1.1.0 (#3964)
-------------------------------------------------------------------
Mon Apr 03 08:36:44 UTC 2023 - dmueller@suse.com
- Update to version 0.39.0:
* docs(cli): added makefile and go file to create docs (#3930)
* chore: Revert "ci: add gpg signing for RPM packages (#3612)" (#3946)
* chore: ignore gpg key (#3943)
* feat(cyclonedx): support dependency graph (#3177)
* chore(deps): Bump defsec to v0.85.0 (#3940)
* feat(rust): remove dev deps and find direct deps for Cargo.lock (#3919)
* feat(server): redis with public TLS certs support (#3783)
* feat(flag): Add glob support to `--skip-dirs` and `--skip-files` (#3866)
* chore: replace make with mage (#3932)
* fix(sbom): add checksum to files (#3888)
* chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#3928)
* chore: remove unused mount volumes (#3927)
* feat: add auth support for downloading OCI artifacts (#3915)
* refactor(purl): use epoch in qualifier (#3913)
* chore(deps): bump github.com/in-toto/in-toto-golang from 0.5.0 to 0.7.0 (#3727)
* feat(image): add registry options (#3906)
* feat(rust): dependency tree and line numbers support for cargo lock file (#3746)
* chore(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1 (#3905)
* feat(php): add support for location, licenses and graph for composer.lock files (#3873)
* chore(deps): updates wazero to 1.0.0 (#3904)
* feat(image): discover SBOM in OCI referrers (#3768)
* docs: change cache-dir key in config file (#3897)
* fix(sbom): use release and epoch for SPDX package version (#3896)
* ci: add gpg signing for RPM packages (#3612)
* docs: Update incorrect comment for skip-update flag (#3878)
* refactor(misconf): simplify policy filesystem (#3875)
* feat(nodejs): parse package.json alongside yarn.lock (#3757)
* fix(spdx): add PkgDownloadLocation field (#3879)
* fix(report): try to guess direct deps for dependency tree (#3852)
* chore(amazon): update EOL (#3876)
* fix(nodejs): improvement logic for package-lock.json v2-v3 (#3877)
* feat(amazon): add al2023 support (#3854)
* chore(deps): bump github.com/cheggaaa/pb/v3 from 3.1.0 to 3.1.2 (#3736)
* docs(misconf): Add information about selectors (#3703)
* docs(cli): update CLI docs with cobra (#3815)
* feat: k8s parallel processing (#3693)
* docs: add DefectDojo in the Security Management section (#3871)
* chore(deps): updates wazero to 1.0.0-rc.2 (#3853)
* refactor: add pipeline (#3868)
* feat(cli): add javadb metadata to version info (#3835)
* chore(deps): Move compliance types to defsec (#3842)
* feat(sbom): add support for CycloneDX JSON Attestation of the correct specification (#3849)
* feat: add node toleration option (#3823)
* fix: allow mapfs to open dirs (#3867)
* fix(report): update uri only for os class targets (#3846)
* feat(nodejs): Add v3 npm lock file support (#3826)
* feat(nodejs): parse package.json files alongside package-lock.json (#2916)
* docs(misconf): Fix links to built in policies (#3841)
-------------------------------------------------------------------
Tue Mar 14 09:56:08 UTC 2023 - dmueller@suse.com
- Update to version 0.38.3:
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2
from 1.86.1 to 1.89.1
* fix(java): skip empty files for jar post analyzer
* fix(docker): build healthcheck command for line without
/bin/sh prefix
* refactor(license): use goyacc for license parser (#3824)
* chore(deps): bump github.com/docker/docker from
23.0.0-rc.1+incompatible to 23.0.1+incompatible
* fix: populate timeout context to node-collector
* fix: exclude node collector scanning (#3771)
* fix: display correct flag in error message when skipping
java db update #3808
* fix: disable jar analyzer for scanners other than vuln (#3810)
* fix(sbom): fix incompliant license format for spdx (#3335)
* fix(java): the project props take precedence over the
parent's props (#3320)
* docs: add canary build info to README.md (#3799)
* docs: adding link to gh token generation (#3784)
* docs: changing docs in accordance with #3460 (#3787)
-------------------------------------------------------------------
Wed Mar 08 11:02:13 UTC 2023 - dmueller@suse.com
- Update to version 0.38.2:
* chore(deps): bump github.com/moby/buildkit from 0.11.0 to 0.11.4 (#3789)
* chore(deps): bump actions/add-to-project from 0.4.0 to 0.4.1 (#3724)
* fix(license): disable jar analyzer for licence scan only (#3780)
* bump trivy-issue-action to v0.0.0; skip `pkg` dir (#3781)
* fix: skip checking dirs for required post-analyzers (#3773)
* docs: add information about plugin format (#3749)
* fix(sbom): add trivy version to spdx creators tool field (#3756)
-------------------------------------------------------------------
Thu Mar 02 17:30:50 UTC 2023 - dmueller@suse.com
- Update to version 0.38.1:
* feat(misconf): Add support to show policy bundle version (#3743)
* fix(python): fix error with optional dependencies in pyproject.toml (#3741)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.210 to 1.44.212 (#3740)
* add id for package.json files (#3750)
* chore(deps): bump github.com/containerd/containerd from 1.6.18 to 1.6.19 (#3738)
* chore(deps): bump actions/cache from 3.2.4 to 3.2.6 (#3725)
* chore(deps): bump github.com/google/go-containerregistry (#3731)
* chore(deps): bump go.etcd.io/bbolt from 1.3.6 to 1.3.7 (#3732)
* chore(deps): bump alpine from 3.17.1 to 3.17.2 (#3723)
-------------------------------------------------------------------
Wed Mar 01 10:38:28 UTC 2023 - dmueller@suse.com
- Update to version 0.38.0:
* fix(cli): pass integer to exit-on-eol (#3716)
* feat: add kubernetes pss compliance (#3498)
* feat: Adding --module-dir and --enable-modules (#3677)
* feat: add special IDs for filtering secrets (#3702)
* chore(deps): Update defsec (#3713)
* docs(misconf): Add guide on input schema (#3692)
* feat(go): support dependency graph and show only direct dependencies in the tree (#3691)
* feat: docker multi credential support (#3631)
* feat: summarize vulnerabilities in compliance reports (#3651)
* feat(python): parse pyproject.toml alongside poetry.lock (#3695)
* feat(python): add dependency tree for poetry lock file (#3665)
* fix(cyclonedx): incompliant affect ref (#3679)
* chore(helm): update skip-db-update environment variable (#3657)
* fix(spdx): change CreationInfo timestamp format RFC3336Nano to RFC3336 (#3675)
* fix(sbom): export empty dependencies in CycloneDX (#3664)
* docs: java-db air-gap doc tweaks (#3561)
* feat(go): license support (#3683)
* feat(ruby): add dependency tree/location support for Gemfile.lock (#3669)
* fix(k8s): k8s label size (#3678)
* fix(cyclondx): fix array empty value, null to [] (#3676)
* refactor: rewrite gomod analyzer as post-analyzer (#3674)
* feat: config outdated-api result filtered by k8s version (#3578)
* fix: Update to Alpine 3.17.2 (#3655)
* feat: add support for virtual files (#3654)
* feat: add post-analyzers (#3640)
* chore(deps): updates wazero to 1.0.0-pre.9 (#3653)
* chore(deps): bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 (#3528)
* chore(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18 (#3633)
* feat(python): add dependency locations for Pipfile.lock (#3614)
* chore(deps): bump golang.org/x/net from 0.5.0 to 0.7.0 (#3648)
* fix(java): fix groupID selection by ArtifactID for jar files. (#3644)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.63.1 to 1.85.0 (#3607)
* fix(aws): Adding a fix for update-cache flag that is not applied on AWS scans. (#3619)
* feat(cli): add command completion (#3061)
* docs(misconf): update dockerfile link (#3627)
* feat(flag): add exit-on-eosl option (#3423)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.2 (#3533)
* fix(cli): make java db repository configurable (#3595)
* chore: bump trivy-kubernetes (#3613)
-------------------------------------------------------------------
Wed Feb 15 08:39:40 UTC 2023 - dmueller@suse.com
- Update to version 0.37.3 (bsc#1208091, CVE-2023-25165):
* chore(helm): update Trivy from v0.36.1 to v0.37.2 (#3574)
* chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#3536)
* chore(deps): bump golang/x/mod to v0.8.0 (#3606)
* chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.5.0 (#3529)
* chore(deps): bump helm.sh/helm/v3 from 3.10.3 to 3.11.1 (#3580)
* ci: quote pros in c++ for semantic pr (#3605)
* fix(image): check proxy settings from env for remote images (#3604)
-------------------------------------------------------------------
Fri Feb 10 06:19:47 UTC 2023 - kastl@b1-systems.de
- Update to version 0.37.2:
* BREAKING: use normalized trivy-java-db (#3583)
* fix(image): add timeout for remote images (#3582)
* chore(deps): bump golang.org/x/mod from 0.6.0 to 0.7.0 (#3532)
* chore(deps): bump golang.org/x/text from 0.5.0 to 0.6.0 (#3534)
* fix(misconf): handle dot files better (#3550)
* chore: bump Go to 1.19 (#3551)
* chore(deps): bump alpine from 3.17.0 to 3.17.1 (#3522)
* chore(deps): bump docker/build-push-action from 3 to 4 (#3523)
* chore(deps): bump actions/cache from 3.2.2 to 3.2.4 (#3524)
* chore(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.4.0 (#3525)
* chore(deps): bump aquaproj/aqua-installer from 1.2.0 to 2.0.2 (#3526)
-------------------------------------------------------------------
Wed Feb 01 16:17:14 UTC 2023 - dmueller@suse.com
- Update to version 0.37.1:
* fix(sbom): download the Java DB when generating SBOM (#3539)
* fix: use cgo free sqlite driver (#3521)
* ci: fix path to dist folder (#3527)
-------------------------------------------------------------------
Wed Feb 01 12:09:23 UTC 2023 - dmueller@suse.com
- Update to version 0.37.0:
* fix(image): close layers (#3517)
* refactor: db client changed (#3515)
* feat(java): use trivy-java-db to get GAV (#3484)
* docs: add note about the limitation in Rekor (#3494)
* docs: aggregate targets (#3503)
* deps: updates wazero to 1.0.0-pre.8 (#3510)
* docs: add alma 9 and rocky 9 to supported os (#3513)
* chore(deps): bump defsec to v0.82.9 (#3512)
* chore: add missing target labels (#3504)
* docs: add java vulnerability page (#3429)
* feat(image): add support for Docker CIS Benchmark (#3496)
* feat(image): secret scanning on container image config (#3495)
* chore(deps): Upgrade defsec to v0.82.8 (#3488)
* feat(image): scan misconfigurations in image config (#3437)
* chore(helm): update Trivy from v0.30.4 to v0.36.1 (#3489)
* feat(k8s): add node info resource (#3482)
* perf(secret): optimize secret scanning memory usage (#3453)
* feat: support aliases in CLI flag, env and config (#3481)
* fix(k8s): migrate rbac k8s (#3459)
* feat(java): add implementationVendor and specificationVendor fields to detect GroupID from MANIFEST.MF (#3480)
* refactor: rename security-checks to scanners (#3467)
* chore: display the troubleshooting URL for the DB denial error (#3474)
* docs: yaml tabs to spaces, auto create namespace (#3469)
* docs: adding show-and-tell template to GH discussions (#3391)
* fix: Fix a temporary file leak in case of error (#3465)
* fix(test): sort cyclonedx components (#3468)
* docs: fixing spelling mistakes (#3462)
* ci: set paths triggering VM tests in PR (#3438)
* docs: typo in --skip-files (#3454)
* feat(custom-forward): Extended advisory data (#3444)
* docs: fix spelling error (#3436)
* refactor(image): extend image config analyzer (#3434)
* fix(nodejs): add ignore protocols to yarn parser (#3433)
* fix(db): check proxy settings when using insecure flag (#3435)
* feat(misconf): Fetch policies from OCI registry (#3015)
* ci: downgrade Go to 1.18 and use stable and oldstable go versions for unit tests (#3413)
* ci: store URLs to Github Releases in RPM repository (#3414)
* feat(server): add support of `skip-db-update` flag for hot db update (#3416)
* chore(deps): bump github.com/moby/buildkit from v0.10.6 to v0.11.0 (#3411)
* fix(image): handle wrong empty layer detection (#3375)
* test: fix integration tests for spdx and cycloneDX (#3412)
* feat(python): Include Conda packages in SBOMs (#3379)
* feat: add support pubspec.lock files for dart (#3344)
* fix(image): parsePlatform is failing with UNAUTHORIZED error (#3326)
* fix(license): change normalize for GPL-3+-WITH-BISON-EXCEPTION (#3405)
* feat(server): log errors on server side (#3397)
* chore(deps): bump defsec to address helm vulnerabilities (#3399)
* docs: rewrite installation docs and general improvements (#3368)
* chore: update code owners (#3393)
* chore: test docs separately from code (#3392)
* docs: use the formula maintained by Homebrew (#3389)
* docs: add `Security Management` section with SonarQube plugin
-------------------------------------------------------------------
Thu Jan 05 12:08:53 UTC 2023 - dmueller@suse.com
- Update to version 0.36.1:
* fix(deps): fix errors on yarn.lock files that contain local file reference (#3384)
* feat(flag): early fail when the format is invalid (#3370)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.136 to 1.44.171 (#3366)
* docs(aws): fix broken links (#3374)
* chore(deps): bump actions/stale from 6 to 7 (#3360)
* chore(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#3359)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.6.0 to 0.7.0 (#2974)
* chore(deps): bump azure/setup-helm from 3.4 to 3.5 (#3358)
* chore(deps): bump github.com/moby/buildkit from 0.10.4 to 0.10.6 (#3173)
* chore(deps): bump goreleaser/goreleaser-action from 3 to 4 (#3357)
* chore(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.14 (#3367)
* chore(go): updates wazero to v1.0.0-pre.7 (#3355)
* chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#3362)
* chore(deps): bump actions/cache from 3.0.11 to 3.2.2 (#3356)
-------------------------------------------------------------------
Mon Jan 02 08:27:43 UTC 2023 - dmueller@suse.com
- Update to version 0.36.0:
* docs: improve compliance docs (#3340)
* feat(deps): add yarn lock dependency tree (#3348)
* fix: compliance change id and title naming (#3349)
* feat: add support for mix.lock files for elixir language (#3328)
* feat: add k8s cis bench (#3315)
* test: disable SearchLocalStoreByNameOrDigest test for non-amd64 arch (#3322)
* revert: cache merged layers (#3334)
* feat(cyclonedx): add recommendation (#3336)
* feat(ubuntu): added support ubuntu ESM versions (#1893)
* fix: change logic to build relative paths for skip-dirs and skip-files (#3331)
* chore(deps): bump github.com/hashicorp/golang-lru from 0.5.4 to 2.0.1 (#3265)
* feat: Adding support for Windows testing (#3037)
* feat: add support for Alpine 3.17 (#3319)
* docs: change PodFile.lock to Podfile.lock (#3318)
* fix(sbom): support for the detection of old CycloneDX predicate type (#3316)
* feat(secret): Use .trivyignore for filtering secret scanning result (#3312)
* chore(go): remove experimental FS API usage in Wasm (#3299)
* ci: add workflow to add issues to roadmap project (#3292)
* fix(vuln): include duplicate vulnerabilities with different package paths in the final report (#3275)
* chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#3250)
* feat(sbom): better support for third-party SBOMs (#3262)
* docs: add information about languages with support for dependency locations (#3306)
* feat(vm): add `region` option to vm scan to be able to scan any region's ami and ebs snapshots (#3284)
* chore(deps): bump github.com/Azure/azure-sdk-for-go from 66.0.0+incompatible to 67.1.0+incompatible (#3251)
* fix(vuln): change severity vendor priority for ghsa-ids and vulns from govuln (#3255)
* docs: remove comparisons (#3289)
* feat: add support for Wolfi Linux (#3215)
* ci: add go.mod to canary workflow (#3288)
* feat(python): skip dev dependencies (#3282)
* chore: update ubuntu version for Github action runnners (#3257)
* fix(go): skip dep without Path for go-binaries (#3254)
* feat(rust): add ID for cargo pgks (#3256)
* chore(deps): bump github.com/samber/lo from 1.33.0 to 1.36.0 (#3263)
* chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#3253)
* feat: add support for swift cocoapods lock files (#2956)
* fix(sbom): use proper constants (#3286)
* chore(deps): bump golang.org/x/term from 0.1.0 to 0.3.0 (#3278)
* test(vm): import relevant analyzers (#3285)
* feat: support scan remote repository (#3131)
* docs: fix typo in fluxcd (#3268)
* docs: fix broken "ecosystem" link in readme (#3280)
* feat(misconf): Add compliance check support (#3130)
* docs: Adding Concourse resource for trivy (#3224)
* chore(deps): change golang from 1.19.2 to 1.19 (#3249)
* fix(sbom): duplicate dependson (#3261)
* chore(deps): bump alpine from 3.16.2 to 3.17.0 (#3247)
* chore(go): updates wazero to 1.0.0-pre.4 (#3242)
* feat(report): add dependency locations to sarif format (#3210)
* fix(rpm): add rocky to osVendors (#3241)
* docs: fix a typo (#3236)
* feat(dotnet): add dependency parsing for nuget lock files (#3222)
* docs: add pre-commit hook to community tools (#3203)
* feat(helm): pass arbitrary env vars to trivy (#3208)
-------------------------------------------------------------------
Mon Nov 28 06:41:54 UTC 2022 - kastl@b1-systems.de
- Update to version 0.35.0:
* chore(vm): update xfs filesystem parser for change log (#3230)
* feat: add virtual machine scan command (#2910)
* docs: reorganize index and readme (#3026)
* fix: `slowSizeThreshold` should be less than `defaultSizeThreshold` (#3225)
* feat: Export functions for trivy plugin (#3204)
* feat(image): add support wildcard for platform os (#3196)
* fix: load compliance report from file system (#3161)
* fix(suse): use package name to get advisories (#3199)
* docs(image): space issues during image scan (#3190)
* feat(containerd): scan image by digest (#3075)
* fix(vuln): add package name to title (#3183)
* fix: present control status instead of compliance percentage in compliance report (#3181)
* perf(license): remove go-enry/go-license-detector. (#3187)
* fix: workdir command as empty layer (#3087)
* docs: reorganize ecosystem section (#3025)
* feat(dotnet): add support dependency location for dotnet-core files (#3095)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.114 to 1.44.136 (#3174)
* chore(deps): bump github.com/testcontainers/testcontainers-go from 0.13.0 to 0.15.0 (#3109)
* feat(dotnet): add support dependency location for nuget lock files (#3032)
* chore: update code owners for misconfigurations (#3176)
* feat: add slow mode (#3084)
* docs: fix typo in enable-builin-rules mentions (#3118)
* feat: Add maintainer field to OS packages (#3149)
* docs: fix some typo (#3171)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.17.8 to 1.18.0 (#3175)
* chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#3112)
* docs: fix links on Built-in Policies page (#3124)
* chore(deps): bump github.com/go-openapi/runtime from 0.24.1 to 0.24.2 (#3117)
* chore(deps): bump github.com/samber/lo from 1.28.2 to 1.33.0 (#3116)
* fix: Perform filepath.Clean first and then filepath.ToSlash for skipFile/skipDirs settings (#3144)
* chore: use newline for semantic pr (#3172)
* chore(deps): bump azure/setup-helm from 3.3 to 3.4 (#3107)
* chore(deps): bump sigstore/cosign-installer from 2.7.0 to 2.8.1 (#3106)
* chore(deps): bump amannn/action-semantic-pull-request from 4 to 5 (#3105)
* chore(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (#3104)
* fix(spdx): rename describes field in spdx (#3102)
* chore: handle GOPATH with several paths in make file (#3092)
* docs(flag): add "rego" configuration file options (#3165)
* chore(go): updates wazero to 1.0.0-pre.3 (#3090)
* chore(deps): bump actions/cache from 3.0.9 to 3.0.11 (#3108)
* docs(license): fix typo inside quick start (#3134)
* chore: update codeowners for docs (#3135)
* fix(cli): exclude --compliance flag from non supported sub-commands (#3158)
* fix: remove --security-checks none from image help (#3156)
* fix: compliance flag description (#3160)
* docs(k8s): fix a typo (#3163)
* chore(deps): bump golang from 1.19.1 to 1.19.2 (#3103)
-------------------------------------------------------------------
Mon Oct 31 11:51:38 UTC 2022 - kastl@b1-systems.de
- Update to version 0.34.0:
* feat(vuln): support dependency graph for RHEL/CentOS (#3094)
* feat(vuln): support dependency graph for dpkg and apk (#3093)
* perf(license): enable license classifier only with "--license-full" (#3086)
* feat(report): add secret scanning to ASFF template (#2860)
* feat: Allow override of containerd namespace (#3060)
* fix(vuln): In alpine use Name as SrcName (#3079)
* fix(secret): Alibaba AccessKey ID (#3083)
-------------------------------------------------------------------
Wed Oct 26 05:22:55 UTC 2022 - kastl@b1-systems.de
- Update to version 0.33.0:
* refactor(k8s): custom reports (#3076)
* fix(misconf): Bump in-toto-golang with correct CycloneDX predicate (#3068)
* feat(image): add support for passing architecture and OS (#3012)
* test: disable containerd integration tests for non-amd64 arch (#3073)
* feat(server): Add support for client/server mode to rootfs command (#3021)
* feat(vuln): support non-packaged binaries (#3019)
* feat: compliance reports (#2951)
* fix(flag): disable flag parsing for each plugin command (#3074)
* feat(nodejs): add support dependency location for yarn.lock files (#3016)
* chore: Switch github.com/liamg dependencies to github.com/aquasecurity (#3069)
* feat: add k8s components (#2589)
* fix(secret): update the regex for secrets scanning (#2964)
* chore(deps): bump github.com/samber/lo from 1.27.1 to 1.28.2 (#2979)
* fix: bump trivy-kubernetes (#3064)
* docs: fix missing 'image' subcommand (#3051)
* chore: Patch golang x/text vulnerability (#3046)
* chore: add licensed project logo (#3058)
* feat(ubuntu): set Ubuntu 22.10 EOL (#3054)
* refactor(analyzer): use strings.TrimSuffix instead of strings.HasSuffix (#3028)
* feat(report): Use understandable value for shortDescription in SARIF reports (#3009)
* docs(misconf): fix typo (#3043)
* feat: add support for scanning azure ARM (#3011)
* feat(report): add location.message to SARIF output (#3002) (#3003)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.95 to 1.44.109 (#2980)
* feat(nodejs): add dependency line numbers for npm lock files (#2932)
* test(fs): add `--skip-files`, `--skip-dirs` (#2984)
* docs: add Woodpecker CI integrations example (#2823)
* chore(deps): bump github.com/sigstore/rekor from 0.12.0 to 0.12.2 (#2981)
* chore(deps): bump github.com/liamg/memoryfs from 1.4.2 to 1.4.3 (#2976)
* chore(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 (#2975)
* chore(deps): bump github.com/caarlos0/env/v6 from 6.10.0 to 6.10.1 (#2982)
* fix(sbom): ref generation if serialNumber is empty when input is cyclonedx file (#3000)
* fix(java): don't stop parsing jar file when wrong inner jar is found (#2989)
* fix(sbom): use nuget purl type for dotnet-core (#2990)
* perf: retrieve rekor entries in bulk (#2987)
* feat(aws): Custom rego policies for AWS scanning (#2994)
* docs: jq cli formatting (#2881)
* docs(repo): troubleshooting $TMPDIR customization (#2985)
* chore(deps): bump actions/cache from 3.0.8 to 3.0.9 (#2969)
* chore(deps): bump actions/stale from 5 to 6 (#2970)
* chore(deps): bump sigstore/cosign-installer from 2.5.1 to 2.7.0 (#2971)
* chore(deps): bump helm/chart-testing-action from 2.3.0 to 2.3.1 (#2972)
* chore(deps): bump helm/kind-action from 1.3.0 to 1.4.0 (#2973)
* chore: run `go fmt` (#2897)
* chore(go): updates wazero to 1.0.0-pre.2 (#2955)
* fix(aws): Less function for slice sorting always returns false #2967
* fix(java): fix unmarshal pom exclusions (#2936)
-------------------------------------------------------------------
Wed Sep 28 13:42:03 UTC 2022 - dmueller@suse.com
- Update to version 0.32.1:
* fix(java): use fields of dependency from dependencyManagement from upper pom.xml to parse deps (#2943)
* chore: expat lib and go binary deps vulns (#2940)
* wasm: Removes accidentally exported memory (#2950)
* fix(sbom): fix package name separation for gradle (#2906)
* docs(readme.md): fix broken integrations link (#2931)
* fix(image): handle images with single layer in rescan mergedLayers cache (#2927)
* fix(cli): split env values with ',' for slice flags (#2926)
* fix(cli): config/helm: also take into account files with `.yml` (#2928)
* fix(flag): add file-patterns flag for config subcommand (#2925)
* chore(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.43.1 (#2902)
-------------------------------------------------------------------
Mon Sep 19 07:17:00 UTC 2022 - dmueller@suse.com
- Update to version 0.32.0:
* docs: add Rekor SBOM attestation scanning (#2893)
* chore: narrow the owner scope (#2894)
* fix: remove a patch number from the recommendation link (#2891)
* fix: enable parsing of UUID-only rekor entry ID (#2887)
* docs(sbom): add SPDX scanning (#2885)
* docs: restructure docs and add tutorials (#2883)
* feat(sbom): scan sbom attestation in the rekor record (#2699)
* feat(k8s): support outdated-api (#2877)
* chore(deps): bump github.com/moby/buildkit from 0.10.3 to 0.10.4 (#2815)
* fix(c): support revisions in Conan parser (#2878)
* feat: dynamic links support for scan results (#2838)
* chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 (#2818)
* docs: update archlinux commands (#2876)
* feat(secret): add line from dockerfile where secret was added to secret result (#2780)
* feat(sbom): Add unmarshal for spdx (#2868)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#2827)
* fix: revert asff arn and add documentation (#2852)
* docs: batch-import-findings limit (#2851)
* chore(deps): bump golang from 1.19.0 to 1.19.1 (#2872)
* feat(sbom): Add marshal for spdx (#2867)
* build: checkout before setting up Go (#2873)
* chore: bump Go to 1.19 (#2861)
* docs: azure doc and trivy (#2869)
* fix: Scan tarr'd dependencies (#2857)
* chore(helm): helm test with ingress (#2630)
* feat(report): add secrets to sarif format (#2820)
* chore(deps): bump azure/setup-helm from 1.1 to 3.3 (#2807)
* refactor: add a new interface for initializing analyzers (#2835)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.77 to 1.44.92 (#2840)
* fix: update ProductArn with account id (#2782)
* feat(helm): make cache TTL configurable (#2798)
* build(): Sign releaser artifacts, not only container manifests (#2789)
* chore: improve doc about azure devops (#2795)
* chore(deps): bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (#2804)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#2825)
* docs: don't push patch versions (#2824)
* feat: add support for conan.lock file (#2779)
* feat: cache merged layers
* chore(deps): bump helm/chart-testing-action from 2.2.1 to 2.3.0 (#2805)
* chore(deps): bump actions/cache from 3.0.5 to 3.0.8 (#2806)
* chore(deps): bump github.com/caarlos0/env/v6 from 6.9.3 to 6.10.0 (#2811)
* chore(deps): bump github.com/aquasecurity/table from 1.7.2 to 1.8.0 (#2810)
* chore(deps): bump github.com/samber/lo from 1.27.0 to 1.27.1 (#2808)
* chore(deps): bump github.com/alicebob/miniredis/v2 from 2.22.0 to 2.23.0 (#2814)
* feat: add support for gradle.lockfile (#2759)
* chore(mod): updates wazero to 1.0.0-pre.1 #2791
* feat: move file patterns to a global level to be able to use it on any analyzer (#2539)
* Fix url validaton failures (#2783)
* fix(image): add logic to detect empty layers (#2790)
* feat(rust): add dependency graph from Rust binaries (#2771)
-------------------------------------------------------------------
Mon Sep 05 12:12:16 UTC 2022 - dmueller@suse.com
- Update to version 0.31.3:
* fix: handle empty OS family (#2768)
* fix: fix k8s summary report (#2777)
* fix: don't skip packages that don't contain vulns, when using --list-all-pkgs flag (#2767)
* chore: bump trivy-kubernetes (#2770)
* fix(secret): Consider secrets in rpc calls (#2753)
* fix(java): check depManagement from upper pom's (#2747)
* fix(php): skip `composer.lock` inside `vendor` folder (#2718)
* fix: fix k8s rbac filter (#2765)
* feat(misconf): skipping misconfigurations by AVD ID (#2743)
* chore(deps): Upgrade Alpine to 3.16.2 to fix zlib issue (#2741)
* docs: add MacPorts install instructions (#2727)
* docs: typo (#2730)
-------------------------------------------------------------------
Tue Aug 16 19:32:37 UTC 2022 - dmueller@suse.com
- Update to version 0.31.2:
* fix: Correctly handle recoverable AWS scanning errors (#2726)
* docs: Remove reference to SecurityAudit policy for AWS scanning (#2721)
-------------------------------------------------------------------
Tue Aug 16 13:32:11 UTC 2022 - dmueller@suse.com
- Update to version 0.31.1:
* fix: upgrade defsec to v0.71.7 for elb scan panic (#2720)
-------------------------------------------------------------------
Tue Aug 16 12:02:47 UTC 2022 - dmueller@suse.com
- Update to version 0.31.0:
* fix(flag): add error when there are no supported security checks (#2713)
* fix(vuln): continue scanning when no vuln found in the first application (#2712)
* revert: add new classes for vulnerabilities (#2701)
* feat(secret): detect secrets removed or overwritten in upper layer (#2611)
* fix(cli): secret scanning perf link fix (#2607)
* chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.12.0 (#2650)
* feat: Add AWS Cloud scanning (#2493)
* docs: specify the type when verifying an attestation (#2697)
* docs(sbom): improve SBOM docs by adding a description for scanning SBOM attestation (#2690)
* fix(rpc): scanResponse rpc conversion for custom resources (#2692)
* feat(rust): Add support for cargo-auditable (#2675)
* feat: Support passing value overrides for configuration checks (#2679)
* feat(sbom): add support for scanning a sbom attestation (#2652)
* chore(image): skip symlinks and hardlinks from tar scan (#2634)
* fix(report): Update junit.tpl (#2677)
* fix(cyclonedx): add nil check to metadata.component (#2673)
* docs(secret): fix missing and broken links (#2674)
* refactor(cyclonedx): implement json.Unmarshaler (#2662)
* chore(deps): bump github.com/aquasecurity/table from 1.6.0 to 1.7.2 (#2643)
* chore(deps): bump github.com/Azure/go-autorest/autorest (#2642)
* feat(kubernetes): add option to specify kubeconfig file path (#2576)
* docs: follow Debian's "instructions to connect to a third-party repository" (#2511)
* chore(deps): bump github.com/google/licenseclassifier/v2 (#2644)
* chore(deps): bump github.com/samber/lo from 1.24.0 to 1.27.0 (#2645)
* chore(deps): bump github.com/Azure/go-autorest/autorest/adal (#2647)
* chore(deps): bump github.com/cheggaaa/pb/v3 from 3.0.8 to 3.1.0 (#2646)
* chore(deps): bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (#2641)
* chore(deps): bump actions/cache from 3.0.4 to 3.0.5 (#2640)
* chore(deps): bump alpine from 3.16.0 to 3.16.1 (#2639)
* chore(deps): bump golang from 1.18.3 to 1.18.4 (#2638)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.48 to 1.44.66 (#2648)
* chore(deps): bump github.com/open-policy-agent/opa from 0.42.0 to 0.43.0 (#2649)
* chore(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (#2651)
* feat(alma): set AlmaLinux 9 EOL (#2653)
* fix(misconf): Allow quotes in Dockerfile WORKDIR when detecting relative dirs (#2636)
* test(misconf): add tests for misconf handler for dockerfiles (#2621)
* feat(oracle): set Oracle Linux 9 EOL (#2635)
* BREAKING: add new classes for vulnerabilities (#2541)
* fix(secret): add newline escaping for asymmetric private key (#2532)
* docs: improve formatting (#2572)
* feat(helm): allows users to define an existing secret for tokens (#2587)
* docs(mariner): use tdnf in fs usage example (#2616)
* docs: remove unnecessary double quotation marks (#2609)
* fix: Fix --file-patterns flag (#2625)
* feat(report): add support for Cosign vulnerability attestation (#2567)
* docs(mariner): use v2.0 in examples (#2602)
* feat(report): add secrets template for codequality report (#2461)
-------------------------------------------------------------------
Wed Jul 27 06:38:26 UTC 2022 - kastl@b1-systems.de
- Update to version 0.30.4:
* fix: remove the first arg when running as a plugin (#2595)
* fix: k8s controlplaner scanning (#2593)
* fix(vuln): GitLab report template (#2578)
-------------------------------------------------------------------
Tue Jul 26 11:29:36 UTC 2022 - kastl@b1-systems.de
- Update to version 0.30.3:
* fix(server): use a new db worker for hot updates (#2581)
* docs: add trivy with download-db-only flag to Air-Gapped Environment (#2583)
* docs: split commands to download db for different versions of oras (#2582)
* feat(report): export exitcode for license checks (#2564)
* fix: cli can use lowercase for severities (#2565)
* fix: allow subcommands with TRIVY_RUN_AS_PLUGIN (#2577)
* fix: add missing types in TypeOSes and TypeLanguages in analyzer (#2569)
* fix: enable some features of the wasm runtime (#2575)
* fix(k8s): no error logged if trivy can't get docker image in kubernetes mode (#2521)
* docs(sbom): improve sbom attestation documentation (#2566)
-------------------------------------------------------------------
Thu Jul 21 13:21:11 UTC 2022 - kastl@b1-systems.de
- Update to version 0.30.2:
* fix(report): show the summary without results (#2548)
* fix(cli): replace '-' to '_' for env vars (#2561)
-------------------------------------------------------------------
Wed Jul 20 12:20:52 UTC 2022 - kastl@b1-systems.de
- Update to version 0.30.1:
* chore: remove a test repository (#2551)
* fix(license): lazy loading of classifiers (#2547)
* fix: CVE-2022-1996 in Trivy (#2499)
* docs(sbom): add sbom attestation (#2527)
* feat(rocky): set Rocky Linux 9 EOL (#2543)
* docs: add attributes to the video tag to autoplay demo videos (#2538)
* fix: yaml files with non-string chart name (#2534)
* fix: skip dirs (#2530)
* feat(repo): add support for branch, commit, & tag (#2494)
* fix: remove auto configure environment variables via viper (#2526)
-------------------------------------------------------------------
Sat Jul 16 19:28:03 UTC 2022 - kastl@b1-systems.de
- Update to version 0.30.0:
* fix: separating multiple licenses from one line in dpkg copyright files (#2508)
* fix: change a capital letter for `plugin uninstall` subcommand (#2519)
* fix: k8s hide empty report when scanning resource (#2517)
* refactor: fix comments (#2516)
* fix: scan vendor dir (#2515)
* feat: Add support for license scanning (#2418)
* chore: add owners for secret scanning (#2485)
* fix: remove dependency-tree flag for image subcommand (#2492)
* fix(k8s): add shorthand for k8s namespace flag (#2495)
* docs: add information about using multiple servers to troubleshooting (#2498)
* ci: add pushing canary build images to registries (#2428)
* chore(deps): bump github.com/open-policy-agent/opa from 0.41.0 to 0.42.0 (#2479)
* feat(dotnet): add support for .Net core .deps.json files (#2487)
* feat(amazon): add support for 2022 version (#2429)
* Type correction bitnami chart (#2415)
* chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.1.1 to 2.1.2 (#2449)
* chore(deps): bump github.com/aquasecurity/table from 1.5.1 to 1.6.0 (#2446)
* docs: add config file and update CLI references (#2489)
* feat: add support for flag groups (#2488)
* refactor: move from urfave/cli to spf13/cobra (#2458)
* fix: Fix secrets output not containing file/lines (#2467)
* fix: clear output with modules (#2478)
* chore(deps): bump github.com/mailru/easyjson from 0.7.6 to 0.7.7 (#2448)
* docs(cbl): distroless 1.0 supported (#2473)
* fix: Fix example dockerfile rego policy (#2460)
* fix(config): add helm to list of config analyzers (#2457)
* feat: k8s resouces scan (#2395)
* feat(sbom): add cyclonedx sbom scan (#2203)
* chore(deps): bump wazero to latest main (#2436)
* chore(deps): bump github.com/stretchr/testify from 1.7.3 to 1.8.0 (#2444)
* chore(deps): bump github.com/alicebob/miniredis/v2 from 2.21.0 to 2.22.0 (#2445)
* chore(deps): bump sigstore/cosign-installer from 2.3.0 to 2.4.1 (#2442)
* chore(deps): bump actions/setup-python from 3 to 4 (#2441)
* chore(deps): bump github.com/Azure/azure-sdk-for-go (#2450)
* docs: remove links to removed content (#2431)
* ci: added rpm build for rhel 9 (#2437)
* fix(secret): remove space from asymmetric private key (#2434)
* chore(deps): bump actions/cache from 3.0.2 to 3.0.4 (#2440)
* chore(deps): bump helm/kind-action from 1.2.0 to 1.3.0 (#2439)
* chore(deps): bump golang from 1.18.2 to 1.18.3 (#2438)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.25 to 1.44.46 (#2447)
* test(integration): fix golden files for debian 9 (#2435)
* fix(cli): fix version string in docs link when secret scanning is enabled (#2422)
* refactor: move CycloneDX marshaling (#2420)
* docs(nodejs): add docs about pnpm support (#2423)
* docs: improve k8s usage documentation (#2425)
* feat: Make secrets scanning output consistant (#2410)
* ci: create canary build after main branch changes (#1638)
* fix(misconf): skip broken scans (#2396)
* feat(nodejs): add pnpm support (#2414)
* fix: Fix false positive for use of COS images (#2413)
* eliminate nerdctl dependency (#2412)
* Add EOL date for SUSE SLES 15.3, 15.4 and OpenSUSE 15.4 (#2403)
* fix(go): no cast to lowercase go package names (#2401)
* BREAKING(sbom): change 'trivy sbom' to scan SBOM (#2408)
* fix(server): hot update the db from custom repository (#2406)
* feat: added license parser for dpkg (#2381)
* chore(helm): bump appVersion to latest release (#2397)
* fix(misconf): Update defsec (v0.68.5) to fix docker rego duplicate key (#2400)
* feat: extract stripe publishable and secret keys (#2392)
* feat: rbac support k8s sub-command (#2339)
* feat(ruby): drop platform strings from dependency versions bundled with bundler v2 (#2390)
* docs: Updating README with new CLI command (#2359)
* fix(misconf): Update defsec to v0.68.4 to resolve CF detection bug (#2383)
* chore: add integration label and merge security label (#2316)
-------------------------------------------------------------------
Fri Jul 08 07:31:17 UTC 2022 - dmueller@suse.com
- Update to version 0.29.2:
* chore: skip Visual Studio Code project folder (#2379)
* fix(helm): handle charts with templated names (#2374)
* docs: redirect operator docs to trivy-operator repo (#2372)
* fix(secret): use secret result when determining Failed status (#2370)
* try removing libdb-dev
* run integration tests in fanal
* use same testing images in fanal
* feat(helm): add support for trivy dbRepository (#2345)
* fix: Fix failing test due to deref lint issue
* test: Fix broken test
* fix: Fix makefile when no previous named ref is visible in a shallow clone
* chore: Fix linting issues in fanal
* refactor: Fix fanal import paths and remove dotfiles
* chore: bump defsec version v0.68.1
-------------------------------------------------------------------
Wed Jun 22 11:15:35 UTC 2022 - kastl@b1-systems.de
- Update to version 0.29.1:
* fix(report): add required fields to the SARIF template (#2341)
* chore: fix spelling errors (#2352)
* Omit Remediation if PrimaryURL is empty (#2006)
* docs(repo): Link to installation documentation in readme shows 404 (#2348)
* feat(alma): support for scanning of modular packages for AlmaLinux (#2347)
-------------------------------------------------------------------
Wed Jun 22 08:31:01 UTC 2022 - kastl@b1-systems.de
- Update to version 0.29.0:
* fix(lang): fix dependency graph in client server mode (#2336)
* feat: allow expiration date for .trivyignore entries (#2332)
* feat(lang): add dependency origin graph (#1970)
* docs: update nix installation info (#2331)
* feat: add rbac scanning support (#2328)
* refactor: move WordPress module to another repository (#2329)
* ci: add support for ppc64le (#2281)
* feat: add support for WASM modules (#2195)
* feat(secret): show recommendation for slow scanning (#2051)
* fix(flag): remove --clear-cache flag client mode (#2301)
* fix(java): added check for looping for variable evaluation in pom file (#2322)
* BREAKING(k8s): change CLI API (#2186)
* feat(alpine): add Alpine Linux 3.16 (#2319)
* docs: bump trivy-operator to v0.0.7 (#2320)
* ci: add `go mod tidy` check (#2314)
* chore: run `go mod tidy` (#2313)
* fix: do not exit if one resource is not found (#2311)
* feat(cli): use stderr for all log messages (resolve #381) (#2289)
* test: replace deprecated subcommand client in integration tests (#2308)
* feat: add support for containerd (#2305)
* fix(kubernetes): Support floats in manifest yaml (#2297)
* docs(kubernetes): dead links (#2307)
* chore: add license label (#2304)
* feat(mariner): added support for CBL-Mariner Distroless v2.0 (#2293)
* feat(helm): add pod annotations (#2272)
* refactor: do not import defsec in fanal types package (#2292)
* feat(report): Add misconfiguration support to ASFF report template (#2285)
* test: use images in GHCR (#2275)
* feat(helm): support pod annotations (#2265)
* feat(misconf): Helm chart scanning (#2269)
* docs: Update custom rego policy docs to reflect latest defsec/fanal changes (#2267)
* fix: mask redis credentials when logging (#2264)
* refactor: extract commands Runner interface (#2147)
* chore(deps): bump alpine from 3.15.4 to 3.16.0 (#2234)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.2 to 0.6.0 (#2245)
* docs: update operator release (#2263)
* chore(deps): bump github.com/urfave/cli/v2 from 2.6.0 to 2.8.1 (#2243)
* feat(redhat): added architecture check (#2172)
* docs: updating links in the docs to work again (#2256)
* docs: fix readme (#2251)
* fix: fixed incorrect CycloneDX output format (#2255)
* chore(deps): bump github.com/caarlos0/env/v6 from 6.9.1 to 6.9.3 (#2241)
* chore(deps): bump github.com/samber/lo from 1.19.0 to 1.21.0 (#2242)
* chore(deps): bump goreleaser/goreleaser-action from 2 to 3 (#2240)
* chore(deps): bump docker/setup-buildx-action from 1 to 2 (#2238)
* chore(deps): bump docker/setup-qemu-action from 1 to 2 (#2236)
* chore(deps): bump golang from 1.18.1 to 1.18.2 (#2235)
* chore(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#2237)
* chore(deps): bump docker/login-action from 1 to 2 (#2239)
* chore(deps): bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.1 (#2246)
* refactor(deps): move dependencies to package (#2189)
* fix(report): change github format version to required (#2229)
* docs: update readme (#2110)
* docs: added information about choosing advisory database (#2212)
* chore: update trivy-kubernetes (#2224)
* docs: clarifying parts of the k8s docs and updating links (#2222)
* fix(k8s): timeout error logging (#2179)
* chore(deps): updated fanal after fix AsymmetricPrivateKeys (#2214)
* feat(k8s): add --context flag (#2171)
* fix(k8s): properly instantiate TableWriter (#2175)
* test: fixed integration tests after updating testcontainers to v0.13.0 (#2208)
* chore: update labels (#2197)
* fix(report): fixed panic if all misconf reports were removed in filter (#2188)
* feat(k8s): scan secrets (#2178)
* feat(report): GitHub Dependency Snapshots support (#1522)
* feat(db): added insecure skip tls verify to download trivy db (#2140)
* fix(redhat): always use vulns with fixed version if there is one (#2165)
* chore(redhat): Add support for Red Hat UBI 9. (#2183)
* fix(k8s): update trivy-kubernetes (#2163)
* fix misconfig start line for code quality tpl (#2181)
* fix: update docker/distribution from 2.8.0 to 2.8.1 (#2176)
* docs(vuln): Include GitLab 15.0 integration (#2153)
* docs: fix the operator version (#2167)
* fix(k8s): summary report when when only vulns exit (#2146)
* chore(deps): Update fanal to get defsec v0.58.2 (fixes false positives in ksv038) (#2156)
* perf(misconf): Improve performance when scanning very large files (#2152)
* docs(misconf): Update examples and docs to refer to builtin/defsec instead of appshield (#2150)
* chore(deps): Update fanal (for less verbose code in misconf results) (#2151)
* docs: fixed installation instruction for rhel/centos (#2143)
-------------------------------------------------------------------
Mon May 23 06:14:37 UTC 2022 - dmueller@suse.com
- Update to version 0.28.0 (bsc#1199760, CVE-2022-28946):
* fix: remove Highlighted from json output (#2131)
* fix: remove trivy-kubernetes replace (#2132)
* docs: Add Operator docs under Kubernetes section (#2111)
* fix(k8s): security-checks panic (#2127)
* ci: added k8s scope (#2130)
* docs: Update misconfig output in examples (#2128)
* fix(misconf): Fix coloured output in Goland terminal (#2126)
* docs(secret): Fix default value of --security-checks in docs (#2107)
* refactor(report): move colorize function from trivy-db (#2122)
* feat: k8s resource scanning (#2118)
* chore: add CODEOWNERS (#2121)
* feat(image): add `--server` option for remote scans (#1871)
* refactor: k8s (#2116)
* refactor: export useful APIs (#2108)
* docs: fix k8s doc (#2114)
* feat(kubernetes): Add report flag for summary (#2112)
* fix: Remove problematic advanced rego policies (#2113)
* feat(misconf): Add special output format for misconfigurations (#2100)
* feat: add k8s subcommand (#2065)
* chore: fix make lint version (#2102)
* fix(java): handle relative pom modules (#2101)
* fix(misconf): Add missing links for non-rego misconfig results (#2094)
* feat(misconf): Added fs.FS based scanning via latest defsec (#2084)
* chore(deps): bump trivy-issue-action to v0.0.4 (#2091)
* chore(deps): bump github.com/twitchtv/twirp (#2077)
* chore(deps): bump github.com/urfave/cli/v2 from 2.4.0 to 2.5.1 (#2074)
* chore(os): updated fanal version and alpine distroless test (#2086)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.1 to 0.5.2 (#2075)
* chore(deps): bump github.com/samber/lo from 1.16.0 to 1.19.0 (#2076)
* feat(report): add support for SPDX (#2059)
* chore(deps): bump actions/setup-go from 2 to 3 (#2073)
* chore(deps): bump actions/cache from 3.0.1 to 3.0.2 (#2071)
* chore(deps): bump golang from 1.18.0 to 1.18.1 (#2069)
* chore(deps): bump actions/stale from 4 to 5 (#2070)
* chore(deps): bump sigstore/cosign-installer from 2.0.0 to 2.3.0 (#2072)
* chore(deps): bump github.com/open-policy-agent/opa from 0.39.0 to 0.40.0 (#2079)
* chore: app version 0.27.0 (#2046)
* fix(misconf): added to skip conf files if their scanning is not enabled (#2066)
* docs(secret) fix rule path in docs (#2061)
* docs: change from go.sum to go.mod (#2056)
-------------------------------------------------------------------
Wed Apr 27 12:40:06 UTC 2022 - kastl@b1-systems.de
- Update to version 0.27.1:
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.0 to 0.5.1 (#1926)
* refactor(fs): scanner options (#2050)
* feat(secret): truncate long line (#2052)
* docs: fix a broken bullets (#2042)
* feat(ubuntu): add 22.04 approx eol date (#2044)
* docs: update installation.md (#2027)
* docs: add Containerfile (#2032)
-------------------------------------------------------------------
Tue Apr 26 06:18:23 UTC 2022 - kastl@b1-systems.de
- Update to version 0.27.0:
* fix(go): fixed panic to scan gomod without version (#2038)
* docs(mariner): confirm it works with Mariner 2.0 VM (#2036)
* feat(secret): support enable rules (#2035)
* chore: app version 26.0 (#2030)
* docs(secret): add a demo movie (#2031)
* feat: support cache TTL in Redis (#2021)
* fix(go): skip system installed binaries (#2028)
* fix(go): check if go.sum is nil (#2029)
* feat: add secret scanning (#1901)
* chore: gh publish only with push the tag release (#2025)
* fix(fs): ignore permission errors (#2022)
* test(mod): using correct module inside test go.mod (#2020)
* feat(server): re-add proxy support for client/server communications (#1995)
* fix(report): truncate a description before escaping in ASFF template (#2004)
* fix(cloudformation): correct margin removal for empty lines (#2002)
* fix(template): correct check of old sarif template files (#2003)
-------------------------------------------------------------------
Sat Apr 16 09:04:55 UTC 2022 - kastl@b1-systems.de
- Update to version 0.26.0:
* feat(alpine): warn mixing versions (#2000)
* Update ASFF template (#1914)
* chore(deps): replace `containerd/containerd` version to fix CVE-2022-23648 (#1994)
* chore(deps): bump alpine from 3.15.3 to 3.15.4 (#1993)
* test(go): add integration tests for gomod (#1989)
* fix(python): fixed panic when scan .egg archive (#1992)
* fix(go): set correct go modules type (#1990)
* feat(alpine): support apk repositories (#1987)
* docs: add CBL-Mariner (#1982)
* docs(go): fix version (#1986)
* feat(go): support go.mod in Go 1.17+ (#1985)
* ci: fix URLs in the PR template (#1972)
* ci: add semantic pull requests check (#1968)
* docs(issue): added docs for wrong detection issues (#1961)
-------------------------------------------------------------------
Thu Apr 14 20:12:09 UTC 2022 - kastl@b1-systems.de
- Update to version 0.25.4:
* docs: move CONTRIBUTING.md to docs (#1971)
* refactor(table): use file name instead package path (#1966)
* fix(sbom): add --db-repository (#1964)
* feat(table): add PkgPath in table result (#1960)
* fix(pom): merge multiple pom imports in a good manner (#1959)
-------------------------------------------------------------------
Wed Apr 06 07:35:16 UTC 2022 - kastl@b1-systems.de
- Update to version 0.25.3:
* fix(downloadDB): add dbRepositoryFlag to repository and rootfs commands (#1956)
* fix(misconf): update BurntSushi/toml for fix runtime error (#1948)
* fix(misconf): Update fanal/defsec to resolve missing metadata issues (#1947)
* feat(jar): allow setting Maven Central URL using environment variable (#1939)
* chore(chart): update Trivy version in HelmChart to 0.25.0 (#1931)
* chore(chart): remove version comments (#1933)
-------------------------------------------------------------------
Wed Apr 06 07:32:54 UTC 2022 - kastl@b1-systems.de
- Update to version 0.25.2:
* fix(downloadDB): add flag to server command (#1942)
-------------------------------------------------------------------
Tue Apr 05 06:52:40 UTC 2022 - kastl@b1-systems.de
- Update to version 0.25.1:
* fix(misconf): update defsec to resolve panics (#1935)
* chore(deps): bump github.com/docker/docker (#1924)
* docs: restructure the documentation (#1887)
* chore(deps): bump github.com/urfave/cli/v2 from 2.3.0 to 2.4.0 (#1923)
* chore(deps): bump actions/cache from 2 to 3.0.1 (#1920)
* chore(deps): bump actions/checkout from 2 to 3 (#1916)
* chore(deps): bump github.com/open-policy-agent/opa from 0.37.2 to 0.39.0 (#1921)
* chore(deps): bump sigstore/cosign-installer from 2.0.0 to 2.1.0 (#1919)
* chore(deps): bump helm/chart-testing-action from 2.2.0 to 2.2.1 (#1918)
* chore(deps): bump golang from 1.17 to 1.18.0 (#1915)
* Add trivy horizontal logo (#1932)
* chore(deps): bump alpine from 3.15.0 to 3.15.3 (#1917)
* chore(deps): bump github.com/go-redis/redis/v8 from 8.11.4 to 8.11.5 (#1925)
* chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (#1927)
* feat(db): Add dbRepository flag to get advisory database from OCI registry (#1873)
-------------------------------------------------------------------
Fri Apr 1 07:30:58 UTC 2022 - Johannes Kastl <kastl@b1-systems.de>
- Buildrequire go1.18 as upstream says in go.mod
-------------------------------------------------------------------
Fri Apr 01 07:03:41 UTC 2022 - kastl@b1-systems.de
- Update to version 0.25.0:
* docs(filter vulnerabilities): fix link (#1880)
* feat(template) Add misconfigurations to gitlab codequality report (#1756)
* fix(rpc): add PkgPath field to client / server mode (#1643)
* fix(vulnerabilities): fixed trivy-db vulns (#1883)
* feat(cache): remove temporary cache after filesystem scanning (#1868)
* feat(sbom): add a dedicated sbom command (#1799)
* feat(cyclonedx): add vulnerabilities (#1832)
* fix(option): hide false warning about remote options (#1865)
* chore: bump up Go to 1.18 (#1862)
* feat(filesystem): scan in client/server mode (#1829)
* refactor(template): remove unused test (#1861)
* fix(cli): json format for trivy version (#1854)
* docs: change URL for tfsec-checks (#1857)
-------------------------------------------------------------------
Tue Mar 22 10:46:08 UTC 2022 - Dirk Müller <dmueller@suse.com>
- tie to go.17 as 1.18 became available
-------------------------------------------------------------------
Fri Mar 18 10:21:14 UTC 2022 - kastl@b1-systems.de
- Update to version 0.24.4:
* fix(docker): Getting images without a tag (#1852)
* docs(gitlab-ci): Use environment variables TRIVY_CACHE_DIR and TRIVY_NO_PROGRESS (#1801)
-------------------------------------------------------------------
Thu Mar 17 10:14:45 UTC 2022 - Johannes Kastl <kastl@b1-systems.de>
- BuildRequire go1.17
-------------------------------------------------------------------
Wed Mar 16 18:04:55 UTC 2022 - kastl@b1-systems.de
- Update to version 0.24.3:
* chore(issue labels): added new labels (#1839)
* refactor: clarify db update warning messages (#1808)
* chore(ci): change trivy vulnerability scan for every day (#1838)
* feat(helm): make Trivy service name configurable (#1825)
* chore(deps): updated sprig to version v3.2.2. (#1814)
* chore(deps): updated testcontainers-go to version v0.12.0 (#1822)
* docs: add packages.config for .NET (#1823)
* build: sign container image (#1668)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.4.0 to 0.5.0 (#1778)
* docs: fix Installation documentation (#1804)
* fix(report): ensure json report got a final new line (#1797)
* fix(terraform): resolve panics in defsec (#1811)
* feat(docker): Label images based on OCI image spec (#1793)
* fix(helm): indentation for ServiceAccount annotations (#1795)
* fix(hcl): fix panic in hcl2json (#1791)
* chore(helm): remove psp from helm manifest (#1315)
* build: Replace `make protoc` with `for loop` to return an error (#1655)
* fix: ASFF template to match ASFF schema (#1685)
* feat(helm): Add support for server token (#1734)
-------------------------------------------------------------------
Thu Mar 03 13:38:37 UTC 2022 - kastl@b1-systems.de
- Update to version 0.24.2:
* fix(pom): keep an order of dependencies (#1784)
* chore: bump up Go to 1.17 (#1781)
* chore(deps): bump actions/setup-python from 2 to 3 (#1776)
* chore(deps): bump golangci/golangci-lint-action from 2 to 3.1.0 (#1777)
-------------------------------------------------------------------
Sun Feb 27 17:12:56 UTC 2022 - kastl@b1-systems.de
- Update to version 0.24.1:
* fix(python): correct handling pip package names with a hyphen (#1771)
* doc(docker): fix command to run trivy with docker on linux (#1761)
* feat(helm): Add support for custom labels (#1767)
* chore(helm): bump chart to trivy 0.24.0 (#1762)
* docs: remove erroneous command (#1763)
-------------------------------------------------------------------
Wed Feb 23 16:09:07 UTC 2022 - kastl@b1-systems.de
- Update to version 0.24.0:
* chore(deps): bump github.com/spf13/afero from 1.6.0 to 1.8.1 (#1708)
* fix(option): warn list-all-pkgs only with the table format (#1755)
* feat(option): warn "--list-all-pkgs" with "--format table" (#1632)
* feat(report): add support for CycloneDX (#1081)
* chore(deps): update the defsec and tfsec versions (#1747)
* fix(scanner): fix skip of language-specific files when scanning rootf… (#1751)
* chore(deps): bump github.com/google/wire from 0.4.0 to 0.5.0 (#1712)
* feat(report): considering App.Writer when printing results (#1722)
* chore(deps): replace `satori` version and skipping examples folder (#1745)
* build: add s390x container images (#1726)
* feat(template) Add misconfigurations to junit report (#1724)
* chore(deps): bump github.com/twitchtv/twirp (#1709)
* feat(client): configure TLS InsecureSkipVerify for server connection (#1287)
* fix(rpc): Supports RPC calls for new identifier CustomResource (#1605)
* chore(deps): bump go.uber.org/zap from 1.20.0 to 1.21.0 (#1705)
* chore(deps): bump github.com/caarlos0/env/v6 from 6.0.0 to 6.9.1 (#1707)
* feat(helm): Parameterise ServiceAccount annotations (#1677)
* chore(deps): bump github.com/hashicorp/go-getter from 1.5.2 to 1.5.11 (#1710)
* chore(deps): bump github.com/cheggaaa/pb/v3 from 3.0.3 to 3.0.8 (#1704)
* chore(deps): bump github.com/open-policy-agent/opa from 0.36.1 to 0.37.2 (#1711)
* chore(dependabot): enable gomod monthly (#1699)
* fix(gitlab tpl): escape double quote (#1635)
* build: Make `make protoc` be consistent (#1682)
* feat(purl): add generate purl package utilities (#1574)
* refactor: move result structs under types (#1696)
* feat(mariner): add support for CBL-Mariner 2.0 (#1694)
* docs(gitlab-ci): fix Script in GitLab CI Example #1688
* chore: Upgrade helm chart version (#1683)
* chore(mod): update Go dependencies (#1681)
* docs: fix typos in markdown docs (#1674)
* docs: update documentation for image scanning of tar files to use a tag present on Docker Hub (#1671)
* fix(repo): --no-progress suppresses git output (#1669)
-------------------------------------------------------------------
Tue Feb 01 07:14:27 UTC 2022 - kastl@b1-systems.de
- Update to version 0.23.0:
* docs: add ACR navigator (#1651)
* fix: update example Rego files and docs (#1628)
* feat(option): show a link to GitHub Discussions for --light deprecation (#1650)
* fix(sarif): fix the warning message (#1647)
* refactor: migrate to prefixed buckets (#1644)
* feat(mariner): add support for CBL-Mariner (#1640)
* docs: commercial use available (#1641)
* feat: support azure acr (#1611)
* feat(os-pkg): add data sources (#1636)
* feat(redhat): support build info in RHEL (#807)
* fix: change links in pull_request_template to static URLs (#1634)
* feat(lang-pkg): add data sources (#1625)
* feat(detector): support custom detector (#1615)
* docs(contribution): change role who should resolve comments (#1618)
* docs: add PR template (#1602)
* feat(rocky): support Rocky Linux (#1570)
* Add the ability to set dockerhub credentials in the helm chart (#1569)
* feat(cache): redis TLS support (#1297)
* feat(java): add support for PAR files (#1599)
* refactor(rust): move rust-advisory-db to OSV (#1591)
* feat: log ignored vulnerabilities on debug (#1378)
* chore(mod): hcl2json deps update (#1585)
* fix(rpm): do not ignore installed files via third-party rpm (#1594)
* feat(fs): allow scanning a single file (#1578)
* refactor(python): drop Safety DB (#1580)
* feat: added insecure tls skip to scan git repo (#1528)
* Supress git clone output (#1590)
* fix(alma): skip modular package because MODULARITYLABEL is not set (#1588)
* feat(photon os): added EOL dates check (#1587)
* docs: update supported os (#1586)
* BREAKING: remove root command (#1579)
* docs: add Rust to Language-specific Packages Table (#1577)
* docs: update int doc for gitlab ci (#1575)
* BREAKING: migrate the sarif template to Go code (#1437)
* refactor: remove unused field (#1567)
* chore(deps): bump helm/chart-testing-action from 2.1.0 to 2.2.0 (#1554)
* docs: gitlab integration (#1381)
* feat(alma): support AlmaLinux (#1238)
* docs: added note about default template path when Trivy installed using rpm (#1551)
* BREAKING: Trivy DB from GHCR (#1539)
* feat(cli): Do not set default commands when a plugin is being run (#1549)
* fix: add fingerprint field to codequality template (#1541)
* fix(image): correct handling of uncompressed layers (#1544)
* chore: helm chart app version 0.22.0 (#1535)
* test(integration): use fixtures (#1532)
-------------------------------------------------------------------
Tue Dec 28 09:50:49 UTC 2021 - dmueller@suse.com
- Update to version 0.22.0 (jsc#SLE-18339):
* fix(java/pom): ignore unsupported requirements (#1514)
* feat(cli): warning for root command (#1516)
* BREAKING: disable JAR detection in fs/repo scanning (#1512)
* feat(scan): support --offline-scan option (#1511)
* fix: improve memory usage (#1509)
* feat(java): support pom.xml (#1501)
* docs: fixing rust link to security advisory (#1504)
* Add missing IacMetdata (#1505)
* feat(jar): add file path (#1498)
* feat(rpm): support NDB (#1497)
* feat: added misconfiguration field for html.tpl (#1444)
-------------------------------------------------------------------
Tue Dec 21 08:33:39 UTC 2021 - dmueller@suse.com
- Update to version 0.21.3:
* fix(docs): typo (#1488)
* feat(plugin): Add option to update plugin (#1462)
* fix: fixed skipFiles/skipDirs flags for relative path (#1482)
* feat (plugin): add list and info command for plugin (#1452)
* fix: set up a vulnerability severity (#1458)
* chore: add arm64 deb package (#1480)
* Link to trivy tutorial on Semaphore (#1449)
* refactor(helm): externalize env vars to configMap (#1345)
* docs: provide more information on scanning Google's GCR (#1426)
* docs(misconfiguration): added instruction for misconfiguration detection (#1428)
* Update git-repository.md (#1430)
* fix(hooks): exclude unrelated lib types from system files filtering (#1431)
* chore: run `go fmt` (#1429)
* fix(sarif): change `help` field in the sarif template. (#1423)
* Update fanal with cfsec version update (#1425)
* Replace deprecated option in goreleaser (#1406)
* feat(alpine): support 3.15 (#1422)
* chore: test the helm chart in the PR and used the commit hash (#1414)
* chore(deps): bump alpine from 3.14 to 3.15.0 (#1417)
* chore(release): add ubuntu older versions to deploy script (#1416)
-------------------------------------------------------------------
Sun Dec 05 10:46:26 UTC 2021 - dmueller@suse.com
- Update to version 0.21.1:
* chore(mod): tidy (#1415)
* fix(rpc): fix nil layer transmit (#1410)
* Lang advisory order (#1409)
* chore: add support for s390x arch (#1304)
* fix(chart): ingress helm manifest-update trivy image (#1323)
* docs: Add comparison for cfsec (#1388)
* remove: delete unused functions in utils package (#1379)
* fix(sarif): fix validation errors (#1376)
* docs: add Bitbucket Pipelines (#1374)
* docs: add community integrations (#1361)
* Use a stable SARIF identifier (#1230)
* fix(python): fix parsing of requirements.txt with hash checking mode available in pip since version 8.0
* feat(iac): Add line information (#1366)
* feat(cloudformation): Adding support for cfsec IaC scanning (#1360)
* chore: send debug and info logs to stdout in install.sh, not stderr. (#1264)
* Update containerd to v1.5.7 and docker-cli to v20.10.9 (#1356)
* chore: update SBOM generation (#1349)
-------------------------------------------------------------------
Wed Nov 10 11:42:19 UTC 2021 - dmueller@suse.com
- Update to version 0.20.2:
* docs: update builtin.md (#1335)
* chore: fix issues with Homebrew formula (#1329)
* chore: bump GoReleaser to v0.183.0 (#1328)
* docs: update iac.md for a typo (#1326)
* docs: typo fix (#1308)
* Add new networking API features to Ingress (#1262)
* chore(release): bump up GoReleaser to v0.182.1 (#1299)
* fix(yarn): support quoted version (#1298)
* feat(custom-forward): Forward the extended advisory data (#1247)
* feat(javascript) : Initialize npm driver for javascript packages (#1289)
* fix(cli): fix incorrect comparision of DB metadata type. (#1286)
* docs: add footer to readme (#1281)
* feat(report): add package path (#1274)
* feat(command): add rootfs command (#1271)
* fix: update fanal (#1272)
* feat(commands): remove deprecated options (#1270)
* Aggregate jar result for table (#1269)
* BREAKING(report): migrate to new json schema (#1265)
* feat: improve --skip-dirs and --skip-files (#1249)
* fix(gobinary): skip large files (#1259)
* Disable library analyzer for OS only scan type (#1191)
* chore: update trivy version (#1252)
* refactor: move from io/ioutil to io and os package (#1245)
* fix: brew test command (#1253)
* fix:added layer info in packages (#1248)
* fix(go/binary): improve debug messages (#1244)
* Update db.go (#1199)
* fix(deps): fix CVE-2021-32760 for github.com/containerd/containerd (#1243)
* feat(debian): support the versions that reached EOL (#1237)
* feat(alpine): support unfixed vulnerabilities (#1235)
* feat(report): add image config (#1231)
* feat(nodejs): support package.json (#1225)
* refactor: use testing DB instead of mock (#1234)
* feat(ruby): support gemspec (#1224)
* feat(python): add packaging detector and respective hook (#1223)
* feat(license): Added support to new License field of go-dep-parser's library (#1167)
* fix(oracle): handle advisories contain ksplice versions (#1209)
* fix(docs): remove OSVDB advisories (#1215)
* docs: fix typos in CONTRIBUTING.md (#1181)
* Update EOL of Debian 11 (#1180)
* fix(plugin): resolve a closure (#1207)
* docs: fix typo (#1206)
* fix(detector): change an argument for trivy-db getter (#1203)
* chore(mod): update fanal (#1179)
* Add license info to package data (#1176)
* feat(nuget): support packages.config (#1095)
* feat(python): add support for requirements.txt (#1169)
* GitLab CI integration documentation (#1168)
* chore(gorelease) change goreleaser config to include template examples (#1138)
* chore(deps): bump dmnemec/copy_file_to_another_repo_action (#1153)
* chore(deps): bump actions/stale from 3 to 4 (#1152)
* feat(report): add end of service life flag to OS metadata (#1142)
* chore: set up Dependabot for github-actions and docker (#1128)
* docs: fix typo (#1149)
* docs: add some external links (#1147)
* chore (release): add ubuntu esm versions to deploy script (#1151)
* docs(troubleshooting) add urls which are required to download vuls db (#1137)
* Updated the Alpine Image to 3.14 (latest) (#1130)
* Added EOL for Ubuntu 21.10 (#1131)
* fix(image): disabled scanning of config files within container images (#1133)
* docs: fixed typo (#1124)
* update cyclonedx github action to v0.3.0 (#1127)
* fix(policy): fix panic on the first run (#1116)
* docs(misconf): add comparison with Conftest and tfsec (#1111)
* feat(report): add schema version (#1110)
* fix(scan): change unknown os from info to debug (#1109)
* docs: add misconfiguration (#1101)
* fix(config): rename include-successes with include-non-failures (#1107)
* feat(config): support --trace (#1106)
* fix(policy): reduce the Internet access (#1105)
* chore: bump golangci-lint to v1.41.1 (#1104)
* feat: support config scanning (#931)
* feat(report): add artifact metadata (#1079)
* Generate SBOM (#1076)
* fix(db): multiple prefixed data sources (#1070)
* Add EOL date for Alpine 3.14 (#1072)
* suse: mark sle 15.3 as maintained, add opensuse 15.3 (#1059)
* docs: improve data sources (#1069)
* chore(label): add kind/security-advisory (#1068)
* fix(asff): replace slice with substr (#1058)
* fix(helm-chart): parametrized ingress host path (#1049)
* feat: support Google Artifact Repository (#1055)
* Update ASFF template to use label for severity (#1047)
* BREAKING: migrate to a new JSON schema (#782)
* docs: Fix link to AWS Security Hub template (#1046)
* refactor(server): support gzip (#1045)
* chore(rpc): update protoc and twirp (#1044)
* Added support for list all packages flag in client (#1032)
* chore: chart with 0.18.3 (#1033)
* feat: add gitlab codequality template (#895)
* feat(plugin): add aqua plugin (#1029)
* fix(go): if patchedVersion is empty mark it as vulnerable (#1030)
* docs(ubuntu): fix supported versions (#1028)
* Support Ubuntu 21.04 (#1027)
* chore: remove codecov (#1016)
* fix typo on github-actions.md (#1022)
- drop 0001-suse-mark-sle-15.3-as-maintained-add-opensuse-15.3.patch (upstream)
-------------------------------------------------------------------
Thu Jun 10 12:46:10 UTC 2021 - Dirk Müller <dmueller@suse.com>
- add 0001-suse-mark-sle-15.3-as-maintained-add-opensuse-15.3.patch
-------------------------------------------------------------------
Thu Jun 10 08:31:11 UTC 2021 - Dirk Müller <dmueller@suse.com>
- strip binaries
-------------------------------------------------------------------
Mon Jun 07 19:14:07 UTC 2021 - dmueller@suse.com
- Update to version 0.18.3:
* chore(ci): change to more granular tokens (#1014)
* chore(ci): add Go scanning and update dependencies (#1001)
* docs: Add HIGH severity to Trivy command in GitLab CI example to match comment (#1013)
* fix(image): disable go.sum scanning (#1007)
* fix(gomod): handle go.sum with an empty line (#1006)
* feat: prepare for config scanning (#1005)
* Clarify that dev dependencies are excluded (#986)
* Include target value in Sarif template ruleID (#991)
* chore(mkdocs): allow workflow_dispatch (#989)
* fix(vuln) unique vulnerabilities from different data sources (#984)
* feat(go): added support of gomod analyzer (#978)
-------------------------------------------------------------------
Mon May 03 10:04:22 UTC 2021 - dmueller@suse.com
- Update to version 0.17.2:
* Upgrade fanal dependency (#976)
* docs: mention upx binaries (#974)
* Upgrade alpine to fix git and libcurl vulnerabilities in trivy docker image scan (#971)
* fix(fs): skip dirs (#969)
* chore(ci): replace GITHUB_TOKEN with ORG_GITHUB_TOKEN (#965)
* chore(ci): clone trivy-repo after releasing binaries (#963)
* docs: add golang support (#962)
* fix(table): skip zero vulnerabilities on java (#961)
* chore(ci): create a release discussion (#959)
* feat(go): support binary scan (#948)
* feat(java): support GitLab Advisory Database (#917)
* feat: show help message when the context's deadline passes (#955)
* chore(mkdocs): replace github token (#954)
* Update SARIF report template (#935)
* Update install docs to make commands consistent (#933)
* Docker multi-platform image build with `buildx`, using Goreleaser (#915)
* Fix JUnit template for AWS CodeBuild compatibility (#904)
* break(cli): use StringSliceFlag for skip-dirs/files (#916)
* docs: add white logo (#914)
* add package name in ruleID (#913)
* feat: gh-action for stale issues (#908)
* chore(triage): add lifecycle/active label (#909)
* feat: publish helm repository (#888)
* Fix Documentation Typo (#901)
* docs: migrate README to MkDocs (#884)
* refactor(internal): export internal packages (#887)
* feat: support plugins (#878)
* chore(ci): deploy dev docs only for the main branch (#882)
* add MkDocs implementation (#870)
* docs(README): update ubuntu versions (#877)
* support Ubuntu 20.10 (#876)
* feat(cache): introduce versioned cache (#865)
* chore: bump up Go to 1.16 (#861)
* fix: allow the latest tag (#864)
* feat: disable analyzers (#846)
* chore(ci): push the official image to public ECR (#855)
* chore(ci): migrate CircleCI to GitHub Actions (#850)
* adds example with multistage build (#853)
* remove SARIF helpUri if empty (#841) (#845)
* Add Sprig to Template Engine (#832)
* Fix "GitLab CI using Trivy container" usage example (fixes #843) (#844)
* feat(java): support jar/war/ear (#837)
* fix(app): increase the default value of timeout (#842)
* Update README.md (#838)
* Fix compatibility for Jenkins xunit plugin (#820)
* README: add Gitlab job that uses a container with trivy (#823)
* feat: support Podman (#825)
* fix(eol): update EOL dates (#824)
* fix(python): follow PEP 440 (#816)
* Support alpine 3.13 (#819)
* Changed the output string to "Using your github token". (#814)
* Align comment with code (#812)
* Parse redis backend url (#804)
* Update README.md (#810)
* Added nodeSelector, affinity and tolerations to helm chart (#803)
* Fix readme typo in policy flag (#805)
* Fix errors in SARIF format (#801)
* Fix env variable for github token (#796)
* fix(vulnerability): set unknown severity for empty values (#793)
* Remove global flags from filesystem command (#772)
* Add imagePullSecrets to helm Chart (#789)
* Add redis cache backend configuration options (#784)
* Update README.md (#735)
* feat(redhat): support modular packages (#790)
* Fix formatting of log message (#785)
* chore(ci): migrate unit tests to GitHub Actions (#779)
* shifted: brews.github to brews.tap (#780)
-------------------------------------------------------------------
Fri Jan 08 13:31:54 UTC 2021 - rbrown@suse.com
- Update to version 0.15.0:
* Feat: NuGet Scanner (#686)
* feat(cache): support Redis (#770)
* fix(redhat): skip module packages (#776)
* chore: migrate from master to main (#778)
* chore(circleci): remove gofmt (#777)
* chore(README): remove experimental (#775)
* NVD: Add timestamps. (#761)
* (fix): Make the table output less wide. (#763)
* Add gitHubToken to prevent rate limit problems (#769)
* Add helm chart to install trivy in server mode. (#751)
* chore(docs): add nix install (#762)
* HTML template (#567)
* feat: remove rpm dependency (#753)
* fix(vulnerability): make an empty severity UNKNOWN (#759)
* chore(README): add TRIVY_INSECURE (#760)
* feat(vulnerability): add primary URLs (#752)
-------------------------------------------------------------------
Thu Nov 26 15:23:00 UTC 2020 - dmueller@suse.com
- Update to version 0.13.0:
* fix(oracle): handle ksplice advisories (#745)
* fix: version comparison (#740)
* updated Readme.md (#737)
* Add suse sles 15.2 to the EOL list as well (#734)
* Update README.md (#731)
* Warn when a user attempts to use trivy without a detectable lockfile (#729)
* Add back support for FreeBSD & OpenBSD (#728)
* Add support for ppc64le architecture (#724)
* Skip packages from unsupported repository (remi) (#695)
* Skip downloading DB if a remote DB is not updated (#717)
* Sunsetting VendorVectors (#718)
* Add GitHub Container Registry to README (#712)
* update BUG_REPORT.md using H2 instead of bold formatting (#714)
* fix(ci/deb): do not remove old packages for EOL versions (#706)
* Add linter check support (#679)
* Optimize images (#696)
* Update triage.md (#701)
- remove 0001-Add-suse-sles-15.2-to-the-EOL-list-as-well.patch (merged)
-------------------------------------------------------------------
Fri Oct 30 14:52:37 UTC 2020 - Dirk Mueller <dmueller@suse.com>
- add 0001-Add-suse-sles-15.2-to-the-EOL-list-as-well.patch
-------------------------------------------------------------------
Wed Oct 28 12:47:30 UTC 2020 - Dirk Mueller <dmueller@suse.com>
- revert _service and build changes in last update to use
the proper macros
- set VERSION parameter properly (jsc#CAPS-105)
- remove update-end-of-life-dates.patch
-------------------------------------------------------------------
Thu Oct 22 14:20:24 UTC 2020 - Stefan Nica <snica@suse.com>
- Require golang >= 1.15 to fix EINTR read issues (jsc#CAPS-170)
-------------------------------------------------------------------
Thu Oct 22 13:16:40 UTC 2020 - Dirk Mueller <dmueller@suse.com>
- add update-end-of-life-dates.patch
-------------------------------------------------------------------
Tue Oct 20 13:13:39 UTC 2020 - msabate@suse.com
- Update to version 0.12.0:
* ci(circle): update remote docker version (#683)
* suse: update end of life dates for SLES service packs (#676)
* update readme for parallel run issue (#660)
* fix link for Clear images section in README (#659)
* add link to Gitlab CI pipeline in README (#658)
* test: add tests for mux (#645)
* chore: bump up Go to 1.15 (#646)
* Add contrib/ to the release chain for Docker (#638)
* Add health check endpoint to trivy server (#644)
* fix(cli): show help for subcommands (#629)
-------------------------------------------------------------------
Tue Sep 08 18:00:57 UTC 2020 - jsuchome@suse.com
- Update to version 0.9.2:
* Fixing `Error retrieving template from path` when --format is not template but template is provided (#556)
* Adding contrib/junit.tpl to docker image (#554)
* db: Update trivy-db to include CVSS score info (#530)
* docs: fix markdown (#553)
* Added function to escape string in failure message title and descriptions (#551)
* Added JUNIT support (#541)
* chore(docs): mention air-gapped environment (#544)
* chore(README): add programming languages (#543)
* fix(log): write error messages to stderr (#538)
* Use StoreMetadata from trivy-db (#509)
* docs: add more CI options to README (#535)
* chore(Dockerfile): bump up alpine to 3.12 (#528)
* fix(alpine): replace go-deb-version with go-apk-version (#520)
* fix: MissingBlobs is implemented different in FS and S3 the method log… (#522)
-------------------------------------------------------------------
Wed Aug 19 11:24:03 UTC 2020 - dmueller@suse.com
- Update to version 0.9.1:
* fix(alpine): support 3.12 (#517)
* chore(README): prepare for v0.9.0 (#507)
* fix(config): transpose arguments (#516)
-------------------------------------------------------------------
Tue Jul 28 12:33:21 UTC 2020 - jsuchome@suse.com
- Update to version 0.9.0:
* fix(app): add ArgsUsage (#508)
* feat: support repository and filesystem scan (#503)
* Add GHSA support (#467)
* refactor: define common options and embed them into the option for subcommand (#502)
* Add image subcommand (#493)
* fix: remove help template (#500)
* vulnerability: Add CVSS Vectors to JSON output. (#484)
* feat: support registry token (#482)
* chore: bump up urfave/cli to v2 (#499)
* chore(doc): update README (#490)
* chore(ci): move integration tests to GitHub Actions (#485)
* feat: support OCI Image Format (#475)
* chore(github): fix issue templates (#483)
* contrib/gitlab.tpl: Add new id field (#468)
* chore(docs): add triage.md (#473)
* fix: handle a scratch/busybox/DockerSlim image gracefully (#476)
* rpc: Fix output to use templates when in client server mode. (#469)
* Override with Vendor score if exists (#433)
* docs: Update installation docs for pointing to Trivy Releases. (#463)
-------------------------------------------------------------------
Fri Jul 24 11:34:15 UTC 2020 - jsuchome@suse.com
- enabled changesgenerate option to automatically generate changes
-------------------------------------------------------------------
Thu Jul 16 15:54:15 CEST 2020 - jsuchome@suse.com
- initial release of 0.6.0 version, supported by Harbor 2.0