commit 4c45efeca5070701f279777cc798324109d87463334b1d76214d42e1155d8507 Author: Git SCM Staging Date: Wed Jun 19 16:26:14 2024 +0000 [info=661ba9512713191dbad2929ae1a76f9ef89bbcaa0f3da1fac367aa96b97f6054] OBS-URL: https://build.opensuse.org/package/show/devel:Factory:git-workflow:staging:dirkmueller:trivy:2/trivy?expand=0&rev=2 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_constraints b/_constraints new file mode 100644 index 0000000..a275540 --- /dev/null +++ b/_constraints @@ -0,0 +1,8 @@ + + + + + 10 + + + diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo new file mode 100644 index 0000000..64abd69 --- /dev/null +++ b/_scmsync.obsinfo @@ -0,0 +1,4 @@ +mtime: 1718814149 +commit: 661ba9512713191dbad2929ae1a76f9ef89bbcaa0f3da1fac367aa96b97f6054 +url: https://src.opensuse.org/dirkmueller/trivy.git +revision: 661ba9512713191dbad2929ae1a76f9ef89bbcaa0f3da1fac367aa96b97f6054 diff --git a/_service b/_service new file mode 100644 index 0000000..a7556a8 --- /dev/null +++ b/_service @@ -0,0 +1,20 @@ + + + https://github.com/aquasecurity/trivy + git + v0.52.2 + @PARENT_TAG@ + v(.*) + enable + + + trivy-*.tar + zst + + + trivy + + + zst + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..4346b9d --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/aquasecurity/trivy + 8709d4f9c8ae29df1ff2e0d45b414cc075d3ea0b \ No newline at end of file diff --git a/add-opensuse-tumbleweed-db.patch b/add-opensuse-tumbleweed-db.patch new file mode 100644 index 0000000..d363228 --- /dev/null +++ b/add-opensuse-tumbleweed-db.patch @@ -0,0 +1,103 @@ +From f055a591d0ad779eab39ad0b13bd240653c9f137 Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Wed, 19 Jun 2024 09:59:41 +0200 +Subject: [PATCH 1/2] added openSUSE Tumbleweed version detection + +(Tumbleweed has no version as it is rolling) + +https://github.com/aquasecurity/trivy-db/issues/410 +--- + pkg/vulnsrc/suse-cvrf/suse-cvrf.go | 18 +++++++++++++++--- + pkg/vulnsrc/suse-cvrf/suse-cvrf_test.go | 4 ++++ + 2 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go +index be3d4eff..297b29eb 100644 +--- a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go ++++ b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go +@@ -24,8 +24,10 @@ type Distribution int + const ( + SUSEEnterpriseLinux Distribution = iota + OpenSUSE ++ OpenSUSETumbleweed + +- platformOpenSUSEFormat = "openSUSE Leap %s" ++ platformOpenSUSETumbleweedFormat = "openSUSE Tumbleweed" ++ platformOpenSUSELeapFormat = "openSUSE Leap %s" + platformSUSELinuxFormat = "SUSE Linux Enterprise %s" + ) + +@@ -55,6 +57,9 @@ func (vs VulnSrc) Name() types.SourceID { + if vs.dist == OpenSUSE { + return "opensuse-cvrf" + } ++ if vs.dist == OpenSUSETumbleweed { ++ return "opensuse-tumbleweed-cvrf" ++ } + return source.ID + } + +@@ -66,6 +71,7 @@ func (vs VulnSrc) Update(dir string) error { + case SUSEEnterpriseLinux: + rootDir = filepath.Join(rootDir, "suse") + case OpenSUSE: ++ case OpenSUSETumbleweed: + rootDir = filepath.Join(rootDir, "opensuse") + default: + return xerrors.New("unknown distribution") +@@ -185,6 +191,10 @@ func getOSVersion(platformName string) string { + // SUSE Linux Enterprise Module for SUSE Manager Server 4.0 + return "" + } ++ if strings.HasPrefix(platformName, "openSUSE Tumbleweed") { ++ // Tumbleweed has no version, it is a rolling release ++ return platformOpenSUSETumbleweedFormat ++ } + if strings.HasPrefix(platformName, "openSUSE Leap") { + // openSUSE Leap 15.0 + ss := strings.Split(platformName, " ") +@@ -196,7 +206,7 @@ func getOSVersion(platformName string) string { + log.Printf("invalid version: %s, err: %s", platformName, err) + return "" + } +- return fmt.Sprintf(platformOpenSUSEFormat, ss[2]) ++ return fmt.Sprintf(platformOpenSUSELeapFormat, ss[2]) + } + if strings.Contains(platformName, "SUSE Linux Enterprise") { + // e.g. SUSE Linux Enterprise Storage 7, SUSE Linux Enterprise Micro 5.1 +@@ -276,7 +286,9 @@ func (vs VulnSrc) Get(version string, pkgName string) ([]types.Advisory, error) + case SUSEEnterpriseLinux: + bucket = fmt.Sprintf(platformSUSELinuxFormat, version) + case OpenSUSE: +- bucket = fmt.Sprintf(platformOpenSUSEFormat, version) ++ bucket = fmt.Sprintf(platformOpenSUSELeapFormat, version) ++ case OpenSUSETumbleweed: ++ bucket = platformOpenSUSETumbleweedFormat + default: + return nil, xerrors.New("unknown distribution") + } + +From a6bad64919d94263c6e075f2f3676b6cdbfe811d Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Wed, 19 Jun 2024 16:07:49 +0200 +Subject: [PATCH 2/2] Update pkg/vulnsrc/suse-cvrf/suse-cvrf.go + +Co-authored-by: Teppei Fukuda +--- + pkg/vulnsrc/suse-cvrf/suse-cvrf.go | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go +index 297b29eb..f616990e 100644 +--- a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go ++++ b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go +@@ -70,8 +70,7 @@ func (vs VulnSrc) Update(dir string) error { + switch vs.dist { + case SUSEEnterpriseLinux: + rootDir = filepath.Join(rootDir, "suse") +- case OpenSUSE: +- case OpenSUSETumbleweed: ++ case OpenSUSE, OpenSUSETumbleweed: + rootDir = filepath.Join(rootDir, "opensuse") + default: + return xerrors.New("unknown distribution") diff --git a/add-opensuse-tumbleweed-support.patch b/add-opensuse-tumbleweed-support.patch new file mode 100644 index 0000000..461cf47 --- /dev/null +++ b/add-opensuse-tumbleweed-support.patch @@ -0,0 +1,94 @@ +From 3e9c8361a53b33bdd8bfe3009fae69a50fe5f261 Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Wed, 19 Jun 2024 10:32:34 +0200 +Subject: [PATCH] feat: add openSUSE tumbleweed detection and scanning + +needs changes in trivy-db to go along from https://github.com/aquasecurity/trivy-db/pull/411 to go along + +https://github.com/aquasecurity/trivy-db/issues/410 +--- + docs/docs/coverage/os/index.md | 1 + + docs/docs/coverage/os/suse.md | 5 +++-- + pkg/detector/ospkg/detect.go | 1 + + pkg/detector/ospkg/suse/suse.go | 9 +++++++++ + 4 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/docs/docs/coverage/os/index.md b/docs/docs/coverage/os/index.md +index a8d2670d7d6..49982b1b2d6 100644 +--- a/docs/docs/coverage/os/index.md ++++ b/docs/docs/coverage/os/index.md +@@ -22,6 +22,7 @@ Trivy supports operating systems for + | [CBL-Mariner](cbl-mariner.md) | 1.0, 2.0 | dnf/yum/rpm | + | [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm | + | [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm | ++| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm | + | [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm | + | [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm | + | [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg | +diff --git a/docs/docs/coverage/os/suse.md b/docs/docs/coverage/os/suse.md +index 6ff52de31c8..15cfb1e9379 100644 +--- a/docs/docs/coverage/os/suse.md ++++ b/docs/docs/coverage/os/suse.md +@@ -2,6 +2,7 @@ + Trivy supports the following distributions: + + - openSUSE Leap ++- openSUSE Tumbleweed + - SUSE Enterprise Linux (SLE) + + Please see [here](index.md#supported-os) for supported versions. +@@ -35,6 +36,6 @@ Trivy identifies licenses by examining the metadata of RPM packages. + + + [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies +-[cvrf]: http://ftp.suse.com/pub/projects/security/cvrf/ ++[cvrf]: https://ftp.suse.com/pub/projects/security/cvrf/ + +-[vulnerability statuses]: ../../configuration/filtering.md#by-status +\ No newline at end of file ++[vulnerability statuses]: ../../configuration/filtering.md#by-status +diff --git a/pkg/detector/ospkg/detect.go b/pkg/detector/ospkg/detect.go +index bbeb8e8649d..56c4b76d147 100644 +--- a/pkg/detector/ospkg/detect.go ++++ b/pkg/detector/ospkg/detect.go +@@ -40,6 +40,7 @@ var ( + ftypes.CentOS: redhat.NewScanner(), + ftypes.Rocky: rocky.NewScanner(), + ftypes.Oracle: oracle.NewScanner(), ++ ftypes.OpenSUSETumbleweed: suse.NewScanner(suse.OpenSUSETumbleweed), + ftypes.OpenSUSELeap: suse.NewScanner(suse.OpenSUSE), + ftypes.SLES: suse.NewScanner(suse.SUSEEnterpriseLinux), + ftypes.Photon: photon.NewScanner(), +diff --git a/pkg/detector/ospkg/suse/suse.go b/pkg/detector/ospkg/suse/suse.go +index a5ccade5c81..439cad3ce28 100644 +--- a/pkg/detector/ospkg/suse/suse.go ++++ b/pkg/detector/ospkg/suse/suse.go +@@ -66,6 +66,7 @@ const ( + SUSEEnterpriseLinux Type = iota + // OpenSUSE for open versions + OpenSUSE ++ OpenSUSETumbleweed + ) + + // Scanner implements the SUSE scanner +@@ -84,6 +85,10 @@ func NewScanner(t Type) *Scanner { + return &Scanner{ + vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSE), + } ++ case OpenSUSETumbleweed: ++ return &Scanner{ ++ vs: susecvrf.NewVulnSrc(susecvrf.OpenSUSETumbleweed), ++ } + } + return nil + } +@@ -128,5 +133,9 @@ func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType + if osFamily == ftypes.SLES { + return osver.Supported(ctx, slesEolDates, osFamily, osVer) + } ++ // tumbleweed is a rolling release, it has no version and no eol ++ if osFamily == ftypes.OpenSUSETumbleweed { ++ return true ++ } + return osver.Supported(ctx, opensuseEolDates, osFamily, osVer) + } diff --git a/build.specials.obscpio b/build.specials.obscpio new file mode 100644 index 0000000..50ce4ee --- /dev/null +++ b/build.specials.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b2e416bcee1987ed56ce1444ba61cfb347ddbdccdd29289fad559466e974121d +size 256 diff --git a/trivy-0.52.1.tar.zst b/trivy-0.52.1.tar.zst new file mode 100644 index 0000000..9276395 --- /dev/null +++ b/trivy-0.52.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:468105619fa0a066fd1915deadce5bd8b870e6b333b747d76cfabaa1b4a71512 +size 51995809 diff --git a/trivy-0.52.2.tar.zst b/trivy-0.52.2.tar.zst new file mode 100644 index 0000000..4321d85 --- /dev/null +++ b/trivy-0.52.2.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ff5a9e30ebb5fabc0d8bd5f11f9d4874cbbcf728ba163d7f4125cffc10e7f1d6 +size 51992543 diff --git a/trivy.changes b/trivy.changes new file mode 100644 index 0000000..033a0a9 --- /dev/null +++ b/trivy.changes @@ -0,0 +1,2522 @@ +------------------------------------------------------------------- +Wed Jun 19 15:58:20 UTC 2024 - dmueller@suse.com + +- Update to version 0.52.2: + * release: v0.52.2 [release/v0.52] (#6896) + * ci: use `ubuntu-latest-m` runner [backport: release/v0.52] (#6933) + * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 [backport: release/v0.52] (#6919) + * test: bump docker API to 1.45 [backport: release/v0.52] (#6922) + * ci: bump `github.com/goreleaser/goreleaser` to `v2.0.0` [backport: release/v0.52] (#6893) + * fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892) +- add add-opensuse-tumbleweed-db.patch, + add-opensuse-tumbleweed-support.patch: patches for tumbleweed + support + +------------------------------------------------------------------- +Wed Jun 12 14:19:45 UTC 2024 - dmueller@suse.com + +- Update to version 0.52.1: + * release: v0.52.1 [release/v0.52] (#6877) + * fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken [backport: release/v0.52] (#6888) + * fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files [backport: release/v0.52] (#6881) + * fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase [backport: release/v0.52] (#6878) + * docs: explain how VEX is applied (#6864) + * fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857) + +------------------------------------------------------------------- +Thu Jun 06 13:09:56 UTC 2024 - dmueller@suse.com + +- Update to version 0.52.0 (bsc#1224781, CVE-2024-35192): + * release: v0.52.0 [main] (#6809) + * fix(plugin): initialize logger (#6836) + * chore(deps): bump alpine from 3.19.1 to 3.20.0 in the docker group (#6835) + * fix(cli): always output fatal errors to stderr (#6827) + * fix: close testfile (#6830) + * docs(julia): add scanner table (#6826) + * feat(python): add license support for `requirement.txt` files (#6782) + * docs: add more workarounds for out-of-disk (#6821) + * chore: improve error message for image not found (#6822) + * fix(sbom): fix panic for `convert` mode when scanning json file derived from sbom file (#6808) + * ci(deps): use modules instead of incompatible version (#6805) + * ci: set initial version to v0.51.1 (#6810) + * ci: replace PAT with ORG_REPO_TOKEN (#6806) + * chore(deps): bump the common group with 3 updates (#6789) + * fix: clean up golangci lint configuration (#6797) + * ci: introduce Release Please for automated release management (#6795) + * fix(python): add package name and version validation for `requirements.txt` files. (#6804) + * feat(vex): improve relationship support in CSAF VEX (#6735) + * chore(alpine): add eol date for Alpine 3.20 (#6800) + * docs(plugin): add missed `plugin` section (#6799) + * fix: include packages unless it is not needed (#6765) + * ci(deps): fix ineffassign and bodyclose in ".*_test.go$" (#6777) + * chore(deps): Bump trivy-aws and trivy-checks (#6796) + * feat(misconf): support for VPC resources for inbound/outbound rules (#6779) + * ci(deps): fix govet in ".*_test.go$" (#6736) + * ci(deps): simplify gosec rules exclusion (#6778) + * chore: replace interface{} with any (#6751) + * fix: close settings.xml (#6768) + * refactor(go): add priority for gobinary module versions from `ldflags` (#6745) + * ci(deps): fix gocritic in ".*_test.go$" (#6763) + * build: use main package instead of main.go (#6766) + * feat(misconf): resolve tf module from OpenTofu compatible registry (#6743) + * chore(deps): bump the common group across 1 directory with 29 updates (#6756) + * ci(deps): fix tenv in ".*_test.go$" (#6748) + * chore(deps): bump the aws group with 8 updates (#6738) + * chore(deps): bump the docker group with 2 updates (#6739) + * chore(deps): bump the github-actions group with 4 updates (#6737) + * chore(deps): bump the testcontainers group with 2 updates (#6740) + * docs: add info on adding compliance checks (#6275) + * docs: Add documentation for contributing additional checks to the trivy policies repo (#6234) + * ci: add groups for `dependabot` (#6734) + * ci(deps): fix gci and gofmt in ".*_test.go$" (#6721) + * feat(nodejs): add v9 pnpm lock file support (#6617) + * feat(vex): support non-root components for products in OpenVEX (#6728) + * feat(python): add line number support for `requirement.txt` files (#6729) + * chore: respect timeout value in .golangci.yaml (#6724) + * ci(deps): enable `require-error` rule from `testifylint` linter (#6718) + * chore(deps): bump golangci-lint to v1.58.2 (#6719) + * fix: node-collector high and critical cves (#6707) + * Merge pull request from GHSA-xcq4-m2r3-cmrj + * chore: auto-bump golang patch versions (#6711) + * fix(misconf): don't shift ignore rule related to code (#6708) + * feat(plugin): specify plugin version (#6683) + * chore: enforce golangci-lint version (#6700) + * ci(deps): update golangci-lint-action and enable testifylint linter on "integration/*" (#6706) + * fix(go): include only `.version`|`.ver` (no prefixes) ldflags for `gobinaries` (#6705) + * fix(go): add only non-empty root modules for `gobinaries` (#6710) + * refactor: unify package addition and vulnerability scanning (#6579) + * fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696) + * ci(deps): enable testifylint linter on .*_test.go$ (#6688) + * feat(misconf): Add support for deprecating a check (#6664) + * chore(deps): use `google.golang.org/protobuf/types/known` instead of `github.com/golang/protobuf/ptypes` (#6681) + * feat: Add Julia language analyzer support (#5635) + * feat(misconf): register builtin Rego funcs from trivy-checks (#6616) + * fix(report): hide empty tables if all vulns has been filtered (#6352) + * feat(report): Include licenses and secrets filtered by rego to ModifiedFindings (#6483) + * feat: add support for plugin index (#6674) + * fix(conda): add support `pip` deps for `environment.yml` files (#6675) + * docs: add support table for client server mode (#6498) + * fix: close APKINDEX archive file (#6672) + * fix(misconf): skip Rego errors with a nil location (#6666) + * refactor: move artifact types under artifact package to avoid import cycles (#6652) + * refactor(misconf): remove extrafs (#6656) + * refactor: re-define module structs for serialization (#6655) + * chore(misconf): Clean up iac logger (#6642) + * feat(misconf): support symlinks inside of Helm archives (#6621) + * feat(misconf): add Terraform 'removed' block to schema (#6640) + * refactor: unify Library and Package structs (#6633) + * fix: use of specified context to obtain cluster name (#6645) + * perf(misconf): parse rego input once (#6615) + * fix(misconf): skip Rego errors with a nil location (#6638) + * ci: add `generic` dir to deb deploy script (#6636) + * docs: link warning to both timeout config options (#6620) + * docs: fix usage of image-config-scanners (#6635) + * chore(deps): bump `knqyf263/trivy-issue-action` to v0.0.6 (#6632) + +------------------------------------------------------------------- +Thu May 09 13:21:53 UTC 2024 - dmueller@suse.com + +- Update to version 0.51.1: + * fix(fs): handle default skip dirs properly (#6628) + * fix(misconf): load cached tf modules (#6607) + * fix(misconf): do not use semver for parsing tf module versions (#6614) + * refactor: move setting scanners when using compliance reports to flag parsing (#6619) + * feat: introduce package UIDs for improved vulnerability mapping (#6583) + * perf(misconf): Improve cause performance (#6586) + * docs: trivy-k8s new experiance remove un-used section (#6608) + * chore(deps): bump github.com/docker/docker from 26.0.1+incompatible to 26.0.2+incompatible (#6612) + * docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609) + * feat(misconf): Use updated terminology for misconfiguration checks (#6476) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.15 to 1.16.15 (#6593) + * docs: use `generic` link from `trivy-repo` (#6606) + * docs: update trivy k8s with new experience (#6465) + * feat: support `--skip-images` scanning flag (#6334) + * BREAKING: add support for k8s `disable-node-collector` flag (#6311) + * chore(deps): bump github.com/zclconf/go-cty from 1.14.1 to 1.14.4 (#6601) + * chore(deps): bump github.com/sigstore/rekor from 1.2.2 to 1.3.6 (#6599) + * chore(deps): bump google.golang.org/protobuf from 1.33.0 to 1.34.0 (#6597) + * chore(deps): bump sigstore/cosign-installer from 3.4.0 to 3.5.0 (#6588) + * chore(deps): bump github.com/testcontainers/testcontainers-go from 0.28.0 to 0.30.0 (#6595) + * chore(deps): bump github.com/open-policy-agent/opa from 0.62.0 to 0.64.1 (#6596) + * feat: add ubuntu 23.10 and 24.04 support (#6573) + * chore(deps): bump azure/setup-helm from 3.5 to 4 (#6590) + * chore(deps): bump actions/checkout from 4.1.2 to 4.1.4 (#6587) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.24.6 to 1.27.4 (#6598) + * docs(go): add stdlib (#6580) + * chore(deps): bump github.com/containerd/containerd from 1.7.13 to 1.7.16 (#6592) + * chore(deps): bump github.com/go-openapi/runtime from 0.27.1 to 0.28.0 (#6600) + * feat(go): parse main mod version from build info settings (#6564) + * feat: respect custom exit code from plugin (#6584) + * docs: add asdf and mise installation method (#6063) + * feat(vuln): Handle scanning conan v2.x lockfiles (#6357) + * feat: add support `environment.yaml` files (#6569) + * fix: close plugin.yaml (#6577) + * fix: trivy k8s avoid deleting non-default node collector namespace (#6559) + * BREAKING: support exclude `kinds/namespaces` and include `kinds/namespaces` (#6323) + * feat(go): add main module (#6574) + * feat: add relationships (#6563) + * ci: disable `Go` cache for `reusable-release.yaml` (#6572) + * docs: mention `--show-suppressed` is available in table (#6571) + * chore: fix sqlite to support loong64 (#6511) + * fix(debian): sort dpkg info before parsing due to exclude directories (#6551) + * docs: update info about config file (#6547) + * docs: remove RELEASE_VERSION from trivy.repo (#6546) + * fix(sbom): change error to warning for multiple OSes (#6541) + * fix(vuln): skip empty versions (#6542) + * feat(c): add license support for conan lock files (#6329) + * fix(terraform): Attribute and fileset fixes (#6544) + * refactor: change warning if no vulnerability details are found (#6230) + * refactor(misconf): improve error handling in the Rego scanner (#6527) + * ci: use tmp dir inside Trivy repo dir for GoReleaser (#6533) + * feat(go): parse main module of go binary files (#6530) + * chore(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 (#6526) + * refactor(misconf): simplify the retrieval of module annotations (#6528) + * chore(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (#6523) + * docs(nodejs): add info about supported versions of pnpm lock files (#6510) + * feat(misconf): loading embedded checks as a fallback (#6502) + * fix(misconf): Parse JSON k8s manifests properly (#6490) + * refactor: remove parallel walk (#5180) + * fix: close pom.xml (#6507) + * fix(secret): convert severity for custom rules (#6500) + * fix(java): update logic to detect `pom.xml` file snapshot artifacts from remote repositories (#6412) + * fix: typo (#6283) + * docs(k8s,image): fix command-line syntax issues (#6403) + * chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 (#6435) + * fix(misconf): avoid panic if the scheme is not valid (#6496) + * feat(image): goversion as stdlib (#6277) + * fix: add color for error inside of log message (#6493) + * chore(deps): bump actions/add-to-project from 0.4.1 to 1.0.0 (#6438) + * docs: fix links to OPA docs (#6480) + * refactor: replace zap with slog (#6466) + * docs: update links to IaC schemas (#6477) + * chore: bump Go to 1.22 (#6075) + * refactor(terraform): sync funcs with Terraform (#6415) + * feat(misconf): add helm-api-version and helm-kube-version flag (#6332) + * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.4.0 to 1.5.1 (#6426) + * chore(deps): bump github.com/go-openapi/strfmt from 0.22.0 to 0.23.0 (#6452) + * chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.6 to 2.0.7 (#6430) + * chore(deps): bump aquaproj/aqua-installer from 2.2.0 to 3.0.0 (#6437) + * fix(terraform): eval submodules (#6411) + * refactor(terraform): remove unused options (#6446) + * refactor(terraform): remove unused file (#6445) + * chore(deps): bump github.com/testcontainers/testcontainers-go to v0.28.0 (#6387) + * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.9.0 to 1.10.0 (#6427) + * fix(misconf): Escape template value correctly (#6292) + * feat(misconf): add support for wildcard ignores (#6414) + * fix(cloudformation): resolve `DedicatedMasterEnabled` parsing issue (#6439) + * refactor(terraform): remove metrics collection (#6444) + * feat(cloudformation): add support for logging and endpoint access for EKS (#6440) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.51.1 to 1.53.1 (#6424) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.27.4 to 1.27.10 (#6428) + * chore(deps): bump go.etcd.io/bbolt from 1.3.8 to 1.3.9 (#6429) + * fix(db): check schema version for image name only (#6410) + * chore(deps): bump github.com/google/wire from 0.5.0 to 0.6.0 (#6425) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.149.1 to 1.155.1 (#6433) + * chore(deps): bump actions/cache from 4.0.0 to 4.0.2 (#6436) + * feat(misconf): Support private registries for misconf check bundle (#6327) + * feat(cloudformation): inline ignore support for YAML templates (#6358) + * feat(terraform): ignore resources by nested attributes (#6302) + * perf(helm): load in-memory files (#6383) + * feat(aws): apply filter options to result (#6367) + * feat(aws): quiet flag support (#6331) + * fix(misconf): clear location URI for SARIF (#6405) + * test(cloudformation): add CF tests (#6315) + * fix(cloudformation): infer type after resolving a function (#6406) + * fix(sbom): fix error when parent of SPDX Relationships is not a package. (#6399) + * fix(nodejs): merge `Indirect`, `Dev`, `ExternalReferences` fields for same deps from `package-lock.json` files v2 or later (#6356) + * docs: add info about support for package license detection in `fs`/`repo` modes (#6381) + * fix(nodejs): add support for parsing `workspaces` from `package.json` as an object (#6231) + * fix: use `0600` perms for tmp files for post analyzers (#6386) + * fix(helm): scan the subcharts once (#6382) + * docs(terraform): add file patterns for Terraform Plan (#6393) + * fix(terraform): сhecking SSE encryption algorithm validity (#6341) + * fix(java): parse modules from `pom.xml` files once (#6312) + * chore(deps): bump github.com/docker/docker from 25.0.3+incompatible to 25.0.5+incompatible (#6364) + * fix(server): add Locations for `Packages` in client/server mode (#6366) + * fix(sbom): add check for `CreationInfo` to nil when detecting SPDX created using Trivy (#6346) + * fix(report): don't include empty strings in `.vulnerabilities[].identifiers[].url` when `gitlab.tpl` is used (#6348) + * chore(ubuntu): Add Ubuntu 22.04 EOL date (#6371) + * chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#6321) + * feat(java): add support licenses and graph for gradle lock files (#6140) + * feat(vex): consider root component for relationships (#6313) + * fix: increase the default buffer size for scanning dpkg status files by 2 times (#6298) + * chore: updates wazero to v1.7.0 (#6301) + * feat(sbom): Support license detection for SBOM scan (#6072) + * refactor(sbom): use intermediate representation for SPDX (#6310) + * docs(terraform): improve documentation for filtering by inline comments (#6284) + * fix(terraform): fix policy document retrieval (#6276) + * refactor(terraform): remove unused custom error (#6303) + * refactor(sbom): add intermediate representation for BOM (#6240) + * fix(amazon): check only major version of AL to find advisories (#6295) + * fix(db): use schema version as tag only for `trivy-db` and `trivy-java-db` registries by default (#6219) + * fix(nodejs): add name validation for package name from `package.json` (#6268) + * docs: Added install instructions for FreeBSD (#6293) + * feat(image): customer podman host or socket option (#6256) + * chore(deps): bump wazero from 1.2.1 to 1.6.0 (#6290) + * feat(java): mark dependencies from `maven-invoker-plugin` integration tests pom.xml files as `Dev` (#6213) + * fix(license): reorder logic of how python package licenses are acquired (#6220) + * test(terraform): skip cached modules (#6281) + * feat(secret): Support for detecting Hugging Face Access Tokens (#6236) + * fix(cloudformation): support of all SSE algorithms for s3 (#6270) + * feat(terraform): Terraform Plan snapshot scanning support (#6176) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.4 (#6249) + * fix: typo function name and comment optimization (#6200) + * fix(java): don't ignore runtime scope for pom.xml files (#6223) + * chore(deps): bump helm/kind-action from 1.8.0 to 1.9.0 (#6242) + * chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#6243) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.1 (#6251) + * chore(deps): bump github.com/hashicorp/go-uuid from 1.0.1 to 1.0.3 (#6253) + * chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.0 (#6250) + * chore(deps): bump github.com/containerd/containerd from 1.7.12 to 1.7.13 (#6247) + * chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 (#6246) + * fix(license): add FilePath to results to allow for license path filtering via trivyignore file (#6215) + * chore(deps): Upgrade iac deps (#6255) + * feat: add info log message about dev deps suppression (#6211) + * test(k8s): use test-db for k8s integration tests (#6222) + * ci: add maximize-build-space for `Test` job (#6221) + * fix(terraform): fix root module search (#6160) + * test(parser): squash test data for yarn (#6203) + * fix(terraform): do not re-expand dynamic blocks (#6151) + * docs: update ecosystem page reporting with db app (#6201) + * fix: k8s summary separate infra and user finding results (#6120) + * fix: add context to target finding on k8s table view (#6099) + * fix: Printf format err (#6198) + * refactor: better integration of the parser into Trivy (#6183) + * chore(deps): bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 (#6189) + * feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (#6108) + * fix(vex): CSAF filtering should consider relationships (#5923) + * refactor(report): Replacing `source_location` in `github` report when scanning an image (#5999) + * feat(vuln): ignore vulnerabilities by PURL (#6178) + * feat(java): add support for fetching packages from repos mentioned in pom.xml (#6171) + * feat(k8s): rancher rke2 version support (#5988) + * docs: update kbom distribution for scanning (#6019) + * chore: update CODEOWNERS (#6173) + * fix(swift): try to use branch to resolve version (#6168) + * fix(terraform): ensure consistent path handling across OS (#6161) + * fix(java): add only valid libs from `pom.properties` files from `jars` (#6164) + * fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM source (#6163) + * chore(deps): merge go-dep-parser into Trivy (#6094) + * docs(report): add remark about `path` to filter licenses using `.trivyignore.yaml` file (#6145) + * docs: update template path for gitlab-ci tutorial (#6144) + * feat(report): support for filtering licenses and secrets via rego policy files (#6004) + * fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (#6113) + * refactor(deps): Merge defsec into trivy (#6109) + * chore(deps): bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 (#6142) + * docs: add SecObserve in CI/CD and reporting (#6139) + * fix(alpine): exclude empty licenses for apk packages (#6130) + * docs: add docs tutorial on custom policies with rego (#6104) + * fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (#6102) + * feat(vuln): show suppressed vulnerabilities in table (#6084) + * docs: rename governance to principles (#6107) + * docs: add governance (#6090) + * refactor(deps): Merge trivy-iac into Trivy (#6005) + * feat(java): add dependency location support for `gradle` files (#6083) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.11 to 1.15.15 (#6038) + * fix(misconf): get `user` from `Config.User` (#6070) + +------------------------------------------------------------------- +Thu Feb 08 12:51:32 UTC 2024 - dmueller@suse.com + +- Update to version 0.49.1: + * fix: check unescaped `BomRef` when matching `PkgIdentifier` (#6025) + * docs: Fix broken link to "pronunciation" (#6057) + * chore(deps): bump actions/upload-artifact from 3 to 4 (#6047) + * chore(deps): bump github.com/spf13/viper from 1.16.0 to 1.18.2 (#6042) + * chore(deps): bump k8s.io/api from 0.29.0 to 0.29.1 (#6043) + * ci: reduce `root-reserve-mb` size for `maximize-build-space` (#6064) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.0 to 1.48.1 (#6041) + * chore(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 (#6039) + * fix: fix cursor usage in Redis Clear function (#6056) + * chore(deps): bump github.com/go-openapi/runtime from 0.26.0 to 0.27.1 (#6037) + * fix(nodejs): add local packages support for `pnpm-lock.yaml` files (#6034) + * chore(deps): bump sigstore/cosign-installer from 3.3.0 to 3.4.0 (#6046) + * chore(deps): bump github.com/go-openapi/strfmt from 0.21.7 to 0.22.0 (#6044) + * chore(deps): bump actions/cache from 3.3.2 to 4.0.0 (#6048) + * test: fix flaky `TestDockerEngine` (#6054) + * chore(deps): bump github.com/google/go-containerregistry from 0.17.0 to 0.19.0 (#6040) + * chore(deps): bump easimon/maximize-build-space from 9 to 10 (#6049) + * chore(deps): bump alpine from 3.19.0 to 3.19.1 (#6051) + * chore(deps): bump github.com/moby/buildkit from 0.11.6 to 0.12.5 (#6028) + * fix(java): recursive check all nested depManagements with import scope for pom.xml files (#5982) + * chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 (#6029) + * fix(cli): inconsistent behavior across CLI flags, environment variables, and config files (#5843) + * feat(rust): Support workspace.members parsing for Cargo.toml analysis (#5285) + * docs: add note about Bun (#6001) + * fix(report): use `AWS_REGION` env for secrets in `asff` template (#6011) + * fix: check returned error before deferring f.Close() (#6007) + * feat(misconf): add support of buildkit instructions when building dockerfile from image config (#5990) + * feat(vuln): enable `--vex` for all targets (#5992) + * docs: update link to data sources (#6000) + * feat(java): add support for line numbers for pom.xml files (#5991) + * refactor(sbom): use new `metadata.tools` struct for CycloneDX (#5981) + * docs: Update troubleshooting guide with image not found error (#5983) + * style: update band logos (#5968) + * chore(deps): Update misconfig deps (#5956) + * docs: update cosign tutorial and commands, update kyverno policy (#5929) + * docs: update command to scan go binary (#5969) + * fix: handle non-parsable images names (#5965) + * chore(deps): bump aquaproj/aqua-installer from 2.1.2 to 2.2.0 (#5693) + * fix(amazon): save system files for pkgs containing `amzn` in src (#5951) + * fix(alpine): Add EOL support for alpine 3.19. (#5938) + * feat: allow end-users to adjust K8S client QPS and burst (#5910) + * chore(deps): bump go-ebs-file (#5934) + * fix(nodejs): find licenses for packages with slash (#5836) + * fix(sbom): use `group` field for pom.xml and nodejs files for CycloneDX reports (#5922) + * fix: ignore no init containers (#5939) + * docs: Fix documentation of ecosystem (#5940) + * docs(misconf): multiple ignores in comment (#5926) + * fix(secret): find aws secrets ending with a comma or dot (#5921) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.11.90 to 1.15.11 (#5885) + * docs: ✨ Updated ecosystem docs with reference to new community app (#5918) + * fix(java): don't remove excluded deps from upper pom's (#5838) + * fix(java): check if a version exists when determining GAV by file name for `jar` files (#5630) + * feat(vex): add PURL matching for CSAF VEX (#5890) + * fix(secret): `AWS Secret Access Key` must include only secrets with `aws` text. (#5901) + * revert(report): don't escape new line characters for sarif format (#5897) + * docs: improve filter by rego (#5402) + * chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7 (#5892) + * docs: add_scan2html_to_trivy_ecosystem (#5875) + * fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode (#5888) + * feat(vex): Add support for CSAF format (#5535) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts from 1.26.2 to 1.26.7 (#5880) + * chore(deps): bump actions/setup-go from 4 to 5 (#5845) + * chore(deps): bump actions/stale from 8 to 9 (#5846) + * chore(deps): bump github.com/open-policy-agent/opa from 0.58.0 to 0.60.0 (#5853) + * chore(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 (#5847) + * chore(deps): bump modernc.org/sqlite from 1.23.1 to 1.28.0 (#5854) + * chore(deps): bump alpine from 3.18.5 to 3.19.0 (#5849) + * chore(deps): bump actions/setup-python from 4 to 5 (#5848) + * feat(python): parse licenses from dist-info folder (#4724) + * chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.7.0 to 0.8.0 (#5852) + * feat(nodejs): add yarn alias support (#5818) + * chore(deps): bump github.com/samber/lo from 1.38.1 to 1.39.0 (#5850) + * chore(deps): bump github.com/hashicorp/go-getter from 1.7.2 to 1.7.3 (#5856) + * chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0 (#5855) + * refactor: propagate time through context values (#5858) + * refactor: move PkgRef under PkgIdentifier (#5831) + * fix(cyclonedx): fix unmarshal for licenses (#5828) + * chore(deps): bump github.com/go-git/go-git/v5 from 5.10.1 to 5.11.0 (#5830) + * feat(vuln): include pkg identifier on detected vulnerabilities (#5439) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from v1.116.0 to v1.134.0 (#5822) + * chore(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11 (#5809) + * chore(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 (#5805) + +------------------------------------------------------------------- +Tue Dec 19 14:18:46 UTC 2023 - dmueller@suse.com + +- Update to version 0.48.1: + * chore(deps): bump trivy-iac to v0.7.1 (#5797) + * fix(bitnami): use a different comparer for detecting vulnerabilities (#5633) + * refactor(sbom): disable html escaping for CycloneDX (#5764) + * refactor(purl): use `pub` from `package-url` (#5784) + * docs(python): add note to using `pip freeze` for `compatible releases` (#5760) + * fix(report): use OS information for OS packages purl in `github` template (#5783) + * fix(report): fix error if miconfigs are empty (#5782) + * refactor(vuln): don't remove VendorSeverity in JSON report (#5761) + * fix(report): don't mark misconfig passed tests as failed in junit.tpl (#5767) + * docs(k8s): replace --scanners config with --scanners misconfig in docs (#5746) + * fix(report): update Gitlab template (#5721) + * feat(secret): add support of GitHub fine-grained tokens (#5740) + * fix(misconf): add an image misconf to result (#5731) + * feat(secret): added support of Docker registry credentials (#5720) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.45 to 1.25.11 (#5717) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.21.0 to 1.24.1 (#5701) + +------------------------------------------------------------------- +Wed Dec 06 10:00:18 UTC 2023 - dmueller@suse.com + +- Update to version 0.48.0: + * chore(deps): bump sigstore/cosign-installer from 4a861528be5e691840a69536975ada1d4c30349d to 1fc5bd396d372bee37d608f955b336615edf79c8 (#5696) + * chore(deps): bump helm/chart-testing-action from 2.4.0 to 2.6.1 (#5694) + * feat: filter k8s core components vuln results (#5713) + * feat(vuln): remove duplicates in Fixed Version (#5596) + * feat(report): output plugin (#4863) + * chore(deps): bump alpine from 3.18.4 to 3.18.5 (#5700) + * chore(deps): bump github.com/google/go-containerregistry from 0.16.1 to 0.17.0 (#5704) + * chore(deps): bump github.com/go-git/go-git/v5 from 5.8.1 to 5.10.1 (#5699) + * chore(deps): bump actions/github-script from 6 to 7 (#5697) + * chore(deps): bump easimon/maximize-build-space from 8 to 9 (#5695) + * docs: typo in modules.md (#5712) + * feat: Add flag to configure node-collector image ref (#5710) + * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.7.1 to 1.9.0 (#5702) + * chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.4 to 2.31.0 (#5698) + * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.3.1 to 1.4.0 (#5706) + * feat(misconf): Add `--misconfig-scanners` option (#5670) + * chore: bump Go to 1.21 (#5662) + * feat: Packagesprops support (#5605) + * chore(deps): Bump up trivy misconf deps (#5656) + * docs: update adopters discussion template (#5632) + * docs: terraform tutorial links updated to point to correct loc (#5661) + * fix(secret): add `sec` and space to secret prefix for `aws-secret-access-key` (#5647) + * fix(nodejs): support protocols for dependency section in yarn.lock files (#5612) + * fix(secret): exclude upper case before secret for `alibaba-access-key-id` (#5618) + * docs: Update Arch Linux package URL in installation.md (#5619) + * chore: add prefix to image errors (#5601) + * docs(vuln): fix link anchor (#5606) + * docs: Add Dagger integration section and cleanup Ecosystem CICD docs page (#5608) + * fix: k8s friendly error messages kbom non cluster scans (#5594) + * feat: set InstalledFiles for DEB and RPM packages (#5488) + * fix(report): use time.Time for CreatedAt (#5598) + * test: retry containerd initialization (#5597) + * feat(misconf): Expose misconf engine debug logs with `--debug` option (#5550) + * test: mock VM walker (#5589) + * chore: bump node-collector v0.0.9 (#5591) + * feat(misconf): Add support for `--cf-params` for CFT (#5507) + * feat(flag): replace '--slow' with '--parallel' (#5572) + * fix(report): add escaping for Sarif format (#5568) + * chore: show a deprecation notice for `--scanners config` (#5587) + * feat(report): Add CreatedAt to the JSON report. (#5542) (#5549) + * test: mock RPM DB (#5567) + * feat: add aliases to '--scanners' (#5558) + * refactor: reintroduce output writer (#5564) + * chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#5543) + * chore: not load plugins for auto-generating docs (#5569) + * chore: sort supported AWS services (#5570) + * fix: no schedule toleration (#5562) + * fix(cli): set correct `scanners` for `k8s` target (#5561) + * fix(sbom): add `FilesAnalyzed` and `PackageVerificationCode` fields for SPDX (#5533) + * refactor(misconf): Update refactored dependencies (#5245) + * feat(secret): add built-in rule for JWT tokens (#5480) + * fix: trivy k8s parse ecr image with arn (#5537) + * fix: fail k8s resource scanning (#5529) + * refactor(misconf): don't remove Highlighted in json format (#5531) + * docs(k8s): fix link in kubernetes.md (#5524) + * docs(k8s): fix whitespace in list syntax (#5525) + +------------------------------------------------------------------- +Tue Nov 07 12:24:51 UTC 2023 - dmueller@suse.com + +- Update to version 0.47.0: + * docs: add info that license scanning supports file-patterns flag (#5484) + * docs: add Zora integration into Ecosystem session (#5490) + * fix(sbom): Use UUID as BomRef for packages with empty purl (#5448) + * ci: use maximize build space for K8s tests (#5387) + * fix: correct error mismatch causing race in fast walks (#5516) + * docs: k8s vulnerability scanning (#5515) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts from 1.23.2 to 1.25.0 (#5506) + * chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.2.2 to 2.3.0 (#5493) + * docs: remove glad for java datasources (#5508) + * chore(deps): bump github.com/testcontainers/testcontainers-go/modules/localstack from 0.21.0 to 0.26.0 (#5475) + * chore: remove unused logger attribute in amazon detector (#5476) + * fix: correct error mismatch causing race in fast walks (#5482) + * chore(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5502) + * chore(deps): bump docker/build-push-action from 4 to 5 (#5500) + * chore(deps): bump github.com/package-url/packageurl-go from 0.1.2-0.20230812223828-f8bb31c1f10b to 0.1.2 (#5491) + * fix(server): add licenses to `BlobInfo` message (#5382) + * chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#5501) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.17.18 to 1.21.0 (#5497) + * feat: scan vulns on k8s core component apps (#5418) + * fix(java): fix infinite loop when `relativePath` field points to `pom.xml` being scanned (#5470) + * chore(deps): bump github.com/docker/docker from 24.0.5+incompatible to 24.0.7+incompatible (#5472) + * fix(sbom): save digests for package/application when scanning SBOM files (#5432) + * docs: fix the broken link (#5454) + * docs: fix error when installing `PyYAML` for gh pages (#5462) + * fix(java): download java-db once (#5442) + * chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.57.1 (#5447) + * docs(misconf): Update `--tf-exclude-downloaded-modules` description (#5419) + * feat(misconf): Support `--ignore-policy` in config scans (#5359) + * docs(misconf): fix broken table for `Use container image` section (#5425) + * feat(dart): add graph support (#5374) + * refactor: define a new struct for scan targets (#5397) + * fix(sbom): add missed `primaryURL` and `source severity` for CycloneDX (#5399) + * fix: correct invalid MD5 hashes for rpms ending with one or more zero bytes (#5393) + * chore(deps): move to aws-sdk-go-v2 (#5381) + * docs: remove --scanners none (#5384) + * docs: Update container_image.md #5182 (#5193) + * feat(report): Add `InstalledFiles` field to Package (#4706) + * feat(k8s): add support for vulnerability detection (#5268) + * fix(python): override BOM in `requirements.txt` files (#5375) + * docs: add kbom documentation (#5363) + * test: use maximize build space for VM tests (#5362) + * chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 (#5365) + * fix(report): add escaping quotes in misconfig Title for asff template (#5351) + * ci: add workflow to check Go versions of dependencies (#5340) + * chore(deps): Upgrade defsec to v0.93.1 (#5348) + * chore(deps): bump alpine from 3.18.3 to 3.18.4 (#5300) + * fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342) + * fix: add config files to FS for post-analyzers (#5333) + * fix: fix MIME warnings after updating to Go 1.20 (#5336) + * build: fix a compile error with Go 1.21 (#5339) + * feat: added `Metadata` into the k8s resource's scan report (#5322) + * ci: check only PR's in `actions/stale` (#5337) + * chore: update adopters template (#5330) + * ci: do not trigger tests on the push event (#5313) + * fix(sbom): use PURL or Group and Name in case of Java (#5154) + * docs: add buildkite repository to ecosystem page (#5316) + * chore(deps): bump docker/setup-qemu-action from 2 to 3 (#5290) + * chore(deps): bump docker/setup-buildx-action from 2 to 3 (#5292) + * chore(deps): bump actions/cache from 3.3.1 to 3.3.2 (#5293) + * chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 (#5286) + * chore(deps): bump github.com/hashicorp/go-getter from 1.7.1 to 1.7.2 (#5289) + * chore: enable go-critic (#5302) + * chore(deps): bump actions/checkout from 3.6.0 to 4.1.0 (#5288) + * chore(deps): bump github.com/aws/aws-sdk-go from 1.45.3 to 1.45.19 (#5287) + * close java-db client (#5273) + * chore(deps): bump docker/login-action from 2 to 3 (#5291) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#5294) + * chore(deps): bump github.com/sigstore/rekor from 1.2.1 to 1.3.0 (#5304) + * chore(deps): bump github.com/opencontainers/image-spec (#5295) + * fix(report): removes git::http from uri in sarif (#5244) + * Improve the meaning of sentence (#5301) + * chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.2.0 to 2.2.2 (#5297) + * chore(deps): bump golang.org/x/term from 0.11.0 to 0.12.0 (#5296) + * add app nil check (#5274) + * typo: in secret.md (#5281) + * docs: add info about `github` format (#5265) + * feat(dotnet): add license support for NuGet (#5217) + * docs: correctly export variables (#5260) + * chore: Add line numbers for lint output (#5247) + * chore(cli): disable java-db flags in server mode (#5263) + * feat(db): allow passing registry options (#5226) + * chore(deps): Bump up defsec to v0.93.0 (#5253) + * refactor(purl): use TypeApk from purl (#5232) + * chore: enable more linters (#5228) + * ci: bump GoReleaser from 1.16.2 to 1.20.0 (#5236) + * Fix typo on ide.md (#5239) + * refactor: use defined types (#5225) + * fix(purl): skip local Go packages (#5190) + * docs: update info about license scanning in Yarn projects (#5207) + * ci: auto apply labels (#5200) + * fix link (#5203) + * fix(purl): handle rust types (#5186) + * chore: auto-close issues (#5177) + * chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 (#5093) + * fix(k8s): kbom support addons labels (#5178) + * test: validate SPDX with the JSON schema (#5124) + * chore: bump trivy-kubernetes-latest (#5161) + * docs: add 'Signature Verification' guide (#4731) + * docs: add image-scanner-with-trivy for ecosystem (#5159) + * fix(fs): assign the absolute path to be inspected to ROOTPATH when filesystem (#5158) + * chore(deps): bump github.com/CycloneDX/cyclonedx-go (#5102) + * Update filtering.md (#5131) + * chore(deps): bump sigstore/cosign-installer (#5104) + * chore(deps): bump github.com/cyphar/filepath-securejoin (#5143) + * chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#5103) + * chore(deps): bump easimon/maximize-build-space from 7 to 8 (#5105) + * chore(deps): bump github.com/aws/aws-sdk-go from 1.44.273 to 1.45.3 (#5126) + * chaging adopters discussion tempalte (#5091) + * chore(deps): bump github.com/cheggaaa/pb/v3 from 3.1.2 to 3.1.4 (#5092) + * chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.2 to 2.0.6 (#5094) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#5095) + * chore(deps): bump github.com/containerd/containerd from 1.7.3 to 1.7.5 (#5097) + * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#5098) + * chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 (#5106) + * docs: add Bitnami (#5078) + * feat(docker): add support for scanning Bitnami components (#5062) + * feat: add support for .trivyignore.yaml (#5070) + * fix(terraform): improve detection of terraform files (#4984) + * feat: filter artifacts on --exclude-owned flag (#5059) + * fix(sbom): cyclonedx advisory should omit `null` value (#5041) + * build: maximize build space for build tests (#5072) + * feat: improve kbom component name (#5058) + * fix(pom): add licenses for pom artifacts (#5071) + * chore(deps): Update defsec to v0.92.0 (#5068) + * chore: bump Go to `1.20` (#5067) + * feat: PURL matching with qualifiers in OpenVEX (#5061) + * feat(java): add graph support for pom.xml (#4902) + * feat(swift): add vulns for cocoapods (#5037) + * fix: support image pull secret for additional workloads (#5052) + * fix: #5033 Superfluous double quote in html.tpl (#5036) + * docs(repo): update trivy repo usage and example (#5049) + * perf: Optimize Dockerfile for reduced layers and size (#5038) + * feat: scan K8s Resources Kind with --all-namespaces (#5043) + * fix: vulnerability typo (#5044) + * docs: adding a terraform tutorial to the docs (#3708) + * feat(report): add licenses to sarif format (#4866) + * feat(misconf): show the resource name in the report (#4806) + * chore: update alpine base images (#5015) + * feat: add Package.resolved swift files support (#4932) + * feat(nodejs): parse licenses in yarn projects (#4652) + * fix: k8s private registries support (#5021) + * bump github.com/testcontainers/testcontainers-go from 0.21.0 to 0.23.0 (#5018) + * feat(vuln): support last_affected field from osv (#4944) + * feat(server): add version endpoint (#4869) + * feat: k8s private registries support (#4987) + * fix(server): add indirect prop to package (#4974) + * docs: add coverage (#4954) + * feat(c): add location for lock file dependencies. (#4994) + * docs: adding blog post on ec2 (#4813) + * revert 32bit bins (#4977) + * chore(deps): bump github.com/xlab/treeprint from 1.1.0 to 1.2.0 (#4917) + +------------------------------------------------------------------- +Thu Aug 10 10:51:52 UTC 2023 - dmueller@suse.com + +- Update to version 0.44.1: + * fix(report): return severity colors in table format (#4969) + * build: maximize available disk space for release (#4937) + * test(cli): Fix assertion helptext (#4966) + * chore(deps): Bump defsec to v0.91.1 (#4965) + * test: validate CycloneDX with the JSON schema (#4956) + * fix(server): add licenses to the Result message (#4955) + * fix(aws): resolve endpoint if endpoint is passed (#4925) + * fix(sbom): move licenses to `name` field in Cyclonedx format (#4941) + * add only uniq deps in dependsOn (#4943) + * use testify instead of gotest.tools (#4946) + * fix(nodejs): do not detect lock file in node_modules as an app (#4949) + * bump go-dep-parser (#4936) + * chore(deps): bump github.com/openvex/go-vex from 0.2.0 to 0.2.1 (#4914) + * chore(deps): bump helm/kind-action from 1.7.0 to 1.8.0 (#4909) + * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore (#4912) + * test(aws): move part of unit tests to integration (#4884) + * docs(cli): update help string for file and dir skipping (#4872) + * chore(deps): bump sigstore/cosign-installer (#4910) + * chore(deps): bump github.com/sosedoff/gitkit from 0.3.0 to 0.4.0 (#4916) + * chore(deps): bump k8s.io/api from 0.27.3 to 0.27.4 (#4918) + * chore(deps): bump github.com/secure-systems-lab/go-securesystemslib (#4919) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#4913) + * chore(deps): bump github.com/magefile/mage from 1.14.0 to 1.15.0 (#4915) + * docs: update the discussion template (#4928) + +------------------------------------------------------------------- +Thu Aug 03 11:21:12 UTC 2023 - dmueller@suse.com + +- Update to version 0.44.0: + * feat(repo): support local repositories (#4890) + * bump go-dep-parser (#4893) + * fix(misconf): add missing fields to proto (#4861) + * fix: remove trivy-db package replacement (#4877) + * chore(test): bump the integration test timeout to 15m (#4880) + * chore(deps): Update defsec to v0.91.0 (#4886) + * chore: update CODEOWNERS (#4871) + * feat(vuln): support vulnerability status (#4867) + * feat(misconf): Support custom URLs for policy bundle (#4834) + * refactor: replace with sortable packages (#4858) + * docs: correct license scanning sample command (#4855) + * fix(report): close the file (#4842) + * feat(nodejs): add support for include-dev-deps flag for yarn (#4812) + * feat(misconf): Add support for independently enabling libraries (#4070) + * feat(secret): add secret config file for cache calculation (#4837) + * Fix a link in gitlab-ci.md (#4850) + * fix(flag): use globalstar to skip directories (#4854) + * chore(deps): bump github.com/docker/docker from v23.0.5+incompatible to v23.0.7-0.20230714215826-f00e7af96042+incompatible (#4849) + * fix(license): using common way for splitting licenses (#4434) + * fix(containerd): Use img platform in exporter instead of strict host platform (#4477) + * remove govulndb (#4783) + * fix(java): inherit licenses from parents (#4817) + * refactor: add allowed values for CLI flags (#4800) + * add example regex to allow rules (#4827) + * feat(misconf): Support custom data for rego policies for cloud (#4745) + * docs: correcting the trivy k8s tutorial (#4815) + * feat(cli): add --tf-exclude-downloaded-modules flag (#4810) + * fix(sbom): cyclonedx recommendations should include fixed versions for each package (#4794) + * feat(misconf): enable --policy flag to accept directory and files both (#4777) + * feat(python): add license fields (#4722) + * fix: support trivy k8s-version on k8s sub-command (#4786) + +------------------------------------------------------------------- +Thu Jul 13 08:47:12 UTC 2023 - dmueller@suse.com + +- Update to version 0.43.1: + * chore(deps): Update defsec to v0.90.3 (#4793) + * chore(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 (#4752) + * chore(deps): bump alpine from 3.18.0 to 3.18.2 (#4748) + * chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.3 to 2.30.4 (#4758) + * docs(image): fix the comment on the soft/hard link (#4740) + * check Type when filling pkgs in vulns (#4776) + * feat: add support of linux/ppc64le and linux/s390x architectures for Install.sh script (#4770) + * chore(deps): bump modernc.org/sqlite from 1.20.3 to 1.23.1 (#4756) + * fix(rocky): add architectures support for advisories (#4691) + * chore(deps): bump github.com/opencontainers/image-spec (#4751) + * chore(deps): bump github.com/package-url/packageurl-go (#4754) + * chore(deps): bump golang.org/x/sync from 0.2.0 to 0.3.0 (#4750) + * chore(deps): bump github.com/tetratelabs/wazero from 1.2.0 to 1.2.1 (#4755) + * chore(deps): bump github.com/testcontainers/testcontainers-go (#4759) + * fix: documentation about reseting trivy image (#4733) + * fix(suse): Add openSUSE Leap 15.5 eol date as well (#4744) + * fix: update Amazon Linux 1 EOL (#4761) +- drop eol-dates.patch (all upstream) + +------------------------------------------------------------------- +Mon Jul 03 13:22:20 UTC 2023 - dmueller@suse.com + +- Update to version 0.43.0: + * chore(deps): Update defsec to v0.90.1 (#4739) + * feat(nodejs): support yarn workspaces (#4664) + * feat(cli): add include-dev-deps flag (#4700) + * fix(image): pass the secret scanner option to scan the img config (#4735) + * fix: scan job pod it not found on k8s-1.27.x (#4729) + * feat(docker): add support for mTLS authentication when connecting to registry (#4649) + * chore(deps): Update defsec to v0.90.0 (#4723) + * fix: skip scanning the gpg-pubkey package (#4720) + * Fix http registry oci pull (#4701) + * feat(misconf): Support skipping services (#4686) + * docs: fix supported modes for pubspec.lock files (#4713) + * fix(misconf): disable the terraform plan analyzer for other scanners (#4714) + * clarifying a dir path is required for custom policies (#4716) + * chore: update alpine base images (#4715) + * fix last-history-created (#4697) + * feat: kbom and cyclonedx v1.5 spec support (#4708) + * docs: add information about Aqua (#4590) + * fix: k8s escape resource filename on windows os (#4693) + * ci: ignore merge queue branches (#4696) + * chore(deps): bump actions/checkout from 2.4.0 to 3.5.3 (#4695) + * chore(deps): bump aquaproj/aqua-installer from 2.1.1 to 2.1.2 (#4694) + * feat: cyclondx sbom custom property support (#4688) + * ci: do not trigger tests in main (#4692) + * add SUSE Linux Enterprise Server 15 SP5 and update SP4 eol date (#4690) + * use group field for jar in cyclonedx (#4674) + * feat(java): capture licenses from pom.xml (#4681) + * feat(helm): make sessionAffinity configurable (#4623) + * fix: Show the correct URL of the secret scanning (#4682) + * document expected file pattern definition format (#4654) + * fix: format arg error (#4642) + * feat(k8s): cyclonedx kbom support (#4557) + * fix(nodejs): remove unused fields for the pnpm lockfile (#4630) + * fix(vm): update ext4-filesystem parser for parse multi block extents (#4616) + * ci: update build IDs (#4641) + * fix(debian): update EOL for Debian 12 (#4647) + * chore(deps): bump go-containerregistry (#4639) + * chore: unnecessary use of fmt.Sprintf (S1039) (#4637) + * fix(db): change argument order in Exists query for JavaDB (#4595) + * feat(aws): Add support to see successes in results (#4427) + * chore(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 (#4613) + * ci: do not trigger tests in main (#4614) + * chore(deps): bump sigstore/cosign-installer (#4609) + * chore(deps): bump CycloneDX/gh-gomod-generate-sbom from 1 to 2 (#4608) + * ci: bypass the required status checks (#4611) + * ci: support merge queue (#3652) + * ci: matrix build for testing (#4587) + * feat: trivy k8s private registry support (#4567) + * docs: add general coverage page (#3859) + * chore: create SECURITY.md (#4601) + +------------------------------------------------------------------- +Fri Jun 30 15:06:47 UTC 2023 - Dirk Müller + +- add eol-dates.patch to list SLE/Leap 15.5 + +------------------------------------------------------------------- +Thu Jun 22 08:39:30 UTC 2023 - Dirk Müller + +- add NOTICE to doc + +------------------------------------------------------------------- +Mon Jun 12 07:56:25 UTC 2023 - dmueller@suse.com + +- Update to version 0.42.1: + * ci: remove 32bit packages (#4585) + * fix(misconf): deduplicate misconf results (#4588) + * fix(vm): support sector size of 4096 (#4564) + * fix(misconf): terraform relative paths (#4571) + * fix(purl): skip unsupported library type (#4577) + * fix(terraform): recursively detect all Root Modules (#4457) + * fix(vm): support post analyzer for vm command (#4544) + * fix(nodejs): change the type of the devDependencies field (#4560) + * fix(sbom): export empty dependencies in CycloneDX (#4568) + * refactor: add composite fs for post-analyzers (#4556) + * chore(deps): bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 (#4554) + * chore(deps): bump helm/kind-action from 1.5.0 to 1.7.0 (#4526) + * chore(deps): bump github.com/BurntSushi/toml from 1.2.1 to 1.3.0 (#4528) + * chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.2 to 2.30.3 (#4529) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 (#4536) + * chore(deps): bump github.com/tetratelabs/wazero from 1.0.0 to 1.2.0 (#4549) + * chore(deps): bump github.com/spf13/cast from 1.5.0 to 1.5.1 (#4532) + * chore(deps): bump github.com/testcontainers/testcontainers-go (#4537) + * chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#4530) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#4534) + * chore(deps): bump github.com/sigstore/rekor from 1.2.0 to 1.2.1 (#4533) + * chore(deps): bump alpine from 3.17.3 to 3.18.0 (#4525) + * feat: add SBOM analyzer (#4210) + * fix(sbom): update logic for work with files in spdx format (#4513) + * feat: azure workload identity support (#4489) + * feat(ubuntu): add eol date for 18.04 ESM (#4524) + * fix(misconf): Update required extensions for terraformplan (#4523) + * refactor(cyclonedx): add intermediate representation (#4490) + * fix(misconf): Remove debug print while scanning (#4521) + * fix(java): remove duplicates of jar libs (#4515) + * fix(java): fix overwriting project props in pom.xml (#4498) + * docs: Update compilation instructions (#4512) + * fix(nodejs): update logic for parsing pnpm lock files (#4502) + * fix(secret): remove aws-account-id rule (#4494) + * feat(oci): add support for referencing an input image by digest (#4470) + * chore(deps): bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#4338) + * docs: fixed the format (#4503) + * fix(java): add support of * for exclusions for pom.xml files (#4501) + * feat: adding issue template for documentation (#4453) + * docs: switch glad to ghsa for Go (#4493) + * chore(deps): Update defsec to v0.89.0 (#4474) + * feat(misconf): Add terraformplan support (#4342) + * feat(debian): add digests for dpkg (#4445) + * chore(deps): bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 (#4478) + * feat(k8s): exclude node scanning by node labels (#4459) + * docs: add info about multi-line mode for regexp from custom secret rules (#4159) + * feat(cli): convert JSON reports into a different format (#4452) + * feat(image): add logic to guess base layer for docker-cis scan (#4344) + * fix(cyclonedx): set original names for packages (#4306) + * feat: group subcommands (#4449) + * feat(cli): add retry to cache operations (#4189) + * fix(vuln): report architecture for `apk` packages (#4247) + * refactor: enable cases where return values are not needed in pipeline (#4443) + * fix(image): resolve scan deadlock when error occurs in slow mode (#4336) + * docs(misconf): Update docs for kubernetes file patterns (#4435) + * test: k8s integration tests (#4423) + * feat(redhat): add package digest for rpm (#4410) + * feat(misconf): Add `--reset-policy-bundle` for policy bundle (#4167) + * fix: typo (#4431) + * add user instruction to imgconf (#4429) + * fix(k8s): add image sources (#4411) + * docs(scanning): Add versioning banner (#4415) + * feat(cli): add mage command to update golden integration test files (#4380) + * feat: node-collector custom namespace support (#4407) + * chore(deps): bump owenrumney/go-sarif from v2.1.3 to v2.2.0 (#4378) + * refactor(sbom): use multiline json for spdx-json format (#4404) + * fix(ubuntu): add EOL date for Ubuntu 23.04 (#4347) + * refactor: code-optimization (#4214) + * feat(image): Add image-src flag to specify which runtime(s) to use (#4047) + * test: skip wrong update of test golden files (#4379) + * refactor: don't return error for package.json without version/name (#4377) + * docs: cmd error (#4376) + * test(cli): add test for config file and env combination (#2666) + * fix(report): set a correct file location for license scan output (#4326) + * ci: rpm repository for all versions and aarch64 (#4077) + * chore(alpine): Update Alpine to 3.18 (#4351) + * fix(alpine): add EOL date for Alpine 3.18 (#4308) + * chore(deps): bump github.com/docker/distribution (#4337) + * feat: allow root break for mapfs (#4094) + * docs(misconf): Remove examples.md (#4256) + * fix(ubuntu): update eol dates for Ubuntu (#4258) + * feat(alpine): add digests for apk packages (#4168) + * chore: add discussion templates (#4190) + * fix(terraform): Support tfvars (#4123) + * chore: separate docs:generate (#4242) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#4246) + * refactor: define vulnerability scanner interfaces (#4117) + * feat: unified k8s scan resources (#4188) + * chore(deps): Update defsec to v0.88.1 (#4178) + * chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.1 to 2.30.2 (#4141) + * chore: trivy bin ignore (#4212) + * feat(image): enforce image platform (#4083) + * chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.1.2 to 2.1.3 (#4143) + * chore(deps): bump github.com/docker/docker (#4144) + * chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.1 to 2.0.2 (#4146) + * chore(deps): bump aquaproj/aqua-installer from 2.0.2 to 2.1.1 (#4140) + * fix(ubuntu): fix version selection logic for ubuntu esm (#4171) + * chore(deps): bump github.com/samber/lo from 1.37.0 to 1.38.1 (#4147) + * chore(deps): bump github.com/hashicorp/go-getter from 1.7.0 to 1.7.1 (#4145) + * chore(deps): bump sigstore/cosign-installer from 3.0.1 to 3.0.3 (#4138) + * chore(deps): bump github.com/testcontainers/testcontainers-go (#4150) + * chore: install.sh support for windows (#4155) + * chore(deps): bump github.com/sigstore/rekor from 1.1.0 to 1.1.1 (#4166) + * chore(deps): bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#4149) + * docs: moving skipping files out of others (#4154) + +------------------------------------------------------------------- +Thu May 11 17:05:04 UTC 2023 - Dirk Müller + +- actually create a PIE binary + +------------------------------------------------------------------- +Fri Apr 28 07:31:35 UTC 2023 - dmueller@suse.com + +- Update to version 0.41.0: + * fix(spdx): add workaround for no src packages (#4118) + * test(golang): rename broken go.mod (#4129) + * feat(sbom): add supplier field (#4122) + * test(misconf): skip downloading of policies for tests #4126 + * refactor: use debug message for post-analyze errors (#4037) + * feat(sbom): add VEX support (#4053) + * feat(sbom): add primary package purpose field for SPDX (#4119) + * fix(k8s): fix quiet flag (#4120) + * fix(python): parse of pip extras (#4103) + * feat(java): use full path for nested jars (#3992) + * feat(license): add new flag for classifier confidence level (#4073) + * feat: config and fs compliance support (#4097) + * chore(deps): bump sigstore/cosign-installer from 2.8.1 to 3.0.1 (#3952) + * feat(spdx): add support for SPDX 2.3 (#4058) + * fix: k8s all-namespaces support (#4096) + * perf(misconf): replace with post-analyzers (#4090) + * fix(helm): update networking API version detection (#4106) + * feat(image): custom docker host option (#3599) + * style: debug flag is incorrect and needs extra - (#4087) + * docs(vuln): Document inline vulnerability filtering comments (#4024) + * feat(fs): customize error callback during fs walk (#4038) + * fix(ubuntu): skip copyright files from subfolders (#4076) + * docs: restructure scanners (#3977) + * fix: fix `file does not exist` error for post-analyzers (#4061) + +------------------------------------------------------------------- +Sun Apr 16 18:05:08 UTC 2023 - dmueller@suse.com + +- Update to version 0.40.0: + * feat(flag): Support globstar for `--skip-files` and `--skip-directories` (#4026) + * chore(deps): bump actions/stale from 7 to 8 (#3955) + * fix: return insecure option to download javadb (#4064) + * fix(nodejs): don't stop parsing when unsupported yarn.lock protocols are found (#4052) + * ci: add gpg signing for RPM packages (#4056) + * fix(k8s): current context title (#4055) + * fix(k8s): quit support on k8s progress bar (#4021) + * chore: add a note about Dockerfile.canary (#4050) + * ci: fix path to canary binaries (#4045) + * fix(vuln): report architecture for debian packages (#4032) + * feat: add support for Chainguard's commercial distro (#3641) + * ci: bump goreleaser for Github Action from 1.4.1 to 1.16.2 (#3979) + * fix(vuln): fix error message for remote scanners (#4031) + * feat(report): add image metadata to SARIF (#4020) + * docs: fix broken cache link on Installation page (#3999) + * fix: lock downloading policies and database (#4017) + * fix: avoid concurrent access to the global map (#4014) + * feat(rust): add Cargo.lock v3 support (#4012) + * feat: auth support oci download server subcommand (#4008) + * chore(deps): bump github.com/docker/docker (#4009) + * chore: install.sh support for armv7 (#3985) + * chore(deps): bump github.com/Azure/go-autorest/autorest/adal (#3961) + +------------------------------------------------------------------- +Thu Apr 13 08:10:58 UTC 2023 - dmueller@suse.com + +- Update to version 0.39.1: + * fix(rust): fix panic when 'dependencies' field is not used in cargo.toml (#3997) + * fix(sbom): fix infinite loop for cyclonedx (#3998) + * chore(deps): bump helm/chart-testing-action from 2.3.1 to 2.4.0 (#3954) + * fix: use warning for errors from enrichment files for post-analyzers (#3972) + * chore(deps): bump github.com/docker/docker (#3963) + * fix(helm): added annotation to psp configurable from values (#3893) + * chore(deps): bump github.com/go-git/go-git/v5 from 5.5.2 to 5.6.1 (#3962) + * fix(secret): update built-in rule `tests` (#3855) + * chore(deps): bump github.com/alicebob/miniredis/v2 from 2.23.0 to 2.30.1 (#3957) + * test: rewrite scripts in Go (#3968) + * docs(cli): Improve glob documentation (#3945) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#3959) + * ci: check CLI references (#3967) + * chore(deps): bump alpine from 3.17.2 to 3.17.3 (#3951) + * chore(deps): bump github.com/aws/aws-sdk-go from 1.44.212 to 1.44.234 (#3956) + * chore(deps): bump github.com/moby/buildkit from 0.11.4 to 0.11.5 (#3958) + * chore(deps): bump actions/setup-go from 3 to 4 (#3953) + * chore(deps): bump actions/cache from 3.2.6 to 3.3.1 (#3950) + * chore(deps): bump github.com/containerd/containerd from 1.6.19 to 1.7.0 (#3965) + * chore(deps): bump github.com/sigstore/rekor from 1.0.1 to 1.1.0 (#3964) + +------------------------------------------------------------------- +Mon Apr 03 08:36:44 UTC 2023 - dmueller@suse.com + +- Update to version 0.39.0: + * docs(cli): added makefile and go file to create docs (#3930) + * chore: Revert "ci: add gpg signing for RPM packages (#3612)" (#3946) + * chore: ignore gpg key (#3943) + * feat(cyclonedx): support dependency graph (#3177) + * chore(deps): Bump defsec to v0.85.0 (#3940) + * feat(rust): remove dev deps and find direct deps for Cargo.lock (#3919) + * feat(server): redis with public TLS certs support (#3783) + * feat(flag): Add glob support to `--skip-dirs` and `--skip-files` (#3866) + * chore: replace make with mage (#3932) + * fix(sbom): add checksum to files (#3888) + * chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#3928) + * chore: remove unused mount volumes (#3927) + * feat: add auth support for downloading OCI artifacts (#3915) + * refactor(purl): use epoch in qualifier (#3913) + * chore(deps): bump github.com/in-toto/in-toto-golang from 0.5.0 to 0.7.0 (#3727) + * feat(image): add registry options (#3906) + * feat(rust): dependency tree and line numbers support for cargo lock file (#3746) + * chore(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1 (#3905) + * feat(php): add support for location, licenses and graph for composer.lock files (#3873) + * chore(deps): updates wazero to 1.0.0 (#3904) + * feat(image): discover SBOM in OCI referrers (#3768) + * docs: change cache-dir key in config file (#3897) + * fix(sbom): use release and epoch for SPDX package version (#3896) + * ci: add gpg signing for RPM packages (#3612) + * docs: Update incorrect comment for skip-update flag (#3878) + * refactor(misconf): simplify policy filesystem (#3875) + * feat(nodejs): parse package.json alongside yarn.lock (#3757) + * fix(spdx): add PkgDownloadLocation field (#3879) + * fix(report): try to guess direct deps for dependency tree (#3852) + * chore(amazon): update EOL (#3876) + * fix(nodejs): improvement logic for package-lock.json v2-v3 (#3877) + * feat(amazon): add al2023 support (#3854) + * chore(deps): bump github.com/cheggaaa/pb/v3 from 3.1.0 to 3.1.2 (#3736) + * docs(misconf): Add information about selectors (#3703) + * docs(cli): update CLI docs with cobra (#3815) + * feat: k8s parallel processing (#3693) + * docs: add DefectDojo in the Security Management section (#3871) + * chore(deps): updates wazero to 1.0.0-rc.2 (#3853) + * refactor: add pipeline (#3868) + * feat(cli): add javadb metadata to version info (#3835) + * chore(deps): Move compliance types to defsec (#3842) + * feat(sbom): add support for CycloneDX JSON Attestation of the correct specification (#3849) + * feat: add node toleration option (#3823) + * fix: allow mapfs to open dirs (#3867) + * fix(report): update uri only for os class targets (#3846) + * feat(nodejs): Add v3 npm lock file support (#3826) + * feat(nodejs): parse package.json files alongside package-lock.json (#2916) + * docs(misconf): Fix links to built in policies (#3841) + +------------------------------------------------------------------- +Tue Mar 14 09:56:08 UTC 2023 - dmueller@suse.com + +- Update to version 0.38.3: + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 + from 1.86.1 to 1.89.1 + * fix(java): skip empty files for jar post analyzer + * fix(docker): build healthcheck command for line without + /bin/sh prefix + * refactor(license): use goyacc for license parser (#3824) + * chore(deps): bump github.com/docker/docker from + 23.0.0-rc.1+incompatible to 23.0.1+incompatible + * fix: populate timeout context to node-collector + * fix: exclude node collector scanning (#3771) + * fix: display correct flag in error message when skipping + java db update #3808 + * fix: disable jar analyzer for scanners other than vuln (#3810) + * fix(sbom): fix incompliant license format for spdx (#3335) + * fix(java): the project props take precedence over the + parent's props (#3320) + * docs: add canary build info to README.md (#3799) + * docs: adding link to gh token generation (#3784) + * docs: changing docs in accordance with #3460 (#3787) + +------------------------------------------------------------------- +Wed Mar 08 11:02:13 UTC 2023 - dmueller@suse.com + +- Update to version 0.38.2: + * chore(deps): bump github.com/moby/buildkit from 0.11.0 to 0.11.4 (#3789) + * chore(deps): bump actions/add-to-project from 0.4.0 to 0.4.1 (#3724) + * fix(license): disable jar analyzer for licence scan only (#3780) + * bump trivy-issue-action to v0.0.0; skip `pkg` dir (#3781) + * fix: skip checking dirs for required post-analyzers (#3773) + * docs: add information about plugin format (#3749) + * fix(sbom): add trivy version to spdx creators tool field (#3756) + +------------------------------------------------------------------- +Thu Mar 02 17:30:50 UTC 2023 - dmueller@suse.com + +- Update to version 0.38.1: + * feat(misconf): Add support to show policy bundle version (#3743) + * fix(python): fix error with optional dependencies in pyproject.toml (#3741) + * chore(deps): bump github.com/aws/aws-sdk-go from 1.44.210 to 1.44.212 (#3740) + * add id for package.json files (#3750) + * chore(deps): bump github.com/containerd/containerd from 1.6.18 to 1.6.19 (#3738) + * chore(deps): bump actions/cache from 3.2.4 to 3.2.6 (#3725) + * chore(deps): bump github.com/google/go-containerregistry (#3731) + * chore(deps): bump go.etcd.io/bbolt from 1.3.6 to 1.3.7 (#3732) + * chore(deps): bump alpine from 3.17.1 to 3.17.2 (#3723) + +------------------------------------------------------------------- +Wed Mar 01 10:38:28 UTC 2023 - dmueller@suse.com + +- Update to version 0.38.0: + * fix(cli): pass integer to exit-on-eol (#3716) + * feat: add kubernetes pss compliance (#3498) + * feat: Adding --module-dir and --enable-modules (#3677) + * feat: add special IDs for filtering secrets (#3702) + * chore(deps): Update defsec (#3713) + * docs(misconf): Add guide on input schema (#3692) + * feat(go): support dependency graph and show only direct dependencies in the tree (#3691) + * feat: docker multi credential support (#3631) + * feat: summarize vulnerabilities in compliance reports (#3651) + * feat(python): parse pyproject.toml alongside poetry.lock (#3695) + * feat(python): add dependency tree for poetry lock file (#3665) + * fix(cyclonedx): incompliant affect ref (#3679) + * chore(helm): update skip-db-update environment variable (#3657) + * fix(spdx): change CreationInfo timestamp format RFC3336Nano to RFC3336 (#3675) + * fix(sbom): export empty dependencies in CycloneDX (#3664) + * docs: java-db air-gap doc tweaks (#3561) + * feat(go): license support (#3683) + * feat(ruby): add dependency tree/location support for Gemfile.lock (#3669) + * fix(k8s): k8s label size (#3678) + * fix(cyclondx): fix array empty value, null to [] (#3676) + * refactor: rewrite gomod analyzer as post-analyzer (#3674) + * feat: config outdated-api result filtered by k8s version (#3578) + * fix: Update to Alpine 3.17.2 (#3655) + * feat: add support for virtual files (#3654) + * feat: add post-analyzers (#3640) + * chore(deps): updates wazero to 1.0.0-pre.9 (#3653) + * chore(deps): bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 (#3528) + * chore(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18 (#3633) + * feat(python): add dependency locations for Pipfile.lock (#3614) + * chore(deps): bump golang.org/x/net from 0.5.0 to 0.7.0 (#3648) + * fix(java): fix groupID selection by ArtifactID for jar files. (#3644) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.63.1 to 1.85.0 (#3607) + * fix(aws): Adding a fix for update-cache flag that is not applied on AWS scans. (#3619) + * feat(cli): add command completion (#3061) + * docs(misconf): update dockerfile link (#3627) + * feat(flag): add exit-on-eosl option (#3423) + * chore(deps): bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.2 (#3533) + * fix(cli): make java db repository configurable (#3595) + * chore: bump trivy-kubernetes (#3613) + +------------------------------------------------------------------- +Wed Feb 15 08:39:40 UTC 2023 - dmueller@suse.com + +- Update to version 0.37.3 (bsc#1208091, CVE-2023-25165): + * chore(helm): update Trivy from v0.36.1 to v0.37.2 (#3574) + * chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#3536) + * chore(deps): bump golang/x/mod to v0.8.0 (#3606) + * chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.5.0 (#3529) + * chore(deps): bump helm.sh/helm/v3 from 3.10.3 to 3.11.1 (#3580) + * ci: quote pros in c++ for semantic pr (#3605) + * fix(image): check proxy settings from env for remote images (#3604) + +------------------------------------------------------------------- +Fri Feb 10 06:19:47 UTC 2023 - kastl@b1-systems.de + +- Update to version 0.37.2: + * BREAKING: use normalized trivy-java-db (#3583) + * fix(image): add timeout for remote images (#3582) + * chore(deps): bump golang.org/x/mod from 0.6.0 to 0.7.0 (#3532) + * chore(deps): bump golang.org/x/text from 0.5.0 to 0.6.0 (#3534) + * fix(misconf): handle dot files better (#3550) + * chore: bump Go to 1.19 (#3551) + * chore(deps): bump alpine from 3.17.0 to 3.17.1 (#3522) + * chore(deps): bump docker/build-push-action from 3 to 4 (#3523) + * chore(deps): bump actions/cache from 3.2.2 to 3.2.4 (#3524) + * chore(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.4.0 (#3525) + * chore(deps): bump aquaproj/aqua-installer from 1.2.0 to 2.0.2 (#3526) + +------------------------------------------------------------------- +Wed Feb 01 16:17:14 UTC 2023 - dmueller@suse.com + +- Update to version 0.37.1: + * fix(sbom): download the Java DB when generating SBOM (#3539) + * fix: use cgo free sqlite driver (#3521) + * ci: fix path to dist folder (#3527) + +------------------------------------------------------------------- +Wed Feb 01 12:09:23 UTC 2023 - dmueller@suse.com + +- Update to version 0.37.0: + * fix(image): close layers (#3517) + * refactor: db client changed (#3515) + * feat(java): use trivy-java-db to get GAV (#3484) + * docs: add note about the limitation in Rekor (#3494) + * docs: aggregate targets (#3503) + * deps: updates wazero to 1.0.0-pre.8 (#3510) + * docs: add alma 9 and rocky 9 to supported os (#3513) + * chore(deps): bump defsec to v0.82.9 (#3512) + * chore: add missing target labels (#3504) + * docs: add java vulnerability page (#3429) + * feat(image): add support for Docker CIS Benchmark (#3496) + * feat(image): secret scanning on container image config (#3495) + * chore(deps): Upgrade defsec to v0.82.8 (#3488) + * feat(image): scan misconfigurations in image config (#3437) + * chore(helm): update Trivy from v0.30.4 to v0.36.1 (#3489) + * feat(k8s): add node info resource (#3482) + * perf(secret): optimize secret scanning memory usage (#3453) + * feat: support aliases in CLI flag, env and config (#3481) + * fix(k8s): migrate rbac k8s (#3459) + * feat(java): add implementationVendor and specificationVendor fields to detect GroupID from MANIFEST.MF (#3480) + * refactor: rename security-checks to scanners (#3467) + * chore: display the troubleshooting URL for the DB denial error (#3474) + * docs: yaml tabs to spaces, auto create namespace (#3469) + * docs: adding show-and-tell template to GH discussions (#3391) + * fix: Fix a temporary file leak in case of error (#3465) + * fix(test): sort cyclonedx components (#3468) + * docs: fixing spelling mistakes (#3462) + * ci: set paths triggering VM tests in PR (#3438) + * docs: typo in --skip-files (#3454) + * feat(custom-forward): Extended advisory data (#3444) + * docs: fix spelling error (#3436) + * refactor(image): extend image config analyzer (#3434) + * fix(nodejs): add ignore protocols to yarn parser (#3433) + * fix(db): check proxy settings when using insecure flag (#3435) + * feat(misconf): Fetch policies from OCI registry (#3015) + * ci: downgrade Go to 1.18 and use stable and oldstable go versions for unit tests (#3413) + * ci: store URLs to Github Releases in RPM repository (#3414) + * feat(server): add support of `skip-db-update` flag for hot db update (#3416) + * chore(deps): bump github.com/moby/buildkit from v0.10.6 to v0.11.0 (#3411) + * fix(image): handle wrong empty layer detection (#3375) + * test: fix integration tests for spdx and cycloneDX (#3412) + * feat(python): Include Conda packages in SBOMs (#3379) + * feat: add support pubspec.lock files for dart (#3344) + * fix(image): parsePlatform is failing with UNAUTHORIZED error (#3326) + * fix(license): change normalize for GPL-3+-WITH-BISON-EXCEPTION (#3405) + * feat(server): log errors on server side (#3397) + * chore(deps): bump defsec to address helm vulnerabilities (#3399) + * docs: rewrite installation docs and general improvements (#3368) + * chore: update code owners (#3393) + * chore: test docs separately from code (#3392) + * docs: use the formula maintained by Homebrew (#3389) + * docs: add `Security Management` section with SonarQube plugin + +------------------------------------------------------------------- +Thu Jan 05 12:08:53 UTC 2023 - dmueller@suse.com + +- Update to version 0.36.1: + * fix(deps): fix errors on yarn.lock files that contain local file reference (#3384) + * feat(flag): early fail when the format is invalid (#3370) + * chore(deps): bump github.com/aws/aws-sdk-go from 1.44.136 to 1.44.171 (#3366) + * docs(aws): fix broken links (#3374) + * chore(deps): bump actions/stale from 6 to 7 (#3360) + * chore(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#3359) + * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.6.0 to 0.7.0 (#2974) + * chore(deps): bump azure/setup-helm from 3.4 to 3.5 (#3358) + * chore(deps): bump github.com/moby/buildkit from 0.10.4 to 0.10.6 (#3173) + * chore(deps): bump goreleaser/goreleaser-action from 3 to 4 (#3357) + * chore(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.14 (#3367) + * chore(go): updates wazero to v1.0.0-pre.7 (#3355) + * chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#3362) + * chore(deps): bump actions/cache from 3.0.11 to 3.2.2 (#3356) + +------------------------------------------------------------------- +Mon Jan 02 08:27:43 UTC 2023 - dmueller@suse.com + +- Update to version 0.36.0: + * docs: improve compliance docs (#3340) + * feat(deps): add yarn lock dependency tree (#3348) + * fix: compliance change id and title naming (#3349) + * feat: add support for mix.lock files for elixir language (#3328) + * feat: add k8s cis bench (#3315) + * test: disable SearchLocalStoreByNameOrDigest test for non-amd64 arch (#3322) + * revert: cache merged layers (#3334) + * feat(cyclonedx): add recommendation (#3336) + * feat(ubuntu): added support ubuntu ESM versions (#1893) + * fix: change logic to build relative paths for skip-dirs and skip-files (#3331) + * chore(deps): bump github.com/hashicorp/golang-lru from 0.5.4 to 2.0.1 (#3265) + * feat: Adding support for Windows testing (#3037) + * feat: add support for Alpine 3.17 (#3319) + * docs: change PodFile.lock to Podfile.lock (#3318) + * fix(sbom): support for the detection of old CycloneDX predicate type (#3316) + * feat(secret): Use .trivyignore for filtering secret scanning result (#3312) + * chore(go): remove experimental FS API usage in Wasm (#3299) + * ci: add workflow to add issues to roadmap project (#3292) + * fix(vuln): include duplicate vulnerabilities with different package paths in the final report (#3275) + * chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#3250) + * feat(sbom): better support for third-party SBOMs (#3262) + * docs: add information about languages with support for dependency locations (#3306) + * feat(vm): add `region` option to vm scan to be able to scan any region's ami and ebs snapshots (#3284) + * chore(deps): bump github.com/Azure/azure-sdk-for-go from 66.0.0+incompatible to 67.1.0+incompatible (#3251) + * fix(vuln): change severity vendor priority for ghsa-ids and vulns from govuln (#3255) + * docs: remove comparisons (#3289) + * feat: add support for Wolfi Linux (#3215) + * ci: add go.mod to canary workflow (#3288) + * feat(python): skip dev dependencies (#3282) + * chore: update ubuntu version for Github action runnners (#3257) + * fix(go): skip dep without Path for go-binaries (#3254) + * feat(rust): add ID for cargo pgks (#3256) + * chore(deps): bump github.com/samber/lo from 1.33.0 to 1.36.0 (#3263) + * chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#3253) + * feat: add support for swift cocoapods lock files (#2956) + * fix(sbom): use proper constants (#3286) + * chore(deps): bump golang.org/x/term from 0.1.0 to 0.3.0 (#3278) + * test(vm): import relevant analyzers (#3285) + * feat: support scan remote repository (#3131) + * docs: fix typo in fluxcd (#3268) + * docs: fix broken "ecosystem" link in readme (#3280) + * feat(misconf): Add compliance check support (#3130) + * docs: Adding Concourse resource for trivy (#3224) + * chore(deps): change golang from 1.19.2 to 1.19 (#3249) + * fix(sbom): duplicate dependson (#3261) + * chore(deps): bump alpine from 3.16.2 to 3.17.0 (#3247) + * chore(go): updates wazero to 1.0.0-pre.4 (#3242) + * feat(report): add dependency locations to sarif format (#3210) + * fix(rpm): add rocky to osVendors (#3241) + * docs: fix a typo (#3236) + * feat(dotnet): add dependency parsing for nuget lock files (#3222) + * docs: add pre-commit hook to community tools (#3203) + * feat(helm): pass arbitrary env vars to trivy (#3208) + +------------------------------------------------------------------- +Mon Nov 28 06:41:54 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.35.0: + * chore(vm): update xfs filesystem parser for change log (#3230) + * feat: add virtual machine scan command (#2910) + * docs: reorganize index and readme (#3026) + * fix: `slowSizeThreshold` should be less than `defaultSizeThreshold` (#3225) + * feat: Export functions for trivy plugin (#3204) + * feat(image): add support wildcard for platform os (#3196) + * fix: load compliance report from file system (#3161) + * fix(suse): use package name to get advisories (#3199) + * docs(image): space issues during image scan (#3190) + * feat(containerd): scan image by digest (#3075) + * fix(vuln): add package name to title (#3183) + * fix: present control status instead of compliance percentage in compliance report (#3181) + * perf(license): remove go-enry/go-license-detector. (#3187) + * fix: workdir command as empty layer (#3087) + * docs: reorganize ecosystem section (#3025) + * feat(dotnet): add support dependency location for dotnet-core files (#3095) + * chore(deps): bump github.com/aws/aws-sdk-go from 1.44.114 to 1.44.136 (#3174) + * chore(deps): bump github.com/testcontainers/testcontainers-go from 0.13.0 to 0.15.0 (#3109) + * feat(dotnet): add support dependency location for nuget lock files (#3032) + * chore: update code owners for misconfigurations (#3176) + * feat: add slow mode (#3084) + * docs: fix typo in enable-builin-rules mentions (#3118) + * feat: Add maintainer field to OS packages (#3149) + * docs: fix some typo (#3171) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.17.8 to 1.18.0 (#3175) + * chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#3112) + * docs: fix links on Built-in Policies page (#3124) + * chore(deps): bump github.com/go-openapi/runtime from 0.24.1 to 0.24.2 (#3117) + * chore(deps): bump github.com/samber/lo from 1.28.2 to 1.33.0 (#3116) + * fix: Perform filepath.Clean first and then filepath.ToSlash for skipFile/skipDirs settings (#3144) + * chore: use newline for semantic pr (#3172) + * chore(deps): bump azure/setup-helm from 3.3 to 3.4 (#3107) + * chore(deps): bump sigstore/cosign-installer from 2.7.0 to 2.8.1 (#3106) + * chore(deps): bump amannn/action-semantic-pull-request from 4 to 5 (#3105) + * chore(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (#3104) + * fix(spdx): rename describes field in spdx (#3102) + * chore: handle GOPATH with several paths in make file (#3092) + * docs(flag): add "rego" configuration file options (#3165) + * chore(go): updates wazero to 1.0.0-pre.3 (#3090) + * chore(deps): bump actions/cache from 3.0.9 to 3.0.11 (#3108) + * docs(license): fix typo inside quick start (#3134) + * chore: update codeowners for docs (#3135) + * fix(cli): exclude --compliance flag from non supported sub-commands (#3158) + * fix: remove --security-checks none from image help (#3156) + * fix: compliance flag description (#3160) + * docs(k8s): fix a typo (#3163) + * chore(deps): bump golang from 1.19.1 to 1.19.2 (#3103) + +------------------------------------------------------------------- +Mon Oct 31 11:51:38 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.34.0: + * feat(vuln): support dependency graph for RHEL/CentOS (#3094) + * feat(vuln): support dependency graph for dpkg and apk (#3093) + * perf(license): enable license classifier only with "--license-full" (#3086) + * feat(report): add secret scanning to ASFF template (#2860) + * feat: Allow override of containerd namespace (#3060) + * fix(vuln): In alpine use Name as SrcName (#3079) + * fix(secret): Alibaba AccessKey ID (#3083) + +------------------------------------------------------------------- +Wed Oct 26 05:22:55 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.33.0: + * refactor(k8s): custom reports (#3076) + * fix(misconf): Bump in-toto-golang with correct CycloneDX predicate (#3068) + * feat(image): add support for passing architecture and OS (#3012) + * test: disable containerd integration tests for non-amd64 arch (#3073) + * feat(server): Add support for client/server mode to rootfs command (#3021) + * feat(vuln): support non-packaged binaries (#3019) + * feat: compliance reports (#2951) + * fix(flag): disable flag parsing for each plugin command (#3074) + * feat(nodejs): add support dependency location for yarn.lock files (#3016) + * chore: Switch github.com/liamg dependencies to github.com/aquasecurity (#3069) + * feat: add k8s components (#2589) + * fix(secret): update the regex for secrets scanning (#2964) + * chore(deps): bump github.com/samber/lo from 1.27.1 to 1.28.2 (#2979) + * fix: bump trivy-kubernetes (#3064) + * docs: fix missing 'image' subcommand (#3051) + * chore: Patch golang x/text vulnerability (#3046) + * chore: add licensed project logo (#3058) + * feat(ubuntu): set Ubuntu 22.10 EOL (#3054) + * refactor(analyzer): use strings.TrimSuffix instead of strings.HasSuffix (#3028) + * feat(report): Use understandable value for shortDescription in SARIF reports (#3009) + * docs(misconf): fix typo (#3043) + * feat: add support for scanning azure ARM (#3011) + * feat(report): add location.message to SARIF output (#3002) (#3003) + * chore(deps): bump github.com/aws/aws-sdk-go from 1.44.95 to 1.44.109 (#2980) + * feat(nodejs): add dependency line numbers for npm lock files (#2932) + * test(fs): add `--skip-files`, `--skip-dirs` (#2984) + * docs: add Woodpecker CI integrations example (#2823) + * chore(deps): bump github.com/sigstore/rekor from 0.12.0 to 0.12.2 (#2981) + * chore(deps): bump github.com/liamg/memoryfs from 1.4.2 to 1.4.3 (#2976) + * chore(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 (#2975) + * chore(deps): bump github.com/caarlos0/env/v6 from 6.10.0 to 6.10.1 (#2982) + * fix(sbom): ref generation if serialNumber is empty when input is cyclonedx file (#3000) + * fix(java): don't stop parsing jar file when wrong inner jar is found (#2989) + * fix(sbom): use nuget purl type for dotnet-core (#2990) + * perf: retrieve rekor entries in bulk (#2987) + * feat(aws): Custom rego policies for AWS scanning (#2994) + * docs: jq cli formatting (#2881) + * docs(repo): troubleshooting $TMPDIR customization (#2985) + * chore(deps): bump actions/cache from 3.0.8 to 3.0.9 (#2969) + * chore(deps): bump actions/stale from 5 to 6 (#2970) + * chore(deps): bump sigstore/cosign-installer from 2.5.1 to 2.7.0 (#2971) + * chore(deps): bump helm/chart-testing-action from 2.3.0 to 2.3.1 (#2972) + * chore(deps): bump helm/kind-action from 1.3.0 to 1.4.0 (#2973) + * chore: run `go fmt` (#2897) + * chore(go): updates wazero to 1.0.0-pre.2 (#2955) + * fix(aws): Less function for slice sorting always returns false #2967 + * fix(java): fix unmarshal pom exclusions (#2936) + +------------------------------------------------------------------- +Wed Sep 28 13:42:03 UTC 2022 - dmueller@suse.com + +- Update to version 0.32.1: + * fix(java): use fields of dependency from dependencyManagement from upper pom.xml to parse deps (#2943) + * chore: expat lib and go binary deps vulns (#2940) + * wasm: Removes accidentally exported memory (#2950) + * fix(sbom): fix package name separation for gradle (#2906) + * docs(readme.md): fix broken integrations link (#2931) + * fix(image): handle images with single layer in rescan mergedLayers cache (#2927) + * fix(cli): split env values with ',' for slice flags (#2926) + * fix(cli): config/helm: also take into account files with `.yml` (#2928) + * fix(flag): add file-patterns flag for config subcommand (#2925) + * chore(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.43.1 (#2902) + +------------------------------------------------------------------- +Mon Sep 19 07:17:00 UTC 2022 - dmueller@suse.com + +- Update to version 0.32.0: + * docs: add Rekor SBOM attestation scanning (#2893) + * chore: narrow the owner scope (#2894) + * fix: remove a patch number from the recommendation link (#2891) + * fix: enable parsing of UUID-only rekor entry ID (#2887) + * docs(sbom): add SPDX scanning (#2885) + * docs: restructure docs and add tutorials (#2883) + * feat(sbom): scan sbom attestation in the rekor record (#2699) + * feat(k8s): support outdated-api (#2877) + * chore(deps): bump github.com/moby/buildkit from 0.10.3 to 0.10.4 (#2815) + * fix(c): support revisions in Conan parser (#2878) + * feat: dynamic links support for scan results (#2838) + * chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 (#2818) + * docs: update archlinux commands (#2876) + * feat(secret): add line from dockerfile where secret was added to secret result (#2780) + * feat(sbom): Add unmarshal for spdx (#2868) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#2827) + * fix: revert asff arn and add documentation (#2852) + * docs: batch-import-findings limit (#2851) + * chore(deps): bump golang from 1.19.0 to 1.19.1 (#2872) + * feat(sbom): Add marshal for spdx (#2867) + * build: checkout before setting up Go (#2873) + * chore: bump Go to 1.19 (#2861) + * docs: azure doc and trivy (#2869) + * fix: Scan tarr'd dependencies (#2857) + * chore(helm): helm test with ingress (#2630) + * feat(report): add secrets to sarif format (#2820) + * chore(deps): bump azure/setup-helm from 1.1 to 3.3 (#2807) + * refactor: add a new interface for initializing analyzers (#2835) + * chore(deps): bump github.com/aws/aws-sdk-go from 1.44.77 to 1.44.92 (#2840) + * fix: update ProductArn with account id (#2782) + * feat(helm): make cache TTL configurable (#2798) + * build(): Sign releaser artifacts, not only container manifests (#2789) + * chore: improve doc about azure devops (#2795) + * chore(deps): bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (#2804) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#2825) + * docs: don't push patch versions (#2824) + * feat: add support for conan.lock file (#2779) + * feat: cache merged layers + * chore(deps): bump helm/chart-testing-action from 2.2.1 to 2.3.0 (#2805) + * chore(deps): bump actions/cache from 3.0.5 to 3.0.8 (#2806) + * chore(deps): bump github.com/caarlos0/env/v6 from 6.9.3 to 6.10.0 (#2811) + * chore(deps): bump github.com/aquasecurity/table from 1.7.2 to 1.8.0 (#2810) + * chore(deps): bump github.com/samber/lo from 1.27.0 to 1.27.1 (#2808) + * chore(deps): bump github.com/alicebob/miniredis/v2 from 2.22.0 to 2.23.0 (#2814) + * feat: add support for gradle.lockfile (#2759) + * chore(mod): updates wazero to 1.0.0-pre.1 #2791 + * feat: move file patterns to a global level to be able to use it on any analyzer (#2539) + * Fix url validaton failures (#2783) + * fix(image): add logic to detect empty layers (#2790) + * feat(rust): add dependency graph from Rust binaries (#2771) + +------------------------------------------------------------------- +Mon Sep 05 12:12:16 UTC 2022 - dmueller@suse.com + +- Update to version 0.31.3: + * fix: handle empty OS family (#2768) + * fix: fix k8s summary report (#2777) + * fix: don't skip packages that don't contain vulns, when using --list-all-pkgs flag (#2767) + * chore: bump trivy-kubernetes (#2770) + * fix(secret): Consider secrets in rpc calls (#2753) + * fix(java): check depManagement from upper pom's (#2747) + * fix(php): skip `composer.lock` inside `vendor` folder (#2718) + * fix: fix k8s rbac filter (#2765) + * feat(misconf): skipping misconfigurations by AVD ID (#2743) + * chore(deps): Upgrade Alpine to 3.16.2 to fix zlib issue (#2741) + * docs: add MacPorts install instructions (#2727) + * docs: typo (#2730) + +------------------------------------------------------------------- +Tue Aug 16 19:32:37 UTC 2022 - dmueller@suse.com + +- Update to version 0.31.2: + * fix: Correctly handle recoverable AWS scanning errors (#2726) + * docs: Remove reference to SecurityAudit policy for AWS scanning (#2721) + +------------------------------------------------------------------- +Tue Aug 16 13:32:11 UTC 2022 - dmueller@suse.com + +- Update to version 0.31.1: + * fix: upgrade defsec to v0.71.7 for elb scan panic (#2720) + +------------------------------------------------------------------- +Tue Aug 16 12:02:47 UTC 2022 - dmueller@suse.com + +- Update to version 0.31.0: + * fix(flag): add error when there are no supported security checks (#2713) + * fix(vuln): continue scanning when no vuln found in the first application (#2712) + * revert: add new classes for vulnerabilities (#2701) + * feat(secret): detect secrets removed or overwritten in upper layer (#2611) + * fix(cli): secret scanning perf link fix (#2607) + * chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.12.0 (#2650) + * feat: Add AWS Cloud scanning (#2493) + * docs: specify the type when verifying an attestation (#2697) + * docs(sbom): improve SBOM docs by adding a description for scanning SBOM attestation (#2690) + * fix(rpc): scanResponse rpc conversion for custom resources (#2692) + * feat(rust): Add support for cargo-auditable (#2675) + * feat: Support passing value overrides for configuration checks (#2679) + * feat(sbom): add support for scanning a sbom attestation (#2652) + * chore(image): skip symlinks and hardlinks from tar scan (#2634) + * fix(report): Update junit.tpl (#2677) + * fix(cyclonedx): add nil check to metadata.component (#2673) + * docs(secret): fix missing and broken links (#2674) + * refactor(cyclonedx): implement json.Unmarshaler (#2662) + * chore(deps): bump github.com/aquasecurity/table from 1.6.0 to 1.7.2 (#2643) + * chore(deps): bump github.com/Azure/go-autorest/autorest (#2642) + * feat(kubernetes): add option to specify kubeconfig file path (#2576) + * docs: follow Debian's "instructions to connect to a third-party repository" (#2511) + * chore(deps): bump github.com/google/licenseclassifier/v2 (#2644) + * chore(deps): bump github.com/samber/lo from 1.24.0 to 1.27.0 (#2645) + * chore(deps): bump github.com/Azure/go-autorest/autorest/adal (#2647) + * chore(deps): bump github.com/cheggaaa/pb/v3 from 3.0.8 to 3.1.0 (#2646) + * chore(deps): bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (#2641) + * chore(deps): bump actions/cache from 3.0.4 to 3.0.5 (#2640) + * chore(deps): bump alpine from 3.16.0 to 3.16.1 (#2639) + * chore(deps): bump golang from 1.18.3 to 1.18.4 (#2638) + * chore(deps): bump github.com/aws/aws-sdk-go from 1.44.48 to 1.44.66 (#2648) + * chore(deps): bump github.com/open-policy-agent/opa from 0.42.0 to 0.43.0 (#2649) + * chore(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (#2651) + * feat(alma): set AlmaLinux 9 EOL (#2653) + * fix(misconf): Allow quotes in Dockerfile WORKDIR when detecting relative dirs (#2636) + * test(misconf): add tests for misconf handler for dockerfiles (#2621) + * feat(oracle): set Oracle Linux 9 EOL (#2635) + * BREAKING: add new classes for vulnerabilities (#2541) + * fix(secret): add newline escaping for asymmetric private key (#2532) + * docs: improve formatting (#2572) + * feat(helm): allows users to define an existing secret for tokens (#2587) + * docs(mariner): use tdnf in fs usage example (#2616) + * docs: remove unnecessary double quotation marks (#2609) + * fix: Fix --file-patterns flag (#2625) + * feat(report): add support for Cosign vulnerability attestation (#2567) + * docs(mariner): use v2.0 in examples (#2602) + * feat(report): add secrets template for codequality report (#2461) + +------------------------------------------------------------------- +Wed Jul 27 06:38:26 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.30.4: + * fix: remove the first arg when running as a plugin (#2595) + * fix: k8s controlplaner scanning (#2593) + * fix(vuln): GitLab report template (#2578) + +------------------------------------------------------------------- +Tue Jul 26 11:29:36 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.30.3: + * fix(server): use a new db worker for hot updates (#2581) + * docs: add trivy with download-db-only flag to Air-Gapped Environment (#2583) + * docs: split commands to download db for different versions of oras (#2582) + * feat(report): export exitcode for license checks (#2564) + * fix: cli can use lowercase for severities (#2565) + * fix: allow subcommands with TRIVY_RUN_AS_PLUGIN (#2577) + * fix: add missing types in TypeOSes and TypeLanguages in analyzer (#2569) + * fix: enable some features of the wasm runtime (#2575) + * fix(k8s): no error logged if trivy can't get docker image in kubernetes mode (#2521) + * docs(sbom): improve sbom attestation documentation (#2566) + +------------------------------------------------------------------- +Thu Jul 21 13:21:11 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.30.2: + * fix(report): show the summary without results (#2548) + * fix(cli): replace '-' to '_' for env vars (#2561) + +------------------------------------------------------------------- +Wed Jul 20 12:20:52 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.30.1: + * chore: remove a test repository (#2551) + * fix(license): lazy loading of classifiers (#2547) + * fix: CVE-2022-1996 in Trivy (#2499) + * docs(sbom): add sbom attestation (#2527) + * feat(rocky): set Rocky Linux 9 EOL (#2543) + * docs: add attributes to the video tag to autoplay demo videos (#2538) + * fix: yaml files with non-string chart name (#2534) + * fix: skip dirs (#2530) + * feat(repo): add support for branch, commit, & tag (#2494) + * fix: remove auto configure environment variables via viper (#2526) + +------------------------------------------------------------------- +Sat Jul 16 19:28:03 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.30.0: + * fix: separating multiple licenses from one line in dpkg copyright files (#2508) + * fix: change a capital letter for `plugin uninstall` subcommand (#2519) + * fix: k8s hide empty report when scanning resource (#2517) + * refactor: fix comments (#2516) + * fix: scan vendor dir (#2515) + * feat: Add support for license scanning (#2418) + * chore: add owners for secret scanning (#2485) + * fix: remove dependency-tree flag for image subcommand (#2492) + * fix(k8s): add shorthand for k8s namespace flag (#2495) + * docs: add information about using multiple servers to troubleshooting (#2498) + * ci: add pushing canary build images to registries (#2428) + * chore(deps): bump github.com/open-policy-agent/opa from 0.41.0 to 0.42.0 (#2479) + * feat(dotnet): add support for .Net core .deps.json files (#2487) + * feat(amazon): add support for 2022 version (#2429) + * Type correction bitnami chart (#2415) + * chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.1.1 to 2.1.2 (#2449) + * chore(deps): bump github.com/aquasecurity/table from 1.5.1 to 1.6.0 (#2446) + * docs: add config file and update CLI references (#2489) + * feat: add support for flag groups (#2488) + * refactor: move from urfave/cli to spf13/cobra (#2458) + * fix: Fix secrets output not containing file/lines (#2467) + * fix: clear output with modules (#2478) + * chore(deps): bump github.com/mailru/easyjson from 0.7.6 to 0.7.7 (#2448) + * docs(cbl): distroless 1.0 supported (#2473) + * fix: Fix example dockerfile rego policy (#2460) + * fix(config): add helm to list of config analyzers (#2457) + * feat: k8s resouces scan (#2395) + * feat(sbom): add cyclonedx sbom scan (#2203) + * chore(deps): bump wazero to latest main (#2436) + * chore(deps): bump github.com/stretchr/testify from 1.7.3 to 1.8.0 (#2444) + * chore(deps): bump github.com/alicebob/miniredis/v2 from 2.21.0 to 2.22.0 (#2445) + * chore(deps): bump sigstore/cosign-installer from 2.3.0 to 2.4.1 (#2442) + * chore(deps): bump actions/setup-python from 3 to 4 (#2441) + * chore(deps): bump github.com/Azure/azure-sdk-for-go (#2450) + * docs: remove links to removed content (#2431) + * ci: added rpm build for rhel 9 (#2437) + * fix(secret): remove space from asymmetric private key (#2434) + * chore(deps): bump actions/cache from 3.0.2 to 3.0.4 (#2440) + * chore(deps): bump helm/kind-action from 1.2.0 to 1.3.0 (#2439) + * chore(deps): bump golang from 1.18.2 to 1.18.3 (#2438) + * chore(deps): bump github.com/aws/aws-sdk-go from 1.44.25 to 1.44.46 (#2447) + * test(integration): fix golden files for debian 9 (#2435) + * fix(cli): fix version string in docs link when secret scanning is enabled (#2422) + * refactor: move CycloneDX marshaling (#2420) + * docs(nodejs): add docs about pnpm support (#2423) + * docs: improve k8s usage documentation (#2425) + * feat: Make secrets scanning output consistant (#2410) + * ci: create canary build after main branch changes (#1638) + * fix(misconf): skip broken scans (#2396) + * feat(nodejs): add pnpm support (#2414) + * fix: Fix false positive for use of COS images (#2413) + * eliminate nerdctl dependency (#2412) + * Add EOL date for SUSE SLES 15.3, 15.4 and OpenSUSE 15.4 (#2403) + * fix(go): no cast to lowercase go package names (#2401) + * BREAKING(sbom): change 'trivy sbom' to scan SBOM (#2408) + * fix(server): hot update the db from custom repository (#2406) + * feat: added license parser for dpkg (#2381) + * chore(helm): bump appVersion to latest release (#2397) + * fix(misconf): Update defsec (v0.68.5) to fix docker rego duplicate key (#2400) + * feat: extract stripe publishable and secret keys (#2392) + * feat: rbac support k8s sub-command (#2339) + * feat(ruby): drop platform strings from dependency versions bundled with bundler v2 (#2390) + * docs: Updating README with new CLI command (#2359) + * fix(misconf): Update defsec to v0.68.4 to resolve CF detection bug (#2383) + * chore: add integration label and merge security label (#2316) + +------------------------------------------------------------------- +Fri Jul 08 07:31:17 UTC 2022 - dmueller@suse.com + +- Update to version 0.29.2: + * chore: skip Visual Studio Code project folder (#2379) + * fix(helm): handle charts with templated names (#2374) + * docs: redirect operator docs to trivy-operator repo (#2372) + * fix(secret): use secret result when determining Failed status (#2370) + * try removing libdb-dev + * run integration tests in fanal + * use same testing images in fanal + * feat(helm): add support for trivy dbRepository (#2345) + * fix: Fix failing test due to deref lint issue + * test: Fix broken test + * fix: Fix makefile when no previous named ref is visible in a shallow clone + * chore: Fix linting issues in fanal + * refactor: Fix fanal import paths and remove dotfiles + * chore: bump defsec version v0.68.1 + +------------------------------------------------------------------- +Wed Jun 22 11:15:35 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.29.1: + * fix(report): add required fields to the SARIF template (#2341) + * chore: fix spelling errors (#2352) + * Omit Remediation if PrimaryURL is empty (#2006) + * docs(repo): Link to installation documentation in readme shows 404 (#2348) + * feat(alma): support for scanning of modular packages for AlmaLinux (#2347) + +------------------------------------------------------------------- +Wed Jun 22 08:31:01 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.29.0: + * fix(lang): fix dependency graph in client server mode (#2336) + * feat: allow expiration date for .trivyignore entries (#2332) + * feat(lang): add dependency origin graph (#1970) + * docs: update nix installation info (#2331) + * feat: add rbac scanning support (#2328) + * refactor: move WordPress module to another repository (#2329) + * ci: add support for ppc64le (#2281) + * feat: add support for WASM modules (#2195) + * feat(secret): show recommendation for slow scanning (#2051) + * fix(flag): remove --clear-cache flag client mode (#2301) + * fix(java): added check for looping for variable evaluation in pom file (#2322) + * BREAKING(k8s): change CLI API (#2186) + * feat(alpine): add Alpine Linux 3.16 (#2319) + * docs: bump trivy-operator to v0.0.7 (#2320) + * ci: add `go mod tidy` check (#2314) + * chore: run `go mod tidy` (#2313) + * fix: do not exit if one resource is not found (#2311) + * feat(cli): use stderr for all log messages (resolve #381) (#2289) + * test: replace deprecated subcommand client in integration tests (#2308) + * feat: add support for containerd (#2305) + * fix(kubernetes): Support floats in manifest yaml (#2297) + * docs(kubernetes): dead links (#2307) + * chore: add license label (#2304) + * feat(mariner): added support for CBL-Mariner Distroless v2.0 (#2293) + * feat(helm): add pod annotations (#2272) + * refactor: do not import defsec in fanal types package (#2292) + * feat(report): Add misconfiguration support to ASFF report template (#2285) + * test: use images in GHCR (#2275) + * feat(helm): support pod annotations (#2265) + * feat(misconf): Helm chart scanning (#2269) + * docs: Update custom rego policy docs to reflect latest defsec/fanal changes (#2267) + * fix: mask redis credentials when logging (#2264) + * refactor: extract commands Runner interface (#2147) + * chore(deps): bump alpine from 3.15.4 to 3.16.0 (#2234) + * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.2 to 0.6.0 (#2245) + * docs: update operator release (#2263) + * chore(deps): bump github.com/urfave/cli/v2 from 2.6.0 to 2.8.1 (#2243) + * feat(redhat): added architecture check (#2172) + * docs: updating links in the docs to work again (#2256) + * docs: fix readme (#2251) + * fix: fixed incorrect CycloneDX output format (#2255) + * chore(deps): bump github.com/caarlos0/env/v6 from 6.9.1 to 6.9.3 (#2241) + * chore(deps): bump github.com/samber/lo from 1.19.0 to 1.21.0 (#2242) + * chore(deps): bump goreleaser/goreleaser-action from 2 to 3 (#2240) + * chore(deps): bump docker/setup-buildx-action from 1 to 2 (#2238) + * chore(deps): bump docker/setup-qemu-action from 1 to 2 (#2236) + * chore(deps): bump golang from 1.18.1 to 1.18.2 (#2235) + * chore(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#2237) + * chore(deps): bump docker/login-action from 1 to 2 (#2239) + * chore(deps): bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.1 (#2246) + * refactor(deps): move dependencies to package (#2189) + * fix(report): change github format version to required (#2229) + * docs: update readme (#2110) + * docs: added information about choosing advisory database (#2212) + * chore: update trivy-kubernetes (#2224) + * docs: clarifying parts of the k8s docs and updating links (#2222) + * fix(k8s): timeout error logging (#2179) + * chore(deps): updated fanal after fix AsymmetricPrivateKeys (#2214) + * feat(k8s): add --context flag (#2171) + * fix(k8s): properly instantiate TableWriter (#2175) + * test: fixed integration tests after updating testcontainers to v0.13.0 (#2208) + * chore: update labels (#2197) + * fix(report): fixed panic if all misconf reports were removed in filter (#2188) + * feat(k8s): scan secrets (#2178) + * feat(report): GitHub Dependency Snapshots support (#1522) + * feat(db): added insecure skip tls verify to download trivy db (#2140) + * fix(redhat): always use vulns with fixed version if there is one (#2165) + * chore(redhat): Add support for Red Hat UBI 9. (#2183) + * fix(k8s): update trivy-kubernetes (#2163) + * fix misconfig start line for code quality tpl (#2181) + * fix: update docker/distribution from 2.8.0 to 2.8.1 (#2176) + * docs(vuln): Include GitLab 15.0 integration (#2153) + * docs: fix the operator version (#2167) + * fix(k8s): summary report when when only vulns exit (#2146) + * chore(deps): Update fanal to get defsec v0.58.2 (fixes false positives in ksv038) (#2156) + * perf(misconf): Improve performance when scanning very large files (#2152) + * docs(misconf): Update examples and docs to refer to builtin/defsec instead of appshield (#2150) + * chore(deps): Update fanal (for less verbose code in misconf results) (#2151) + * docs: fixed installation instruction for rhel/centos (#2143) + +------------------------------------------------------------------- +Mon May 23 06:14:37 UTC 2022 - dmueller@suse.com + +- Update to version 0.28.0 (bsc#1199760, CVE-2022-28946): + * fix: remove Highlighted from json output (#2131) + * fix: remove trivy-kubernetes replace (#2132) + * docs: Add Operator docs under Kubernetes section (#2111) + * fix(k8s): security-checks panic (#2127) + * ci: added k8s scope (#2130) + * docs: Update misconfig output in examples (#2128) + * fix(misconf): Fix coloured output in Goland terminal (#2126) + * docs(secret): Fix default value of --security-checks in docs (#2107) + * refactor(report): move colorize function from trivy-db (#2122) + * feat: k8s resource scanning (#2118) + * chore: add CODEOWNERS (#2121) + * feat(image): add `--server` option for remote scans (#1871) + * refactor: k8s (#2116) + * refactor: export useful APIs (#2108) + * docs: fix k8s doc (#2114) + * feat(kubernetes): Add report flag for summary (#2112) + * fix: Remove problematic advanced rego policies (#2113) + * feat(misconf): Add special output format for misconfigurations (#2100) + * feat: add k8s subcommand (#2065) + * chore: fix make lint version (#2102) + * fix(java): handle relative pom modules (#2101) + * fix(misconf): Add missing links for non-rego misconfig results (#2094) + * feat(misconf): Added fs.FS based scanning via latest defsec (#2084) + * chore(deps): bump trivy-issue-action to v0.0.4 (#2091) + * chore(deps): bump github.com/twitchtv/twirp (#2077) + * chore(deps): bump github.com/urfave/cli/v2 from 2.4.0 to 2.5.1 (#2074) + * chore(os): updated fanal version and alpine distroless test (#2086) + * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.1 to 0.5.2 (#2075) + * chore(deps): bump github.com/samber/lo from 1.16.0 to 1.19.0 (#2076) + * feat(report): add support for SPDX (#2059) + * chore(deps): bump actions/setup-go from 2 to 3 (#2073) + * chore(deps): bump actions/cache from 3.0.1 to 3.0.2 (#2071) + * chore(deps): bump golang from 1.18.0 to 1.18.1 (#2069) + * chore(deps): bump actions/stale from 4 to 5 (#2070) + * chore(deps): bump sigstore/cosign-installer from 2.0.0 to 2.3.0 (#2072) + * chore(deps): bump github.com/open-policy-agent/opa from 0.39.0 to 0.40.0 (#2079) + * chore: app version 0.27.0 (#2046) + * fix(misconf): added to skip conf files if their scanning is not enabled (#2066) + * docs(secret) fix rule path in docs (#2061) + * docs: change from go.sum to go.mod (#2056) + +------------------------------------------------------------------- +Wed Apr 27 12:40:06 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.27.1: + * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.0 to 0.5.1 (#1926) + * refactor(fs): scanner options (#2050) + * feat(secret): truncate long line (#2052) + * docs: fix a broken bullets (#2042) + * feat(ubuntu): add 22.04 approx eol date (#2044) + * docs: update installation.md (#2027) + * docs: add Containerfile (#2032) + +------------------------------------------------------------------- +Tue Apr 26 06:18:23 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.27.0: + * fix(go): fixed panic to scan gomod without version (#2038) + * docs(mariner): confirm it works with Mariner 2.0 VM (#2036) + * feat(secret): support enable rules (#2035) + * chore: app version 26.0 (#2030) + * docs(secret): add a demo movie (#2031) + * feat: support cache TTL in Redis (#2021) + * fix(go): skip system installed binaries (#2028) + * fix(go): check if go.sum is nil (#2029) + * feat: add secret scanning (#1901) + * chore: gh publish only with push the tag release (#2025) + * fix(fs): ignore permission errors (#2022) + * test(mod): using correct module inside test go.mod (#2020) + * feat(server): re-add proxy support for client/server communications (#1995) + * fix(report): truncate a description before escaping in ASFF template (#2004) + * fix(cloudformation): correct margin removal for empty lines (#2002) + * fix(template): correct check of old sarif template files (#2003) + +------------------------------------------------------------------- +Sat Apr 16 09:04:55 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.26.0: + * feat(alpine): warn mixing versions (#2000) + * Update ASFF template (#1914) + * chore(deps): replace `containerd/containerd` version to fix CVE-2022-23648 (#1994) + * chore(deps): bump alpine from 3.15.3 to 3.15.4 (#1993) + * test(go): add integration tests for gomod (#1989) + * fix(python): fixed panic when scan .egg archive (#1992) + * fix(go): set correct go modules type (#1990) + * feat(alpine): support apk repositories (#1987) + * docs: add CBL-Mariner (#1982) + * docs(go): fix version (#1986) + * feat(go): support go.mod in Go 1.17+ (#1985) + * ci: fix URLs in the PR template (#1972) + * ci: add semantic pull requests check (#1968) + * docs(issue): added docs for wrong detection issues (#1961) + +------------------------------------------------------------------- +Thu Apr 14 20:12:09 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.25.4: + * docs: move CONTRIBUTING.md to docs (#1971) + * refactor(table): use file name instead package path (#1966) + * fix(sbom): add --db-repository (#1964) + * feat(table): add PkgPath in table result (#1960) + * fix(pom): merge multiple pom imports in a good manner (#1959) + +------------------------------------------------------------------- +Wed Apr 06 07:35:16 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.25.3: + * fix(downloadDB): add dbRepositoryFlag to repository and rootfs commands (#1956) + * fix(misconf): update BurntSushi/toml for fix runtime error (#1948) + * fix(misconf): Update fanal/defsec to resolve missing metadata issues (#1947) + * feat(jar): allow setting Maven Central URL using environment variable (#1939) + * chore(chart): update Trivy version in HelmChart to 0.25.0 (#1931) + * chore(chart): remove version comments (#1933) + +------------------------------------------------------------------- +Wed Apr 06 07:32:54 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.25.2: + * fix(downloadDB): add flag to server command (#1942) + +------------------------------------------------------------------- +Tue Apr 05 06:52:40 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.25.1: + * fix(misconf): update defsec to resolve panics (#1935) + * chore(deps): bump github.com/docker/docker (#1924) + * docs: restructure the documentation (#1887) + * chore(deps): bump github.com/urfave/cli/v2 from 2.3.0 to 2.4.0 (#1923) + * chore(deps): bump actions/cache from 2 to 3.0.1 (#1920) + * chore(deps): bump actions/checkout from 2 to 3 (#1916) + * chore(deps): bump github.com/open-policy-agent/opa from 0.37.2 to 0.39.0 (#1921) + * chore(deps): bump sigstore/cosign-installer from 2.0.0 to 2.1.0 (#1919) + * chore(deps): bump helm/chart-testing-action from 2.2.0 to 2.2.1 (#1918) + * chore(deps): bump golang from 1.17 to 1.18.0 (#1915) + * Add trivy horizontal logo (#1932) + * chore(deps): bump alpine from 3.15.0 to 3.15.3 (#1917) + * chore(deps): bump github.com/go-redis/redis/v8 from 8.11.4 to 8.11.5 (#1925) + * chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (#1927) + * feat(db): Add dbRepository flag to get advisory database from OCI registry (#1873) + +------------------------------------------------------------------- +Fri Apr 1 07:30:58 UTC 2022 - Johannes Kastl + +- Buildrequire go1.18 as upstream says in go.mod + +------------------------------------------------------------------- +Fri Apr 01 07:03:41 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.25.0: + * docs(filter vulnerabilities): fix link (#1880) + * feat(template) Add misconfigurations to gitlab codequality report (#1756) + * fix(rpc): add PkgPath field to client / server mode (#1643) + * fix(vulnerabilities): fixed trivy-db vulns (#1883) + * feat(cache): remove temporary cache after filesystem scanning (#1868) + * feat(sbom): add a dedicated sbom command (#1799) + * feat(cyclonedx): add vulnerabilities (#1832) + * fix(option): hide false warning about remote options (#1865) + * chore: bump up Go to 1.18 (#1862) + * feat(filesystem): scan in client/server mode (#1829) + * refactor(template): remove unused test (#1861) + * fix(cli): json format for trivy version (#1854) + * docs: change URL for tfsec-checks (#1857) + +------------------------------------------------------------------- +Tue Mar 22 10:46:08 UTC 2022 - Dirk Müller + +- tie to go.17 as 1.18 became available + +------------------------------------------------------------------- +Fri Mar 18 10:21:14 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.24.4: + * fix(docker): Getting images without a tag (#1852) + * docs(gitlab-ci): Use environment variables TRIVY_CACHE_DIR and TRIVY_NO_PROGRESS (#1801) + +------------------------------------------------------------------- +Thu Mar 17 10:14:45 UTC 2022 - Johannes Kastl + +- BuildRequire go1.17 + +------------------------------------------------------------------- +Wed Mar 16 18:04:55 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.24.3: + * chore(issue labels): added new labels (#1839) + * refactor: clarify db update warning messages (#1808) + * chore(ci): change trivy vulnerability scan for every day (#1838) + * feat(helm): make Trivy service name configurable (#1825) + * chore(deps): updated sprig to version v3.2.2. (#1814) + * chore(deps): updated testcontainers-go to version v0.12.0 (#1822) + * docs: add packages.config for .NET (#1823) + * build: sign container image (#1668) + * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.4.0 to 0.5.0 (#1778) + * docs: fix Installation documentation (#1804) + * fix(report): ensure json report got a final new line (#1797) + * fix(terraform): resolve panics in defsec (#1811) + * feat(docker): Label images based on OCI image spec (#1793) + * fix(helm): indentation for ServiceAccount annotations (#1795) + * fix(hcl): fix panic in hcl2json (#1791) + * chore(helm): remove psp from helm manifest (#1315) + * build: Replace `make protoc` with `for loop` to return an error (#1655) + * fix: ASFF template to match ASFF schema (#1685) + * feat(helm): Add support for server token (#1734) + +------------------------------------------------------------------- +Thu Mar 03 13:38:37 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.24.2: + * fix(pom): keep an order of dependencies (#1784) + * chore: bump up Go to 1.17 (#1781) + * chore(deps): bump actions/setup-python from 2 to 3 (#1776) + * chore(deps): bump golangci/golangci-lint-action from 2 to 3.1.0 (#1777) + +------------------------------------------------------------------- +Sun Feb 27 17:12:56 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.24.1: + * fix(python): correct handling pip package names with a hyphen (#1771) + * doc(docker): fix command to run trivy with docker on linux (#1761) + * feat(helm): Add support for custom labels (#1767) + * chore(helm): bump chart to trivy 0.24.0 (#1762) + * docs: remove erroneous command (#1763) + +------------------------------------------------------------------- +Wed Feb 23 16:09:07 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.24.0: + * chore(deps): bump github.com/spf13/afero from 1.6.0 to 1.8.1 (#1708) + * fix(option): warn list-all-pkgs only with the table format (#1755) + * feat(option): warn "--list-all-pkgs" with "--format table" (#1632) + * feat(report): add support for CycloneDX (#1081) + * chore(deps): update the defsec and tfsec versions (#1747) + * fix(scanner): fix skip of language-specific files when scanning rootf… (#1751) + * chore(deps): bump github.com/google/wire from 0.4.0 to 0.5.0 (#1712) + * feat(report): considering App.Writer when printing results (#1722) + * chore(deps): replace `satori` version and skipping examples folder (#1745) + * build: add s390x container images (#1726) + * feat(template) Add misconfigurations to junit report (#1724) + * chore(deps): bump github.com/twitchtv/twirp (#1709) + * feat(client): configure TLS InsecureSkipVerify for server connection (#1287) + * fix(rpc): Supports RPC calls for new identifier CustomResource (#1605) + * chore(deps): bump go.uber.org/zap from 1.20.0 to 1.21.0 (#1705) + * chore(deps): bump github.com/caarlos0/env/v6 from 6.0.0 to 6.9.1 (#1707) + * feat(helm): Parameterise ServiceAccount annotations (#1677) + * chore(deps): bump github.com/hashicorp/go-getter from 1.5.2 to 1.5.11 (#1710) + * chore(deps): bump github.com/cheggaaa/pb/v3 from 3.0.3 to 3.0.8 (#1704) + * chore(deps): bump github.com/open-policy-agent/opa from 0.36.1 to 0.37.2 (#1711) + * chore(dependabot): enable gomod monthly (#1699) + * fix(gitlab tpl): escape double quote (#1635) + * build: Make `make protoc` be consistent (#1682) + * feat(purl): add generate purl package utilities (#1574) + * refactor: move result structs under types (#1696) + * feat(mariner): add support for CBL-Mariner 2.0 (#1694) + * docs(gitlab-ci): fix Script in GitLab CI Example #1688 + * chore: Upgrade helm chart version (#1683) + * chore(mod): update Go dependencies (#1681) + * docs: fix typos in markdown docs (#1674) + * docs: update documentation for image scanning of tar files to use a tag present on Docker Hub (#1671) + * fix(repo): --no-progress suppresses git output (#1669) + +------------------------------------------------------------------- +Tue Feb 01 07:14:27 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.23.0: + * docs: add ACR navigator (#1651) + * fix: update example Rego files and docs (#1628) + * feat(option): show a link to GitHub Discussions for --light deprecation (#1650) + * fix(sarif): fix the warning message (#1647) + * refactor: migrate to prefixed buckets (#1644) + * feat(mariner): add support for CBL-Mariner (#1640) + * docs: commercial use available (#1641) + * feat: support azure acr (#1611) + * feat(os-pkg): add data sources (#1636) + * feat(redhat): support build info in RHEL (#807) + * fix: change links in pull_request_template to static URLs (#1634) + * feat(lang-pkg): add data sources (#1625) + * feat(detector): support custom detector (#1615) + * docs(contribution): change role who should resolve comments (#1618) + * docs: add PR template (#1602) + * feat(rocky): support Rocky Linux (#1570) + * Add the ability to set dockerhub credentials in the helm chart (#1569) + * feat(cache): redis TLS support (#1297) + * feat(java): add support for PAR files (#1599) + * refactor(rust): move rust-advisory-db to OSV (#1591) + * feat: log ignored vulnerabilities on debug (#1378) + * chore(mod): hcl2json deps update (#1585) + * fix(rpm): do not ignore installed files via third-party rpm (#1594) + * feat(fs): allow scanning a single file (#1578) + * refactor(python): drop Safety DB (#1580) + * feat: added insecure tls skip to scan git repo (#1528) + * Supress git clone output (#1590) + * fix(alma): skip modular package because MODULARITYLABEL is not set (#1588) + * feat(photon os): added EOL dates check (#1587) + * docs: update supported os (#1586) + * BREAKING: remove root command (#1579) + * docs: add Rust to Language-specific Packages Table (#1577) + * docs: update int doc for gitlab ci (#1575) + * BREAKING: migrate the sarif template to Go code (#1437) + * refactor: remove unused field (#1567) + * chore(deps): bump helm/chart-testing-action from 2.1.0 to 2.2.0 (#1554) + * docs: gitlab integration (#1381) + * feat(alma): support AlmaLinux (#1238) + * docs: added note about default template path when Trivy installed using rpm (#1551) + * BREAKING: Trivy DB from GHCR (#1539) + * feat(cli): Do not set default commands when a plugin is being run (#1549) + * fix: add fingerprint field to codequality template (#1541) + * fix(image): correct handling of uncompressed layers (#1544) + * chore: helm chart app version 0.22.0 (#1535) + * test(integration): use fixtures (#1532) + +------------------------------------------------------------------- +Tue Dec 28 09:50:49 UTC 2021 - dmueller@suse.com + +- Update to version 0.22.0 (jsc#SLE-18339): + * fix(java/pom): ignore unsupported requirements (#1514) + * feat(cli): warning for root command (#1516) + * BREAKING: disable JAR detection in fs/repo scanning (#1512) + * feat(scan): support --offline-scan option (#1511) + * fix: improve memory usage (#1509) + * feat(java): support pom.xml (#1501) + * docs: fixing rust link to security advisory (#1504) + * Add missing IacMetdata (#1505) + * feat(jar): add file path (#1498) + * feat(rpm): support NDB (#1497) + * feat: added misconfiguration field for html.tpl (#1444) + +------------------------------------------------------------------- +Tue Dec 21 08:33:39 UTC 2021 - dmueller@suse.com + +- Update to version 0.21.3: + * fix(docs): typo (#1488) + * feat(plugin): Add option to update plugin (#1462) + * fix: fixed skipFiles/skipDirs flags for relative path (#1482) + * feat (plugin): add list and info command for plugin (#1452) + * fix: set up a vulnerability severity (#1458) + * chore: add arm64 deb package (#1480) + * Link to trivy tutorial on Semaphore (#1449) + * refactor(helm): externalize env vars to configMap (#1345) + * docs: provide more information on scanning Google's GCR (#1426) + * docs(misconfiguration): added instruction for misconfiguration detection (#1428) + * Update git-repository.md (#1430) + * fix(hooks): exclude unrelated lib types from system files filtering (#1431) + * chore: run `go fmt` (#1429) + * fix(sarif): change `help` field in the sarif template. (#1423) + * Update fanal with cfsec version update (#1425) + * Replace deprecated option in goreleaser (#1406) + * feat(alpine): support 3.15 (#1422) + * chore: test the helm chart in the PR and used the commit hash (#1414) + * chore(deps): bump alpine from 3.14 to 3.15.0 (#1417) + * chore(release): add ubuntu older versions to deploy script (#1416) + +------------------------------------------------------------------- +Sun Dec 05 10:46:26 UTC 2021 - dmueller@suse.com + +- Update to version 0.21.1: + * chore(mod): tidy (#1415) + * fix(rpc): fix nil layer transmit (#1410) + * Lang advisory order (#1409) + * chore: add support for s390x arch (#1304) + * fix(chart): ingress helm manifest-update trivy image (#1323) + * docs: Add comparison for cfsec (#1388) + * remove: delete unused functions in utils package (#1379) + * fix(sarif): fix validation errors (#1376) + * docs: add Bitbucket Pipelines (#1374) + * docs: add community integrations (#1361) + * Use a stable SARIF identifier (#1230) + * fix(python): fix parsing of requirements.txt with hash checking mode available in pip since version 8.0 + * feat(iac): Add line information (#1366) + * feat(cloudformation): Adding support for cfsec IaC scanning (#1360) + * chore: send debug and info logs to stdout in install.sh, not stderr. (#1264) + * Update containerd to v1.5.7 and docker-cli to v20.10.9 (#1356) + * chore: update SBOM generation (#1349) + +------------------------------------------------------------------- +Wed Nov 10 11:42:19 UTC 2021 - dmueller@suse.com + +- Update to version 0.20.2: + * docs: update builtin.md (#1335) + * chore: fix issues with Homebrew formula (#1329) + * chore: bump GoReleaser to v0.183.0 (#1328) + * docs: update iac.md for a typo (#1326) + * docs: typo fix (#1308) + * Add new networking API features to Ingress (#1262) + * chore(release): bump up GoReleaser to v0.182.1 (#1299) + * fix(yarn): support quoted version (#1298) + * feat(custom-forward): Forward the extended advisory data (#1247) + * feat(javascript) : Initialize npm driver for javascript packages (#1289) + * fix(cli): fix incorrect comparision of DB metadata type. (#1286) + * docs: add footer to readme (#1281) + * feat(report): add package path (#1274) + * feat(command): add rootfs command (#1271) + * fix: update fanal (#1272) + * feat(commands): remove deprecated options (#1270) + * Aggregate jar result for table (#1269) + * BREAKING(report): migrate to new json schema (#1265) + * feat: improve --skip-dirs and --skip-files (#1249) + * fix(gobinary): skip large files (#1259) + * Disable library analyzer for OS only scan type (#1191) + * chore: update trivy version (#1252) + * refactor: move from io/ioutil to io and os package (#1245) + * fix: brew test command (#1253) + * fix:added layer info in packages (#1248) + * fix(go/binary): improve debug messages (#1244) + * Update db.go (#1199) + * fix(deps): fix CVE-2021-32760 for github.com/containerd/containerd (#1243) + * feat(debian): support the versions that reached EOL (#1237) + * feat(alpine): support unfixed vulnerabilities (#1235) + * feat(report): add image config (#1231) + * feat(nodejs): support package.json (#1225) + * refactor: use testing DB instead of mock (#1234) + * feat(ruby): support gemspec (#1224) + * feat(python): add packaging detector and respective hook (#1223) + * feat(license): Added support to new License field of go-dep-parser's library (#1167) + * fix(oracle): handle advisories contain ksplice versions (#1209) + * fix(docs): remove OSVDB advisories (#1215) + * docs: fix typos in CONTRIBUTING.md (#1181) + * Update EOL of Debian 11 (#1180) + * fix(plugin): resolve a closure (#1207) + * docs: fix typo (#1206) + * fix(detector): change an argument for trivy-db getter (#1203) + * chore(mod): update fanal (#1179) + * Add license info to package data (#1176) + * feat(nuget): support packages.config (#1095) + * feat(python): add support for requirements.txt (#1169) + * GitLab CI integration documentation (#1168) + * chore(gorelease) change goreleaser config to include template examples (#1138) + * chore(deps): bump dmnemec/copy_file_to_another_repo_action (#1153) + * chore(deps): bump actions/stale from 3 to 4 (#1152) + * feat(report): add end of service life flag to OS metadata (#1142) + * chore: set up Dependabot for github-actions and docker (#1128) + * docs: fix typo (#1149) + * docs: add some external links (#1147) + * chore (release): add ubuntu esm versions to deploy script (#1151) + * docs(troubleshooting) add urls which are required to download vuls db (#1137) + * Updated the Alpine Image to 3.14 (latest) (#1130) + * Added EOL for Ubuntu 21.10 (#1131) + * fix(image): disabled scanning of config files within container images (#1133) + * docs: fixed typo (#1124) + * update cyclonedx github action to v0.3.0 (#1127) + * fix(policy): fix panic on the first run (#1116) + * docs(misconf): add comparison with Conftest and tfsec (#1111) + * feat(report): add schema version (#1110) + * fix(scan): change unknown os from info to debug (#1109) + * docs: add misconfiguration (#1101) + * fix(config): rename include-successes with include-non-failures (#1107) + * feat(config): support --trace (#1106) + * fix(policy): reduce the Internet access (#1105) + * chore: bump golangci-lint to v1.41.1 (#1104) + * feat: support config scanning (#931) + * feat(report): add artifact metadata (#1079) + * Generate SBOM (#1076) + * fix(db): multiple prefixed data sources (#1070) + * Add EOL date for Alpine 3.14 (#1072) + * suse: mark sle 15.3 as maintained, add opensuse 15.3 (#1059) + * docs: improve data sources (#1069) + * chore(label): add kind/security-advisory (#1068) + * fix(asff): replace slice with substr (#1058) + * fix(helm-chart): parametrized ingress host path (#1049) + * feat: support Google Artifact Repository (#1055) + * Update ASFF template to use label for severity (#1047) + * BREAKING: migrate to a new JSON schema (#782) + * docs: Fix link to AWS Security Hub template (#1046) + * refactor(server): support gzip (#1045) + * chore(rpc): update protoc and twirp (#1044) + * Added support for list all packages flag in client (#1032) + * chore: chart with 0.18.3 (#1033) + * feat: add gitlab codequality template (#895) + * feat(plugin): add aqua plugin (#1029) + * fix(go): if patchedVersion is empty mark it as vulnerable (#1030) + * docs(ubuntu): fix supported versions (#1028) + * Support Ubuntu 21.04 (#1027) + * chore: remove codecov (#1016) + * fix typo on github-actions.md (#1022) +- drop 0001-suse-mark-sle-15.3-as-maintained-add-opensuse-15.3.patch (upstream) + +------------------------------------------------------------------- +Thu Jun 10 12:46:10 UTC 2021 - Dirk Müller + +- add 0001-suse-mark-sle-15.3-as-maintained-add-opensuse-15.3.patch + +------------------------------------------------------------------- +Thu Jun 10 08:31:11 UTC 2021 - Dirk Müller + +- strip binaries + +------------------------------------------------------------------- +Mon Jun 07 19:14:07 UTC 2021 - dmueller@suse.com + +- Update to version 0.18.3: + * chore(ci): change to more granular tokens (#1014) + * chore(ci): add Go scanning and update dependencies (#1001) + * docs: Add HIGH severity to Trivy command in GitLab CI example to match comment (#1013) + * fix(image): disable go.sum scanning (#1007) + * fix(gomod): handle go.sum with an empty line (#1006) + * feat: prepare for config scanning (#1005) + * Clarify that dev dependencies are excluded (#986) + * Include target value in Sarif template ruleID (#991) + * chore(mkdocs): allow workflow_dispatch (#989) + * fix(vuln) unique vulnerabilities from different data sources (#984) + * feat(go): added support of gomod analyzer (#978) + +------------------------------------------------------------------- +Mon May 03 10:04:22 UTC 2021 - dmueller@suse.com + +- Update to version 0.17.2: + * Upgrade fanal dependency (#976) + * docs: mention upx binaries (#974) + * Upgrade alpine to fix git and libcurl vulnerabilities in trivy docker image scan (#971) + * fix(fs): skip dirs (#969) + * chore(ci): replace GITHUB_TOKEN with ORG_GITHUB_TOKEN (#965) + * chore(ci): clone trivy-repo after releasing binaries (#963) + * docs: add golang support (#962) + * fix(table): skip zero vulnerabilities on java (#961) + * chore(ci): create a release discussion (#959) + * feat(go): support binary scan (#948) + * feat(java): support GitLab Advisory Database (#917) + * feat: show help message when the context's deadline passes (#955) + * chore(mkdocs): replace github token (#954) + * Update SARIF report template (#935) + * Update install docs to make commands consistent (#933) + * Docker multi-platform image build with `buildx`, using Goreleaser (#915) + * Fix JUnit template for AWS CodeBuild compatibility (#904) + * break(cli): use StringSliceFlag for skip-dirs/files (#916) + * docs: add white logo (#914) + * add package name in ruleID (#913) + * feat: gh-action for stale issues (#908) + * chore(triage): add lifecycle/active label (#909) + * feat: publish helm repository (#888) + * Fix Documentation Typo (#901) + * docs: migrate README to MkDocs (#884) + * refactor(internal): export internal packages (#887) + * feat: support plugins (#878) + * chore(ci): deploy dev docs only for the main branch (#882) + * add MkDocs implementation (#870) + * docs(README): update ubuntu versions (#877) + * support Ubuntu 20.10 (#876) + * feat(cache): introduce versioned cache (#865) + * chore: bump up Go to 1.16 (#861) + * fix: allow the latest tag (#864) + * feat: disable analyzers (#846) + * chore(ci): push the official image to public ECR (#855) + * chore(ci): migrate CircleCI to GitHub Actions (#850) + * adds example with multistage build (#853) + * remove SARIF helpUri if empty (#841) (#845) + * Add Sprig to Template Engine (#832) + * Fix "GitLab CI using Trivy container" usage example (fixes #843) (#844) + * feat(java): support jar/war/ear (#837) + * fix(app): increase the default value of timeout (#842) + * Update README.md (#838) + * Fix compatibility for Jenkins xunit plugin (#820) + * README: add Gitlab job that uses a container with trivy (#823) + * feat: support Podman (#825) + * fix(eol): update EOL dates (#824) + * fix(python): follow PEP 440 (#816) + * Support alpine 3.13 (#819) + * Changed the output string to "Using your github token". (#814) + * Align comment with code (#812) + * Parse redis backend url (#804) + * Update README.md (#810) + * Added nodeSelector, affinity and tolerations to helm chart (#803) + * Fix readme typo in policy flag (#805) + * Fix errors in SARIF format (#801) + * Fix env variable for github token (#796) + * fix(vulnerability): set unknown severity for empty values (#793) + * Remove global flags from filesystem command (#772) + * Add imagePullSecrets to helm Chart (#789) + * Add redis cache backend configuration options (#784) + * Update README.md (#735) + * feat(redhat): support modular packages (#790) + * Fix formatting of log message (#785) + * chore(ci): migrate unit tests to GitHub Actions (#779) + * shifted: brews.github to brews.tap (#780) + +------------------------------------------------------------------- +Fri Jan 08 13:31:54 UTC 2021 - rbrown@suse.com + +- Update to version 0.15.0: + * Feat: NuGet Scanner (#686) + * feat(cache): support Redis (#770) + * fix(redhat): skip module packages (#776) + * chore: migrate from master to main (#778) + * chore(circleci): remove gofmt (#777) + * chore(README): remove experimental (#775) + * NVD: Add timestamps. (#761) + * (fix): Make the table output less wide. (#763) + * Add gitHubToken to prevent rate limit problems (#769) + * Add helm chart to install trivy in server mode. (#751) + * chore(docs): add nix install (#762) + * HTML template (#567) + * feat: remove rpm dependency (#753) + * fix(vulnerability): make an empty severity UNKNOWN (#759) + * chore(README): add TRIVY_INSECURE (#760) + * feat(vulnerability): add primary URLs (#752) + +------------------------------------------------------------------- +Thu Nov 26 15:23:00 UTC 2020 - dmueller@suse.com + +- Update to version 0.13.0: + * fix(oracle): handle ksplice advisories (#745) + * fix: version comparison (#740) + * updated Readme.md (#737) + * Add suse sles 15.2 to the EOL list as well (#734) + * Update README.md (#731) + * Warn when a user attempts to use trivy without a detectable lockfile (#729) + * Add back support for FreeBSD & OpenBSD (#728) + * Add support for ppc64le architecture (#724) + * Skip packages from unsupported repository (remi) (#695) + * Skip downloading DB if a remote DB is not updated (#717) + * Sunsetting VendorVectors (#718) + * Add GitHub Container Registry to README (#712) + * update BUG_REPORT.md using H2 instead of bold formatting (#714) + * fix(ci/deb): do not remove old packages for EOL versions (#706) + * Add linter check support (#679) + * Optimize images (#696) + * Update triage.md (#701) +- remove 0001-Add-suse-sles-15.2-to-the-EOL-list-as-well.patch (merged) + +------------------------------------------------------------------- +Fri Oct 30 14:52:37 UTC 2020 - Dirk Mueller + +- add 0001-Add-suse-sles-15.2-to-the-EOL-list-as-well.patch + +------------------------------------------------------------------- +Wed Oct 28 12:47:30 UTC 2020 - Dirk Mueller + +- revert _service and build changes in last update to use + the proper macros +- set VERSION parameter properly (jsc#CAPS-105) +- remove update-end-of-life-dates.patch + +------------------------------------------------------------------- +Thu Oct 22 14:20:24 UTC 2020 - Stefan Nica + +- Require golang >= 1.15 to fix EINTR read issues (jsc#CAPS-170) + +------------------------------------------------------------------- +Thu Oct 22 13:16:40 UTC 2020 - Dirk Mueller + +- add update-end-of-life-dates.patch + +------------------------------------------------------------------- +Tue Oct 20 13:13:39 UTC 2020 - msabate@suse.com + +- Update to version 0.12.0: + * ci(circle): update remote docker version (#683) + * suse: update end of life dates for SLES service packs (#676) + * update readme for parallel run issue (#660) + * fix link for Clear images section in README (#659) + * add link to Gitlab CI pipeline in README (#658) + * test: add tests for mux (#645) + * chore: bump up Go to 1.15 (#646) + * Add contrib/ to the release chain for Docker (#638) + * Add health check endpoint to trivy server (#644) + * fix(cli): show help for subcommands (#629) + +------------------------------------------------------------------- +Tue Sep 08 18:00:57 UTC 2020 - jsuchome@suse.com + +- Update to version 0.9.2: + * Fixing `Error retrieving template from path` when --format is not template but template is provided (#556) + * Adding contrib/junit.tpl to docker image (#554) + * db: Update trivy-db to include CVSS score info (#530) + * docs: fix markdown (#553) + * Added function to escape string in failure message title and descriptions (#551) + * Added JUNIT support (#541) + * chore(docs): mention air-gapped environment (#544) + * chore(README): add programming languages (#543) + * fix(log): write error messages to stderr (#538) + * Use StoreMetadata from trivy-db (#509) + * docs: add more CI options to README (#535) + * chore(Dockerfile): bump up alpine to 3.12 (#528) + * fix(alpine): replace go-deb-version with go-apk-version (#520) + * fix: MissingBlobs is implemented different in FS and S3 the method log… (#522) + +------------------------------------------------------------------- +Wed Aug 19 11:24:03 UTC 2020 - dmueller@suse.com + +- Update to version 0.9.1: + * fix(alpine): support 3.12 (#517) + * chore(README): prepare for v0.9.0 (#507) + * fix(config): transpose arguments (#516) + +------------------------------------------------------------------- +Tue Jul 28 12:33:21 UTC 2020 - jsuchome@suse.com + +- Update to version 0.9.0: + * fix(app): add ArgsUsage (#508) + * feat: support repository and filesystem scan (#503) + * Add GHSA support (#467) + * refactor: define common options and embed them into the option for subcommand (#502) + * Add image subcommand (#493) + * fix: remove help template (#500) + * vulnerability: Add CVSS Vectors to JSON output. (#484) + * feat: support registry token (#482) + * chore: bump up urfave/cli to v2 (#499) + * chore(doc): update README (#490) + * chore(ci): move integration tests to GitHub Actions (#485) + * feat: support OCI Image Format (#475) + * chore(github): fix issue templates (#483) + * contrib/gitlab.tpl: Add new id field (#468) + * chore(docs): add triage.md (#473) + * fix: handle a scratch/busybox/DockerSlim image gracefully (#476) + * rpc: Fix output to use templates when in client server mode. (#469) + * Override with Vendor score if exists (#433) + * docs: Update installation docs for pointing to Trivy Releases. (#463) + +------------------------------------------------------------------- +Fri Jul 24 11:34:15 UTC 2020 - jsuchome@suse.com + +- enabled changesgenerate option to automatically generate changes + +------------------------------------------------------------------- +Thu Jul 16 15:54:15 CEST 2020 - jsuchome@suse.com + +- initial release of 0.6.0 version, supported by Harbor 2.0 + diff --git a/trivy.spec b/trivy.spec new file mode 100644 index 0000000..e6493ad --- /dev/null +++ b/trivy.spec @@ -0,0 +1,67 @@ +# +# spec file for package trivy +# +# Copyright (c) 2023 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: trivy +Version: 0.52.2 +Release: 0 +Summary: A Simple and Comprehensive Vulnerability Scanner for Containers +License: Apache-2.0 +Group: System/Management +URL: https://github.com/aquasecurity/trivy +Source: %{name}-%{version}.tar.zst +Source1: vendor.tar.zst +# From https://github.com/aquasecurity/trivy-db/pull/411.patch +Patch1: add-opensuse-tumbleweed-db.patch +Patch2: https://github.com/aquasecurity/trivy/pull/6965.patch#/add-opensuse-tumbleweed-support.patch +BuildRequires: golang(API) = 1.22 +BuildRequires: golang-packaging +BuildRequires: zstd +Requires: ca-certificates +Requires: git-core +Requires: rpm + +%description +Trivy (`tri` pronounced like trigger, `vy` pronounced like envy) is a simple and +comprehensive vulnerability scanner for containers and other artifacts. A +software vulnerability is a glitch, flaw, or weakness present in the software or +in an Operating System. Trivy detects vulnerabilities of OS packages (Alpine, +RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, +etc.). Trivy is easy to use. Just install the binary and you're ready to +scan. All you need to do for scanning is to specify a target such as an image +name of the container. + +%prep +%setup -a1 +pushd vendor/github.com/aquasecurity/trivy-db +%patch -P 1 -p1 +popd +%patch -P 2 -p1 + +%build +export CGO_ENABLED=1 +go build -o trivy -mod=vendor -buildmode=pie -trimpath -ldflags "-s -w -X=main.version=%{version}" cmd/trivy/main.go + +%install +install -D -m 755 trivy %{buildroot}/%{_bindir}/%{name} + +%files +%license LICENSE +%doc NOTICE README.md +%{_bindir}/%{name} + +%changelog diff --git a/vendor.tar.zst b/vendor.tar.zst new file mode 100644 index 0000000..5a85a5d --- /dev/null +++ b/vendor.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:24ef9542d19cec2325c75b8d9872e02f2475ad1704da5dae59eb2d16ad8ec50f +size 35584664