diff --git a/.github/workflows/mkdocs-dev.yaml b/.github/workflows/mkdocs-dev.yaml
index f89deb9f5151..68ca817e2259 100644
--- a/.github/workflows/mkdocs-dev.yaml
+++ b/.github/workflows/mkdocs-dev.yaml
@@ -22,7 +22,7 @@ jobs:
- name: Install dependencies
run: |
python -m pip install --upgrade pip setuptools wheel
- pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
+ pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git@9.5.44-insiders-4.53.14
pip install -r docs/build/requirements.txt
env:
GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
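Review bot: The ref added to the `pip install git+https://…` line is a tag name (`@9.5.44-insiders-4.53.14`), and a tag can be re-pointed upstream, so the docs build still installs whatever that ref resolves to at run time. Pinning the full commit instead, `…/mkdocs-material-insiders.git@<full-commit-sha>` (placeholder; the SHA is not shown on this page), with the version kept in a `# 9.5.44-insiders-4.53.14` comment above it, makes the install reproducible. The identical line is added in `.github/workflows/mkdocs-latest.yaml` and needs the same change. Since `${GH_TOKEN}` is embedded in the clone URL, it is also worth confirming that the `MKDOCS_AQUA_BOT` token is read-only and scoped to that one repository. The rest of the job lies outside the hunk.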
diff --git a/.github/workflows/mkdocs-latest.yaml b/.github/workflows/mkdocs-latest.yaml
index 0f07db482a05..e709f9d8fa92 100644
--- a/.github/workflows/mkdocs-latest.yaml
+++ b/.github/workflows/mkdocs-latest.yaml
@@ -24,7 +24,7 @@ jobs:
- name: Install dependencies
run: |
python -m pip install --upgrade pip setuptools wheel
- pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
+ pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git@9.5.44-insiders-4.53.14
pip install -r docs/build/requirements.txt
env:
GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
diff --git a/README.md b/README.md
index f02dd9c0cd9b..15a53e5310db 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,6 @@ Targets (what Trivy can scan):
- Git Repository (remote)
- Virtual Machine Image
- Kubernetes
-- AWS
Scanners (what Trivy can find there):
diff --git a/docs/assets/css/trivy_v1_homepage.min.css b/docs/assets/css/trivy_v1_homepage.min.css
new file mode 100644
index 000000000000..0b9ef16d1976
--- /dev/null
+++ b/docs/assets/css/trivy_v1_homepage.min.css
@@ -0,0 +1 @@
+body{font-family:"Inter",sans-serif}.trivy_v1_homepage_wrap{position:relative;z-index:3}.trivy_v1_homepage_wrap *{transition:all .2s ease !important}.trivy_v1_homepage_wrap .container{width:100%;margin:0 auto;max-width:1440px}@media screen and (max-width: 769px),print{.trivy_v1_homepage_wrap .container{padding:0 24px;max-width:769px}}.trivy_v1_homepage_wrap .button{background-color:#ebf3fa;border:1px solid #dbdbdb;border-width:1px;color:#363636;cursor:pointer;justify-content:center;padding-bottom:calc(.5em - 1px);padding-left:1em;padding-right:1em;padding-top:calc(.5em - 1px);text-align:center;white-space:nowrap;border-radius:4px;transition:all .2s ease;font-size:16px;display:inline-block;font-weight:700}.trivy_v1_homepage_wrap .button.is-seafoam{background-color:#00ffe4;border-color:#00ffe4;color:#07242d}.trivy_v1_homepage_wrap .button.is-seafoam.is-outlined{background-color:rgba(0,0,0,0);border-color:#00ffe4;color:#00ffe4;border-width:2px}.trivy_v1_homepage_wrap .button.is-seafoam.is-outlined:hover{background-color:#00ffe4;color:#07242d}.trivy_v1_homepage_wrap .button.large_btn{font-size:22px;padding:16px 27px;margin-right:12px}@media screen and (max-width: 769px),print{.trivy_v1_homepage_wrap .button.large_btn{font-size:18px}}.trivy_v1_homepage_wrap .button.solidseafoamarrowbutton{background-color:#00ffe4;font-weight:700;border:2px solid #00ffe4;font-size:22px;padding:16px 27px;color:#07242d}.trivy_v1_homepage_wrap .button.solidseafoamarrowbutton:after{content:"";border:solid #07242d;border-width:0 2px 2px 0;display:inline-block;padding:4px;transform:rotate(-45deg);margin-left:30px;vertical-align:middle;transition:all .2s}.trivy_v1_homepage_wrap .margin-bottom-20{margin-bottom:20px}.trivy_v1_homepage_wrap .hero_wrap{background-color:#0a0b23;background-image:radial-gradient(1600px at 70% 120%, #031145 10%, #0a0b23 100%);min-height:1050px;position:relative;z-index:10}.trivy_v1_homepage_wrap .hero_wrap 
.homepage_background_image_wrap{position:absolute;left:0px;top:0px;width:100%;height:100%;z-index:1;pointer-events:none}.trivy_v1_homepage_wrap .hero_wrap .homepage_background_image_wrap .stars_wrap{position:absolute;left:0px;top:0px;width:100%;height:100%;z-index:1;overflow:hidden}.trivy_v1_homepage_wrap .hero_wrap .homepage_background_image_wrap .stars_wrap .stars_bg{position:absolute;width:400vw;height:400vh;top:50%;left:50%;margin-top:-200vh;margin-left:-200vw;animation:stars_ani 240s linear infinite;background-size:240px;backface-visibility:visible;background-image:url(../images/homepage_hero_stars_02.svg);background-repeat:repeat}@keyframes stars_ani{0%{transform:rotate(0deg)}100%{transform:rotate(360deg)}}.trivy_v1_homepage_wrap .hero_wrap .homepage_background_image_wrap .terrain_wrap{position:absolute;left:0px;bottom:0px;width:100%;height:680px;background-image:url(../images/homepage_hero_terrain_08.svg);background-repeat:no-repeat;background-position:center top;background-size:cover;z-index:2}.trivy_v1_homepage_wrap .hero_wrap .homepage_background_image_wrap .beams_wrap{position:absolute;left:0px;bottom:0px;width:100%;height:100%;z-index:3;overflow:hidden}.trivy_v1_homepage_wrap .hero_wrap .homepage_background_image_wrap .beams_wrap .beam{position:absolute;right:200px;top:270px;width:3px;height:350%;background:rgba(62,171,255,.6);box-shadow:0px 0px 55px 0px #3eabff;transform-origin:0 0;animation:beam_ani 10s infinite}.trivy_v1_homepage_wrap .hero_wrap .homepage_background_image_wrap .beams_wrap .beam.num2{animation:beam_ani 11s infinite}.trivy_v1_homepage_wrap .hero_wrap .homepage_background_image_wrap .beams_wrap .beam.num3{animation:beam_ani 12s infinite}.trivy_v1_homepage_wrap .hero_wrap .homepage_background_image_wrap .beams_wrap .beam.num4{animation:beam_ani 13s infinite}@keyframes beam_ani{0%{transform:rotate(75deg)}50%{transform:rotate(-15deg)}100%{transform:rotate(75deg)}}.trivy_v1_homepage_wrap .hero_wrap .homepage_background_image_wrap 
.beams_wrap .sphere{z-index:999;position:absolute;top:60px;right:50px;width:280px;height:280px;background-image:url(../images/homepage_hero_orb_03.png);background-position:center center;background-repeat:no-repeat}.trivy_v1_homepage_wrap .hero_wrap .homepage_background_image_wrap .person_wrap{position:absolute;left:0px;bottom:0px;width:100%;height:595px;background-image:url(../images/homepage_v1_hero_person_01.png);background-repeat:no-repeat;background-position:center bottom;z-index:4}.trivy_v1_homepage_wrap .hero .hero-body{padding:80px 0px}.trivy_v1_homepage_wrap .hero .hero-body .header_title_wrap .header_title_content_wrap{width:50%;position:relative;z-index:3}.trivy_v1_homepage_wrap .hero .hero-body .header_title_wrap .header_title_content_wrap .page_title{color:#fff;font-weight:700;font-size:48px;line-height:1.3}.trivy_v1_homepage_wrap .hero .hero-body .header_title_wrap .header_title_content_wrap .page_subtitle{color:#fff;font-weight:400;font-size:24px;line-height:1.3;margin-bottom:30px}@media screen and (max-width: 1216px),print{.trivy_v1_homepage_wrap .hero .hero-body .header_title_wrap .header_title_content_wrap{width:70%}}@media screen and (max-width: 769px),print{.trivy_v1_homepage_wrap .hero .hero-body .header_title_wrap .header_title_content_wrap{width:100%}.trivy_v1_homepage_wrap .hero .hero-body .header_title_wrap .header_title_content_wrap .page_title{font-size:32px}.trivy_v1_homepage_wrap .hero .hero-body .header_title_wrap .header_title_content_wrap .page_subtitle{font-size:18px}}@media screen and (min-width: 769px),print{.trivy_v1_homepage_wrap .hero .hero-body{padding:48px 24px}}.trivy_v1_homepage_wrap .homepage_community_wrap{position:relative;background-color:#0a0b23;color:#fff;z-index:5;padding-top:60px;padding-bottom:20px}.trivy_v1_homepage_wrap .homepage_community_wrap .container.wide_container{max-width:1640px;padding-left:20px;padding-right:20px;display:flex;flex-direction:row;flex-wrap:wrap}.trivy_v1_homepage_wrap 
.homepage_community_wrap .community_titles_column{width:33.3333%;padding-right:32px}@media screen and (max-width: 1024px),print{.trivy_v1_homepage_wrap .homepage_community_wrap .community_titles_column{width:41.6666666667%}}@media screen and (max-width: 769px),print{.trivy_v1_homepage_wrap .homepage_community_wrap .community_titles_column{width:100%}}.trivy_v1_homepage_wrap .homepage_community_wrap .community_slider_column{width:66.6666%}@media screen and (max-width: 1024px),print{.trivy_v1_homepage_wrap .homepage_community_wrap .community_slider_column{width:58.3333333333%}}@media screen and (max-width: 769px),print{.trivy_v1_homepage_wrap .homepage_community_wrap .community_slider_column{width:100%}}.trivy_v1_homepage_wrap .homepage_community_wrap .community_title{color:#00ffe4;font-size:60px;font-weight:700;margin-bottom:24px;line-height:1.2}.trivy_v1_homepage_wrap .homepage_community_wrap .community_subtitle{color:#fff;font-size:26px;margin-bottom:24px}.trivy_v1_homepage_wrap .homepage_community_wrap .community_cta_wrap .button{font-weight:700;margin-right:10px}.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap{position:relative}.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap .community_quotes{column-count:3;column-gap:20px}@media screen and (max-width: 1216px),print{.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap .community_quotes{column-count:2}}@media screen and (max-width: 769px),print{.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap .community_quotes{column-count:1}}.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap .community_quotes .quote_item_wrap{display:inline-block;margin:0px 0px 20px 0px;width:100%}.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap .community_quotes .quote_item{display:block;position:relative;color:#fff;border:1px solid 
rgba(0,255,228,.2);background-color:rgba(0,255,228,.05);border-radius:4px;padding:25px}.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap .community_quotes .quote_item .quote_name{font-size:16px;font-weight:600}.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap .community_quotes .quote_item .quote_twitter_handle{opacity:.6;font-size:13px}.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap .community_quotes .quote_item .quote_company{opacity:.6;font-size:13px}.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap .community_quotes .quote_item .quote_text{font-size:16px;font-weight:400;line-height:1.3}.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap .community_quotes .quote_item .quote_avatar{display:block;position:absolute;top:25px;left:25px;width:40px;height:40px;border-radius:50%;background-repeat:no-repeat;background-position:center center;background-size:cover}.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap .community_quotes .quote_item.is_tweet .quote_text{padding-top:10px}.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap .community_quotes .quote_item.is_tweet.has_avatar .quote_name,.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap .community_quotes .quote_item.is_tweet.has_avatar .quote_twitter_handle{padding-left:50px}.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap .community_quotes .quote_item.is_quote .quote_text{position:relative;padding-top:40px;padding-bottom:10px}.trivy_v1_homepage_wrap .homepage_community_wrap .community_quotes_wrap .community_quotes .quote_item.is_quote .quote_text:before{content:"";display:block;position:absolute;top:-10px;left:0px;width:56px;height:42px;background-image:url(../images/community_quote.png);background-position:center center;background-repeat:no-repeat}@media screen and (max-width: 769px),print{.trivy_v1_homepage_wrap 
.homepage_community_wrap .community_title{font-size:32px}.trivy_v1_homepage_wrap .homepage_community_wrap .community_subtitle{font-size:18px}}.slick-slider{position:relative;display:block;box-sizing:border-box;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;-webkit-touch-callout:none;-khtml-user-select:none;-ms-touch-action:pan-y;touch-action:pan-y;-webkit-tap-highlight-color:rgba(0,0,0,0)}.slick-list{position:relative;display:block;overflow:hidden;margin:0;padding:0}.slick-list:focus{outline:none}.slick-list.dragging{cursor:hand}.slick-slider .slick-track,.slick-slider .slick-list{transform:translate3d(0, 0, 0)}.slick-track{position:relative;top:0;left:0;display:block;margin-left:auto;margin-right:auto}.slick-track:before,.slick-track:after{display:table;content:""}.slick-track:after{clear:both}.slick-loading .slick-track{visibility:hidden}.slick-slide{display:none;float:left;height:100%;min-height:1px}.slick-slide:focus{outline:none}.slick-slide img{display:block}.slick-slide.slick-loading img{display:none}.slick-slide.dragging img{pointer-events:none}.slick-initialized .slick-slide{display:block}.slick-loading .slick-slide{visibility:hidden}.slick-vertical .slick-slide{display:block;height:auto;border:1px solid rgba(0,0,0,0)}.slick-arrow.slick-hidden{display:none}.slick-arrow{display:block;background-color:rgba(0,0,0,0);border:none;color:rgba(0,0,0,0);cursor:pointer;position:absolute;top:0px;height:330px;width:80px;z-index:20;outline:none}.slick-arrow:focus,.slick-arrow:active{outline:none}.slick-arrow.slick-prev{left:0px;background-image:linear-gradient(to right, #ebf3fa 0%, rgba(235, 243, 250, 0) 100%)}.slick-arrow.slick-next{right:0px;background-image:linear-gradient(to left, #ebf3fa 0%, rgba(235, 243, 250, 0) 
100%)}.slick-arrow:before{content:"";display:block;position:absolute;left:0px;top:0px;width:100%;height:100%;z-index:21;background-repeat:no-repeat}.slick-arrow.slick-prev:before{background-image:url(../images/arrow_left.png);background-position:center left}.slick-arrow.slick-next:before{background-image:url(../images/arrow_right.png);background-position:center right}.slick-dotted.slick-slider{margin-bottom:0px}.slick-dots{position:relative;display:block;width:100%;padding:0;margin:0;list-style:none;text-align:center}.slick-dots li{position:relative;display:inline-block;width:24px;height:24px;margin:0px 4px;padding:0;cursor:pointer}.slick-dots li button{font-size:0;line-height:0;display:block;width:24px;height:24px;padding:0px;cursor:pointer;color:rgba(0,0,0,0);border:0;outline:none;background:rgba(0,0,0,0)}.slick-dots li button:before{position:relative;top:0px;left:0px;width:20px;height:20px;content:"";background-color:rgba(0,0,0,0);border:2px solid #00ffe4;border-radius:50%;display:block;opacity:.7}.slick-dots li button:after{position:absolute;top:7px;left:5px;width:10px;height:10px;content:"";background-color:#00ffe4;border-radius:50%;display:block;opacity:0;transition:.2s ease-out}.slick-dots li button:hover,.slick-dots li button:focus{outline:none}.slick-dots li button:hover:after,.slick-dots li button:focus:after{opacity:1}.slick-dots li.slick-active button:after{opacity:1}
diff --git a/docs/assets/css/trivy_v1_homepage.scss b/docs/assets/css/trivy_v1_homepage.scss
new file mode 100644
index 000000000000..7dd40ba43a11
--- /dev/null
+++ b/docs/assets/css/trivy_v1_homepage.scss
@@ -0,0 +1,693 @@
+/* trivy homepage */
+
+//aqua brand colors
+$aq-royal-blue: #1904da;
+$aq-legacy-blue: #08b1d5;
+$aq-coral-red: #ff445f;
+$aq-starfish-yellow: #ffc900;
+$aq-dark-abyss: #07242d;
+$aq-deep-sea-blue: #183278;
+$aq-ocean-ash: #405a75;
+$aq-sea-foam: #00ffe4;
+
+$aq-neo-background: #ebf3fa;
+$aq-neo-background-hover: #f0f8ff;
+
+
+$aq-royal-blue-dark: #1503ba;
+
+$aq-trivy-dark: #0a0b23;
+
+
+$weight-normal: 400;
+$weight-semibold: 600;
+$weight-bold: 700;
+
+
+
+$gap: 32px;
+// 960, 1152, and 1344 have been chosen because they are divisible by both 12 and 16
+$tablet: 769px;
+
+// 960px container + 4rem
+$desktop: 960px + 2 * $gap;
+
+// 1152px container + 4rem
+$widescreen: 1152px + 2 * $gap;
+$widescreen-enabled: true;
+
+// 1344px container + 4rem
+$fullhd: 1344px + 2 * $gap;
+$fullhd-enabled: true;
+
+
+
+body {
+
+ font-family: "Inter", sans-serif;
+}
+
+.trivy_v1_homepage_wrap {
+ position: relative;
+ z-index: 3;
+
+ * {
+ transition: all 0.2s ease !important;
+ }
+
+ .container {
+ width: 100%;
+ margin: 0 auto;
+ max-width: 1440px;
+
+ @media screen and (max-width: $tablet), print { //769
+ padding: 0 24px;
+ max-width: $tablet; //769
+ } //until tablet
+ }
+
+ .button {
+
+ background-color: #ebf3fa;
+ border: 1px solid #dbdbdb;
+ border-width: 1px;
+ color: #363636;
+ cursor: pointer;
+ justify-content: center;
+ padding-bottom: calc(.5em - 1px);
+ padding-left: 1em;
+ padding-right: 1em;
+ padding-top: calc(.5em - 1px);
+ text-align: center;
+ white-space: nowrap;
+ border-radius: 4px;
+ transition: all .2s ease;
+ font-size: 16px;
+ display: inline-block;
+ font-weight: 700;
+
+ &.is-seafoam {
+ background-color: $aq-sea-foam;
+ border-color: $aq-sea-foam;
+ color: $aq-dark-abyss;
+
+
+ &.is-outlined {
+ background-color: rgba(0,0,0,0);
+ border-color: $aq-sea-foam;
+ color: $aq-sea-foam;
+ border-width: 2px;
+
+ &:hover {
+ background-color: $aq-sea-foam;
+ color: $aq-dark-abyss;
+ }
+ } //is-outlines
+
+ } //is-seafoam
+
+ &.large_btn {
+ font-size: 22px;
+ padding: 16px 27px;
+ margin-right: 12px;
+
+ @media screen and (max-width: $tablet), print {
+ font-size: 18px;
+ } //until tablet
+ }
+
+
+
+ &.solidseafoamarrowbutton {
+
+ background-color: $aq-sea-foam;
+ font-weight: 700;
+ border: 2px solid $aq-sea-foam;
+ font-size: 22px; //1.375rem; //1.125rem;
+ padding: 16px 27px;
+ color: $aq-dark-abyss;
+
+
+ &:after {
+ content: "";
+ border: solid $aq-dark-abyss;
+ border-width: 0 2px 2px 0;
+ display: inline-block;
+ padding: 4px;
+ transform: rotate(-45deg);
+ margin-left: 30px;
+ vertical-align: middle;
+ transition: all .2s;
+ }
+ } //solidseafoamarrowbutton
+
+ } //button
+
+ .margin-bottom-20 {
+ margin-bottom: 20px;
+ }
+
+ .hero_wrap {
+ background-color: $aq-trivy-dark;
+ background-image: radial-gradient(1600px at 70% 120%, #031145 10%, $aq-trivy-dark 100%);
+ min-height: 1050px;
+ position: relative;
+ z-index: 10;
+
+
+
+
+
+
+ .homepage_background_image_wrap {
+ position: absolute;
+ left: 0px;
+ top: 0px;
+ width: 100%;
+ height: 100%;
+ z-index: 1;
+ pointer-events: none;
+
+
+ .stars_wrap {
+ position: absolute;
+ left: 0px;
+ top: 0px;
+ width: 100%;
+ height: 100%;
+ z-index: 1;
+ overflow: hidden;
+
+ .stars_bg {
+ position: absolute;
+ width: 400vw;
+ height: 400vh;
+ top: 50%;
+ left: 50%;
+ margin-top: -200vh;
+ margin-left: -200vw;
+ animation: stars_ani 240s linear infinite;
+ background-size: 240px;
+ backface-visibility: visible;
+ background-image:url(../images/homepage_hero_stars_02.svg);
+ background-repeat: repeat;
+
+ }
+
+
+ @keyframes stars_ani {
+ 0% { transform: rotate(0deg); }
+ 100% { transform: rotate(360deg); }
+ }
+
+ } //stars_wrap
+
+ .terrain_wrap {
+ position: absolute;
+ left: 0px;
+ bottom: 0px;
+ width: 100%;
+ height: 680px;
+ background-image:url(../images/homepage_hero_terrain_08.svg);
+ background-repeat: no-repeat;
+ background-position: center top;
+ background-size: cover;
+ z-index: 2;
+ } // terrain_wrap
+
+
+ .beams_wrap {
+ position: absolute;
+ left: 0px;
+ bottom: 0px;
+ width: 100%;
+ height: 100%;
+ z-index: 3;
+ overflow: hidden;
+
+ .beam {
+ position: absolute;
+ right: 200px;
+ top: 270px;
+ width: 3px;
+ height: 350%;
+ background: rgba(#3eabff,0.6);
+ box-shadow: 0px 0px 55px 0px rgba(#3eabff,1);
+ transform-origin: 0 0;
+ animation: beam_ani 10s infinite;
+
+ &.num2 {animation: beam_ani 11s infinite;}
+ &.num3 {animation: beam_ani 12s infinite;}
+ &.num4 {animation: beam_ani 13s infinite;}
+ } //beam
+
+ @keyframes beam_ani {
+ 0% { transform: rotate(75deg); }
+ 50% { transform: rotate(-15deg); }
+ 100% { transform: rotate(75deg); }
+ }
+
+ .sphere {
+ z-index:999;
+ position: absolute;
+ top: 60px;
+ right: 50px;
+ width: 280px;
+ height: 280px;
+ background-image:url(../images/homepage_hero_orb_03.png);
+ background-position: center center;
+ background-repeat: no-repeat;
+ }
+
+ } //beams_wrap
+
+
+ .person_wrap {
+ position: absolute;
+ left: 0px;
+ bottom: 0px;
+ width: 100%;
+ height: 595px;
+ background-image:url(../images/homepage_v1_hero_person_01.png);
+ background-repeat: no-repeat;
+ background-position: center bottom;
+ z-index: 4;
+
+ } // person_wrap
+
+
+
+ } //hero_background_image_wrap
+ }
+
+
+
+ .hero {
+
+
+ .hero-body {
+ padding: 80px 0px;
+ // border: 1px solid red;
+
+ .header_title_wrap {
+ .header_title_content_wrap {
+
+ width: 50%;
+ position: relative;
+ z-index: 3;
+
+ .page_title {
+ color: #ffffff;
+ font-weight: $weight-bold;
+ font-size: 48px; //3rem;
+ line-height: 1.3;
+ }//page_title
+
+ .page_subtitle {
+ color: #ffffff;
+ font-weight: $weight-normal;
+ font-size: 24px; //1.5rem;
+ line-height: 1.3;
+ margin-bottom: 30px;
+ } //page_subtitle
+
+
+ @media screen and (max-width: $widescreen), print {
+ width: 70%;
+ } //until widescreen
+
+ @media screen and (max-width: $tablet), print { //769
+
+ width: 100%;
+
+ .page_title {
+ font-size: 32px; //2rem;
+ }//page_title
+
+ .page_subtitle {
+ font-size: 18px; //1.125rem;
+ }//page_subtitle
+
+ } //until tablet
+
+
+ } //header_title_content_wrap
+
+ } //header_title_wrap
+
+ @media screen and (min-width: $tablet), print { //769
+ padding: 48px 24px; //3rem 1.5rem;
+ }
+ }
+
+ } //hero
+
+
+
+
+
+ // } //page-trivy_homepage
+
+
+
+
+ /* homepage_community */
+ .homepage_community_wrap {
+ position: relative;
+ background-color: $aq-trivy-dark;
+ color: #ffffff;
+ z-index: 5;
+ padding-top: 60px;
+ padding-bottom: 20px;
+
+
+ .container.wide_container {
+ max-width: 1640px;
+ padding-left: 20px;
+ padding-right: 20px;
+ display: flex;
+ flex-direction: row;
+ flex-wrap: wrap;
+ }
+
+
+ .community_titles_column {
+ width: 33.3333%;
+ padding-right: 32px;
+
+ @media screen and (max-width: $desktop), print {
+ width: 41.6666666667%;
+ } //until desktop
+
+ @media screen and (max-width: $tablet), print {
+ width: 100%;
+ } //until tablet
+ }
+
+ .community_slider_column {
+ width: 66.6666%;
+
+ @media screen and (max-width: $desktop), print {
+ width: 58.3333333333%;
+ } //until desktop
+
+ @media screen and (max-width: $tablet), print {
+ width: 100%;
+ } //until tablet
+ }
+
+
+ .community_title {
+ color: $aq-sea-foam;
+ font-size: 60px; //3.75rem;
+ font-weight: $weight-bold;
+ margin-bottom: 24px; ////1.5rem;
+ line-height: 1.2;
+
+
+ }
+
+ .community_subtitle {
+ color: #ffffff;
+ font-size: 26px; //1.625rem;
+ margin-bottom: 24px; ////1.5rem;
+
+
+ }
+
+ .community_cta_wrap {
+
+ .button {
+ font-weight: $weight-bold;
+ margin-right: 10px;
+ }
+
+ }
+
+ .community_quotes_wrap {
+ position: relative;
+
+
+ .community_quotes {
+ column-count: 3;
+ column-gap: 20px;
+
+ @media screen and (max-width: $widescreen), print { //1216
+ column-count: 2;
+ }
+
+ @media screen and (max-width: $tablet), print { //769
+ column-count: 1;
+ }
+
+ .quote_item_wrap {
+ display: inline-block;
+ margin: 0px 0px 20px 0px;
+ width: 100%;
+ }
+
+ .quote_item {
+
+ display: block;
+ position: relative;
+ color: #ffffff;
+ border: 1px solid rgba($aq-sea-foam,0.2);
+ background-color: rgba($aq-sea-foam,0.05);
+ border-radius: 4px;
+ padding: 25px;
+
+ .quote_name {
+ font-size: 16px; //1rem;
+ font-weight: $weight-semibold;
+ }
+
+ .quote_twitter_handle {
+ opacity: 0.6;
+ font-size: 13px; //0.8125rem;
+ }
+
+ .quote_company {
+ opacity: 0.6;
+ font-size: 13px; //0.8125rem;
+ }
+
+ .quote_text {
+ font-size: 16px; //1rem;
+ font-weight: $weight-normal;
+ line-height: 1.3;
+ }
+
+ .quote_avatar {
+ display: block;
+ position: absolute;
+ top: 25px;
+ left: 25px;
+ width: 40px;
+ height: 40px;
+ border-radius: 50%;
+ background-repeat: no-repeat;
+ background-position: center center;
+ background-size: cover;
+
+ }
+
+ &.is_tweet {
+
+ .quote_text {
+ padding-top: 10px;
+ }
+
+
+ &.has_avatar {
+ .quote_name,
+ .quote_twitter_handle {
+ padding-left: 50px;
+ }
+ } //has_avatar
+
+ } //&is_tweet
+
+ &.is_quote {
+
+ .quote_text {
+ position: relative;
+ padding-top: 40px;
+ padding-bottom: 10px;
+
+ &:before {
+ content: "";
+ display: block;
+ position: absolute;
+ top: -10px;
+ left: 0px;
+ width: 56px;
+ height: 42px;
+ background-image: url(../images/community_quote.png);
+ background-position: center center;
+ background-repeat: no-repeat;
+ }
+ } //quote_text
+
+ } //&is_quote
+
+ } //quote_item
+
+ }
+
+ } //community_quotes_wrap
+
+ @media screen and (max-width: $tablet), print { //tablet
+
+ .community_title {
+ font-size: 32px; //2rem;
+ }
+ .community_subtitle {
+ font-size: 18px; //1.125rem;
+ }
+
+ } //until
+
+
+ } //homepage_community_wrap
+
+} //trivy_homepage_wrap
+
+
+
+
+
+/* Slider */
+.slick-slider{position:relative;display:block;box-sizing:border-box;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;-webkit-touch-callout:none;-khtml-user-select:none;-ms-touch-action:pan-y;touch-action:pan-y;-webkit-tap-highlight-color:transparent;}
+.slick-list{position:relative;display:block;overflow:hidden;margin:0;padding:0;}
+.slick-list:focus{outline:none;}
+.slick-list.dragging{cursor:hand;}
+.slick-slider .slick-track,.slick-slider .slick-list{transform:translate3d(0,0,0);}
+.slick-track{position:relative;top:0;left:0;display:block;margin-left:auto;margin-right:auto;}
+.slick-track:before,.slick-track:after{display:table;content:'';}
+.slick-track:after{clear:both;}
+.slick-loading .slick-track{visibility:hidden;}
+.slick-slide{display:none;float:left;height:100%;min-height:1px;}
+.slick-slide:focus{outline:none;}
+.slick-slide img{display:block;}
+.slick-slide.slick-loading img{display:none;}
+.slick-slide.dragging img{pointer-events:none;}
+.slick-initialized .slick-slide{display:block;}
+.slick-loading .slick-slide{visibility:hidden;}
+.slick-vertical .slick-slide{display:block;height:auto;border:1px solid transparent;}
+.slick-arrow.slick-hidden{display:none;}
+
+.slick-arrow {display:block;background-color:transparent;border:none;color:transparent;cursor:pointer;position:absolute;top:0px;height:330px;width:80px;z-index:20;outline:none;}
+.slick-arrow:focus, .slick-arrow:active {outline:none;}
+.slick-arrow.slick-prev {left:0px;background-image:linear-gradient(to right, rgba($aq-neo-background,1) 0%, rgba($aq-neo-background,0) 100%);}
+.slick-arrow.slick-next {right:0px;background-image:linear-gradient(to left, rgba($aq-neo-background,1) 0%, rgba($aq-neo-background,0) 100%);}
+.slick-arrow:before {content:"";display:block;position:absolute;left:0px;top:0px;width:100%;height:100%;z-index:21;background-repeat:no-repeat;}
+.slick-arrow.slick-prev:before {background-image:url(../images/arrow_left.png);background-position:center left;}
+.slick-arrow.slick-next:before {background-image:url(../images/arrow_right.png);background-position:center right;}
+
+
+
+/* dots */
+.slick-dotted.slick-slider
+{
+ margin-bottom: 0px;
+}
+
+
+.slick-dots
+{
+ //position: absolute;
+ //bottom: -25px;
+ position: relative;
+ display: block;
+
+ width: 100%;
+ padding: 0;
+ margin: 0;
+
+ list-style: none;
+
+ text-align: center;
+}
+
+
+.slick-dots li {
+ position: relative;
+ display: inline-block;
+ width: 24px;
+ height: 24px;
+ margin: 0px 4px;
+ padding: 0;
+ cursor: pointer;
+}
+
+.slick-dots li button
+{
+ font-size: 0;
+ line-height: 0;
+
+ display: block;
+
+ width: 24px;
+ height: 24px;
+ padding: 0px;
+
+ cursor: pointer;
+
+ color: transparent;
+ border: 0;
+ outline: none;
+ background: transparent;
+
+ &:before {
+
+ position: relative;
+ top: 0px;
+ left: 0px;
+ width: 20px;
+ height: 20px;
+ content: "";
+ background-color: transparent;
+ border: 2px solid $aq-sea-foam;
+ border-radius: 50%;
+ display: block;
+ opacity: 0.7;
+ }
+
+ &:after {
+
+ position: absolute;
+ top: 7px;
+ left: 5px;
+ width: 10px;
+ height: 10px;
+ content: "";
+ background-color: $aq-sea-foam;
+ //border: 1px solid #666;
+ border-radius: 50%;
+ //box-shadow: inset 1px 1px 1px #888;
+ display: block;
+ opacity: 0;
+ transition: 0.2s ease-out;
+
+ }
+
+
+
+
+}
+.slick-dots li button:hover,
+.slick-dots li button:focus
+{
+ outline: none;
+ &:after {
+ opacity: 1;
+ }
+}
+
+.slick-dots li.slick-active button:after {
+ opacity: 1;
+}
+
+
+
+
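Review bot: The universal rule `* { transition: all 0.2s ease !important; }` near the top of `.trivy_v1_homepage_wrap` forces a transition on every property of every descendant, and through `!important` it overrides any transition a nested component sets. If the slider is rendered inside the wrapper, the `transition: 0.2s ease-out` on `.slick-dots li button:after` would be one that loses. `.button` already declares `transition: all .2s ease;` itself, so the blanket rule could be dropped or narrowed to the elements that need it. The infinite `stars_ani` and `beam_ani` animations also have no reduced-motion opt-out; a `@media (prefers-reduced-motion: reduce)` block setting `animation: none;` on `.stars_bg` and `.beam` would cover that.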
diff --git a/docs/assets/images/homepage_hero_orb_03.png b/docs/assets/images/homepage_hero_orb_03.png
new file mode 100644
index 000000000000..261f40f49073
Binary files /dev/null and b/docs/assets/images/homepage_hero_orb_03.png differ
diff --git a/docs/assets/images/homepage_hero_stars_02.svg b/docs/assets/images/homepage_hero_stars_02.svg
new file mode 100644
index 000000000000..d0e4570eb467
--- /dev/null
+++ b/docs/assets/images/homepage_hero_stars_02.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/docs/assets/images/homepage_hero_terrain_08.svg b/docs/assets/images/homepage_hero_terrain_08.svg
new file mode 100644
index 000000000000..fe2236c99569
--- /dev/null
+++ b/docs/assets/images/homepage_hero_terrain_08.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/docs/assets/images/homepage_v1_hero_person_01.png b/docs/assets/images/homepage_v1_hero_person_01.png
new file mode 100644
index 000000000000..2901ed862e5d
Binary files /dev/null and b/docs/assets/images/homepage_v1_hero_person_01.png differ
diff --git a/docs/assets/images/trivy_logo_horizontal_white.svg b/docs/assets/images/trivy_logo_horizontal_white.svg
new file mode 100644
index 000000000000..287eb199f1e8
--- /dev/null
+++ b/docs/assets/images/trivy_logo_horizontal_white.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/docs/assets/javascripts/trivy_v1_homepage.js b/docs/assets/javascripts/trivy_v1_homepage.js
new file mode 100644
index 000000000000..2fdfba9a8a00
--- /dev/null
+++ b/docs/assets/javascripts/trivy_v1_homepage.js
@@ -0,0 +1,9 @@
+/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */
+!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?n[o.call(e)]||"object":typeof e}var f="3.5.1",S=function(e,t){return new S.fn.init(e,t)};function p(e){var t=!!e&&"length"in e&&e.length,n=w(e);return!m(e)&&!x(e)&&("array"===n||0===t||"number"==typeof t&&0+~]|"+M+")"+M+"*"),U=new RegExp(M+"|>"),X=new RegExp(F),V=new RegExp("^"+I+"$"),G={ID:new RegExp("^#("+I+")"),CLASS:new RegExp("^\\.("+I+")"),TAG:new RegExp("^("+I+"|[*])"),ATTR:new RegExp("^"+W),PSEUDO:new RegExp("^"+F),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+M+"*(even|odd|(([+-]|)(\\d*)n|)"+M+"*(?:([+-]|)"+M+"*(\\d+)|))"+M+"*\\)|)","i"),bool:new RegExp("^(?:"+R+")$","i"),needsContext:new RegExp("^"+M+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+M+"*((?:-\\d)?\\d*)"+M+"*\\)|)(?=[^-]|$)","i")},Y=/HTML$/i,Q=/^(?:input|select|textarea|button)$/i,J=/^h\d$/i,K=/^[^{]+\{\s*\[native \w/,Z=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,ee=/[+~]/,te=new RegExp("\\\\[\\da-fA-F]{1,6}"+M+"?|\\\\([^\\r\\n\\f])","g"),ne=function(e,t){var n="0x"+e.slice(1)-65536;return 
t||(n<0?String.fromCharCode(n+65536):String.fromCharCode(n>>10|55296,1023&n|56320))},re=/([\0-\x1f\x7f]|^-?\d)|^-$|[^\0-\x1f\x7f-\uFFFF\w-]/g,ie=function(e,t){return t?"\0"===e?"\ufffd":e.slice(0,-1)+"\\"+e.charCodeAt(e.length-1).toString(16)+" ":"\\"+e},oe=function(){T()},ae=be(function(e){return!0===e.disabled&&"fieldset"===e.nodeName.toLowerCase()},{dir:"parentNode",next:"legend"});try{H.apply(t=O.call(p.childNodes),p.childNodes),t[p.childNodes.length].nodeType}catch(e){H={apply:t.length?function(e,t){L.apply(e,O.call(t))}:function(e,t){var n=e.length,r=0;while(e[n++]=t[r++]);e.length=n-1}}}function se(t,e,n,r){var i,o,a,s,u,l,c,f=e&&e.ownerDocument,p=e?e.nodeType:9;if(n=n||[],"string"!=typeof t||!t||1!==p&&9!==p&&11!==p)return n;if(!r&&(T(e),e=e||C,E)){if(11!==p&&(u=Z.exec(t)))if(i=u[1]){if(9===p){if(!(a=e.getElementById(i)))return n;if(a.id===i)return n.push(a),n}else if(f&&(a=f.getElementById(i))&&y(e,a)&&a.id===i)return n.push(a),n}else{if(u[2])return H.apply(n,e.getElementsByTagName(t)),n;if((i=u[3])&&d.getElementsByClassName&&e.getElementsByClassName)return H.apply(n,e.getElementsByClassName(i)),n}if(d.qsa&&!N[t+" "]&&(!v||!v.test(t))&&(1!==p||"object"!==e.nodeName.toLowerCase())){if(c=t,f=e,1===p&&(U.test(t)||z.test(t))){(f=ee.test(t)&&ye(e.parentNode)||e)===e&&d.scope||((s=e.getAttribute("id"))?s=s.replace(re,ie):e.setAttribute("id",s=S)),o=(l=h(t)).length;while(o--)l[o]=(s?"#"+s:":scope")+" "+xe(l[o]);c=l.join(",")}try{return H.apply(n,f.querySelectorAll(c)),n}catch(e){N(t,!0)}finally{s===S&&e.removeAttribute("id")}}}return g(t.replace($,"$1"),e,n,r)}function ue(){var r=[];return function e(t,n){return r.push(t+" ")>b.cacheLength&&delete e[r.shift()],e[t+" "]=n}}function le(e){return e[S]=!0,e}function ce(e){var t=C.createElement("fieldset");try{return!!e(t)}catch(e){return!1}finally{t.parentNode&&t.parentNode.removeChild(t),t=null}}function fe(e,t){var n=e.split("|"),r=n.length;while(r--)b.attrHandle[n[r]]=t}function pe(e,t){var 
n=t&&e,r=n&&1===e.nodeType&&1===t.nodeType&&e.sourceIndex-t.sourceIndex;if(r)return r;if(n)while(n=n.nextSibling)if(n===t)return-1;return e?1:-1}function de(t){return function(e){return"input"===e.nodeName.toLowerCase()&&e.type===t}}function he(n){return function(e){var t=e.nodeName.toLowerCase();return("input"===t||"button"===t)&&e.type===n}}function ge(t){return function(e){return"form"in e?e.parentNode&&!1===e.disabled?"label"in e?"label"in e.parentNode?e.parentNode.disabled===t:e.disabled===t:e.isDisabled===t||e.isDisabled!==!t&&ae(e)===t:e.disabled===t:"label"in e&&e.disabled===t}}function ve(a){return le(function(o){return o=+o,le(function(e,t){var n,r=a([],e.length,o),i=r.length;while(i--)e[n=r[i]]&&(e[n]=!(t[n]=e[n]))})})}function ye(e){return e&&"undefined"!=typeof e.getElementsByTagName&&e}for(e in d=se.support={},i=se.isXML=function(e){var t=e.namespaceURI,n=(e.ownerDocument||e).documentElement;return!Y.test(t||n&&n.nodeName||"HTML")},T=se.setDocument=function(e){var t,n,r=e?e.ownerDocument||e:p;return r!=C&&9===r.nodeType&&r.documentElement&&(a=(C=r).documentElement,E=!i(C),p!=C&&(n=C.defaultView)&&n.top!==n&&(n.addEventListener?n.addEventListener("unload",oe,!1):n.attachEvent&&n.attachEvent("onunload",oe)),d.scope=ce(function(e){return a.appendChild(e).appendChild(C.createElement("div")),"undefined"!=typeof e.querySelectorAll&&!e.querySelectorAll(":scope fieldset div").length}),d.attributes=ce(function(e){return e.className="i",!e.getAttribute("className")}),d.getElementsByTagName=ce(function(e){return e.appendChild(C.createComment("")),!e.getElementsByTagName("*").length}),d.getElementsByClassName=K.test(C.getElementsByClassName),d.getById=ce(function(e){return a.appendChild(e).id=S,!C.getElementsByName||!C.getElementsByName(S).length}),d.getById?(b.filter.ID=function(e){var t=e.replace(te,ne);return function(e){return e.getAttribute("id")===t}},b.find.ID=function(e,t){if("undefined"!=typeof t.getElementById&&E){var n=t.getElementById(e);return 
n?[n]:[]}}):(b.filter.ID=function(e){var n=e.replace(te,ne);return function(e){var t="undefined"!=typeof e.getAttributeNode&&e.getAttributeNode("id");return t&&t.value===n}},b.find.ID=function(e,t){if("undefined"!=typeof t.getElementById&&E){var n,r,i,o=t.getElementById(e);if(o){if((n=o.getAttributeNode("id"))&&n.value===e)return[o];i=t.getElementsByName(e),r=0;while(o=i[r++])if((n=o.getAttributeNode("id"))&&n.value===e)return[o]}return[]}}),b.find.TAG=d.getElementsByTagName?function(e,t){return"undefined"!=typeof t.getElementsByTagName?t.getElementsByTagName(e):d.qsa?t.querySelectorAll(e):void 0}:function(e,t){var n,r=[],i=0,o=t.getElementsByTagName(e);if("*"===e){while(n=o[i++])1===n.nodeType&&r.push(n);return r}return o},b.find.CLASS=d.getElementsByClassName&&function(e,t){if("undefined"!=typeof t.getElementsByClassName&&E)return t.getElementsByClassName(e)},s=[],v=[],(d.qsa=K.test(C.querySelectorAll))&&(ce(function(e){var t;a.appendChild(e).innerHTML=" ",e.querySelectorAll("[msallowcapture^='']").length&&v.push("[*^$]="+M+"*(?:''|\"\")"),e.querySelectorAll("[selected]").length||v.push("\\["+M+"*(?:value|"+R+")"),e.querySelectorAll("[id~="+S+"-]").length||v.push("~="),(t=C.createElement("input")).setAttribute("name",""),e.appendChild(t),e.querySelectorAll("[name='']").length||v.push("\\["+M+"*name"+M+"*="+M+"*(?:''|\"\")"),e.querySelectorAll(":checked").length||v.push(":checked"),e.querySelectorAll("a#"+S+"+*").length||v.push(".#.+[+~]"),e.querySelectorAll("\\\f"),v.push("[\\r\\n\\f]")}),ce(function(e){e.innerHTML=" ";var 
t=C.createElement("input");t.setAttribute("type","hidden"),e.appendChild(t).setAttribute("name","D"),e.querySelectorAll("[name=d]").length&&v.push("name"+M+"*[*^$|!~]?="),2!==e.querySelectorAll(":enabled").length&&v.push(":enabled",":disabled"),a.appendChild(e).disabled=!0,2!==e.querySelectorAll(":disabled").length&&v.push(":enabled",":disabled"),e.querySelectorAll("*,:x"),v.push(",.*:")})),(d.matchesSelector=K.test(c=a.matches||a.webkitMatchesSelector||a.mozMatchesSelector||a.oMatchesSelector||a.msMatchesSelector))&&ce(function(e){d.disconnectedMatch=c.call(e,"*"),c.call(e,"[s!='']:x"),s.push("!=",F)}),v=v.length&&new RegExp(v.join("|")),s=s.length&&new RegExp(s.join("|")),t=K.test(a.compareDocumentPosition),y=t||K.test(a.contains)?function(e,t){var n=9===e.nodeType?e.documentElement:e,r=t&&t.parentNode;return e===r||!(!r||1!==r.nodeType||!(n.contains?n.contains(r):e.compareDocumentPosition&&16&e.compareDocumentPosition(r)))}:function(e,t){if(t)while(t=t.parentNode)if(t===e)return!0;return!1},D=t?function(e,t){if(e===t)return l=!0,0;var n=!e.compareDocumentPosition-!t.compareDocumentPosition;return n||(1&(n=(e.ownerDocument||e)==(t.ownerDocument||t)?e.compareDocumentPosition(t):1)||!d.sortDetached&&t.compareDocumentPosition(e)===n?e==C||e.ownerDocument==p&&y(p,e)?-1:t==C||t.ownerDocument==p&&y(p,t)?1:u?P(u,e)-P(u,t):0:4&n?-1:1)}:function(e,t){if(e===t)return l=!0,0;var n,r=0,i=e.parentNode,o=t.parentNode,a=[e],s=[t];if(!i||!o)return e==C?-1:t==C?1:i?-1:o?1:u?P(u,e)-P(u,t):0;if(i===o)return pe(e,t);n=e;while(n=n.parentNode)a.unshift(n);n=t;while(n=n.parentNode)s.unshift(n);while(a[r]===s[r])r++;return r?pe(a[r],s[r]):a[r]==p?-1:s[r]==p?1:0}),C},se.matches=function(e,t){return se(e,null,null,t)},se.matchesSelector=function(e,t){if(T(e),d.matchesSelector&&E&&!N[t+" "]&&(!s||!s.test(t))&&(!v||!v.test(t)))try{var n=c.call(e,t);if(n||d.disconnectedMatch||e.document&&11!==e.document.nodeType)return n}catch(e){N(t,!0)}return 0":{dir:"parentNode",first:!0}," 
":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(e){return e[1]=e[1].replace(te,ne),e[3]=(e[3]||e[4]||e[5]||"").replace(te,ne),"~="===e[2]&&(e[3]=" "+e[3]+" "),e.slice(0,4)},CHILD:function(e){return e[1]=e[1].toLowerCase(),"nth"===e[1].slice(0,3)?(e[3]||se.error(e[0]),e[4]=+(e[4]?e[5]+(e[6]||1):2*("even"===e[3]||"odd"===e[3])),e[5]=+(e[7]+e[8]||"odd"===e[3])):e[3]&&se.error(e[0]),e},PSEUDO:function(e){var t,n=!e[6]&&e[2];return G.CHILD.test(e[0])?null:(e[3]?e[2]=e[4]||e[5]||"":n&&X.test(n)&&(t=h(n,!0))&&(t=n.indexOf(")",n.length-t)-n.length)&&(e[0]=e[0].slice(0,t),e[2]=n.slice(0,t)),e.slice(0,3))}},filter:{TAG:function(e){var t=e.replace(te,ne).toLowerCase();return"*"===e?function(){return!0}:function(e){return e.nodeName&&e.nodeName.toLowerCase()===t}},CLASS:function(e){var t=m[e+" "];return t||(t=new RegExp("(^|"+M+")"+e+"("+M+"|$)"))&&m(e,function(e){return t.test("string"==typeof e.className&&e.className||"undefined"!=typeof e.getAttribute&&e.getAttribute("class")||"")})},ATTR:function(n,r,i){return function(e){var t=se.attr(e,n);return null==t?"!="===r:!r||(t+="","="===r?t===i:"!="===r?t!==i:"^="===r?i&&0===t.indexOf(i):"*="===r?i&&-1:\x20\t\r\n\f]*)[\x20\t\r\n\f]*\/?>(?:<\/\1>|)$/i;function D(e,n,r){return m(n)?S.grep(e,function(e,t){return!!n.call(e,t,e)!==r}):n.nodeType?S.grep(e,function(e){return e===n!==r}):"string"!=typeof n?S.grep(e,function(e){return-1)[^>]*|#([\w-]+))$/;(S.fn.init=function(e,t,n){var r,i;if(!e)return this;if(n=n||j,"string"==typeof e){if(!(r="<"===e[0]&&">"===e[e.length-1]&&3<=e.length?[null,e,null]:q.exec(e))||!r[1]&&t)return!t||t.jquery?(t||n).find(e):this.constructor(t).find(e);if(r[1]){if(t=t instanceof S?t[0]:t,S.merge(this,S.parseHTML(r[1],t&&t.nodeType?t.ownerDocument||t:E,!0)),N.test(r[1])&&S.isPlainObject(t))for(r in t)m(this[r])?this[r](t[r]):this.attr(r,t[r]);return this}return(i=E.getElementById(r[2]))&&(this[0]=i,this.length=1),this}return 
e.nodeType?(this[0]=e,this.length=1,this):m(e)?void 0!==n.ready?n.ready(e):e(S):S.makeArray(e,this)}).prototype=S.fn,j=S(E);var L=/^(?:parents|prev(?:Until|All))/,H={children:!0,contents:!0,next:!0,prev:!0};function O(e,t){while((e=e[t])&&1!==e.nodeType);return e}S.fn.extend({has:function(e){var t=S(e,this),n=t.length;return this.filter(function(){for(var e=0;e\x20\t\r\n\f]*)/i,he=/^$|^module$|\/(?:java|ecma)script/i;ce=E.createDocumentFragment().appendChild(E.createElement("div")),(fe=E.createElement("input")).setAttribute("type","radio"),fe.setAttribute("checked","checked"),fe.setAttribute("name","t"),ce.appendChild(fe),y.checkClone=ce.cloneNode(!0).cloneNode(!0).lastChild.checked,ce.innerHTML="",y.noCloneChecked=!!ce.cloneNode(!0).lastChild.defaultValue,ce.innerHTML=" ",y.option=!!ce.lastChild;var ge={thead:[1,""],col:[2,""],tr:[2,""],td:[3,""],_default:[0,"",""]};function ve(e,t){var n;return n="undefined"!=typeof e.getElementsByTagName?e.getElementsByTagName(t||"*"):"undefined"!=typeof e.querySelectorAll?e.querySelectorAll(t||"*"):[],void 0===t||t&&A(e,t)?S.merge([e],n):n}function ye(e,t){for(var n=0,r=e.length;n",""]);var me=/<|?\w+;/;function xe(e,t,n,r,i){for(var o,a,s,u,l,c,f=t.createDocumentFragment(),p=[],d=0,h=e.length;d\s*$/g;function qe(e,t){return A(e,"table")&&A(11!==t.nodeType?t:t.firstChild,"tr")&&S(e).children("tbody")[0]||e}function Le(e){return e.type=(null!==e.getAttribute("type"))+"/"+e.type,e}function He(e){return"true/"===(e.type||"").slice(0,5)?e.type=e.type.slice(5):e.removeAttribute("type"),e}function Oe(e,t){var n,r,i,o,a,s;if(1===t.nodeType){if(Y.hasData(e)&&(s=Y.get(e).events))for(i in Y.remove(t,"handle events"),s)for(n=0,r=s[i].length;n").attr(n.scriptAttrs||{}).prop({charset:n.scriptCharset,src:n.url}).on("load error",i=function(e){r.remove(),i=null,e&&t("error"===e.type?404:200,e.type)}),E.head.appendChild(r[0])},abort:function(){i&&i()}}});var 
Ut,Xt=[],Vt=/(=)\?(?=&|$)|\?\?/;S.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var e=Xt.pop()||S.expando+"_"+Ct.guid++;return this[e]=!0,e}}),S.ajaxPrefilter("json jsonp",function(e,t,n){var r,i,o,a=!1!==e.jsonp&&(Vt.test(e.url)?"url":"string"==typeof e.data&&0===(e.contentType||"").indexOf("application/x-www-form-urlencoded")&&Vt.test(e.data)&&"data");if(a||"jsonp"===e.dataTypes[0])return r=e.jsonpCallback=m(e.jsonpCallback)?e.jsonpCallback():e.jsonpCallback,a?e[a]=e[a].replace(Vt,"$1"+r):!1!==e.jsonp&&(e.url+=(Et.test(e.url)?"&":"?")+e.jsonp+"="+r),e.converters["script json"]=function(){return o||S.error(r+" was not called"),o[0]},e.dataTypes[0]="json",i=C[r],C[r]=function(){o=arguments},n.always(function(){void 0===i?S(C).removeProp(r):C[r]=i,e[r]&&(e.jsonpCallback=t.jsonpCallback,Xt.push(r)),o&&m(i)&&i(o[0]),o=i=void 0}),"script"}),y.createHTMLDocument=((Ut=E.implementation.createHTMLDocument("").body).innerHTML="",2===Ut.childNodes.length),S.parseHTML=function(e,t,n){return"string"!=typeof e?[]:("boolean"==typeof t&&(n=t,t=!1),t||(y.createHTMLDocument?((r=(t=E.implementation.createHTMLDocument("")).createElement("base")).href=E.location.href,t.head.appendChild(r)):t=E),o=!n&&[],(i=N.exec(e))?[t.createElement(i[1])]:(i=xe([e],t,o),o&&o.length&&S(o).remove(),S.merge([],i.childNodes)));var r,i,o},S.fn.load=function(e,t,n){var r,i,o,a=this,s=e.indexOf(" ");return-1").append(S.parseHTML(e)).find(r):e)}).always(n&&function(e,t){a.each(function(){n.apply(this,o||[e.responseText,t,e])})}),this},S.expr.pseudos.animated=function(t){return S.grep(S.timers,function(e){return t===e.elem}).length},S.offset={setOffset:function(e,t,n){var 
r,i,o,a,s,u,l=S.css(e,"position"),c=S(e),f={};"static"===l&&(e.style.position="relative"),s=c.offset(),o=S.css(e,"top"),u=S.css(e,"left"),("absolute"===l||"fixed"===l)&&-1<(o+u).indexOf("auto")?(a=(r=c.position()).top,i=r.left):(a=parseFloat(o)||0,i=parseFloat(u)||0),m(t)&&(t=t.call(e,n,S.extend({},s))),null!=t.top&&(f.top=t.top-s.top+a),null!=t.left&&(f.left=t.left-s.left+i),"using"in t?t.using.call(e,f):("number"==typeof f.top&&(f.top+="px"),"number"==typeof f.left&&(f.left+="px"),c.css(f))}},S.fn.extend({offset:function(t){if(arguments.length)return void 0===t?this:this.each(function(e){S.offset.setOffset(this,t,e)});var e,n,r=this[0];return r?r.getClientRects().length?(e=r.getBoundingClientRect(),n=r.ownerDocument.defaultView,{top:e.top+n.pageYOffset,left:e.left+n.pageXOffset}):{top:0,left:0}:void 0},position:function(){if(this[0]){var e,t,n,r=this[0],i={top:0,left:0};if("fixed"===S.css(r,"position"))t=r.getBoundingClientRect();else{t=this.offset(),n=r.ownerDocument,e=r.offsetParent||n.documentElement;while(e&&(e===n.body||e===n.documentElement)&&"static"===S.css(e,"position"))e=e.parentNode;e&&e!==r&&1===e.nodeType&&((i=S(e).offset()).top+=S.css(e,"borderTopWidth",!0),i.left+=S.css(e,"borderLeftWidth",!0))}return{top:t.top-i.top-S.css(r,"marginTop",!0),left:t.left-i.left-S.css(r,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var e=this.offsetParent;while(e&&"static"===S.css(e,"position"))e=e.offsetParent;return e||re})}}),S.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(t,i){var o="pageYOffset"===i;S.fn[t]=function(e){return $(this,function(e,t,n){var r;if(x(e)?r=e:9===e.nodeType&&(r=e.defaultView),void 0===n)return r?r[i]:e[t];r?r.scrollTo(o?r.pageXOffset:n,o?n:r.pageYOffset):e[t]=n},t,e,arguments.length)}}),S.each(["top","left"],function(e,n){S.cssHooks[n]=$e(y.pixelPosition,function(e,t){if(t)return 
t=Be(e,n),Me.test(t)?S(e).position()[n]+"px":t})}),S.each({Height:"height",Width:"width"},function(a,s){S.each({padding:"inner"+a,content:s,"":"outer"+a},function(r,o){S.fn[o]=function(e,t){var n=arguments.length&&(r||"boolean"!=typeof e),i=r||(!0===e||!0===t?"margin":"border");return $(this,function(e,t,n){var r;return x(e)?0===o.indexOf("outer")?e["inner"+a]:e.document.documentElement["client"+a]:9===e.nodeType?(r=e.documentElement,Math.max(e.body["scroll"+a],r["scroll"+a],e.body["offset"+a],r["offset"+a],r["client"+a])):void 0===n?S.css(e,t,i):S.style(e,t,n,i)},s,n?e:void 0,n)}})}),S.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(e,t){S.fn[t]=function(e){return this.on(t,e)}}),S.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,"**"):this.off(t,e||"**",n)},hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),S.each("blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu".split(" "),function(e,n){S.fn[n]=function(e,t){return 0Previous',nextArrow:'Next ',autoplay:!1,autoplaySpeed:3e3,centerMode:!1,centerPadding:"50px",cssEase:"ease",customPaging:function(e,t){return i(' 
').text(t+1)},dots:!1,dotsClass:"slick-dots",draggable:!0,easing:"linear",edgeFriction:.35,fade:!1,focusOnSelect:!1,focusOnChange:!1,infinite:!0,initialSlide:0,lazyLoad:"ondemand",mobileFirst:!1,pauseOnHover:!0,pauseOnFocus:!0,pauseOnDotsHover:!1,respondTo:"window",responsive:null,rows:1,rtl:!1,slide:"",slidesPerRow:1,slidesToShow:1,slidesToScroll:1,speed:500,swipe:!0,swipeToSlide:!1,touchMove:!0,touchThreshold:5,useCSS:!0,useTransform:!0,variableWidth:!1,vertical:!1,verticalSwiping:!1,waitForAnimate:!0,zIndex:1e3},n.initials={animating:!1,dragging:!1,autoPlayTimer:null,currentDirection:0,currentLeft:null,currentSlide:0,direction:1,$dots:null,listWidth:null,listHeight:null,loadIndex:0,$nextArrow:null,$prevArrow:null,scrolling:!1,slideCount:null,slideWidth:null,$slideTrack:null,$slides:null,sliding:!1,slideOffset:0,swipeLeft:null,swiping:!1,$list:null,touchObject:{},transformsEnabled:!1,unslicked:!1},i.extend(n,n.initials),n.activeBreakpoint=null,n.animType=null,n.animProp=null,n.breakpoints=[],n.breakpointSettings=[],n.cssTransitions=!1,n.focussed=!1,n.interrupted=!1,n.hidden="hidden",n.paused=!0,n.positionProp=null,n.respondTo=null,n.rowCount=1,n.shouldClick=!0,n.$slider=i(t),n.$slidesCache=null,n.transformType=null,n.transitionType=null,n.visibilityChange="visibilitychange",n.windowWidth=0,n.windowTimer=null,s=i(t).data("slick")||{},n.options=i.extend({},n.defaults,o,s),n.currentSlide=n.options.initialSlide,n.originalSettings=n.options,void 0!==document.mozHidden?(n.hidden="mozHidden",n.visibilityChange="mozvisibilitychange"):void 
0!==document.webkitHidden&&(n.hidden="webkitHidden",n.visibilityChange="webkitvisibilitychange"),n.autoPlay=i.proxy(n.autoPlay,n),n.autoPlayClear=i.proxy(n.autoPlayClear,n),n.autoPlayIterator=i.proxy(n.autoPlayIterator,n),n.changeSlide=i.proxy(n.changeSlide,n),n.clickHandler=i.proxy(n.clickHandler,n),n.selectHandler=i.proxy(n.selectHandler,n),n.setPosition=i.proxy(n.setPosition,n),n.swipeHandler=i.proxy(n.swipeHandler,n),n.dragHandler=i.proxy(n.dragHandler,n),n.keyHandler=i.proxy(n.keyHandler,n),n.instanceUid=e++,n.htmlExpr=/^(?:\s*(<[\w\W]+>)[^>]*)$/,n.registerBreakpoints(),n.init(!0)}}()).prototype.activateADA=function(){this.$slideTrack.find(".slick-active").attr({"aria-hidden":"false"}).find("a, input, button, select").attr({tabindex:"0"})},e.prototype.addSlide=e.prototype.slickAdd=function(e,t,o){var s=this;if("boolean"==typeof t)o=t,t=null;else if(t<0||t>=s.slideCount)return!1;s.unload(),"number"==typeof t?0===t&&0===s.$slides.length?i(e).appendTo(s.$slideTrack):o?i(e).insertBefore(s.$slides.eq(t)):i(e).insertAfter(s.$slides.eq(t)):!0===o?i(e).prependTo(s.$slideTrack):i(e).appendTo(s.$slideTrack),s.$slides=s.$slideTrack.children(this.options.slide),s.$slideTrack.children(this.options.slide).detach(),s.$slideTrack.append(s.$slides),s.$slides.each(function(e,t){i(t).attr("data-slick-index",e)}),s.$slidesCache=s.$slides,s.reinit()},e.prototype.animateHeight=function(){var i=this;if(1===i.options.slidesToShow&&!0===i.options.adaptiveHeight&&!1===i.options.vertical){var e=i.$slides.eq(i.currentSlide).outerHeight(!0);i.$list.animate({height:e},i.options.speed)}},e.prototype.animateSlide=function(e,t){var 
o={},s=this;s.animateHeight(),!0===s.options.rtl&&!1===s.options.vertical&&(e=-e),!1===s.transformsEnabled?!1===s.options.vertical?s.$slideTrack.animate({left:e},s.options.speed,s.options.easing,t):s.$slideTrack.animate({top:e},s.options.speed,s.options.easing,t):!1===s.cssTransitions?(!0===s.options.rtl&&(s.currentLeft=-s.currentLeft),i({animStart:s.currentLeft}).animate({animStart:e},{duration:s.options.speed,easing:s.options.easing,step:function(i){i=Math.ceil(i),!1===s.options.vertical?(o[s.animType]="translate("+i+"px, 0px)",s.$slideTrack.css(o)):(o[s.animType]="translate(0px,"+i+"px)",s.$slideTrack.css(o))},complete:function(){t&&t.call()}})):(s.applyTransition(),e=Math.ceil(e),!1===s.options.vertical?o[s.animType]="translate3d("+e+"px, 0px, 0px)":o[s.animType]="translate3d(0px,"+e+"px, 0px)",s.$slideTrack.css(o),t&&setTimeout(function(){s.disableTransition(),t.call()},s.options.speed))},e.prototype.getNavTarget=function(){var e=this,t=e.options.asNavFor;return t&&null!==t&&(t=i(t).not(e.$slider)),t},e.prototype.asNavFor=function(e){var t=this.getNavTarget();null!==t&&"object"==typeof t&&t.each(function(){var t=i(this).slick("getSlick");t.unslicked||t.slideHandler(e,!0)})},e.prototype.applyTransition=function(i){var e=this,t={};!1===e.options.fade?t[e.transitionType]=e.transformType+" "+e.options.speed+"ms "+e.options.cssEase:t[e.transitionType]="opacity "+e.options.speed+"ms "+e.options.cssEase,!1===e.options.fade?e.$slideTrack.css(t):e.$slides.eq(i).css(t)},e.prototype.autoPlay=function(){var i=this;i.autoPlayClear(),i.slideCount>i.options.slidesToShow&&(i.autoPlayTimer=setInterval(i.autoPlayIterator,i.options.autoplaySpeed))},e.prototype.autoPlayClear=function(){var i=this;i.autoPlayTimer&&clearInterval(i.autoPlayTimer)},e.prototype.autoPlayIterator=function(){var 
i=this,e=i.currentSlide+i.options.slidesToScroll;i.paused||i.interrupted||i.focussed||(!1===i.options.infinite&&(1===i.direction&&i.currentSlide+1===i.slideCount-1?i.direction=0:0===i.direction&&(e=i.currentSlide-i.options.slidesToScroll,i.currentSlide-1==0&&(i.direction=1))),i.slideHandler(e))},e.prototype.buildArrows=function(){var e=this;!0===e.options.arrows&&(e.$prevArrow=i(e.options.prevArrow).addClass("slick-arrow"),e.$nextArrow=i(e.options.nextArrow).addClass("slick-arrow"),e.slideCount>e.options.slidesToShow?(e.$prevArrow.removeClass("slick-hidden").removeAttr("aria-hidden tabindex"),e.$nextArrow.removeClass("slick-hidden").removeAttr("aria-hidden tabindex"),e.htmlExpr.test(e.options.prevArrow)&&e.$prevArrow.prependTo(e.options.appendArrows),e.htmlExpr.test(e.options.nextArrow)&&e.$nextArrow.appendTo(e.options.appendArrows),!0!==e.options.infinite&&e.$prevArrow.addClass("slick-disabled").attr("aria-disabled","true")):e.$prevArrow.add(e.$nextArrow).addClass("slick-hidden").attr({"aria-disabled":"true",tabindex:"-1"}))},e.prototype.buildDots=function(){var e,t,o=this;if(!0===o.options.dots){for(o.$slider.addClass("slick-dotted"),t=i("").addClass(o.options.dotsClass),e=0;e<=o.getDotCount();e+=1)t.append(i(" ").append(o.options.customPaging.call(this,o,e)));o.$dots=t.appendTo(o.options.appendDots),o.$dots.find("li").first().addClass("slick-active")}},e.prototype.buildOut=function(){var e=this;e.$slides=e.$slider.children(e.options.slide+":not(.slick-cloned)").addClass("slick-slide"),e.slideCount=e.$slides.length,e.$slides.each(function(e,t){i(t).attr("data-slick-index",e).data("originalStyling",i(t).attr("style")||"")}),e.$slider.addClass("slick-slider"),e.$slideTrack=0===e.slideCount?i('
').appendTo(e.$slider):e.$slides.wrapAll('
').parent(),e.$list=e.$slideTrack.wrap('
').parent(),e.$slideTrack.css("opacity",0),!0!==e.options.centerMode&&!0!==e.options.swipeToSlide||(e.options.slidesToScroll=1),i("img[data-lazy]",e.$slider).not("[src]").addClass("slick-loading"),e.setupInfinite(),e.buildArrows(),e.buildDots(),e.updateDots(),e.setSlideClasses("number"==typeof e.currentSlide?e.currentSlide:0),!0===e.options.draggable&&e.$list.addClass("draggable")},e.prototype.buildRows=function(){var i,e,t,o,s,n,r,l=this;if(o=document.createDocumentFragment(),n=l.$slider.children(),l.options.rows>1){for(r=l.options.slidesPerRow*l.options.rows,s=Math.ceil(n.length/r),i=0;ir.breakpoints[o]&&(s=r.breakpoints[o]));null!==s?null!==r.activeBreakpoint?(s!==r.activeBreakpoint||t)&&(r.activeBreakpoint=s,"unslick"===r.breakpointSettings[s]?r.unslick(s):(r.options=i.extend({},r.originalSettings,r.breakpointSettings[s]),!0===e&&(r.currentSlide=r.options.initialSlide),r.refresh(e)),l=s):(r.activeBreakpoint=s,"unslick"===r.breakpointSettings[s]?r.unslick(s):(r.options=i.extend({},r.originalSettings,r.breakpointSettings[s]),!0===e&&(r.currentSlide=r.options.initialSlide),r.refresh(e)),l=s):null!==r.activeBreakpoint&&(r.activeBreakpoint=null,r.options=r.originalSettings,!0===e&&(r.currentSlide=r.options.initialSlide),r.refresh(e),l=s),e||!1===l||r.$slider.trigger("breakpoint",[r,l])}},e.prototype.changeSlide=function(e,t){var o,s,n,r=this,l=i(e.currentTarget);switch(l.is("a")&&e.preventDefault(),l.is("li")||(l=l.closest("li")),n=r.slideCount%r.options.slidesToScroll!=0,o=n?0:(r.slideCount-r.currentSlide)%r.options.slidesToScroll,e.data.message){case"previous":s=0===o?r.options.slidesToScroll:r.options.slidesToShow-o,r.slideCount>r.options.slidesToShow&&r.slideHandler(r.currentSlide-s,!1,t);break;case"next":s=0===o?r.options.slidesToScroll:o,r.slideCount>r.options.slidesToShow&&r.slideHandler(r.currentSlide+s,!1,t);break;case"index":var 
d=0===e.data.index?0:e.data.index||l.index()*r.options.slidesToScroll;r.slideHandler(r.checkNavigable(d),!1,t),l.children().trigger("focus");break;default:return}},e.prototype.checkNavigable=function(i){var e,t;if(e=this.getNavigableIndexes(),t=0,i>e[e.length-1])i=e[e.length-1];else for(var o in e){if(ie.options.slidesToShow&&(e.$prevArrow&&e.$prevArrow.off("click.slick",e.changeSlide),e.$nextArrow&&e.$nextArrow.off("click.slick",e.changeSlide),!0===e.options.accessibility&&(e.$prevArrow&&e.$prevArrow.off("keydown.slick",e.keyHandler),e.$nextArrow&&e.$nextArrow.off("keydown.slick",e.keyHandler))),e.$list.off("touchstart.slick mousedown.slick",e.swipeHandler),e.$list.off("touchmove.slick mousemove.slick",e.swipeHandler),e.$list.off("touchend.slick mouseup.slick",e.swipeHandler),e.$list.off("touchcancel.slick mouseleave.slick",e.swipeHandler),e.$list.off("click.slick",e.clickHandler),i(document).off(e.visibilityChange,e.visibility),e.cleanUpSlideEvents(),!0===e.options.accessibility&&e.$list.off("keydown.slick",e.keyHandler),!0===e.options.focusOnSelect&&i(e.$slideTrack).children().off("click.slick",e.selectHandler),i(window).off("orientationchange.slick.slick-"+e.instanceUid,e.orientationChange),i(window).off("resize.slick.slick-"+e.instanceUid,e.resize),i("[draggable!=true]",e.$slideTrack).off("dragstart",e.preventDefault),i(window).off("load.slick.slick-"+e.instanceUid,e.setPosition)},e.prototype.cleanUpSlideEvents=function(){var e=this;e.$list.off("mouseenter.slick",i.proxy(e.interrupt,e,!0)),e.$list.off("mouseleave.slick",i.proxy(e.interrupt,e,!1))},e.prototype.cleanUpRows=function(){var i,e=this;e.options.rows>1&&((i=e.$slides.children().children()).removeAttr("style"),e.$slider.empty().append(i))},e.prototype.clickHandler=function(i){!1===this.shouldClick&&(i.stopImmediatePropagation(),i.stopPropagation(),i.preventDefault())},e.prototype.destroy=function(e){var 
t=this;t.autoPlayClear(),t.touchObject={},t.cleanUpEvents(),i(".slick-cloned",t.$slider).detach(),t.$dots&&t.$dots.remove(),t.$prevArrow&&t.$prevArrow.length&&(t.$prevArrow.removeClass("slick-disabled slick-arrow slick-hidden").removeAttr("aria-hidden aria-disabled tabindex").css("display",""),t.htmlExpr.test(t.options.prevArrow)&&t.$prevArrow.remove()),t.$nextArrow&&t.$nextArrow.length&&(t.$nextArrow.removeClass("slick-disabled slick-arrow slick-hidden").removeAttr("aria-hidden aria-disabled tabindex").css("display",""),t.htmlExpr.test(t.options.nextArrow)&&t.$nextArrow.remove()),t.$slides&&(t.$slides.removeClass("slick-slide slick-active slick-center slick-visible slick-current").removeAttr("aria-hidden").removeAttr("data-slick-index").each(function(){i(this).attr("style",i(this).data("originalStyling"))}),t.$slideTrack.children(this.options.slide).detach(),t.$slideTrack.detach(),t.$list.detach(),t.$slider.append(t.$slides)),t.cleanUpRows(),t.$slider.removeClass("slick-slider"),t.$slider.removeClass("slick-initialized"),t.$slider.removeClass("slick-dotted"),t.unslicked=!0,e||t.$slider.trigger("destroy",[t])},e.prototype.disableTransition=function(i){var e=this,t={};t[e.transitionType]="",!1===e.options.fade?e.$slideTrack.css(t):e.$slides.eq(i).css(t)},e.prototype.fadeSlide=function(i,e){var t=this;!1===t.cssTransitions?(t.$slides.eq(i).css({zIndex:t.options.zIndex}),t.$slides.eq(i).animate({opacity:1},t.options.speed,t.options.easing,e)):(t.applyTransition(i),t.$slides.eq(i).css({opacity:1,zIndex:t.options.zIndex}),e&&setTimeout(function(){t.disableTransition(i),e.call()},t.options.speed))},e.prototype.fadeSlideOut=function(i){var e=this;!1===e.cssTransitions?e.$slides.eq(i).animate({opacity:0,zIndex:e.options.zIndex-2},e.options.speed,e.options.easing):(e.applyTransition(i),e.$slides.eq(i).css({opacity:0,zIndex:e.options.zIndex-2}))},e.prototype.filterSlides=e.prototype.slickFilter=function(i){var 
e=this;null!==i&&(e.$slidesCache=e.$slides,e.unload(),e.$slideTrack.children(this.options.slide).detach(),e.$slidesCache.filter(i).appendTo(e.$slideTrack),e.reinit())},e.prototype.focusHandler=function(){var e=this;e.$slider.off("focus.slick blur.slick").on("focus.slick blur.slick","*",function(t){t.stopImmediatePropagation();var o=i(this);setTimeout(function(){e.options.pauseOnFocus&&(e.focussed=o.is(":focus"),e.autoPlay())},0)})},e.prototype.getCurrent=e.prototype.slickCurrentSlide=function(){return this.currentSlide},e.prototype.getDotCount=function(){var i=this,e=0,t=0,o=0;if(!0===i.options.infinite)if(i.slideCount<=i.options.slidesToShow)++o;else for(;en.options.slidesToShow&&(n.slideOffset=n.slideWidth*n.options.slidesToShow*-1,s=-1,!0===n.options.vertical&&!0===n.options.centerMode&&(2===n.options.slidesToShow?s=-1.5:1===n.options.slidesToShow&&(s=-2)),r=t*n.options.slidesToShow*s),n.slideCount%n.options.slidesToScroll!=0&&i+n.options.slidesToScroll>n.slideCount&&n.slideCount>n.options.slidesToShow&&(i>n.slideCount?(n.slideOffset=(n.options.slidesToShow-(i-n.slideCount))*n.slideWidth*-1,r=(n.options.slidesToShow-(i-n.slideCount))*t*-1):(n.slideOffset=n.slideCount%n.options.slidesToScroll*n.slideWidth*-1,r=n.slideCount%n.options.slidesToScroll*t*-1))):i+n.options.slidesToShow>n.slideCount&&(n.slideOffset=(i+n.options.slidesToShow-n.slideCount)*n.slideWidth,r=(i+n.options.slidesToShow-n.slideCount)*t),n.slideCount<=n.options.slidesToShow&&(n.slideOffset=0,r=0),!0===n.options.centerMode&&n.slideCount<=n.options.slidesToShow?n.slideOffset=n.slideWidth*Math.floor(n.options.slidesToShow)/2-n.slideWidth*n.slideCount/2:!0===n.options.centerMode&&!0===n.options.infinite?n.slideOffset+=n.slideWidth*Math.floor(n.options.slidesToShow/2)-n.slideWidth:!0===n.options.centerMode&&(n.slideOffset=0,n.slideOffset+=n.slideWidth*Math.floor(n.options.slidesToShow/2)),e=!1===n.options.vertical?i*n.slideWidth*-1+n.slideOffset:i*t*-1+r,!0===n.options.variableWidth&&(o=n.slideCount<=n
.options.slidesToShow||!1===n.options.infinite?n.$slideTrack.children(".slick-slide").eq(i):n.$slideTrack.children(".slick-slide").eq(i+n.options.slidesToShow),e=!0===n.options.rtl?o[0]?-1*(n.$slideTrack.width()-o[0].offsetLeft-o.width()):0:o[0]?-1*o[0].offsetLeft:0,!0===n.options.centerMode&&(o=n.slideCount<=n.options.slidesToShow||!1===n.options.infinite?n.$slideTrack.children(".slick-slide").eq(i):n.$slideTrack.children(".slick-slide").eq(i+n.options.slidesToShow+1),e=!0===n.options.rtl?o[0]?-1*(n.$slideTrack.width()-o[0].offsetLeft-o.width()):0:o[0]?-1*o[0].offsetLeft:0,e+=(n.$list.width()-o.outerWidth())/2)),e},e.prototype.getOption=e.prototype.slickGetOption=function(i){return this.options[i]},e.prototype.getNavigableIndexes=function(){var i,e=this,t=0,o=0,s=[];for(!1===e.options.infinite?i=e.slideCount:(t=-1*e.options.slidesToScroll,o=-1*e.options.slidesToScroll,i=2*e.slideCount);t-1*o.swipeLeft)return e=n,!1}),Math.abs(i(e).attr("data-slick-index")-o.currentSlide)||1):o.options.slidesToScroll},e.prototype.goTo=e.prototype.slickGoTo=function(i,e){this.changeSlide({data:{message:"index",index:parseInt(i)}},e)},e.prototype.init=function(e){var t=this;i(t.$slider).hasClass("slick-initialized")||(i(t.$slider).addClass("slick-initialized"),t.buildRows(),t.buildOut(),t.setProps(),t.startLoad(),t.loadSlider(),t.initializeEvents(),t.updateArrows(),t.updateDots(),t.checkResponsive(!0),t.focusHandler()),e&&t.$slider.trigger("init",[t]),!0===t.options.accessibility&&t.initADA(),t.options.autoplay&&(t.paused=!1,t.autoPlay())},e.prototype.initADA=function(){var e=this,t=Math.ceil(e.slideCount/e.options.slidesToShow),o=e.getNavigableIndexes().filter(function(i){return 
i>=0&&ii.options.slidesToShow&&(i.$prevArrow.off("click.slick").on("click.slick",{message:"previous"},i.changeSlide),i.$nextArrow.off("click.slick").on("click.slick",{message:"next"},i.changeSlide),!0===i.options.accessibility&&(i.$prevArrow.on("keydown.slick",i.keyHandler),i.$nextArrow.on("keydown.slick",i.keyHandler)))},e.prototype.initDotEvents=function(){var e=this;!0===e.options.dots&&(i("li",e.$dots).on("click.slick",{message:"index"},e.changeSlide),!0===e.options.accessibility&&e.$dots.on("keydown.slick",e.keyHandler)),!0===e.options.dots&&!0===e.options.pauseOnDotsHover&&i("li",e.$dots).on("mouseenter.slick",i.proxy(e.interrupt,e,!0)).on("mouseleave.slick",i.proxy(e.interrupt,e,!1))},e.prototype.initSlideEvents=function(){var e=this;e.options.pauseOnHover&&(e.$list.on("mouseenter.slick",i.proxy(e.interrupt,e,!0)),e.$list.on("mouseleave.slick",i.proxy(e.interrupt,e,!1)))},e.prototype.initializeEvents=function(){var e=this;e.initArrowEvents(),e.initDotEvents(),e.initSlideEvents(),e.$list.on("touchstart.slick mousedown.slick",{action:"start"},e.swipeHandler),e.$list.on("touchmove.slick mousemove.slick",{action:"move"},e.swipeHandler),e.$list.on("touchend.slick mouseup.slick",{action:"end"},e.swipeHandler),e.$list.on("touchcancel.slick mouseleave.slick",{action:"end"},e.swipeHandler),e.$list.on("click.slick",e.clickHandler),i(document).on(e.visibilityChange,i.proxy(e.visibility,e)),!0===e.options.accessibility&&e.$list.on("keydown.slick",e.keyHandler),!0===e.options.focusOnSelect&&i(e.$slideTrack).children().on("click.slick",e.selectHandler),i(window).on("orientationchange.slick.slick-"+e.instanceUid,i.proxy(e.orientationChange,e)),i(window).on("resize.slick.slick-"+e.instanceUid,i.proxy(e.resize,e)),i("[draggable!=true]",e.$slideTrack).on("dragstart",e.preventDefault),i(window).on("load.slick.slick-"+e.instanceUid,e.setPosition),i(e.setPosition)},e.prototype.initUI=function(){var 
i=this;!0===i.options.arrows&&i.slideCount>i.options.slidesToShow&&(i.$prevArrow.show(),i.$nextArrow.show()),!0===i.options.dots&&i.slideCount>i.options.slidesToShow&&i.$dots.show()},e.prototype.keyHandler=function(i){var e=this;i.target.tagName.match("TEXTAREA|INPUT|SELECT")||(37===i.keyCode&&!0===e.options.accessibility?e.changeSlide({data:{message:!0===e.options.rtl?"next":"previous"}}):39===i.keyCode&&!0===e.options.accessibility&&e.changeSlide({data:{message:!0===e.options.rtl?"previous":"next"}}))},e.prototype.lazyLoad=function(){function e(e){i("img[data-lazy]",e).each(function(){var e=i(this),t=i(this).attr("data-lazy"),o=i(this).attr("data-srcset"),s=i(this).attr("data-sizes")||n.$slider.attr("data-sizes"),r=document.createElement("img");r.onload=function(){e.animate({opacity:0},100,function(){o&&(e.attr("srcset",o),s&&e.attr("sizes",s)),e.attr("src",t).animate({opacity:1},200,function(){e.removeAttr("data-lazy data-srcset data-sizes").removeClass("slick-loading")}),n.$slider.trigger("lazyLoaded",[n,e,t])})},r.onerror=function(){e.removeAttr("data-lazy").removeClass("slick-loading").addClass("slick-lazyload-error"),n.$slider.trigger("lazyLoadError",[n,e,t])},r.src=t})}var t,o,s,n=this;if(!0===n.options.centerMode?!0===n.options.infinite?s=(o=n.currentSlide+(n.options.slidesToShow/2+1))+n.options.slidesToShow+2:(o=Math.max(0,n.currentSlide-(n.options.slidesToShow/2+1)),s=n.options.slidesToShow/2+1+2+n.currentSlide):(o=n.options.infinite?n.options.slidesToShow+n.currentSlide:n.currentSlide,s=Math.ceil(o+n.options.slidesToShow),!0===n.options.fade&&(o>0&&o--,s<=n.slideCount&&s++)),t=n.$slider.find(".slick-slide").slice(o,s),"anticipated"===n.options.lazyLoad)for(var r=o-1,l=s,d=n.$slider.find(".slick-slide"),a=0;a=n.slideCount-n.options.slidesToShow?e(n.$slider.find(".slick-cloned").slice(0,n.options.slidesToShow)):0===n.currentSlide&&e(n.$slider.find(".slick-cloned").slice(-1*n.options.slidesToShow))},e.prototype.loadSlider=function(){var 
i=this;i.setPosition(),i.$slideTrack.css({opacity:1}),i.$slider.removeClass("slick-loading"),i.initUI(),"progressive"===i.options.lazyLoad&&i.progressiveLazyLoad()},e.prototype.next=e.prototype.slickNext=function(){this.changeSlide({data:{message:"next"}})},e.prototype.orientationChange=function(){var i=this;i.checkResponsive(),i.setPosition()},e.prototype.pause=e.prototype.slickPause=function(){var i=this;i.autoPlayClear(),i.paused=!0},e.prototype.play=e.prototype.slickPlay=function(){var i=this;i.autoPlay(),i.options.autoplay=!0,i.paused=!1,i.focussed=!1,i.interrupted=!1},e.prototype.postSlide=function(e){var t=this;t.unslicked||(t.$slider.trigger("afterChange",[t,e]),t.animating=!1,t.slideCount>t.options.slidesToShow&&t.setPosition(),t.swipeLeft=null,t.options.autoplay&&t.autoPlay(),!0===t.options.accessibility&&(t.initADA(),t.options.focusOnChange&&i(t.$slides.get(t.currentSlide)).attr("tabindex",0).focus()))},e.prototype.prev=e.prototype.slickPrev=function(){this.changeSlide({data:{message:"previous"}})},e.prototype.preventDefault=function(i){i.preventDefault()},e.prototype.progressiveLazyLoad=function(e){e=e||1;var t,o,s,n,r,l=this,d=i("img[data-lazy]",l.$slider);d.length?(t=d.first(),o=t.attr("data-lazy"),s=t.attr("data-srcset"),n=t.attr("data-sizes")||l.$slider.attr("data-sizes"),(r=document.createElement("img")).onload=function(){s&&(t.attr("srcset",s),n&&t.attr("sizes",n)),t.attr("src",o).removeAttr("data-lazy data-srcset data-sizes").removeClass("slick-loading"),!0===l.options.adaptiveHeight&&l.setPosition(),l.$slider.trigger("lazyLoaded",[l,t,o]),l.progressiveLazyLoad()},r.onerror=function(){e<3?setTimeout(function(){l.progressiveLazyLoad(e+1)},500):(t.removeAttr("data-lazy").removeClass("slick-loading").addClass("slick-lazyload-error"),l.$slider.trigger("lazyLoadError",[l,t,o]),l.progressiveLazyLoad())},r.src=o):l.$slider.trigger("allImagesLoaded",[l])},e.prototype.refresh=function(e){var 
t,o,s=this;o=s.slideCount-s.options.slidesToShow,!s.options.infinite&&s.currentSlide>o&&(s.currentSlide=o),s.slideCount<=s.options.slidesToShow&&(s.currentSlide=0),t=s.currentSlide,s.destroy(!0),i.extend(s,s.initials,{currentSlide:t}),s.init(),e||s.changeSlide({data:{message:"index",index:t}},!1)},e.prototype.registerBreakpoints=function(){var e,t,o,s=this,n=s.options.responsive||null;if("array"===i.type(n)&&n.length){s.respondTo=s.options.respondTo||"window";for(e in n)if(o=s.breakpoints.length-1,n.hasOwnProperty(e)){for(t=n[e].breakpoint;o>=0;)s.breakpoints[o]&&s.breakpoints[o]===t&&s.breakpoints.splice(o,1),o--;s.breakpoints.push(t),s.breakpointSettings[t]=n[e].settings}s.breakpoints.sort(function(i,e){return s.options.mobileFirst?i-e:e-i})}},e.prototype.reinit=function(){var e=this;e.$slides=e.$slideTrack.children(e.options.slide).addClass("slick-slide"),e.slideCount=e.$slides.length,e.currentSlide>=e.slideCount&&0!==e.currentSlide&&(e.currentSlide=e.currentSlide-e.options.slidesToScroll),e.slideCount<=e.options.slidesToShow&&(e.currentSlide=0),e.registerBreakpoints(),e.setProps(),e.setupInfinite(),e.buildArrows(),e.updateArrows(),e.initArrowEvents(),e.buildDots(),e.updateDots(),e.initDotEvents(),e.cleanUpSlideEvents(),e.initSlideEvents(),e.checkResponsive(!1,!0),!0===e.options.focusOnSelect&&i(e.$slideTrack).children().on("click.slick",e.selectHandler),e.setSlideClasses("number"==typeof e.currentSlide?e.currentSlide:0),e.setPosition(),e.focusHandler(),e.paused=!e.options.autoplay,e.autoPlay(),e.$slider.trigger("reInit",[e])},e.prototype.resize=function(){var e=this;i(window).width()!==e.windowWidth&&(clearTimeout(e.windowDelay),e.windowDelay=window.setTimeout(function(){e.windowWidth=i(window).width(),e.checkResponsive(),e.unslicked||e.setPosition()},50))},e.prototype.removeSlide=e.prototype.slickRemove=function(i,e,t){var o=this;if(i="boolean"==typeof 
i?!0===(e=i)?0:o.slideCount-1:!0===e?--i:i,o.slideCount<1||i<0||i>o.slideCount-1)return!1;o.unload(),!0===t?o.$slideTrack.children().remove():o.$slideTrack.children(this.options.slide).eq(i).remove(),o.$slides=o.$slideTrack.children(this.options.slide),o.$slideTrack.children(this.options.slide).detach(),o.$slideTrack.append(o.$slides),o.$slidesCache=o.$slides,o.reinit()},e.prototype.setCSS=function(i){var e,t,o=this,s={};!0===o.options.rtl&&(i=-i),e="left"==o.positionProp?Math.ceil(i)+"px":"0px",t="top"==o.positionProp?Math.ceil(i)+"px":"0px",s[o.positionProp]=i,!1===o.transformsEnabled?o.$slideTrack.css(s):(s={},!1===o.cssTransitions?(s[o.animType]="translate("+e+", "+t+")",o.$slideTrack.css(s)):(s[o.animType]="translate3d("+e+", "+t+", 0px)",o.$slideTrack.css(s)))},e.prototype.setDimensions=function(){var i=this;!1===i.options.vertical?!0===i.options.centerMode&&i.$list.css({padding:"0px "+i.options.centerPadding}):(i.$list.height(i.$slides.first().outerHeight(!0)*i.options.slidesToShow),!0===i.options.centerMode&&i.$list.css({padding:i.options.centerPadding+" 0px"})),i.listWidth=i.$list.width(),i.listHeight=i.$list.height(),!1===i.options.vertical&&!1===i.options.variableWidth?(i.slideWidth=Math.ceil(i.listWidth/i.options.slidesToShow),i.$slideTrack.width(Math.ceil(i.slideWidth*i.$slideTrack.children(".slick-slide").length))):!0===i.options.variableWidth?i.$slideTrack.width(5e3*i.slideCount):(i.slideWidth=Math.ceil(i.listWidth),i.$slideTrack.height(Math.ceil(i.$slides.first().outerHeight(!0)*i.$slideTrack.children(".slick-slide").length)));var e=i.$slides.first().outerWidth(!0)-i.$slides.first().width();!1===i.options.variableWidth&&i.$slideTrack.children(".slick-slide").width(i.slideWidth-e)},e.prototype.setFade=function(){var 
e,t=this;t.$slides.each(function(o,s){e=t.slideWidth*o*-1,!0===t.options.rtl?i(s).css({position:"relative",right:e,top:0,zIndex:t.options.zIndex-2,opacity:0}):i(s).css({position:"relative",left:e,top:0,zIndex:t.options.zIndex-2,opacity:0})}),t.$slides.eq(t.currentSlide).css({zIndex:t.options.zIndex-1,opacity:1})},e.prototype.setHeight=function(){var i=this;if(1===i.options.slidesToShow&&!0===i.options.adaptiveHeight&&!1===i.options.vertical){var e=i.$slides.eq(i.currentSlide).outerHeight(!0);i.$list.css("height",e)}},e.prototype.setOption=e.prototype.slickSetOption=function(){var e,t,o,s,n,r=this,l=!1;if("object"===i.type(arguments[0])?(o=arguments[0],l=arguments[1],n="multiple"):"string"===i.type(arguments[0])&&(o=arguments[0],s=arguments[1],l=arguments[2],"responsive"===arguments[0]&&"array"===i.type(arguments[1])?n="responsive":void 0!==arguments[1]&&(n="single")),"single"===n)r.options[o]=s;else if("multiple"===n)i.each(o,function(i,e){r.options[i]=e});else if("responsive"===n)for(t in s)if("array"!==i.type(r.options.responsive))r.options.responsive=[s[t]];else{for(e=r.options.responsive.length-1;e>=0;)r.options.responsive[e].breakpoint===s[t].breakpoint&&r.options.responsive.splice(e,1),e--;r.options.responsive.push(s[t])}l&&(r.unload(),r.reinit())},e.prototype.setPosition=function(){var i=this;i.setDimensions(),i.setHeight(),!1===i.options.fade?i.setCSS(i.getLeft(i.currentSlide)):i.setFade(),i.$slider.trigger("setPosition",[i])},e.prototype.setProps=function(){var i=this,e=document.body.style;i.positionProp=!0===i.options.vertical?"top":"left","top"===i.positionProp?i.$slider.addClass("slick-vertical"):i.$slider.removeClass("slick-vertical"),void 0===e.WebkitTransition&&void 0===e.MozTransition&&void 0===e.msTransition||!0===i.options.useCSS&&(i.cssTransitions=!0),i.options.fade&&("number"==typeof i.options.zIndex?i.options.zIndex<3&&(i.options.zIndex=3):i.options.zIndex=i.defaults.zIndex),void 
0!==e.OTransform&&(i.animType="OTransform",i.transformType="-o-transform",i.transitionType="OTransition",void 0===e.perspectiveProperty&&void 0===e.webkitPerspective&&(i.animType=!1)),void 0!==e.MozTransform&&(i.animType="MozTransform",i.transformType="-moz-transform",i.transitionType="MozTransition",void 0===e.perspectiveProperty&&void 0===e.MozPerspective&&(i.animType=!1)),void 0!==e.webkitTransform&&(i.animType="webkitTransform",i.transformType="-webkit-transform",i.transitionType="webkitTransition",void 0===e.perspectiveProperty&&void 0===e.webkitPerspective&&(i.animType=!1)),void 0!==e.msTransform&&(i.animType="msTransform",i.transformType="-ms-transform",i.transitionType="msTransition",void 0===e.msTransform&&(i.animType=!1)),void 0!==e.transform&&!1!==i.animType&&(i.animType="transform",i.transformType="transform",i.transitionType="transition"),i.transformsEnabled=i.options.useTransform&&null!==i.animType&&!1!==i.animType},e.prototype.setSlideClasses=function(i){var e,t,o,s,n=this;if(t=n.$slider.find(".slick-slide").removeClass("slick-active slick-center slick-current").attr("aria-hidden","true"),n.$slides.eq(i).addClass("slick-current"),!0===n.options.centerMode){var r=n.options.slidesToShow%2==0?1:0;e=Math.floor(n.options.slidesToShow/2),!0===n.options.infinite&&(i>=e&&i<=n.slideCount-1-e?n.$slides.slice(i-e+r,i+e+1).addClass("slick-active").attr("aria-hidden","false"):(o=n.options.slidesToShow+i,t.slice(o-e+1+r,o+e+2).addClass("slick-active").attr("aria-hidden","false")),0===i?t.eq(t.length-1-n.options.slidesToShow).addClass("slick-center"):i===n.slideCount-1&&t.eq(n.options.slidesToShow).addClass("slick-center")),n.$slides.eq(i).addClass("slick-center")}else 
i>=0&&i<=n.slideCount-n.options.slidesToShow?n.$slides.slice(i,i+n.options.slidesToShow).addClass("slick-active").attr("aria-hidden","false"):t.length<=n.options.slidesToShow?t.addClass("slick-active").attr("aria-hidden","false"):(s=n.slideCount%n.options.slidesToShow,o=!0===n.options.infinite?n.options.slidesToShow+i:i,n.options.slidesToShow==n.options.slidesToScroll&&n.slideCount-is.options.slidesToShow)){for(o=!0===s.options.centerMode?s.options.slidesToShow+1:s.options.slidesToShow,e=s.slideCount;e>s.slideCount-o;e-=1)t=e-1,i(s.$slides[t]).clone(!0).attr("id","").attr("data-slick-index",t-s.slideCount).prependTo(s.$slideTrack).addClass("slick-cloned");for(e=0;ea.getDotCount()*a.options.slidesToScroll))!1===a.options.fade&&(o=a.currentSlide,!0!==t?a.animateSlide(r,function(){a.postSlide(o)}):a.postSlide(o));else if(!1===a.options.infinite&&!0===a.options.centerMode&&(i<0||i>a.slideCount-a.options.slidesToScroll))!1===a.options.fade&&(o=a.currentSlide,!0!==t?a.animateSlide(r,function(){a.postSlide(o)}):a.postSlide(o));else{if(a.options.autoplay&&clearInterval(a.autoPlayTimer),s=o<0?a.slideCount%a.options.slidesToScroll!=0?a.slideCount-a.slideCount%a.options.slidesToScroll:a.slideCount+o:o>=a.slideCount?a.slideCount%a.options.slidesToScroll!=0?0:o-a.slideCount:o,a.animating=!0,a.$slider.trigger("beforeChange",[a,a.currentSlide,s]),n=a.currentSlide,a.currentSlide=s,a.setSlideClasses(a.currentSlide),a.options.asNavFor&&(l=(l=a.getNavTarget()).slick("getSlick")).slideCount<=l.options.slidesToShow&&l.setSlideClasses(a.currentSlide),a.updateDots(),a.updateArrows(),!0===a.options.fade)return!0!==t?(a.fadeSlideOut(n),a.fadeSlide(s,function(){a.postSlide(s)})):a.postSlide(s),void a.animateHeight();!0!==t?a.animateSlide(d,function(){a.postSlide(s)}):a.postSlide(s)}},e.prototype.startLoad=function(){var 
i=this;!0===i.options.arrows&&i.slideCount>i.options.slidesToShow&&(i.$prevArrow.hide(),i.$nextArrow.hide()),!0===i.options.dots&&i.slideCount>i.options.slidesToShow&&i.$dots.hide(),i.$slider.addClass("slick-loading")},e.prototype.swipeDirection=function(){var i,e,t,o,s=this;return i=s.touchObject.startX-s.touchObject.curX,e=s.touchObject.startY-s.touchObject.curY,t=Math.atan2(e,i),(o=Math.round(180*t/Math.PI))<0&&(o=360-Math.abs(o)),o<=45&&o>=0?!1===s.options.rtl?"left":"right":o<=360&&o>=315?!1===s.options.rtl?"left":"right":o>=135&&o<=225?!1===s.options.rtl?"right":"left":!0===s.options.verticalSwiping?o>=35&&o<=135?"down":"up":"vertical"},e.prototype.swipeEnd=function(i){var e,t,o=this;if(o.dragging=!1,o.swiping=!1,o.scrolling)return o.scrolling=!1,!1;if(o.interrupted=!1,o.shouldClick=!(o.touchObject.swipeLength>10),void 0===o.touchObject.curX)return!1;if(!0===o.touchObject.edgeHit&&o.$slider.trigger("edge",[o,o.swipeDirection()]),o.touchObject.swipeLength>=o.touchObject.minSwipe){switch(t=o.swipeDirection()){case"left":case"down":e=o.options.swipeToSlide?o.checkNavigable(o.currentSlide+o.getSlideCount()):o.currentSlide+o.getSlideCount(),o.currentDirection=0;break;case"right":case"up":e=o.options.swipeToSlide?o.checkNavigable(o.currentSlide-o.getSlideCount()):o.currentSlide-o.getSlideCount(),o.currentDirection=1}"vertical"!=t&&(o.slideHandler(e),o.touchObject={},o.$slider.trigger("swipe",[o,t]))}else o.touchObject.startX!==o.touchObject.curX&&(o.slideHandler(o.currentSlide),o.touchObject={})},e.prototype.swipeHandler=function(i){var e=this;if(!(!1===e.options.swipe||"ontouchend"in document&&!1===e.options.swipe||!1===e.options.draggable&&-1!==i.type.indexOf("mouse")))switch(e.touchObject.fingerCount=i.originalEvent&&void 
0!==i.originalEvent.touches?i.originalEvent.touches.length:1,e.touchObject.minSwipe=e.listWidth/e.options.touchThreshold,!0===e.options.verticalSwiping&&(e.touchObject.minSwipe=e.listHeight/e.options.touchThreshold),i.data.action){case"start":e.swipeStart(i);break;case"move":e.swipeMove(i);break;case"end":e.swipeEnd(i)}},e.prototype.swipeMove=function(i){var e,t,o,s,n,r,l=this;return n=void 0!==i.originalEvent?i.originalEvent.touches:null,!(!l.dragging||l.scrolling||n&&1!==n.length)&&(e=l.getLeft(l.currentSlide),l.touchObject.curX=void 0!==n?n[0].pageX:i.clientX,l.touchObject.curY=void 0!==n?n[0].pageY:i.clientY,l.touchObject.swipeLength=Math.round(Math.sqrt(Math.pow(l.touchObject.curX-l.touchObject.startX,2))),r=Math.round(Math.sqrt(Math.pow(l.touchObject.curY-l.touchObject.startY,2))),!l.options.verticalSwiping&&!l.swiping&&r>4?(l.scrolling=!0,!1):(!0===l.options.verticalSwiping&&(l.touchObject.swipeLength=r),t=l.swipeDirection(),void 0!==i.originalEvent&&l.touchObject.swipeLength>4&&(l.swiping=!0,i.preventDefault()),s=(!1===l.options.rtl?1:-1)*(l.touchObject.curX>l.touchObject.startX?1:-1),!0===l.options.verticalSwiping&&(s=l.touchObject.curY>l.touchObject.startY?1:-1),o=l.touchObject.swipeLength,l.touchObject.edgeHit=!1,!1===l.options.infinite&&(0===l.currentSlide&&"right"===t||l.currentSlide>=l.getDotCount()&&"left"===t)&&(o=l.touchObject.swipeLength*l.options.edgeFriction,l.touchObject.edgeHit=!0),!1===l.options.vertical?l.swipeLeft=e+o*s:l.swipeLeft=e+o*(l.$list.height()/l.listWidth)*s,!0===l.options.verticalSwiping&&(l.swipeLeft=e+o*s),!0!==l.options.fade&&!1!==l.options.touchMove&&(!0===l.animating?(l.swipeLeft=null,!1):void l.setCSS(l.swipeLeft))))},e.prototype.swipeStart=function(i){var e,t=this;if(t.interrupted=!0,1!==t.touchObject.fingerCount||t.slideCount<=t.options.slidesToShow)return t.touchObject={},!1;void 0!==i.originalEvent&&void 0!==i.originalEvent.touches&&(e=i.originalEvent.touches[0]),t.touchObject.startX=t.touchObject.curX=void 
0!==e?e.pageX:i.clientX,t.touchObject.startY=t.touchObject.curY=void 0!==e?e.pageY:i.clientY,t.dragging=!0},e.prototype.unfilterSlides=e.prototype.slickUnfilter=function(){var i=this;null!==i.$slidesCache&&(i.unload(),i.$slideTrack.children(this.options.slide).detach(),i.$slidesCache.appendTo(i.$slideTrack),i.reinit())},e.prototype.unload=function(){var e=this;i(".slick-cloned",e.$slider).remove(),e.$dots&&e.$dots.remove(),e.$prevArrow&&e.htmlExpr.test(e.options.prevArrow)&&e.$prevArrow.remove(),e.$nextArrow&&e.htmlExpr.test(e.options.nextArrow)&&e.$nextArrow.remove(),e.$slides.removeClass("slick-slide slick-active slick-visible slick-current").attr("aria-hidden","true").css("width","")},e.prototype.unslick=function(i){var e=this;e.$slider.trigger("unslick",[e,i]),e.destroy()},e.prototype.updateArrows=function(){var i=this;Math.floor(i.options.slidesToShow/2),!0===i.options.arrows&&i.slideCount>i.options.slidesToShow&&!i.options.infinite&&(i.$prevArrow.removeClass("slick-disabled").attr("aria-disabled","false"),i.$nextArrow.removeClass("slick-disabled").attr("aria-disabled","false"),0===i.currentSlide?(i.$prevArrow.addClass("slick-disabled").attr("aria-disabled","true"),i.$nextArrow.removeClass("slick-disabled").attr("aria-disabled","false")):i.currentSlide>=i.slideCount-i.options.slidesToShow&&!1===i.options.centerMode?(i.$nextArrow.addClass("slick-disabled").attr("aria-disabled","true"),i.$prevArrow.removeClass("slick-disabled").attr("aria-disabled","false")):i.currentSlide>=i.slideCount-1&&!0===i.options.centerMode&&(i.$nextArrow.addClass("slick-disabled").attr("aria-disabled","true"),i.$prevArrow.removeClass("slick-disabled").attr("aria-disabled","false")))},e.prototype.updateDots=function(){var i=this;null!==i.$dots&&(i.$dots.find("li").removeClass("slick-active").end(),i.$dots.find("li").eq(Math.floor(i.currentSlide/i.options.slidesToScroll)).addClass("slick-active"))},e.prototype.visibility=function(){var 
i=this;i.options.autoplay&&(document[i.hidden]?i.interrupted=!0:i.interrupted=!1)},i.fn.slick=function(){var i,t,o=this,s=arguments[0],n=Array.prototype.slice.call(arguments,1),r=o.length;for(i=0;i
--
--
+!!! note
+ Trivy is an open source project that relies on public free infrastructure. In case of extreme load, you may encounter rate limiting when Trivy attempts to connect to external resources.
-The following hosts are required in order to fetch them:
+The rest of this document details each resource's connectivity requirements and network related considerations.
-- `ghcr.io`
-- `pkg-containers.githubusercontent.com`
+## OCI Databases
-The databases are pulled by Trivy using the [OCI Distribution](https://github.com/opencontainers/distribution-spec) specification, which is a simple HTTPS-based protocol.
+Trivy's Vulnerability, Java, and Checks Bundle are packaged as OCI images and stored in public container registries.
-[VEX Hub](https://github.com/aquasecurity/vexhub) is distributed from GitHub over HTTPS.
-The following hosts are required in order to fetch it:
+### Connectivity requirements
-- `api.github.com`
-- `codeload.github.com`
-
-## Running Trivy in air-gapped environment
-
-An air-gapped environment refers to situations where the network connectivity from the machine Trivy runs on is blocked or restricted.
-
-In an air-gapped environment it is your responsibility to update the Trivy databases on a regular basis.
-
-## Offline Mode
-
-By default, Trivy will attempt to download latest databases. If it fails, the scan might fail. To avoid this behavior, you can tell Trivy to not attempt to download database files:
-
-- `--skip-db-update` to skip updating the main vulnerability database.
-- `--skip-java-db-update` to skip updating the Java vulnerability database.
-- `--skip-check-update` to skip updating the misconfiguration database.
-
-```shell
-trivy image --skip-db-update --skip-java-db-update --offline-scan --skip-check-update myimage
-```
-
-## Self-Hosting
-
-### OCI Databases
-
-You can host the databases on your own local OCI registry.
-
-First, make a copy of the databases in a container registry that is accessible to Trivy. The databases are in:
-
-- `ghcr.io/aquasecurity/trivy-db:2`
-- `ghcr.io/aquasecurity/trivy-java-db:1`
-- `ghcr.io/aquasecurity/trivy-checks:0`
-
-Then, tell Trivy to use the local registry:
-
-```shell
-trivy image \
- --db-repository myregistry.local/trivy-db \
- --java-db-repository myregistry.local/trivy-java-db \
- --checks-bundle-repository myregistry.local/trivy-checks \
- myimage
-```
+The specific registries and locations are detailed in the [databases document](../configuration/db.md).
-#### Authentication
+Communication with OCI Registries follows the [OCI Distribution](https://github.com/opencontainers/distribution-spec) spec.
-If the registry requires authentication, you can configure it as described in the [private registry authentication document](../advanced/private-registries/index.md).
+The following hosts are known to be used by the default container registries:
-### VEX Hub
+Registry | Hosts | Additional info
+--- | --- | ---
+Google Artifact Registry | `mirror.gcr.io` `googlecode.l.googleusercontent.com` | [Google's IP addresses](https://support.google.com/a/answer/10026322?hl=en)
+GitHub Container Registry | `ghcr.io` `pkg-containers.githubusercontent.com` | [GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses)
-You can host a copy of VEX Hub on your own internal server.
+### Self-hosting
-First, make a copy of VEX Hub in a location that is accessible to Trivy.
+You can host Trivy's databases in your own container registry. Please refer to [Self-hosting document](./self-hosting.md#oci-databases) for a detailed guide.
-1. Download the [VEX Hub](https://github.com/aquasecurity/vexhub) archive from: .
-1. Download the [VEX Hub Repository Manifest](https://github.com/aquasecurity/vex-repo-spec#2-repository-manifest) file from: .
-1. Create or identify an internal HTTP server that can serve the VEX Hub repository in your environment (e.g `https://server.local`).
-1. Make the downloaded archive file available for serving from your server (e.g `https://server.local/main.zip`).
-1. Modify the downloaded manifest file's [Location URL](https://github.com/aquasecurity/vex-repo-spec?tab=readme-ov-file#locations-subfields) field to the URL of the archive file on your server (e.g `url: https://server.local/main.zip`).
-1. Make the manifest file available for serving from your server under the `/.well-known` path (e.g `https://server.local/.well-known/vex-repository.json`).
+## Embedded Checks
-Then, tell Trivy to use the local VEX Repository:
+Checks Bundle is embedded in the Trivy binary (at build time), and will be used as a fallback if the external database is not available. This means that you can still scan for misconfigurations in an air-gapped environment using the database from the time of the Trivy release you are using.
-1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo/#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
-1. Disable the default VEX Hub repo (`enabled: false`)
-1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo/#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).
+## VEX Hub
-#### Authentication
+### Connectivity Requirements
-If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo/#authentication).
+VEX Hub is hosted as at .
-## Manual cache population
+Trivy is fetching VEX Hub GitHub Repository directly using simple HTTPS requests.
-You can also download the databases files manually and surgically populate the Trivy cache directory with them.
+The following hosts are known to be used by GitHub's services:
-### Downloading the DB files
-
-On a machine with internet access, pull the database container archive from the public registry into your local workspace:
-
-Note that these examples operate in the current working directory.
-
-=== "Using ORAS"
-This example uses [ORAS](https://oras.land), but you can use any other container registry manipulation tool.
-
-```shell
-oras pull ghcr.io/aquasecurity/trivy-db:2
-```
-
-You should now have a file called `db.tar.gz`. Next, extract it to reveal the db files:
-
-```shell
-tar -xzf db.tar.gz
-```
-
-You should now have 2 new files, `metadata.json` and `trivy.db`. These are the Trivy DB files.
-
-=== "Using Trivy"
-This example uses Trivy to pull the database container archive. The `--cache-dir` flag makes Trivy download the database files into our current working directory. The `--download-db-only` flag tells Trivy to only download the database files, not to scan any images.
-
-```shell
-trivy image --cache-dir . --download-db-only
-```
-
-You should now have 2 new files, `metadata.json` and `trivy.db`. These are the Trivy DB files, copy them over to the air-gapped environment.
-
-### Populating the Trivy Cache
-
-In order to populate the cache, you need to identify the location of the cache directory. If it is under the default location, you can run the following command to find it:
-
-```shell
-trivy -h | grep cache
-```
+- `api.github.com`
+- `codeload.github.com`
-For the example, we will assume the `TRIVY_CACHE_DIR` variable holds the cache location:
+For more information about GitHub connectivity (including specific IP addresses), please refer to [GitHub's connectivity troubleshooting guide](https://docs.github.com/en/get-started/using-github/troubleshooting-connectivity-problems).
-```shell
-TRIVY_CACHE_DIR=/home/user/.cache/trivy
-```
+### Self-hosting
-Put the Trivy DB files in the Trivy cache directory under a `db` subdirectory:
+You can host a copy of VEX Hub on your own internal server. Please refer to the [self-hosting document](./self-hosting.md#vex-hub) for a detailed guide.
-```shell
-# ensure cache db directory exists
-mkdir -p ${TRIVY_CACHE_DIR}/db
-# copy the db files
-cp /path/to/trivy.db /path/to/metadata.json ${TRIVY_CACHE_DIR}/db/
-```
+## Maven Central / Remote Repositories
-### Java DB
+Trivy might call out to Maven central or other remote repositories to fetch in order to correctly identify Java packages during a vulnerability scan.
-For Java DB the process is the same, except for the following:
+### Connectivity requirements
-1. Image location is `ghcr.io/aquasecurity/trivy-java-db:1`
-2. Archive file name is `javadb.tar.gz`
-3. DB file name is `trivy-java.db`
+Trivy might attempt to connect (over HTTPS) to the following URLs:
-## Misconfigurations scanning
+- `https://repo.maven.apache.org/maven2`
-Note that the misconfigurations checks bundle is also embedded in the Trivy binary (at build time), and will be used as a fallback if the external database is not available. This means that you can still scan for misconfigurations in an air-gapped environment using the Checks from the time of the Trivy release you are using.
+### Offline mode
-The misconfiguration scanner can be configured to load checks from a local directory, using the `--config-check` flag. In an air-gapped scenario you can copy the checks library from [Trivy checks repository](https://github.com/aquasecurity/trivy-checks) into a local directory, and load it with this flag. See more in the [Misconfiguration scanner documentation](../scanner/misconfiguration/index.md).
+There's no way to leverage Maven Central in a network-restricted environment, but you can prevent Trivy from trying to connect to it by using the `--offline-scan` flag.
diff --git a/docs/docs/advanced/self-hosting.md b/docs/docs/advanced/self-hosting.md
new file mode 100644
index 000000000000..25ef15ea3a01
--- /dev/null
+++ b/docs/docs/advanced/self-hosting.md
@@ -0,0 +1,132 @@
+# Self-Hosting Trivy's Databases
+
+This document explains how to host Trivy's [external dependencies](./air-gap.md) in your own infrastructure to prevent external network access. If you haven't already, please familiarize yourself with the [Databases document](../configuration/db.md) that explains about the different databases used by Trivy and the different configuration options that control them. This guide assumes you are already familiar with the concepts explained there.
+
+## OCI databases
+
+The following [Trivy Databases](../configuration/db.md) are packaged as OCI images:
+
+- `trivy-db`
+- `trivy-java-db`
+- `trivy-checks`
+
+To host these databases in your own infrastructure:
+
+### Make a local copy
+
+Use any container registry manipulation tool (e.g , [crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md, [ORAS](https://oras.land), [regclient](https://github.com/regclient/regclient/tree/main)) to copy the images to your destination registry.
+
+!!! note
+ You will need to keep the databases updated in order to maintain relevant scanning results over time.
+
+### Configure Trivy
+
+Use the appropriate [database location flags](../configuration/db.md#database-locations) to change the db-repository location:
+
+- `--db-repository`
+- `--java-db-repository`
+- `--checks-bundle-repository`
+
+### Authentication
+
+If the registry requires authentication, you can configure it as described in the [private registry authentication document](../advanced/private-registries/index.md).
+
+### OCI Media Types
+
+When serving, proxying, or manipulating Trivy's databases, note that the media type of the OCI layer is not a standard container image type:
+
+DB | Media Type | Reference
+--- | --- | ---
+`trivy-db` | `application/vnd.aquasec.trivy.db.layer.v1.tar+gzip` |
+`trivy-java-db` | `application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip` | https://github.com/aquasecurity/trivy-java-db/pkgs/container/trivy-java-db
+`trivy-checks` | `application/vnd.oci.image.manifest.v1+json` | https://github.com/aquasecurity/trivy-checks/pkgs/container/trivy-checks
+
+## Manual cache population
+
+Trivy uses a local cache directory to store the database files, as described in the [cache](../configuration/cache.md) document.
+You can download the databases files and surgically populate the Trivy cache directory with them.
+
+### Downloading the DB files
+
+On a machine with internet access, pull the database container archive from the public registry into your local workspace:
+
+Note that these examples operate in the current working directory.
+
+=== "Using ORAS"
+ This example uses [ORAS](https://oras.land), but you can use any other container registry manipulation tool.
+
+ ```shell
+ oras pull ghcr.io/aquasecurity/trivy-db:2
+ ```
+
+ You should now have a file called `db.tar.gz`. Next, extract it to reveal the db files:
+
+ ```shell
+ tar -xzf db.tar.gz
+ ```
+
+
+=== "Using Trivy"
+ This example uses Trivy to pull the database container archive. The `--cache-dir` flag makes Trivy download the database files into our current working directory. The `--download-db-only` flag tells Trivy to only download the database files, not to scan any images.
+
+ ```shell
+ trivy image --cache-dir . --download-db-only
+ ```
+
+You should now have 2 new files, `metadata.json` and `trivy.db`. These are the Trivy DB files, copy them over to the air-gapped environment.
+
+### Populating the Trivy Cache
+
+In order to populate the cache, you need to identify the location of the cache directory. If it is under the default location, you can run the following command to find it:
+
+```shell
+trivy -h | grep cache
+```
+
+For the example, we will assume the `TRIVY_CACHE_DIR` variable holds the cache location:
+
+```shell
+TRIVY_CACHE_DIR=/home/user/.cache/trivy
+```
+
+Put the Trivy DB files in the Trivy cache directory under a `db` subdirectory:
+
+```shell
+# ensure cache db directory exists
+mkdir -p ${TRIVY_CACHE_DIR}/db
+# copy the db files
+cp /path/to/trivy.db /path/to/metadata.json ${TRIVY_CACHE_DIR}/db/
+```
+
+### Java DB adaptations
+
+For Java DB the process is the same, except for the following:
+
+1. Image location is `ghcr.io/aquasecurity/trivy-java-db:1`
+2. Archive file name is `javadb.tar.gz`
+3. DB file name is `trivy-java.db`
+
+## VEX Hub
+
+### Make a local copy
+
+To make a copy of VEX Hub in a location that is accessible to Trivy.
+
+1. Download the [VEX Hub](https://github.com/aquasecurity/vexhub) archive from: .
+1. Download the [VEX Hub Repository Manifest](https://github.com/aquasecurity/vex-repo-spec#2-repository-manifest) file from: .
+1. Create or identify an internal HTTP server that can serve the VEX Hub repository in your environment (e.g `https://server.local`).
+1. Make the downloaded archive file available for serving from your server (e.g `https://server.local/main.zip`).
+1. Modify the downloaded manifest file's [Location URL](https://github.com/aquasecurity/vex-repo-spec?tab=readme-ov-file#locations-subfields) field to the URL of the archive file on your server (e.g `url: https://server.local/main.zip`).
+1. Make the manifest file available for serving from your server under the `/.well-known` path (e.g `https://server.local/.well-known/vex-repository.json`).
+
+### Configure Trivy
+
+To configure Trivy to use the local VEX Repository:
+
+1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo/#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
+1. Disable the default VEX Hub repo (`enabled: false`)
+1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo/#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).
+
+### Authentication
+
+If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo/#authentication).
diff --git a/docs/docs/compliance/compliance.md b/docs/docs/compliance/compliance.md
index 5ff9c6ac6652..29edff649f80 100644
--- a/docs/docs/compliance/compliance.md
+++ b/docs/docs/compliance/compliance.md
@@ -10,7 +10,6 @@ Trivy’s compliance flag lets you curate a specific set of checks into a report
Compliance report is currently supported in the following targets (trivy sub-commands):
- `trivy image`
-- `trivy aws`
- `trivy k8s`
Add the `--compliance` flag to the command line, and set it's value to desired report.
diff --git a/docs/docs/compliance/contrib-compliance.md b/docs/docs/compliance/contrib-compliance.md
index 0b83b688b664..d7151b80b263 100644
--- a/docs/docs/compliance/contrib-compliance.md
+++ b/docs/docs/compliance/contrib-compliance.md
@@ -1,26 +1,26 @@
# Custom Compliance Spec
Trivy supports several different compliance specs. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md).
-All of the Compliance Specs currently available in Trivy can be found in the `trivy-checks/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance)).
+All of the Compliance Specs currently available in Trivy can be found in the `trivy-checks/pkg/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance)).
-New checks are based on the custom compliance report detailed in the [main documentation.](../../docs/compliance/compliance/#custom-compliance)
+New checks are based on the custom compliance report detailed in the [main documentation.](./compliance.md#custom-compliance)
If you would like to create your custom compliance report, please reference the information in the main documentation. This section details how community members can contribute new Compliance Specs to Trivy.
All compliance specs in Trivy are based on formal compliance reports such as CIS Benchmarks.
## Contributing new Compliance Specs
-Compliance specs can be based on new compliance reports becoming available e.g. a new CIS Benchmark version, or identifying missing compliance specs that Trivy users would like to access.
+Compliance specs can be based on new compliance reports becoming available e.g. a new CIS Benchmark version, or identifying missing compliance specs that Trivy users would like to access.
### Create a new Compliance Spec
-The existing compliance specs in Trivy are located under the `trivy-checks/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance)).
+The existing compliance specs in Trivy are located under the `trivy-checks/pkg/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance)).
Create a new file under `trivy-checks/specs/compliance/` and name the file in the format of "provider-resource-spectype-version.yaml". For example, the file name for AWS CIS Benchmarks for EKS version 1.4 is: `aws-eks-cis-1.4.yaml`. Note that if the compliance spec is not specific to a provider, the `provider` field can be ignored.
### Minimum spec structure
-The structure of the compliance spec is detailed in the [main documentation](./compliance/#custom-compliance).
+The structure of the compliance spec is detailed in the [main documentation](./compliance.md#custom-compliance).
The first section in the spec is focused on the metadata of the spec. Replace all the fields of the metadata with the information relevant to the compliance spec that will be added. This information can be taken from the official report e.g. the CIS Benchmark report.
@@ -37,7 +37,7 @@ Additional information is provided below.
Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-checks/checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). If the check is present, the `AVD_ID` and other information from the check has to be used.
-Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance) available.
+Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance) available.
For example, the following check is detailed in the AWS EKS CIS v1.4 Benchmark:
`3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)`
diff --git a/docs/docs/configuration/db.md b/docs/docs/configuration/db.md
index ccffae1e5302..78189eb2a98c 100644
--- a/docs/docs/configuration/db.md
+++ b/docs/docs/configuration/db.md
@@ -1,126 +1,129 @@
-# DB
+# Trivy Databases
-| Scanner | Supported |
-|:----------------:|:---------:|
-| Vulnerability | ✓ |
-| Misconfiguration | |
-| Secret | |
-| License | |
+When you install Trivy, the installed artifact contains the scanner engine but is lacking relevant security information needed to make security detections and recommendations.
+These so called "databases" are automatically fetched and maintained by Trivy as needed, so normally you shouldn't notice or worry about them.
+This document elaborates on the database management mechanism and its configuration options.
-The vulnerability database and the Java index database are needed only for vulnerability scanning.
-See [here](../scanner/vulnerability.md) for the detail.
+Trivy relies on the following databases:
-## Vulnerability Database
+DB | Artifact name | Contents | Purpose
+--- | --- | --- | ---
+Vulnerabilities DB | `trivy-db` | CVE information collected from various feeds | used only for [vulnerability scanning](../scanner/vulnerability.md)
+Java DB | `trivy-java-db` | Index of Java artifacts and their hash digest | used to identify Java artifacts only in [JAR scanning](../coverage/language/java.md)
+Checks Bundle | `trivy-checks` | Logic of misconfiguration checks | used only in [misconfiguration/IaC scanning](../scanner/misconfiguration/check/builtin.md)
-### Skip update of vulnerability DB
-If you want to skip downloading the vulnerability database, use the `--skip-db-update` option.
+!!! note
+ This is not an exhaustive list of Trivy's external connectivity requirements.
+ There are additional external resources which may be required by specific Trivy features.
+ To learn about external connectivity requirements, see the [Advanced Network Scenarios](../advanced/air-gap.md).
-```
-$ trivy image --skip-db-update python:3.4-alpine3.9
-```
+## Locations
-
-Result
+Trivy's databases are published to the following locations:
-```
-2019-05-16T12:48:08.703+0900 INFO Detecting Alpine vulnerabilities...
-
-python:3.4-alpine3.9 (alpine 3.9.2)
-===================================
-Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
-
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| openssl | CVE-2019-1543 | MEDIUM | 1.1.1a-r1 | 1.1.1b-r1 | openssl: ChaCha20-Poly1305 |
-| | | | | | with long nonces |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-```
+| Registry | Image Address | Link
+| --- | --- | ---
+| GHCR | `ghcr.io/aquasecurity/trivy-db` |
+| | `ghcr.io/aquasecurity/trivy-java-db` |
+| | `ghcr.io/aquasecurity/trivy-checks` |
+| Docker Hub | `aquasec/trivy-db` |
+| | `aquasec/trivy-java-db` |
+| | `aquasec/trivy-checks` |
+| AWS ECR | `public.ecr.aws/aquasecurity/trivy-db` |
+| | `public.ecr.aws/aquasecurity/trivy-java-db` |
+| | `public.ecr.aws/aquasecurity/trivy-checks` |
+
+In addition, images are also available via pull-through cache registries like [Google Container Registry Mirror](https://cloud.google.com/artifact-registry/docs/pull-cached-dockerhub-images).
+
+## Default Locations
+
+Trivy will attempt to pull images from the following registries in the order specified.
+
+1. `mirror.gcr.io/aquasec`
+2. `ghcr.io/aquasecurity`
+
+You can specify additional alternative repositories as explained in the [configuring database locations section](#database-locations).
+
+## DB Management Configuration
+
+### Database Locations
+
+You can configure Trivy to download databases from alternative locations by using the flags:
+
+- `--db-repository`
+- `--java-db-repository`
+- `--checks-bundle-repository`
-
+The value should be an image address in a container registry.
-### Only download vulnerability database
-You can also ask `Trivy` to simply retrieve the vulnerability database.
-This is useful to initialize workers in Continuous Integration systems.
+For example:
```
-$ trivy image --download-db-only
+trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db alpine
```
-### DB Repository
-`Trivy` could also download the vulnerability database from an external OCI registry by using `--db-repository` option.
+The flags accepts multiple values, which can be used to specify multiple alternative repository locations. In case of a transient errors (e.g. status 429 or 5xx), Trivy will fall back to alternative registries in the order specified.
+
+For example:
```
-$ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db
+trivy image --db-repository my.registry.local/trivy-db --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db alpine
```
-The media type of the OCI layer must be `application/vnd.aquasec.trivy.db.layer.v1.tar+gzip`.
-You can reference the OCI manifest of [trivy-db].
-
-
-Manifest
-
-```shell
-{
- "schemaVersion": 2,
- "mediaType": "application/vnd.oci.image.manifest.v1+json",
- "config": {
- "mediaType": "application/vnd.aquasec.trivy.config.v1+json",
- "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
- "size": 2
- },
- "layers": [
- {
- "mediaType": "application/vnd.aquasec.trivy.db.layer.v1.tar+gzip",
- "digest": "sha256:29ad6505b8957c7cd4c367e7c705c641a9020d2be256812c5f4cc2fc099f4f02",
- "size": 55474933,
- "annotations": {
- "org.opencontainers.image.title": "db.tar.gz"
- }
- }
- ],
- "annotations": {
- "org.opencontainers.image.created": "2024-09-11T06:14:51Z"
- }
-}
-```
-
+The Checks Bundle registry location option does not support fallback through multiple options. This is because in case of a failure pulling the Checks Bundle, Trivy will use the embedded checks as a fallback.
+
+!!! note
+ Setting the repository location flags override the default values which include the official db locations. In case you want to preserve the default locations, you should include them in the list the you set as repository locations.
!!!note
- Trivy automatically adds the `trivy-db` schema version as a tag if the tag is not used:
+ When pulling `trivy-db` or `trivy-java-db`, if image tag is not specified, Trivy defaults to the db schema number instead of the `latest` tag.
+
+### Skip updates
+
+You can configure Trivy to not attempt to download any or all database(s), using the flags:
+
+- `--skip-db-update`
+- `--skip-java-db-update`
+- `--skip-check-update`
- `trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`.
+For example:
+```
+trivy image --skip-db-update --skip-java-db-update --skip-check-update alpine
+```
+
+### Only update
-## Java Index Database
-The same options are also available for the Java index DB, which is used for scanning Java applications.
-Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB.
+You can ask `Trivy` to only update the database without performing a scan. This action will ensure Trivy is up to date, and populate Trivy's database cache for subsequent scans.
-!!! Note
- In [Client/Server](../references/modes/client-server.md) mode, `Java index DB` is currently only used on the `client` side.
+- `--download-db-only`
+- `--download-java-db-only`
-Downloading the Java index DB from an external OCI registry can be done by using the `--java-db-repository` option.
+For example:
```
-$ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db --download-java-db-only
+trivy image --download-db-only
```
-The media type of the OCI layer must be `application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip`.
-You can reference the OCI manifest of [trivy-java-db].
+Note that currently there is no option to download only the Checks Bundle.
-!!!note
- Trivy automatically adds the `trivy-java-db` schema version as a tag if the tag is not used:
+### Remove Databases
+
+`trivy clean` command removes caches and databases.
+You can select which cache component to remove:
- `java-db-registry:latest` => `java-db-registry:latest`, but `java-db-registry` => `java-db-registry:1`.
+option | description
+--- | ---
+`-a`/`--all` | remove all caches
+`--checks-bundle` | remove checks bundle
+`--java-db` | remove Java database
+`--scan-cache` | remove scan cache (container and VM image analysis results)
+`--vuln-db` | remove vulnerability database
-## Remove DBs
-"trivy clean" command removes caches and databases.
+Example:
```
$ trivy clean --vuln-db --java-db
2024-06-24T11:42:31+06:00 INFO Removing vulnerability database...
2024-06-24T11:42:31+06:00 INFO Removing Java database...
```
-
-[trivy-db]: https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db
-[trivy-java-db]: https://github.com/aquasecurity/trivy-java-db/pkgs/container/trivy-java-db
\ No newline at end of file
diff --git a/docs/docs/configuration/index.md b/docs/docs/configuration/index.md
index b70163954beb..8c7aa3475b05 100644
--- a/docs/docs/configuration/index.md
+++ b/docs/docs/configuration/index.md
@@ -1,23 +1,21 @@
# Configuration
-Trivy can be configured using the following ways. Each item takes precedence over the item below it:
+Trivy's settings can be configured in any of the following methods, which will apply in the following precedence:
-- CLI flags
-- Environment variables
-- Configuration file
+1. CLI flags (overrides all other settings)
+2. Environment variables (overrides config file settings)
+3. Configuration file
## CLI Flags
-You can view the list of available flags using the `--help` option.
-For more details, please refer to [the CLI reference](../references/configuration/cli/trivy.md).
+You can view the list of available flags by adding the `--help` flag to a Trivy command, or by exploring the [CLI reference](../references/configuration/cli/trivy.md).
## Environment Variables
-Trivy can be customized by environment variables.
-The environment variable key is the flag name converted by the following procedure.
+Any CLI option can be set as an environment variable. The environment variable name are similar to the CLI option name, with the following augmentations:
- Add `TRIVY_` prefix
-- Make it all uppercase
+- All uppercase letters
- Replace `-` with `_`
-For example,
+For example:
- `--debug` => `TRIVY_DEBUG`
- `--cache-dir` => `TRIVY_CACHE_DIR`
@@ -27,5 +25,6 @@ $ TRIVY_DEBUG=true TRIVY_SEVERITY=CRITICAL trivy image alpine:3.15
```
## Configuration File
-By default, Trivy reads the `trivy.yaml` file.
-For more details, please refer to [the page](../references/configuration/config-file.md).
+Any setting can be set in a YAML file. By default, config file named `trivy.yaml` is read from the current directory where Trivy is run. To load configuration from a different file, use the `--config` flag and specify the config path to load: `trivy --config /etc/trivy/myconfig.yaml`.
+
+The structure and settings of the YAML config file is documented in the [Config file](../references/configuration/config-file.md) document.
diff --git a/docs/docs/configuration/reporting.md b/docs/docs/configuration/reporting.md
index 39ecb6e5333c..636766692d11 100644
--- a/docs/docs/configuration/reporting.md
+++ b/docs/docs/configuration/reporting.md
@@ -428,7 +428,7 @@ $ trivy convert --format table --severity CRITICAL result.json
```
!!! note
- JSON reports from "trivy aws" and "trivy k8s" are not yet supported.
+ JSON reports from "trivy k8s" are not yet supported.
[cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/
[action]: https://github.com/aquasecurity/trivy-action
@@ -450,8 +450,8 @@ $ trivy convert --format table --severity CRITICAL result.json
[dotnet-packages-lock]: ../coverage/language/dotnet.md#packageslockjson
[poetry-lock]: ../coverage/language/python.md#poetry
[gemfile-lock]: ../coverage/language/ruby.md#bundler
-[go-mod]: ../coverage/language/golang.md#go-modules
-[composer-lock]: ../coverage/language/php.md#composer
+[go-mod]: ../coverage/language/golang.md#go-module
+[composer-lock]: ../coverage/language/php.md#composerlock
[pom-xml]: ../coverage/language/java.md#pomxml
[gradle-lockfile]: ../coverage/language/java.md#gradlelock
[sbt-lockfile]: ../coverage/language/java.md#sbt
diff --git a/docs/docs/coverage/kubernetes.md b/docs/docs/coverage/kubernetes.md
index 5f2b3a62fc5e..9e925ca39900 100644
--- a/docs/docs/coverage/kubernetes.md
+++ b/docs/docs/coverage/kubernetes.md
@@ -17,7 +17,7 @@ Container image is scanned for:
Kubernetes resource definition is scanned for:
-- Vulnerabilities - partially supported through [KBOM scanning](#KBOM)
+- Vulnerabilities - partially supported through [KBOM scanning](../target/kubernetes.md#kbom)
- Misconfigurations
- Exposed secrets
diff --git a/docs/docs/coverage/language/golang.md b/docs/docs/coverage/language/golang.md
index cd1a30c53e9c..ca3f880bef45 100644
--- a/docs/docs/coverage/language/golang.md
+++ b/docs/docs/coverage/language/golang.md
@@ -12,17 +12,17 @@ The following scanners are supported.
The table below provides an outline of the features Trivy offers.
-| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib | [Detection Priority][detection-priority] |
-|----------|:-----------:|:-----------------|:------------------------------------:|:------------------------:|:----------------------------------------:|
-| Modules | ✅ | Include | [✅](#dependency-graph) | [✅](#standard-library) | [✅](#standard-library) |
-| Binaries | ✅ | Exclude | - | [✅](#standard-library-1) | Not needed |
+| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib | [Detection Priority][detection-priority] |
+|----------|:-----------:|:-----------------|:------------------------------------:|:----------------------:|:----------------------------------------:|
+| Modules | ✅ | Include | [✅](#dependency-graph) | [✅](#gomod-stdlib) | [✅](#gomod-stdlib) |
+| Binaries | ✅ | Exclude | - | [✅](#go-binary-stdlib) | Not needed |
!!! note
When scanning Go projects (go.mod or binaries built with Go), Trivy scans only dependencies of the project, and does not detect vulnerabilities of application itself.
For example, when scanning the Docker project (Docker's source code with go.mod or the Docker binary), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself. Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.
## Data Sources
-The data sources are listed [here](../../scanner/vulnerability.md#data-sources-1).
+The data sources are listed [here](../../scanner/vulnerability.md#langpkg-data-sources).
Trivy uses Go Vulnerability Database for [standard library](https://pkg.go.dev/std) and uses GitHub Advisory Database for other Go modules.
## Go Module
@@ -60,12 +60,12 @@ If you want to have better detection, please consider updating the Go version in
$ go mod tidy -go=1.18
```
-### Main Module
+### Main Module { #gomod-main }
Trivy scans only dependencies of the project, and does not detect vulnerabilities of the main module.
For example, when scanning the Docker project (Docker's source code with go.mod), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself.
Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.
-### Standard Library
+### Standard Library { #gomod-stdlib }
Detecting the version of Go used in the project can be tricky.
The go.mod file include hints that allows Trivy to guess the Go version but it eventually depends on the Go tool version in the build environment.
Since this strategy is not fully deterministic and accurate, it is enabled only in [--detection-priority comprehensive][detection-priority] mode.
@@ -105,7 +105,7 @@ In other cases, Go uses the `(devel)` version[^2].
In this case, Trivy will attempt to parse any `-ldflags` as it's a common practice to pass versions this way.
If unsuccessful, the version will be empty[^3].
-### Standard Library
+### Standard Library { #go-binary-stdlib }
Trivy detects the Go version used to compile the binary and detects its vulnerabilities in the standard libraries.
It possibly produces false positives.
See [the caveat](#stdlib-vulnerabilities) for details.
@@ -120,7 +120,7 @@ There are a few ways to mitigate this:
2. Suppress non-applicable vulnerabilities using either [ignore file](../../configuration/filtering.md) for self-use or [VEX Hub](../../supply-chain/vex/repo.md) for public use.
### Empty Version
-As described in the [Main Module](#main-module-1) section, the main module of Go binaries might have an empty version.
+As described in the [Main Module](#gomod-main) section, the main module of Go binaries might have an empty version.
Also, dependencies replaced with local ones will have an empty version.
[^1]: It doesn't require the Internet access.
diff --git a/docs/docs/coverage/language/index.md b/docs/docs/coverage/language/index.md
index df8203f93691..74d578852241 100644
--- a/docs/docs/coverage/language/index.md
+++ b/docs/docs/coverage/language/index.md
@@ -16,7 +16,7 @@ This is because Trivy primarily categorizes targets into two groups:
If the target is a pre-build project, like a code repository, Trivy will analyze files used for building, such as lock files.
On the other hand, when the target is a post-build artifact, like a container image, Trivy will analyze installed package metadata like `.gemspec`, binary files, and so on.
-| Language | File | Image[^5] | Rootfs[^6] | Filesystem[^7] | Repository[^8] |
+| Language | File | Image[^4] | Rootfs[^5] | Filesystem[^6] | Repository[^7] |
|----------------------|--------------------------------------------------------------------------------------------|:---------:|:----------:|:--------------:|:--------------:|
| [Ruby](ruby.md) | Gemfile.lock | - | - | ✅ | ✅ |
| | gemspec | ✅ | ✅ | - | - |
@@ -25,7 +25,6 @@ On the other hand, when the target is a post-build artifact, like a container im
| | requirements.txt | - | - | ✅ | ✅ |
| | egg package[^1] | ✅ | ✅ | - | - |
| | wheel package[^2] | ✅ | ✅ | - | - |
-| | conda package[^3] | ✅ | ✅ | - | - |
| [PHP](php.md) | composer.lock | - | - | ✅ | ✅ |
| | installed.json | ✅ | ✅ | - | - |
| [Node.js](nodejs.md) | package-lock.json | - | - | ✅ | ✅ |
@@ -35,8 +34,8 @@ On the other hand, when the target is a post-build artifact, like a container im
| [.NET](dotnet.md) | packages.lock.json | ✅ | ✅ | ✅ | ✅ |
| | packages.config | ✅ | ✅ | ✅ | ✅ |
| | .deps.json | ✅ | ✅ | ✅ | ✅ |
-| | *Packages.props[^11] | ✅ | ✅ | ✅ | ✅ |
-| [Java](java.md) | JAR/WAR/PAR/EAR[^4] | ✅ | ✅ | - | - |
+| | *Packages.props[^9] | ✅ | ✅ | ✅ | ✅ |
+| [Java](java.md) | JAR/WAR/PAR/EAR[^3] | ✅ | ✅ | - | - |
| | pom.xml | - | - | ✅ | ✅ |
| | *gradle.lockfile | - | - | ✅ | ✅ |
| | *.sbt.lock | - | - | ✅ | ✅ |
@@ -45,7 +44,7 @@ On the other hand, when the target is a post-build artifact, like a container im
| [Rust](rust.md) | Cargo.lock | ✅ | ✅ | ✅ | ✅ |
| | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) | ✅ | ✅ | - | - |
| [C/C++](c.md) | conan.lock | - | - | ✅ | ✅ |
-| [Elixir](elixir.md) | mix.lock[^10] | - | - | ✅ | ✅ |
+| [Elixir](elixir.md) | mix.lock[^8] | - | - | ✅ | ✅ |
| [Dart](dart.md) | pubspec.lock | - | - | ✅ | ✅ |
| [Swift](swift.md) | Podfile.lock | - | - | ✅ | ✅ |
| | Package.resolved | - | - | ✅ | ✅ |
@@ -61,12 +60,10 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
[^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
[^2]: `.dist-info/META-DATA`
-[^3]: `envs/*/conda-meta/*.json`
-[^4]: `*.jar`, `*.war`, `*.par` and `*.ear`
-[^5]: ✅ means "enabled" and `-` means "disabled" in the image scanning
-[^6]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
-[^7]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
-[^8]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
-[^9]: ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in [json](../../configuration/reporting.md#json) and [sarif](../../configuration/reporting.md#sarif) formats. SARIF uses `startline == 1 and endline == 1` for unsupported file types
-[^10]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#file-patterns)
-[^11]: `Directory.Packages.props` and legacy `Packages.props` file names are supported
+[^3]: `*.jar`, `*.war`, `*.par` and `*.ear`
+[^4]: ✅ means "enabled" and `-` means "disabled" in the image scanning
+[^5]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
+[^6]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
+[^7]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^8]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#file-patterns)
+[^9]: `Directory.Packages.props` and legacy `Packages.props` file names are supported
diff --git a/docs/docs/coverage/language/java.md b/docs/docs/coverage/language/java.md
index 30aca897670a..934d4149d4d8 100644
--- a/docs/docs/coverage/language/java.md
+++ b/docs/docs/coverage/language/java.md
@@ -60,7 +60,7 @@ Trivy reproduces Maven's repository selection and priority:
!!! Note
Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the `maven repository`.
- Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources-1).
+ Information about data sources for Java you can see [here](../../scanner/vulnerability.md#langpkg-data-sources).
You can disable connecting to the maven repository with the `--offline-scan` flag.
The `--offline-scan` flag does not affect the Trivy database.
diff --git a/docs/docs/coverage/language/python.md b/docs/docs/coverage/language/python.md
index 27b776ec2d75..6b249adfcb8b 100644
--- a/docs/docs/coverage/language/python.md
+++ b/docs/docs/coverage/language/python.md
@@ -44,7 +44,7 @@ Trivy parses your files generated by package managers in filesystem/repository s
#### Dependency detection
By default, Trivy only parses [version specifiers](https://packaging.python.org/en/latest/specifications/version-specifiers/#id5) with `==` comparison operator and without `.*`.
-Using the [--detection-priority comprehensive](#detection-priority) option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging.
+Using the [--detection-priority comprehensive][detection-priority] option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging.
In such case Trivy parses specifiers `>=`,`~=` and a trailing `.*`.
```
diff --git a/docs/docs/coverage/os/oracle.md b/docs/docs/coverage/os/oracle.md
index 3799918b9a31..46ab22bc5238 100644
--- a/docs/docs/coverage/os/oracle.md
+++ b/docs/docs/coverage/os/oracle.md
@@ -28,6 +28,19 @@ See [here](../../scanner/vulnerability.md#data-sources).
### Fixed Version
Trivy takes fixed versions from [Oracle security advisories][alerts].
+#### Flavors
+Trivy detects the flavor for version of the found package and finds vulnerabilities only for that flavor.
+
+| Flavor | Format | Example |
+|:-------:|:------------------------------------:|------------------------------------------------------|
+| normal | version without `fips` and `ksplice` | 3.6.16-4.el8 |
+| fips | `*_fips` | 10:3.6.16-4.0.1.el8_fips |
+| ksplice | `*.ksplice*.*` | 2:2.34-60.0.3.ksplice1.el9_2.7, 151.0.1.ksplice2.el8 |
+
+
+For example Trivy finds [CVE-2021-33560](https://linux.oracle.com/cve/CVE-2021-33560.html) only for the `normal` and `fips` flavors.
+For the `ksplice` flavor, [CVE-2021-33560](https://linux.oracle.com/cve/CVE-2021-33560.html) will be skipped.
+
### Severity
Trivy determines vulnerability severity based on the severity metric provided in [Oracle security advisories][alerts].
For example, the security patch for [CVE-2023-0464][CVE-2023-0464] is provided as [ELSA-2023-2645][ELSA-2023-2645].
diff --git a/docs/docs/coverage/others/index.md b/docs/docs/coverage/others/index.md
new file mode 100644
index 000000000000..2616fb358d53
--- /dev/null
+++ b/docs/docs/coverage/others/index.md
@@ -0,0 +1,28 @@
+# Others
+
+In this section we have placed images, package managers and files that we can't assign to existing sections.
+
+Trivy supports them for
+
+- [SBOM][sbom]
+- [Vulnerabilities][vuln]
+- [Licenses][license]
+
+## Supported elements
+
+| Element | File | Image[^1] | Rootfs[^2] | Filesystem[^3] | Repository[^4] |
+|--------------------------------|-----------------------------------------------------|:---------:|:----------:|:--------------:|:--------------:|
+| [Bitnami packages](bitnami.md) | `/opt/bitnami//.spdx-.spdx` | ✅ | ✅ | - | - |
+| [Conda](conda.md) | `/envs//conda-meta/.json` | ✅ | ✅ | - | - |
+| | `environment.yml` | - | - | ✅ | ✅ |
+| [RPM Archives](rpm.md) | `*.rpm` | ✅[^5] | ✅[^5] | ✅[^5] | ✅[^5] |
+
+[sbom]: ../../supply-chain/sbom.md
+[vuln]: ../../scanner/vulnerability.md
+[license]: ../../scanner/license.md
+
+[^1]: ✅ means "enabled" and `-` means "disabled" in the image scanning
+[^2]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
+[^3]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
+[^4]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^5]: Only if the `TRIVY_EXPERIMENTAL_RPM_ARCHIVE` env is set.
diff --git a/docs/docs/index.md b/docs/docs/index.md
index a475356b734e..b45469756c68 100644
--- a/docs/docs/index.md
+++ b/docs/docs/index.md
@@ -1,5 +1,6 @@
# Docs
-In this section you can find the complete reference documentation for all the different features and settings that Trivy has to offer.
+Welcome to the Trivy documentation!
+Here you can find complete and thorough information about every aspect of Trivy, how to use it, features available, and configuration options.
-👈 Please use the side-navigation on the left in order to browse the different topics.
+👈 Please use the left side navigation browse the different topics.
diff --git a/docs/docs/plugin/user-guide.md b/docs/docs/plugin/user-guide.md
index a02cd6643321..e809f0784735 100644
--- a/docs/docs/plugin/user-guide.md
+++ b/docs/docs/plugin/user-guide.md
@@ -103,7 +103,6 @@ VERSION:
dev
Scanning Commands
- aws [EXPERIMENTAL] Scan AWS account
config Scan config files for misconfigurations
filesystem Scan local filesystem
image Scan a container image
diff --git a/docs/docs/references/configuration/cli/trivy_config.md b/docs/docs/references/configuration/cli/trivy_config.md
index 804b33725522..7cc65a04e949 100644
--- a/docs/docs/references/configuration/cli/trivy_config.md
+++ b/docs/docs/references/configuration/cli/trivy_config.md
@@ -13,7 +13,7 @@ trivy config [flags] DIR
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
- --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
+ --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--compliance string compliance report to generate
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
diff --git a/docs/docs/references/configuration/cli/trivy_filesystem.md b/docs/docs/references/configuration/cli/trivy_filesystem.md
index 534f72b44bfc..4bf6aa064999 100644
--- a/docs/docs/references/configuration/cli/trivy_filesystem.md
+++ b/docs/docs/references/configuration/cli/trivy_filesystem.md
@@ -23,13 +23,13 @@ trivy filesystem [flags] PATH
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
- --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
+ --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--compliance string compliance report to generate
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode
- --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+ --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
@@ -56,7 +56,7 @@ trivy filesystem [flags] PATH
--include-deprecated-checks include deprecated checks
--include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-non-failures include successes, available with '--scanners misconfig'
- --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+ --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md
index 1e749c923db8..41bc6ce842bc 100644
--- a/docs/docs/references/configuration/cli/trivy_image.md
+++ b/docs/docs/references/configuration/cli/trivy_image.md
@@ -37,13 +37,13 @@ trivy image [flags] IMAGE_NAME
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
- --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
+ --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--compliance string compliance report to generate (docker-cis-1.6.0)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode
- --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+ --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
@@ -74,7 +74,7 @@ trivy image [flags] IMAGE_NAME
--include-deprecated-checks include deprecated checks
--include-non-failures include successes, available with '--scanners misconfig'
--input string input file path instead of image name
- --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+ --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md
index 9ec7f87a1966..9290ec0719b8 100644
--- a/docs/docs/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -33,12 +33,12 @@ trivy kubernetes [flags] [CONTEXT]
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
- --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
+ --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--compliance string compliance report to generate (k8s-nsa-1.0,k8s-cis-1.23,eks-cis-1.4,rke2-cis-1.24,k8s-pss-baseline-0.1,k8s-pss-restricted-0.1)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
- --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+ --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
@@ -70,7 +70,7 @@ trivy kubernetes [flags] [CONTEXT]
--include-kinds strings indicate the kinds included in scanning (example: node)
--include-namespaces strings indicate the namespaces included in scanning (example: kube-system)
--include-non-failures include successes, available with '--scanners misconfig'
- --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+ --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--kubeconfig string specify the kubeconfig file path to use
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
diff --git a/docs/docs/references/configuration/cli/trivy_repository.md b/docs/docs/references/configuration/cli/trivy_repository.md
index fd076b4f1131..38ae6611b595 100644
--- a/docs/docs/references/configuration/cli/trivy_repository.md
+++ b/docs/docs/references/configuration/cli/trivy_repository.md
@@ -23,13 +23,13 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
- --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
+ --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--commit string pass the commit hash to be scanned
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode
- --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+ --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
@@ -56,7 +56,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--include-deprecated-checks include deprecated checks
--include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-non-failures include successes, available with '--scanners misconfig'
- --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+ --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
diff --git a/docs/docs/references/configuration/cli/trivy_rootfs.md b/docs/docs/references/configuration/cli/trivy_rootfs.md
index b4fbfa5b68cd..b84dcc5cd2c3 100644
--- a/docs/docs/references/configuration/cli/trivy_rootfs.md
+++ b/docs/docs/references/configuration/cli/trivy_rootfs.md
@@ -26,12 +26,12 @@ trivy rootfs [flags] ROOTDIR
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
- --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
+ --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode
- --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+ --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
@@ -58,7 +58,7 @@ trivy rootfs [flags] ROOTDIR
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-non-failures include successes, available with '--scanners misconfig'
- --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+ --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
diff --git a/docs/docs/references/configuration/cli/trivy_sbom.md b/docs/docs/references/configuration/cli/trivy_sbom.md
index 13b4cd95a582..9456e8883532 100644
--- a/docs/docs/references/configuration/cli/trivy_sbom.md
+++ b/docs/docs/references/configuration/cli/trivy_sbom.md
@@ -24,7 +24,7 @@ trivy sbom [flags] SBOM_PATH
--cache-ttl duration cache TTL when using redis as cache backend
--compliance string compliance report to generate
--custom-headers strings custom headers in client mode
- --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+ --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
@@ -41,7 +41,7 @@ trivy sbom [flags] SBOM_PATH
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
- --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+ --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
diff --git a/docs/docs/references/configuration/cli/trivy_server.md b/docs/docs/references/configuration/cli/trivy_server.md
index 80eacd43ee4f..794cad7bb6e6 100644
--- a/docs/docs/references/configuration/cli/trivy_server.md
+++ b/docs/docs/references/configuration/cli/trivy_server.md
@@ -22,7 +22,7 @@ trivy server [flags]
```
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
- --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+ --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--download-db-only download/update vulnerability database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
-h, --help help for server
diff --git a/docs/docs/references/configuration/cli/trivy_vm.md b/docs/docs/references/configuration/cli/trivy_vm.md
index 08e706242495..1074d878d866 100644
--- a/docs/docs/references/configuration/cli/trivy_vm.md
+++ b/docs/docs/references/configuration/cli/trivy_vm.md
@@ -23,11 +23,11 @@ trivy vm [flags] VM_IMAGE
--aws-region string AWS region to scan
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
- --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
+ --checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--compliance string compliance report to generate
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode
- --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+ --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
@@ -52,7 +52,7 @@ trivy vm [flags] VM_IMAGE
--ignore-unfixed display only fixed vulnerabilities
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes, available with '--scanners misconfig'
- --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+ --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
diff --git a/docs/docs/references/configuration/config-file.md b/docs/docs/references/configuration/config-file.md
index 8534503b8170..365d2e5a57a9 100644
--- a/docs/docs/references/configuration/config-file.md
+++ b/docs/docs/references/configuration/config-file.md
@@ -105,6 +105,7 @@ db:
# Same as '--java-db-repository'
java-repository:
+ - mirror.gcr.io/aquasec/trivy-java-db:1
- ghcr.io/aquasecurity/trivy-java-db:1
# Same as '--skip-java-db-update'
@@ -115,6 +116,7 @@ db:
# Same as '--db-repository'
repository:
+ - mirror.gcr.io/aquasec/trivy-db:2
- ghcr.io/aquasecurity/trivy-db:2
# Same as '--skip-db-update'
@@ -373,7 +375,7 @@ license:
```yaml
misconfiguration:
# Same as '--checks-bundle-repository'
- checks-bundle-repository: "ghcr.io/aquasecurity/trivy-checks:1"
+ checks-bundle-repository: "mirror.gcr.io/aquasec/trivy-checks:1"
cloudformation:
# Same as '--cf-params'
diff --git a/docs/docs/references/troubleshooting.md b/docs/docs/references/troubleshooting.md
index 2c9a74a0e89a..5d51b0532200 100644
--- a/docs/docs/references/troubleshooting.md
+++ b/docs/docs/references/troubleshooting.md
@@ -269,4 +269,4 @@ $ trivy clean --all
[air-gapped]: ../advanced/air-gap.md
[network]: ../advanced/air-gap.md#network-requirements
-[redis-cache]: ../../vulnerability/examples/cache/#cache-backend
+[redis-cache]: ../configuration/cache.md#redis
diff --git a/docs/docs/scanner/misconfiguration/check/builtin.md b/docs/docs/scanner/misconfiguration/check/builtin.md
index c4ca18e79006..77b68f7ed09d 100644
--- a/docs/docs/scanner/misconfiguration/check/builtin.md
+++ b/docs/docs/scanner/misconfiguration/check/builtin.md
@@ -9,7 +9,7 @@ See [here](../../../coverage/iac/index.md) for the list of supported config type
When performing a misconfiguration scan, Trivy will automatically download the relevant Checks bundle. The bundle is cached locally and Trivy will reuse it for subsequent scans on the same machine. Trivy takes care of updating the cache automatically, so normally users can be oblivious to it.
## Checks Distribution
-Trivy checks are distributed as an [OPA bundle](opa-bundle) hosted in the following GitHub Container Registry: .
+Trivy checks are distributed as an [OPA bundle][opa-bundle] hosted in the following GitHub Container Registry: .
Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
### External connectivity
diff --git a/docs/docs/scanner/vulnerability.md b/docs/docs/scanner/vulnerability.md
index ba5d0014d6bf..9d4e908c667b 100644
--- a/docs/docs/scanner/vulnerability.md
+++ b/docs/docs/scanner/vulnerability.md
@@ -113,7 +113,7 @@ To hide unfixed/unfixable vulnerabilities, you can use the `--ignore-unfixed` fl
### Supported Languages
See [here](../coverage/language/index.md#supported-languages) for the supported languages.
-### Data Sources
+### Data Sources { #langpkg-data-sources }
| Language | Source | Commercial Use | Delay[^1] |
|----------|-----------------------------------------------------|:--------------:|:---------:|
@@ -141,10 +141,10 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
If you have software that is not managed by a package manager, Trivy can still detect vulnerabilities in it in some cases:
-- [Using SBOM from Sigstore Rekor](../supply-chain/attestation/rekor/#non-packaged-binaries)
-- [Go Binaries with embedded module information](../coverage/language/golang/#go-binaries)
-- [Rust Binaries with embedded information](../coverage/language/rust/#binaries)
-- [SBOM embedded in container images](../supply-chain/container-image/#sbom-embedded-in-container-images)
+- [Using SBOM from Sigstore Rekor](../supply-chain/attestation/rekor.md#non-packaged-binaries)
+- [Go Binaries with embedded module information](../coverage/language/golang.md#go-binary)
+- [Rust Binaries with embedded information](../coverage/language/rust.md#binaries)
+- [SBOM embedded in container images](../supply-chain/sbom.md#sbom-detection-inside-targets)
## Kubernetes
@@ -152,28 +152,15 @@ Trivy can detect vulnerabilities in Kubernetes clusters and components by scanni
### Data Sources
-| Vendor | Source |
-| ------------- |---------------------------------------------|
-| Kubernetes | [Kubernetes Official CVE feed][k8s-cve][^1] |
+| Vendor | Source |
+|------------|---------------------------------------------|
+| Kubernetes | [Kubernetes Official CVE feed][k8s-cve][^1] |
[^1]: Some manual triage and correction has been made.
## Databases
-Trivy utilizes several databases containing information relevant for vulnerability scanning.
-When performing a vulnerability scan, Trivy will automatically downloads the relevant databases. The databases are cached locally and Trivy will reuse them for subsequent scans on the same machine. Trivy takes care of updating the databases cache automatically, so normally users can be oblivious to it.
-
-For CLI flags related to the database, please refer to [this page](../configuration/db.md).
-
-### Vulnerability Database
-This is Trivy's main database which contains vulnerability information, as collected from the datasources mentioned above.
-It is built every six hours on [GitHub](https://github.com/aquasecurity/trivy-db).
-
-### Java Index Database
-When scanning JAR files, Trivy relies on a dedicated database for identifying the groupId, artifactId, and version of the scanned JAR files. This database is only used when scanning JAR files, however your scanned artifacts might contain JAR files that you're not aware of.
-This database is built once a day on [GitHub](https://github.com/aquasecurity/trivy-java-db).
-
-### External connectivity
-Trivy needs to connect to the internet to download the databases. If you are running Trivy in an air-gapped environment, or an tightly controlled network, please refer to the [Advanced Network Scenarios document](../advanced/air-gap.md).
+The information from the above sources is collected and stored in databases that Trivy uses for vulnerability scanning. Trivy automatically fetches, maintains, and caches the relevant databases when performing a vulnerability scan
+For more information about Trivy's Databases mechanism and configurations, refer to the [Databases document](../configuration/db.md).
## Detection Behavior
Trivy prioritizes precision in vulnerability detection, aiming to minimize false positives while potentially accepting some false negatives.
diff --git a/docs/docs/supply-chain/attestation/sbom.md b/docs/docs/supply-chain/attestation/sbom.md
index 5d2667d0e100..50493016b677 100644
--- a/docs/docs/supply-chain/attestation/sbom.md
+++ b/docs/docs/supply-chain/attestation/sbom.md
@@ -9,7 +9,7 @@ And, Trivy can take an SBOM attestation as input and scan for vulnerabilities
## Sign with a local key pair
-Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key_management/signing_with_self-managed_keys).
```bash
$ cosign generate-key-pair
diff --git a/docs/docs/supply-chain/attestation/vuln.md b/docs/docs/supply-chain/attestation/vuln.md
index b1484387266a..812601190679 100644
--- a/docs/docs/supply-chain/attestation/vuln.md
+++ b/docs/docs/supply-chain/attestation/vuln.md
@@ -154,7 +154,7 @@ $ trivy image --format cosign-vuln --output vuln.json alpine:3.10
### Sign with a local key pair
-Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation).
+Cosign can generate key pairs and use them for signing and verification. After you run the following command, you will get a public and private key pair. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key_management/signing_with_self-managed_keys).
```bash
$ cosign generate-key-pair
diff --git a/docs/docs/supply-chain/sbom.md b/docs/docs/supply-chain/sbom.md
index f2f2d55c79a5..454cb834bc33 100644
--- a/docs/docs/supply-chain/sbom.md
+++ b/docs/docs/supply-chain/sbom.md
@@ -738,6 +738,7 @@ See [here](../target/sbom.md) for more details.
### SBOM Detection inside Targets
Trivy searches for SBOM files in container images with the following extensions:
+
- `.spdx`
- `.spdx.json`
- `.cdx`
@@ -762,7 +763,7 @@ It is enabled in the following targets.
When scanning container images, Trivy can discover SBOM for those images. [See here](../target/container_image.md) for more details.
-[spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf
+[spdx]: https://spdx.github.io/spdx-spec/v2.2.2/
[cyclonedx]: https://cyclonedx.org/
[sbom]: https://cyclonedx.org/capabilities/sbom/
diff --git a/docs/docs/supply-chain/vex/oci.md b/docs/docs/supply-chain/vex/oci.md
index a8b33bfe45cb..d50c210a97c1 100644
--- a/docs/docs/supply-chain/vex/oci.md
+++ b/docs/docs/supply-chain/vex/oci.md
@@ -87,7 +87,7 @@ You can also refer to [Trivy's example](https://github.com/aquasecurity/trivy/bl
### Step 2: Generate and Upload a VEX Attestation to an OCI Registry
-You can use the [Cosign command](https://docs.sigstore.dev/verifying/attestation/) to generate and upload the VEX attestation.
+You can use the [Cosign command](https://docs.sigstore.dev/cosign/verifying/attestation/) to generate and upload the VEX attestation.
Cosign offers methods both with and without keys.
For detailed instructions, please refer to the Cosign documentation.
diff --git a/docs/docs/target/aws.md b/docs/docs/target/aws.md
deleted file mode 100644
index ef23825129f9..000000000000
--- a/docs/docs/target/aws.md
+++ /dev/null
@@ -1,109 +0,0 @@
-# Amazon Web Services
-
-!!! warning "EXPERIMENTAL"
- This feature might change without preserving backwards compatibility.
-
-The Trivy AWS CLI allows you to scan your AWS account for misconfigurations.
-You can either run the CLI locally or integrate it into your CI/CD pipeline.
-
-Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too.
-
-The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks.
-
-Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform.
-
-You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached.
-
-Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - infrastructure information is cached locally per AWS account/region.
-
-Trivy currently supports the following scanning for AWS accounts.
-
-- Misconfigurations
-
-## CLI Commands
-
-Scan a full AWS account (all supported services):
-
-```shell
-trivy aws --region us-east-1
-```
-
-You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these.
-
-![AWS Summary Report](../../imgs/trivy-aws.png)
-
-The summary view is the default when scanning multiple services.
-
-Scan a specific service:
-
-```shell
-trivy aws --service s3
-```
-
-Scan multiple services:
-
-```shell
-# --service s3,ec2 works too
-trivy aws --service s3 --service ec2
-```
-
-Show results for a specific AWS resource:
-
-```shell
-trivy aws --service s3 --arn arn:aws:s3:::example-bucket
-```
-
-All ARNs with detected issues will be displayed when showing results for their associated service.
-
-## Compliance
-This section describes AWS specific compliance reports.
-For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md).
-
-### Built in reports
-
-the following reports are available out of the box:
-
-| Compliance | Name for command | More info |
-|------------------------------------|------------------|------------------------------------------------------------------------------------------------------|
-| AWS CIS Foundations Benchmark v1.2 | `aws-cis-1.2` | [link](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf) |
-| AWS CIS Foundations Benchmark v1.4 | `aws-cis-1.4` | [link](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls-1.4.0.html) |
-
-### Examples
-
-Scan a cloud account and generate a compliance summary report:
-
-```
-$ trivy aws --compliance= --report=summary
-```
-
-***Note*** : The `Issues` column represent the total number of failed checks for this control.
-
-
-Get all of the detailed output for checks:
-
-```
-$ trivy aws --compliance= --report all
-```
-
-Report result in JSON format:
-
-```
-$ trivy aws --compliance= --report all --format json
-```
-
-## Cached Results
-
-By default, Trivy will cache a representation of each AWS service for 24 hours.
-This means you can filter and view results for a service without having to wait for the entire scan to run again.
-If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`.
-Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.).
-Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`.
-
-## Custom Checks
-
-You can write custom checks for Trivy to evaluate against your AWS account.
-These checks are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/).
-See the [Custom Checks](../scanner/misconfiguration/custom/index.md) page for more information on how to write custom checks.
-
-Custom checks in cloud scanning also support passing in custom data. This can be useful when you want to selectively enable/disable certain aspects of your cloud checks.
-See the [Custom Data](../scanner/misconfiguration/custom/data.md) page for more information on how to provide custom data to custom checks.
diff --git a/docs/docs/target/container_image.md b/docs/docs/target/container_image.md
index 274b43862339..8129c0c071e0 100644
--- a/docs/docs/target/container_image.md
+++ b/docs/docs/target/container_image.md
@@ -272,7 +272,7 @@ $ trivy image aquasec/nginx
This feature might change without preserving backwards compatibility.
Scan your image in Podman (>=2.0) running locally. The remote Podman is not supported.
-Before performing Trivy commands, you must enable the podman.sock systemd service on your machine.
+If you prefer to keep the socket open at all times, then before performing Trivy commands, you can enable the podman.sock systemd service on your machine.
For more details, see [here](https://github.com/containers/podman/blob/master/docs/tutorials/remote_client.md#enable-the-podman-service-on-the-server-machine).
@@ -293,6 +293,15 @@ localhost/test latest efc372d4e0de About a minute ago 7.94 MB
$ trivy image test
```
+If you prefer not to keep the socket open at all times, but to limit the socket opening for your trivy scanning duration only then you can scan your image with the following command:
+
+```bash
+podman system service --time=0 "${TMP_PODMAN_SOCKET}" &
+PODMAN_SYSTEM_SERVICE_PID="$!"
+trivy image --podman-host="${TMP_PODMAN_SOCKET}" --docker-host="${TMP_PODMAN_SOCKET}" test
+kill "${PODMAN_SYSTEM_SERVICE_PID}"
+```
+
### Container Registry
Trivy supports registries that comply with the following specifications.
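Review bot: The added snippet uses `${TMP_PODMAN_SOCKET}` without ever assigning it, and it starts the API service with `--time=0`, which per Podman's documentation disables the idle timeout, so the socket is closed only if the final `kill` line is reached. If the shell is interrupted while the scan runs, the service keeps listening. I would register the cleanup immediately after capturing the PID, `trap 'kill "${PODMAN_SYSTEM_SERVICE_PID}"' EXIT`. The text should also say where the socket goes (a path in a directory only the invoking user can access, for example below `${XDG_RUNTIME_DIR}`) and what form the value takes, since the same variable is passed to `podman system service`, `--podman-host` and `--docker-host`. The service is started in the background with no wait for the socket to appear, so the snippet may also need a short readiness check before `trivy image`.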
diff --git a/docs/docs/target/sbom.md b/docs/docs/target/sbom.md
index 4ea50035df1c..5d6a5f184463 100644
--- a/docs/docs/target/sbom.md
+++ b/docs/docs/target/sbom.md
@@ -6,7 +6,7 @@ Trivy can take the following SBOM formats as an input and scan for vulnerabiliti
- SPDX
- SPDX JSON
- CycloneDX-type attestation
-- [KBOM](./kubernetes.md#KBOM) in CycloneDX format
+- [KBOM](./kubernetes.md#kbom) in CycloneDX format
To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.
The input format is automatically detected.
@@ -118,7 +118,7 @@ Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
## KBOM
-To read more about KBOM, see the [documentation for Kubernetes scanning](./kubernetes.md#KBOM).
+To read more about KBOM, see the [documentation for Kubernetes scanning](./kubernetes.md#kbom).
The supported Kubernetes distributions for core components vulnerability scanning are:
diff --git a/docs/docs/target/vm.md b/docs/docs/target/vm.md
index e2c2cac74467..44ab945ce35d 100644
--- a/docs/docs/target/vm.md
+++ b/docs/docs/target/vm.md
@@ -12,7 +12,7 @@ The following targets are currently supported:
- AWS EC2
- Amazon Machine Image (AMI)
- Amazon Elastic Block Store (EBS) Snapshot
-
+
### Local file
Pass the path to your local VM image file.
@@ -58,7 +58,7 @@ Total: 802 (UNKNOWN: 0, LOW: 17, MEDIUM: 554, HIGH: 221, CRITICAL: 10)
│ │ │ │ │ │ cause named to terminate... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25214 │
├────────────────────────────┼────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
-...
+...
```
@@ -234,7 +234,7 @@ Reference: [VMware Virtual Disk Format 1.1.pdf][vmdk]
| ZFS | |
-[vmdk]: https://www.vmware.com/app/vmdk/?src=vmdk
+[vmdk]: https://github.com/libyal/libvmdk/blob/main/documentation/VMWare%20Virtual%20Disk%20Format%20(VMDK).asciidoc
[ebsapi-elements]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html#ebsapi-elements
[coldsnap]: https://github.com/awslabs/coldsnap
diff --git a/docs/ecosystem/ide.md b/docs/ecosystem/ide.md
index e179eb7883cd..142433c45b65 100644
--- a/docs/ecosystem/ide.md
+++ b/docs/ecosystem/ide.md
@@ -1,11 +1,13 @@
# IDE and developer tools Integrations
## VSCode (Official)
+
[Visual Studio Code](https://code.visualstudio.com/) is an open source versatile code editor and development environment.
👉 Get it at:
## JetBrains (Official)
+
[JetBrains](https://jetbrains.com) makes IDEs such as Goland, Pycharm, IntelliJ, Webstorm, and more.
The Trivy plugin for JetBrains IDEs lets you use Trivy right from your development environment.
@@ -13,6 +15,7 @@ The Trivy plugin for JetBrains IDEs lets you use Trivy right from your developme
👉 Get it at:
## Kubernetes Lens (Official)
+
[Kubernetes Lens](https://k8slens.dev/) is a management application for Kubernetes clusters.
Trivy has an extension for Kubernetes Lens that lets you scan Kubernetes workloads and view the results in the Lens UI.
@@ -20,6 +23,7 @@ Trivy has an extension for Kubernetes Lens that lets you scan Kubernetes workloa
👉 Get it at:
## Vim (Community)
+
[Vim](https://www.vim.org/) is a terminal based text editor.
Vim plugin for Trivy to install and run Trivy.
@@ -27,6 +31,7 @@ Vim plugin for Trivy to install and run Trivy.
👉 Get it at:
## Docker Desktop (Community)
+
[Docker Desktop](https://www.docker.com/products/docker-desktop/) is an easy way to install [Docker]() container engine on your development machine, and manage it in a GUI .
Trivy Docker Desktop extension for scanning container images for vulnerabilities and generating SBOMs
@@ -34,11 +39,13 @@ Trivy Docker Desktop extension for scanning container images for vulnerabilities
👉 Get it at:
## Rancher Desktop (Community)
+
[Rancher Desktop](https://rancherdesktop.io/) is an easy way to use containers and Kubernetes on your development machine, and manage it in a GUI.
-Trivy is natively integrated with Rancher, no installation is needed. More info in Rancher documentation:
+Trivy is natively integrated with Rancher, no installation is needed. More info in Rancher documentation:
## LazyTrivy (Community)
+
A terminal native UI for Trivy
👉 Get it at:
@@ -64,3 +71,9 @@ A trivy pre-commit hook that runs a `trivy fs` in your git repo before commiting
A CDK Construct Library to scan an image with trivy in CDK codes.
👉 Get it at:
+
+## Headlamp plugin (Community)
+
+[Headlamp](https://headlamp.dev/) is a user-friendly Kubernetes UI focused on extensibility. The Kubescape plugin extends Headlamp with views on Trivy reports.
+
+👉 Get it at:
diff --git a/docs/getting-started/index.md b/docs/getting-started/index.md
new file mode 100644
index 000000000000..73ddddafda48
--- /dev/null
+++ b/docs/getting-started/index.md
@@ -0,0 +1,74 @@
+# First steps with Trivy
+
+## Get Trivy
+
+Trivy is available in most common distribution channels. The complete list of installation options is available in the [Installation](./installation.md) page. Here are a few popular examples:
+
+- macOS: `brew install trivy`
+- Docker: `docker run aquasec/trivy`
+- Download binary from [GitHub Release](https://github.com/aquasecurity/trivy/releases/latest/)
+- See [Installation](./installation.md) for more
+
+Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem](../ecosystem/index.md) page. Here are a few popular options examples:
+
+- [GitHub Actions](https://github.com/aquasecurity/trivy-action)
+- [Kubernetes operator](https://github.com/aquasecurity/trivy-operator)
+- [VS Code plugin](https://github.com/aquasecurity/trivy-vscode-extension)
+- See [Ecosystem](../ecosystem/index.md) for more
+
+## General usage
+
+Trivy's Command Line Interface pattern follows its major concepts: targets (what you want to scan), and scanners (what you want to scan for):
+
+```bash
+trivy [--scanners ]
+```
+
+### Examples
+
+Scan a container image from registry, with the default scanner which is Vulnerabilities scanner:
+
+```bash
+trivy image python:3.4-alpine
+```
+
+
+
+
+
+Scan a local code repository, for vulnerabilities, exposed secrets and misconfigurations:
+
+```bash
+trivy fs --scanners vuln,secret,misconfig /path/to/myproject
+```
+
+
+
+
+
+Scan a Kubernetes cluster, with all available scanners, and show a summary report:
+
+```bash
+trivy k8s --report summary cluster
+```
+
+
+
+For a more complete introduction, check out the basic Trivy Demo:
+
+## Learn more
+
+Now that you up and ready, here are some resources to help you deepen your knowledge:
+
+- Learn more about Trivy's capabilities by exploring the complete [documentation](../docs/index.md).
+- Explore community questions and under [GitHub Discussions](https://github.com/aquasecurity/trivy/discussions).
+- Stay up to date by watching for [New Releases & Announcements](https://github.com/aquasecurity/trivy/discussions/categories/announcements).
+- Follow Trivy on Twitter/X: [@aquatrivy](https://x.com/aquatrivy)
+- Explore and subscribe to our YouTube channel [@AquaSecOSS](http://youtube.com/@aquasecoss)
+
+# Want more? Check out Aqua
+
+If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
+You can find a high level comparison table specific to Trivy users [here](https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md).
+In addition, check out the website for more information about our products and services.
+If you'd like to contact Aqua or request a demo, please use this form:
diff --git a/docs/getting-started/installation.md b/docs/getting-started/installation.md
index 6e3c8cd0cfd2..f29c1b484b20 100644
--- a/docs/getting-started/installation.md
+++ b/docs/getting-started/installation.md
@@ -1,10 +1,47 @@
# Installing Trivy
-In this section you will find an aggregation of the different ways to install Trivy. installations are listed as either "official" or "community". Official integrations are developed by the core Trivy team and supported by it. Community integrations are integrations developed by the community, and collected here for your convenience. For support or questions about community integrations, please contact the original developers.
+In this section you will find an aggregation of the different ways to install Trivy. Installation options are labeled as either "Official" or "Community". Official installations are developed by the Trivy team and supported by it. Community installations could be developed by anyone from the Trivy community, and collected here for your convenience. For support or questions about community installations, please contact the original developers.
-## Install using Package Manager
+!!! note
+ If you are looking to integrate Trivy into another system, such as CI/CD, IDE, Kubernetes, etc, please see [Ecosystem section](../ecosystem/index.md) to explore integrations of Trivy with other tools.
-### RHEL/CentOS (Official)
+## Container image (Official)
+
+Use one of the official Trivy images:
+
+| Registry | Repository | Link |
+| --- | --- | --- |
+| Docker Hub | `docker.io/aquasec/trivy` | https://hub.docker.com/r/aquasec/trivy |
+| GitHub Container Registry (GHCR) | `ghcr.io/aquasecurity/trivy` | https://github.com/orgs/aquasecurity/packages/container/package/trivy |
+| AWS Elastic Container Registry (ECR) | `public.ecr.aws/aquasecurity/trivy` | https://gallery.ecr.aws/aquasecurity/trivy |
+
+!!! Tip
+ It is advisable to mount a persistent [cache dir](../docs/configuration/cache.md) on the host into the Trivy container.
+
+!!! Tip
+ For scanning container images with Trivy, mount the container engine socket from the host into the Trivy container.
+
+Example:
+
+``` bash
+docker run -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image python:3.4-alpine
+```
+
+## GitHub Release (Official)
+
+1. Download the file for your operating system/architecture from [GitHub Release assets](https://github.com/aquasecurity/trivy/releases/tag/{{ git.tag }}).
+2. Unpack the downloaded archive (`tar -xzf ./trivy.tar.gz`).
+3. Make sure the binary has execution bit turned on (`chmod +x ./trivy`).
+
+## Install Script (Official)
+
+For convenience, you can use the install script to download and install Trivy from GitHub Release.
+
+```bash
+curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin {{ git.tag }}
+```
+
+## RHEL/CentOS (Official)
=== "Repository"
Add repository setting to `/etc/yum.repos.d`.
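Review bot: In the new "Install Script (Official)" section the script piped into `sudo sh` is fetched from the `main` branch, while only the release it installs is pinned by `{{ git.tag }}`. What runs as root is therefore whatever `contrib/install.sh` contains at the moment of the download, not the script that shipped with the documented release. Fetching it from the tag keeps the two consistent: `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/{{ git.tag }}/contrib/install.sh | sudo sh -s -- -b /usr/local/bin {{ git.tag }}`. The command is carried over unchanged from the section removed at the bottom of the file, so this is a good moment to adjust it and to link the signature-verification page next to it.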
@@ -28,7 +65,7 @@ In this section you will find an aggregation of the different ways to install Tr
rpm -ivh https://github.com/aquasecurity/trivy/releases/download/{{ git.tag }}/trivy_{{ git.tag[1:] }}_Linux-64bit.rpm
```
-### Debian/Ubuntu (Official)
+## Debian/Ubuntu (Official)
=== "Repository"
Add repository setting to `/etc/apt/sources.list.d`.
@@ -48,22 +85,20 @@ In this section you will find an aggregation of the different ways to install Tr
sudo dpkg -i trivy_{{ git.tag[1:] }}_Linux-64bit.deb
```
-### Homebrew (Official)
+## Homebrew (Official)
-Homebrew for MacOS and Linux.
+Homebrew for macOS and Linux.
```bash
brew install trivy
```
-### Windows (Official)
+## Windows (Official)
1. Download trivy_x.xx.x_windows-64bit.zip file from [releases page](https://github.com/aquasecurity/trivy/releases/).
2. Unzip file and copy to any folder.
-3. Ensure PATH environment variable is configured to folder trivy installed.
-
-### Arch Linux (Community)
+## Arch Linux (Community)
Arch Linux Package Repository.
@@ -76,9 +111,9 @@ References:
-
-### MacPorts (Community)
+## MacPorts (Community)
-[MacPorts](https://www.macports.org) for MacOS.
+[MacPorts](https://www.macports.org) for macOS.
```bash
sudo port install trivy
@@ -87,9 +122,9 @@ sudo port install trivy
References:
-
-### Nix/NixOS (Community)
+## Nix/NixOS (Community)
-Nix package manager for Linux and MacOS.
+Nix package manager for Linux and macOS.
=== "Command line"
`nix-env --install -A nixpkgs.trivy`
@@ -116,15 +151,15 @@ References:
- https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/admin/trivy/default.nix
-### FreeBSD (Official)
+## FreeBSD (Official)
-[Pkg](https://freebsd.org) for FreeBSD.
+Pkg package manager for FreeBSD.
```bash
pkg install trivy
```
-### asdf/mise (Community)
+## asdf/mise (Community)
[asdf](https://github.com/asdf-vm/asdf) and [mise](https://github.com/jdx/mise) are quite similar tools you can use to install trivy.
See their respective documentation for more information of how to install them and use them:
@@ -165,50 +200,3 @@ The plugin used by both tools is developped [here](https://github.com/zufardhiya
# Now trivy commands are available
trivy --version
```
-
-## Install from GitHub Release (Official)
-
-### Download Binary
-
-1. Download the file for your operating system/architecture from [GitHub Release assets](https://github.com/aquasecurity/trivy/releases/tag/{{ git.tag }}).
-2. Unpack the downloaded archive (`tar -xzf ./trivy.tar.gz`).
-3. Make sure the binary has execution bit turned on (`chmod +x ./trivy`).
-4. Put the binary somewhere in your `$PATH` (e.g `sudo mv ./trivy /usr/local/bin/`).
-
-### Install Script
-
-The process above can be automated by the following script:
-
-```bash
-curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin {{ git.tag }}
-```
-
-### Install from source
-
-```bash
-git clone --depth 1 --branch {{ git.tag }} https://github.com/aquasecurity/trivy
-cd trivy
-go install ./cmd/trivy
-```
-
-## Use container image
-
-1. Pull Trivy image (`docker pull aquasec/trivy:{{ git.tag[1:] }}`)
- 2. It is advisable to mount a consistent [cache dir](../docs/configuration/cache.md) on the host into the Trivy container.
-3. For scanning container images with Trivy, mount `docker.sock` from the host into the Trivy container.
-
-Example:
-
-``` bash
-docker run -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image python:3.4-alpine
-```
-
-| Registry | Repository | Link | Supportability |
-|--------------------------------------|-------------------------------------|-----------------------------------------------------------------------|----------------|
-| Docker Hub | `docker.io/aquasec/trivy` | https://hub.docker.com/r/aquasec/trivy | Official |
-| GitHub Container Registry (GHCR) | `ghcr.io/aquasecurity/trivy` | https://github.com/orgs/aquasecurity/packages/container/package/trivy | Official |
-| AWS Elastic Container Registry (ECR) | `public.ecr.aws/aquasecurity/trivy` | https://gallery.ecr.aws/aquasecurity/trivy | Official |
-
-## Other Tools to use and deploy Trivy
-
-For additional tools and ways to install and use Trivy in different environments such as in IDE, Kubernetes or CI/CD, see [Ecosystem section](../ecosystem/index.md).
diff --git a/docs/getting-started/signature-verification.md b/docs/getting-started/signature-verification.md
index 1443b4586c6f..9a28ab28fd91 100644
--- a/docs/getting-started/signature-verification.md
+++ b/docs/getting-started/signature-verification.md
@@ -1,60 +1,47 @@
# Signature Verification
-## Verifying a Cosign signature
All binaries and container images are signed by [Cosign](https://github.com/sigstore/cosign).
-You need the following tool:
-
-- [Cosign](https://docs.sigstore.dev/cosign/installation/)
-
-### Verifying signed container images
-1. Use the following command for keyless [verification](https://docs.sigstore.dev/cosign/verify/):
- ```shell
- cosign verify aquasec/trivy: \
- --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
- --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
- ```
-
-2. You should get the following output
- ```shell
- Verification for index.docker.io/aquasec/trivy:latest --
- The following checks were performed on each of these signatures:
- - The cosign claims were validated
- - Existence of the claims in the transparency log was verified offline
- - The code-signing certificate was verified using trusted certificate authority certificates
-
- ....
- ```
-
-### Verifying signed binaries
-
-1. Download the required tarball, associated signature and certificate files
-2. Use the following command for keyless verification:
- ```shell
- cosign verify-blob \
- --certificate \
- --signature \
- --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
- --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
- ```
-3. You should get the following output
- ```
- Verified OK
- ```
-
-For example:
+## Verifying container image
+
+Use the following command for keyless [verification](https://docs.sigstore.dev/cosign/verify/):
+
+```shell
+cosign verify aquasec/trivy: \
+--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
+--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+You should get the following output
+
+```
+Verification for index.docker.io/aquasec/trivy:latest --
+The following checks were performed on each of these signatures:
+ - The cosign claims were validated
+ - Existence of the claims in the transparency log was verified offline
+ - The code-signing certificate was verified using trusted certificate authority certificates
+
+ ....
+```
+
+## Verifying binary
+
+Download the required tarball, associated signature and certificate files from the [GitHub Release](https://github.com/aquasecurity/trivy/releases).
+
+Use the following command for keyless verification:
```shell
-$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz"
-$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.pem"
-$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.sig"
-$ cosign verify-blob trivy_0.45.0_Linux-32bit.tar.gz \
- --certificate trivy_0.45.0_Linux-32bit.tar.gz.pem \
- --signature trivy_0.45.0_Linux-32bit.tar.gz.sig \
- --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
- --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
-
-Vetified OK
+cosign verify-blob \
+--certificate \
+--signature \
+--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
+--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+You should get the following output
+
+```
+Verified OK
```
## Verifying a GPG signature
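Review bot: Both `cosign verify` and `cosign verify-blob` keep `--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+'`, which has no anchors and ends in `.+`, so it accepts a certificate issued to any workflow file at any ref of the repository. The rewritten page could narrow this to the workflow that publishes releases and to tag refs, along the lines of `'^https://github\.com/aquasecurity/trivy/\.github/workflows/<release-workflow>\.yaml@refs/tags/v.+$'`. The workflow file name is not visible in this diff, so it is shown here as a placeholder. The rewrite also drops the worked `verify-blob` example, so a sentence naming the `.pem` and `.sig` release assets that belong to each tarball would help readers pass the right files to `--certificate` and `--signature`.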
@@ -63,37 +50,33 @@ RPM and Deb packages are also signed by GPG.
### Verifying RPM
-The public key downloaded [here](https://aquasecurity.github.io/trivy-repo/rpm/public.key).
-
-1. Download the public key
- ```shell
- curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \
- --output pub.key
- ```
-2. Import the key
- ```shell
- rpm --import pub.key
- ```
-3. Verify that the key has been imported
- ```shell
- rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
- ```
- You should get the following output
- ```shell
- gpg(trivy)
- ```
-
-4. Download the required binary
- ```shell
- curl -L https://github.com/aquasecurity/trivy/releases/download//.rpm \
- --output trivy.rpm
- ```
-5. Check the binary with the following command
- ```shell
- rpm -K trivy.rpm
- ```
- You should get the following output
- ```shell
- trivy.rpm: digests signatures OK
- ```
+The public key is available at .
+First, download and import the key:
+
+```shell
+curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \
+--output pub.key
+rpm --import pub.key
+rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
+```
+
+You should get the following output:
+
+```
+gpg(trivy)
+```
+
+Then you can verify the signature:
+
+```shell
+curl -L https://github.com/aquasecurity/trivy/releases/download//.rpm \
+--output trivy.rpm
+rpm -K trivy.rpm
+```
+
+You should get the following output
+
+```
+trivy.rpm: digests signatures OK
+```
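Review bot: The RPM steps do not tie the package to the Trivy key specifically: `rpm -K trivy.rpm` prints `digests signatures OK` when the signature verifies against any key in the RPM keyring, and the `gpg(trivy)` summary only shows that a key carrying that name was imported. I would publish the expected fingerprint in this section (`<TRIVY_RPM_KEY_FINGERPRINT>`, not present in this diff) and have the reader compare it with the output of `gpg --show-keys pub.key` before running `rpm --import pub.key`. Using `rpm -Kv trivy.rpm` in the last step also prints the signing key ID, so the result can be matched against that fingerprint.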
diff --git a/docs/index.md b/docs/index.md
index b72367364181..782c8942f2e7 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,140 +1,10 @@
---
+template: home.html
hide:
-- toc
+ - navigation
+ - toc
+ - path
+ - tags
---
-![logo](imgs/logo.png){ align=right }
-# Trivy Documentation
-
-👋 Welcome to Trivy Documentation! To help you get around, please notice the different sections at the top global menu:
-
-- You are currently in the [Getting Started] section where you can find general information and help with first steps.
-- In the [Tutorials] section you can find step-by-step guides that help you accomplish specific tasks.
-- In the [Docs] section you can find the complete reference documentation for all of the different features and settings that Trivy has to offer.
-- In the [Ecosystem] section you can find how Trivy works together with other tools and applications that you might already use.
-- In the [Contributing] section you can find technical developer documentation and contribution guidelines.
-
-# About Trivy
-
-Trivy ([pronunciation][pronunciation]) is a comprehensive and versatile security scanner. Trivy has *scanners* that look for security issues, and *targets* where it can find those issues.
-
-Targets (what Trivy can scan):
-
-- Container Image
-- Filesystem
-- Git Repository (remote)
-- Virtual Machine Image
-- Kubernetes
-- AWS
-
-Scanners (what Trivy can find there):
-
-- OS packages and software dependencies in use (SBOM)
-- Known vulnerabilities (CVEs)
-- IaC issues and misconfigurations
-- Sensitive information and secrets
-- Software licenses
-
-Trivy supports most popular programming languages, operating systems, and platforms. For a complete list, see the [Scanning Coverage] page.
-
-To learn more, go to the [Trivy homepage][homepage] for feature highlights, or to the [Documentation site][Docs] for detailed information.
-
-## Quick Start
-
-### Get Trivy
-
-Trivy is available in most common distribution channels. The complete list of installation options is available in the [Installation] page. Here are a few popular examples:
-
-- `brew install trivy`
-- `docker run aquasec/trivy`
-- Download binary from
-- See [Installation] for more
-
-Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem] page. Here are a few popular options examples:
-
-- [GitHub Actions](https://github.com/aquasecurity/trivy-action)
-- [Kubernetes operator](https://github.com/aquasecurity/trivy-operator)
-- [VS Code plugin](https://github.com/aquasecurity/trivy-vscode-extension)
-- See [Ecosystem] for more
-
-### General usage
-
-```bash
-trivy [--scanners ]
-```
-
-Examples:
-
-```bash
-trivy image python:3.4-alpine
-```
-
-
-Result
-
-
-
-
-
- Demo: Vulnerability Detection
-
-
-
-
-```bash
-trivy fs --scanners vuln,secret,misconfig myproject/
-```
-
-
-Result
-
-
-
-
-
- Demo: Misconfiguration Detection
-
-
-
-
-```bash
-trivy k8s --report summary cluster
-```
-
-
-Result
-
-
-
- Demo: Secret Detection
-
-
-
-
-# Want more? Check out Aqua
-
-If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
-You can find a high level comparison table specific to Trivy users [here](https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md).
-In addition check out the website for more information about our products and services.
-If you'd like to contact Aqua or request a demo, please use this form:
-
----
-
-Trivy is an [Aqua Security][aquasec] open source project.
-Learn about our open source work and portfolio [here][oss].
-Contact us about any matter by opening a GitHub Discussion [here][discussions]
-
-[Ecosystem]: ./ecosystem/index.md
-[Installation]: getting-started/installation.md
-[pronunciation]: getting-started/faq.md#how-to-pronounce-the-name-trivy
-[Scanning Coverage]: ./docs/coverage/index.md
-
-[aquasec]: https://aquasec.com
-[oss]: https://www.aquasec.com/products/open-source-projects/
-[discussions]: https://github.com/aquasecurity/trivy/discussions
-
-[homepage]: https://trivy.dev
-[Tutorials]: ./tutorials/overview
-[Docs]: ./docs
-[Getting Started]: ./
-[Contributing]: ./community/contribute/issue
+
diff --git a/docs/overrides/home.html b/docs/overrides/home.html
new file mode 100644
index 000000000000..bb73736d80d2
--- /dev/null
+++ b/docs/overrides/home.html
@@ -0,0 +1,244 @@
+{% extends "main.html" %}
+
+{% block content %}
+
+{% endblock %}
+
+{% block hero %}
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/docs/overrides/main.html b/docs/overrides/main.html
index f3bc7637878b..7b574b0f5354 100644
--- a/docs/overrides/main.html
+++ b/docs/overrides/main.html
@@ -1,7 +1,35 @@
{% extends "base.html" %}
+{% block extrahead %}
+
+{% set title = config.site_name %}
+{% if page and page.title and not page.is_homepage %}
+ {% set title = config.site_name ~ " - " ~ page.title | striptags %}
+{% endif %}
+
+{% set image = config.site_url ~ 'assets/images/illustrations/banner.png' %}
+
+
+
+
+
+
+
+
+
+
+
+{% endblock %}
+
{% block outdated %}
-You're not viewing the latest version.
+You're not viewing the latest version of the documentation.
Click here to go to latest.
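Review bot: The `image` assignment in the new `extrahead` block concatenates `config.site_url` without a guard, so a build where `site_url` is unset (a local or preview build, for instance) would render a value starting with the literal text `None`. Guarding it, e.g. `{% set image = (config.site_url or '') ~ 'assets/images/illustrations/banner.png' %}`, avoids emitting a bogus URL. The tags that consume `title` and `image` are not readable in this view of the hunk; if `title` is written into an attribute there, it should be escaped (`{{ title | e }}`), because `striptags` removes markup but does not by itself make the text attribute-safe. The `outdated` block continues past the end of the hunk.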
diff --git a/docs/tutorials/integrations/gitlab-ci.md b/docs/tutorials/integrations/gitlab-ci.md
index 8b4e8c34e7bb..afef98f3681b 100644
--- a/docs/tutorials/integrations/gitlab-ci.md
+++ b/docs/tutorials/integrations/gitlab-ci.md
@@ -114,7 +114,7 @@ container_scanning:
Depending on the edition of gitlab you have or your desired workflow, the
container scanning template may not meet your needs. As an addition to the
above container scanning template, a template for
-[code climate](https://docs.gitlab.com/ee/user/project/merge_requests/code_quality.html)
+[code climate](https://docs.gitlab.com/ee/ci/testing/code_quality.html)
has been included. The key things to update from the above examples are
the `template` and `report` type. An updated example is below.
diff --git a/docs/tutorials/kubernetes/cluster-scanning.md b/docs/tutorials/kubernetes/cluster-scanning.md
index 4cd2de6ee694..e18595579900 100644
--- a/docs/tutorials/kubernetes/cluster-scanning.md
+++ b/docs/tutorials/kubernetes/cluster-scanning.md
@@ -59,7 +59,7 @@ This has several benefits:
- The CRDs can be both machine and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy operator.
-There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation based on the [following documentation.](../../docs/target/kubernetes.md#trivy-operator)
+There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation.
Please follow the Trivy Operator documentation for further information on:
diff --git a/docs/tutorials/shell/shell-completion.md b/docs/tutorials/shell/shell-completion.md
index 1f9f3ecb154d..a9d21e3f2bc4 100644
--- a/docs/tutorials/shell/shell-completion.md
+++ b/docs/tutorials/shell/shell-completion.md
@@ -49,7 +49,6 @@ trivy completion zsh > "${fpath[1]}/_trivy"
```bash
$ trivy [tab]
-aws -- scan aws account
completion -- Generate the autocompletion script for the specified shell
config -- Scan config files for misconfigurations
filesystem -- Scan local filesystem
diff --git a/docs/tutorials/signing/vuln-attestation.md b/docs/tutorials/signing/vuln-attestation.md
index 2e4b487306c6..7cd85e2052da 100644
--- a/docs/tutorials/signing/vuln-attestation.md
+++ b/docs/tutorials/signing/vuln-attestation.md
@@ -8,7 +8,7 @@ This tutorial details how to
#### Prerequisites
1. [Trivy CLI](../../getting-started/installation.md) installed
-2. [Cosign CLI](https://docs.sigstore.dev/system_config/installation/) installed
+2. [Cosign CLI](https://docs.sigstore.dev/cosign/system_config/installation/) installed
3. Ensure that you have access to a container image in a remote container registry that you own/within your account. In this tutorial, we will use DockerHub.
## Scan Container Image for vulnerabilities
diff --git a/go.mod b/go.mod
index c7bb5f608c47..97bf99e8b249 100644
--- a/go.mod
+++ b/go.mod
@@ -1,13 +1,11 @@
module github.com/aquasecurity/trivy
-go 1.22.0
-
-toolchain go1.22.4
+go 1.22.9
require (
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
- github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
- github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
+ github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0
+ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0
github.com/BurntSushi/toml v1.4.0
github.com/CycloneDX/cyclonedx-go v0.9.1
github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
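Review bot: The `go` directive at the top of this hunk moves from `1.22.0` to `1.22.9` and the separate `toolchain go1.22.4` line is dropped, which raises the minimum Go version for every module that imports github.com/aquasecurity/trivy as a library, not just for this repository's own builds. If the aim is only to build releases with a patched toolchain, keeping `go 1.22.0` and setting `toolchain go1.22.9` would do that without constraining importers. If one of the updated dependencies requires 1.22.9 (not visible from this hunk), a one-line comment above the directive naming it would make the next bump easier to reason about.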
@@ -15,42 +13,44 @@ require (
github.com/NYTimes/gziphandler v1.1.1
github.com/alecthomas/chroma v0.10.0
github.com/alicebob/miniredis/v2 v2.33.0
- github.com/antchfx/htmlquery v1.3.2
+ github.com/antchfx/htmlquery v1.3.3
github.com/apparentlymart/go-cidr v1.1.0
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
- github.com/aquasecurity/go-version v0.0.0-20240603093900-cf8a8d29271d
+ github.com/aquasecurity/go-version v0.0.0-20241105054539-1951e80d786f
github.com/aquasecurity/table v1.8.0
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
github.com/aquasecurity/tml v0.6.1
- github.com/aquasecurity/trivy-checks v1.2.2
- github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1
+ github.com/aquasecurity/trivy-checks v1.3.0
+ github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241101182546-89bffc3932bc
- github.com/aws/aws-sdk-go-v2 v1.31.0
- github.com/aws/aws-sdk-go-v2/config v1.27.38
- github.com/aws/aws-sdk-go-v2/credentials v1.17.36
- github.com/aws/aws-sdk-go-v2/service/ec2 v1.179.1
- github.com/aws/aws-sdk-go-v2/service/ecr v1.35.2
- github.com/aws/aws-sdk-go-v2/service/s3 v1.63.2
- github.com/aws/aws-sdk-go-v2/service/sts v1.31.2 // indirect
- github.com/aws/smithy-go v1.21.0
+ github.com/aws/aws-sdk-go-v2 v1.32.5
+ github.com/aws/aws-sdk-go-v2/config v1.28.5
+ github.com/aws/aws-sdk-go-v2/credentials v1.17.46
+ github.com/aws/aws-sdk-go-v2/service/ec2 v1.193.0
+ github.com/aws/aws-sdk-go-v2/service/ecr v1.36.6
+ github.com/aws/aws-sdk-go-v2/service/s3 v1.68.0
+ github.com/aws/aws-sdk-go-v2/service/sts v1.33.1 // indirect
+ github.com/aws/smithy-go v1.22.1
github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
- github.com/bmatcuk/doublestar/v4 v4.6.1
+ github.com/bmatcuk/doublestar/v4 v4.7.1
github.com/cenkalti/backoff/v4 v4.3.0
github.com/cheggaaa/pb/v3 v3.1.5
- github.com/containerd/containerd v1.7.22
- github.com/csaf-poc/csaf_distribution/v3 v3.0.0
- github.com/docker/cli v27.2.1+incompatible
+ github.com/containerd/containerd/v2 v2.0.0
+ github.com/containerd/platforms v1.0.0-rc.0
+ github.com/distribution/reference v0.6.0
+ github.com/docker/cli v27.3.1+incompatible
github.com/docker/docker v27.3.1+incompatible
github.com/docker/go-connections v0.5.0
- github.com/fatih/color v1.17.0
+ github.com/fatih/color v1.18.0
github.com/go-git/go-git/v5 v5.12.0
github.com/go-openapi/runtime v0.28.0 // indirect
github.com/go-openapi/strfmt v0.23.0 // indirect
github.com/go-redis/redis/v8 v8.11.5
+ github.com/gocsaf/csaf/v3 v3.1.0
github.com/golang-jwt/jwt/v5 v5.2.1
github.com/google/go-containerregistry v0.20.2
github.com/google/go-github/v62 v62.0.0
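Review bot: `github.com/containerd/platforms v1.0.0-rc.0` is added as a direct requirement at a release-candidate version, in the same hunk that moves `github.com/containerd/containerd v1.7.22` to `github.com/containerd/containerd/v2 v2.0.0`. A pre-release pin on a direct dependency tends to outlive its reason, so a trailing comment such as `// rc pinned for containerd/v2; move to the final tag when available` would record why it is there. The hunk also swaps `github.com/csaf-poc/csaf_distribution/v3` for `github.com/gocsaf/csaf/v3`. Because a changed module path means new go.sum entries from a different source, the commit description should state that this is the upstream project's own rename (presumably it is).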
@@ -64,11 +64,11 @@ require (
github.com/hashicorp/go-version v1.7.0
github.com/hashicorp/golang-lru/v2 v2.0.7
github.com/hashicorp/hc-install v0.9.0
- github.com/hashicorp/hcl/v2 v2.22.0
+ github.com/hashicorp/hcl/v2 v2.23.0
github.com/hashicorp/terraform-exec v0.21.0
github.com/in-toto/in-toto-golang v0.9.0
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
- github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422
+ github.com/knqyf263/go-deb-version v0.0.0-20241115132648-6f4aee6ccd23
github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
github.com/knqyf263/go-rpmdb v0.1.1
github.com/knqyf263/nested v0.0.1
@@ -88,8 +88,8 @@ require (
github.com/mitchellh/go-homedir v1.1.0
github.com/mitchellh/hashstructure/v2 v2.0.2
github.com/mitchellh/mapstructure v1.5.0
- github.com/moby/buildkit v0.16.0
- github.com/open-policy-agent/opa v0.68.1-0.20240903211041-76f7038ea2d1
+ github.com/moby/buildkit v0.17.2
+ github.com/open-policy-agent/opa v0.70.0
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.0
github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553
@@ -110,41 +110,41 @@ require (
github.com/spf13/pflag v1.0.5
github.com/spf13/viper v1.19.0
github.com/stretchr/testify v1.9.0
- github.com/testcontainers/testcontainers-go v0.33.0
- github.com/testcontainers/testcontainers-go/modules/localstack v0.33.0
- github.com/tetratelabs/wazero v1.8.0
+ github.com/testcontainers/testcontainers-go v0.34.0
+ github.com/testcontainers/testcontainers-go/modules/localstack v0.34.0
+ github.com/tetratelabs/wazero v1.8.1
github.com/twitchtv/twirp v8.1.3+incompatible
github.com/xeipuuv/gojsonschema v1.2.0
github.com/xlab/treeprint v1.2.0
github.com/zclconf/go-cty v1.15.0
- github.com/zclconf/go-cty-yaml v1.0.3
+ github.com/zclconf/go-cty-yaml v1.1.0
go.etcd.io/bbolt v1.3.11
- golang.org/x/crypto v0.27.0
- golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect
- golang.org/x/mod v0.21.0
- golang.org/x/net v0.29.0
- golang.org/x/sync v0.8.0
- golang.org/x/term v0.25.0
- golang.org/x/text v0.18.0
+ golang.org/x/crypto v0.29.0
+ golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
+ golang.org/x/mod v0.22.0
+ golang.org/x/net v0.31.0
+ golang.org/x/sync v0.9.0
+ golang.org/x/term v0.26.0
+ golang.org/x/text v0.20.0
golang.org/x/vuln v1.1.3
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028
- google.golang.org/protobuf v1.34.2
+ google.golang.org/protobuf v1.35.2
gopkg.in/yaml.v3 v3.0.1
- helm.sh/helm/v3 v3.16.1
+ helm.sh/helm/v3 v3.16.3
k8s.io/api v0.31.2
k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
- modernc.org/sqlite v1.33.1
+ modernc.org/sqlite v1.34.1
sigs.k8s.io/yaml v1.4.0
)
require (
cloud.google.com/go v0.112.1 // indirect
- cloud.google.com/go/compute/metadata v0.3.0 // indirect
+ cloud.google.com/go/compute/metadata v0.5.0 // indirect
cloud.google.com/go/iam v1.1.6 // indirect
cloud.google.com/go/storage v1.39.1 // indirect
dario.cat/mergo v1.0.1 // indirect
- github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
- github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
+ github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
+ github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
@@ -162,27 +162,27 @@ require (
github.com/Masterminds/semver/v3 v3.3.0 // indirect
github.com/Masterminds/squirrel v1.5.4 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
- github.com/Microsoft/hcsshim v0.12.0 // indirect
+ github.com/Microsoft/hcsshim v0.12.9 // indirect
github.com/OneOfOne/xxhash v1.2.8 // indirect
github.com/ProtonMail/go-crypto v1.1.0-alpha.2 // indirect
github.com/VividCortex/ewma v1.2.0 // indirect
github.com/agext/levenshtein v1.2.3 // indirect
- github.com/agnivade/levenshtein v1.1.1 // indirect
+ github.com/agnivade/levenshtein v1.2.0 // indirect
github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
- github.com/antchfx/xpath v1.3.1 // indirect
+ github.com/antchfx/xpath v1.3.2 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go v1.55.5 // indirect
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.23.2 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.24.6 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
@@ -191,29 +191,29 @@ require (
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
github.com/cloudflare/circl v1.3.8 // indirect
- github.com/containerd/cgroups/v3 v3.0.2 // indirect
- github.com/containerd/containerd/api v1.7.19 // indirect
- github.com/containerd/continuity v0.4.3 // indirect
- github.com/containerd/errdefs v0.1.0 // indirect
+ github.com/containerd/cgroups/v3 v3.0.3 // indirect
+ github.com/containerd/containerd v1.7.23 // indirect
+ github.com/containerd/containerd/api v1.8.0 // indirect
+ github.com/containerd/continuity v0.4.4 // indirect
+ github.com/containerd/errdefs v1.0.0 // indirect
+ github.com/containerd/errdefs/pkg v0.3.0 // indirect
github.com/containerd/fifo v1.1.0 // indirect
github.com/containerd/log v0.1.0 // indirect
- github.com/containerd/platforms v0.2.1 // indirect
+ github.com/containerd/plugin v1.0.0 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
- github.com/containerd/ttrpc v1.2.5 // indirect
- github.com/containerd/typeurl/v2 v2.2.0 // indirect
- github.com/cpuguy83/dockercfg v0.3.1 // indirect
- github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+ github.com/containerd/ttrpc v1.2.6 // indirect
+ github.com/containerd/typeurl/v2 v2.2.2 // indirect
+ github.com/cpuguy83/dockercfg v0.3.2 // indirect
+ github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
- github.com/cyphar/filepath-securejoin v0.3.1 // indirect
+ github.com/cyphar/filepath-securejoin v0.3.4 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
- github.com/distribution/reference v0.6.0 // indirect
github.com/dlclark/regexp2 v1.4.0 // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker-credential-helpers v0.8.2 // indirect
- github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
github.com/docker/go-metrics v0.0.1 // indirect
github.com/docker/go-units v0.5.0 // indirect
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
@@ -281,7 +281,7 @@ require (
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
- github.com/klauspost/compress v1.17.9 // indirect
+ github.com/klauspost/compress v1.17.11 // indirect
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
@@ -303,7 +303,7 @@ require (
github.com/moby/patternmatcher v0.6.0 // indirect
github.com/moby/spdystream v0.4.0 // indirect
github.com/moby/sys/mountinfo v0.7.2 // indirect
- github.com/moby/sys/sequential v0.5.0 // indirect
+ github.com/moby/sys/sequential v0.6.0 // indirect
github.com/moby/sys/signal v0.7.1 // indirect
github.com/moby/sys/user v0.3.0 // indirect
github.com/moby/sys/userns v0.1.0 // indirect
@@ -318,16 +318,18 @@ require (
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opencontainers/runtime-spec v1.2.0 // indirect
- github.com/opencontainers/selinux v1.11.0 // indirect
+ github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 // indirect
+ github.com/opencontainers/selinux v1.11.1 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
- github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+ github.com/pelletier/go-toml/v2 v2.2.3 // indirect
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pjbgf/sha1cd v0.3.0 // indirect
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
github.com/pkg/errors v0.9.1 // indirect
+ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
- github.com/prometheus/client_golang v1.20.2 // indirect
+ github.com/prometheus/client_golang v1.20.5 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.55.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
@@ -353,6 +355,7 @@ require (
github.com/spf13/afero v1.11.0 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
+ github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
github.com/tchap/go-patricia/v2 v2.3.1 // indirect
github.com/theupdateframework/go-tuf v0.7.0 // indirect
@@ -375,25 +378,25 @@ require (
github.com/yusufpapurcu/wmi v1.2.4 // indirect
go.mongodb.org/mongo-driver v1.14.0 // indirect
go.opencensus.io v0.24.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
- go.opentelemetry.io/otel v1.28.0 // indirect
- go.opentelemetry.io/otel/metric v1.28.0 // indirect
- go.opentelemetry.io/otel/sdk v1.28.0 // indirect
- go.opentelemetry.io/otel/trace v1.28.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 // indirect
+ go.opentelemetry.io/otel v1.31.0 // indirect
+ go.opentelemetry.io/otel/metric v1.31.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.31.0 // indirect
+ go.opentelemetry.io/otel/trace v1.31.0 // indirect
go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
- golang.org/x/oauth2 v0.21.0 // indirect
- golang.org/x/sys v0.26.0 // indirect
+ golang.org/x/oauth2 v0.22.0 // indirect
+ golang.org/x/sys v0.27.0 // indirect
golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 // indirect
- golang.org/x/time v0.6.0 // indirect
- golang.org/x/tools v0.24.0 // indirect
+ golang.org/x/time v0.7.0 // indirect
+ golang.org/x/tools v0.25.0 // indirect
google.golang.org/api v0.172.0 // indirect
google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
- google.golang.org/grpc v1.66.0 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 // indirect
+ google.golang.org/grpc v1.67.1 // indirect
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
@@ -401,9 +404,9 @@ require (
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
- k8s.io/apiextensions-apiserver v0.31.0 // indirect
+ k8s.io/apiextensions-apiserver v0.31.1 // indirect
k8s.io/apimachinery v0.31.2 // indirect
- k8s.io/apiserver v0.31.0 // indirect
+ k8s.io/apiserver v0.31.2 // indirect
k8s.io/cli-runtime v0.31.2 // indirect
k8s.io/client-go v0.31.2 // indirect
k8s.io/component-base v0.31.2 // indirect
@@ -422,4 +425,6 @@ require (
sigs.k8s.io/kustomize/api v0.17.2 // indirect
sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+ tags.cncf.io/container-device-interface v0.8.0 // indirect
+ tags.cncf.io/container-device-interface/specs-go v0.8.0 // indirect
)
diff --git a/go.sum b/go.sum
index 991cad7e2929..c07a334522a3 100644
--- a/go.sum
+++ b/go.sum
@@ -68,8 +68,8 @@ cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz
cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU=
cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U=
cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU=
-cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
-cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
+cloud.google.com/go/compute/metadata v0.5.0 h1:Zr0eK8JbFv6+Wi4ilXAR8FJ3wyNdpxHKJNPos6LTZOY=
+cloud.google.com/go/compute/metadata v0.5.0/go.mod h1:aHnloV2TPI38yx4s9+wAZhHykWvVCfu7hQbF+9CWoiY=
cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I=
cloud.google.com/go/containeranalysis v0.6.0/go.mod h1:HEJoiEIu+lEXM+k7+qLCci0h33lX3ZqoYFdmPcoO7s4=
cloud.google.com/go/datacatalog v1.3.0/go.mod h1:g9svFY6tuR+j+hrTw3J2dNcmI0dzmSiyOzm8kpLq0a0=
@@ -193,20 +193,22 @@ dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
-github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 h1:59MxjQVfjXsBpLy+dbd2/ELV5ofnUkUZBvWSC85sheA=
-github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0/go.mod h1:OahwfttHWG6eJ0clwcfBAHoDI6X/LV/15hx/wlMZSrU=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
+github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 h1:dIScnXFlF784X79oi7MzVT6GWqr/W1uUt0pB5CsDs9M=
+github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2/go.mod h1:gCLVsLfv1egrcZu+GoJATN5ts75F2s62ih/457eWzOw=
github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d h1:zjqpY4C7H15HjRPEenkS4SAn3Jy2eRRjkjZbGR30TOg=
github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d/go.mod h1:XNqJ7hv2kY++g8XEHREpi+JqZo3+0l+CH2egBVN4yqM=
github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 h1:8+4G8JaejP8Xa6W46PzJEwisNgBXMvFcz78N6zG/ARw=
github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0/go.mod h1:GgeIE+1be8Ivm7Sh4RgwI42aTtC9qrcj+Y9Y6CjJhJs=
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 h1:nyQWyZvwGTvunIMxi1Y9uXkcyr+I7TeNrr/foo4Kpk8=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0/go.mod h1:l38EPgmsp71HHLq9j7De57JcKOWPyhrsW1Awm1JS6K0=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 h1:JZg6HRh6W6U4OLl6lk7BZ7BLisIzM9dG1R50zUk9C/M=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0/go.mod h1:YL1xnZ6QejvQHWJrX/AvhFl4WW4rqHVoKspWNVwFk0M=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 h1:B/dfvscEQtew9dVuoxqxrUKKv8Ih2f55PydknDamU+g=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0/go.mod h1:fiPSssYvltE08HJchL04dOy+RD4hgrjph0cwGGMntdI=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0 h1:+m0M/LFxN43KvULkDNfdXOgrjtg6UYJPFBJyuEcRCAw=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0/go.mod h1:PwOyop78lveYMRs6oCxjiVyBdyCgIYH6XHIVZO9/SFQ=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 h1:DRiANoJTiW6obBQe3SqZizkuV1PEgfiiGivmVocDy64=
@@ -235,6 +237,8 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z
github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
+github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
+github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU=
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@@ -266,8 +270,8 @@ github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA4
github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/Microsoft/hcsshim v0.12.0 h1:rbICA+XZFwrBef2Odk++0LjFvClNCJGRK+fsrP254Ts=
-github.com/Microsoft/hcsshim v0.12.0/go.mod h1:RZV12pcHCXQ42XnlQ3pz6FZfmrC1C+R4gaOHhRNML1g=
+github.com/Microsoft/hcsshim v0.12.9 h1:2zJy5KA+l0loz1HzEGqyNnjd3fyZA31ZBCGKacp6lLg=
+github.com/Microsoft/hcsshim v0.12.9/go.mod h1:fJ0gkFAna6ukt0bLdKB8djt4XIJhF/vEPuoIWYVvZ8Y=
github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
@@ -283,8 +287,8 @@ github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1o
github.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4=
github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
-github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
-github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
+github.com/agnivade/levenshtein v1.2.0 h1:U9L4IOT0Y3i0TIlUIDJ7rVUziKi/zPbrJGaFrtYH3SY=
+github.com/agnivade/levenshtein v1.2.0/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU=
github.com/alecthomas/chroma v0.10.0 h1:7XDcGkCQopCNKjZHfYrNLraA+M7e0fMiJ/Mfikbfjek=
github.com/alecthomas/chroma v0.10.0/go.mod h1:jtJATyUxlIORhUOFNA9NZDWGAQ8wpxQQqNSB4rjA/1s=
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@@ -321,10 +325,10 @@ github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
-github.com/antchfx/htmlquery v1.3.2 h1:85YdttVkR1rAY+Oiv/nKI4FCimID+NXhDn82kz3mEvs=
-github.com/antchfx/htmlquery v1.3.2/go.mod h1:1mbkcEgEarAokJiWhTfr4hR06w/q2ZZjnYLrDt6CTUk=
-github.com/antchfx/xpath v1.3.1 h1:PNbFuUqHwWl0xRjvUPjJ95Agbmdj2uzzIwmQKgu4oCk=
-github.com/antchfx/xpath v1.3.1/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
+github.com/antchfx/htmlquery v1.3.3 h1:x6tVzrRhVNfECDaVxnZi1mEGrQg3mjE/rxbH2Pe6dNE=
+github.com/antchfx/htmlquery v1.3.3/go.mod h1:WeU3N7/rL6mb6dCwtE30dURBnBieKDC/fR8t6X+cKjU=
+github.com/antchfx/xpath v1.3.2 h1:LNjzlsSjinu3bQpw9hWMY9ocB80oLOWuQqFvO6xt51U=
+github.com/antchfx/xpath v1.3.2/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4tdgBZjnU=
github.com/apparentlymart/go-cidr v1.1.0/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc=
@@ -341,18 +345,18 @@ github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 h1:
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46/go.mod h1:olhPNdiiAAMiSujemd1O/sc6GcyePr23f/6uGKtthNg=
github.com/aquasecurity/go-version v0.0.0-20201107203531-5e48ac5d022a/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
-github.com/aquasecurity/go-version v0.0.0-20240603093900-cf8a8d29271d h1:4zour5Sh9chOg+IqIinIcJ3qtr3cIf8FdFY6aArlXBw=
-github.com/aquasecurity/go-version v0.0.0-20240603093900-cf8a8d29271d/go.mod h1:1cPOp4BaQZ1G2F5fnw4dFz6pkOyXJI9KTuak8ghIl3U=
+github.com/aquasecurity/go-version v0.0.0-20241105054539-1951e80d786f h1:6mwfszC0VohA3NF75EX8pPStmmL0spZnTlkLp83M69c=
+github.com/aquasecurity/go-version v0.0.0-20241105054539-1951e80d786f/go.mod h1:1cPOp4BaQZ1G2F5fnw4dFz6pkOyXJI9KTuak8ghIl3U=
github.com/aquasecurity/table v1.8.0 h1:9ntpSwrUfjrM6/YviArlx/ZBGd6ix8W+MtojQcM7tv0=
github.com/aquasecurity/table v1.8.0/go.mod h1:eqOmvjjB7AhXFgFqpJUEE/ietg7RrMSJZXyTN8E/wZw=
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqYjz7qDqK+cVOtF2Lk6CxjytYItP6Pgf3wGsNE=
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo=
github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy-checks v1.2.2 h1:EVHi0gthYzDLfqdAqBBwVGfg2l/gdZ622pIlC9rP+lU=
-github.com/aquasecurity/trivy-checks v1.2.2/go.mod h1:TNV0QNVFyBIkt865eO2PtfpubmHt3Ve19Klny//SWIU=
-github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1 h1:G0gnacAORRUqz2Tm5MqivSpldY2GZ74ijhJcMsae+sA=
-github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1/go.mod h1:PYkSRx4dlgFATEt+okGwibvbxVEtqsOdH+vX/saACYE=
+github.com/aquasecurity/trivy-checks v1.3.0 h1:Z4+wxxApNSJOLcmGPWQ9cS3NGmT/yTaPCTMavIeuVEQ=
+github.com/aquasecurity/trivy-checks v1.3.0/go.mod h1:WDo8IKyW4FvA69uKYmamSIy3RosCOiBuA1Kfxuigiy0=
+github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45 h1:ljinbg7JTQvdnzuRsPYS6btA51SyGYWKCQInxSIwbRw=
+github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45/go.mod h1:Lg2avQhFy5qeGA0eMysI/61REVvWpEltverCarGc3l0=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241101182546-89bffc3932bc h1:/mFBYIK9RY+L8s1CIbQbJ5B3v0YmoDSu5eAzavvMa+Y=
@@ -366,44 +370,44 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:W
github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU=
github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
-github.com/aws/aws-sdk-go-v2 v1.31.0 h1:3V05LbxTSItI5kUqNwhJrrrY1BAXxXt0sN0l72QmG5U=
-github.com/aws/aws-sdk-go-v2 v1.31.0/go.mod h1:ztolYtaEUtdpf9Wftr31CJfLVjOnD/CVRkKOOYgF8hA=
-github.com/aws/aws-sdk-go-v2/config v1.27.38 h1:mMVyJJuSUdbD4zKXoxDgWrgM60QwlFEg+JhihCq6wCw=
-github.com/aws/aws-sdk-go-v2/config v1.27.38/go.mod h1:6xOiNEn58bj/64MPKx89r6G/el9JZn8pvVbquSqTKK4=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.36 h1:zwI5WrT+oWWfzSKoTNmSyeBKQhsFRJRv+PGW/UZW+Yk=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.36/go.mod h1:3AG/sY1rc9NJrNWcN/3KPU4SIDPGTrd/qegKB0TnFdE=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 h1:C/d03NAmh8C4BZXhuRNboF/DqhBkBCeDiJDcaqIT5pA=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14/go.mod h1:7I0Ju7p9mCIdlrfS+JCgqcYD0VXz/N4yozsox+0o078=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18 h1:kYQ3H1u0ANr9KEKlGs/jTLrBFPo8P8NaH/w7A01NeeM=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18/go.mod h1:r506HmK5JDUh9+Mw4CfGJGSSoqIiLCndAuqXuhbv67Y=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18 h1:Z7IdFUONvTcvS7YuhtVxN99v2cCoHRXOS4mTr0B/pUc=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18/go.mod h1:DkKMmksZVVyat+Y+r1dEOgJEfUeA7UngIHWeKsi0yNc=
+github.com/aws/aws-sdk-go-v2 v1.32.5 h1:U8vdWJuY7ruAkzaOdD7guwJjD06YSKmnKCJs7s3IkIo=
+github.com/aws/aws-sdk-go-v2 v1.32.5/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U=
+github.com/aws/aws-sdk-go-v2/config v1.28.5 h1:Za41twdCXbuyyWv9LndXxZZv3QhTG1DinqlFsSuvtI0=
+github.com/aws/aws-sdk-go-v2/config v1.28.5/go.mod h1:4VsPbHP8JdcdUDmbTVgNL/8w9SqOkM5jyY8ljIxLO3o=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.46 h1:AU7RcriIo2lXjUfHFnFKYsLCwgbz1E7Mm95ieIRDNUg=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.46/go.mod h1:1FmYyLGL08KQXQ6mcTlifyFXfJVCNJTVGuQP4m0d/UA=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20 h1:sDSXIrlsFSFJtWKLQS4PUWRvrT580rrnuLydJrCQ/yA=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20/go.mod h1:WZ/c+w0ofps+/OUqMwWgnfrgzZH1DZO1RIkktICsqnY=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24 h1:4usbeaes3yJnCFC7kfeyhkdkPtoRYPa/hTmCqMpKpLI=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24/go.mod h1:5CI1JemjVwde8m2WG3cz23qHKPOxbpkq0HaoreEgLIY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24 h1:N1zsICrQglfzaBnrfM0Ys00860C+QFwu6u/5+LomP+o=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24/go.mod h1:dCn9HbJ8+K31i8IQ8EWmWj0EiIk0+vKiHNMxTTYveAg=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1 h1:SeDJWG4pmye+/aO6k+zt9clPTUy1MXqUmkW8rbAddQg=
github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1/go.mod h1:wRzaW0v9GGQS0h//wpsVDw3Hah5gs5UP+NxoyGeZIGM=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.179.1 h1:TwFjSwRn1kR1i1qeq5cQBRwRaZ80JQS8BHsJTb6QBk8=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.179.1/go.mod h1:W6sNzs5T4VpZn1Vy+FMKw8s24vt5k6zPJXcNOK0asBo=
-github.com/aws/aws-sdk-go-v2/service/ecr v1.35.2 h1:bVNvja4oEB7v+VL1yP46hWthCPp+KYpZBLS2AifM5PY=
-github.com/aws/aws-sdk-go-v2/service/ecr v1.35.2/go.mod h1:oRaGEExKI6Pqcow+Tt7wpJf73/Srcj/CUJv5Eb9QFhg=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.193.0 h1:RhSoBFT5/8tTmIseJUXM6INTXTQDF8+0oyxWBnozIms=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.193.0/go.mod h1:mzj8EEjIHSN2oZRXiw1Dd+uB4HZTl7hC8nBzX9IZMWw=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.36.6 h1:zg+3FGHA0PBs0KM25qE/rOf2o5zsjNa1g/Qq83+SDI0=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.36.6/go.mod h1:ZSq54Z9SIsOTf1Efwgw1msilSs4XVEfVQiP9nYVnKpM=
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 h1:PpbXaecV3sLAS6rjQiaKw4/jyq3Z8gNzmoJupHAoBp0=
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2/go.mod h1:fUHpGXr4DrXkEDpGAjClPsviWf+Bszeb0daKE0blxv8=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5 h1:QFASJGfT8wMXtuP3D5CRmMjARHv9ZmzFUMJznHDOY3w=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5/go.mod h1:QdZ3OmoIjSX+8D1OPAzPxDfjXASbBMDsz9qvtyIhtik=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20 h1:Xbwbmk44URTiHNx6PNo0ujDE6ERlsCKJD3u1zfnzAPg=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20/go.mod h1:oAfOFzUB14ltPZj1rWwRc3d/6OgD76R8KlvU3EqM9Fg=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1/go.mod h1:9nu0fVANtYiAePIBh2/pFUSwtJ402hLnp854CNoDOeE=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5 h1:wtpJ4zcwrSbwhECWQoI/g6WM9zqCcSpHDJIWSbMLOu4=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5/go.mod h1:qu/W9HXQbbQ4+1+JcZp0ZNPV31ym537ZJN+fiS7Ti8E=
github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 h1:yS0JkEdV6h9JOo8sy2JSpjX+i7vsKifU8SIeHrqiDhU=
github.com/aws/aws-sdk-go-v2/service/kms v1.30.0/go.mod h1:+I8VUUSVD4p5ISQtzpgSva4I8cJ4SQ4b1dcBcof7O+g=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.63.2 h1:1iXmXy8SJzQVMGvo40TSzBYS9ig6BSyXfRIMzLfmBfE=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.63.2/go.mod h1:NLTqRLe3pUNu3nTEHI6XlHLKYmc8fbHUdMxAB6+s41Q=
-github.com/aws/aws-sdk-go-v2/service/sso v1.23.2 h1:yzi/y/vKlLyzOfG7pSu5ONNGRxHIgLeDrV4w2AMRCo0=
-github.com/aws/aws-sdk-go-v2/service/sso v1.23.2/go.mod h1:XRlMvmad0ZNL+75C5FYdMvbbLkd6qiqz6foR1nA1PXY=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.2 h1:3gb6pYhYLjo8rB1h2Tqs61wpjRd3rQymYcVq/pp0yxI=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.2/go.mod h1:FnvDM4sfa+isJ3kDXIzAB9GAwVSzFzSy97uZ3IsHo4E=
-github.com/aws/aws-sdk-go-v2/service/sts v1.31.2 h1:O6tyji8mXmBGsHvTCB0VIhrDw19lGTUSbKIyjnw79s8=
-github.com/aws/aws-sdk-go-v2/service/sts v1.31.2/go.mod h1:yMWe0F+XG0DkRZK5ODZhG7BEFYhLXi2dqGsv6tX0cgI=
-github.com/aws/smithy-go v1.21.0 h1:H7L8dtDRk0P1Qm6y0ji7MCYMQObJ5R9CRpyPhRUkLYA=
-github.com/aws/smithy-go v1.21.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.68.0 h1:bFpcqdwtAEsgpZXvkTxIThFQx/EM0oV6kXmfFIGjxME=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.68.0/go.mod h1:ralv4XawHjEMaHOWnTFushl0WRqim/gQWesAMF6hTow=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.6 h1:3zu537oLmsPfDMyjnUS2g+F2vITgy5pB74tHI+JBNoM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.6/go.mod h1:WJSZH2ZvepM6t6jwu4w/Z45Eoi75lPN7DcydSRtJg6Y=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5 h1:K0OQAsDywb0ltlFrZm0JHPY3yZp/S9OaoLU33S7vPS8=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5/go.mod h1:ORITg+fyuMoeiQFiVGoqB3OydVTLkClw/ljbblMq6Cc=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.1 h1:6SZUVRQNvExYlMLbHdlKB48x0fLbc2iVROyaNEwBHbU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.1/go.mod h1:GqWyYCwLXnlUB1lOAXQyNSPqPLQJvmo8J0DWBzp9mtg=
+github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro=
+github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M=
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8/go.mod h1:2JF49jcDOrLStIXN/j/K1EKRq8a8R2qRnlZA6/o/c7c=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -418,8 +422,8 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn
github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
-github.com/bmatcuk/doublestar/v4 v4.6.1 h1:FH9SifrbvJhnlQpztAx++wlkk70QBf0iBWDwNy7PA4I=
-github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
+github.com/bmatcuk/doublestar/v4 v4.7.1 h1:fdDeAqgT47acgwd9bd9HxJRDmc9UAmPpc+2m0CXv75Q=
+github.com/bmatcuk/doublestar/v4 v4.7.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
github.com/briandowns/spinner v1.23.0 h1:alDF2guRWqa/FOZZYWjlMIx2L6H0wyewPxo/CH4Pt2A=
@@ -480,44 +484,49 @@ github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUo
github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ=
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w=
-github.com/containerd/cgroups/v3 v3.0.2 h1:f5WFqIVSgo5IZmtTT3qVBo6TzI1ON6sycSBKkymb9L0=
-github.com/containerd/cgroups/v3 v3.0.2/go.mod h1:JUgITrzdFqp42uI2ryGA+ge0ap/nxzYgkGmIcetmErE=
-github.com/containerd/containerd v1.7.22 h1:nZuNnNRA6T6jB975rx2RRNqqH2k6ELYKDZfqTHqwyy0=
-github.com/containerd/containerd v1.7.22/go.mod h1:e3Jz1rYRUZ2Lt51YrH9Rz0zPyJBOlSvB3ghr2jbVD8g=
-github.com/containerd/containerd/api v1.7.19 h1:VWbJL+8Ap4Ju2mx9c9qS1uFSB1OVYr5JJrW2yT5vFoA=
-github.com/containerd/containerd/api v1.7.19/go.mod h1:fwGavl3LNwAV5ilJ0sbrABL44AQxmNjDRcwheXDb6Ig=
-github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8=
-github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ=
-github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5ZURM=
-github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0=
+github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0=
+github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0=
+github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ=
+github.com/containerd/containerd v1.7.23/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw=
+github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
+github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
+github.com/containerd/containerd/v2 v2.0.0 h1:qLDdFaAykQrIyLiqwQrNLLz95wiC36bAZVwioUwqShM=
+github.com/containerd/containerd/v2 v2.0.0/go.mod h1:j25kDy9P48/ngb1sxWIFfK6GsnqOHoSqo1EpAod20VQ=
+github.com/containerd/continuity v0.4.4 h1:/fNVfTJ7wIl/YPMHjf+5H32uFhl63JucB34PlCpMKII=
+github.com/containerd/continuity v0.4.4/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY=
github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o=
github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
-github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
+github.com/containerd/platforms v1.0.0-rc.0 h1:GuHWSKgVVO3POn6nRBB4sH63uPOLa87yuuhsGLWaXAA=
+github.com/containerd/platforms v1.0.0-rc.0/go.mod h1:T1XAzzOdYs3it7l073MNXyxRwQofJfqwi/8cRjufIk4=
+github.com/containerd/plugin v1.0.0 h1:c8Kf1TNl6+e2TtMHZt+39yAPDbouRH9WAToRjex483Y=
+github.com/containerd/plugin v1.0.0/go.mod h1:hQfJe5nmWfImiqT1q8Si3jLv3ynMUIBB47bQ+KexvO8=
github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU=
github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk=
-github.com/containerd/ttrpc v1.2.5 h1:IFckT1EFQoFBMG4c3sMdT8EP3/aKfumK1msY+Ze4oLU=
-github.com/containerd/ttrpc v1.2.5/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
-github.com/containerd/typeurl/v2 v2.2.0 h1:6NBDbQzr7I5LHgp34xAXYF5DOTQDn05X58lsPEmzLso=
-github.com/containerd/typeurl/v2 v2.2.0/go.mod h1:8XOOxnyatxSWuG8OfsZXVnAF4iZfedjS/8UHSPJnX4g=
+github.com/containerd/ttrpc v1.2.6 h1:zG+Kn5EZ6MUYCS1t2Hmt2J4tMVaLSFEJVOraDQwNPC4=
+github.com/containerd/ttrpc v1.2.6/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
+github.com/containerd/typeurl/v2 v2.2.2 h1:3jN/k2ysKuPCsln5Qv8bzR9cxal8XjkxPogJfSNO31k=
+github.com/containerd/typeurl/v2 v2.2.2/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU=
github.com/coreos/go-oidc/v3 v3.10.0/go.mod h1:5j11xcw0D3+SGxn6Z/WFADsgcWVMyNAlSQupk0KK3ac=
-github.com/cpuguy83/dockercfg v0.3.1 h1:/FpZ+JaygUR/lZP2NlFI2DVfrOEMAIKP5wWEJdoYe9E=
-github.com/cpuguy83/dockercfg v0.3.1/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
+github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GKorA=
+github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc=
+github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0=
github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
-github.com/csaf-poc/csaf_distribution/v3 v3.0.0 h1:ob9+Fmpff0YWgTP3dYaw7G2hKQ9cegh9l3zksc+q3sM=
-github.com/csaf-poc/csaf_distribution/v3 v3.0.0/go.mod h1:uilCTiNKivq+6zrDvjtZaUeLk70oe21iwKivo6ILwlQ=
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 h1:2Dx4IHfC1yHWI12AxQDJM1QbRCDfk6M+blLzlZCXdrc=
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
-github.com/cyphar/filepath-securejoin v0.3.1 h1:1V7cHiaW+C+39wEfpH6XlLBQo3j/PciWFrgfCLS8XrE=
-github.com/cyphar/filepath-securejoin v0.3.1/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc=
+github.com/cyphar/filepath-securejoin v0.3.4 h1:VBWugsJh2ZxJmLFSM06/0qzQyiQX2Qs0ViKrUAcqdZ8=
+github.com/cyphar/filepath-securejoin v0.3.4/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM=
github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs=
github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5FdCcyfPwps=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -530,8 +539,8 @@ github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWa
github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkzgwUve0VDWWA=
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
-github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g=
-github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
+github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54 h1:SG7nF6SRlWhcT7cNTs5R6Hk4V2lcmLz2NsG2VnInyNo=
+github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
github.com/digitorus/pkcs7 v0.0.0-20230713084857-e76b763bdc49/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 h1:ge14PCmCvPjpMQMIAH7uKg0lrtNSOdpYsRXlwk3QbaE=
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=
@@ -545,8 +554,8 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr
github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E=
github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
-github.com/docker/cli v27.2.1+incompatible h1:U5BPtiD0viUzjGAjV1p0MGB8eVA3L3cbIrnyWmSJI70=
-github.com/docker/cli v27.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v27.3.1+incompatible h1:qEGdFBF3Xu6SCvCYhc7CzaQTlBmqDuzxPDpigSyeKQQ=
+github.com/docker/cli v27.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI=
@@ -593,8 +602,8 @@ github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZM
github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
-github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4=
-github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
@@ -638,8 +647,8 @@ github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
-github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
-github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
+github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
+github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
@@ -701,6 +710,8 @@ github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJA
github.com/goccy/go-yaml v1.8.1/go.mod h1:wS4gNoLalDSJxo/SpngzPQ2BN4uuZVLCmbM4S3vd4+Y=
github.com/goccy/go-yaml v1.9.5 h1:Eh/+3uk9kLxG4koCX6lRMAPS1OaMSAi+FJcya0INdB0=
github.com/goccy/go-yaml v1.9.5/go.mod h1:U/jl18uSupI5rdI2jmuCswEA2htH9eXfferR3KfscvA=
+github.com/gocsaf/csaf/v3 v3.1.0 h1:XXmpMdR6OOGR2R7Av4LQpGNYQ/4IbquaYWfxsCs0Hro=
+github.com/gocsaf/csaf/v3 v3.1.0/go.mod h1:3nGOg1D8A/Z7PQ69Or7J6flfT+ILsvPlMXSBKR7BZsY=
github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
@@ -716,8 +727,8 @@ github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w
github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.2.1 h1:OptwRhECazUx5ix5TTWC3EZhsZEHWcYWY4FQHTIubm4=
-github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
+github.com/golang/glog v1.2.2 h1:1+mZ9upx1Dh6FmUTFR1naJ77miKiXgALjWOZ3NVFPmY=
+github.com/golang/glog v1.2.2/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -866,8 +877,8 @@ github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJr
github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I=
github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -906,8 +917,8 @@ github.com/hashicorp/hc-install v0.9.0 h1:2dIk8LcvANwtv3QZLckxcjyF5w8KVtiMxu6G6e
github.com/hashicorp/hc-install v0.9.0/go.mod h1:+6vOP+mf3tuGgMApVYtmsnDoKWMDcFXeTxCACYZ8SFg=
github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/hashicorp/hcl/v2 v2.22.0 h1:hkZ3nCtqeJsDhPRFz5EA9iwcG1hNWGePOTw6oyul12M=
-github.com/hashicorp/hcl/v2 v2.22.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA=
+github.com/hashicorp/hcl/v2 v2.23.0 h1:Fphj1/gCylPxHutVSEOf2fBOh1VE4AuLV7+kbJf3qos=
+github.com/hashicorp/hcl/v2 v2.23.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA=
github.com/hashicorp/terraform-exec v0.21.0 h1:uNkLAe95ey5Uux6KJdua6+cv8asgILFVWkd/RG0D2XQ=
github.com/hashicorp/terraform-exec v0.21.0/go.mod h1:1PPeMYou+KDUSSeRE9szMZ/oHf4fYUmB923Wzbq1ICg=
github.com/hashicorp/terraform-json v0.22.1 h1:xft84GZR0QzjPVWs4lRUwvTcPnegqlyS7orfb5Ltvec=
@@ -952,17 +963,19 @@ github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/X
github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
+github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKuao2vNdfD82fjjgPLfyHLpR41Z88viRWs=
+github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6/go.mod h1:3VeWNIJaW+O5xpRQbPp0Ybqu1vJd/pm7s2F473HRrkw=
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
-github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
-github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f h1:GvCU5GXhHq+7LeOzx/haG7HSIZokl3/0GkoUFzsRJjg=
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f/go.mod h1:q59u9px8b7UTj0nIjEjvmTWekazka6xIt6Uogz5Dm+8=
-github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422 h1:PPPlUUqPP6fLudIK4n0l0VU4KT2cQGnheW9x8pNiCHI=
-github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422/go.mod h1:ijAmSS4jErO6+KRzcK6ixsm3Vt96hMhJ+W+x+VmbrQA=
+github.com/knqyf263/go-deb-version v0.0.0-20241115132648-6f4aee6ccd23 h1:dWzdsqjh1p2gNtRKqNwuBvKqMNwnLOPLzVZT1n6DK7s=
+github.com/knqyf263/go-deb-version v0.0.0-20241115132648-6f4aee6ccd23/go.mod h1:lUaIXCWzf7BRKTY5iEcrYy1TfgbYLYVIS/B2vPkJzOc=
github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075 h1:aC6MEAs3PE3lWD7lqrJfDxHd6hcced9R4JTZu85cJwU=
github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075/go.mod h1:i4sF0l1fFnY1aiw08QQSwVAFxHEm311Me3WsU/X7nL0=
github.com/knqyf263/go-rpmdb v0.1.1 h1:oh68mTCvp1XzxdU7EfafcWzzfstUZAEa3MW0IJye584=
@@ -1064,8 +1077,9 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/moby/buildkit v0.16.0 h1:wOVBj1o5YNVad/txPQNXUXdelm7Hs/i0PUFjzbK0VKE=
-github.com/moby/buildkit v0.16.0/go.mod h1:Xqx/5GlrqE1yIRORk0NSCVDFpQAU1WjlT6KHYZdisIQ=
+github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs=
+github.com/moby/buildkit v0.17.2 h1:/jgk/MuXbA7jeXMkknOpHYB+Ct4aNvQHkBB7SxD3D4U=
+github.com/moby/buildkit v0.17.2/go.mod h1:vr5vltV8wt4F2jThbNOChfbAklJ0DOW11w36v210hOg=
github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
@@ -1076,8 +1090,8 @@ github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8
github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
-github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
-github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
+github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
+github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
github.com/moby/sys/signal v0.7.1 h1:PrQxdvxcGijdo6UXXo/lU/TvHUWyPhj7UOpSo8tuvk0=
github.com/moby/sys/signal v0.7.1/go.mod h1:Se1VGehYokAkrSQwL4tDzHvETwUZlnY7S5XtQ50mQp8=
github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
@@ -1099,6 +1113,7 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
github.com/mozillazg/docker-credential-acr-helper v0.3.0 h1:DVWFZ3/O8BP6Ue3iS/Olw+G07u1hCq1EOVCDZZjCIBI=
github.com/mozillazg/docker-credential-acr-helper v0.3.0/go.mod h1:cZlu3tof523ujmLuiNUb6JsjtHcNA70u1jitrrdnuyA=
+github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
@@ -1129,16 +1144,20 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl
github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
-github.com/open-policy-agent/opa v0.68.1-0.20240903211041-76f7038ea2d1 h1:GQrryTKpunLNDc2NdhNL1FzfrbuNvo45s76anGdqz9k=
-github.com/open-policy-agent/opa v0.68.1-0.20240903211041-76f7038ea2d1/go.mod h1:5E5SvaPwTpwt2WM177I9Z3eT7qUpmOGjk1ZdHs+TZ4w=
+github.com/open-policy-agent/opa v0.70.0 h1:B3cqCN2iQAyKxK6+GI+N40uqkin+wzIrM7YA60t9x1U=
+github.com/open-policy-agent/opa v0.70.0/go.mod h1:Y/nm5NY0BX0BqjBriKUiV81sCl8XOjjvqQG7dXrggtI=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
+github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 h1:DmNGcqH3WDbV5k8OJ+esPWbqUOX5rMLR2PMvziDMJi0=
+github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
+github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
+github.com/opencontainers/selinux v1.11.1 h1:nHFvthhM0qY8/m+vfhJylliSshm8G1jJ2jDMcgULaH8=
+github.com/opencontainers/selinux v1.11.1/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553 h1:c4u0GIH0w2Q57Pm2Oldrq6EiHFnLCCnRs98A+ggj/YQ=
@@ -1154,8 +1173,8 @@ github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoX
github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0=
github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
-github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
-github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI=
@@ -1167,6 +1186,8 @@ github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjL
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -1178,8 +1199,8 @@ github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjz
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
-github.com/prometheus/client_golang v1.20.2 h1:5ctymQzZlyOON1666svgwn3s6IKWgfbjsejTMiXIyjg=
-github.com/prometheus/client_golang v1.20.2/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
+github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
+github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -1200,6 +1221,8 @@ github.com/quasilyte/go-ruleguard/dsl v0.3.22 h1:wd8zkOhSNr+I+8Qeciml08ivDt1pSXe
github.com/quasilyte/go-ruleguard/dsl v0.3.22/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
+github.com/redis/go-redis/v9 v9.6.1 h1:HHDteefn6ZkTtY5fGUE8tj8uy85AHk6zP7CpzIAM0y4=
+github.com/redis/go-redis/v9 v9.6.1/go.mod h1:0C0c6ycQsdpVNQpxb1njEQIqkx5UcsM8FJCQLgE9+RA=
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
@@ -1269,6 +1292,7 @@ github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00J
github.com/sigstore/timestamp-authority v1.2.2/go.mod h1:nEah4Eq4wpliDjlY342rXclGSO7Kb9hoRrl9tqLW13A=
github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A=
@@ -1317,18 +1341,20 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
+github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
+github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDdvS342BElfbETmL1Aiz3i2t0zfRj16Hs=
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48=
github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes=
github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=
github.com/terminalstatic/go-xsd-validate v0.1.5 h1:RqpJnf6HGE2CB/lZB1A8BYguk8uRtcvYAPLCF15qguo=
github.com/terminalstatic/go-xsd-validate v0.1.5/go.mod h1:18lsvYFofBflqCrvo1umpABZ99+GneNTw2kEEc8UPJw=
-github.com/testcontainers/testcontainers-go v0.33.0 h1:zJS9PfXYT5O0ZFXM2xxXfk4J5UMw/kRiISng037Gxdw=
-github.com/testcontainers/testcontainers-go v0.33.0/go.mod h1:W80YpTa8D5C3Yy16icheD01UTDu+LmXIA2Keo+jWtT8=
-github.com/testcontainers/testcontainers-go/modules/localstack v0.33.0 h1:AhbUGUjneEnMyTV5aTsPYzDiAWrba1duPtiV+Z9CKdY=
-github.com/testcontainers/testcontainers-go/modules/localstack v0.33.0/go.mod h1:J5vMq1fXXiTfwcJplMClHhn+j8+MbIMv7Lic4d9E8qU=
-github.com/tetratelabs/wazero v1.8.0 h1:iEKu0d4c2Pd+QSRieYbnQC9yiFlMS9D+Jr0LsRmcF4g=
-github.com/tetratelabs/wazero v1.8.0/go.mod h1:yAI0XTsMBhREkM/YDAK/zNou3GoiAce1P6+rp/wQhjs=
+github.com/testcontainers/testcontainers-go v0.34.0 h1:5fbgF0vIN5u+nD3IWabQwRybuB4GY8G2HHgCkbMzMHo=
+github.com/testcontainers/testcontainers-go v0.34.0/go.mod h1:6P/kMkQe8yqPHfPWNulFGdFHTD8HB2vLq/231xY2iPQ=
+github.com/testcontainers/testcontainers-go/modules/localstack v0.34.0 h1:WkjVmea0XQyGTY10Er8fOsVjHQ77iJCmTExnx6fC3Tw=
+github.com/testcontainers/testcontainers-go/modules/localstack v0.34.0/go.mod h1:rTo76O/BBeAtfazMQqLvfwBrntBBwDP7/+Z60dm3e9U=
+github.com/tetratelabs/wazero v1.8.1 h1:NrcgVbWfkWvVc4UtT4LRLDf91PsOzDzefMdwhLfA550=
+github.com/tetratelabs/wazero v1.8.1/go.mod h1:yAI0XTsMBhREkM/YDAK/zNou3GoiAce1P6+rp/wQhjs=
github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg=
github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
@@ -1353,6 +1379,7 @@ github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4A
github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc=
github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/urfave/cli v1.19.1/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts=
github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk=
@@ -1404,8 +1431,8 @@ github.com/zclconf/go-cty v1.15.0 h1:tTCRWxsexYUmtt/wVxgDClUe+uQusuI443uL6e+5sXQ
github.com/zclconf/go-cty v1.15.0/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo=
github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM=
-github.com/zclconf/go-cty-yaml v1.0.3 h1:og/eOQ7lvA/WWhHGFETVWNduJM7Rjsv2RRpx1sdFMLc=
-github.com/zclconf/go-cty-yaml v1.0.3/go.mod h1:9YLUH4g7lOhVWqUbctnVlZ5KLpg7JAprQNgxSZ1Gyxs=
+github.com/zclconf/go-cty-yaml v1.1.0 h1:nP+jp0qPHv2IhUVqmQSzjvqAWcObN0KBkUl2rWBdig0=
+github.com/zclconf/go-cty-yaml v1.1.0/go.mod h1:9YLUH4g7lOhVWqUbctnVlZ5KLpg7JAprQNgxSZ1Gyxs=
github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs=
github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
@@ -1422,24 +1449,24 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
-go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
-go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0 h1:digkEZCJWobwBqMwC0cwCq8/wkkRy/OowZg5OArWZrM=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0/go.mod h1:/OpE/y70qVkndM0TrxT4KBoN3RsFZP0QaofcfYrj76I=
-go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q=
-go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s=
-go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE=
-go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg=
-go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
-go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 h1:yMkBS9yViCc7U7yeLzJPM2XizlfdVvBRSmsQDWu6qc0=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0/go.mod h1:n8MR6/liuGB5EmTETUBeU5ZgqMOlqKRxUaqPQBOANZ8=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 h1:UP6IpuHFkUgOQL9FFQFrZ+5LiwhhYRbi7VZSIx6Nj5s=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0/go.mod h1:qxuZLtbq5QDtdeSHsS7bcf6EH6uO6jUAgk764zd3rhM=
+go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY=
+go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0 h1:K0XaT3DwHAcV4nKLzcQvwAgSyisUghWoY20I7huthMk=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0/go.mod h1:B5Ki776z/MBnVha1Nzwp5arlzBbE3+1jk+pGmaP5HME=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0 h1:FFeLy03iVTXP6ffeN2iXrxfGsZGCjVx0/4KlizjyBwU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0/go.mod h1:TMu73/k1CP8nBUpDLc71Wj/Kf7ZS9FK5b53VapRsP9o=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0 h1:lUsI2TYsQw2r1IASwoROaCnjdj2cvC2+Jbxvk6nHnWU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0/go.mod h1:2HpZxxQurfGxJlJDblybejHB6RX6pmExPNe517hREw4=
+go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE=
+go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY=
+go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk=
+go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0=
+go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys=
+go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A=
go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
@@ -1466,8 +1493,8 @@ golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1478,8 +1505,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ=
-golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE=
+golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
+golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1509,8 +1536,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
-golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1569,8 +1596,8 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
+golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1596,8 +1623,8 @@ golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri
golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A=
-golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
-golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
+golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1615,8 +1642,8 @@ golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJ
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1638,6 +1665,7 @@ golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1706,8 +1734,8 @@ golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 h1:FemxDzfMUcK2f3YY4H+05K9CDzbSVr2+q/JKN45pey0=
golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -1718,8 +1746,8 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
+golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
+golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1734,13 +1762,13 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
+golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
-golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -1799,8 +1827,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
-golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
-golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
+golang.org/x/tools v0.25.0 h1:oFU9pkj/iJgs+0DT+VMHrx+oBKs/LJMV+Uvg78sl+fE=
+golang.org/x/tools v0.25.0/go.mod h1:/vtpO8WL1N9cQC3FN5zPqb//fRXskFHbLKk4OW1Q7rg=
golang.org/x/vuln v1.1.3 h1:NPGnvPOTgnjBc9HTaUx+nj+EaUYxl5SJOWqaDYGaFYw=
golang.org/x/vuln v1.1.3/go.mod h1:7Le6Fadm5FOqE9C926BCD0g12NWyhg7cxV4BwcPFuNY=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1973,10 +2001,10 @@ google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz
google.golang.org/genproto v0.0.0-20221025140454-527a21cfbd71/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 h1:ImUcDPHjTrAqNhlOkSocDLfG9rrNHH7w7uoKWPaWZ8s=
google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7/go.mod h1:/3XmxOjePkvmKrHuBy4zNFw7IzxJXtAgdpXi8Ll990U=
-google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 h1:0+ozOGcrp+Y8Aq8TLNN2Aliibms5LEzsq99ZZmAGYm0=
-google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094/go.mod h1:fJ/e3If/Q67Mj99hin0hMhiNyCRmt6BQ2aWIJshUSJw=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
+google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 h1:T6rh4haD3GVYsgEfWExoCZA2o2FmbNyKpTuAxbEFPTg=
+google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:wp2WsuBYj6j8wUdo3ToZsdxxixbvQNAHqVJrTgi5E5M=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 h1:zciRKQ4kBpFgpfC5QQCVtnnNAcLIqweL7plyZRQHVpI=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -2012,8 +2040,8 @@ google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACu
google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc v1.66.0 h1:DibZuoBznOxbDQxRINckZcUvnCEvrW9pcWIE2yF9r1c=
-google.golang.org/grpc v1.66.0/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y=
+google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
+google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@@ -2030,8 +2058,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io=
+google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -2070,8 +2098,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-helm.sh/helm/v3 v3.16.1 h1:cER6tI/8PgUAsaJaQCVBUg3VI9KN4oVaZJgY60RIc0c=
-helm.sh/helm/v3 v3.16.1/go.mod h1:r+xBHHP20qJeEqtvBXMf7W35QDJnzY/eiEBzt+TfHps=
+helm.sh/helm/v3 v3.16.3 h1:kb8bSxMeRJ+knsK/ovvlaVPfdis0X3/ZhYCSFRP+YmY=
+helm.sh/helm/v3 v3.16.3/go.mod h1:zeVWGDR4JJgiRbT3AnNsjYaX8OTJlIE9zC+Q7F7iUSU=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -2081,12 +2109,12 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0=
k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk=
-k8s.io/apiextensions-apiserver v0.31.0 h1:fZgCVhGwsclj3qCw1buVXCV6khjRzKC5eCFt24kyLSk=
-k8s.io/apiextensions-apiserver v0.31.0/go.mod h1:b9aMDEYaEe5sdK+1T0KU78ApR/5ZVp4i56VacZYEHxk=
+k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40=
+k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ=
k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw=
k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
-k8s.io/apiserver v0.31.0 h1:p+2dgJjy+bk+B1Csz+mc2wl5gHwvNkC9QJV+w55LVrY=
-k8s.io/apiserver v0.31.0/go.mod h1:KI9ox5Yu902iBnnyMmy7ajonhKnkeZYJhTZ/YI+WEMk=
+k8s.io/apiserver v0.31.2 h1:VUzOEUGRCDi6kX1OyQ801m4A7AUPglpsmGvdsekmcI4=
+k8s.io/apiserver v0.31.2/go.mod h1:o3nKZR7lPlJqkU5I3Ove+Zx3JuoFjQobGX1Gctw6XuE=
k8s.io/cli-runtime v0.31.2 h1:7FQt4C4Xnqx8V1GJqymInK0FFsoC+fAZtbLqgXYVOLQ=
k8s.io/cli-runtime v0.31.2/go.mod h1:XROyicf+G7rQ6FQJMbeDV9jqxzkWXTYD6Uxd15noe0Q=
k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc=
@@ -2121,8 +2149,8 @@ modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4=
modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
modernc.org/sortutil v1.2.0 h1:jQiD3PfS2REGJNzNCMMaLSp/wdMNieTbKX920Cqdgqc=
modernc.org/sortutil v1.2.0/go.mod h1:TKU2s7kJMf1AE84OoiGppNHJwvB753OYfNl2WRb++Ss=
-modernc.org/sqlite v1.33.1 h1:trb6Z3YYoeM9eDL1O8do81kP+0ejv+YzgyFo+Gwy0nM=
-modernc.org/sqlite v1.33.1/go.mod h1:pXV2xHxhzXZsgT/RtTFAPY6JJDEvOTcTdwADQCCWD4k=
+modernc.org/sqlite v1.34.1 h1:u3Yi6M0N8t9yKRDwhXcyp1eS5/ErhPTBggxWFuR6Hfk=
+modernc.org/sqlite v1.34.1/go.mod h1:pXV2xHxhzXZsgT/RtTFAPY6JJDEvOTcTdwADQCCWD4k=
modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA=
modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0=
modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
@@ -2148,3 +2176,7 @@ sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
+tags.cncf.io/container-device-interface v0.8.0 h1:8bCFo/g9WODjWx3m6EYl3GfUG31eKJbaggyBDxEldRc=
+tags.cncf.io/container-device-interface v0.8.0/go.mod h1:Apb7N4VdILW0EVdEMRYXIDVRZfNJZ+kmEUss2kRRQ6Y=
+tags.cncf.io/container-device-interface/specs-go v0.8.0 h1:QYGFzGxvYK/ZLMrjhvY0RjpUavIn4KcmRmVP/JjdBTA=
+tags.cncf.io/container-device-interface/specs-go v0.8.0/go.mod h1:BhJIkjjPh4qpys+qm4DAYtUyryaTDg9zris+AczXyws=
diff --git a/helm/trivy/Chart.yaml b/helm/trivy/Chart.yaml
index 3695c704a2e8..70da66749c7d 100644
--- a/helm/trivy/Chart.yaml
+++ b/helm/trivy/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: trivy
-version: 0.8.0
-appVersion: 0.55.0
+version: 0.9.0
+appVersion: 0.57.1
description: Trivy helm chart
keywords:
- scanner
diff --git a/integration/client_server_test.go b/integration/client_server_test.go
index 4afed3fdc155..0df09c6ae051 100644
--- a/integration/client_server_test.go
+++ b/integration/client_server_test.go
@@ -559,7 +559,7 @@ func TestClientServerWithRedis(t *testing.T) {
})
// Terminate the Redis container
- require.NoError(t, redisC.Terminate(ctx))
+ require.NoError(t, testcontainers.TerminateContainer(redisC))
t.Run("sad path", func(t *testing.T) {
osArgs := setupClient(t, testArgs, addr, cacheDir)
diff --git a/integration/integration_test.go b/integration/integration_test.go
index 96c8f54a67e9..21cdfe4facd9 100644
--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@@ -41,7 +41,7 @@ import (
var update = flag.Bool("update", false, "update golden files")
-const SPDXSchema = "https://raw.githubusercontent.com/spdx/spdx-spec/development/v%s/schemas/spdx-schema.json"
+const SPDXSchema = "https://raw.githubusercontent.com/spdx/spdx-spec/support/v%s/schemas/spdx-schema.json"
func initDB(t *testing.T) string {
fixtureDir := filepath.Join("testdata", "fixtures", "db")
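Review bot: `SPDXSchema` still points at a branch ref (`support/v%s`) on raw.githubusercontent.com, so the schema these tests validate SPDX output against is fetched unpinned and can change or disappear upstream without any change in this repository. The move away from `development/v%s` suggests that has already happened once. Pinning the ref to a tag or commit SHA in place of the branch name, or vendoring the schema under `testdata/`, would make the validation reproducible and independent of upstream branch layout. If the branch ref stays, a comment above the constant such as `// branch ref, not a pinned revision: upstream branch renames break SPDX schema validation` would save the next maintainer a search. How the constant is consumed is outside this hunk.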
diff --git a/integration/registry_test.go b/integration/registry_test.go
index 25ddaf5b2814..3f0469e2c396 100644
--- a/integration/registry_test.go
+++ b/integration/registry_test.go
@@ -132,7 +132,7 @@ func TestRegistry(t *testing.T) {
// set up auth server
authC, err := setupAuthServer(ctx, baseDir)
require.NoError(t, err)
- defer authC.Terminate(ctx)
+ testcontainers.CleanupContainer(t, authC)
authURL, err := getURL(ctx, authC, authPort)
require.NoError(t, err)
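Review bot: `testcontainers.CleanupContainer(t, authC)` is registered only after `require.NoError(t, err)`, so if `setupAuthServer` returns a started container together with an error (for example a readiness wait that fails; its body is not visible here), the test aborts before cleanup is scheduled and the container is left running. `CleanupContainer` accepts a nil container, so it can be registered first: `authC, err := setupAuthServer(ctx, baseDir)`, then `testcontainers.CleanupContainer(t, authC)`, then `require.NoError(t, err)`. The same ordering applies to `registryC` in the next hunk. `TestRegistry` starts and ends outside both hunks.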
@@ -140,7 +140,7 @@ func TestRegistry(t *testing.T) {
// set up registry
registryC, err := setupRegistry(ctx, baseDir, authURL)
require.NoError(t, err)
- defer registryC.Terminate(ctx)
+ testcontainers.CleanupContainer(t, registryC)
registryURL, err := getURL(ctx, registryC, registryPort)
require.NoError(t, err)
diff --git a/integration/testdata/fixtures/db/oracle.yaml b/integration/testdata/fixtures/db/oracle.yaml
index 7cc73092d651..8418edcfd6cb 100644
--- a/integration/testdata/fixtures/db/oracle.yaml
+++ b/integration/testdata/fixtures/db/oracle.yaml
@@ -4,7 +4,11 @@
pairs:
- key: CVE-2019-3823
value:
- FixedVersion: 7.61.1-11.el8
+ FixedVersion: "7.61.1-11.el8"
+ Entries:
+ - FixedVersion: "7.61.1-11.el8"
- key: CVE-2019-5436
value:
- FixedVersion: 7.61.1-12.el8
+ FixedVersion: "7.61.1-12.el8"
+ Entries:
+ - FixedVersion: "7.61.1-12.el8"
diff --git a/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden b/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden
index 9f23585a01da..3afc57682556 100644
--- a/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden
+++ b/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden
@@ -111,7 +111,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "3.118"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Adduser Developers "
+ }
},
{
"bom-ref": "pkg:deb/debian/apt@1.8.2?arch=amd64&distro=debian-10.2",
@@ -156,7 +159,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.8.2"
}
- ]
+ ],
+ "supplier": {
+ "name": "APT Development Team "
+ }
},
{
"bom-ref": "pkg:deb/debian/base-files@10.3%2Bdeb10u2?arch=amd64&distro=debian-10.2",
@@ -196,7 +202,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "10.3+deb10u2"
}
- ]
+ ],
+ "supplier": {
+ "name": "Santiago Vila "
+ }
},
{
"bom-ref": "pkg:deb/debian/base-passwd@3.5.46?arch=amd64&distro=debian-10.2",
@@ -241,7 +250,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "3.5.46"
}
- ]
+ ],
+ "supplier": {
+ "name": "Colin Watson "
+ }
},
{
"bom-ref": "pkg:deb/debian/bash@5.0-4?arch=amd64&distro=debian-10.2",
@@ -285,7 +297,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "5.0"
}
- ]
+ ],
+ "supplier": {
+ "name": "Matthias Klose "
+ }
},
{
"bom-ref": "pkg:deb/debian/bsdutils@2.33.1-0.1?arch=amd64&distro=debian-10.2&epoch=1",
@@ -399,7 +414,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.33.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "LaMont Jones "
+ }
},
{
"bom-ref": "pkg:deb/debian/ca-certificates@20190110?arch=all&distro=debian-10.2",
@@ -449,7 +467,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "20190110"
}
- ]
+ ],
+ "supplier": {
+ "name": "Michael Shuler "
+ }
},
{
"bom-ref": "pkg:deb/debian/coreutils@8.30-3?arch=amd64&distro=debian-10.2",
@@ -493,7 +514,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "8.30"
}
- ]
+ ],
+ "supplier": {
+ "name": "Michael Stone "
+ }
},
{
"bom-ref": "pkg:deb/debian/dash@0.5.10.2-5?arch=amd64&distro=debian-10.2",
@@ -537,7 +561,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "0.5.10.2"
}
- ]
+ ],
+ "supplier": {
+ "name": "Andrej Shadura "
+ }
},
{
"bom-ref": "pkg:deb/debian/debconf@1.5.71?arch=all&distro=debian-10.2",
@@ -577,7 +604,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.5.71"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debconf Developers "
+ }
},
{
"bom-ref": "pkg:deb/debian/debian-archive-keyring@2019.1?arch=all&distro=debian-10.2",
@@ -617,7 +647,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2019.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Release Team "
+ }
},
{
"bom-ref": "pkg:deb/debian/debianutils@4.8.6.1?arch=amd64&distro=debian-10.2",
@@ -657,7 +690,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "4.8.6.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Clint Adams "
+ }
},
{
"bom-ref": "pkg:deb/debian/diffutils@3.7-3?arch=amd64&distro=debian-10.2&epoch=1",
@@ -710,7 +746,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "3.7"
}
- ]
+ ],
+ "supplier": {
+ "name": "Santiago Vila "
+ }
},
{
"bom-ref": "pkg:deb/debian/dpkg@1.19.7?arch=amd64&distro=debian-10.2",
@@ -770,7 +809,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.19.7"
}
- ]
+ ],
+ "supplier": {
+ "name": "Dpkg Developers "
+ }
},
{
"bom-ref": "pkg:deb/debian/e2fsprogs@1.44.5-1%2Bdeb10u2?arch=amd64&distro=debian-10.2",
@@ -819,7 +861,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.44.5"
}
- ]
+ ],
+ "supplier": {
+ "name": "Theodore Y. Ts'o "
+ }
},
{
"bom-ref": "pkg:deb/debian/fdisk@2.33.1-0.1?arch=amd64&distro=debian-10.2",
@@ -933,7 +978,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.33.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "LaMont Jones "
+ }
},
{
"bom-ref": "pkg:deb/debian/findutils@4.6.0%2Bgit%2B20190209-2?arch=amd64&distro=debian-10.2",
@@ -982,7 +1030,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "4.6.0+git+20190209"
}
- ]
+ ],
+ "supplier": {
+ "name": "Andreas Metzler "
+ }
},
{
"bom-ref": "pkg:deb/debian/gcc-8-base@8.3.0-6?arch=amd64&distro=debian-10.2",
@@ -1051,7 +1102,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "8.3.0"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian GCC Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/gpgv@2.2.12-1%2Bdeb10u1?arch=amd64&distro=debian-10.2",
@@ -1150,7 +1204,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.2.12"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian GnuPG Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/grep@3.3-1?arch=amd64&distro=debian-10.2",
@@ -1199,7 +1256,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "3.3"
}
- ]
+ ],
+ "supplier": {
+ "name": "Anibal Monsalve Salazar "
+ }
},
{
"bom-ref": "pkg:deb/debian/gzip@1.9-3?arch=amd64&distro=debian-10.2",
@@ -1243,7 +1303,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.9"
}
- ]
+ ],
+ "supplier": {
+ "name": "Bdale Garbee "
+ }
},
{
"bom-ref": "pkg:deb/debian/hostname@3.21?arch=amd64&distro=debian-10.2",
@@ -1283,7 +1346,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "3.21"
}
- ]
+ ],
+ "supplier": {
+ "name": "Michael Meskes "
+ }
},
{
"bom-ref": "pkg:deb/debian/init-system-helpers@1.56%2Bnmu1?arch=all&distro=debian-10.2",
@@ -1333,7 +1399,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.56+nmu1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian systemd Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libacl1@2.2.53-4?arch=amd64&distro=debian-10.2",
@@ -1392,7 +1461,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.2.53"
}
- ]
+ ],
+ "supplier": {
+ "name": "Guillem Jover "
+ }
},
{
"bom-ref": "pkg:deb/debian/libapt-pkg5.0@1.8.2?arch=amd64&distro=debian-10.2",
@@ -1437,7 +1509,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.8.2"
}
- ]
+ ],
+ "supplier": {
+ "name": "APT Development Team "
+ }
},
{
"bom-ref": "pkg:deb/debian/libattr1@2.4.48-4?arch=amd64&distro=debian-10.2&epoch=1",
@@ -1500,7 +1575,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.4.48"
}
- ]
+ ],
+ "supplier": {
+ "name": "Guillem Jover "
+ }
},
{
"bom-ref": "pkg:deb/debian/libaudit-common@2.8.4-3?arch=all&distro=debian-10.2&epoch=1",
@@ -1558,7 +1636,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.8.4"
}
- ]
+ ],
+ "supplier": {
+ "name": "Laurent Bigonville "
+ }
},
{
"bom-ref": "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64&distro=debian-10.2&epoch=1",
@@ -1616,7 +1697,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.8.4"
}
- ]
+ ],
+ "supplier": {
+ "name": "Laurent Bigonville "
+ }
},
{
"bom-ref": "pkg:deb/debian/libblkid1@2.33.1-0.1?arch=amd64&distro=debian-10.2",
@@ -1730,7 +1814,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.33.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "LaMont Jones "
+ }
},
{
"bom-ref": "pkg:deb/debian/libbz2-1.0@1.0.6-9.2~deb10u1?arch=amd64&distro=debian-10.2",
@@ -1779,7 +1866,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.0.6"
}
- ]
+ ],
+ "supplier": {
+ "name": "Anibal Monsalve Salazar "
+ }
},
{
"bom-ref": "pkg:deb/debian/libc-bin@2.28-10?arch=amd64&distro=debian-10.2",
@@ -1828,7 +1918,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.28"
}
- ]
+ ],
+ "supplier": {
+ "name": "GNU Libc Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libc6@2.28-10?arch=amd64&distro=debian-10.2",
@@ -1877,7 +1970,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.28"
}
- ]
+ ],
+ "supplier": {
+ "name": "GNU Libc Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libcap-ng0@0.7.9-2?arch=amd64&distro=debian-10.2",
@@ -1931,7 +2027,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "0.7.9"
}
- ]
+ ],
+ "supplier": {
+ "name": "Pierre Chifflier "
+ }
},
{
"bom-ref": "pkg:deb/debian/libcom-err2@1.44.5-1%2Bdeb10u2?arch=amd64&distro=debian-10.2",
@@ -1968,7 +2067,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.44.5"
}
- ]
+ ],
+ "supplier": {
+ "name": "Theodore Y. Ts'o "
+ }
},
{
"bom-ref": "pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg1-0.5?arch=amd64&distro=debian-10.2",
@@ -2005,7 +2107,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "5.3.28+dfsg1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Berkeley DB Team "
+ }
},
{
"bom-ref": "pkg:deb/debian/libdebconfclient0@0.249?arch=amd64&distro=debian-10.2",
@@ -2038,7 +2143,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "0.249"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Install System Team "
+ }
},
{
"bom-ref": "pkg:deb/debian/libext2fs2@1.44.5-1%2Bdeb10u2?arch=amd64&distro=debian-10.2",
@@ -2087,7 +2195,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.44.5"
}
- ]
+ ],
+ "supplier": {
+ "name": "Theodore Y. Ts'o "
+ }
},
{
"bom-ref": "pkg:deb/debian/libfdisk1@2.33.1-0.1?arch=amd64&distro=debian-10.2",
@@ -2201,7 +2312,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.33.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "LaMont Jones "
+ }
},
{
"bom-ref": "pkg:deb/debian/libffi6@3.2.1-9?arch=amd64&distro=debian-10.2",
@@ -2245,7 +2359,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "3.2.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian GCC Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64&distro=debian-10.2&epoch=1",
@@ -2282,7 +2399,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "8.3.0"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian GCC Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libgcrypt20@1.8.4-5?arch=amd64&distro=debian-10.2",
@@ -2331,7 +2451,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.8.4"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian GnuTLS Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libgdbm-compat4@1.18.1-4?arch=amd64&distro=debian-10.2",
@@ -2395,7 +2518,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.18.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Dmitry Bogatov "
+ }
},
{
"bom-ref": "pkg:deb/debian/libgdbm6@1.18.1-4?arch=amd64&distro=debian-10.2",
@@ -2459,7 +2585,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.18.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Dmitry Bogatov "
+ }
},
{
"bom-ref": "pkg:deb/debian/libgmp10@6.1.2%2Bdfsg-4?arch=amd64&distro=debian-10.2&epoch=2",
@@ -2522,7 +2651,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "6.1.2+dfsg"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Science Team "
+ }
},
{
"bom-ref": "pkg:deb/debian/libgnutls30@3.6.7-4?arch=amd64&distro=debian-10.2",
@@ -2616,7 +2748,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "3.6.7"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian GnuTLS Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libgpg-error0@1.35-1?arch=amd64&distro=debian-10.2",
@@ -2685,7 +2820,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.35"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian GnuPG Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libhogweed4@3.4.1-1?arch=amd64&distro=debian-10.2",
@@ -2722,7 +2860,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "3.4.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Magnus Holmgren "
+ }
},
{
"bom-ref": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64&distro=debian-10.2",
@@ -2796,7 +2937,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.0.5"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Libidn team "
+ }
},
{
"bom-ref": "pkg:deb/debian/libjemalloc2@5.1.0-3?arch=amd64&distro=debian-10.2",
@@ -2865,7 +3009,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "5.1.0"
}
- ]
+ ],
+ "supplier": {
+ "name": "Faidon Liambotis "
+ }
},
{
"bom-ref": "pkg:deb/debian/liblz4-1@1.8.3-1?arch=amd64&distro=debian-10.2",
@@ -2919,7 +3066,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.8.3"
}
- ]
+ ],
+ "supplier": {
+ "name": "Nobuhiro Iwamatsu "
+ }
},
{
"bom-ref": "pkg:deb/debian/liblzma5@5.2.4-1?arch=amd64&distro=debian-10.2",
@@ -3033,7 +3183,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "5.2.4"
}
- ]
+ ],
+ "supplier": {
+ "name": "Jonathan Nieder "
+ }
},
{
"bom-ref": "pkg:deb/debian/libmount1@2.33.1-0.1?arch=amd64&distro=debian-10.2",
@@ -3147,7 +3300,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.33.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "LaMont Jones "
+ }
},
{
"bom-ref": "pkg:deb/debian/libncurses6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64&distro=debian-10.2",
@@ -3184,7 +3340,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "6.1+20181013"
}
- ]
+ ],
+ "supplier": {
+ "name": "Craig Small "
+ }
},
{
"bom-ref": "pkg:deb/debian/libncursesw6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64&distro=debian-10.2",
@@ -3221,7 +3380,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "6.1+20181013"
}
- ]
+ ],
+ "supplier": {
+ "name": "Craig Small "
+ }
},
{
"bom-ref": "pkg:deb/debian/libnettle6@3.4.1-1?arch=amd64&distro=debian-10.2",
@@ -3305,7 +3467,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "3.4.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Magnus Holmgren "
+ }
},
{
"bom-ref": "pkg:deb/debian/libp11-kit0@0.23.15-2?arch=amd64&distro=debian-10.2",
@@ -3369,7 +3534,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "0.23.15"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian GnuTLS Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libpam-modules-bin@1.3.1-5?arch=amd64&distro=debian-10.2",
@@ -3413,7 +3581,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.3.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Steve Langasek "
+ }
},
{
"bom-ref": "pkg:deb/debian/libpam-modules@1.3.1-5?arch=amd64&distro=debian-10.2",
@@ -3457,7 +3628,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.3.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Steve Langasek "
+ }
},
{
"bom-ref": "pkg:deb/debian/libpam-runtime@1.3.1-5?arch=all&distro=debian-10.2",
@@ -3501,7 +3675,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.3.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Steve Langasek "
+ }
},
{
"bom-ref": "pkg:deb/debian/libpam0g@1.3.1-5?arch=amd64&distro=debian-10.2",
@@ -3545,7 +3722,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.3.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Steve Langasek "
+ }
},
{
"bom-ref": "pkg:deb/debian/libpcre3@8.39-12?arch=amd64&distro=debian-10.2&epoch=2",
@@ -3586,7 +3766,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "8.39"
}
- ]
+ ],
+ "supplier": {
+ "name": "Matthew Vernon "
+ }
},
{
"bom-ref": "pkg:deb/debian/libreadline7@7.0-5?arch=amd64&distro=debian-10.2",
@@ -3635,7 +3818,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "7.0"
}
- ]
+ ],
+ "supplier": {
+ "name": "Matthias Klose "
+ }
},
{
"bom-ref": "pkg:deb/debian/libruby2.5@2.5.5-3%2Bdeb10u1?arch=amd64&distro=debian-10.2",
@@ -3779,7 +3965,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.5.5"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Ruby Team "
+ }
},
{
"bom-ref": "pkg:deb/debian/libseccomp2@2.3.3-4?arch=amd64&distro=debian-10.2",
@@ -3823,7 +4012,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.3.3"
}
- ]
+ ],
+ "supplier": {
+ "name": "Kees Cook "
+ }
},
{
"bom-ref": "pkg:deb/debian/libselinux1@2.8-1%2Bb1?arch=amd64&distro=debian-10.2",
@@ -3872,7 +4064,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.8"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian SELinux maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libsemanage-common@2.8-2?arch=all&distro=debian-10.2",
@@ -3921,7 +4116,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.8"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian SELinux maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libsemanage1@2.8-2?arch=amd64&distro=debian-10.2",
@@ -3970,7 +4168,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.8"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian SELinux maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libsepol1@2.8-1?arch=amd64&distro=debian-10.2",
@@ -4019,7 +4220,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.8"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian SELinux maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libsmartcols1@2.33.1-0.1?arch=amd64&distro=debian-10.2",
@@ -4133,7 +4337,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.33.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "LaMont Jones "
+ }
},
{
"bom-ref": "pkg:deb/debian/libss2@1.44.5-1%2Bdeb10u2?arch=amd64&distro=debian-10.2",
@@ -4170,7 +4377,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.44.5"
}
- ]
+ ],
+ "supplier": {
+ "name": "Theodore Y. Ts'o "
+ }
},
{
"bom-ref": "pkg:deb/debian/libssl1.1@1.1.1d-0%2Bdeb10u2?arch=amd64&distro=debian-10.2",
@@ -4207,7 +4417,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.1.1d"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian OpenSSL Team "
+ }
},
{
"bom-ref": "pkg:deb/debian/libstdc%2B%2B6@8.3.0-6?arch=amd64&distro=debian-10.2",
@@ -4244,7 +4457,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "8.3.0"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian GCC Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libsystemd0@241-7~deb10u2?arch=amd64&distro=debian-10.2",
@@ -4318,7 +4534,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "241"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian systemd Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libtasn1-6@4.13-3?arch=amd64&distro=debian-10.2",
@@ -4377,7 +4596,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "4.13"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian GnuTLS Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libtinfo6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64&distro=debian-10.2",
@@ -4414,7 +4636,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "6.1+20181013"
}
- ]
+ ],
+ "supplier": {
+ "name": "Craig Small "
+ }
},
{
"bom-ref": "pkg:deb/debian/libudev1@241-7~deb10u2?arch=amd64&distro=debian-10.2",
@@ -4488,7 +4713,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "241"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian systemd Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/libunistring2@0.9.10-1?arch=amd64&distro=debian-10.2",
@@ -4582,7 +4810,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "0.9.10"
}
- ]
+ ],
+ "supplier": {
+ "name": "J\u00f6rg Frings-F\u00fcrst "
+ }
},
{
"bom-ref": "pkg:deb/debian/libuuid1@2.33.1-0.1?arch=amd64&distro=debian-10.2",
@@ -4696,7 +4927,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.33.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "LaMont Jones "
+ }
},
{
"bom-ref": "pkg:deb/debian/libyaml-0-2@0.2.1-1?arch=amd64&distro=debian-10.2",
@@ -4745,7 +4979,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "0.2.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Anders Kaseorg "
+ }
},
{
"bom-ref": "pkg:deb/debian/libzstd1@1.3.8%2Bdfsg-3?arch=amd64&distro=debian-10.2",
@@ -4809,7 +5046,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.3.8+dfsg"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Med Packaging Team "
+ }
},
{
"bom-ref": "pkg:deb/debian/login@4.5-1.1?arch=amd64&distro=debian-10.2&epoch=1",
@@ -4857,7 +5097,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "4.5"
}
- ]
+ ],
+ "supplier": {
+ "name": "Shadow package maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/mawk@1.3.3-17%2Bb3?arch=amd64&distro=debian-10.2",
@@ -4901,7 +5144,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.3.3"
}
- ]
+ ],
+ "supplier": {
+ "name": "Steve Langasek "
+ }
},
{
"bom-ref": "pkg:deb/debian/mount@2.33.1-0.1?arch=amd64&distro=debian-10.2",
@@ -5015,7 +5261,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.33.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "LaMont Jones "
+ }
},
{
"bom-ref": "pkg:deb/debian/ncurses-base@6.1%2B20181013-2%2Bdeb10u2?arch=all&distro=debian-10.2",
@@ -5052,7 +5301,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "6.1+20181013"
}
- ]
+ ],
+ "supplier": {
+ "name": "Craig Small "
+ }
},
{
"bom-ref": "pkg:deb/debian/ncurses-bin@6.1%2B20181013-2%2Bdeb10u2?arch=amd64&distro=debian-10.2",
@@ -5089,7 +5341,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "6.1+20181013"
}
- ]
+ ],
+ "supplier": {
+ "name": "Craig Small "
+ }
},
{
"bom-ref": "pkg:deb/debian/openssl@1.1.1d-0%2Bdeb10u2?arch=amd64&distro=debian-10.2",
@@ -5126,7 +5381,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.1.1d"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian OpenSSL Team "
+ }
},
{
"bom-ref": "pkg:deb/debian/passwd@4.5-1.1?arch=amd64&distro=debian-10.2&epoch=1",
@@ -5174,7 +5432,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "4.5"
}
- ]
+ ],
+ "supplier": {
+ "name": "Shadow package maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/perl-base@5.28.1-6?arch=amd64&distro=debian-10.2",
@@ -5211,7 +5472,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "5.28.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Niko Tyni "
+ }
},
{
"bom-ref": "pkg:deb/debian/rake@12.3.1-3?arch=all&distro=debian-10.2",
@@ -5255,7 +5519,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "12.3.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Ruby Extras Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/readline-common@7.0-5?arch=all&distro=debian-10.2",
@@ -5304,7 +5571,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "7.0"
}
- ]
+ ],
+ "supplier": {
+ "name": "Matthias Klose "
+ }
},
{
"bom-ref": "pkg:deb/debian/ruby-did-you-mean@1.2.1-1?arch=all&distro=debian-10.2",
@@ -5348,7 +5618,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.2.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Ruby Extras Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/ruby-minitest@5.11.3-1?arch=all&distro=debian-10.2",
@@ -5392,7 +5665,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "5.11.3"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Ruby Extras Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/ruby-net-telnet@0.1.1-2?arch=all&distro=debian-10.2",
@@ -5436,7 +5712,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "0.1.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Ruby Extras Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/ruby-power-assert@1.1.1-1?arch=all&distro=debian-10.2",
@@ -5485,7 +5764,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.1.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Ruby Extras Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/ruby-test-unit@3.2.8-1?arch=all&distro=debian-10.2",
@@ -5544,7 +5826,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "3.2.8"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Ruby Extras Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/ruby-xmlrpc@0.3.0-2?arch=all&distro=debian-10.2",
@@ -5588,7 +5873,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "0.3.0"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Ruby Extras Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/ruby2.5@2.5.5-3%2Bdeb10u1?arch=amd64&distro=debian-10.2",
@@ -5732,7 +6020,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.5.5"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Ruby Team "
+ }
},
{
"bom-ref": "pkg:deb/debian/ruby@2.5.1?arch=amd64&distro=debian-10.2&epoch=1",
@@ -5781,7 +6072,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.5.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "Antonio Terceiro "
+ }
},
{
"bom-ref": "pkg:deb/debian/rubygems-integration@1.11?arch=all&distro=debian-10.2",
@@ -5821,7 +6115,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.11"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian Ruby Extras Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/sed@4.7-1?arch=amd64&distro=debian-10.2",
@@ -5865,7 +6162,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "4.7"
}
- ]
+ ],
+ "supplier": {
+ "name": "Clint Adams "
+ }
},
{
"bom-ref": "pkg:deb/debian/sysvinit-utils@2.93-8?arch=amd64&distro=debian-10.2",
@@ -5914,7 +6214,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.93"
}
- ]
+ ],
+ "supplier": {
+ "name": "Debian sysvinit maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/tar@1.30%2Bdfsg-6?arch=amd64&distro=debian-10.2",
@@ -5963,7 +6266,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.30+dfsg"
}
- ]
+ ],
+ "supplier": {
+ "name": "Bdale Garbee "
+ }
},
{
"bom-ref": "pkg:deb/debian/tzdata@2019c-0%2Bdeb10u1?arch=all&distro=debian-10.2",
@@ -6000,7 +6306,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2019c"
}
- ]
+ ],
+ "supplier": {
+ "name": "GNU Libc Maintainers "
+ }
},
{
"bom-ref": "pkg:deb/debian/util-linux@2.33.1-0.1?arch=amd64&distro=debian-10.2",
@@ -6114,7 +6423,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "2.33.1"
}
- ]
+ ],
+ "supplier": {
+ "name": "LaMont Jones "
+ }
},
{
"bom-ref": "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64&distro=debian-10.2&epoch=1",
@@ -6162,7 +6474,10 @@
"name": "aquasecurity:trivy:SrcVersion",
"value": "1.2.11.dfsg"
}
- ]
+ ],
+ "supplier": {
+ "name": "Mark Brown "
+ }
},
{
"bom-ref": "pkg:gem/activesupport@6.0.2.1",
@@ -9325,4 +9640,4 @@
}
],
"vulnerabilities": []
-}
+}
\ No newline at end of file
diff --git a/integration/testdata/opensuse-leap-151.json.golden b/integration/testdata/opensuse-leap-151.json.golden
index dadc7adcf600..704f4fa10b03 100644
--- a/integration/testdata/opensuse-leap-151.json.golden
+++ b/integration/testdata/opensuse-leap-151.json.golden
@@ -5,7 +5,7 @@
"ArtifactType": "container_image",
"Metadata": {
"OS": {
- "Family": "opensuse.leap",
+ "Family": "opensuse-leap",
"Name": "15.1",
"EOSL": true
},
@@ -57,16 +57,16 @@
},
"Results": [
{
- "Target": "testdata/fixtures/images/opensuse-leap-151.tar.gz (opensuse.leap 15.1)",
+ "Target": "testdata/fixtures/images/opensuse-leap-151.tar.gz (opensuse-leap 15.1)",
"Class": "os-pkgs",
- "Type": "opensuse.leap",
+ "Type": "opensuse-leap",
"Vulnerabilities": [
{
"VulnerabilityID": "openSUSE-SU-2020:0062-1",
"PkgID": "libopenssl1_1@1.1.0i-lp151.8.3.1.x86_64",
"PkgName": "libopenssl1_1",
"PkgIdentifier": {
- "PURL": "pkg:rpm/opensuse/libopenssl1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1",
+ "PURL": "pkg:rpm/opensuse/libopenssl1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse-leap-15.1",
"UID": "898b73ddd0412f57"
},
"InstalledVersion": "1.1.0i-lp151.8.3.1",
@@ -99,7 +99,7 @@
"PkgID": "openssl-1_1@1.1.0i-lp151.8.3.1.x86_64",
"PkgName": "openssl-1_1",
"PkgIdentifier": {
- "PURL": "pkg:rpm/opensuse/openssl-1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1",
+ "PURL": "pkg:rpm/opensuse/openssl-1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse-leap-15.1",
"UID": "58980d005de43f54"
},
"InstalledVersion": "1.1.0i-lp151.8.3.1",
diff --git a/integration/testdata/opensuse-tumbleweed.json.golden b/integration/testdata/opensuse-tumbleweed.json.golden
index a15146616bc2..d8bfb9940ebc 100644
--- a/integration/testdata/opensuse-tumbleweed.json.golden
+++ b/integration/testdata/opensuse-tumbleweed.json.golden
@@ -5,7 +5,7 @@
"ArtifactType": "container_image",
"Metadata": {
"OS": {
- "Family": "opensuse.tumbleweed",
+ "Family": "opensuse-tumbleweed",
"Name": "20240607"
},
"ImageID": "sha256:580e73f5c823232e6587136e9f5428a89afdf77a123bb8575d08208e0cc34b12",
@@ -60,16 +60,16 @@
},
"Results": [
{
- "Target": "testdata/fixtures/images/opensuse-tumbleweed.tar.gz (opensuse.tumbleweed 20240607)",
+ "Target": "testdata/fixtures/images/opensuse-tumbleweed.tar.gz (opensuse-tumbleweed 20240607)",
"Class": "os-pkgs",
- "Type": "opensuse.tumbleweed",
+ "Type": "opensuse-tumbleweed",
"Vulnerabilities": [
{
"VulnerabilityID": "openSUSE-SU-2024:13065-1",
"PkgID": "libopenssl3@3.1.4-9.1.x86_64",
"PkgName": "libopenssl3",
"PkgIdentifier": {
- "PURL": "pkg:rpm/opensuse/libopenssl3@3.1.4-9.1?arch=x86_64\u0026distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libopenssl3@3.1.4-9.1?arch=x86_64\u0026distro=opensuse-tumbleweed-20240607",
"UID": "f051425f385d2b99"
},
"InstalledVersion": "3.1.4-9.1",
diff --git a/integration/testdata/sl-micro-rancher5.4.json.golden b/integration/testdata/sl-micro-rancher5.4.json.golden
index 99e2ad4ca599..1ff0660a9b34 100644
--- a/integration/testdata/sl-micro-rancher5.4.json.golden
+++ b/integration/testdata/sl-micro-rancher5.4.json.golden
@@ -5,7 +5,7 @@
"ArtifactType": "container_image",
"Metadata": {
"OS": {
- "Family": "suse linux enterprise micro",
+ "Family": "slem",
"Name": "5.4"
},
"ImageID": "sha256:c45ec974938acac29c893b5d273d73e4ebdd7e6a97b6fa861dfbd8dd430b9016",
@@ -61,9 +61,9 @@
},
"Results": [
{
- "Target": "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz (suse linux enterprise micro 5.4)",
+ "Target": "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz (slem 5.4)",
"Class": "os-pkgs",
- "Type": "suse linux enterprise micro"
+ "Type": "slem"
}
]
}
diff --git a/internal/testutil/util.go b/internal/testutil/util.go
index 50286f9880a2..c24f17788f0a 100644
--- a/internal/testutil/util.go
+++ b/internal/testutil/util.go
@@ -8,6 +8,7 @@ import (
"testing"
"github.com/liamg/memoryfs"
+ "github.com/samber/lo"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@@ -36,6 +37,16 @@ func AssertRuleNotFound(t *testing.T, ruleID string, results scan.Results, messa
assert.False(t, found, append([]any{message}, args...)...)
}
+func AssertRuleNotFailed(t *testing.T, ruleID string, results scan.Results, message string, args ...any) {
+ failedExists := ruleIDInResults(ruleID, results.GetFailed())
+ assert.False(t, failedExists, append([]any{message}, args...)...)
+ passedResults := lo.Filter(results, func(res scan.Result, _ int) bool {
+ return res.Status() == scan.StatusPassed || res.Status() == scan.StatusIgnored
+ })
+ passedExists := ruleIDInResults(ruleID, passedResults)
+ assert.True(t, passedExists, append([]any{message}, args...)...)
+}
+
func ruleIDInResults(ruleID string, results scan.Results) bool {
for _, res := range results {
if res.Rule().LongID() == ruleID {
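Review bot: `AssertRuleNotFailed` has no doc comment and its name understates what it checks: besides requiring no failed result for `ruleID`, it also requires at least one passed or ignored result for it. Both assertions reuse the same `message`, so a failure does not say which condition broke. I would add `// AssertRuleNotFailed asserts that ruleID has no failed result and at least one passed or ignored result.` above the function and call `t.Helper()` as its first statement so failures point at the calling test. The body of `ruleIDInResults` below continues outside the hunk.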
diff --git a/magefiles/magefile.go b/magefiles/magefile.go
index 5b08e907f0c0..6adff2d92864 100644
--- a/magefiles/magefile.go
+++ b/magefiles/magefile.go
@@ -75,6 +75,22 @@ func (Tool) Wire() error {
return sh.Run("go", "install", "github.com/google/wire/cmd/wire@v0.5.0")
}
+// Sass installs saas if not installed. npm is assumed to be available
+func (Tool) Sass() error {
+ if installed("sass") {
+ return nil
+ }
+ return sh.Run("npm", "install", "-g", "saas")
+}
+
+// PipTools installs PipTools if not installed. python is assumed to be available and relevant environment to have been activated
+func (Tool) PipTools() error {
+ if installed("pip-compile") {
+ return nil
+ }
+ return sh.Run("python", "-m", "pip", "install", "pip-tools")
+}
+
// GolangciLint installs golangci-lint
func (t Tool) GolangciLint() error {
const version = "v1.61.0"
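Review bot: `Tool.Sass` checks for the `sass` binary but then runs `npm install -g saas`, which is a different package name, and the doc comment repeats the misspelling. As written, the target globally installs an unrelated third-party package on the developer's machine, and `installed("sass")` stays false afterwards. The call should be `return sh.Run("npm", "install", "-g", "sass")` and the comment should read `// Sass installs sass if not installed. npm is assumed to be available`. Neither `Sass` nor `PipTools` pins a version, unlike `Wire` just above with `@v0.5.0`. Pinning both (`sass@<pinned-version>`, `pip-tools==<pinned-version>`) would keep the docs toolchain reproducible.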
@@ -420,13 +436,41 @@ func Label() error {
type Docs mg.Namespace
+// Prepare CSS
+func (Docs) Css() error {
+ const (
+ homepageSass = "docs/assets/css/trivy_v1_homepage.scss"
+ )
+ homepageCss := strings.TrimSuffix(homepageSass, ".scss") + ".min.css"
+ if updated, err := target.Path(homepageCss, homepageSass); err != nil {
+ return err
+ } else if !updated {
+ return nil
+ }
+ return sh.Run("sass", "--no-source-map", "--style=compressed", homepageSass, homepageCss)
+}
+
+// Prepare python requirements
+func (Docs) Pip() error {
+ const (
+ requirementsIn = "docs/build/requirements.in"
+ )
+ requirementsTxt := strings.TrimSuffix(requirementsIn, ".in") + ".txt"
+ if updated, err := target.Path(requirementsTxt, requirementsIn); err != nil {
+ return err
+ } else if !updated {
+ return nil
+ }
+ return sh.Run("pip-compile", requirementsIn, "--output-file", requirementsTxt)
+}
+
// Serve launches MkDocs development server to preview the documentation page
func (Docs) Serve() error {
const (
- mkdocsImage = "aquasec/mkdocs-material:dev"
+ mkdocsImage = "trivy-docs:dev"
mkdocsPort = "8000"
)
- if err := sh.Run("docker", "build", "-t", mkdocsImage, "-f", "docs/build/Dockerfile", "docs/build"); err != nil {
+ if err := sh.Run("docker", "build", "-t", mkdocsImage, "docs/build"); err != nil {
return err
}
return sh.Run("docker", "run", "--name", "mkdocs-serve", "--rm", "-v", "${PWD}:/docs", "-p", mkdocsPort+":8000", mkdocsImage)
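Review bot: `Docs.Pip` regenerates `docs/build/requirements.txt` with a plain `pip-compile`, so the lock file pins versions but carries no artifact hashes, and pip cannot verify what it downloads at docs build time. Consider `return sh.Run("pip-compile", "--generate-hashes", requirementsIn, "--output-file", requirementsTxt)`. Whether the image build can then install in hash-checking mode depends on `docs/build/Dockerfile`, which is not visible here. Separately, neither `Css` nor `Pip` declares a dependency on the `Tool` targets that install `sass` and `pip-compile`, so a fresh checkout would presumably fail with a missing-command error unless they are wired up elsewhere. `Serve` continues past the end of the hunk.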
diff --git a/mkdocs.yml b/mkdocs.yml
index ab3d51b71275..ebd591e69558 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -1,14 +1,15 @@
site_name: Trivy
site_url: https://aquasecurity.github.io/trivy/
-site_description: A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI
+site_description: Trivy - All-in-one open source security scanner
docs_dir: docs/
repo_name: GitHub
repo_url: https://github.com/aquasecurity/trivy
edit_uri: "blob/main/docs/"
nav:
- - Getting Started:
- - Overview: index.md
+ - Home: index.md
+ - Getting Started:
+ - First steps: getting-started/index.md
- Installation: getting-started/installation.md
- Signature Verification: getting-started/signature-verification.md
- FAQ: getting-started/faq.md
@@ -48,7 +49,6 @@ nav:
- Code Repository: docs/target/repository.md
- Virtual Machine Image: docs/target/vm.md
- Kubernetes: docs/target/kubernetes.md
- - AWS: docs/target/aws.md
- SBOM: docs/target/sbom.md
- Scanner:
- Vulnerability: docs/scanner/vulnerability.md
@@ -110,6 +110,7 @@ nav:
- Kubernetes: docs/coverage/iac/kubernetes.md
- Terraform: docs/coverage/iac/terraform.md
- Others:
+ - Overview: docs/coverage/others/index.md
- Bitnami Images: docs/coverage/others/bitnami.md
- Conda: docs/coverage/others/conda.md
- RPM Archives: docs/coverage/others/rpm.md
@@ -120,7 +121,7 @@ nav:
- Skipping Files: docs/configuration/skipping.md
- Reporting: docs/configuration/reporting.md
- Cache: docs/configuration/cache.md
- - DB: docs/configuration/db.md
+ - Databases: docs/configuration/db.md
- Others: docs/configuration/others.md
- Supply Chain:
- SBOM: docs/supply-chain/sbom.md
@@ -142,7 +143,8 @@ nav:
- Developer guide: docs/plugin/developer-guide.md
- Advanced:
- Modules: docs/advanced/modules.md
- - Advanced Network Scenarios: docs/advanced/air-gap.md
+ - Connectivity and Network considerations: docs/advanced/air-gap.md
+ - Self-Hosting Trivy's Databases: docs/advanced/self-hosting.md
- Container Image:
- Embed in Dockerfile: docs/advanced/container/embed-in-dockerfile.md
- Unpacked container image filesystem: docs/advanced/container/unpacked-filesystem.md
@@ -218,6 +220,7 @@ nav:
- Backporting: community/maintainer/backporting.md
- Help Wanted: community/maintainer/help-wanted.md
- Triage: community/maintainer/triage.md
+
theme:
name: material
custom_dir: docs/overrides
@@ -232,24 +235,27 @@ theme:
- content.tabs.link
- content.code.annotate
- content.code.copy
+ font:
+ text: Inter
markdown_extensions:
+ - abbr
+ - admonition
+ - attr_list
+ - def_list
+ - footnotes
+ - md_in_html
+ - toc:
+ permalink: true
- pymdownx.highlight
+ - pymdownx.details
- pymdownx.superfences:
custom_fences:
- name: mermaid
class: mermaid
format: !!python/name:pymdownx.superfences.fence_code_format
- - admonition
- - footnotes
- - attr_list
- pymdownx.tabbed:
alternate_style: true
- - def_list
- - pymdownx.details
- - pymdownx.emoji:
- emoji_index: !!python/name:materialx.emoji.twemoji
- emoji_generator: !!python/name:materialx.emoji.to_svg
extra:
generator: false
diff --git a/pkg/db/db.go b/pkg/db/db.go
index 70fbb93a5a91..99f7e1c8ad10 100644
--- a/pkg/db/db.go
+++ b/pkg/db/db.go
@@ -29,6 +29,10 @@ var (
DefaultGHCRRepository = fmt.Sprintf("%s:%d", "ghcr.io/aquasecurity/trivy-db", db.SchemaVersion)
defaultGHCRRepository = lo.Must(name.NewTag(DefaultGHCRRepository))
+ // GCR mirror
+ DefaultGCRRepository = fmt.Sprintf("%s:%d", "mirror.gcr.io/aquasec/trivy-db", db.SchemaVersion)
+ defaultGCRRepository = lo.Must(name.NewTag(DefaultGCRRepository))
+
Init = db.Init
Close = db.Close
Path = db.Path
@@ -73,6 +77,7 @@ func Dir(cacheDir string) string {
func NewClient(dbDir string, quiet bool, opts ...Option) *Client {
o := &options{
dbRepositories: []name.Reference{
+ defaultGCRRepository,
defaultGHCRRepository,
},
}
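Review bot: `defaultGCRRepository` is inserted ahead of `defaultGHCRRepository` in `dbRepositories`, which presumably makes the mirror the first place the vulnerability DB is fetched from. Nothing here or at the declaration in the previous hunk (`// GCR mirror`) says that slice order is lookup order, or why the mirror comes first. The mirror path is also `aquasec/trivy-db`, not `aquasecurity/trivy-db`, which looks like the Docker Hub copy served through mirror.gcr.io; that is worth stating so it is not mistaken for a typo. I would add `// Repositories are tried in order: the GCR mirror first, GHCR as the fallback.` above the slice and expand the declaration comment to name the upstream registry. Operators who allowlist egress or pin the DB source need this, because the default download host changes. `NewClient` continues outside the hunk.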
diff --git a/pkg/dependency/parser/golang/binary/parse.go b/pkg/dependency/parser/golang/binary/parse.go
index 2a7a2a128de7..617303dd5497 100644
--- a/pkg/dependency/parser/golang/binary/parse.go
+++ b/pkg/dependency/parser/golang/binary/parse.go
@@ -9,10 +9,12 @@ import (
"sort"
"strings"
+ "github.com/samber/lo"
"github.com/spf13/pflag"
"golang.org/x/mod/semver"
"golang.org/x/xerrors"
+ "github.com/aquasecurity/trivy/pkg/dependency"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
xio "github.com/aquasecurity/trivy/pkg/x/io"
@@ -64,27 +66,12 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
pkgs := make(ftypes.Packages, 0, len(info.Deps)+2)
pkgs = append(pkgs, ftypes.Package{
// Add the Go version used to build this binary.
+ ID: dependency.ID(ftypes.GoBinary, "stdlib", stdlibVersion),
Name: "stdlib",
Version: stdlibVersion,
Relationship: ftypes.RelationshipDirect, // Considered a direct dependency as the main module depends on the standard packages.
})
- // There are times when gobinaries don't contain Main information.
- // e.g. `Go` binaries (e.g. `go`, `gofmt`, etc.)
- if info.Main.Path != "" {
- pkgs = append(pkgs, ftypes.Package{
- // Add main module
- Name: info.Main.Path,
- // Only binaries installed with `go install` contain semver version of the main module.
- // Other binaries use the `(devel)` version, but still may contain a stamped version
- // set via `go build -ldflags='-X main.version='`, so we fallback to this as.
- // as a secondary source.
- // See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477.
- Version: cmp.Or(p.checkVersion(info.Main.Path, info.Main.Version), p.ParseLDFlags(info.Main.Path, ldflags)),
- Relationship: ftypes.RelationshipRoot,
- })
- }
-
for _, dep := range info.Deps {
// binaries with old go version may incorrectly add module in Deps
// In this case Path == "", Version == "Devel"
@@ -98,14 +85,49 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
mod = dep.Replace
}
+ version := p.checkVersion(mod.Path, mod.Version)
pkgs = append(pkgs, ftypes.Package{
- Name: mod.Path,
- Version: p.checkVersion(mod.Path, mod.Version),
+ ID: dependency.ID(ftypes.GoBinary, mod.Path, version),
+ Name: mod.Path,
+ Version: version,
+ Relationship: ftypes.RelationshipUnknown,
+ })
+ }
+
+ // There are times when gobinaries don't contain Main information.
+ // e.g. `Go` binaries (e.g. `go`, `gofmt`, etc.)
+ var deps []ftypes.Dependency
+ if info.Main.Path != "" {
+ // Only binaries installed with `go install` contain semver version of the main module.
+ // Other binaries use the `(devel)` version, but still may contain a stamped version
+ // set via `go build -ldflags='-X main.version='`, so we fallback to this as.
+ // as a secondary source.
+ // See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477.
+ version := cmp.Or(p.checkVersion(info.Main.Path, info.Main.Version), p.ParseLDFlags(info.Main.Path, ldflags))
+ root := ftypes.Package{
+ ID: dependency.ID(ftypes.GoBinary, info.Main.Path, version),
+ Name: info.Main.Path,
+ Version: version,
+ Relationship: ftypes.RelationshipRoot,
+ }
+
+ depIDs := lo.Map(pkgs, func(pkg ftypes.Package, _ int) string {
+ return pkg.ID
})
+ sort.Strings(depIDs)
+
+ deps = []ftypes.Dependency{
+ {
+ ID: root.ID,
+ DependsOn: depIDs, // Consider all packages as dependencies of the main module.
+ },
+ }
+ // Add main module
+ pkgs = append(pkgs, root)
}
sort.Sort(pkgs)
- return pkgs, nil, nil
+ return pkgs, deps, nil
}
// checkVersion detects `(devel)` versions, removes them and adds a debug message about it.
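Review bot: The relocated comment above the `cmp.Or` call still reads "so we fallback to this as. as a secondary source."; since the block is being rewritten anyway, it should become `// set via go build -ldflags='-X main.version=', so we fall back to it as a secondary source.` The new `DependsOn: depIDs` attaches every module found in the binary, transitive ones included, directly to the main module. The inline comment says so, but the method has no doc comment telling callers that the returned graph is flat rather than a real dependency tree. Worth one sentence on `Parse`, because SBOM consumers may read these edges as direct dependencies. `Parse` starts outside this hunk.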
@@ -153,7 +175,12 @@ func (p *Parser) ParseLDFlags(name string, flags []string) string {
// [1]: Versions that use prefixes from `defaultPrefixes`
// [2]: Other versions
var foundVersions = make([][]string, 3)
- defaultPrefixes := []string{"main", "common", "version", "cmd"}
+ defaultPrefixes := []string{
+ "main",
+ "common",
+ "version",
+ "cmd",
+ }
for key, val := range x {
// It's valid to set the -X flags with quotes so we trim any that might
// have been provided: Ex:
diff --git a/pkg/dependency/parser/golang/binary/parse_test.go b/pkg/dependency/parser/golang/binary/parse_test.go
index aade2a32cf24..eebb652a2a4d 100644
--- a/pkg/dependency/parser/golang/binary/parse_test.go
+++ b/pkg/dependency/parser/golang/binary/parse_test.go
@@ -14,111 +14,166 @@ import (
func TestParse(t *testing.T) {
wantPkgs := []ftypes.Package{
{
+ ID: "github.com/aquasecurity/test",
Name: "github.com/aquasecurity/test",
Version: "",
Relationship: ftypes.RelationshipRoot,
},
{
+ ID: "stdlib@v1.15.2",
Name: "stdlib",
Version: "v1.15.2",
Relationship: ftypes.RelationshipDirect,
},
{
+ ID: "github.com/aquasecurity/go-pep440-version@v0.0.0-20210121094942-22b2f8951d46",
Name: "github.com/aquasecurity/go-pep440-version",
Version: "v0.0.0-20210121094942-22b2f8951d46",
},
{
+ ID: "github.com/aquasecurity/go-version@v0.0.0-20210121072130-637058cfe492",
Name: "github.com/aquasecurity/go-version",
Version: "v0.0.0-20210121072130-637058cfe492",
},
{
+ ID: "golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1",
Name: "golang.org/x/xerrors",
Version: "v0.0.0-20200804184101-5ec99f83aff1",
},
}
+ wantDeps := []ftypes.Dependency{
+ {
+ ID: "github.com/aquasecurity/test",
+ DependsOn: []string{
+ "github.com/aquasecurity/go-pep440-version@v0.0.0-20210121094942-22b2f8951d46",
+ "github.com/aquasecurity/go-version@v0.0.0-20210121072130-637058cfe492",
+ "golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1",
+ "stdlib@v1.15.2",
+ },
+ },
+ }
tests := []struct {
name string
inputFile string
- want []ftypes.Package
+ wantPkgs []ftypes.Package
+ wantDeps []ftypes.Dependency
wantErr string
}{
{
name: "ELF",
inputFile: "testdata/test.elf",
- want: wantPkgs,
+ wantPkgs: wantPkgs,
+ wantDeps: wantDeps,
},
{
name: "PE",
inputFile: "testdata/test.exe",
- want: wantPkgs,
+ wantPkgs: wantPkgs,
+ wantDeps: wantDeps,
},
{
name: "Mach-O",
inputFile: "testdata/test.macho",
- want: wantPkgs,
+ wantPkgs: wantPkgs,
+ wantDeps: wantDeps,
},
{
name: "with replace directive",
inputFile: "testdata/replace.elf",
- want: []ftypes.Package{
+ wantPkgs: []ftypes.Package{
{
+ ID: "github.com/ebati/trivy-mod-parse",
Name: "github.com/ebati/trivy-mod-parse",
Version: "",
Relationship: ftypes.RelationshipRoot,
},
{
+ ID: "stdlib@v1.16.4",
Name: "stdlib",
Version: "v1.16.4",
Relationship: ftypes.RelationshipDirect,
},
{
+ ID: "github.com/davecgh/go-spew@v1.1.1",
Name: "github.com/davecgh/go-spew",
Version: "v1.1.1",
},
{
+ ID: "github.com/go-sql-driver/mysql@v1.5.0",
Name: "github.com/go-sql-driver/mysql",
Version: "v1.5.0",
},
},
+ wantDeps: []ftypes.Dependency{
+ {
+ ID: "github.com/ebati/trivy-mod-parse",
+ DependsOn: []string{
+ "github.com/davecgh/go-spew@v1.1.1",
+ "github.com/go-sql-driver/mysql@v1.5.0",
+ "stdlib@v1.16.4",
+ },
+ },
+ },
},
{
name: "with semver main module version",
inputFile: "testdata/semver-main-module-version.macho",
- want: []ftypes.Package{
+ wantPkgs: []ftypes.Package{
{
+ ID: "go.etcd.io/bbolt@v1.3.5",
Name: "go.etcd.io/bbolt",
Version: "v1.3.5",
Relationship: ftypes.RelationshipRoot,
},
{
+ ID: "stdlib@v1.20.6",
Name: "stdlib",
Version: "v1.20.6",
Relationship: ftypes.RelationshipDirect,
},
},
+ wantDeps: []ftypes.Dependency{
+ {
+ ID: "go.etcd.io/bbolt@v1.3.5",
+ DependsOn: []string{
+ "stdlib@v1.20.6",
+ },
+ },
+ },
},
{
name: "with -ldflags=\"-X main.version=v1.0.0\"",
inputFile: "testdata/main-version-via-ldflags.elf",
- want: []ftypes.Package{
+ wantPkgs: []ftypes.Package{
{
+ ID: "github.com/aquasecurity/test@v1.0.0",
Name: "github.com/aquasecurity/test",
Version: "v1.0.0",
Relationship: ftypes.RelationshipRoot,
},
{
+ ID: "stdlib@v1.22.1",
Name: "stdlib",
Version: "v1.22.1",
Relationship: ftypes.RelationshipDirect,
},
},
+ wantDeps: []ftypes.Dependency{
+ {
+ ID: "github.com/aquasecurity/test@v1.0.0",
+ DependsOn: []string{
+ "stdlib@v1.22.1",
+ },
+ },
+ },
},
{
name: "goexperiment",
inputFile: "testdata/goexperiment",
- want: []ftypes.Package{
+ wantPkgs: []ftypes.Package{
{
+ ID: "stdlib@v1.22.1",
Name: "stdlib",
Version: "v1.22.1",
Relationship: ftypes.RelationshipDirect,
@@ -137,15 +192,15 @@ func TestParse(t *testing.T) {
require.NoError(t, err)
defer f.Close()
- got, _, err := binary.NewParser().Parse(f)
+ gotPkgs, gotDeps, err := binary.NewParser().Parse(f)
if tt.wantErr != "" {
- require.Error(t, err)
- assert.Contains(t, err.Error(), tt.wantErr)
+ assert.ErrorContains(t, err, tt.wantErr)
return
}
require.NoError(t, err)
- assert.Equal(t, tt.want, got)
+ assert.Equal(t, tt.wantPkgs, gotPkgs)
+ assert.Equal(t, tt.wantDeps, gotDeps)
})
}
}
diff --git a/pkg/dependency/parser/golang/mod/parse.go b/pkg/dependency/parser/golang/mod/parse.go
index ddcd2ccc880e..f108b2101890 100644
--- a/pkg/dependency/parser/golang/mod/parse.go
+++ b/pkg/dependency/parser/golang/mod/parse.go
@@ -4,6 +4,7 @@ import (
"fmt"
"io"
"regexp"
+ "sort"
"strconv"
"strings"
@@ -101,17 +102,6 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
}
}
- // Main module
- if m := modFileParsed.Module; m != nil {
- pkgs[m.Mod.Path] = ftypes.Package{
- ID: packageID(m.Mod.Path, m.Mod.Version),
- Name: m.Mod.Path,
- Version: m.Mod.Version,
- ExternalReferences: p.GetExternalRefs(m.Mod.Path),
- Relationship: ftypes.RelationshipRoot,
- }
- }
-
// Required modules
for _, require := range modFileParsed.Require {
// Skip indirect dependencies less than Go 1.17
@@ -163,7 +153,36 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
}
}
- return lo.Values(pkgs), nil, nil
+ var deps ftypes.Dependencies
+ // Main module
+ if m := modFileParsed.Module; m != nil {
+ root := ftypes.Package{
+ ID: packageID(m.Mod.Path, m.Mod.Version),
+ Name: m.Mod.Path,
+ Version: m.Mod.Version,
+ ExternalReferences: p.GetExternalRefs(m.Mod.Path),
+ Relationship: ftypes.RelationshipRoot,
+ }
+
+ // Store child dependencies for the root package (main module).
+ // We will build a dependency graph for Direct/Indirect in `fanal` using additional files.
+ dependsOn := lo.FilterMap(lo.Values(pkgs), func(pkg ftypes.Package, _ int) (string, bool) {
+ return pkg.ID, pkg.Relationship == ftypes.RelationshipDirect
+ })
+
+ sort.Strings(dependsOn)
+ deps = append(deps, ftypes.Dependency{
+ ID: root.ID,
+ DependsOn: dependsOn,
+ })
+
+ pkgs[root.Name] = root
+ }
+
+ pkgSlice := lo.Values(pkgs)
+ sort.Sort(ftypes.Packages(pkgSlice))
+
+ return pkgSlice, deps, nil
}
// lessThan checks if the Go version is less than `.`
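Review bot: When the module has no package with `RelationshipDirect`, `lo.FilterMap` yields an empty slice and the code still appends a `ftypes.Dependency` for the root with an empty `DependsOn`. None of the table cases visible in `parse_test.go` covers that input. Either add a case for a `go.mod` without direct requirements, or guard the append with `if len(dependsOn) > 0 {`, whichever matches what downstream graph code expects (not visible here). Note also that `lo.Values(pkgs)` is called once before and once after the root is inserted. That ordering is what keeps the root out of its own candidate list, so a short comment would stop a later refactor from merging the two calls. `Parse` starts outside this hunk.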
diff --git a/pkg/dependency/parser/golang/mod/parse_test.go b/pkg/dependency/parser/golang/mod/parse_test.go
index 10bda7f01144..5d407f57081f 100644
--- a/pkg/dependency/parser/golang/mod/parse_test.go
+++ b/pkg/dependency/parser/golang/mod/parse_test.go
@@ -2,7 +2,6 @@ package mod
import (
"os"
- "sort"
"testing"
"github.com/stretchr/testify/assert"
@@ -18,74 +17,86 @@ func TestParse(t *testing.T) {
file string
replace bool
useMinVersion bool
- want []ftypes.Package
+ wantPkgs []ftypes.Package
+ wantDeps []ftypes.Dependency
}{
{
name: "normal with stdlib",
file: "testdata/normal/go.mod",
replace: true,
useMinVersion: true,
- want: GoModNormal,
+ wantPkgs: GoModNormal,
+ wantDeps: GoModNormalDeps,
},
{
- name: "normal",
- file: "testdata/normal/go.mod",
- replace: true,
- want: GoModNormalWithoutStdlib,
+ name: "normal",
+ file: "testdata/normal/go.mod",
+ replace: true,
+ wantPkgs: GoModNormalWithoutStdlib,
+ wantDeps: GoModNormalWithoutStdlibDeps,
},
{
- name: "without go version",
- file: "testdata/no-go-version/gomod",
- replace: true,
- want: GoModNoGoVersion,
+ name: "without go version",
+ file: "testdata/no-go-version/gomod",
+ replace: true,
+ wantPkgs: GoModNoGoVersion,
+ wantDeps: defaultGoDepParserDeps,
},
{
- name: "replace",
- file: "testdata/replaced/go.mod",
- replace: true,
- want: GoModReplaced,
+ name: "replace",
+ file: "testdata/replaced/go.mod",
+ replace: true,
+ wantPkgs: GoModReplaced,
+ wantDeps: GoModReplacedDeps,
},
{
- name: "no replace",
- file: "testdata/replaced/go.mod",
- replace: false,
- want: GoModUnreplaced,
+ name: "no replace",
+ file: "testdata/replaced/go.mod",
+ replace: false,
+ wantPkgs: GoModUnreplaced,
+ wantDeps: GoModUnreplacedDeps,
},
{
- name: "replace with version",
- file: "testdata/replaced-with-version/go.mod",
- replace: true,
- want: GoModReplacedWithVersion,
+ name: "replace with version",
+ file: "testdata/replaced-with-version/go.mod",
+ replace: true,
+ wantPkgs: GoModReplacedWithVersion,
+ wantDeps: GoModReplacedWithVersionDeps,
},
{
- name: "replaced with version mismatch",
- file: "testdata/replaced-with-version-mismatch/go.mod",
- replace: true,
- want: GoModReplacedWithVersionMismatch,
+ name: "replaced with version mismatch",
+ file: "testdata/replaced-with-version-mismatch/go.mod",
+ replace: true,
+ wantPkgs: GoModReplacedWithVersionMismatch,
+ wantDeps: defaultGoDepParserDeps,
},
{
- name: "replaced with local path",
- file: "testdata/replaced-with-local-path/go.mod",
- replace: true,
- want: GoModReplacedWithLocalPath,
+ name: "replaced with local path",
+ file: "testdata/replaced-with-local-path/go.mod",
+ replace: true,
+ wantPkgs: GoModReplacedWithLocalPath,
+ wantDeps: defaultGoDepParserDeps,
},
{
- name: "replaced with local path and version",
- file: "testdata/replaced-with-local-path-and-version/go.mod",
- replace: true,
- want: GoModReplacedWithLocalPathAndVersion,
+ name: "replaced with local path and version",
+ file: "testdata/replaced-with-local-path-and-version/go.mod",
+ replace: true,
+ wantPkgs: GoModReplacedWithLocalPathAndVersion,
+ wantDeps: defaultGoDepParserDeps,
},
{
- name: "replaced with local path and version, mismatch",
- file: "testdata/replaced-with-local-path-and-version-mismatch/go.mod",
- replace: true,
- want: GoModReplacedWithLocalPathAndVersionMismatch,
+ name: "replaced with local path and version, mismatch",
+ file: "testdata/replaced-with-local-path-and-version-mismatch/go.mod",
+ replace: true,
+ wantPkgs: GoModReplacedWithLocalPathAndVersionMismatch,
+ wantDeps: defaultGoDepParserDeps,
},
{
- name: "go 1.16",
- file: "testdata/go116/go.mod",
- replace: true,
- want: GoMod116,
+ name: "go 1.16",
+ file: "testdata/go116/go.mod",
+ replace: true,
+ wantPkgs: GoMod116,
+ wantDeps: defaultGoDepParserDeps,
},
}
@@ -94,13 +105,11 @@ func TestParse(t *testing.T) {
f, err := os.Open(tt.file)
require.NoError(t, err)
- got, _, err := NewParser(tt.replace, tt.useMinVersion).Parse(f)
+ gotPkgs, gotDeps, err := NewParser(tt.replace, tt.useMinVersion).Parse(f)
require.NoError(t, err)
- sort.Sort(ftypes.Packages(got))
- sort.Sort(ftypes.Packages(tt.want))
-
- assert.Equal(t, tt.want, got)
+ assert.Equal(t, tt.wantPkgs, gotPkgs)
+ assert.Equal(t, tt.wantDeps, gotDeps)
})
}
}
diff --git a/pkg/dependency/parser/golang/mod/parse_testcase.go b/pkg/dependency/parser/golang/mod/parse_testcase.go
index b8ed49008926..70a163c50516 100644
--- a/pkg/dependency/parser/golang/mod/parse_testcase.go
+++ b/pkg/dependency/parser/golang/mod/parse_testcase.go
@@ -20,12 +20,6 @@ var (
},
},
},
- {
- ID: "stdlib@v1.22.5",
- Name: "stdlib",
- Version: "v1.22.5",
- Relationship: ftypes.RelationshipDirect,
- },
{
ID: "github.com/aquasecurity/go-version@v0.0.0-20240603093900-cf8a8d29271d",
Name: "github.com/aquasecurity/go-version",
@@ -38,6 +32,12 @@ var (
},
},
},
+ {
+ ID: "stdlib@v1.22.5",
+ Name: "stdlib",
+ Version: "v1.22.5",
+ Relationship: ftypes.RelationshipDirect,
+ },
{
ID: "github.com/davecgh/go-spew@v1.1.2-0.20180830191138-d8f796af33cc",
Name: "github.com/davecgh/go-spew",
@@ -82,10 +82,29 @@ var (
},
}
+ GoModNormalDeps = ftypes.Dependencies{
+ {
+ ID: "github.com/org/repo",
+ DependsOn: []string{
+ "github.com/aquasecurity/go-version@v0.0.0-20240603093900-cf8a8d29271d",
+ "stdlib@v1.22.5",
+ },
+ },
+ }
+
GoModNormalWithoutStdlib = slices.DeleteFunc(slices.Clone(GoModNormal), func(f ftypes.Package) bool {
return f.Name == "stdlib"
})
+ GoModNormalWithoutStdlibDeps = ftypes.Dependencies{
+ {
+ ID: "github.com/org/repo",
+ DependsOn: []string{
+ "github.com/aquasecurity/go-version@v0.0.0-20240603093900-cf8a8d29271d",
+ },
+ },
+ }
+
// execute go mod tidy in replaced folder
GoModReplaced = []ftypes.Package{
{
@@ -118,6 +137,14 @@ var (
Relationship: ftypes.RelationshipIndirect,
},
}
+ GoModReplacedDeps = ftypes.Dependencies{
+ {
+ ID: "github.com/org/repo",
+ DependsOn: []string{
+ "github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237",
+ },
+ },
+ }
// execute go mod tidy in replaced folder
GoModUnreplaced = []ftypes.Package{
@@ -152,6 +179,15 @@ var (
},
}
+ GoModUnreplacedDeps = ftypes.Dependencies{
+ {
+ ID: "github.com/org/repo",
+ DependsOn: []string{
+ "github.com/aquasecurity/go-dep-parser@v0.0.0-20211110174639-8257534ffed3",
+ },
+ },
+ }
+
// execute go mod tidy in replaced-with-version folder
GoModReplacedWithVersion = []ftypes.Package{
{
@@ -185,6 +221,15 @@ var (
},
}
+ GoModReplacedWithVersionDeps = ftypes.Dependencies{
+ {
+ ID: "github.com/org/repo",
+ DependsOn: []string{
+ "github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237",
+ },
+ },
+ }
+
// execute go mod tidy in replaced-with-version-mismatch folder
GoModReplacedWithVersionMismatch = []ftypes.Package{
{
@@ -230,6 +275,15 @@ var (
},
}
+ defaultGoDepParserDeps = ftypes.Dependencies{
+ {
+ ID: "github.com/org/repo",
+ DependsOn: []string{
+ "github.com/aquasecurity/go-dep-parser@v0.0.0-20211224170007-df43bca6b6ff",
+ },
+ },
+ }
+
// execute go mod tidy in replaced-with-local-path folder
GoModReplacedWithLocalPath = []ftypes.Package{
{
diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go
index 6990d3c7e84d..152096c2caea 100644
--- a/pkg/detector/library/driver.go
+++ b/pkg/detector/library/driver.go
@@ -133,6 +133,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D
InstalledVersion: pkgVer,
FixedVersion: createFixedVersions(adv),
DataSource: adv.DataSource,
+ Custom: adv.Custom,
}
vulns = append(vulns, vuln)
}
diff --git a/pkg/detector/library/driver_test.go b/pkg/detector/library/driver_test.go
index 10c3ad304f29..cf8af718f783 100644
--- a/pkg/detector/library/driver_test.go
+++ b/pkg/detector/library/driver_test.go
@@ -182,6 +182,32 @@ func TestDriver_Detect(t *testing.T) {
},
},
},
+ {
+ name: "Custom data for vulnerability",
+ fixtures: []string{
+ "testdata/fixtures/go-custom-data.yaml",
+ "testdata/fixtures/data-source.yaml",
+ },
+ libType: ftypes.GoBinary,
+ args: args{
+ pkgName: "github.com/docker/docker",
+ pkgVer: "23.0.14",
+ },
+ want: []types.DetectedVulnerability{
+ {
+ VulnerabilityID: "GHSA-v23v-6jw2-98fq",
+ PkgName: "github.com/docker/docker",
+ InstalledVersion: "23.0.14",
+ FixedVersion: "23.0.15, 26.1.5, 27.1.1, 25.0.6",
+ DataSource: &dbTypes.DataSource{
+ ID: vulnerability.GHSA,
+ Name: "GitHub Security Advisory Go",
+ URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago",
+ },
+ Custom: map[string]any{"Severity": 2.0},
+ },
+ },
+ },
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
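Review bot: The expected value `Custom: map[string]any{"Severity": 2.0}` does not match the fixture as written, which has `Severity: 2` in `go-custom-data.yaml`. The float is presumably produced when the fixture is serialized into the test DB and decoded back into `any`. A short comment on that line, for example `// numeric custom values are decoded as float64`, would keep the next reader from "fixing" the literal to an int. The case only covers a scalar, so a nested custom value would exercise the pass-through in `driver.go` more fully.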
diff --git a/pkg/detector/library/testdata/fixtures/data-source.yaml b/pkg/detector/library/testdata/fixtures/data-source.yaml
index eeb4a57e9637..087f960d2c58 100644
--- a/pkg/detector/library/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/library/testdata/fixtures/data-source.yaml
@@ -25,3 +25,8 @@
ID: "ghsa"
Name: "GitHub Security Advisory Pip"
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
+ - key: "go::GitHub Security Advisory Go"
+ value:
+ ID: "ghsa"
+ Name: "GitHub Security Advisory Go"
+ URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
diff --git a/pkg/detector/library/testdata/fixtures/go-custom-data.yaml b/pkg/detector/library/testdata/fixtures/go-custom-data.yaml
new file mode 100644
index 000000000000..aea7b8c7cd01
--- /dev/null
+++ b/pkg/detector/library/testdata/fixtures/go-custom-data.yaml
@@ -0,0 +1,18 @@
+- bucket: "go::GitHub Security Advisory Go"
+ pairs:
+ - bucket: github.com/docker/docker
+ pairs:
+ - key: "GHSA-v23v-6jw2-98fq"
+ value:
+ PatchedVersions:
+ - "23.0.15"
+ - "26.1.5"
+ - "27.1.1"
+ - "25.0.6"
+ VulnerableVersions:
+ - ">=19.03.0, <23.0.15"
+ - ">=26.0.0, <26.1.5"
+ - ">=27.0.0, <27.1.1"
+ - ">=24.0.0, <25.0.6"
+ Custom:
+ Severity: 2
\ No newline at end of file
diff --git a/pkg/detector/ospkg/oracle/oracle.go b/pkg/detector/ospkg/oracle/oracle.go
index dd66c11a3cf1..3dbc8c90677f 100644
--- a/pkg/detector/ospkg/oracle/oracle.go
+++ b/pkg/detector/ospkg/oracle/oracle.go
@@ -2,7 +2,6 @@ package oracle
import (
"context"
- "strings"
"time"
version "github.com/knqyf263/go-rpm-version"
@@ -43,16 +42,6 @@ func NewScanner() *Scanner {
}
}
-func extractKsplice(v string) string {
- subs := strings.Split(strings.ToLower(v), ".")
- for _, s := range subs {
- if strings.HasPrefix(s, "ksplice") {
- return s
- }
- }
- return ""
-}
-
// Detect scans and return vulnerability in Oracle scanner
func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
osVer = osver.Major(osVer)
@@ -69,10 +58,9 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
installed := utils.FormatVersion(pkg)
installedVersion := version.NewVersion(installed)
for _, adv := range advisories {
- // when one of them doesn't have ksplice, we'll also skip it
- // extract kspliceX and compare it with kspliceY in advisories
- // if kspliceX and kspliceY are different, we will skip the advisory
- if extractKsplice(adv.FixedVersion) != extractKsplice(pkg.Release) {
+ // We need to use only advisories from the same flavor as the package flavors.
+ // See more in https://github.com/aquasecurity/trivy/issues/1967
+ if oracleoval.PackageFlavor(adv.FixedVersion) != oracleoval.PackageFlavor(pkg.Release) {
continue
}
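Review bot: The removed extractKsplice lower-cased its input with `strings.ToLower` before matching, and whether `oracleoval.PackageFlavor` does the same is not visible here. If it does not, a release or fixed version with a differently cased marker would land in another flavor, and the `continue` would silently drop the advisory. Because this check decides whether an advisory is considered at all, I would confirm the case handling and spell the rule out in the comment, for example `// Flavor (plain, fips, kspliceN) is derived from the release string; advisories of another flavor are skipped.` The body of Detect continues outside the hunk.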
diff --git a/pkg/detector/ospkg/oracle/oracle_test.go b/pkg/detector/ospkg/oracle/oracle_test.go
index 6fdc73a90e6a..834bc06d9406 100644
--- a/pkg/detector/ospkg/oracle/oracle_test.go
+++ b/pkg/detector/ospkg/oracle/oracle_test.go
@@ -221,6 +221,42 @@ func TestScanner_Detect(t *testing.T) {
},
},
},
+ {
+ name: "with fips",
+ fixtures: []string{
+ "testdata/fixtures/oracle7.yaml",
+ "testdata/fixtures/data-source.yaml",
+ },
+ args: args{
+ osVer: "7",
+ pkgs: []ftypes.Package{
+ {
+ Name: "gnutls",
+ Epoch: 10,
+ Version: "3.6.15",
+ Release: "4.0.1.el8_fips",
+ Arch: "x86_64",
+ SrcEpoch: 2,
+ SrcName: "gnutls",
+ SrcVersion: "3.6.15",
+ SrcRelease: "4.0.1.el8_fips",
+ },
+ },
+ },
+ want: []types.DetectedVulnerability{
+ {
+ VulnerabilityID: "CVE-2021-20232",
+ PkgName: "gnutls",
+ InstalledVersion: "10:3.6.15-4.0.1.el8_fips",
+ FixedVersion: "10:3.6.16-4.0.1.el8_fips",
+ DataSource: &dbTypes.DataSource{
+ ID: vulnerability.OracleOVAL,
+ Name: "Oracle Linux OVAL definitions",
+ URL: "https://linux.oracle.com/security/oval/",
+ },
+ },
+ },
+ },
{
name: "malformed",
fixtures: []string{
diff --git a/pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml b/pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml
index 47c9931d8f1c..7dce7818c32e 100644
--- a/pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml
+++ b/pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml
@@ -5,8 +5,21 @@
- key: CVE-2020-8177
value:
FixedVersion: "7.29.0-59.0.1.el7_9.1"
+ Entries:
+ - FixedVersion: "7.29.0-59.0.1.el7_9.1"
- bucket: glibc
pairs:
- key: CVE-2017-1000364
value:
FixedVersion: "2:2.17-157.ksplice1.el7_3.4"
+ Entries:
+ - FixedVersion: "2:2.17-157.ksplice1.el7_3.4"
+ - bucket: gnutls
+ pairs:
+ - key: CVE-2021-20232
+ value:
+ FixedVersion: "3.6.16-4.el8"
+ Entries:
+ - FixedVersion: "10:3.6.16-4.0.1.el8_fips"
+ - FixedVersion: "3.6.16-4.el8"
+
diff --git a/pkg/detector/ospkg/suse/suse_test.go b/pkg/detector/ospkg/suse/suse_test.go
index 9d480f18b0ea..abd21c6478a7 100644
--- a/pkg/detector/ospkg/suse/suse_test.go
+++ b/pkg/detector/ospkg/suse/suse_test.go
@@ -243,20 +243,20 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
want bool
}{
{
- name: "opensuse.tumbleweed",
+ name: "opensuse-tumbleweed",
now: time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
args: args{
- osFamily: "opensuse.tumbleweed",
+ osFamily: "opensuse-tumbleweed",
osVer: "",
},
distribution: suse.OpenSUSETumbleweed,
want: true,
},
{
- name: "opensuse.leap42.3",
+ name: "opensuse-leap42.3",
now: time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
args: args{
- osFamily: "opensuse.leap",
+ osFamily: "opensuse-leap",
osVer: "42.3",
},
distribution: suse.OpenSUSE,
@@ -266,7 +266,7 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
name: "sles12.3",
now: time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
args: args{
- osFamily: "suse linux enterprise server",
+ osFamily: "sles",
osVer: "12.3",
},
distribution: suse.SUSEEnterpriseLinux,
@@ -276,7 +276,7 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
name: "latest",
now: time.Date(2019, 5, 2, 23, 59, 59, 0, time.UTC),
args: args{
- osFamily: "opensuse.leap",
+ osFamily: "opensuse-leap",
osVer: "999.0",
},
want: true,
diff --git a/pkg/fanal/analyzer/buildinfo/content_manifest.go b/pkg/fanal/analyzer/buildinfo/content_manifest.go
index 1c99a9783ebe..7d5372dc7266 100644
--- a/pkg/fanal/analyzer/buildinfo/content_manifest.go
+++ b/pkg/fanal/analyzer/buildinfo/content_manifest.go
@@ -31,6 +31,10 @@ func (a contentManifestAnalyzer) Analyze(_ context.Context, target analyzer.Anal
return nil, xerrors.Errorf("invalid content manifest: %w", err)
}
+ if len(manifest.ContentSets) == 0 {
+ return nil, nil
+ }
+
return &analyzer.AnalysisResult{
BuildInfo: &types.BuildInfo{
ContentSets: manifest.ContentSets,
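Review bot: The new early return `return nil, nil` for an empty `manifest.ContentSets` carries no comment, and a nil result with a nil error is easy to misread as an oversight. A line above the check such as `// Manifests without content sets (for example SBOM-style files) carry no build info; skip them.` would record the intent; the SBOM example comes from the sbom-purl.json fixture added in this commit. It is also worth confirming that callers of Analyze tolerate a nil result, since that handling is outside the hunk.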
diff --git a/pkg/fanal/analyzer/buildinfo/content_manifest_test.go b/pkg/fanal/analyzer/buildinfo/content_manifest_test.go
index c7d8b880f5a1..61ad8ebde1cb 100644
--- a/pkg/fanal/analyzer/buildinfo/content_manifest_test.go
+++ b/pkg/fanal/analyzer/buildinfo/content_manifest_test.go
@@ -31,6 +31,11 @@ func Test_contentManifestAnalyzer_Analyze(t *testing.T) {
},
},
},
+ {
+ name: "happy path for non-contentSets file",
+ input: "testdata/content_manifests/sbom-purl.json",
+ want: nil,
+ },
{
name: "broken json",
input: "testdata/content_manifests/broken.json",
diff --git a/pkg/fanal/analyzer/buildinfo/testdata/content_manifests/sbom-purl.json b/pkg/fanal/analyzer/buildinfo/testdata/content_manifests/sbom-purl.json
new file mode 100644
index 000000000000..8e73ade1d8f3
--- /dev/null
+++ b/pkg/fanal/analyzer/buildinfo/testdata/content_manifests/sbom-purl.json
@@ -0,0 +1,9 @@
+{
+ "image_contents": {
+ "dependencies": [
+ {
+ "purl": "pkg:rpm/redhat/zstd@1.5.1-2.el9?arch=src&checksum=sha256:f1ddea14d19746b867e69b48d128dd9c2d3e8cc021a5ea7b0674b48356ad3341&repository_id=rhel-9-base-source"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/pkg/fanal/analyzer/imgconf/apk/apk.go b/pkg/fanal/analyzer/imgconf/apk/apk.go
index 794eb9797e5d..04aa244313c1 100644
--- a/pkg/fanal/analyzer/imgconf/apk/apk.go
+++ b/pkg/fanal/analyzer/imgconf/apk/apk.go
@@ -16,6 +16,7 @@ import (
"github.com/samber/lo"
"golang.org/x/xerrors"
+ "github.com/aquasecurity/trivy/pkg/dependency"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
"github.com/aquasecurity/trivy/pkg/fanal/types"
)
@@ -134,6 +135,7 @@ func (a alpineCmdAnalyzer) parseConfig(apkIndexArchive *apkIndex, config *v1.Con
pkgs = a.resolveDependencies(apkIndexArchive, pkgs)
results := a.guessVersion(apkIndexArchive, pkgs, history.Created.Time)
for _, result := range results {
+ result.Identifier.UID = dependency.UID("", result)
uniqPkgs[result.Name] = result
}
}
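Review bot: The empty first argument in `dependency.UID("", result)` reads as a magic value. A short comment would say why no path is passed, presumably because these packages are reconstructed from image history rather than parsed from a file. Something like `// Packages guessed from image history have no source file, so no path goes into the UID.` would do, once confirmed against dependency.UID. parseConfig starts and ends outside the hunk.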
diff --git a/pkg/fanal/analyzer/imgconf/apk/apk_test.go b/pkg/fanal/analyzer/imgconf/apk/apk_test.go
index 8577d5c3c054..93da80f87e0b 100644
--- a/pkg/fanal/analyzer/imgconf/apk/apk_test.go
+++ b/pkg/fanal/analyzer/imgconf/apk/apk_test.go
@@ -570,454 +570,793 @@ var (
{
Name: "acl",
Version: "2.2.52-r5",
+ Identifier: types.PkgIdentifier{
+ UID: "784f131cd326111",
+ },
},
{
Name: "apr",
Version: "1.6.5-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "1e7a6d0bda73a74f",
+ },
},
{
Name: "apr-util",
Version: "1.6.1-r5",
+ Identifier: types.PkgIdentifier{
+ UID: "a2c929c03d9ad61a",
+ },
},
{
Name: "argon2",
Version: "20171227-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "f1f015346e9d54db",
+ },
},
{
Name: "argon2-dev",
Version: "20171227-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "dd027c90469eaea2",
+ },
},
{
Name: "argon2-libs",
Version: "20171227-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "c18902624988b224",
+ },
},
{
Name: "attr",
Version: "2.4.47-r7",
+ Identifier: types.PkgIdentifier{
+ UID: "88e3c95b0bd83fe",
+ },
},
{
Name: "autoconf",
Version: "2.69-r2",
+ Identifier: types.PkgIdentifier{
+ UID: "9282eebaa2edb18e",
+ },
},
{
Name: "bash",
Version: "4.4.19-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "b9623518df2580d7",
+ },
},
{
Name: "binutils",
Version: "2.31.1-r2",
+ Identifier: types.PkgIdentifier{
+ UID: "6eb2b9ef787d20e5",
+ },
},
{
Name: "busybox",
Version: "1.29.3-r10",
+ Identifier: types.PkgIdentifier{
+ UID: "6d4fece8eb9aed1b",
+ },
},
{
Name: "bzip2",
Version: "1.0.6-r6",
+ Identifier: types.PkgIdentifier{
+ UID: "f10a7652e98de81",
+ },
},
{
Name: "ca-certificates",
Version: "20190108-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "78b6dea410b11547",
+ },
},
{
Name: "coreutils",
Version: "8.30-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "a65f04a5f1682ef3",
+ },
},
{
Name: "curl",
Version: "7.64.0-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "653b9f8ab041d5ac",
+ },
},
{
Name: "curl-dev",
Version: "7.64.0-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "cdaa10b4d0045df",
+ },
},
{
Name: "cyrus-sasl",
Version: "2.1.27-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "11f463e17f11fc11",
+ },
},
{
Name: "db",
Version: "5.3.28-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "3c96ed610406070f",
+ },
},
{
Name: "dpkg",
Version: "1.19.2-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "291cdf92161b7a35",
+ },
},
{
Name: "dpkg-dev",
Version: "1.19.2-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "c87dd7f90913b9c0",
+ },
},
{
Name: "expat",
Version: "2.2.6-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "c17cef592b4cd1ac",
+ },
},
{
Name: "file",
Version: "5.36-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "e9eac8d2344654b6",
+ },
},
{
Name: "g++",
Version: "8.3.0-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "b5a17a376ce78648",
+ },
},
{
Name: "gcc",
Version: "8.3.0-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "e0028b3f4edb10d0",
+ },
},
{
Name: "gdbm",
Version: "1.13-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "ddf8257d2b4ffc7b",
+ },
},
{
Name: "git",
Version: "2.20.1-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "7df769c499baac3e",
+ },
},
{
Name: "gmp",
Version: "6.1.2-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "9543ab8b3ef71c6b",
+ },
},
{
Name: "gnupg",
Version: "2.2.12-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "af5a8477a7bb8a39",
+ },
},
{
Name: "gnutls",
Version: "3.6.7-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "7b8292fb2158b405",
+ },
},
{
Name: "isl",
Version: "0.18-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "ff5808fa3be09223",
+ },
},
{
Name: "libacl",
Version: "2.2.52-r5",
+ Identifier: types.PkgIdentifier{
+ UID: "e1110bb9fa71e9b6",
+ },
},
{
Name: "libassuan",
Version: "2.5.1-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "5c27356bfc0c8063",
+ },
},
{
Name: "libatomic",
Version: "8.3.0-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "9c448437636ec536",
+ },
},
{
Name: "libattr",
Version: "2.4.47-r7",
+ Identifier: types.PkgIdentifier{
+ UID: "58d4cb13b94c427c",
+ },
},
{
Name: "libbz2",
Version: "1.0.6-r6",
+ Identifier: types.PkgIdentifier{
+ UID: "b88167f64940af66",
+ },
},
{
Name: "libc-dev",
Version: "0.7.1-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "804732077a4c662b",
+ },
},
{
Name: "libcap",
Version: "2.26-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "9fe6eb7eda727396",
+ },
},
{
Name: "libcrypto1.1",
Version: "1.1.1b-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "68da5e7990c8780c",
+ },
},
{
Name: "libcurl",
Version: "7.64.0-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "49e0a68f77f67462",
+ },
},
{
Name: "libedit",
Version: "20181209.3.1-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "cb42283699ac3423",
+ },
},
{
Name: "libedit-dev",
Version: "20181209.3.1-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "e02c3a224e18a6b2",
+ },
},
{
Name: "libffi",
Version: "3.2.1-r6",
+ Identifier: types.PkgIdentifier{
+ UID: "68833f89f34bd7ec",
+ },
},
{
Name: "libgcc",
Version: "8.3.0-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "27519ea7a3464bc0",
+ },
},
{
Name: "libgcrypt",
Version: "1.8.4-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "f05eadedb8dc0151",
+ },
},
{
Name: "libgomp",
Version: "8.3.0-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "543d8918635c52d6",
+ },
},
{
Name: "libgpg-error",
Version: "1.33-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "db991adc17654512",
+ },
},
{
Name: "libksba",
Version: "1.3.5-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "2bdff3fcdb38fcc9",
+ },
},
{
Name: "libldap",
Version: "2.4.47-r2",
+ Identifier: types.PkgIdentifier{
+ UID: "7d1e18d46af8e64d",
+ },
},
{
Name: "libmagic",
Version: "5.36-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "8de0dc2316c7f08c",
+ },
},
{
Name: "libsasl",
Version: "2.1.27-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "32ade945216e13cb",
+ },
},
{
Name: "libsodium",
Version: "1.0.16-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "7510915bba932b1b",
+ },
},
{
Name: "libsodium-dev",
Version: "1.0.16-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "df3b47abf3f1411f",
+ },
},
{
Name: "libssh2",
Version: "1.8.2-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "7cf64ca05155ca9c",
+ },
},
{
Name: "libssh2-dev",
Version: "1.8.2-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "8afd5b832f1d474c",
+ },
},
{
Name: "libssl1.1",
Version: "1.1.1b-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "b35faf606cddd965",
+ },
},
{
Name: "libstdc++",
Version: "8.3.0-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "e56259710bdc7ded",
+ },
},
{
Name: "libtasn1",
Version: "4.13-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "d78c8e47a85a4185",
+ },
},
{
Name: "libunistring",
Version: "0.9.10-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "5f31755a4db496df",
+ },
},
{
Name: "libuuid",
Version: "2.33-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "af33ae09a75e4ee2",
+ },
},
{
Name: "libxml2",
Version: "2.9.9-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "f772ed5552f4248f",
+ },
},
{
Name: "libxml2-dev",
Version: "2.9.9-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "3aa56b4d41995ecc",
+ },
},
{
Name: "lz4",
Version: "1.8.3-r2",
+ Identifier: types.PkgIdentifier{
+ UID: "16fe8f309f000a",
+ },
},
{
Name: "lz4-libs",
Version: "1.8.3-r2",
+ Identifier: types.PkgIdentifier{
+ UID: "f1cc72d3a4f0e3fa",
+ },
},
{
Name: "m4",
Version: "1.4.18-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "279041efb6311a55",
+ },
},
{
Name: "make",
Version: "4.2.1-r2",
+ Identifier: types.PkgIdentifier{
+ UID: "aedc2f116a0a656",
+ },
},
{
Name: "mercurial",
Version: "4.9.1-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "dd8db352af0fe45d",
+ },
},
{
Name: "mpc1",
Version: "1.0.3-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "4ac00bb3c9d7b863",
+ },
},
{
Name: "mpfr3",
Version: "3.1.5-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "7351997d7d25f69a",
+ },
},
{
Name: "musl",
Version: "1.1.20-r4",
+ Identifier: types.PkgIdentifier{
+ UID: "8e5756f96b3b5f6",
+ },
},
{
Name: "musl-dev",
Version: "1.1.20-r4",
+ Identifier: types.PkgIdentifier{
+ UID: "2232888b0c99c2d",
+ },
},
{
Name: "ncurses",
Version: "6.1_p20190105-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "df982c6c8f287e6a",
+ },
},
{
Name: "ncurses-dev",
Version: "6.1_p20190105-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "80932f0ecaf2d5f8",
+ },
},
{
Name: "ncurses-libs",
Version: "6.1_p20190105-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "d8410f98ecc55ce4",
+ },
},
{
Name: "ncurses-terminfo",
Version: "6.1_p20190105-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "c60fc6e5a37d8a95",
+ },
},
{
Name: "ncurses-terminfo-base",
Version: "6.1_p20190105-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "c2beca25e6a5371f",
+ },
},
{
Name: "nettle",
Version: "3.4.1-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "96dcec63030bedbb",
+ },
},
{
Name: "nghttp2",
Version: "1.35.1-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "ba6c36de650ae267",
+ },
},
{
Name: "nghttp2-dev",
Version: "1.35.1-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "db9600175e13927",
+ },
},
{
Name: "nghttp2-libs",
Version: "1.35.1-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "66cd303081642354",
+ },
},
{
Name: "npth",
Version: "1.6-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "4a8c2366f7da081d",
+ },
},
{
Name: "openldap",
Version: "2.4.47-r2",
+ Identifier: types.PkgIdentifier{
+ UID: "4e116d327ed660e7",
+ },
},
{
Name: "openssh",
Version: "7.9_p1-r5",
+ Identifier: types.PkgIdentifier{
+ UID: "27574c5b357bd209",
+ },
},
{
Name: "openssh-client",
Version: "7.9_p1-r5",
+ Identifier: types.PkgIdentifier{
+ UID: "4d095f61f69debef",
+ },
},
{
Name: "openssh-keygen",
Version: "7.9_p1-r5",
+ Identifier: types.PkgIdentifier{
+ UID: "12cb2bcb1f6c2295",
+ },
},
{
Name: "openssh-server",
Version: "7.9_p1-r5",
+ Identifier: types.PkgIdentifier{
+ UID: "dee48c5c90bff0d6",
+ },
},
{
Name: "openssh-server-common",
Version: "7.9_p1-r5",
+ Identifier: types.PkgIdentifier{
+ UID: "ad06b8d442f8a162",
+ },
},
{
Name: "openssh-sftp-server",
Version: "7.9_p1-r5",
+ Identifier: types.PkgIdentifier{
+ UID: "e0bc3d8e794f06c8",
+ },
},
{
Name: "openssl",
Version: "1.1.1b-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "1c8ae81a9b60513c",
+ },
},
{
Name: "openssl-dev",
Version: "1.1.1b-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "c6549ade045edac",
+ },
},
{
Name: "p11-kit",
Version: "0.23.14-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "4f77fc5f062368fc",
+ },
},
{
Name: "patch",
Version: "2.7.6-r4",
+ Identifier: types.PkgIdentifier{
+ UID: "49b5c14cbee185b7",
+ },
},
{
Name: "pcre2",
Version: "10.32-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "c3733a676cf271ba",
+ },
},
{
Name: "perl",
Version: "5.26.3-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "10e2893a9ea288e",
+ },
},
{
Name: "pinentry",
Version: "1.1.0-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "783866fca9a015bd",
+ },
},
{
Name: "pkgconf",
Version: "1.6.0-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "33d19ebaf35432b0",
+ },
},
{
Name: "python2",
Version: "2.7.16-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "a839b2c9a5f9ba73",
+ },
},
{
Name: "re2c",
Version: "1.1.1-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "ec7d28a39ed7dfb6",
+ },
},
{
Name: "readline",
Version: "7.0.003-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "7d4d5810d005452c",
+ },
},
{
Name: "serf",
Version: "1.3.9-r5",
+ Identifier: types.PkgIdentifier{
+ UID: "7f23c377c19eff2f",
+ },
},
{
Name: "sqlite",
Version: "3.26.0-r3",
+ Identifier: types.PkgIdentifier{
+ UID: "1eab4ef4d3ea8c3c",
+ },
},
{
Name: "sqlite-dev",
Version: "3.26.0-r3",
+ Identifier: types.PkgIdentifier{
+ UID: "4dcddd5956410d59",
+ },
},
{
Name: "sqlite-libs",
Version: "3.26.0-r3",
+ Identifier: types.PkgIdentifier{
+ UID: "9790a2922ebbad67",
+ },
},
{
Name: "subversion",
Version: "1.11.1-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "9de851271909a16",
+ },
},
{
Name: "subversion-libs",
Version: "1.11.1-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "f55079ee39f32296",
+ },
},
{
Name: "tar",
Version: "1.32-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "ee612e956fb56928",
+ },
},
{
Name: "unzip",
Version: "6.0-r4",
+ Identifier: types.PkgIdentifier{
+ UID: "a0da1ecf3082e04",
+ },
},
{
Name: "util-linux",
Version: "2.33-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "1405b9526350c651",
+ },
},
{
Name: "wget",
Version: "1.20.3-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "a5b83a24d7129300",
+ },
},
{
Name: "xz",
Version: "5.2.4-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "253d1bd8b99d6062",
+ },
},
{
Name: "xz-libs",
Version: "5.2.4-r0",
+ Identifier: types.PkgIdentifier{
+ UID: "a42777c05ddb55f3",
+ },
},
{
Name: "zip",
Version: "3.0-r7",
+ Identifier: types.PkgIdentifier{
+ UID: "2039aba6424806a4",
+ },
},
{
Name: "zlib",
Version: "1.2.11-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "b742ac29b1f34e",
+ },
},
{
Name: "zlib-dev",
Version: "1.2.11-r1",
+ Identifier: types.PkgIdentifier{
+ UID: "e9a8669a86602c9d",
+ },
},
}
)
diff --git a/pkg/fanal/analyzer/language/golang/binary/binary_test.go b/pkg/fanal/analyzer/language/golang/binary/binary_test.go
index 041d43e1b45b..650968667e06 100644
--- a/pkg/fanal/analyzer/language/golang/binary/binary_test.go
+++ b/pkg/fanal/analyzer/language/golang/binary/binary_test.go
@@ -30,24 +30,35 @@ func Test_gobinaryLibraryAnalyzer_Analyze(t *testing.T) {
FilePath: "testdata/executable_gobinary",
Packages: types.Packages{
{
+ ID: "github.com/aquasecurity/test",
Name: "github.com/aquasecurity/test",
Version: "",
Relationship: types.RelationshipRoot,
+ DependsOn: []string{
+ "github.com/aquasecurity/go-pep440-version@v0.0.0-20210121094942-22b2f8951d46",
+ "github.com/aquasecurity/go-version@v0.0.0-20210121072130-637058cfe492",
+ "golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1",
+ "stdlib@v1.15.2",
+ },
},
{
+ ID: "stdlib@v1.15.2",
Name: "stdlib",
Version: "v1.15.2",
Relationship: types.RelationshipDirect,
},
{
+ ID: "github.com/aquasecurity/go-pep440-version@v0.0.0-20210121094942-22b2f8951d46",
Name: "github.com/aquasecurity/go-pep440-version",
Version: "v0.0.0-20210121094942-22b2f8951d46",
},
{
+ ID: "github.com/aquasecurity/go-version@v0.0.0-20210121072130-637058cfe492",
Name: "github.com/aquasecurity/go-version",
Version: "v0.0.0-20210121072130-637058cfe492",
},
{
+ ID: "golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1",
Name: "golang.org/x/xerrors",
Version: "v0.0.0-20200804184101-5ec99f83aff1",
},
diff --git a/pkg/fanal/analyzer/language/golang/mod/mod.go b/pkg/fanal/analyzer/language/golang/mod/mod.go
index 52d7b32f3bee..bb6117f3a100 100644
--- a/pkg/fanal/analyzer/language/golang/mod/mod.go
+++ b/pkg/fanal/analyzer/language/golang/mod/mod.go
@@ -101,6 +101,9 @@ func (a *gomodAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalys
a.logger.Warn("Unable to collect additional info", log.Err(err))
}
+ // Add orphan indirect dependencies under the main module
+ a.addOrphanIndirectDepsUnderRoot(apps)
+
return &analyzer.AnalysisResult{
Applications: apps,
}, nil
@@ -212,6 +215,40 @@ func (a *gomodAnalyzer) collectDeps(modDir, pkgID string) (types.Dependency, err
}, nil
}
+// addOrphanIndirectDepsUnderRoot handles indirect dependencies that have no identifiable parent packages in the dependency tree.
+// This situation can occur when:
+// - $GOPATH/pkg directory doesn't exist
+// - Module cache is incomplete
+// - etc.
+//
+// In such cases, indirect packages become "orphaned" - they exist in the dependency list
+// but have no connection to the dependency tree. This function resolves this issue by:
+// 1. Finding the root (main) module
+// 2. Identifying all indirect dependencies that have no parent packages
+// 3. Adding these orphaned indirect dependencies under the main module
+//
+// This ensures that all packages remain visible in the dependency tree, even when the complete
+// dependency chain cannot be determined.
+func (a *gomodAnalyzer) addOrphanIndirectDepsUnderRoot(apps []types.Application) {
+ for _, app := range apps {
+ // Find the main module
+ _, rootIdx, found := lo.FindIndexOf(app.Packages, func(pkg types.Package) bool {
+ return pkg.Relationship == types.RelationshipRoot
+ })
+ if !found {
+ continue
+ }
+
+ // Collect all orphan indirect dependencies that are unable to identify parents
+ parents := app.Packages.ParentDeps()
+ orphanDeps := lo.FilterMap(app.Packages, func(pkg types.Package, _ int) (string, bool) {
+ return pkg.ID, pkg.Relationship == types.RelationshipIndirect && len(parents[pkg.ID]) == 0
+ })
+ // Add orphan indirect dependencies under the main module
+ app.Packages[rootIdx].DependsOn = append(app.Packages[rootIdx].DependsOn, orphanDeps...)
+ }
+}
+
func parse(fsys fs.FS, path string, parser language.Parser) (*types.Application, error) {
f, err := fsys.Open(path)
if err != nil {
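Review bot: In addOrphanIndirectDepsUnderRoot, `for _, app := range apps` iterates over copies of each Application, so the write to `app.Packages[rootIdx].DependsOn` reaches the caller only because Packages is a slice sharing its backing array with the original. A later edit that reassigns `app.Packages` would silently stop updating the result, so I would index explicitly with `for i := range apps { pkgs := apps[i].Packages` or add a comment saying the in-place write is intentional. The orphan IDs are also appended in package order without sorting. If other code paths keep DependsOn sorted (not visible here), sorting after the append would keep the dependency graph output stable between runs.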
diff --git a/pkg/fanal/analyzer/language/golang/mod/mod_test.go b/pkg/fanal/analyzer/language/golang/mod/mod_test.go
index 3963bcebbad9..c2e0370d172a 100644
--- a/pkg/fanal/analyzer/language/golang/mod/mod_test.go
+++ b/pkg/fanal/analyzer/language/golang/mod/mod_test.go
@@ -36,6 +36,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
ID: "github.com/org/repo",
Name: "github.com/org/repo",
Relationship: types.RelationshipRoot,
+ DependsOn: []string{
+ "github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237",
+ },
ExternalReferences: []types.ExternalRef{
{
Type: types.RefVCS,
@@ -86,6 +89,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
ID: "github.com/org/repo",
Name: "github.com/org/repo",
Relationship: types.RelationshipRoot,
+ DependsOn: []string{
+ "github.com/sad/sad@v0.0.1",
+ },
ExternalReferences: []types.ExternalRef{
{
Type: types.RefVCS,
@@ -110,6 +116,69 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
},
},
},
+ {
+ name: "no pkg dir found",
+ files: []string{
+ "testdata/no-pkg-found/mod",
+ },
+ want: &analyzer.AnalysisResult{
+ Applications: []types.Application{
+ {
+ Type: types.GoModule,
+ FilePath: "go.mod",
+ Packages: types.Packages{
+ {
+ ID: "github.com/org/repo",
+ Name: "github.com/org/repo",
+ Relationship: types.RelationshipRoot,
+ DependsOn: []string{
+ "github.com/aquasecurity/go-dep-parser@v1.0.0",
+ "github.com/aquasecurity/go-version@v1.0.1",
+ "golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1", // No parent found, so it's added here.
+ },
+ ExternalReferences: []types.ExternalRef{
+ {
+ Type: types.RefVCS,
+ URL: "https://github.com/org/repo",
+ },
+ },
+ },
+ {
+ ID: "github.com/aquasecurity/go-dep-parser@v1.0.0",
+ Name: "github.com/aquasecurity/go-dep-parser",
+ Version: "v1.0.0",
+ Relationship: types.RelationshipDirect,
+ ExternalReferences: []types.ExternalRef{
+ {
+ Type: types.RefVCS,
+ URL: "https://github.com/aquasecurity/go-dep-parser",
+ },
+ },
+ },
+ {
+ ID: "github.com/aquasecurity/go-version@v1.0.1",
+ Name: "github.com/aquasecurity/go-version",
+ Version: "v1.0.1",
+ Relationship: types.RelationshipDirect,
+ ExternalReferences: []types.ExternalRef{
+ {
+ Type: types.RefVCS,
+ URL: "https://github.com/aquasecurity/go-version",
+ },
+ },
+ },
+ {
+ ID: "golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1",
+ Name: "golang.org/x/xerrors",
+ Version: "v0.0.0-20200804184101-5ec99f83aff1",
+ Relationship: types.RelationshipIndirect,
+ Indirect: true,
+ },
+ },
+ },
+ },
+ },
+ },
{
name: "less than 1.17",
files: []string{
@@ -126,6 +195,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
ID: "github.com/org/repo",
Name: "github.com/org/repo",
Relationship: types.RelationshipRoot,
+ DependsOn: []string{
+ "github.com/aquasecurity/go-dep-parser@v0.0.0-20230219131432-590b1dfb6edd",
+ },
ExternalReferences: []types.ExternalRef{
{
Type: types.RefVCS,
@@ -178,6 +250,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
ID: "github.com/org/repo",
Name: "github.com/org/repo",
Relationship: types.RelationshipRoot,
+ DependsOn: []string{
+ "github.com/aquasecurity/go-dep-parser@v0.0.0-20230219131432-590b1dfb6edd",
+ },
ExternalReferences: []types.ExternalRef{
{
Type: types.RefVCS,
diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/no-pkg-found/mod b/pkg/fanal/analyzer/language/golang/mod/testdata/no-pkg-found/mod
new file mode 100644
index 000000000000..2f64bb82f7a8
--- /dev/null
+++ b/pkg/fanal/analyzer/language/golang/mod/testdata/no-pkg-found/mod
@@ -0,0 +1,10 @@
+module github.com/org/repo
+
+go 1.23
+
+require (
+ github.com/aquasecurity/go-dep-parser v1.0.0
+ github.com/aquasecurity/go-version v1.0.1
+)
+
+require golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
\ No newline at end of file
diff --git a/pkg/fanal/artifact/local/fs.go b/pkg/fanal/artifact/local/fs.go
index 2f5ef7fe4ecd..b6c2d46c839a 100644
--- a/pkg/fanal/artifact/local/fs.go
+++ b/pkg/fanal/artifact/local/fs.go
@@ -82,6 +82,7 @@ func (a Artifact) Inspect(ctx context.Context) (artifact.Reference, error) {
if err != nil {
return artifact.Reference{}, xerrors.Errorf("failed to prepare filesystem for post analysis: %w", err)
}
+ defer composite.Cleanup()
err = a.walker.Walk(a.rootPath, a.artifactOption.WalkerOption, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
dir := a.rootPath
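Review bot: `defer composite.Cleanup()` discards whatever Cleanup returns. If it reports an error (its signature is not visible here), a failed removal would leave the post-analysis files, presumably temporary copies of scanned content, on disk with no trace in the logs. I would log the failure, e.g. `defer func() { if cerr := composite.Cleanup(); cerr != nil { log.Warn("Failed to clean up post-analysis files", log.Err(cerr)) } }()`, assuming the project's log package is imported in this file. Inspect continues outside the hunk.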
diff --git a/pkg/fanal/artifact/local/fs_test.go b/pkg/fanal/artifact/local/fs_test.go
index dbef68e893bb..868bdf6a8b8d 100644
--- a/pkg/fanal/artifact/local/fs_test.go
+++ b/pkg/fanal/artifact/local/fs_test.go
@@ -918,7 +918,6 @@ func TestTerraformPlanSnapshotMisconfScan(t *testing.T) {
types.SystemFileFilteringPostHandler,
},
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
DisableEmbeddedPolicies: true,
DisableEmbeddedLibraries: false,
Namespaces: []string{"user"},
@@ -956,7 +955,6 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/single-failure/rego"},
DisableEmbeddedLibraries: true,
@@ -1017,7 +1015,6 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/multiple-failures/rego"},
DisableEmbeddedLibraries: true,
@@ -1100,7 +1097,6 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/no-results/rego"},
DisableEmbeddedLibraries: true,
@@ -1131,7 +1127,6 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/params/code/rego"},
CloudFormationParamVars: []string{"./testdata/misconfig/cloudformation/params/cfparams.json"},
@@ -1188,7 +1183,6 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/passed/rego"},
DisableEmbeddedLibraries: true,
@@ -1275,7 +1269,6 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/dockerfile/single-failure/rego"},
DisableEmbeddedLibraries: true,
@@ -1332,7 +1325,6 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/dockerfile/multiple-failures/rego"},
DisableEmbeddedLibraries: true,
@@ -1389,7 +1381,6 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/dockerfile/no-results/rego"},
},
@@ -1419,7 +1410,6 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/dockerfile/passed/rego"},
DisableEmbeddedLibraries: true,
@@ -1508,7 +1498,6 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/kubernetes/single-failure/rego"},
DisableEmbeddedLibraries: true,
@@ -1570,7 +1559,6 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/kubernetes/multiple-failures/rego"},
DisableEmbeddedLibraries: true,
@@ -1655,7 +1643,6 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/kubernetes/no-results/rego"},
},
@@ -1685,7 +1672,6 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/kubernetes/passed/rego"},
DisableEmbeddedLibraries: true,
@@ -1774,7 +1760,6 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/azurearm/single-failure/rego"},
},
@@ -1834,7 +1819,6 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/azurearm/multiple-failures/rego"},
},
@@ -1916,7 +1900,6 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/azurearm/no-results/rego"},
},
@@ -1946,7 +1929,6 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/azurearm/passed/rego"},
},
@@ -2032,7 +2014,6 @@ func TestMixedConfigurationScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/mixed/rego"},
DisableEmbeddedLibraries: true,
@@ -2153,7 +2134,6 @@ func TestJSONConfigScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/json/passed/checks"},
},
@@ -2226,7 +2206,6 @@ func TestJSONConfigScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/json/with-schema/checks"},
},
@@ -2316,7 +2295,6 @@ func TestYAMLConfigScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/yaml/passed/checks"},
},
@@ -2389,7 +2367,6 @@ func TestYAMLConfigScan(t *testing.T) {
},
artifactOpt: artifact.Option{
MisconfScannerOption: misconf.ScannerOption{
- RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/yaml/with-schema/checks"},
},
diff --git a/pkg/fanal/image/daemon/containerd.go b/pkg/fanal/image/daemon/containerd.go
index 109081d5bae5..faa5c8d98c3f 100644
--- a/pkg/fanal/image/daemon/containerd.go
+++ b/pkg/fanal/image/daemon/containerd.go
@@ -10,12 +10,12 @@ import (
"strings"
"time"
- "github.com/containerd/containerd"
- "github.com/containerd/containerd/content"
- "github.com/containerd/containerd/images/archive"
- "github.com/containerd/containerd/namespaces"
- "github.com/containerd/containerd/platforms"
- refdocker "github.com/containerd/containerd/reference/docker"
+ "github.com/containerd/containerd/v2/client"
+ "github.com/containerd/containerd/v2/core/content"
+ "github.com/containerd/containerd/v2/core/images/archive"
+ "github.com/containerd/containerd/v2/pkg/namespaces"
+ "github.com/containerd/platforms"
+ "github.com/distribution/reference"
api "github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/container"
"github.com/docker/go-connections/nat"
@@ -52,12 +52,12 @@ func (n familiarNamed) String() string {
return string(n)
}
-func imageWriter(client *containerd.Client, img containerd.Image, platform types.Platform) imageSave {
+func imageWriter(c *client.Client, img client.Image, platform types.Platform) imageSave {
return func(ctx context.Context, ref []string) (io.ReadCloser, error) {
if len(ref) < 1 {
return nil, xerrors.New("no image reference")
}
- imgOpts := archive.WithImage(client.ImageService(), ref[0])
+ imgOpts := archive.WithImage(c.ImageService(), ref[0])
manifestOpts := archive.WithManifest(img.Target())
var platformMatchComparer platforms.MatchComparer
@@ -69,7 +69,7 @@ func imageWriter(client *containerd.Client, img containerd.Image, platform types
platOpts := archive.WithPlatform(platformMatchComparer)
pr, pw := io.Pipe()
go func() {
- pw.CloseWithError(archive.Export(ctx, client.ContentStore(), pw, imgOpts, manifestOpts, platOpts))
+ pw.CloseWithError(archive.Export(ctx, c.ContentStore(), pw, imgOpts, manifestOpts, platOpts))
}()
return pr, nil
}
@@ -94,17 +94,17 @@ func ContainerdImage(ctx context.Context, imageName string, opts types.ImageOpti
return nil, cleanup, err
}
- var options []containerd.ClientOpt
+ var options []client.Opt
if opts.RegistryOptions.Platform.Platform != nil {
ociPlatform, err := platforms.Parse(opts.RegistryOptions.Platform.String())
if err != nil {
return nil, cleanup, err
}
- options = append(options, containerd.WithDefaultPlatform(platforms.OnlyStrict(ociPlatform)))
+ options = append(options, client.WithDefaultPlatform(platforms.OnlyStrict(ociPlatform)))
}
- client, err := containerd.New(addr, options...)
+ c, err := client.New(addr, options...)
if err != nil {
return nil, cleanup, xerrors.Errorf("failed to initialize a containerd client: %w", err)
}
@@ -116,7 +116,7 @@ func ContainerdImage(ctx context.Context, imageName string, opts types.ImageOpti
ctx = namespaces.WithNamespace(ctx, namespace)
- imgs, err := client.ListImages(ctx, searchFilters...)
+ imgs, err := c.ListImages(ctx, searchFilters...)
if err != nil {
return nil, cleanup, xerrors.Errorf("failed to list images from containerd client: %w", err)
}
@@ -133,7 +133,7 @@ func ContainerdImage(ctx context.Context, imageName string, opts types.ImageOpti
}
cleanup = func() {
- _ = client.Close()
+ _ = c.Close()
_ = f.Close()
_ = os.Remove(f.Name())
}
@@ -144,21 +144,21 @@ func ContainerdImage(ctx context.Context, imageName string, opts types.ImageOpti
}
return &image{
- opener: imageOpener(ctx, ref.String(), f, imageWriter(client, img, opts.RegistryOptions.Platform)),
+ opener: imageOpener(ctx, ref.String(), f, imageWriter(c, img, opts.RegistryOptions.Platform)),
inspect: insp,
history: history,
}, cleanup, nil
}
-func parseReference(imageName string) (refdocker.Reference, []string, error) {
- ref, err := refdocker.ParseAnyReference(imageName)
+func parseReference(imageName string) (reference.Reference, []string, error) {
+ ref, err := reference.ParseAnyReference(imageName)
if err != nil {
return nil, nil, xerrors.Errorf("parse error: %w", err)
}
- d, isDigested := ref.(refdocker.Digested)
- n, isNamed := ref.(refdocker.Named)
- nt, isNamedAndTagged := ref.(refdocker.NamedTagged)
+ d, isDigested := ref.(reference.Digested)
+ n, isNamed := ref.(reference.Named)
+ nt, isNamedAndTagged := ref.(reference.NamedTagged)
// a name plus a digest
// example: name@sha256:41adb3ef...
@@ -168,7 +168,7 @@ func parseReference(imageName string) (refdocker.Reference, []string, error) {
// comma-separated filter is logically anded
return ref, []string{
fmt.Sprintf(`name~="^%s(:|@).*",target.digest==%q`, n.Name(), dgst),
- fmt.Sprintf(`name~="^%s(:|@).*",target.digest==%q`, refdocker.FamiliarName(n), dgst),
+ fmt.Sprintf(`name~="^%s(:|@).*",target.digest==%q`, reference.FamiliarName(n), dgst),
}, nil
}
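Review bot: In the two digest filters of `parseReference`, `n.Name()` and `reference.FamiliarName(n)` are interpolated into the `name~=` regular expression unescaped, so every `.` in a registry host or repository name acts as a wildcard. The impact looks small because the same filter also requires `target.digest==` to match, as the context comment about comma-separated terms being ANDed says. The assumption is still worth recording above the `fmt.Sprintf` calls, for example `// names are inserted unescaped ('.' matches any character); the ANDed digest term still pins the image content`. The migration only renames the package, and the function body starts and continues outside this hunk.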
@@ -184,7 +184,7 @@ func parseReference(imageName string) (refdocker.Reference, []string, error) {
tag := nt.Tag()
return familiarNamed(imageName), []string{
fmt.Sprintf(`name=="%s:%s"`, nt.Name(), tag),
- fmt.Sprintf(`name=="%s:%s"`, refdocker.FamiliarName(nt), tag),
+ fmt.Sprintf(`name=="%s:%s"`, reference.FamiliarName(nt), tag),
}, nil
}
@@ -193,7 +193,7 @@ func parseReference(imageName string) (refdocker.Reference, []string, error) {
// readImageConfig reads the config spec (`application/vnd.oci.image.config.v1+json`) for img.platform from content store.
// ported from https://github.com/containerd/nerdctl/blob/7dfbaa2122628921febeb097e7a8a86074dc931d/pkg/imgutil/imgutil.go#L377-L393
-func readImageConfig(ctx context.Context, img containerd.Image) (ocispec.Image, ocispec.Descriptor, error) {
+func readImageConfig(ctx context.Context, img client.Image) (ocispec.Image, ocispec.Descriptor, error) {
var config ocispec.Image
configDesc, err := img.Config(ctx) // aware of img.platform
@@ -211,19 +211,19 @@ func readImageConfig(ctx context.Context, img containerd.Image) (ocispec.Image,
}
// ported from https://github.com/containerd/nerdctl/blob/d110fea18018f13c3f798fa6565e482f3ff03591/pkg/inspecttypes/dockercompat/dockercompat.go#L279-L321
-func inspect(ctx context.Context, img containerd.Image, ref refdocker.Reference) (api.ImageInspect, []v1.History, refdocker.Reference, error) {
- if _, ok := ref.(refdocker.Digested); ok {
+func inspect(ctx context.Context, img client.Image, ref reference.Reference) (api.ImageInspect, []v1.History, reference.Reference, error) {
+ if _, ok := ref.(reference.Digested); ok {
ref = familiarNamed(img.Name())
}
var tag string
- if tagged, ok := ref.(refdocker.Tagged); ok {
+ if tagged, ok := ref.(reference.Tagged); ok {
tag = tagged.Tag()
}
var repository string
- if n, isNamed := ref.(refdocker.Named); isNamed {
- repository = refdocker.FamiliarName(n)
+ if n, isNamed := ref.(reference.Named); isNamed {
+ repository = reference.FamiliarName(n)
}
imgConfig, imgConfigDesc, err := readImageConfig(ctx, img)
diff --git a/pkg/fanal/image/registry/google/google.go b/pkg/fanal/image/registry/google/google.go
index 3c58f0de005f..19e91b024640 100644
--- a/pkg/fanal/image/registry/google/google.go
+++ b/pkg/fanal/image/registry/google/google.go
@@ -28,7 +28,15 @@ const gcrURLSuffix = ".gcr.io"
// Google artifact registry
const garURLSuffix = "-docker.pkg.dev"
+// Google mirror registry
+const gmrURLDomain = "mirror.gcr.io"
+
func (g *Registry) CheckOptions(domain string, option types.RegistryOptions) (intf.RegistryClient, error) {
+ // We assume there is no chance that `mirror.gcr.io` will require authentication.
+ // So we need to skip `mirror.gcr.io` to avoid errors confusing users when downloading DB's.
+ if domain == gmrURLDomain {
+ return nil, xerrors.Errorf("mirror.gcr.io doesn't require authentication")
+ }
if domain != gcrURLDomain && !strings.HasSuffix(domain, gcrURLSuffix) && !strings.HasSuffix(domain, garURLSuffix) {
return nil, xerrors.Errorf("Google registry: %w", types.InvalidURLPattern)
}
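Review bot: The new early return in `CheckOptions` builds a one-off string error, so a caller cannot tell this deliberate skip from a real failure with `errors.Is`, unlike the `types.InvalidURLPattern` branch directly below it. If callers treat `InvalidURLPattern` as "not handled by this provider" (not visible in this hunk), wrapping it would keep the mirror case on that path: `return nil, xerrors.Errorf("mirror.gcr.io doesn't require authentication: %w", types.InvalidURLPattern)`. As written the call has no format verbs, so `xerrors.New` is the more accurate constructor. The function body continues outside the hunk.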
diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
index 09bf98fd3da8..2efd3e7658f5 100644
--- a/pkg/fanal/secret/builtin-rules.go
+++ b/pkg/fanal/secret/builtin-rules.go
@@ -59,6 +59,7 @@ var (
CategoryNewRelic = types.SecretRuleCategory("NewRelic")
CategoryNpm = types.SecretRuleCategory("Npm")
CategoryPlanetscale = types.SecretRuleCategory("Planetscale")
+ CategoryPrivatePackagist = types.SecretRuleCategory("Private Packagist")
CategoryPostman = types.SecretRuleCategory("Postman")
CategoryPulumi = types.SecretRuleCategory("Pulumi")
CategoryRubyGems = types.SecretRuleCategory("RubyGems")
@@ -743,6 +744,15 @@ var builtinRules = []Rule{
Regex: MustCompile(`pscale_tkn_(?i)[a-z0-9\-_\.]{43}`),
Keywords: []string{"pscale_tkn_"},
},
+ {
+ ID: "private-packagist-token",
+ Category: CategoryPrivatePackagist,
+ Title: "Private Packagist token",
+ Severity: "HIGH",
+ // https://packagist.com/docs/composer-authentication#token-format
+ Regex: MustCompile(`packagist_[ou][ru]t_(?i)[a-f0-9]{68}`),
+ Keywords: []string{"packagist_uut_", "packagist_ort_", "packagist_out_"},
+ },
{
ID: "postman-api-token",
Category: CategoryPostman,
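Review bot: The prefix class `[ou][ru]t` in the new `private-packagist-token` rule accepts four prefixes (`ort`, `out`, `urt`, `uut`), while `Keywords` lists only three, so the regex and the keyword pre-filter disagree about what a token looks like. Assuming the three keywords are the full documented set, an explicit alternation keeps the two in step and is easier to read: `packagist_(?:ort|out|uut)_(?i)[a-f0-9]{68}`. The pattern also has no trailing boundary, so a longer hex run matches on its first 68 characters. That may be acceptable for a detector, but a short comment next to the format link would make the choice explicit.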
diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
index f17b1150dd4a..0df6403c13a7 100644
--- a/pkg/fanal/secret/scanner_test.go
+++ b/pkg/fanal/secret/scanner_test.go
@@ -668,6 +668,117 @@ func TestSecretScanner(t *testing.T) {
},
},
}
+ wantFindingPrivatePackagistOrgReadToken := types.SecretFinding{
+ RuleID: "private-packagist-token",
+ Category: secret.CategoryPrivatePackagist,
+ Title: "Private Packagist token",
+ Severity: "HIGH",
+ StartLine: 1,
+ EndLine: 1,
+ Match: "ORG_READ_TOKEN=**********************************************************************************",
+ Code: types.Code{
+ Lines: []types.Line{
+ {
+ Number: 1,
+ Content: "ORG_READ_TOKEN=**********************************************************************************",
+ Highlighted: "ORG_READ_TOKEN=**********************************************************************************",
+ IsCause: true,
+ FirstCause: true,
+ LastCause: true,
+ },
+ {
+ Number: 2,
+ Content: "ORG_WRITE_TOKEN=**********************************************************************************",
+ Highlighted: "ORG_WRITE_TOKEN=**********************************************************************************",
+ IsCause: false,
+ FirstCause: false,
+ LastCause: false,
+ },
+ },
+ },
+ }
+ wantFindingPrivatePackagistOrgUpdateToken := types.SecretFinding{
+ RuleID: "private-packagist-token",
+ Category: secret.CategoryPrivatePackagist,
+ Title: "Private Packagist token",
+ Severity: "HIGH",
+ StartLine: 2,
+ EndLine: 2,
+ Match: "ORG_WRITE_TOKEN=**********************************************************************************",
+ Code: types.Code{
+ Lines: []types.Line{
+ {
+ Number: 1,
+ Content: "ORG_READ_TOKEN=**********************************************************************************",
+ Highlighted: "ORG_READ_TOKEN=**********************************************************************************",
+ IsCause: false,
+ FirstCause: false,
+ LastCause: false,
+ },
+ {
+ Number: 2,
+ Content: "ORG_WRITE_TOKEN=**********************************************************************************",
+ Highlighted: "ORG_WRITE_TOKEN=**********************************************************************************",
+ IsCause: true,
+ FirstCause: true,
+ LastCause: true,
+ },
+ {
+ Number: 3,
+ Content: "USER_TOKEN=**********************************************************************************",
+ Highlighted: "USER_TOKEN=**********************************************************************************",
+ IsCause: false,
+ FirstCause: false,
+ LastCause: false,
+ },
+ },
+ },
+ }
+ wantFindingPrivatePackagistUserToken := types.SecretFinding{
+ RuleID: "private-packagist-token",
+ Category: secret.CategoryPrivatePackagist,
+ Title: "Private Packagist token",
+ Severity: "HIGH",
+ StartLine: 3,
+ EndLine: 3,
+ Match: "USER_TOKEN=**********************************************************************************",
+ Code: types.Code{
+ Lines: []types.Line{
+ {
+ Number: 1,
+ Content: "ORG_READ_TOKEN=**********************************************************************************",
+ Highlighted: "ORG_READ_TOKEN=**********************************************************************************",
+ IsCause: false,
+ FirstCause: false,
+ LastCause: false,
+ },
+ {
+ Number: 2,
+ Content: "ORG_WRITE_TOKEN=**********************************************************************************",
+ Highlighted: "ORG_WRITE_TOKEN=**********************************************************************************",
+ IsCause: false,
+ FirstCause: false,
+ LastCause: false,
+ },
+ {
+ Number: 3,
+ Content: "USER_TOKEN=**********************************************************************************",
+ Highlighted: "USER_TOKEN=**********************************************************************************",
+ IsCause: true,
+ FirstCause: true,
+ LastCause: true,
+ },
+ {
+ Number: 4,
+ Content: "",
+ Highlighted: "",
+ IsCause: false,
+ FirstCause: false,
+ LastCause: false,
+ },
+ },
+ },
+ }
wantFindingHuggingFace := types.SecretFinding{
RuleID: "hugging-face-access-token",
Category: secret.CategoryHuggingFace,
@@ -941,6 +1052,19 @@ func TestSecretScanner(t *testing.T) {
Findings: []types.SecretFinding{wantFindingJWT},
},
},
+ {
+ name: "find Private Packagist tokens",
+ configPath: filepath.Join("testdata", "config.yaml"),
+ inputFilePath: filepath.Join("testdata", "private-packagist.txt"),
+ want: types.Secret{
+ FilePath: filepath.Join("testdata", "private-packagist.txt"),
+ Findings: []types.SecretFinding{
+ wantFindingPrivatePackagistOrgReadToken,
+ wantFindingPrivatePackagistOrgUpdateToken,
+ wantFindingPrivatePackagistUserToken,
+ },
+ },
+ },
{
name: "include when keyword found",
configPath: filepath.Join("testdata", "config-happy-keywords.yaml"),
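Review bot: The added "find Private Packagist tokens" case only asserts three positive matches, so nothing in it pins the bounds of the rule (prefix set, 68-character length). A loosened regex would still pass this test. A second case against a separate fixture with constructed near-misses, such as a 67-character hex body or an unlisted prefix, that expects no findings would catch it; a separate file avoids shifting the line numbers the existing expectations depend on. `TestSecretScanner` starts and continues outside this hunk.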
diff --git a/pkg/fanal/secret/testdata/private-packagist.txt b/pkg/fanal/secret/testdata/private-packagist.txt
new file mode 100644
index 000000000000..cfcdb2169a28
--- /dev/null
+++ b/pkg/fanal/secret/testdata/private-packagist.txt
@@ -0,0 +1,3 @@
+ORG_READ_TOKEN=packagist_ort_6675e11a686c692f3f2e3b6ce528c3d122d22d912ea69a20713cdf51714ba710ad74
+ORG_WRITE_TOKEN=packagist_out_d63BD7be741c67ca810f924225b525fa5d20e6e1b316c8bfc0a1b33c68e4861bd5a4
+USER_TOKEN=packagist_uut_02f17e5917451dcdcc2995157e08cac2976a0373097b95d7021ba7a6844437973421
diff --git a/pkg/fanal/test/integration/containerd_test.go b/pkg/fanal/test/integration/containerd_test.go
index 420949cd42d3..375c5cd77c62 100644
--- a/pkg/fanal/test/integration/containerd_test.go
+++ b/pkg/fanal/test/integration/containerd_test.go
@@ -15,13 +15,12 @@ import (
"testing"
"time"
- "github.com/samber/lo"
-
- "github.com/containerd/containerd"
- "github.com/containerd/containerd/images"
- "github.com/containerd/containerd/namespaces"
+ "github.com/containerd/containerd/v2/client"
+ "github.com/containerd/containerd/v2/core/images"
+ "github.com/containerd/containerd/v2/pkg/namespaces"
dockercontainer "github.com/docker/docker/api/types/container"
v1 "github.com/google/go-containerregistry/pkg/v1"
+ "github.com/samber/lo"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/testcontainers/testcontainers-go"
@@ -37,7 +36,7 @@ import (
"github.com/aquasecurity/trivy/pkg/fanal/types"
)
-func setupContainerd(t *testing.T, ctx context.Context, namespace string) *containerd.Client {
+func setupContainerd(t *testing.T, ctx context.Context, namespace string) *client.Client {
t.Helper()
tmpDir := t.TempDir()
@@ -54,9 +53,9 @@ func setupContainerd(t *testing.T, ctx context.Context, namespace string) *conta
startContainerd(t, ctx, tmpDir)
// Retry up to 3 times until containerd is ready
- var client *containerd.Client
+ var c *client.Client
iteration, _, err := lo.AttemptWhileWithDelay(3, 1*time.Second, func(int, time.Duration) (error, bool) {
- client, err = containerd.New(socketPath)
+ c, err = client.New(socketPath)
if err != nil {
if !errors.Is(err, os.ErrPermission) {
return err, false // unexpected error
@@ -64,13 +63,13 @@ func setupContainerd(t *testing.T, ctx context.Context, namespace string) *conta
return err, true
}
t.Cleanup(func() {
- require.NoError(t, client.Close())
+ require.NoError(t, c.Close())
})
return nil, false
})
require.NoErrorf(t, err, "attempted %d times ", iteration)
- return client
+ return c
}
func startContainerd(t *testing.T, ctx context.Context, hostPath string) {
@@ -102,6 +101,7 @@ func startContainerd(t *testing.T, ctx context.Context, hostPath string) {
Started: true,
})
require.NoError(t, err)
+ testcontainers.CleanupContainer(t, containerdC)
_, _, err = containerdC.Exec(ctx, []string{
"chmod",
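Review bot: In `startContainerd`, `testcontainers.CleanupContainer(t, containerdC)` is registered after `require.NoError(t, err)`, so no cleanup is scheduled if container creation returns an error together with a partly started container. As far as I know `CleanupContainer` accepts a nil container, which is why the testcontainers documentation shows it before the error check. Swapping the two lines gives `testcontainers.CleanupContainer(t, containerdC)` followed by `require.NoError(t, err)`. The same ordering appears in `TestTLSRegistry` in `pkg/fanal/test/integration/registry_test.go`, where `CleanupContainer(t, registryC)` also follows the `require.NoError` call.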
@@ -109,10 +109,6 @@ func startContainerd(t *testing.T, ctx context.Context, hostPath string) {
"/run/containerd/containerd.sock",
})
require.NoError(t, err)
-
- t.Cleanup(func() {
- require.NoError(t, containerdC.Terminate(ctx))
- })
}
// Each of these tests imports an image and tags it with the name found in the
diff --git a/pkg/fanal/test/integration/library_test.go b/pkg/fanal/test/integration/library_test.go
index ebe17d6e2188..c124ee25826b 100644
--- a/pkg/fanal/test/integration/library_test.go
+++ b/pkg/fanal/test/integration/library_test.go
@@ -91,7 +91,7 @@ var tests = []testCase{
imageFile: "../../../../integration/testdata/fixtures/images/opensuse-leap-151.tar.gz",
wantOS: types.OS{
Name: "15.1",
- Family: "opensuse.leap",
+ Family: "opensuse-leap",
},
},
{
@@ -100,7 +100,7 @@ var tests = []testCase{
imageFile: "../../../../integration/testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
wantOS: types.OS{
Name: "20240607",
- Family: "opensuse.tumbleweed",
+ Family: "opensuse-tumbleweed",
},
},
{
@@ -110,7 +110,7 @@ var tests = []testCase{
imageFile: "../../../../integration/testdata/fixtures/images/suse-15.3_ndb.tar.gz",
wantOS: types.OS{
Name: "15.3",
- Family: "suse linux enterprise server",
+ Family: "sles",
},
},
{
diff --git a/pkg/fanal/test/integration/registry_test.go b/pkg/fanal/test/integration/registry_test.go
index 4bca93f0ccba..35a32536600e 100644
--- a/pkg/fanal/test/integration/registry_test.go
+++ b/pkg/fanal/test/integration/registry_test.go
@@ -73,7 +73,7 @@ func TestTLSRegistry(t *testing.T) {
Started: true,
})
require.NoError(t, err)
- defer registryC.Terminate(ctx)
+ testcontainers.CleanupContainer(t, registryC)
registryURL, err := getRegistryURL(ctx, registryC, registryPort)
require.NoError(t, err)
diff --git a/pkg/fanal/test/integration/testdata/goldens/packages/opensuse-tumbleweed.json.golden b/pkg/fanal/test/integration/testdata/goldens/packages/opensuse-tumbleweed.json.golden
index fa00e70aa6e6..1f36a656bc28 100644
--- a/pkg/fanal/test/integration/testdata/goldens/packages/opensuse-tumbleweed.json.golden
+++ b/pkg/fanal/test/integration/testdata/goldens/packages/opensuse-tumbleweed.json.golden
@@ -3,7 +3,7 @@
"ID": "aaa_base@84.87+git20240523.10a5692-1.1.x86_64",
"Name": "aaa_base",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/aaa_base@84.87%2Bgit20240523.10a5692-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/aaa_base@84.87%2Bgit20240523.10a5692-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "fe755017155caefc"
},
"Version": "84.87+git20240523.10a5692",
@@ -34,7 +34,7 @@
"ID": "bash@5.2.26-12.1.x86_64",
"Name": "bash",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/bash@5.2.26-12.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/bash@5.2.26-12.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "ce56393f87add219"
},
"Version": "5.2.26",
@@ -61,7 +61,7 @@
"ID": "bash-sh@5.2.26-12.1.noarch",
"Name": "bash-sh",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/bash-sh@5.2.26-12.1?arch=noarch&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/bash-sh@5.2.26-12.1?arch=noarch&distro=opensuse-tumbleweed-20240607",
"UID": "7363186d472571e0"
},
"Version": "5.2.26",
@@ -87,7 +87,7 @@
"ID": "boost-license1_85_0@1.85.0-1.2.noarch",
"Name": "boost-license1_85_0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/boost-license1_85_0@1.85.0-1.2?arch=noarch&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/boost-license1_85_0@1.85.0-1.2?arch=noarch&distro=opensuse-tumbleweed-20240607",
"UID": "2d87c856df6862ee"
},
"Version": "1.85.0",
@@ -110,7 +110,7 @@
"ID": "branding-openSUSE@84.87.20240405-1.2.noarch",
"Name": "branding-openSUSE",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/branding-openSUSE@84.87.20240405-1.2?arch=noarch&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/branding-openSUSE@84.87.20240405-1.2?arch=noarch&distro=opensuse-tumbleweed-20240607",
"UID": "acda90b5f91cb463"
},
"Version": "84.87.20240405",
@@ -133,7 +133,7 @@
"ID": "ca-certificates@2+git20240415.3fe9324-1.1.noarch",
"Name": "ca-certificates",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/ca-certificates@2%2Bgit20240415.3fe9324-1.1?arch=noarch&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/ca-certificates@2%2Bgit20240415.3fe9324-1.1?arch=noarch&distro=opensuse-tumbleweed-20240607",
"UID": "7a18ce239fe8c044"
},
"Version": "2+git20240415.3fe9324",
@@ -162,7 +162,7 @@
"ID": "ca-certificates-mozilla@2.66-1.2.noarch",
"Name": "ca-certificates-mozilla",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/ca-certificates-mozilla@2.66-1.2?arch=noarch&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/ca-certificates-mozilla@2.66-1.2?arch=noarch&distro=opensuse-tumbleweed-20240607",
"UID": "362f343aa3c5d416"
},
"Version": "2.66",
@@ -189,7 +189,7 @@
"ID": "coreutils@9.5-1.1.x86_64",
"Name": "coreutils",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/coreutils@9.5-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/coreutils@9.5-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "9483aa372c47866d"
},
"Version": "9.5",
@@ -221,7 +221,7 @@
"ID": "cracklib-dict-small@2.9.11-1.4.x86_64",
"Name": "cracklib-dict-small",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/cracklib-dict-small@2.9.11-1.4?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/cracklib-dict-small@2.9.11-1.4?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "cc38aea883124e41"
},
"Version": "2.9.11",
@@ -244,7 +244,7 @@
"ID": "crypto-policies@20230920.570ea89-3.2.noarch",
"Name": "crypto-policies",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/crypto-policies@20230920.570ea89-3.2?arch=noarch&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/crypto-policies@20230920.570ea89-3.2?arch=noarch&distro=opensuse-tumbleweed-20240607",
"UID": "ebef887879b412aa"
},
"Version": "20230920.570ea89",
@@ -267,7 +267,7 @@
"ID": "curl@8.8.0-1.1.x86_64",
"Name": "curl",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/curl@8.8.0-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/curl@8.8.0-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "50b6514bae052e62"
},
"Version": "8.8.0",
@@ -295,7 +295,7 @@
"ID": "file-magic@5.45-2.2.noarch",
"Name": "file-magic",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/file-magic@5.45-2.2?arch=noarch&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/file-magic@5.45-2.2?arch=noarch&distro=opensuse-tumbleweed-20240607",
"UID": "9318efe3deebc83a"
},
"Version": "5.45",
@@ -318,7 +318,7 @@
"ID": "filesystem@84.87-15.3.x86_64",
"Name": "filesystem",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/filesystem@84.87-15.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/filesystem@84.87-15.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "379508af5bc6bae5"
},
"Version": "84.87",
@@ -344,7 +344,7 @@
"ID": "fillup@1.42-281.1.x86_64",
"Name": "fillup",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/fillup@1.42-281.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/fillup@1.42-281.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "7d48bfb3846c8056"
},
"Version": "1.42",
@@ -370,7 +370,7 @@
"ID": "glibc@2.39-9.1.x86_64",
"Name": "glibc",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/glibc@2.39-9.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/glibc@2.39-9.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "77433316d747193b"
},
"Version": "2.39",
@@ -396,7 +396,7 @@
"ID": "glibc-locale-base@2.39-9.1.x86_64",
"Name": "glibc-locale-base",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/glibc-locale-base@2.39-9.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/glibc-locale-base@2.39-9.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "7f6f8a5c2e27af75"
},
"Version": "2.39",
@@ -422,7 +422,7 @@
"ID": "gpg-pubkey@29b700a4-62b07e22.",
"Name": "gpg-pubkey",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/gpg-pubkey@29b700a4-62b07e22?arch=None&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/gpg-pubkey@29b700a4-62b07e22?arch=None&distro=opensuse-tumbleweed-20240607",
"UID": "562934f3f56669a5"
},
"Version": "29b700a4",
@@ -440,7 +440,7 @@
"ID": "gpg-pubkey@39db7c82-510a966b.",
"Name": "gpg-pubkey",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/gpg-pubkey@39db7c82-510a966b?arch=None&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/gpg-pubkey@39db7c82-510a966b?arch=None&distro=opensuse-tumbleweed-20240607",
"UID": "5e72dadde79df0d4"
},
"Version": "39db7c82",
@@ -458,7 +458,7 @@
"ID": "gpg2@2.4.5-1.1.x86_64",
"Name": "gpg2",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/gpg2@2.4.5-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/gpg2@2.4.5-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "e95cc1c58ec7e824"
},
"Version": "2.4.5",
@@ -496,7 +496,7 @@
"ID": "grep@3.11-3.1.x86_64",
"Name": "grep",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/grep@3.11-3.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/grep@3.11-3.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "7c3b5ec5d53fa9f9"
},
"Version": "3.11",
@@ -524,7 +524,7 @@
"ID": "gzip@1.13-3.1.x86_64",
"Name": "gzip",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/gzip@1.13-3.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/gzip@1.13-3.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "f51af60e831e41e"
},
"Version": "1.13",
@@ -551,7 +551,7 @@
"ID": "krb5@1.21.2-5.1.x86_64",
"Name": "krb5",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/krb5@1.21.2-5.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/krb5@1.21.2-5.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "f22a7694d8a232ac"
},
"Version": "1.21.2",
@@ -583,7 +583,7 @@
"ID": "libabsl_lite_2401_0_0@20240116.2-2.1.x86_64",
"Name": "libabsl_lite_2401_0_0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libabsl_lite_2401_0_0@20240116.2-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libabsl_lite_2401_0_0@20240116.2-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "24307f175234d50"
},
"Version": "20240116.2",
@@ -611,7 +611,7 @@
"ID": "libacl1@2.3.2-2.1.x86_64",
"Name": "libacl1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libacl1@2.3.2-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libacl1@2.3.2-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "6e55e249889869ed"
},
"Version": "2.3.2",
@@ -637,7 +637,7 @@
"ID": "libassuan0@2.5.7-1.1.x86_64",
"Name": "libassuan0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libassuan0@2.5.7-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libassuan0@2.5.7-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "4a9f149fc3b4d802"
},
"Version": "2.5.7",
@@ -664,7 +664,7 @@
"ID": "libattr1@2.5.2-1.2.x86_64",
"Name": "libattr1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libattr1@2.5.2-1.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libattr1@2.5.2-1.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "bf6e596e053cc667"
},
"Version": "2.5.2",
@@ -690,7 +690,7 @@
"ID": "libaudit1@3.1.1-1.6.x86_64",
"Name": "libaudit1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libaudit1@3.1.1-1.6?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libaudit1@3.1.1-1.6?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "c2ab09cc3b09bf56"
},
"Version": "3.1.1",
@@ -716,7 +716,7 @@
"ID": "libaugeas0@1.14.1-1.3.x86_64",
"Name": "libaugeas0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libaugeas0@1.14.1-1.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libaugeas0@1.14.1-1.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "bc9b541f623eec37"
},
"Version": "1.14.1",
@@ -744,7 +744,7 @@
"ID": "libblkid1@2.40.1-2.1.x86_64",
"Name": "libblkid1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libblkid1@2.40.1-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libblkid1@2.40.1-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "bcf4491906d1eb4d"
},
"Version": "2.40.1",
@@ -771,7 +771,7 @@
"ID": "libboost_thread1_85_0@1.85.0-1.2.x86_64",
"Name": "libboost_thread1_85_0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libboost_thread1_85_0@1.85.0-1.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libboost_thread1_85_0@1.85.0-1.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "b8612fd1d8aa51a7"
},
"Version": "1.85.0",
@@ -800,7 +800,7 @@
"ID": "libbrotlicommon1@1.1.0-1.3.x86_64",
"Name": "libbrotlicommon1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libbrotlicommon1@1.1.0-1.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libbrotlicommon1@1.1.0-1.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "f1d7b84b18abde08"
},
"Version": "1.1.0",
@@ -826,7 +826,7 @@
"ID": "libbrotlidec1@1.1.0-1.3.x86_64",
"Name": "libbrotlidec1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libbrotlidec1@1.1.0-1.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libbrotlidec1@1.1.0-1.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "5c297a82e6701a0d"
},
"Version": "1.1.0",
@@ -853,7 +853,7 @@
"ID": "libbz2-1@1.0.8-5.10.x86_64",
"Name": "libbz2-1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libbz2-1@1.0.8-5.10?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libbz2-1@1.0.8-5.10?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "702f3dd378cba8f0"
},
"Version": "1.0.8",
@@ -879,7 +879,7 @@
"ID": "libcap-ng0@0.8.5-1.1.x86_64",
"Name": "libcap-ng0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libcap-ng0@0.8.5-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libcap-ng0@0.8.5-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "b40d6fdd09912405"
},
"Version": "0.8.5",
@@ -905,7 +905,7 @@
"ID": "libcap2@2.70-1.1.x86_64",
"Name": "libcap2",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libcap2@2.70-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libcap2@2.70-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "c33018bbf8c4bdfa"
},
"Version": "2.70",
@@ -931,7 +931,7 @@
"ID": "libcom_err2@1.47.0-4.2.x86_64",
"Name": "libcom_err2",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libcom_err2@1.47.0-4.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libcom_err2@1.47.0-4.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "58b023020895cfea"
},
"Version": "1.47.0",
@@ -957,7 +957,7 @@
"ID": "libcrypt1@4.4.36-1.6.x86_64",
"Name": "libcrypt1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libcrypt1@4.4.36-1.6?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libcrypt1@4.4.36-1.6?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "541be9a801034440"
},
"Version": "4.4.36",
@@ -983,7 +983,7 @@
"ID": "libcurl4@8.8.0-1.1.x86_64",
"Name": "libcurl4",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libcurl4@8.8.0-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libcurl4@8.8.0-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "59c3c7a8962c110a"
},
"Version": "8.8.0",
@@ -1019,7 +1019,7 @@
"ID": "libeconf0@0.6.3-1.1.x86_64",
"Name": "libeconf0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libeconf0@0.6.3-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libeconf0@0.6.3-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "9e3e97464bc6164b"
},
"Version": "0.6.3",
@@ -1045,7 +1045,7 @@
"ID": "libfa1@1.14.1-1.3.x86_64",
"Name": "libfa1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libfa1@1.14.1-1.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libfa1@1.14.1-1.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "9df420b84b79a62"
},
"Version": "1.14.1",
@@ -1071,7 +1071,7 @@
"ID": "libfdisk1@2.40.1-2.1.x86_64",
"Name": "libfdisk1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libfdisk1@2.40.1-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libfdisk1@2.40.1-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "ab47b44e7c45eab1"
},
"Version": "2.40.1",
@@ -1099,7 +1099,7 @@
"ID": "libffi8@3.4.6-1.1.x86_64",
"Name": "libffi8",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libffi8@3.4.6-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libffi8@3.4.6-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "a569681a5276bde6"
},
"Version": "3.4.6",
@@ -1125,7 +1125,7 @@
"ID": "libgcc_s1@14.1.0+git10173-1.1.x86_64",
"Name": "libgcc_s1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libgcc_s1@14.1.0%2Bgit10173-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libgcc_s1@14.1.0%2Bgit10173-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "3130b825fbc3a81e"
},
"Version": "14.1.0+git10173",
@@ -1151,7 +1151,7 @@
"ID": "libgcrypt20@1.10.3-3.3.x86_64",
"Name": "libgcrypt20",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libgcrypt20@1.10.3-3.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libgcrypt20@1.10.3-3.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "ac38e6e75132d1c6"
},
"Version": "1.10.3",
@@ -1178,7 +1178,7 @@
"ID": "libglib-2_0-0@2.80.2-1.1.x86_64",
"Name": "libglib-2_0-0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libglib-2_0-0@2.80.2-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libglib-2_0-0@2.80.2-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "e3dccc27a6f44a3d"
},
"Version": "2.80.2",
@@ -1205,7 +1205,7 @@
"ID": "libgmp10@6.3.0-3.2.x86_64",
"Name": "libgmp10",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libgmp10@6.3.0-3.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libgmp10@6.3.0-3.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "fb3994e26d59ae4f"
},
"Version": "6.3.0",
@@ -1231,7 +1231,7 @@
"ID": "libgpg-error0@1.49-1.1.x86_64",
"Name": "libgpg-error0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libgpg-error0@1.49-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libgpg-error0@1.49-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "a3b16ea69b05fe60"
},
"Version": "1.49",
@@ -1257,7 +1257,7 @@
"ID": "libgpgme11@1.23.2-4.2.x86_64",
"Name": "libgpgme11",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libgpgme11@1.23.2-4.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libgpgme11@1.23.2-4.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "6d9271ab523fb009"
},
"Version": "1.23.2",
@@ -1286,7 +1286,7 @@
"ID": "libidn2-0@2.3.7-1.2.x86_64",
"Name": "libidn2-0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libidn2-0@2.3.7-1.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libidn2-0@2.3.7-1.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "ae81c3e9fc0d0fc3"
},
"Version": "2.3.7",
@@ -1313,7 +1313,7 @@
"ID": "libkeyutils1@1.6.3-7.2.x86_64",
"Name": "libkeyutils1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libkeyutils1@1.6.3-7.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libkeyutils1@1.6.3-7.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "f9f931edfe4b540c"
},
"Version": "1.6.3",
@@ -1339,7 +1339,7 @@
"ID": "libksba8@1.6.6-1.1.x86_64",
"Name": "libksba8",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libksba8@1.6.6-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libksba8@1.6.6-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "c532eef98bb36938"
},
"Version": "1.6.6",
@@ -1366,7 +1366,7 @@
"ID": "libldap2@2.6.7-2.1.x86_64",
"Name": "libldap2",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libldap2@2.6.7-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libldap2@2.6.7-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "55fa8e45be9ed78"
},
"Version": "2.6.7",
@@ -1394,7 +1394,7 @@
"ID": "liblua5_4-5@5.4.6-3.3.x86_64",
"Name": "liblua5_4-5",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/liblua5_4-5@5.4.6-3.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/liblua5_4-5@5.4.6-3.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "98b4001b2f59f46"
},
"Version": "5.4.6",
@@ -1420,7 +1420,7 @@
"ID": "liblz4-1@1.9.4-2.8.x86_64",
"Name": "liblz4-1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/liblz4-1@1.9.4-2.8?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/liblz4-1@1.9.4-2.8?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "267a6bfb140f0d45"
},
"Version": "1.9.4",
@@ -1446,7 +1446,7 @@
"ID": "liblzma5@5.6.2-1.1.x86_64",
"Name": "liblzma5",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/liblzma5@5.6.2-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/liblzma5@5.6.2-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "304510f1f6669e2c"
},
"Version": "5.6.2",
@@ -1472,7 +1472,7 @@
"ID": "libmagic1@5.45-2.2.x86_64",
"Name": "libmagic1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libmagic1@5.45-2.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libmagic1@5.45-2.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "d8fdc2934df34a83"
},
"Version": "5.45",
@@ -1503,7 +1503,7 @@
"ID": "libmount1@2.40.1-2.1.x86_64",
"Name": "libmount1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libmount1@2.40.1-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libmount1@2.40.1-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "8386ec24a06557ea"
},
"Version": "2.40.1",
@@ -1531,7 +1531,7 @@
"ID": "libncurses6@6.5.20240601-38.1.x86_64",
"Name": "libncurses6",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libncurses6@6.5.20240601-38.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libncurses6@6.5.20240601-38.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "9513bf16199cee6b"
},
"Version": "6.5.20240601",
@@ -1560,7 +1560,7 @@
"ID": "libnghttp2-14@1.61.0-1.1.x86_64",
"Name": "libnghttp2-14",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libnghttp2-14@1.61.0-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libnghttp2-14@1.61.0-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "de28696676fc1ebd"
},
"Version": "1.61.0",
@@ -1586,7 +1586,7 @@
"ID": "libnpth0@1.7-1.1.x86_64",
"Name": "libnpth0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libnpth0@1.7-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libnpth0@1.7-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "7bff27e583fb62b3"
},
"Version": "1.7",
@@ -1612,7 +1612,7 @@
"ID": "libnss_usrfiles2@2.27.1-1.2.x86_64",
"Name": "libnss_usrfiles2",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libnss_usrfiles2@2.27.1-1.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libnss_usrfiles2@2.27.1-1.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "d3c8c8f840c86b12"
},
"Version": "2.27.1",
@@ -1638,7 +1638,7 @@
"ID": "libopenssl-3-fips-provider@3.1.4-9.1.x86_64",
"Name": "libopenssl-3-fips-provider",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libopenssl-3-fips-provider@3.1.4-9.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libopenssl-3-fips-provider@3.1.4-9.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "65c56c2870042412"
},
"Version": "3.1.4",
@@ -1665,7 +1665,7 @@
"ID": "libopenssl3@3.1.4-9.1.x86_64",
"Name": "libopenssl3",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libopenssl3@3.1.4-9.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libopenssl3@3.1.4-9.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "f051425f385d2b99"
},
"Version": "3.1.4",
@@ -1693,7 +1693,7 @@
"ID": "libp11-kit0@0.25.3-1.3.x86_64",
"Name": "libp11-kit0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libp11-kit0@0.25.3-1.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libp11-kit0@0.25.3-1.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "fbca9a69218ce8e7"
},
"Version": "0.25.3",
@@ -1720,7 +1720,7 @@
"ID": "libpcre2-8-0@10.43-3.1.x86_64",
"Name": "libpcre2-8-0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libpcre2-8-0@10.43-3.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libpcre2-8-0@10.43-3.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "dabdfbc56d214ae6"
},
"Version": "10.43",
@@ -1746,7 +1746,7 @@
"ID": "libpopt0@1.19-1.8.x86_64",
"Name": "libpopt0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libpopt0@1.19-1.8?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libpopt0@1.19-1.8?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "98fa32fcd9ee1e39"
},
"Version": "1.19",
@@ -1772,7 +1772,7 @@
"ID": "libprocps8@3.3.17-17.1.x86_64",
"Name": "libprocps8",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libprocps8@3.3.17-17.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libprocps8@3.3.17-17.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "f874f4997e1438be"
},
"Version": "3.3.17",
@@ -1799,7 +1799,7 @@
"ID": "libprotobuf-lite25_3_0@25.3-11.2.x86_64",
"Name": "libprotobuf-lite25_3_0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libprotobuf-lite25_3_0@25.3-11.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libprotobuf-lite25_3_0@25.3-11.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "b306bfd6494e6405"
},
"Version": "25.3",
@@ -1828,7 +1828,7 @@
"ID": "libpsl5@0.21.5-1.2.x86_64",
"Name": "libpsl5",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libpsl5@0.21.5-1.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libpsl5@0.21.5-1.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "5d2411f7ede68692"
},
"Version": "0.21.5",
@@ -1856,7 +1856,7 @@
"ID": "libreadline8@8.2.10-1.3.x86_64",
"Name": "libreadline8",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libreadline8@8.2.10-1.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libreadline8@8.2.10-1.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "9271e2cd0119054c"
},
"Version": "8.2.10",
@@ -1883,7 +1883,7 @@
"ID": "libsasl2-3@2.1.28-8.1.x86_64",
"Name": "libsasl2-3",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libsasl2-3@2.1.28-8.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libsasl2-3@2.1.28-8.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "fe2536ad8601f334"
},
"Version": "2.1.28",
@@ -1909,7 +1909,7 @@
"ID": "libselinux1@3.6-1.3.x86_64",
"Name": "libselinux1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libselinux1@3.6-1.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libselinux1@3.6-1.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "6bc8fe60a073ba96"
},
"Version": "3.6",
@@ -1936,7 +1936,7 @@
"ID": "libsemanage-conf@3.6-2.1.x86_64",
"Name": "libsemanage-conf",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libsemanage-conf@3.6-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libsemanage-conf@3.6-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "56c91988ca2e8ce5"
},
"Version": "3.6",
@@ -1959,7 +1959,7 @@
"ID": "libsemanage2@3.6-2.1.x86_64",
"Name": "libsemanage2",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libsemanage2@3.6-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libsemanage2@3.6-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "d945b0271ed45cf5"
},
"Version": "3.6",
@@ -1990,7 +1990,7 @@
"ID": "libsepol2@3.6-1.3.x86_64",
"Name": "libsepol2",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libsepol2@3.6-1.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libsepol2@3.6-1.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "f2aaf81754d3169d"
},
"Version": "3.6",
@@ -2016,7 +2016,7 @@
"ID": "libsigc-2_0-0@2.12.1-2.3.x86_64",
"Name": "libsigc-2_0-0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libsigc-2_0-0@2.12.1-2.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libsigc-2_0-0@2.12.1-2.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "c4d52d6f33dee391"
},
"Version": "2.12.1",
@@ -2044,7 +2044,7 @@
"ID": "libsmartcols1@2.40.1-2.1.x86_64",
"Name": "libsmartcols1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libsmartcols1@2.40.1-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libsmartcols1@2.40.1-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "5302abe63411170d"
},
"Version": "2.40.1",
@@ -2070,7 +2070,7 @@
"ID": "libsolv-tools-base@0.7.29-1.1.x86_64",
"Name": "libsolv-tools-base",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libsolv-tools-base@0.7.29-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libsolv-tools-base@0.7.29-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "f2adb3efc201c696"
},
"Version": "0.7.29",
@@ -2102,7 +2102,7 @@
"ID": "libsqlite3-0@3.46.0-1.1.x86_64",
"Name": "libsqlite3-0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libsqlite3-0@3.46.0-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libsqlite3-0@3.46.0-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "d9bf1a49d16f0c"
},
"Version": "3.46.0",
@@ -2128,7 +2128,7 @@
"ID": "libssh-config@0.10.6-2.1.x86_64",
"Name": "libssh-config",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libssh-config@0.10.6-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libssh-config@0.10.6-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "8628d51e34c2f5b1"
},
"Version": "0.10.6",
@@ -2151,7 +2151,7 @@
"ID": "libssh4@0.10.6-2.1.x86_64",
"Name": "libssh4",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libssh4@0.10.6-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libssh4@0.10.6-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "d07880785aee16c8"
},
"Version": "0.10.6",
@@ -2181,7 +2181,7 @@
"ID": "libstdc++6@14.1.0+git10173-1.1.x86_64",
"Name": "libstdc++6",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libstdc%2B%2B6@14.1.0%2Bgit10173-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libstdc%2B%2B6@14.1.0%2Bgit10173-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "f3345c3d3261e7e9"
},
"Version": "14.1.0+git10173",
@@ -2208,7 +2208,7 @@
"ID": "libsubid4@4.15.1-1.2.x86_64",
"Name": "libsubid4",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libsubid4@4.15.1-1.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libsubid4@4.15.1-1.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "e155b313aa6da812"
},
"Version": "4.15.1",
@@ -2236,7 +2236,7 @@
"ID": "libsystemd0@255.7-2.1.x86_64",
"Name": "libsystemd0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libsystemd0@255.7-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libsystemd0@255.7-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "4fa3c2608f054287"
},
"Version": "255.7",
@@ -2267,7 +2267,7 @@
"ID": "libtasn1-6@4.19.0-1.7.x86_64",
"Name": "libtasn1-6",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libtasn1-6@4.19.0-1.7?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libtasn1-6@4.19.0-1.7?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "35e287fcdf033bd1"
},
"Version": "4.19.0",
@@ -2293,7 +2293,7 @@
"ID": "libudev1@255.7-2.1.x86_64",
"Name": "libudev1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libudev1@255.7-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libudev1@255.7-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "4ae1c62105f1f901"
},
"Version": "255.7",
@@ -2320,7 +2320,7 @@
"ID": "libunistring5@1.2-1.1.x86_64",
"Name": "libunistring5",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libunistring5@1.2-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libunistring5@1.2-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "e8be56f8ad59a760"
},
"Version": "1.2",
@@ -2346,7 +2346,7 @@
"ID": "libusb-1_0-0@1.0.27-1.2.x86_64",
"Name": "libusb-1_0-0",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libusb-1_0-0@1.0.27-1.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libusb-1_0-0@1.0.27-1.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "dab90c8d517b4ee4"
},
"Version": "1.0.27",
@@ -2373,7 +2373,7 @@
"ID": "libuuid1@2.40.1-2.1.x86_64",
"Name": "libuuid1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libuuid1@2.40.1-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libuuid1@2.40.1-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "bc5c46e1650d4a95"
},
"Version": "2.40.1",
@@ -2399,7 +2399,7 @@
"ID": "libverto1@0.3.2-3.3.x86_64",
"Name": "libverto1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libverto1@0.3.2-3.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libverto1@0.3.2-3.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "8c13b7ac8ed99616"
},
"Version": "0.3.2",
@@ -2425,7 +2425,7 @@
"ID": "libxml2-2@2.12.7-1.1.x86_64",
"Name": "libxml2-2",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libxml2-2@2.12.7-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libxml2-2@2.12.7-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "1285499ab636c5d9"
},
"Version": "2.12.7",
@@ -2453,7 +2453,7 @@
"ID": "libyaml-cpp0_8@0.8.0-1.3.x86_64",
"Name": "libyaml-cpp0_8",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libyaml-cpp0_8@0.8.0-1.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libyaml-cpp0_8@0.8.0-1.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "d743795a2d65f87b"
},
"Version": "0.8.0",
@@ -2481,7 +2481,7 @@
"ID": "libz1@1.3.1-1.1.x86_64",
"Name": "libz1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libz1@1.3.1-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libz1@1.3.1-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "f09857fffac622a"
},
"Version": "1.3.1",
@@ -2507,7 +2507,7 @@
"ID": "libzck1@1.4.0-2.1.x86_64",
"Name": "libzck1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libzck1@1.4.0-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libzck1@1.4.0-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "76b3d8e58402a974"
},
"Version": "1.4.0",
@@ -2535,7 +2535,7 @@
"ID": "libzstd1@1.5.6-1.1.x86_64",
"Name": "libzstd1",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libzstd1@1.5.6-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libzstd1@1.5.6-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "4edc1117cd2019eb"
},
"Version": "1.5.6",
@@ -2561,7 +2561,7 @@
"ID": "libzypp@17.34.1-1.1.x86_64",
"Name": "libzypp",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/libzypp@17.34.1-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/libzypp@17.34.1-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "3545239e91f3bd9"
},
"Version": "17.34.1",
@@ -2606,7 +2606,7 @@
"ID": "login_defs@4.15.1-1.2.noarch",
"Name": "login_defs",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/login_defs@4.15.1-1.2?arch=noarch&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/login_defs@4.15.1-1.2?arch=noarch&distro=opensuse-tumbleweed-20240607",
"UID": "1695371f9551a301"
},
"Version": "4.15.1",
@@ -2632,7 +2632,7 @@
"ID": "lsb-release@3.3-1.3.noarch",
"Name": "lsb-release",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/lsb-release@3.3-1.3?arch=noarch&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/lsb-release@3.3-1.3?arch=noarch&distro=opensuse-tumbleweed-20240607",
"UID": "8c82a3a248c52a13"
},
"Version": "3.3",
@@ -2659,7 +2659,7 @@
"ID": "ncurses-utils@6.5.20240601-38.1.x86_64",
"Name": "ncurses-utils",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/ncurses-utils@6.5.20240601-38.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/ncurses-utils@6.5.20240601-38.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "90d23a67ceb37784"
},
"Version": "6.5.20240601",
@@ -2686,7 +2686,7 @@
"ID": "netcfg@11.6-13.3.noarch",
"Name": "netcfg",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/netcfg@11.6-13.3?arch=noarch&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/netcfg@11.6-13.3?arch=noarch&distro=opensuse-tumbleweed-20240607",
"UID": "c32526003d9c5528"
},
"Version": "11.6",
@@ -2712,7 +2712,7 @@
"ID": "openSUSE-build-key@1.0-53.1.x86_64",
"Name": "openSUSE-build-key",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/openSUSE-build-key@1.0-53.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/openSUSE-build-key@1.0-53.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "ed8309d0e84993e4"
},
"Version": "1.0",
@@ -2739,7 +2739,7 @@
"ID": "openSUSE-release@20240607-2943.1.x86_64",
"Name": "openSUSE-release",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/openSUSE-release@20240607-2943.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/openSUSE-release@20240607-2943.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "ad908712f8c8e5ab"
},
"Version": "20240607",
@@ -2766,7 +2766,7 @@
"ID": "openSUSE-release-appliance-docker@20240607-2943.1.x86_64",
"Name": "openSUSE-release-appliance-docker",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/openSUSE-release-appliance-docker@20240607-2943.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/openSUSE-release-appliance-docker@20240607-2943.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "46f06026407817a0"
},
"Version": "20240607",
@@ -2789,7 +2789,7 @@
"ID": "openssl@3.1.4-3.2.noarch",
"Name": "openssl",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/openssl@3.1.4-3.2?arch=noarch&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/openssl@3.1.4-3.2?arch=noarch&distro=opensuse-tumbleweed-20240607",
"UID": "cd2ead77021cf857"
},
"Version": "3.1.4",
@@ -2815,7 +2815,7 @@
"ID": "openssl-3@3.1.4-9.1.x86_64",
"Name": "openssl-3",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/openssl-3@3.1.4-9.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/openssl-3@3.1.4-9.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "da148866e5ba5d92"
},
"Version": "3.1.4",
@@ -2846,7 +2846,7 @@
"ID": "p11-kit@0.25.3-1.3.x86_64",
"Name": "p11-kit",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/p11-kit@0.25.3-1.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/p11-kit@0.25.3-1.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "7da38dbf3cd84149"
},
"Version": "0.25.3",
@@ -2874,7 +2874,7 @@
"ID": "p11-kit-tools@0.25.3-1.3.x86_64",
"Name": "p11-kit-tools",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/p11-kit-tools@0.25.3-1.3?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/p11-kit-tools@0.25.3-1.3?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "fb534863cc7b3050"
},
"Version": "0.25.3",
@@ -2902,7 +2902,7 @@
"ID": "pam@1.6.1-1.1.x86_64",
"Name": "pam",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/pam@1.6.1-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/pam@1.6.1-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "2cc82a7c85091dc0"
},
"Version": "1.6.1",
@@ -2935,7 +2935,7 @@
"ID": "patterns-base-fips@20200505-51.1.x86_64",
"Name": "patterns-base-fips",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/patterns-base-fips@20200505-51.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/patterns-base-fips@20200505-51.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "70a74594ade38509"
},
"Version": "20200505",
@@ -2958,7 +2958,7 @@
"ID": "patterns-base-minimal_base@20200505-51.1.x86_64",
"Name": "patterns-base-minimal_base",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/patterns-base-minimal_base@20200505-51.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/patterns-base-minimal_base@20200505-51.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "22550c4b68de6581"
},
"Version": "20200505",
@@ -2987,7 +2987,7 @@
"ID": "permctl@1699_20240522-1.1.x86_64",
"Name": "permctl",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/permctl@1699_20240522-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/permctl@1699_20240522-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "cfcd9931dafbea39"
},
"Version": "1699_20240522",
@@ -3016,7 +3016,7 @@
"ID": "permissions@1699_20240522-1.1.x86_64",
"Name": "permissions",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/permissions@1699_20240522-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/permissions@1699_20240522-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "971d93fae8da6b23"
},
"Version": "1699_20240522",
@@ -3043,7 +3043,7 @@
"ID": "permissions-config@1699_20240522-1.1.noarch",
"Name": "permissions-config",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/permissions-config@1699_20240522-1.1?arch=noarch&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/permissions-config@1699_20240522-1.1?arch=noarch&distro=opensuse-tumbleweed-20240607",
"UID": "8bd3994be34b3e73"
},
"Version": "1699_20240522",
@@ -3072,7 +3072,7 @@
"ID": "pinentry@1.2.1-3.5.x86_64",
"Name": "pinentry",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/pinentry@1.2.1-3.5?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/pinentry@1.2.1-3.5?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "90686edea2822ef8"
},
"Version": "1.2.1",
@@ -3102,7 +3102,7 @@
"ID": "procps@3.3.17-17.1.x86_64",
"Name": "procps",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/procps@3.3.17-17.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/procps@3.3.17-17.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "41a25e357a85fe17"
},
"Version": "3.3.17",
@@ -3131,7 +3131,7 @@
"ID": "rpm@4.19.1.1-3.2.x86_64",
"Name": "rpm",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/rpm@4.19.1.1-3.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/rpm@4.19.1.1-3.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "6385ed7e7827135a"
},
"Version": "4.19.1.1",
@@ -3170,7 +3170,7 @@
"ID": "rpm-config-SUSE@20240214-1.2.noarch",
"Name": "rpm-config-SUSE",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/rpm-config-SUSE@20240214-1.2?arch=noarch&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/rpm-config-SUSE@20240214-1.2?arch=noarch&distro=opensuse-tumbleweed-20240607",
"UID": "b0a53b3b9cd8de6e"
},
"Version": "20240214",
@@ -3198,7 +3198,7 @@
"ID": "sed@4.9-2.6.x86_64",
"Name": "sed",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/sed@4.9-2.6?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/sed@4.9-2.6?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "465c6c9c97824acd"
},
"Version": "4.9",
@@ -3226,7 +3226,7 @@
"ID": "shadow@4.15.1-1.2.x86_64",
"Name": "shadow",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/shadow@4.15.1-1.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/shadow@4.15.1-1.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "7fefaa914168ef4f"
},
"Version": "4.15.1",
@@ -3265,7 +3265,7 @@
"ID": "system-user-root@20190513-2.16.noarch",
"Name": "system-user-root",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/system-user-root@20190513-2.16?arch=noarch&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/system-user-root@20190513-2.16?arch=noarch&distro=opensuse-tumbleweed-20240607",
"UID": "cc450033801f0db5"
},
"Version": "20190513",
@@ -3288,7 +3288,7 @@
"ID": "tar@1.35-2.2.x86_64",
"Name": "tar",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/tar@1.35-2.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/tar@1.35-2.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "6f7d60b91f9b815f"
},
"Version": "1.35",
@@ -3316,7 +3316,7 @@
"ID": "terminfo-base@6.5.20240601-38.1.x86_64",
"Name": "terminfo-base",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/terminfo-base@6.5.20240601-38.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/terminfo-base@6.5.20240601-38.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "ba53240ca965e6c0"
},
"Version": "6.5.20240601",
@@ -3342,7 +3342,7 @@
"ID": "timezone@2024a-3.2.x86_64",
"Name": "timezone",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/timezone@2024a-3.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/timezone@2024a-3.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "aa7fc225c615b895"
},
"Version": "2024a",
@@ -3369,7 +3369,7 @@
"ID": "util-linux@2.40.1-2.1.x86_64",
"Name": "util-linux",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/util-linux@2.40.1-2.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/util-linux@2.40.1-2.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "1440e3eb3dfc6c5"
},
"Version": "2.40.1",
@@ -3412,7 +3412,7 @@
"ID": "xz@5.6.2-1.1.x86_64",
"Name": "xz",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/xz@5.6.2-1.1?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/xz@5.6.2-1.1?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "1c46963e750a4a9"
},
"Version": "5.6.2",
@@ -3440,7 +3440,7 @@
"ID": "zypper@1.14.73-1.2.x86_64",
"Name": "zypper",
"Identifier": {
- "PURL": "pkg:rpm/opensuse/zypper@1.14.73-1.2?arch=x86_64&distro=opensuse.tumbleweed-20240607",
+ "PURL": "pkg:rpm/opensuse/zypper@1.14.73-1.2?arch=x86_64&distro=opensuse-tumbleweed-20240607",
"UID": "9d7cafcab0f1fed2"
},
"Version": "1.14.73",
diff --git a/pkg/fanal/test/integration/testdata/goldens/vuln-image1.2.3.expectedpkgsfromcmds.golden b/pkg/fanal/test/integration/testdata/goldens/vuln-image1.2.3.expectedpkgsfromcmds.golden
index 818db8d5c29d..e8e3f5943dbe 100644
--- a/pkg/fanal/test/integration/testdata/goldens/vuln-image1.2.3.expectedpkgsfromcmds.golden
+++ b/pkg/fanal/test/integration/testdata/goldens/vuln-image1.2.3.expectedpkgsfromcmds.golden
@@ -1,499 +1,665 @@
[
{
"Name": "acl",
- "Identifier": {},
+ "Identifier": {
+ "UID": "181b417cffad616f"
+ },
"Version": "2.2.52-r3",
"Layer": {}
},
{
"Name": "apr",
- "Identifier": {},
+ "Identifier": {
+ "UID": "5083f2ffc2b7a814"
+ },
"Version": "1.6.3-r0",
"Layer": {}
},
{
"Name": "apr-util",
- "Identifier": {},
+ "Identifier": {
+ "UID": "1e0af1c3510210ba"
+ },
"Version": "1.6.1-r1",
"Layer": {}
},
{
"Name": "attr",
- "Identifier": {},
+ "Identifier": {
+ "UID": "a47bcc9298df6cb9"
+ },
"Version": "2.4.47-r6",
"Layer": {}
},
{
"Name": "autoconf",
- "Identifier": {},
+ "Identifier": {
+ "UID": "3c70caeaed9a6ff9"
+ },
"Version": "2.69-r0",
"Layer": {}
},
{
"Name": "bash",
- "Identifier": {},
+ "Identifier": {
+ "UID": "b9623518df2580d7"
+ },
"Version": "4.4.19-r1",
"Layer": {}
},
{
"Name": "binutils",
- "Identifier": {},
+ "Identifier": {
+ "UID": "9c6d3cbf28294d8c"
+ },
"Version": "2.30-r1",
"Layer": {}
},
{
"Name": "binutils-libs",
- "Identifier": {},
+ "Identifier": {
+ "UID": "bd787142d4ac226b"
+ },
"Version": "2.30-r1",
"Layer": {}
},
{
"Name": "busybox",
- "Identifier": {},
+ "Identifier": {
+ "UID": "7d2e7c1078ba7eb"
+ },
"Version": "1.27.2-r11",
"Layer": {}
},
{
"Name": "bzip2",
- "Identifier": {},
+ "Identifier": {
+ "UID": "f10a7652e98de81"
+ },
"Version": "1.0.6-r6",
"Layer": {}
},
{
"Name": "ca-certificates",
- "Identifier": {},
+ "Identifier": {
+ "UID": "15130b963760c251"
+ },
"Version": "20171114-r0",
"Layer": {}
},
{
"Name": "coreutils",
- "Identifier": {},
+ "Identifier": {
+ "UID": "62b3a9f524fb42ae"
+ },
"Version": "8.28-r0",
"Layer": {}
},
{
"Name": "cyrus-sasl",
- "Identifier": {},
+ "Identifier": {
+ "UID": "3d54d810df71de08"
+ },
"Version": "2.1.26-r11",
"Layer": {}
},
{
"Name": "db",
- "Identifier": {},
+ "Identifier": {
+ "UID": "c516bbf8a0460592"
+ },
"Version": "5.3.28-r0",
"Layer": {}
},
{
"Name": "dpkg",
- "Identifier": {},
+ "Identifier": {
+ "UID": "48abb525a6e6484c"
+ },
"Version": "1.18.24-r0",
"Layer": {}
},
{
"Name": "dpkg-dev",
- "Identifier": {},
+ "Identifier": {
+ "UID": "751199098a59e38a"
+ },
"Version": "1.18.24-r0",
"Layer": {}
},
{
"Name": "expat",
- "Identifier": {},
+ "Identifier": {
+ "UID": "39fb7474be7cbbd1"
+ },
"Version": "2.2.5-r0",
"Layer": {}
},
{
"Name": "file",
- "Identifier": {},
+ "Identifier": {
+ "UID": "fce3c3b5b4ca8c61"
+ },
"Version": "5.32-r0",
"Layer": {}
},
{
"Name": "g++",
- "Identifier": {},
+ "Identifier": {
+ "UID": "e38d4fbb4801e54"
+ },
"Version": "6.4.0-r5",
"Layer": {}
},
{
"Name": "gcc",
- "Identifier": {},
+ "Identifier": {
+ "UID": "7e7a1343cbee2437"
+ },
"Version": "6.4.0-r5",
"Layer": {}
},
{
"Name": "gdbm",
- "Identifier": {},
+ "Identifier": {
+ "UID": "ddf8257d2b4ffc7b"
+ },
"Version": "1.13-r1",
"Layer": {}
},
{
"Name": "gmp",
- "Identifier": {},
+ "Identifier": {
+ "UID": "9543ab8b3ef71c6b"
+ },
"Version": "6.1.2-r1",
"Layer": {}
},
{
"Name": "gnupg",
- "Identifier": {},
+ "Identifier": {
+ "UID": "dc05954810cd6512"
+ },
"Version": "2.2.3-r1",
"Layer": {}
},
{
"Name": "gnutls",
- "Identifier": {},
+ "Identifier": {
+ "UID": "3895e3c8d3c4eec5"
+ },
"Version": "3.6.1-r0",
"Layer": {}
},
{
"Name": "isl",
- "Identifier": {},
+ "Identifier": {
+ "UID": "ff5808fa3be09223"
+ },
"Version": "0.18-r0",
"Layer": {}
},
{
"Name": "libacl",
- "Identifier": {},
+ "Identifier": {
+ "UID": "8496f22e32d90dd9"
+ },
"Version": "2.2.52-r3",
"Layer": {}
},
{
"Name": "libassuan",
- "Identifier": {},
+ "Identifier": {
+ "UID": "7c44d43ad91014bb"
+ },
"Version": "2.4.4-r0",
"Layer": {}
},
{
"Name": "libatomic",
- "Identifier": {},
+ "Identifier": {
+ "UID": "cc7cbb7bdeaceb7a"
+ },
"Version": "6.4.0-r5",
"Layer": {}
},
{
"Name": "libattr",
- "Identifier": {},
+ "Identifier": {
+ "UID": "6ab5fd8ad7ea3579"
+ },
"Version": "2.4.47-r6",
"Layer": {}
},
{
"Name": "libbz2",
- "Identifier": {},
+ "Identifier": {
+ "UID": "b88167f64940af66"
+ },
"Version": "1.0.6-r6",
"Layer": {}
},
{
"Name": "libc-dev",
- "Identifier": {},
+ "Identifier": {
+ "UID": "804732077a4c662b"
+ },
"Version": "0.7.1-r0",
"Layer": {}
},
{
"Name": "libcap",
- "Identifier": {},
+ "Identifier": {
+ "UID": "d0374637d7ee148"
+ },
"Version": "2.25-r1",
"Layer": {}
},
{
"Name": "libedit",
- "Identifier": {},
+ "Identifier": {
+ "UID": "a9e7bdfc780a5205"
+ },
"Version": "20170329.3.1-r3",
"Layer": {}
},
{
"Name": "libedit-dev",
- "Identifier": {},
+ "Identifier": {
+ "UID": "cc15a0075f19fb29"
+ },
"Version": "20170329.3.1-r3",
"Layer": {}
},
{
"Name": "libffi",
- "Identifier": {},
+ "Identifier": {
+ "UID": "2e7d2428b7208794"
+ },
"Version": "3.2.1-r4",
"Layer": {}
},
{
"Name": "libgcc",
- "Identifier": {},
+ "Identifier": {
+ "UID": "337db1c98d7a2b24"
+ },
"Version": "6.4.0-r5",
"Layer": {}
},
{
"Name": "libgcrypt",
- "Identifier": {},
+ "Identifier": {
+ "UID": "607b2546f0faa0dd"
+ },
"Version": "1.8.3-r0",
"Layer": {}
},
{
"Name": "libgomp",
- "Identifier": {},
+ "Identifier": {
+ "UID": "6405f9ce160ce36"
+ },
"Version": "6.4.0-r5",
"Layer": {}
},
{
"Name": "libgpg-error",
- "Identifier": {},
+ "Identifier": {
+ "UID": "2e7c4543143270ba"
+ },
"Version": "1.27-r1",
"Layer": {}
},
{
"Name": "libksba",
- "Identifier": {},
+ "Identifier": {
+ "UID": "2bdff3fcdb38fcc9"
+ },
"Version": "1.3.5-r0",
"Layer": {}
},
{
"Name": "libldap",
- "Identifier": {},
+ "Identifier": {
+ "UID": "9a1c31386d4c51d1"
+ },
"Version": "2.4.45-r3",
"Layer": {}
},
{
"Name": "libmagic",
- "Identifier": {},
+ "Identifier": {
+ "UID": "ce8c19b21901c2ec"
+ },
"Version": "5.32-r0",
"Layer": {}
},
{
"Name": "libressl",
- "Identifier": {},
+ "Identifier": {
+ "UID": "e0990fc64593fc34"
+ },
"Version": "2.6.5-r0",
"Layer": {}
},
{
"Name": "libressl-dev",
- "Identifier": {},
+ "Identifier": {
+ "UID": "2fc58a084fad510b"
+ },
"Version": "2.6.5-r0",
"Layer": {}
},
{
"Name": "libressl2.6-libcrypto",
- "Identifier": {},
+ "Identifier": {
+ "UID": "b9b01ba0fd3c2f96"
+ },
"Version": "2.6.5-r0",
"Layer": {}
},
{
"Name": "libressl2.6-libssl",
- "Identifier": {},
+ "Identifier": {
+ "UID": "7450166187e3c122"
+ },
"Version": "2.6.5-r0",
"Layer": {}
},
{
"Name": "libressl2.6-libtls",
- "Identifier": {},
+ "Identifier": {
+ "UID": "31e6fafea5aee605"
+ },
"Version": "2.6.5-r0",
"Layer": {}
},
{
"Name": "libsasl",
- "Identifier": {},
+ "Identifier": {
+ "UID": "a5d9eed6b200ec9e"
+ },
"Version": "2.1.26-r11",
"Layer": {}
},
{
"Name": "libsodium",
- "Identifier": {},
+ "Identifier": {
+ "UID": "d37655d3df6e7f60"
+ },
"Version": "1.0.15-r0",
"Layer": {}
},
{
"Name": "libsodium-dev",
- "Identifier": {},
+ "Identifier": {
+ "UID": "9ad59860b74f3bc9"
+ },
"Version": "1.0.15-r0",
"Layer": {}
},
{
"Name": "libstdc++",
- "Identifier": {},
+ "Identifier": {
+ "UID": "3cb038e2e3f8f2d3"
+ },
"Version": "6.4.0-r5",
"Layer": {}
},
{
"Name": "libtasn1",
- "Identifier": {},
+ "Identifier": {
+ "UID": "d64e086f11523544"
+ },
"Version": "4.12-r3",
"Layer": {}
},
{
"Name": "libunistring",
- "Identifier": {},
+ "Identifier": {
+ "UID": "f011d575a1de2df6"
+ },
"Version": "0.9.7-r0",
"Layer": {}
},
{
"Name": "m4",
- "Identifier": {},
+ "Identifier": {
+ "UID": "9a0327634e852d10"
+ },
"Version": "1.4.18-r0",
"Layer": {}
},
{
"Name": "make",
- "Identifier": {},
+ "Identifier": {
+ "UID": "5563a4c45ccc0ca6"
+ },
"Version": "4.2.1-r0",
"Layer": {}
},
{
"Name": "mercurial",
- "Identifier": {},
+ "Identifier": {
+ "UID": "5b844daeeb0ae32c"
+ },
"Version": "4.5.2-r0",
"Layer": {}
},
{
"Name": "mpc1",
- "Identifier": {},
+ "Identifier": {
+ "UID": "4ac00bb3c9d7b863"
+ },
"Version": "1.0.3-r1",
"Layer": {}
},
{
"Name": "mpfr3",
- "Identifier": {},
+ "Identifier": {
+ "UID": "7351997d7d25f69a"
+ },
"Version": "3.1.5-r1",
"Layer": {}
},
{
"Name": "musl",
- "Identifier": {},
+ "Identifier": {
+ "UID": "61c9bbf17ebf0ec5"
+ },
"Version": "1.1.18-r3",
"Layer": {}
},
{
"Name": "musl-dev",
- "Identifier": {},
+ "Identifier": {
+ "UID": "bddc3ce8e670295c"
+ },
"Version": "1.1.18-r3",
"Layer": {}
},
{
"Name": "ncurses",
- "Identifier": {},
+ "Identifier": {
+ "UID": "268c30a59b31f30f"
+ },
"Version": "6.0_p20171125-r1",
"Layer": {}
},
{
"Name": "ncurses-dev",
- "Identifier": {},
+ "Identifier": {
+ "UID": "35e387a2169b6c35"
+ },
"Version": "6.0_p20171125-r1",
"Layer": {}
},
{
"Name": "ncurses-libs",
- "Identifier": {},
+ "Identifier": {
+ "UID": "a698bd167c8edb63"
+ },
"Version": "6.0_p20171125-r1",
"Layer": {}
},
{
"Name": "ncurses-terminfo",
- "Identifier": {},
+ "Identifier": {
+ "UID": "1d756cb96659dfe8"
+ },
"Version": "6.0_p20171125-r1",
"Layer": {}
},
{
"Name": "ncurses-terminfo-base",
- "Identifier": {},
+ "Identifier": {
+ "UID": "70b90293a1ffd5c"
+ },
"Version": "6.0_p20171125-r1",
"Layer": {}
},
{
"Name": "nettle",
- "Identifier": {},
+ "Identifier": {
+ "UID": "2279fda8e0f37088"
+ },
"Version": "3.3-r0",
"Layer": {}
},
{
"Name": "npth",
- "Identifier": {},
+ "Identifier": {
+ "UID": "5d5e661f25ccd3bb"
+ },
"Version": "1.5-r1",
"Layer": {}
},
{
"Name": "openldap",
- "Identifier": {},
+ "Identifier": {
+ "UID": "f951698c7542567d"
+ },
"Version": "2.4.45-r3",
"Layer": {}
},
{
"Name": "p11-kit",
- "Identifier": {},
+ "Identifier": {
+ "UID": "f9a3b6ef16728be3"
+ },
"Version": "0.23.2-r2",
"Layer": {}
},
{
"Name": "patch",
- "Identifier": {},
+ "Identifier": {
+ "UID": "59097ece63a1532"
+ },
"Version": "2.7.5-r2",
"Layer": {}
},
{
"Name": "pcre2",
- "Identifier": {},
+ "Identifier": {
+ "UID": "46c51355357283bd"
+ },
"Version": "10.30-r0",
"Layer": {}
},
{
"Name": "pinentry",
- "Identifier": {},
+ "Identifier": {
+ "UID": "e0aa8991cc0d7ea9"
+ },
"Version": "1.0.0-r0",
"Layer": {}
},
{
"Name": "pkgconf",
- "Identifier": {},
+ "Identifier": {
+ "UID": "558f6d8317744a54"
+ },
"Version": "1.3.10-r0",
"Layer": {}
},
{
"Name": "python2",
- "Identifier": {},
+ "Identifier": {
+ "UID": "7e33eccd3ce9ae3f"
+ },
"Version": "2.7.15-r2",
"Layer": {}
},
{
"Name": "re2c",
- "Identifier": {},
+ "Identifier": {
+ "UID": "6dbcd72a6ade1945"
+ },
"Version": "1.0.2-r0",
"Layer": {}
},
{
"Name": "readline",
- "Identifier": {},
+ "Identifier": {
+ "UID": "c1cfb597544b76a5"
+ },
"Version": "7.0.003-r0",
"Layer": {}
},
{
"Name": "serf",
- "Identifier": {},
+ "Identifier": {
+ "UID": "94872f984b4a0583"
+ },
"Version": "1.3.9-r3",
"Layer": {}
},
{
"Name": "subversion",
- "Identifier": {},
+ "Identifier": {
+ "UID": "8fa2da2cba41429c"
+ },
"Version": "1.9.7-r0",
"Layer": {}
},
{
"Name": "subversion-libs",
- "Identifier": {},
+ "Identifier": {
+ "UID": "2591b779b8cc1ec5"
+ },
"Version": "1.9.7-r0",
"Layer": {}
},
{
"Name": "xz",
- "Identifier": {},
+ "Identifier": {
+ "UID": "74d9b4a853a25311"
+ },
"Version": "5.2.3-r1",
"Layer": {}
},
{
"Name": "xz-libs",
- "Identifier": {},
+ "Identifier": {
+ "UID": "e6072b890db87763"
+ },
"Version": "5.2.3-r1",
"Layer": {}
},
{
"Name": "zlib",
- "Identifier": {},
+ "Identifier": {
+ "UID": "b742ac29b1f34e"
+ },
"Version": "1.2.11-r1",
"Layer": {}
},
{
"Name": "zlib-dev",
- "Identifier": {},
+ "Identifier": {
+ "UID": "e9a8669a86602c9d"
+ },
"Version": "1.2.11-r1",
"Layer": {}
}
diff --git a/pkg/fanal/types/const.go b/pkg/fanal/types/const.go
index c304f40bac5f..2e746f065782 100644
--- a/pkg/fanal/types/const.go
+++ b/pkg/fanal/types/const.go
@@ -31,14 +31,14 @@ const (
Debian OSType = "debian"
Fedora OSType = "fedora"
OpenSUSE OSType = "opensuse"
- OpenSUSELeap OSType = "opensuse.leap"
- OpenSUSETumbleweed OSType = "opensuse.tumbleweed"
+ OpenSUSELeap OSType = "opensuse-leap"
+ OpenSUSETumbleweed OSType = "opensuse-tumbleweed"
Oracle OSType = "oracle"
Photon OSType = "photon"
RedHat OSType = "redhat"
Rocky OSType = "rocky"
- SLEMicro OSType = "suse linux enterprise micro"
- SLES OSType = "suse linux enterprise server"
+ SLEMicro OSType = "slem"
+ SLES OSType = "sles"
Ubuntu OSType = "ubuntu"
Wolfi OSType = "wolfi"
)
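Review bot: The renamed values of `OpenSUSELeap`, `OpenSUSETumbleweed`, `SLEMicro` and `SLES` are not purely internal keys. The golden files in this same diff show them emitted in the PURL `distro` qualifier, so SBOM identifiers produced by earlier versions will no longer match what this version generates. If cached analysis results or imported SBOMs are matched on these strings (not visible here), SUSE artifacts analysed before the upgrade could drop out of OS-specific vulnerability detection without an error. I would add a comment above the group, `// OSType values appear in PURL distro qualifiers and reports; renaming one is a compatibility change.`, and confirm the old spellings are either aliased or invalidated. The `const (` block begins above the hunk.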
diff --git a/pkg/flag/db_flags.go b/pkg/flag/db_flags.go
index df0d6c6f5194..cea4b82eaec6 100644
--- a/pkg/flag/db_flags.go
+++ b/pkg/flag/db_flags.go
@@ -53,13 +53,13 @@ var (
DBRepositoryFlag = Flag[[]string]{
Name: "db-repository",
ConfigName: "db.repository",
- Default: []string{db.DefaultGHCRRepository},
+ Default: []string{db.DefaultGCRRepository, db.DefaultGHCRRepository},
Usage: "OCI repository(ies) to retrieve trivy-db in order of priority",
}
JavaDBRepositoryFlag = Flag[[]string]{
Name: "java-db-repository",
ConfigName: "db.java-repository",
- Default: []string{javadb.DefaultGHCRRepository},
+ Default: []string{javadb.DefaultGCRRepository, javadb.DefaultGHCRRepository},
Usage: "OCI repository(ies) to retrieve trivy-java-db in order of priority",
}
LightFlag = Flag[bool]{
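Review bot: Putting `db.DefaultGCRRepository` first changes where every default installation fetches its vulnerability database, but neither `Default` line has a comment saying which entry is primary and which is the fallback. The test in db_flags_test.go suggests the new entry is a `mirror.gcr.io/...:2` tag reference, so what arrives presumably depends on what the mirror currently serves for that tag. Whether a stale but successfully downloaded copy is accepted, rather than falling through to GHCR, is decided outside this hunk and is worth confirming. I would add `// Order is priority: the GCR mirror is tried first, GHCR is the fallback.` above both `Default` lines (`DBRepositoryFlag` and `JavaDBRepositoryFlag`).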
diff --git a/pkg/flag/db_flags_test.go b/pkg/flag/db_flags_test.go
index 4f742e74ed68..33c0b6fdee04 100644
--- a/pkg/flag/db_flags_test.go
+++ b/pkg/flag/db_flags_test.go
@@ -66,10 +66,16 @@ func TestDBFlagGroup_ToOptions(t *testing.T) {
{
name: "multiple repos",
fields: fields{
- SkipDBUpdate: true,
- DownloadDBOnly: false,
- DBRepository: []string{"ghcr.io/aquasecurity/trivy-db:2", "gallery.ecr.aws/aquasecurity/trivy-db:2"},
- JavaDBRepository: []string{"ghcr.io/aquasecurity/trivy-java-db:1", "gallery.ecr.aws/aquasecurity/trivy-java-db:1"},
+ SkipDBUpdate: true,
+ DownloadDBOnly: false,
+ DBRepository: []string{
+ "mirror.gcr.io/aquasec/trivy-db:2",
+ "ghcr.io/aquasecurity/trivy-db:2",
+ },
+ JavaDBRepository: []string{
+ "mirror.gcr.io/aquasec/trivy-java-db:1",
+ "ghcr.io/aquasecurity/trivy-java-db:1",
+ },
},
want: flag.DBOptions{
SkipDBUpdate: true,
diff --git a/pkg/flag/report_flags_test.go b/pkg/flag/report_flags_test.go
index b113d7c62f97..ab4baa53fbff 100644
--- a/pkg/flag/report_flags_test.go
+++ b/pkg/flag/report_flags_test.go
@@ -213,7 +213,7 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
t.Run("Error on non existing ignore file", func(t *testing.T) {
t.Cleanup(viper.Reset)
- setValue(flag.IgnoreFileFlag.ConfigName, string("doesntexist"))
+ setValue(flag.IgnoreFileFlag.ConfigName, "doesntexist")
f := &flag.ReportFlagGroup{
IgnoreFile: flag.IgnoreFileFlag.Clone(),
}
diff --git a/pkg/iac/adapters/cloudformation/aws/ecs/ecs_test.go b/pkg/iac/adapters/cloudformation/aws/ecs/ecs_test.go
index c6323a1df926..9cf56b0d8b6f 100644
--- a/pkg/iac/adapters/cloudformation/aws/ecs/ecs_test.go
+++ b/pkg/iac/adapters/cloudformation/aws/ecs/ecs_test.go
@@ -32,8 +32,8 @@ Resources:
-
Name: "busybox"
Image: "busybox"
- Cpu: 256
- Memory: 512
+ Cpu: "256"
+ Memory: "512"
Essential: true
Privileged: true
Environment:
@@ -68,8 +68,8 @@ Resources:
{
Name: types.StringTest("busybox"),
Image: types.StringTest("busybox"),
- CPU: types.IntTest(256),
- Memory: types.IntTest(512),
+ CPU: types.StringTest("256"),
+ Memory: types.StringTest("512"),
Essential: types.BoolTest(true),
Privileged: types.BoolTest(true),
Environment: []ecs.EnvVar{
diff --git a/pkg/iac/adapters/cloudformation/aws/ecs/task_definition.go b/pkg/iac/adapters/cloudformation/aws/ecs/task_definition.go
index 9c2e342bb6f3..b4cc39205147 100644
--- a/pkg/iac/adapters/cloudformation/aws/ecs/task_definition.go
+++ b/pkg/iac/adapters/cloudformation/aws/ecs/task_definition.go
@@ -45,8 +45,8 @@ func getContainerDefinitions(r *parser.Resource) ([]ecs.ContainerDefinition, err
Metadata: containerDef.Metadata(),
Name: containerDef.GetStringProperty("Name"),
Image: containerDef.GetStringProperty("Image"),
- CPU: containerDef.GetIntProperty("Cpu"),
- Memory: containerDef.GetIntProperty("Memory"),
+ CPU: containerDef.GetStringProperty("Cpu"),
+ Memory: containerDef.GetStringProperty("Memory"),
Essential: containerDef.GetBoolProperty("Essential"),
Privileged: containerDef.GetBoolProperty("Privileged"),
Environment: envVars,
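Review bot: `Cpu` and `Memory` are now read with `GetStringProperty`, and the only fixture in ecs_test.go was changed from `Cpu: 256` to `Cpu: "256"`, so the unquoted integer form is no longer exercised. Whether `GetStringProperty` converts an integer-typed property or returns an empty or default value is not visible in this hunk; if it is the latter, both fields are silently lost for templates that write plain numbers. I would keep a second container definition in the test with `Cpu: 256` and `Memory: 512` unquoted and assert that it adapts to `types.StringTest("256")` and `types.StringTest("512")`. `getContainerDefinitions` starts and ends outside the hunk.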
diff --git a/pkg/iac/adapters/terraform/aws/ecs/adapt_test.go b/pkg/iac/adapters/terraform/aws/ecs/adapt_test.go
index c35bcc12d9b1..9c70a3b1abee 100644
--- a/pkg/iac/adapters/terraform/aws/ecs/adapt_test.go
+++ b/pkg/iac/adapters/terraform/aws/ecs/adapt_test.go
@@ -91,8 +91,8 @@ func Test_adaptTaskDefinitionResource(t *testing.T) {
"name": "my_service",
"image": "my_image",
"essential": true,
- "memory": 256,
- "cpu": 2,
+ "memory": "256",
+ "cpu": "2",
"environment": [
{ "name": "ENVIRONMENT", "value": "development" }
]
@@ -125,8 +125,8 @@ func Test_adaptTaskDefinitionResource(t *testing.T) {
Metadata: iacTypes.NewTestMetadata(),
Name: iacTypes.String("my_service", iacTypes.NewTestMetadata()),
Image: iacTypes.String("my_image", iacTypes.NewTestMetadata()),
- CPU: iacTypes.Int(2, iacTypes.NewTestMetadata()),
- Memory: iacTypes.Int(256, iacTypes.NewTestMetadata()),
+ CPU: iacTypes.String("2", iacTypes.NewTestMetadata()),
+ Memory: iacTypes.String("256", iacTypes.NewTestMetadata()),
Essential: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
Privileged: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
Environment: []ecs.EnvVar{
diff --git a/pkg/iac/providers/aws/ecs/ecs.go b/pkg/iac/providers/aws/ecs/ecs.go
index b0728c2bbf7f..36e9938c80f2 100755
--- a/pkg/iac/providers/aws/ecs/ecs.go
+++ b/pkg/iac/providers/aws/ecs/ecs.go
@@ -43,8 +43,8 @@ func CreateDefinitionsFromString(metadata iacTypes.Metadata, str string) ([]Cont
type containerDefinitionJSON struct {
Name string `json:"name"`
Image string `json:"image"`
- CPU int `json:"cpu"`
- Memory int `json:"memory"`
+ CPU string `json:"cpu"`
+ Memory string `json:"memory"`
Essential bool `json:"essential"`
PortMappings []portMappingJSON `json:"portMappings"`
EnvVars []envVarJSON `json:"environment"`
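Review bot: With `CPU string` and `Memory string`, `encoding/json` rejects a JSON number for these fields. A container definition written as `"cpu": 2, "memory": 256` (the form the adapt_test.go fixture used before this commit) now fails to decode instead of being adapted. How `CreateDefinitionsFromString` handles that error is outside the hunk, but if the definitions are dropped, checks on fields such as `Privileged` never see the container. Declaring both fields as `json.Number` (keeping the existing `json:"cpu"` and `json:"memory"` tags) accepts numbers and numeric strings alike, with `iacTypes.String(j.CPU.String(), metadata)` in `convert` in the next hunk. A fixture with unquoted numbers in adapt_test.go would pin the behaviour.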
@@ -77,8 +77,8 @@ func (j containerDefinitionJSON) convert(metadata iacTypes.Metadata) ContainerDe
Metadata: metadata,
Name: iacTypes.String(j.Name, metadata),
Image: iacTypes.String(j.Image, metadata),
- CPU: iacTypes.Int(j.CPU, metadata),
- Memory: iacTypes.Int(j.Memory, metadata),
+ CPU: iacTypes.String(j.CPU, metadata),
+ Memory: iacTypes.String(j.Memory, metadata),
Essential: iacTypes.Bool(j.Essential, metadata),
PortMappings: mappings,
Environment: envVars,
@@ -87,13 +87,11 @@ func (j containerDefinitionJSON) convert(metadata iacTypes.Metadata) ContainerDe
}
type ContainerDefinition struct {
- Metadata iacTypes.Metadata
- Name iacTypes.StringValue
- Image iacTypes.StringValue
- // TODO: CPU and Memory are strings
- // https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html#cfn-ecs-taskdefinition-cpu
- CPU iacTypes.IntValue
- Memory iacTypes.IntValue
+ Metadata iacTypes.Metadata
+ Name iacTypes.StringValue
+ Image iacTypes.StringValue
+ CPU iacTypes.StringValue
+ Memory iacTypes.StringValue
Essential iacTypes.BoolValue
PortMappings []PortMapping
Environment []EnvVar
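Review bot: The removed TODO was the only place that explained why `CPU` and `Memory` are not integers, and the exported field types now change from `IntValue` to `StringValue` with no comment left behind. User-written checks that compare `cpu.value` or `memory.value` numerically will now be comparing a string, which may not surface as an error. I would keep a short doc comment on the two fields: `// CPU and Memory are strings, matching the CloudFormation task definition schema; convert before comparing numerically.` The struct continues below the hunk.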
diff --git a/pkg/iac/rego/embed.go b/pkg/iac/rego/embed.go
index 4679102033c2..c5416f50c0cc 100644
--- a/pkg/iac/rego/embed.go
+++ b/pkg/iac/rego/embed.go
@@ -71,15 +71,6 @@ func RegisterRegoRules(modules map[string]*ast.Module) {
rules.Register(metadata.ToRule())
}
-
- for _, check := range rules.GetRegistered() {
- if !check.Deprecated && check.CanCheck() {
- if _, exists := regoCheckIDs[check.AVDID]; exists {
- log.Warn("Ignore duplicate Go check", log.String("avdid", check.AVDID))
- rules.Deregister(check)
- }
- }
- }
}
func LoadEmbeddedPolicies() (map[string]*ast.Module, error) {
diff --git a/pkg/iac/rego/embed_test.go b/pkg/iac/rego/embed_test.go
index 9ed0b00747ed..90541f5e2397 100644
--- a/pkg/iac/rego/embed_test.go
+++ b/pkg/iac/rego/embed_test.go
@@ -2,7 +2,6 @@ package rego
import (
"testing"
- "testing/fstest"
"github.com/open-policy-agent/opa/ast"
"github.com/stretchr/testify/assert"
@@ -11,7 +10,6 @@ import (
checks "github.com/aquasecurity/trivy-checks"
"github.com/aquasecurity/trivy/pkg/iac/rules"
"github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/state"
)
func Test_EmbeddedLoading(t *testing.T) {
@@ -207,49 +205,3 @@ deny[res]{
})
}
}
-
-func Test_IgnoreDuplicateChecks(t *testing.T) {
- rules.Reset()
-
- r := scan.Rule{
- AVDID: "TEST001",
- Check: func(s *state.State) (results scan.Results) {
- for _, bucket := range s.AWS.S3.Buckets {
- if bucket.Name.Value() == "evil" {
- results.Add("Bucket name should not be evil", bucket.Name)
- }
- }
- return
- },
- }
- reg := rules.Register(r)
- defer rules.Deregister(reg)
-
- fsys := fstest.MapFS{
- "test.rego": &fstest.MapFile{
- Data: []byte(`
-# METADATA
-# title: "Test rego"
-# scope: package
-# schemas:
-# - input: schema["cloud"]
-# custom:
-# avd_id: TEST001
-# severity: LOW
-package user.test001
-
-deny[res] {
- res := result.new("test", {})
-}
-`),
- },
- }
-
- modules, err := LoadPoliciesFromDirs(fsys, ".")
- require.NoError(t, err)
-
- RegisterRegoRules(modules)
- registered := rules.GetRegistered()
- assert.Len(t, registered, 1)
- assert.Equal(t, "TEST001", registered[0].AVDID)
-}
diff --git a/pkg/iac/rego/options.go b/pkg/iac/rego/options.go
index 5cc60284abdb..79a1b951746d 100644
--- a/pkg/iac/rego/options.go
+++ b/pkg/iac/rego/options.go
@@ -4,6 +4,7 @@ import (
"io"
"io/fs"
+ "github.com/aquasecurity/trivy/pkg/iac/framework"
"github.com/aquasecurity/trivy/pkg/iac/scanners/options"
)
@@ -117,3 +118,19 @@ func WithDisabledCheckIDs(ids ...string) options.ScannerOption {
}
}
}
+
+func WithIncludeDeprecatedChecks(enabled bool) options.ScannerOption {
+ return func(s options.ConfigurableScanner) {
+ if ss, ok := s.(*Scanner); ok {
+ ss.includeDeprecatedChecks = true
+ }
+ }
+}
+
+func WithFrameworks(frameworks ...framework.Framework) options.ScannerOption {
+ return func(s options.ConfigurableScanner) {
+ if ss, ok := s.(*Scanner); ok {
+ ss.frameworks = frameworks
+ }
+ }
+}
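Review bot: `WithIncludeDeprecatedChecks` ignores its `enabled` argument: the body assigns `ss.includeDeprecatedChecks = true`, so `WithIncludeDeprecatedChecks(false)` still turns deprecated checks on. The setter this commit removes from scanner.go, `SetIncludeDeprecatedChecks(b)`, stored `b`. The line should read `ss.includeDeprecatedChecks = enabled`. Both new exported options also lack doc comments; `// WithIncludeDeprecatedChecks controls whether checks marked deprecated are evaluated.` and a matching line for `WithFrameworks` would do.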
diff --git a/pkg/iac/rego/scanner.go b/pkg/iac/rego/scanner.go
index f791a45bf74d..094546e78cb7 100644
--- a/pkg/iac/rego/scanner.go
+++ b/pkg/iac/rego/scanner.go
@@ -73,16 +73,6 @@ type Scanner struct {
disabledCheckIDs map[string]struct{}
}
-func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {
- s.includeDeprecatedChecks = b
-}
-
-func (s *Scanner) SetRegoOnly(bool) {}
-
-func (s *Scanner) SetFrameworks(frameworks []framework.Framework) {
- s.frameworks = frameworks
-}
-
func (s *Scanner) trace(heading string, input any) {
if s.traceWriter == nil {
return
diff --git a/pkg/iac/rego/schemas/cloud.json b/pkg/iac/rego/schemas/cloud.json
index bdaad1330898..dd9c10ddeae7 100644
--- a/pkg/iac/rego/schemas/cloud.json
+++ b/pkg/iac/rego/schemas/cloud.json
@@ -1859,7 +1859,7 @@
},
"cpu": {
"type": "object",
- "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue"
+ "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.StringValue"
},
"environment": {
"type": "array",
@@ -1878,7 +1878,7 @@
},
"memory": {
"type": "object",
- "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue"
+ "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.StringValue"
},
"name": {
"type": "object",
diff --git a/pkg/iac/rules/rules.go b/pkg/iac/rules/rules.go
deleted file mode 100644
index 96a73deba46f..000000000000
--- a/pkg/iac/rules/rules.go
+++ /dev/null
@@ -1,83 +0,0 @@
-package rules
-
-import (
- trules "github.com/aquasecurity/trivy-checks/pkg/rules"
-
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/accessanalyzer"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/apigateway"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/athena"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/cloudfront"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/cloudtrail"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/cloudwatch"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/codebuild"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/config"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/documentdb"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/dynamodb"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/ec2"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/ecr"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/ecs"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/efs"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/eks"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/elasticache"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/elasticsearch"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/elb"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/emr"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/iam"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/kinesis"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/kms"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/lambda"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/mq"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/msk"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/neptune"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/rds"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/redshift"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/s3"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/sam"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/sns"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/sqs"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/ssm"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/aws/workspaces"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/appservice"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/authorization"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/compute"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/container"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/database"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/datafactory"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/datalake"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/keyvault"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/monitor"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/network"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/securitycenter"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/storage"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/azure/synapse"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/cloudstack/compute"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/digitalocean/compute"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/digitalocean/spaces"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/github/actions"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/github/branch_protections"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/github/repositories"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/google/bigquery"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/google/compute"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/google/dns"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/google/gke"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/google/iam"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/google/kms"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/google/sql"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/google/storage"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/nifcloud/computing"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/nifcloud/dns"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/nifcloud/nas"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/nifcloud/network"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/nifcloud/rdb"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/nifcloud/sslcertificate"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/openstack/compute"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/openstack/networking"
- _ "github.com/aquasecurity/trivy-checks/checks/cloud/oracle/compute"
- _ "github.com/aquasecurity/trivy-checks/checks/kubernetes/network"
-)
-
-func init() {
- for _, r := range trules.GetRules() {
- Register(r)
- }
-}
diff --git a/pkg/iac/scan/rule.go b/pkg/iac/scan/rule.go
index c4318b7aad35..96db0007ffcc 100755
--- a/pkg/iac/scan/rule.go
+++ b/pkg/iac/scan/rule.go
@@ -84,21 +84,6 @@ func (r Rule) ShortCodeDisplayName() string {
return nicify(r.ShortCode)
}
-func (r Rule) CanCheck() bool {
- return r.Check != nil
-}
-
-func (r Rule) Evaluate(s *state.State) Results {
- if !r.CanCheck() {
- return nil
- }
- results := r.Check(s)
- for i := range results {
- results[i].SetRule(r)
- }
- return results
-}
-
var acronyms = []string{
"acl",
"alb",
diff --git a/pkg/iac/scanners/azure/arm/scanner.go b/pkg/iac/scanners/azure/arm/scanner.go
index 410ccd6d18df..2605bf532d1a 100644
--- a/pkg/iac/scanners/azure/arm/scanner.go
+++ b/pkg/iac/scanners/azure/arm/scanner.go
@@ -7,9 +7,7 @@ import (
"sync"
"github.com/aquasecurity/trivy/pkg/iac/adapters/arm"
- "github.com/aquasecurity/trivy/pkg/iac/framework"
"github.com/aquasecurity/trivy/pkg/iac/rego"
- "github.com/aquasecurity/trivy/pkg/iac/rules"
"github.com/aquasecurity/trivy/pkg/iac/scan"
"github.com/aquasecurity/trivy/pkg/iac/scanners"
"github.com/aquasecurity/trivy/pkg/iac/scanners/azure"
@@ -24,21 +22,10 @@ var _ scanners.FSScanner = (*Scanner)(nil)
var _ options.ConfigurableScanner = (*Scanner)(nil)
type Scanner struct {
- mu sync.Mutex
- scannerOptions []options.ScannerOption
- logger *log.Logger
- frameworks []framework.Framework
- regoOnly bool
- regoScanner *rego.Scanner
- includeDeprecatedChecks bool
-}
-
-func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {
- s.includeDeprecatedChecks = b
-}
-
-func (s *Scanner) SetRegoOnly(regoOnly bool) {
- s.regoOnly = regoOnly
+ mu sync.Mutex
+ scannerOptions []options.ScannerOption
+ logger *log.Logger
+ regoScanner *rego.Scanner
}
func New(opts ...options.ScannerOption) *Scanner {
@@ -56,10 +43,6 @@ func (s *Scanner) Name() string {
return "Azure ARM"
}
-func (s *Scanner) SetFrameworks(frameworks []framework.Framework) {
- s.frameworks = frameworks
-}
-
func (s *Scanner) initRegoScanner(srcFS fs.FS) error {
s.mu.Lock()
defer s.mu.Unlock()
@@ -104,28 +87,9 @@ func (s *Scanner) scanDeployments(ctx context.Context, deployments []azure.Deplo
}
func (s *Scanner) scanDeployment(ctx context.Context, deployment azure.Deployment, fsys fs.FS) (scan.Results, error) {
- var results scan.Results
deploymentState := s.adaptDeployment(ctx, deployment)
- if !s.regoOnly {
- for _, rule := range rules.GetRegistered(s.frameworks...) {
- select {
- case <-ctx.Done():
- return nil, ctx.Err()
- default:
- }
-
- if !s.includeDeprecatedChecks && rule.Deprecated {
- continue // skip deprecated checks
- }
-
- ruleResults := rule.Evaluate(deploymentState)
- if len(ruleResults) > 0 {
- results = append(results, ruleResults...)
- }
- }
- }
- regoResults, err := s.regoScanner.ScanInput(ctx, rego.Input{
+ results, err := s.regoScanner.ScanInput(ctx, rego.Input{
Path: deployment.Metadata.Range().GetFilename(),
FS: fsys,
Contents: deploymentState.ToRego(),
@@ -134,7 +98,7 @@ func (s *Scanner) scanDeployment(ctx context.Context, deployment azure.Deploymen
return nil, fmt.Errorf("rego scan error: %w", err)
}
- return append(results, regoResults...), nil
+ return results, nil
}
func (s *Scanner) adaptDeployment(ctx context.Context, deployment azure.Deployment) *state.State {
diff --git a/pkg/iac/scanners/cloudformation/parser/file_context.go b/pkg/iac/scanners/cloudformation/parser/file_context.go
index 949add1ca7c4..e1c8cfa87f40 100644
--- a/pkg/iac/scanners/cloudformation/parser/file_context.go
+++ b/pkg/iac/scanners/cloudformation/parser/file_context.go
@@ -1,6 +1,8 @@
package parser
import (
+ "github.com/samber/lo"
+
"github.com/aquasecurity/trivy/pkg/iac/ignore"
iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
)
@@ -71,3 +73,11 @@ func (t *FileContext) missingParameterValues() []string {
}
return missing
}
+
+func (t *FileContext) stripNullProperties() {
+ for _, resource := range t.Resources {
+ resource.Inner.Properties = lo.OmitBy(resource.Inner.Properties, func(k string, v *Property) bool {
+ return v.IsNil()
+ })
+ }
+}
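Review bot: stripNullProperties has no doc comment, and it filters only the top-level `Properties` map of each resource, so a null nested value is left in place. A comment such as `// stripNullProperties drops top-level resource properties whose value is null; nested nulls are kept.` would stop readers from assuming a deep clean. The loop also dereferences `resource.Inner` and calls `v.IsNil()` without a nil guard. Whether a nil resource or property pointer can reach this point after unmarshalling is not visible in the hunk, so that is worth confirming.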
diff --git a/pkg/iac/scanners/cloudformation/parser/parser.go b/pkg/iac/scanners/cloudformation/parser/parser.go
index 696dfcf16349..24d85ba4bbbb 100644
--- a/pkg/iac/scanners/cloudformation/parser/parser.go
+++ b/pkg/iac/scanners/cloudformation/parser/parser.go
@@ -6,6 +6,7 @@ import (
"fmt"
"io"
"io/fs"
+ "path"
"path/filepath"
"strings"
@@ -83,7 +84,7 @@ func (p *Parser) ParseFS(ctx context.Context, fsys fs.FS, dir string) (FileConte
return contexts, nil
}
-func (p *Parser) ParseFile(ctx context.Context, fsys fs.FS, path string) (fctx *FileContext, err error) {
+func (p *Parser) ParseFile(ctx context.Context, fsys fs.FS, filePath string) (fctx *FileContext, err error) {
defer func() {
if e := recover(); e != nil {
err = fmt.Errorf("panic during parse: %s", e)
@@ -105,15 +106,15 @@ func (p *Parser) ParseFile(ctx context.Context, fsys fs.FS, path string) (fctx *
}
sourceFmt := YamlSourceFormat
- if strings.HasSuffix(strings.ToLower(path), ".json") {
+ if path.Ext(filePath) == ".json" {
sourceFmt = JsonSourceFormat
}
- f, err := fsys.Open(filepath.ToSlash(path))
+ f, err := fsys.Open(filePath)
if err != nil {
return nil, err
}
- defer func() { _ = f.Close() }()
+ defer f.Close()
content, err := io.ReadAll(f)
if err != nil {
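Review bot: `path.Ext(filePath) == ".json"` is case-sensitive, whereas the line it replaces lowercased the path first, so a template named `stack.JSON` now goes to the YAML branch instead of jfather. If that is not intended, `if strings.EqualFold(path.Ext(filePath), ".json") {` keeps the old matching, and `strings` is already imported. The same hunk drops `filepath.ToSlash` before `fsys.Open`, which is only safe if every caller already passes slash-separated fs.FS paths; that is not visible here. A template that fails to open or parse is a template that goes unscanned. ParseFile starts and ends outside this hunk.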
@@ -123,7 +124,7 @@ func (p *Parser) ParseFile(ctx context.Context, fsys fs.FS, path string) (fctx *
lines := strings.Split(string(content), "\n")
fctx = &FileContext{
- filepath: path,
+ filepath: filePath,
lines: lines,
SourceFormat: sourceFmt,
}
@@ -131,26 +132,28 @@ func (p *Parser) ParseFile(ctx context.Context, fsys fs.FS, path string) (fctx *
switch sourceFmt {
case YamlSourceFormat:
if err := yaml.Unmarshal(content, fctx); err != nil {
- return nil, NewErrInvalidContent(path, err)
+ return nil, NewErrInvalidContent(filePath, err)
}
- fctx.Ignores = ignore.Parse(string(content), path, "")
+ fctx.Ignores = ignore.Parse(string(content), filePath, "")
case JsonSourceFormat:
if err := jfather.Unmarshal(content, fctx); err != nil {
- return nil, NewErrInvalidContent(path, err)
+ return nil, NewErrInvalidContent(filePath, err)
}
}
+ fctx.stripNullProperties()
+
fctx.overrideParameters(p.overridedParameters)
if params := fctx.missingParameterValues(); len(params) > 0 {
- p.logger.Warn("Missing parameter values", log.FilePath(path), log.String("parameters", strings.Join(params, ", ")))
+ p.logger.Warn("Missing parameter values", log.FilePath(filePath), log.String("parameters", strings.Join(params, ", ")))
}
fctx.lines = lines
fctx.SourceFormat = sourceFmt
- fctx.filepath = path
+ fctx.filepath = filePath
- p.logger.Debug("Context loaded from source", log.FilePath(path))
+ p.logger.Debug("Context loaded from source", log.FilePath(filePath))
// the context must be set to conditions before resources
for _, c := range fctx.Conditions {
@@ -158,7 +161,7 @@ func (p *Parser) ParseFile(ctx context.Context, fsys fs.FS, path string) (fctx *
}
for name, r := range fctx.Resources {
- r.configureResource(name, fsys, path, fctx)
+ r.configureResource(name, fsys, filePath, fctx)
}
return fctx, nil
@@ -190,10 +193,10 @@ func (p *Parser) parseParams() error {
return nil
}
-func (p *Parser) parseParametersFile(path string) (Parameters, error) {
- f, err := p.configsFS.Open(path)
+func (p *Parser) parseParametersFile(filePath string) (Parameters, error) {
+ f, err := p.configsFS.Open(filePath)
if err != nil {
- return nil, fmt.Errorf("parameters file %q open error: %w", path, err)
+ return nil, fmt.Errorf("parameters file %q open error: %w", filePath, err)
}
var parameters Parameters
diff --git a/pkg/iac/scanners/cloudformation/parser/parser_test.go b/pkg/iac/scanners/cloudformation/parser/parser_test.go
index aa058c4df855..99dd62294eee 100644
--- a/pkg/iac/scanners/cloudformation/parser/parser_test.go
+++ b/pkg/iac/scanners/cloudformation/parser/parser_test.go
@@ -440,3 +440,52 @@ Conditions:
require.NoError(t, err)
require.Len(t, files, 1)
}
+
+func Test_TemplateWithNullProperty(t *testing.T) {
+ src := `AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+ TestBucket:
+ Type: "AWS::S3::Bucket"
+ Properties:
+ BucketName:`
+
+ fsys := testutil.CreateFS(t, map[string]string{
+ "main.yaml": src,
+ })
+
+ files, err := New().ParseFS(context.TODO(), fsys, ".")
+ require.NoError(t, err)
+ require.Len(t, files, 1)
+
+ file := files[0]
+
+ res := file.GetResourceByLogicalID("TestBucket")
+
+ assert.True(t, res.GetProperty("BucketName").IsNil())
+}
+
+func Test_TemplateWithNullNestedProperty(t *testing.T) {
+ src := `AWSTemplateFormatVersion: "2010-09-09"
+Description: "BAD"
+Resources:
+ TestBucket:
+ Type: "AWS::S3::Bucket"
+ Properties:
+ BucketName: test
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: null`
+
+ fsys := testutil.CreateFS(t, map[string]string{
+ "main.yaml": src,
+ })
+
+ files, err := New().ParseFS(context.TODO(), fsys, ".")
+ require.NoError(t, err)
+ require.Len(t, files, 1)
+
+ file := files[0]
+
+ res := file.GetResourceByLogicalID("TestBucket")
+
+ assert.True(t, res.GetProperty("PublicAccessBlockConfiguration.BlockPublicAcls").IsNil())
+}
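Review bot: Both new tests assert only that `GetProperty(...).IsNil()` is true, which presumably holds for a null YAML value even without the new `stripNullProperties` call, so they do not pin the behaviour this change adds. In `Test_TemplateWithNullNestedProperty` the null sits one level down, where the top-level filter never reaches it. I would assert in the first test that `BucketName` is no longer a key of the resource's top-level properties. A JSON template with a `null` property would also help, since the jfather branch goes through the same strip step.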
diff --git a/pkg/iac/scanners/cloudformation/scanner.go b/pkg/iac/scanners/cloudformation/scanner.go
index 0e3fec472b96..11ec8a5a06a2 100644
--- a/pkg/iac/scanners/cloudformation/scanner.go
+++ b/pkg/iac/scanners/cloudformation/scanner.go
@@ -8,9 +8,7 @@ import (
"sync"
adapter "github.com/aquasecurity/trivy/pkg/iac/adapters/cloudformation"
- "github.com/aquasecurity/trivy/pkg/iac/framework"
"github.com/aquasecurity/trivy/pkg/iac/rego"
- "github.com/aquasecurity/trivy/pkg/iac/rules"
"github.com/aquasecurity/trivy/pkg/iac/scan"
"github.com/aquasecurity/trivy/pkg/iac/scanners"
"github.com/aquasecurity/trivy/pkg/iac/scanners/cloudformation/parser"
@@ -47,33 +45,18 @@ var _ scanners.FSScanner = (*Scanner)(nil)
var _ options.ConfigurableScanner = (*Scanner)(nil)
type Scanner struct {
- mu sync.Mutex
- logger *log.Logger
- parser *parser.Parser
- regoScanner *rego.Scanner
- regoOnly bool
- options []options.ScannerOption
- parserOptions []parser.Option
- frameworks []framework.Framework
- includeDeprecatedChecks bool
-}
-
-func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {
- s.includeDeprecatedChecks = b
+ mu sync.Mutex
+ logger *log.Logger
+ parser *parser.Parser
+ regoScanner *rego.Scanner
+ options []options.ScannerOption
+ parserOptions []parser.Option
}
func (s *Scanner) addParserOption(opt parser.Option) {
s.parserOptions = append(s.parserOptions, opt)
}
-func (s *Scanner) SetFrameworks(frameworks []framework.Framework) {
- s.frameworks = frameworks
-}
-
-func (s *Scanner) SetRegoOnly(regoOnly bool) {
- s.regoOnly = regoOnly
-}
-
func (s *Scanner) Name() string {
return "CloudFormation"
}
@@ -161,41 +144,13 @@ func (s *Scanner) ScanFile(ctx context.Context, fsys fs.FS, path string) (scan.R
return results, nil
}
-func (s *Scanner) scanFileContext(ctx context.Context, regoScanner *rego.Scanner, cfCtx *parser.FileContext, fsys fs.FS) (results scan.Results, err error) {
+func (s *Scanner) scanFileContext(ctx context.Context, regoScanner *rego.Scanner, cfCtx *parser.FileContext, fsys fs.FS) (scan.Results, error) {
state := adapter.Adapt(*cfCtx)
if state == nil {
return nil, nil
}
- if !s.regoOnly {
- for _, rule := range rules.GetRegistered(s.frameworks...) {
- select {
- case <-ctx.Done():
- return nil, ctx.Err()
- default:
- }
-
- if !s.includeDeprecatedChecks && rule.Deprecated {
- continue // skip deprecated checks
- }
-
- evalResult := rule.Evaluate(state)
- if len(evalResult) > 0 {
- for _, scanResult := range evalResult {
-
- ref := scanResult.Metadata().Reference()
-
- if ref == "" && scanResult.Metadata().Parent() != nil {
- ref = scanResult.Metadata().Parent().Reference()
- }
-
- description := getDescription(scanResult, ref)
- scanResult.OverrideDescription(description)
- results = append(results, scanResult)
- }
- }
- }
- }
- regoResults, err := regoScanner.ScanInput(ctx, rego.Input{
+
+ results, err := regoScanner.ScanInput(ctx, rego.Input{
Path: cfCtx.Metadata().Range().GetFilename(),
FS: fsys,
Contents: state.ToRego(),
@@ -203,7 +158,6 @@ func (s *Scanner) scanFileContext(ctx context.Context, regoScanner *rego.Scanner
if err != nil {
return nil, fmt.Errorf("rego scan error: %w", err)
}
- results = append(results, regoResults...)
// ignore a result based on user input
results.Ignore(cfCtx.Ignores, nil)
@@ -217,14 +171,3 @@ func (s *Scanner) scanFileContext(ctx context.Context, regoScanner *rego.Scanner
return results, nil
}
-
-func getDescription(scanResult scan.Result, ref string) string {
- switch scanResult.Status() {
- case scan.StatusPassed:
- return fmt.Sprintf("Resource '%s' passed check: %s", ref, scanResult.Rule().Summary)
- case scan.StatusIgnored:
- return fmt.Sprintf("Resource '%s' had check ignored: %s", ref, scanResult.Rule().Summary)
- default:
- return scanResult.Description()
- }
-}
diff --git a/pkg/iac/scanners/cloudformation/scanner_test.go b/pkg/iac/scanners/cloudformation/scanner_test.go
index 67ee92cf69c3..36ed3724e160 100644
--- a/pkg/iac/scanners/cloudformation/scanner_test.go
+++ b/pkg/iac/scanners/cloudformation/scanner_test.go
@@ -12,7 +12,6 @@ import (
"github.com/aquasecurity/trivy/pkg/iac/framework"
"github.com/aquasecurity/trivy/pkg/iac/rego"
"github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/scanners/options"
)
func Test_BasicScan(t *testing.T) {
@@ -58,7 +57,7 @@ deny[res] {
`,
})
- scanner := New(rego.WithPolicyDirs("rules"), options.ScannerWithRegoOnly(true))
+ scanner := New(rego.WithPolicyDirs("rules"))
results, err := scanner.ScanFS(context.TODO(), fs, "code")
require.NoError(t, err)
@@ -79,10 +78,7 @@ deny[res] {
Severity: "CRITICAL",
Terraform: &scan.EngineMetadata{},
CloudFormation: &scan.EngineMetadata{},
- CustomChecks: scan.CustomChecks{
- Terraform: (*scan.TerraformCustomCheck)(nil),
- },
- RegoPackage: "data.builtin.dockerfile.DS006",
+ RegoPackage: "data.builtin.dockerfile.DS006",
Frameworks: map[framework.Framework][]string{
framework.Default: {},
},
@@ -215,7 +211,6 @@ Resources:
})
scanner := New(
- options.ScannerWithRegoOnly(true),
rego.WithEmbeddedPolicies(false),
rego.WithPolicyReader(strings.NewReader(bucketNameCheck)),
rego.WithPolicyNamespaces("user"),
diff --git a/pkg/iac/scanners/dockerfile/scanner_test.go b/pkg/iac/scanners/dockerfile/scanner_test.go
index e8c66b27db08..3182b6d02e6f 100644
--- a/pkg/iac/scanners/dockerfile/scanner_test.go
+++ b/pkg/iac/scanners/dockerfile/scanner_test.go
@@ -249,9 +249,7 @@ USER root
Severity: "CRITICAL",
Terraform: &scan.EngineMetadata{},
CloudFormation: &scan.EngineMetadata{},
- CustomChecks: scan.CustomChecks{
- Terraform: (*scan.TerraformCustomCheck)(nil)},
- RegoPackage: "data.builtin.dockerfile.DS006",
+ RegoPackage: "data.builtin.dockerfile.DS006",
Frameworks: map[framework.Framework][]string{
framework.Default: {},
},
@@ -600,9 +598,7 @@ COPY --from=dep /binary /`
Severity: "CRITICAL",
Terraform: &scan.EngineMetadata{},
CloudFormation: &scan.EngineMetadata{},
- CustomChecks: scan.CustomChecks{
- Terraform: (*scan.TerraformCustomCheck)(nil)},
- RegoPackage: "data.builtin.dockerfile.DS006",
+ RegoPackage: "data.builtin.dockerfile.DS006",
Frameworks: map[framework.Framework][]string{
framework.Default: {},
},
diff --git a/pkg/iac/scanners/generic/scanner.go b/pkg/iac/scanners/generic/scanner.go
index 5a36709d9a04..90f0103f719d 100644
--- a/pkg/iac/scanners/generic/scanner.go
+++ b/pkg/iac/scanners/generic/scanner.go
@@ -14,7 +14,6 @@ import (
"github.com/BurntSushi/toml"
"gopkg.in/yaml.v3"
- "github.com/aquasecurity/trivy/pkg/iac/framework"
"github.com/aquasecurity/trivy/pkg/iac/rego"
"github.com/aquasecurity/trivy/pkg/iac/scan"
"github.com/aquasecurity/trivy/pkg/iac/scanners/options"
@@ -174,10 +173,6 @@ func (s *GenericScanner) initRegoScanner(srcFS fs.FS) (*rego.Scanner, error) {
return regoScanner, nil
}
-func (*GenericScanner) SetRegoOnly(bool) {}
-func (*GenericScanner) SetIncludeDeprecatedChecks(bool) {}
-func (*GenericScanner) SetFrameworks([]framework.Framework) {}
-
func parseJson(ctx context.Context, r io.Reader, _ string) (any, error) {
var target any
if err := json.NewDecoder(r).Decode(&target); err != nil {
diff --git a/pkg/iac/scanners/generic/scanner_test.go b/pkg/iac/scanners/generic/scanner_test.go
index 46d0eef1653a..1bb637ac5a83 100644
--- a/pkg/iac/scanners/generic/scanner_test.go
+++ b/pkg/iac/scanners/generic/scanner_test.go
@@ -69,10 +69,7 @@ deny[res] {
Severity: "CRITICAL",
Terraform: &scan.EngineMetadata{},
CloudFormation: &scan.EngineMetadata{},
- CustomChecks: scan.CustomChecks{
- Terraform: (*scan.TerraformCustomCheck)(nil),
- },
- RegoPackage: "data.builtin.json.lol",
+ RegoPackage: "data.builtin.json.lol",
Frameworks: map[framework.Framework][]string{
framework.Default: {},
},
@@ -141,9 +138,7 @@ deny[res] {
Severity: "CRITICAL",
Terraform: &scan.EngineMetadata{},
CloudFormation: &scan.EngineMetadata{},
- CustomChecks: scan.CustomChecks{
- Terraform: (*scan.TerraformCustomCheck)(nil)},
- RegoPackage: "data.builtin.yaml.lol",
+ RegoPackage: "data.builtin.yaml.lol",
Frameworks: map[framework.Framework][]string{
framework.Default: {},
},
@@ -211,9 +206,7 @@ deny[res] {
Severity: "CRITICAL",
Terraform: &scan.EngineMetadata{},
CloudFormation: &scan.EngineMetadata{},
- CustomChecks: scan.CustomChecks{
- Terraform: (*scan.TerraformCustomCheck)(nil)},
- RegoPackage: "data.builtin.toml.lol",
+ RegoPackage: "data.builtin.toml.lol",
Frameworks: map[framework.Framework][]string{
framework.Default: {},
},
diff --git a/pkg/iac/scanners/helm/scanner.go b/pkg/iac/scanners/helm/scanner.go
index daf8f3108628..6891606d908a 100644
--- a/pkg/iac/scanners/helm/scanner.go
+++ b/pkg/iac/scanners/helm/scanner.go
@@ -12,7 +12,6 @@ import (
"github.com/liamg/memoryfs"
"github.com/aquasecurity/trivy/pkg/iac/detection"
- "github.com/aquasecurity/trivy/pkg/iac/framework"
"github.com/aquasecurity/trivy/pkg/iac/rego"
"github.com/aquasecurity/trivy/pkg/iac/scan"
"github.com/aquasecurity/trivy/pkg/iac/scanners"
@@ -34,10 +33,6 @@ type Scanner struct {
regoScanner *rego.Scanner
}
-func (s *Scanner) SetIncludeDeprecatedChecks(bool) {}
-func (s *Scanner) SetRegoOnly(bool) {}
-func (s *Scanner) SetFrameworks(frameworks []framework.Framework) {}
-
// New creates a new Scanner
func New(opts ...options.ScannerOption) *Scanner {
s := &Scanner{
diff --git a/pkg/iac/scanners/options/scanner.go b/pkg/iac/scanners/options/scanner.go
index a9561d95130a..420909095bd8 100644
--- a/pkg/iac/scanners/options/scanner.go
+++ b/pkg/iac/scanners/options/scanner.go
@@ -1,31 +1,5 @@
package options
-import (
- "github.com/aquasecurity/trivy/pkg/iac/framework"
-)
-
-type ConfigurableScanner interface {
- SetFrameworks(frameworks []framework.Framework)
- SetRegoOnly(regoOnly bool)
- SetIncludeDeprecatedChecks(bool)
-}
-
-func ScannerWithIncludeDeprecatedChecks(enabled bool) ScannerOption {
- return func(s ConfigurableScanner) {
- s.SetIncludeDeprecatedChecks(enabled)
- }
-}
+type ConfigurableScanner any
type ScannerOption func(s ConfigurableScanner)
-
-func ScannerWithFrameworks(frameworks ...framework.Framework) ScannerOption {
- return func(s ConfigurableScanner) {
- s.SetFrameworks(frameworks)
- }
-}
-
-func ScannerWithRegoOnly(regoOnly bool) ScannerOption {
- return func(s ConfigurableScanner) {
- s.SetRegoOnly(regoOnly)
- }
-}
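Review bot: With `type ConfigurableScanner any`, the type no longer constrains anything, so the `var _ options.ConfigurableScanner = (*Scanner)(nil)` assertions kept in the scanner files are now vacuous. Every `ScannerOption` has to type-assert its argument at runtime. If an option silently does nothing when the assertion fails (not visible in this hunk), a scanner could run with fewer policies or namespaces than the caller asked for, with no error. I would document the contract on the type, for example `// ConfigurableScanner is untyped; each ScannerOption must type-assert the scanner it supports and report a mismatch.`, and drop the compile-time assertions that no longer check anything.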
diff --git a/pkg/iac/scanners/terraform/count_test.go b/pkg/iac/scanners/terraform/count_test.go
index 89aadbbf82c8..fbedaeed5a97 100644
--- a/pkg/iac/scanners/terraform/count_test.go
+++ b/pkg/iac/scanners/terraform/count_test.go
@@ -1,57 +1,54 @@
package terraform
import (
+ "strings"
"testing"
"github.com/stretchr/testify/assert"
"github.com/aquasecurity/trivy/internal/testutil"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/rules"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/terraform"
+ "github.com/aquasecurity/trivy/pkg/iac/rego"
)
func Test_ResourcesWithCount(t *testing.T) {
var tests = []struct {
- name string
- source string
- expectedResults int
+ name string
+ source string
+ expected int
}{
{
name: "unspecified count defaults to 1",
source: `
- resource "bad" "this" {}
+ resource "aws_s3_bucket" "test" {}
`,
- expectedResults: 1,
+ expected: 1,
},
{
name: "count is literal 1",
source: `
- resource "bad" "this" {
+ resource "aws_s3_bucket" "test" {
count = 1
}
`,
- expectedResults: 1,
+ expected: 1,
},
{
name: "count is literal 99",
source: `
- resource "bad" "this" {
+ resource "aws_s3_bucket" "test" {
count = 99
}
`,
- expectedResults: 99,
+ expected: 99,
},
{
name: "count is literal 0",
source: `
- resource "bad" "this" {
+ resource "aws_s3_bucket" "test" {
count = 0
}
`,
- expectedResults: 0,
+ expected: 0,
},
{
name: "count is 0 from variable",
@@ -59,11 +56,11 @@ func Test_ResourcesWithCount(t *testing.T) {
variable "count" {
default = 0
}
- resource "bad" "this" {
+ resource "aws_s3_bucket" "test" {
count = var.count
}
`,
- expectedResults: 0,
+ expected: 0,
},
{
name: "count is 1 from variable",
@@ -71,22 +68,22 @@ func Test_ResourcesWithCount(t *testing.T) {
variable "count" {
default = 1
}
- resource "bad" "this" {
+ resource "aws_s3_bucket" "test" {
count = var.count
}
`,
- expectedResults: 1,
+ expected: 1,
},
{
name: "count is 1 from variable without default",
source: `
variable "count" {
}
- resource "bad" "this" {
+ resource "aws_s3_bucket" "test" {
count = var.count
}
`,
- expectedResults: 1,
+ expected: 1,
},
{
name: "count is 0 from conditional",
@@ -94,11 +91,11 @@ func Test_ResourcesWithCount(t *testing.T) {
variable "enabled" {
default = false
}
- resource "bad" "this" {
+ resource "aws_s3_bucket" "test" {
count = var.enabled ? 1 : 0
}
`,
- expectedResults: 0,
+ expected: 0,
},
{
name: "count is 1 from conditional",
@@ -106,11 +103,11 @@ func Test_ResourcesWithCount(t *testing.T) {
variable "enabled" {
default = true
}
- resource "bad" "this" {
+ resource "aws_s3_bucket" "test" {
count = var.enabled ? 1 : 0
}
`,
- expectedResults: 1,
+ expected: 1,
},
{
name: "issue 962",
@@ -120,18 +117,18 @@ func Test_ResourcesWithCount(t *testing.T) {
ok = true
}
- resource "bad" "bad" {
- secure = something.else[0].ok
+ resource "aws_s3_bucket" "test" {
+ bucket = something.else[0].ok ? "test" : ""
}
`,
- expectedResults: 0,
+ expected: 0,
},
{
name: "Test use of count.index",
source: `
-resource "bad" "thing" {
+resource "aws_s3_bucket" "test" {
count = 1
- secure = var.things[count.index]["ok"]
+ bucket = var.things[count.index]["ok"] ? "test" : ""
}
variable "things" {
@@ -145,49 +142,23 @@ variable "things" {
]
}
`,
- expectedResults: 0,
+ expected: 0,
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
- r1 := scan.Rule{
- Provider: providers.AWSProvider,
- Service: "service",
- ShortCode: "abc123",
- Severity: severity.High,
- CustomChecks: scan.CustomChecks{
- Terraform: &scan.TerraformCustomCheck{
- RequiredLabels: []string{"bad"},
- Check: func(resourceBlock *terraform.Block, _ *terraform.Module) (results scan.Results) {
- if resourceBlock.GetAttribute("secure").IsTrue() {
- return
- }
- results.Add(
- "example problem",
- resourceBlock,
- )
- return
- },
- },
- },
- }
- reg := rules.Register(r1)
- defer rules.Deregister(reg)
- results := scanHCL(t, test.source)
- var include string
- var exclude string
- if test.expectedResults > 0 {
- include = r1.LongID()
+ results := scanHCL(t, test.source,
+ rego.WithPolicyReader(strings.NewReader(emptyBucketCheck)),
+ rego.WithPolicyNamespaces("user"),
+ )
+
+ assert.Len(t, results.GetFailed(), test.expected)
+
+ if test.expected > 0 {
+ testutil.AssertRuleFound(t, "aws-s3-non-empty-bucket", results, "false negative found")
} else {
- exclude = r1.LongID()
- }
- assert.Len(t, results.GetFailed(), test.expectedResults)
- if include != "" {
- testutil.AssertRuleFound(t, include, results, "false negative found")
- }
- if exclude != "" {
- testutil.AssertRuleNotFound(t, exclude, results, "false positive found")
+ testutil.AssertRuleNotFound(t, "aws-s3-non-empty-bucket", results, "false positive found")
}
})
}
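Review bot: `assert.Len(t, results.GetFailed(), test.expected)` counts every failed result, not only those from `aws-s3-non-empty-bucket`, so the table is correct only if `scanHCL` runs with embedded checks disabled. That is not visible in this hunk, whereas the CloudFormation test passes `rego.WithEmbeddedPolicies(false)` explicitly. If built-in S3 checks were loaded, the expected counts of 1 and 99 would be off. Either pass that option here or count only results whose rule ID matches. The same applies to `require.Len(t, results.GetFailed(), 2)` in deterministic_test.go. The rule ID literal also appears twice and could be a constant declared beside `emptyBucketCheck`.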
diff --git a/pkg/iac/scanners/terraform/deterministic_test.go b/pkg/iac/scanners/terraform/deterministic_test.go
index ccf2b7123e0c..c0e45fa8d8d8 100644
--- a/pkg/iac/scanners/terraform/deterministic_test.go
+++ b/pkg/iac/scanners/terraform/deterministic_test.go
@@ -1,27 +1,20 @@
package terraform
import (
- "context"
+ "strings"
"testing"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy/internal/testutil"
- "github.com/aquasecurity/trivy/pkg/iac/rules"
- "github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/executor"
- "github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser"
+ "github.com/aquasecurity/trivy/pkg/iac/rego"
)
func Test_DeterministicResults(t *testing.T) {
-
- reg := rules.Register(badRule)
- defer rules.Deregister(reg)
-
- fs := testutil.CreateFS(t, map[string]string{
+ fsys := testutil.CreateFS(t, map[string]string{
"first.tf": `
-resource "problem" "uhoh" {
- bad = true
- for_each = other.thing
+resource "aws_s3_bucket" "test" {
+ for_each = other.thing
}
`,
"second.tf": `
@@ -40,12 +33,11 @@ locals {
})
for i := 0; i < 100; i++ {
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), ".")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
+ results, err := scanFS(fsys, ".",
+ rego.WithPolicyReader(strings.NewReader(emptyBucketCheck)),
+ rego.WithPolicyNamespaces("user"),
+ )
require.NoError(t, err)
- results, _ := executor.New().Execute(modules)
require.Len(t, results.GetFailed(), 2)
}
}
diff --git a/pkg/iac/scanners/terraform/executor/executor.go b/pkg/iac/scanners/terraform/executor/executor.go
index 8e14f778e5b4..2714d50be6fe 100644
--- a/pkg/iac/scanners/terraform/executor/executor.go
+++ b/pkg/iac/scanners/terraform/executor/executor.go
@@ -1,41 +1,33 @@
package executor
import (
+ "context"
"fmt"
- "runtime"
"sort"
- "github.com/samber/lo"
"github.com/zclconf/go-cty/cty"
adapter "github.com/aquasecurity/trivy/pkg/iac/adapters/terraform"
- "github.com/aquasecurity/trivy/pkg/iac/framework"
"github.com/aquasecurity/trivy/pkg/iac/ignore"
"github.com/aquasecurity/trivy/pkg/iac/rego"
- "github.com/aquasecurity/trivy/pkg/iac/rules"
"github.com/aquasecurity/trivy/pkg/iac/scan"
"github.com/aquasecurity/trivy/pkg/iac/terraform"
"github.com/aquasecurity/trivy/pkg/iac/types"
- ruleTypes "github.com/aquasecurity/trivy/pkg/iac/types/rules"
"github.com/aquasecurity/trivy/pkg/log"
)
// Executor scans HCL blocks by running all registered rules against them
type Executor struct {
- workspaceName string
- logger *log.Logger
- resultsFilters []func(scan.Results) scan.Results
- regoScanner *rego.Scanner
- regoOnly bool
- includeDeprecatedChecks bool
- frameworks []framework.Framework
+ workspaceName string
+ logger *log.Logger
+ resultsFilters []func(scan.Results) scan.Results
+ regoScanner *rego.Scanner
}
// New creates a new Executor
func New(options ...Option) *Executor {
s := &Executor{
- regoOnly: false,
- logger: log.WithPrefix("terraform executor"),
+ logger: log.WithPrefix("terraform executor"),
}
for _, option := range options {
option(s)
@@ -43,31 +35,16 @@ func New(options ...Option) *Executor {
return s
}
-func (e *Executor) Execute(modules terraform.Modules) (scan.Results, error) {
+func (e *Executor) Execute(ctx context.Context, modules terraform.Modules, basePath string) (scan.Results, error) {
e.logger.Debug("Adapting modules...")
infra := adapter.Adapt(modules)
e.logger.Debug("Adapted module(s) into state data.", log.Int("count", len(modules)))
- threads := runtime.NumCPU()
- if threads > 1 {
- threads--
- }
-
- e.logger.Debug("Using max routines", log.Int("count", threads))
-
- registeredRules := lo.Filter(rules.GetRegistered(e.frameworks...), func(r ruleTypes.RegisteredRule, _ int) bool {
- if !e.includeDeprecatedChecks && r.Deprecated {
- return false // skip deprecated checks
- }
-
- return true
+ results, err := e.regoScanner.ScanInput(ctx, rego.Input{
+ Contents: infra.ToRego(),
+ Path: basePath,
})
- e.logger.Debug("Initialized Go check(s).", log.Int("count", len(registeredRules)))
-
- pool := NewPool(threads, registeredRules, modules, infra, e.regoScanner, e.regoOnly)
-
- results, err := pool.Run()
if err != nil {
return nil, err
}
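Review bot: `e.regoScanner.ScanInput` is now called unconditionally, but `New()` leaves `regoScanner` nil unless `OptionWithRegoScanner` is passed, and the deleted `Pool.Run` guarded this with `if p.rs != nil`. Unless `ScanInput` tolerates a nil receiver (not visible here), an Executor built without that option will panic instead of returning an error. A guard at the top of Execute would cover it: `if e.regoScanner == nil { return nil, fmt.Errorf("rego scanner is not set") }`. The type comment `// Executor scans HCL blocks by running all registered rules against them` is also stale now that only Rego checks run, and could read `// Executor adapts Terraform modules to state and scans it with the Rego scanner`. Execute continues past the end of this hunk.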
diff --git a/pkg/iac/scanners/terraform/executor/executor_test.go b/pkg/iac/scanners/terraform/executor/executor_test.go
deleted file mode 100644
index 838701d163f4..000000000000
--- a/pkg/iac/scanners/terraform/executor/executor_test.go
+++ /dev/null
@@ -1,132 +0,0 @@
-package executor
-
-import (
- "context"
- "testing"
-
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
-
- "github.com/aquasecurity/trivy/internal/testutil"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/rules"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/terraform"
-)
-
-var panicRule = scan.Rule{
- Provider: providers.AWSProvider,
- Service: "service",
- ShortCode: "abc",
- Severity: severity.High,
- CustomChecks: scan.CustomChecks{
- Terraform: &scan.TerraformCustomCheck{
- RequiredTypes: []string{"resource"},
- RequiredLabels: []string{"problem"},
- Check: func(resourceBlock *terraform.Block, _ *terraform.Module) (results scan.Results) {
- if resourceBlock.GetAttribute("panic").IsTrue() {
- panic("This is fine")
- }
- return
- },
- },
- },
-}
-
-func Test_PanicInCheckNotAllowed(t *testing.T) {
-
- reg := rules.Register(panicRule)
- defer rules.Deregister(reg)
-
- fs := testutil.CreateFS(t, map[string]string{
- "project/main.tf": `
-resource "problem" "this" {
- panic = true
-}
-`,
- })
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, err := New().Execute(modules)
- require.Error(t, err)
-
- assert.Empty(t, results.GetFailed())
-}
-
-func Test_PanicInCheckAllowed(t *testing.T) {
-
- reg := rules.Register(panicRule)
- defer rules.Deregister(reg)
-
- fs := testutil.CreateFS(t, map[string]string{
- "project/main.tf": `
-resource "problem" "this" {
- panic = true
-}
-`,
- })
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
-
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
- _, err = New().Execute(modules)
- require.Error(t, err)
-}
-
-func Test_PanicNotInCheckNotIncludePassed(t *testing.T) {
-
- reg := rules.Register(panicRule)
- defer rules.Deregister(reg)
-
- fs := testutil.CreateFS(t, map[string]string{
- "project/main.tf": `
-resource "problem" "this" {
- panic = true
-}
-`,
- })
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, _ := New().Execute(modules)
- require.NoError(t, err)
-
- assert.Empty(t, results.GetFailed())
-}
-
-func Test_PanicNotInCheckNotIncludePassedStopOnError(t *testing.T) {
-
- reg := rules.Register(panicRule)
- defer rules.Deregister(reg)
-
- fs := testutil.CreateFS(t, map[string]string{
- "project/main.tf": `
-resource "problem" "this" {
- panic = true
-}
-`,
- })
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- _, err = New().Execute(modules)
- require.Error(t, err)
-}
diff --git a/pkg/iac/scanners/terraform/executor/option.go b/pkg/iac/scanners/terraform/executor/option.go
index 70dd1a9520c3..65a6180d7e67 100644
--- a/pkg/iac/scanners/terraform/executor/option.go
+++ b/pkg/iac/scanners/terraform/executor/option.go
@@ -1,19 +1,12 @@
package executor
import (
- "github.com/aquasecurity/trivy/pkg/iac/framework"
"github.com/aquasecurity/trivy/pkg/iac/rego"
"github.com/aquasecurity/trivy/pkg/iac/scan"
)
type Option func(s *Executor)
-func OptionWithFrameworks(frameworks ...framework.Framework) Option {
- return func(s *Executor) {
- s.frameworks = frameworks
- }
-}
-
func OptionWithResultsFilter(f func(scan.Results) scan.Results) Option {
return func(s *Executor) {
s.resultsFilters = append(s.resultsFilters, f)
@@ -31,15 +24,3 @@ func OptionWithRegoScanner(s *rego.Scanner) Option {
e.regoScanner = s
}
}
-
-func OptionWithRegoOnly(regoOnly bool) Option {
- return func(e *Executor) {
- e.regoOnly = regoOnly
- }
-}
-
-func OptionWithIncludeDeprecatedChecks(b bool) Option {
- return func(e *Executor) {
- e.includeDeprecatedChecks = b
- }
-}
diff --git a/pkg/iac/scanners/terraform/executor/pool.go b/pkg/iac/scanners/terraform/executor/pool.go
deleted file mode 100644
index cc2091ff71ed..000000000000
--- a/pkg/iac/scanners/terraform/executor/pool.go
+++ /dev/null
@@ -1,289 +0,0 @@
-package executor
-
-import (
- "context"
- "fmt"
- "os"
- "path/filepath"
- runtimeDebug "runtime/debug"
- "strings"
- "sync"
-
- "github.com/aquasecurity/trivy/pkg/iac/rego"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/state"
- "github.com/aquasecurity/trivy/pkg/iac/terraform"
- types "github.com/aquasecurity/trivy/pkg/iac/types/rules"
-)
-
-type Pool struct {
- size int
- modules terraform.Modules
- state *state.State
- rules []types.RegisteredRule
- rs *rego.Scanner
- regoOnly bool
-}
-
-func NewPool(size int, rules []types.RegisteredRule, modules terraform.Modules, st *state.State, regoScanner *rego.Scanner, regoOnly bool) *Pool {
- return &Pool{
- size: size,
- rules: rules,
- state: st,
- modules: modules,
- rs: regoScanner,
- regoOnly: regoOnly,
- }
-}
-
-// Run runs the job in the pool - this will only return an error if a job panics
-func (p *Pool) Run() (scan.Results, error) {
-
- outgoing := make(chan Job, p.size*2)
-
- var workers []*Worker
- for i := 0; i < p.size; i++ {
- worker := NewWorker(outgoing)
- go worker.Start()
- workers = append(workers, worker)
- }
-
- if p.rs != nil {
- var basePath string
- if len(p.modules) > 0 {
- basePath = p.modules[0].RootPath()
- }
- outgoing <- ®oJob{
- state: p.state,
- scanner: p.rs,
- basePath: basePath,
- }
- }
-
- if !p.regoOnly {
- for _, r := range p.rules {
- if r.GetRule().CustomChecks.Terraform != nil && r.GetRule().CustomChecks.Terraform.Check != nil {
- // run local hcl rule
- for _, module := range p.modules {
- mod := *module
- outgoing <- &hclModuleRuleJob{
- module: &mod,
- rule: r,
- }
- }
- } else {
- // run defsec rule
- outgoing <- &infraRuleJob{
- state: p.state,
- rule: r,
- }
- }
- }
- }
-
- close(outgoing)
-
- var results scan.Results
- for _, worker := range workers {
- results = append(results, worker.Wait()...)
- if err := worker.Error(); err != nil {
- return nil, err
- }
- }
-
- return results, nil
-}
-
-type Job interface {
- Run() (scan.Results, error)
-}
-
-type infraRuleJob struct {
- state *state.State
- rule types.RegisteredRule
-}
-
-type hclModuleRuleJob struct {
- module *terraform.Module
- rule types.RegisteredRule
-}
-
-type regoJob struct {
- state *state.State
- scanner *rego.Scanner
- basePath string
-}
-
-func (h *infraRuleJob) Run() (_ scan.Results, err error) {
- defer func() {
- if panicErr := recover(); panicErr != nil {
- err = fmt.Errorf("%s\n%s", panicErr, string(runtimeDebug.Stack()))
- }
- }()
-
- return h.rule.Evaluate(h.state), err
-}
-
-func (h *hclModuleRuleJob) Run() (results scan.Results, err error) {
- defer func() {
- if panicErr := recover(); panicErr != nil {
- err = fmt.Errorf("%s\n%s", panicErr, string(runtimeDebug.Stack()))
- }
- }()
- customCheck := h.rule.GetRule().CustomChecks.Terraform
- for _, block := range h.module.GetBlocks() {
- if !isCustomCheckRequiredForBlock(customCheck, block) {
- continue
- }
- results = append(results, customCheck.Check(block, h.module)...)
- }
- results.SetRule(h.rule.GetRule())
- return
-}
-
-func (h *regoJob) Run() (results scan.Results, err error) {
- regoResults, err := h.scanner.ScanInput(context.TODO(), rego.Input{
- Contents: h.state.ToRego(),
- Path: h.basePath,
- })
- if err != nil {
- return nil, fmt.Errorf("rego scan error: %w", err)
- }
- return regoResults, nil
-}
-
-// nolint
-func isCustomCheckRequiredForBlock(custom *scan.TerraformCustomCheck, b *terraform.Block) bool {
-
- var found bool
- for _, requiredType := range custom.RequiredTypes {
- if b.Type() == requiredType {
- found = true
- break
- }
- }
- if !found && len(custom.RequiredTypes) > 0 {
- return false
- }
-
- found = false
- for _, requiredLabel := range custom.RequiredLabels {
- if requiredLabel == "*" || (len(b.Labels()) > 0 && wildcardMatch(requiredLabel, b.TypeLabel())) {
- found = true
- break
- }
- }
- if !found && len(custom.RequiredLabels) > 0 {
- return false
- }
-
- found = false
- if len(custom.RequiredSources) > 0 && b.Type() == terraform.TypeModule.Name() {
- if sourceAttr := b.GetAttribute("source"); sourceAttr.IsNotNil() {
- values := sourceAttr.AsStringValues().AsStrings()
- if len(values) == 0 {
- return false
- }
- sourcePath := values[0]
-
- // resolve module source path to path relative to cwd
- if strings.HasPrefix(sourcePath, ".") {
- sourcePath = cleanPathRelativeToWorkingDir(filepath.Dir(b.GetMetadata().Range().GetFilename()), sourcePath)
- }
-
- for _, requiredSource := range custom.RequiredSources {
- if requiredSource == "*" || wildcardMatch(requiredSource, sourcePath) {
- found = true
- break
- }
- }
- }
- return found
- }
-
- return true
-}
-
-func cleanPathRelativeToWorkingDir(dir, path string) string {
- absPath := filepath.Clean(filepath.Join(dir, path))
- wDir, err := os.Getwd()
- if err != nil {
- return absPath
- }
- relPath, err := filepath.Rel(wDir, absPath)
- if err != nil {
- return absPath
- }
- return relPath
-}
-
-func wildcardMatch(pattern, subject string) bool {
- if pattern == "" {
- return false
- }
- parts := strings.Split(pattern, "*")
- var lastIndex int
- for i, part := range parts {
- if part == "" {
- continue
- }
- if i == 0 {
- if !strings.HasPrefix(subject, part) {
- return false
- }
- }
- if i == len(parts)-1 {
- if !strings.HasSuffix(subject, part) {
- return false
- }
- }
- newIndex := strings.Index(subject, part)
- if newIndex < lastIndex {
- return false
- }
- lastIndex = newIndex
- }
- return true
-}
-
-type Worker struct {
- incoming <-chan Job
- mu sync.Mutex
- results scan.Results
- panic any
-}
-
-func NewWorker(incoming <-chan Job) *Worker {
- w := &Worker{
- incoming: incoming,
- }
- w.mu.Lock()
- return w
-}
-
-func (w *Worker) Start() {
- defer w.mu.Unlock()
- w.results = nil
- for job := range w.incoming {
- func() {
- results, err := job.Run()
- if err != nil {
- w.panic = err
- }
- w.results = append(w.results, results...)
- }()
- }
-}
-
-func (w *Worker) Wait() scan.Results {
- w.mu.Lock()
- defer w.mu.Unlock()
- return w.results
-}
-
-func (w *Worker) Error() error {
- if w.panic == nil {
- return nil
- }
- return fmt.Errorf("job failed: %s", w.panic)
-}
diff --git a/pkg/iac/scanners/terraform/ignore_test.go b/pkg/iac/scanners/terraform/ignore_test.go
index a42abc323d31..7ef6d09d9ca7 100644
--- a/pkg/iac/scanners/terraform/ignore_test.go
+++ b/pkg/iac/scanners/terraform/ignore_test.go
@@ -1,7 +1,6 @@
package terraform
import (
- "context"
"fmt"
"strings"
"testing"
@@ -10,688 +9,278 @@ import (
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy/internal/testutil"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
"github.com/aquasecurity/trivy/pkg/iac/rego"
- "github.com/aquasecurity/trivy/pkg/iac/rules"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/scanners/options"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/terraform"
)
-var exampleRule = scan.Rule{
- Provider: providers.AWSProvider,
- Service: "service",
- ShortCode: "abc123",
- AVDID: "AWS-ABC-123",
- Aliases: []string{"aws-other-abc123"},
- Severity: severity.High,
- CustomChecks: scan.CustomChecks{
- Terraform: &scan.TerraformCustomCheck{
- RequiredLabels: []string{"bad"},
- Check: func(resourceBlock *terraform.Block, _ *terraform.Module) (results scan.Results) {
- if attr, _ := resourceBlock.GetNestedAttribute("secure_settings.enabled"); attr.IsNotNil() {
- if attr.IsFalse() {
- results.Add("example problem", attr)
- }
- } else {
- attr := resourceBlock.GetAttribute("secure")
- if attr.IsNil() {
- results.Add("example problem", resourceBlock)
- }
- if attr.IsFalse() {
- results.Add("example problem", attr)
- }
- }
- return
- },
- },
- },
-}
-
func Test_IgnoreAll(t *testing.T) {
var testCases = []struct {
name string
- inputOptions string
+ source string
assertLength int
}{
{
- name: "IgnoreAll",
- inputOptions: `
-resource "bad" "my-rule" {
- secure = false // tfsec:ignore:*
-}
-`,
+ name: "inline rule ignore all checks",
+ source: `resource "aws_s3_bucket" "test" {
+ bucket = "" // %s:ignore:*
+}`,
assertLength: 0,
},
{
- name: "IgnoreLineAboveTheBlock",
- inputOptions: `
-// tfsec:ignore:*
-resource "bad" "my-rule" {
- secure = false
-}
-`,
+ name: "rule above block ignore all checks",
+ source: `// %s:ignore:*
+resource "aws_s3_bucket" "test" {}`,
assertLength: 0,
},
{
- name: "IgnoreLineAboveTheBlockMatchingParamBool",
- inputOptions: `
-// tfsec:ignore:*[secure=false]
-resource "bad" "my-rule" {
- secure = false
-}
-`,
+ name: "rule above block with boolean parameter",
+ source: `// %s:ignore:*[object_lock_enabled=false]
+resource "aws_s3_bucket" "test" {
+ object_lock_enabled = false
+}`,
assertLength: 0,
},
{
- name: "IgnoreLineAboveTheBlockNotMatchingParamBool",
- inputOptions: `
-// tfsec:ignore:*[secure=true]
-resource "bad" "my-rule" {
- secure = false
-}
-`,
+ name: "rule above block with non-matching boolean parameter",
+ source: `// %s:ignore:*[object_lock_enabled=false]
+resource "aws_s3_bucket" "test" {
+ object_lock_enabled = true
+}`,
assertLength: 1,
},
{
- name: "IgnoreLineAboveTheBlockMatchingParamString",
- inputOptions: `
-// tfsec:ignore:*[name=myrule]
-resource "bad" "my-rule" {
- name = "myrule"
- secure = false
-}
-`,
+ name: "rule above block with string parameter",
+ source: `// %s:ignore:*[acl=private]
+resource "aws_s3_bucket" "test" {
+ acl = "private"
+}`,
assertLength: 0,
},
{
- name: "IgnoreLineAboveTheBlockNotMatchingParamString",
- inputOptions: `
-// tfsec:ignore:*[name=myrule2]
-resource "bad" "my-rule" {
- name = "myrule"
- secure = false
-}
-`,
+ name: "rule above block with non-matching string parameter",
+ source: `// %s:ignore:*[acl=private]
+resource "aws_s3_bucket" "test" {
+ acl = "public"
+}`,
assertLength: 1,
},
{
- name: "IgnoreLineAboveTheBlockMatchingParamInt",
- inputOptions: `
-// tfsec:ignore:*[port=123]
-resource "bad" "my-rule" {
- secure = false
- port = 123
-}
-`,
+ name: "rule above block with int parameter",
+ source: `// %s:ignore:*[some_int=123]
+resource "aws_s3_bucket" "test" {
+ some_int = 123
+}`,
assertLength: 0,
},
{
- name: "IgnoreLineAboveTheBlockNotMatchingParamInt",
- inputOptions: `
-// tfsec:ignore:*[port=456]
-resource "bad" "my-rule" {
- secure = false
- port = 123
-}
-`,
+ name: "rule above block with non-matching int parameter",
+ source: `// %s:ignore:*[some_int=456]
+resource "aws_s3_bucket" "test" {
+ some_int = 123
+}`,
assertLength: 1,
},
{
- name: "IgnoreLineStackedAboveTheBlock",
- inputOptions: `
-// tfsec:ignore:*
-// tfsec:ignore:a
-// tfsec:ignore:b
-// tfsec:ignore:c
-// tfsec:ignore:d
-resource "bad" "my-rule" {
- secure = false
-}
+ name: "stacked rules above block",
+ source: `// %s:ignore:*
+// %s:ignore:a
+// %s:ignore:b
+// %s:ignore:c
+// %s:ignore:d
+resource "aws_s3_bucket" "test" {}
`,
assertLength: 0,
},
{
- name: "IgnoreLineStackedAboveTheBlockWithoutMatch",
- inputOptions: `
-#tfsec:ignore:*
+ name: "stacked rules above block without a match",
+ source: `#%s:ignore:*
-#tfsec:ignore:x
-#tfsec:ignore:a
-#tfsec:ignore:b
-#tfsec:ignore:c
-#tfsec:ignore:d
-resource "bad" "my-rule" {
- secure = false
-}
+#%s:ignore:x
+#%s:ignore:a
+#%s:ignore:b
+#%s:ignore:c
+#%s:ignore:d
+resource "aws_s3_bucket" "test" {}
`,
assertLength: 1,
},
{
- name: "IgnoreLineStackedAboveTheBlockWithHashesWithoutSpaces",
- inputOptions: `
-#tfsec:ignore:*
-#tfsec:ignore:a
-#tfsec:ignore:b
-#tfsec:ignore:c
-#tfsec:ignore:d
-resource "bad" "my-rule" {
- secure = false
-}
-`,
- assertLength: 0,
- },
- {
- name: "IgnoreLineStackedAboveTheBlockWithoutSpaces",
- inputOptions: `
-//tfsec:ignore:*
-//tfsec:ignore:a
-//tfsec:ignore:b
-//tfsec:ignore:c
-//tfsec:ignore:d
-resource "bad" "my-rule" {
- secure = false
-}
+ name: "stacked rules above block without spaces between '#' comments",
+ source: `#%s:ignore:*
+#%s:ignore:a
+#%s:ignore:b
+#%s:ignore:c
+#%s:ignore:d
+resource "aws_s3_bucket" "test" {}
`,
assertLength: 0,
},
{
- name: "IgnoreLineAboveTheLine",
- inputOptions: `
-resource "bad" "my-rule" {
- # tfsec:ignore:aws-service-abc123
- secure = false
-}
+ name: "stacked rules above block without spaces between '//' comments",
+ source: `//%s:ignore:*
+//%s:ignore:a
+//%s:ignore:b
+//%s:ignore:c
+//%s:ignore:d
+resource "aws_s3_bucket" "test" {}
`,
assertLength: 0,
},
{
- name: "IgnoreWithExpDateIfDateBreachedThenDontIgnore",
- inputOptions: `
-resource "bad" "my-rule" {
- secure = false # tfsec:ignore:aws-service-abc123:exp:2000-01-02
-}
-`,
- assertLength: 1,
- },
- {
- name: "IgnoreWithExpDateIfDateNotBreachedThenIgnoreIgnore",
- inputOptions: `
-resource "bad" "my-rule" {
- secure = false # tfsec:ignore:aws-service-abc123:exp:2221-01-02
-}
-`,
+ name: "rule above the finding",
+ source: `resource "aws_s3_bucket" "test" {
+ # %s:ignore:aws-s3-non-empty-bucket
+ bucket = ""
+}`,
assertLength: 0,
},
{
- name: "IgnoreWithExpDateIfDateInvalidThenDropTheIgnore",
- inputOptions: `
-resource "bad" "my-rule" {
- secure = false # tfsec:ignore:aws-service-abc123:exp:2221-13-02
-}
-`,
+ name: "rule with breached expiration date",
+ source: `resource "aws_s3_bucket" "test" {
+ bucket = "" # %s:ignore:aws-s3-non-empty-bucket:exp:2000-01-02
+}`,
assertLength: 1,
},
{
- name: "IgnoreAboveResourceBlockWithExpDateIfDateNotBreachedThenIgnoreIgnore",
- inputOptions: `
-#tfsec:ignore:aws-service-abc123:exp:2221-01-02
-resource "bad" "my-rule" {
-}
-`,
- assertLength: 0,
- },
- {
- name: "IgnoreAboveResourceBlockWithExpDateAndMultipleIgnoresIfDateNotBreachedThenIgnoreIgnore",
- inputOptions: `
-# tfsec:ignore:aws-service-abc123:exp:2221-01-02
-resource "bad" "my-rule" {
-
-}
-`,
- assertLength: 0,
- },
- {
- name: "IgnoreForImpliedIAMResource",
- inputOptions: `
-terraform {
- required_version = "~> 1.1.6"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 3.48"
- }
- }
-}
-
-# Retrieve an IAM group defined outside of this Terraform config.
-
-# tfsec:ignore:aws-iam-enforce-mfa
-data "aws_iam_group" "externally_defined_group" {
- group_name = "group-name" # tfsec:ignore:aws-iam-enforce-mfa
-}
-
-# Create an IAM policy and attach it to the group.
-
-# tfsec:ignore:aws-iam-enforce-mfa
-resource "aws_iam_policy" "test_policy" {
- name = "test-policy" # tfsec:ignore:aws-iam-enforce-mfa
- policy = data.aws_iam_policy_document.test_policy.json # tfsec:ignore:aws-iam-enforce-mfa
-}
-
-# tfsec:ignore:aws-iam-enforce-mfa
-resource "aws_iam_group_policy_attachment" "test_policy_attachment" {
- group = data.aws_iam_group.externally_defined_group.group_name # tfsec:ignore:aws-iam-enforce-mfa
- policy_arn = aws_iam_policy.test_policy.arn # tfsec:ignore:aws-iam-enforce-mfa
-}
-
-# tfsec:ignore:aws-iam-enforce-mfa
-data "aws_iam_policy_document" "test_policy" {
- statement {
- sid = "PublishToCloudWatch" # tfsec:ignore:aws-iam-enforce-mfa
- actions = [
- "cloudwatch:PutMetricData", # tfsec:ignore:aws-iam-enforce-mfa
- ]
- resources = ["*"] # tfsec:ignore:aws-iam-enforce-mfa
- }
-}
-`,
- assertLength: 0,
- },
- {
- name: "TrivyIgnoreAll",
- inputOptions: `
-resource "bad" "my-rule" {
- secure = false // trivy:ignore:*
-}
-`,
- assertLength: 0,
- },
- {
- name: "TrivyIgnoreLineAboveTheBlock",
- inputOptions: `
-// trivy:ignore:*
-resource "bad" "my-rule" {
- secure = false
-}
-`,
- assertLength: 0,
- },
- {
- name: "TrivyIgnoreLineAboveTheBlockMatchingParamBool",
- inputOptions: `
-// trivy:ignore:*[secure=false]
-resource "bad" "my-rule" {
- secure = false
-}
-`,
+ name: "rule with unbreached expiration date",
+ source: `resource "aws_s3_bucket" "test" {
+ bucket = "" # %s:ignore:aws-s3-non-empty-bucket:exp:2221-01-02
+}`,
assertLength: 0,
},
{
- name: "TrivyIgnoreLineAboveTheBlockNotMatchingParamBool",
- inputOptions: `
-// trivy:ignore:*[secure=true]
-resource "bad" "my-rule" {
- secure = false
-}
-`,
+ name: "rule with invalid expiration date",
+ source: `resource "aws_s3_bucket" "test" {
+ bucket = "" # %s:ignore:aws-s3-non-empty-bucket:exp:2221-13-02
+}`,
assertLength: 1,
},
{
- name: "TrivyIgnoreLineAboveTheBlockMatchingParamString",
- inputOptions: `
-// trivy:ignore:*[name=myrule]
-resource "bad" "my-rule" {
- name = "myrule"
- secure = false
-}
-`,
+ name: "rule above block with unbreached expiration date",
+ source: `#%s:ignore:aws-s3-non-empty-bucket:exp:2221-01-02
+resource "aws_s3_bucket" "test" {}`,
assertLength: 0,
},
{
- name: "TrivyIgnoreLineAboveTheBlockNotMatchingParamString",
- inputOptions: `
-// trivy:ignore:*[name=myrule2]
-resource "bad" "my-rule" {
- name = "myrule"
- secure = false
-}
-`,
- assertLength: 1,
- },
- {
- name: "TrivyIgnoreLineAboveTheBlockMatchingParamInt",
- inputOptions: `
-// trivy:ignore:*[port=123]
-resource "bad" "my-rule" {
- secure = false
- port = 123
-}
-`,
+ name: "trivy inline rule ignore all checks",
+ source: `resource "aws_s3_bucket" "test" {
+ bucket = "" // %s:ignore:*
+}`,
assertLength: 0,
},
- {
- name: "TrivyIgnoreLineAboveTheBlockNotMatchingParamInt",
- inputOptions: `
-// trivy:ignore:*[port=456]
-resource "bad" "my-rule" {
- secure = false
- port = 123
-}
-`,
- assertLength: 1,
- },
{
name: "ignore by nested attribute",
- inputOptions: `
-// trivy:ignore:*[secure_settings.enabled=false]
-resource "bad" "my-rule" {
- secure_settings {
+ source: `// %s:ignore:*[versioning.enabled=false]
+resource "aws_s3_bucket" "test" {
+ versioning {
enabled = false
}
-}
-`,
+}`,
assertLength: 0,
},
{
name: "ignore by nested attribute of another type",
- inputOptions: `
-// trivy:ignore:*[secure_settings.enabled=1]
-resource "bad" "my-rule" {
- secure_settings {
+ source: `// %s:ignore:*[versioning.enabled=1]
+resource "aws_s3_bucket" "test" {
+ versioning {
enabled = false
}
-}
-`,
+}`,
assertLength: 1,
},
{
name: "ignore by non-existent nested attribute",
- inputOptions: `
-// trivy:ignore:*[secure_settings.rule=myrule]
-resource "bad" "my-rule" {
- secure_settings {
+ source: `// %s:ignore:*[versioning.target=foo]
+resource "aws_s3_bucket" "test" {
+ versioning {
enabled = false
}
-}
-`,
+}`,
assertLength: 1,
},
{
name: "ignore resource with `for_each` meta-argument",
- inputOptions: `
-// trivy:ignore:*[secure=false]
-resource "bad" "my-rule" {
- for_each = toset(["false", "true", "false"])
- secure = each.key
-}
-`,
- assertLength: 0,
+ source: `// %s:ignore:*[acl=public]
+resource "aws_s3_bucket" "test" {
+ for_each = toset(["private", "public"])
+ acl = each.value
+}`,
+ assertLength: 1,
},
{
name: "ignore by dynamic block value",
- inputOptions: `
-// trivy:ignore:*[secure_settings.enabled=false]
-resource "bad" "my-rule" {
- dynamic "secure_settings" {
- for_each = ["false", "true"]
- content {
- enabled = secure_settings.value
- }
- }
-}
-`,
- assertLength: 0,
- },
- {
- name: "ignore by indexed dynamic block value",
- inputOptions: `
-// trivy:ignore:*[secure_settings.0.enabled=false]
-resource "bad" "my-rule" {
- dynamic "secure_settings" {
- for_each = ["false", "true"]
+ source: `// %s:ignore:*[versioning.enabled=false]
+resource "aws_s3_bucket" "test" {
+ dynamic "versioning" {
+ for_each = [{}]
content {
- enabled = secure_settings.value
+ enabled = false
}
}
-}
-`,
+}`,
assertLength: 0,
},
{
- name: "TrivyIgnoreLineStackedAboveTheBlock",
- inputOptions: `
-// trivy:ignore:*
-// trivy:ignore:a
-// trivy:ignore:b
-// trivy:ignore:c
-// trivy:ignore:d
-resource "bad" "my-rule" {
- secure = false
+ name: "ignore by each.value",
+ source: `locals {
+ acls = toset(["private", "public"])
}
-`,
- assertLength: 0,
- },
- {
- name: "TrivyIgnoreLineStackedAboveTheBlockWithoutMatch",
- inputOptions: `
-#trivy:ignore:*
-#trivy:ignore:x
-#trivy:ignore:a
-#trivy:ignore:b
-#trivy:ignore:c
-#trivy:ignore:d
-resource "bad" "my-rule" {
- secure = false
-}
-`,
- assertLength: 1,
- },
- {
- name: "TrivyIgnoreLineStackedAboveTheBlockWithHashesWithoutSpaces",
- inputOptions: `
-#trivy:ignore:*
-#trivy:ignore:a
-#trivy:ignore:b
-#trivy:ignore:c
-#trivy:ignore:d
-resource "bad" "my-rule" {
- secure = false
-}
-`,
- assertLength: 0,
- },
- {
- name: "TrivyIgnoreLineStackedAboveTheBlockWithoutSpaces",
- inputOptions: `
-//trivy:ignore:*
-//trivy:ignore:a
-//trivy:ignore:b
-//trivy:ignore:c
-//trivy:ignore:d
-resource "bad" "my-rule" {
- secure = false
-}
-`,
- assertLength: 0,
- },
- {
- name: "TrivyIgnoreLineAboveTheLine",
- inputOptions: `
-resource "bad" "my-rule" {
- # trivy:ignore:aws-service-abc123
- secure = false
-}
-`,
- assertLength: 0,
- },
- {
- name: "TrivyIgnoreWithExpDateIfDateBreachedThenDontIgnore",
- inputOptions: `
-resource "bad" "my-rule" {
- secure = false # trivy:ignore:aws-service-abc123:exp:2000-01-02
-}
-`,
- assertLength: 1,
- },
- {
- name: "TrivyIgnoreWithExpDateIfDateNotBreachedThenIgnoreIgnore",
- inputOptions: `
-resource "bad" "my-rule" {
- secure = false # trivy:ignore:aws-service-abc123:exp:2221-01-02
-}
-`,
- assertLength: 0,
- },
- {
- name: "TrivyIgnoreWithExpDateIfDateInvalidThenDropTheIgnore",
- inputOptions: `
-resource "bad" "my-rule" {
- secure = false # trivy:ignore:aws-service-abc123:exp:2221-13-02
-}
-`,
+// %s:ignore:*[each.value=private]
+resource "aws_s3_bucket" "test" {
+ for_each = local.acls
+
+ acl = each.value
+}`,
assertLength: 1,
},
{
- name: "TrivyIgnoreAboveResourceBlockWithExpDateIfDateNotBreachedThenIgnoreIgnore",
- inputOptions: `
-#trivy:ignore:aws-service-abc123:exp:2221-01-02
-resource "bad" "my-rule" {
-}
-`,
- assertLength: 0,
- },
- {
- name: "TrivyIgnoreAboveResourceBlockWithExpDateAndMultipleIgnoresIfDateNotBreachedThenIgnoreIgnore",
- inputOptions: `
-# trivy:ignore:aws-service-abc123:exp:2221-01-02
-resource "bad" "my-rule" {
-
-}
-`,
- assertLength: 0,
- },
- {
- name: "TrivyIgnoreForImpliedIAMResource",
- inputOptions: `
-terraform {
- required_version = "~> 1.1.6"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 3.48"
+ name: "ignore by nested each.value",
+ source: `locals {
+ acls = {
+ private = {
+ permission = "private"
+ }
+ public = {
+ permission = "public"
}
}
}
-# Retrieve an IAM group defined outside of this Terraform config.
-
-# trivy:ignore:aws-iam-enforce-mfa
-data "aws_iam_group" "externally_defined_group" {
- group_name = "group-name" # trivy:ignore:aws-iam-enforce-mfa
-}
-
-# Create an IAM policy and attach it to the group.
-
-# trivy:ignore:aws-iam-enforce-mfa
-resource "aws_iam_policy" "test_policy" {
- name = "test-policy" # trivy:ignore:aws-iam-enforce-mfa
- policy = data.aws_iam_policy_document.test_policy.json # trivy:ignore:aws-iam-enforce-mfa
-}
-
-# trivy:ignore:aws-iam-enforce-mfa
-resource "aws_iam_group_policy_attachment" "test_policy_attachment" {
- group = data.aws_iam_group.externally_defined_group.group_name # trivy:ignore:aws-iam-enforce-mfa
- policy_arn = aws_iam_policy.test_policy.arn # trivy:ignore:aws-iam-enforce-mfa
-}
+// %s:ignore:*[each.value.permission=private]
+resource "aws_s3_bucket" "test" {
+ for_each = local.acls
-# trivy:ignore:aws-iam-enforce-mfa
-data "aws_iam_policy_document" "test_policy" {
- statement {
- sid = "PublishToCloudWatch" # trivy:ignore:aws-iam-enforce-mfa
- actions = [
- "cloudwatch:PutMetricData", # trivy:ignore:aws-iam-enforce-mfa
- ]
- resources = ["*"] # trivy:ignore:aws-iam-enforce-mfa
- }
-}
-`,
- assertLength: 0,
- },
- {
- name: "ignore by each.value",
- inputOptions: `
-// trivy:ignore:*[each.value=false]
-resource "bad" "my-rule" {
- for_each = toset(["false", "true", "false"])
- secure = each.value
-}
-`,
- assertLength: 0,
- },
- {
- name: "ignore by nested each.value",
- inputOptions: `
-locals {
- vms = [
- {
- ip_address = "10.0.0.1"
- name = "vm-1"
- },
- {
- ip_address = "10.0.0.2"
- name = "vm-2"
- }
- ]
-}
-// trivy:ignore:*[each.value.name=vm-2]
-resource "bad" "my-rule" {
- secure = false
- for_each = { for vm in local.vms : vm.name => vm }
- ip_address = each.value.ip_address
-}
-`,
+ acl = each.value.permission
+}`,
assertLength: 1,
},
{
name: "ignore resource with `count` meta-argument",
- inputOptions: `
-// trivy:ignore:*[count.index=1]
-resource "bad" "my-rule" {
+ source: `// %s:ignore:*[count.index=1]
+resource "aws_s3_bucket" "test" {
count = 2
- secure = false
-}
-`,
+}`,
assertLength: 1,
},
{
name: "invalid index when accessing blocks",
- inputOptions: `
-// trivy:ignore:*[ingress.99.port=9090]
-// trivy:ignore:*[ingress.-10.port=9090]
-resource "bad" "my-rule" {
- secure = false
+ source: `// %s:ignore:*[ingress.99.port=9090]
+// %s:ignore:*[ingress.-10.port=9090]
+resource "aws_s3_bucket" "test" {
dynamic "ingress" {
for_each = [8080, 9090]
content {
port = ingress.value
}
}
-}
-`,
+}`,
assertLength: 1,
},
{
name: "ignore by list value",
- inputOptions: `
-#trivy:ignore:*[someattr.1.Environment=dev]
-resource "bad" "my-rule" {
- secure = false
+ source: `#%s:ignore:*[someattr.1.Environment=dev]
+resource "aws_s3_bucket" "test" {
someattr = [
{
Environment = "prod"
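Review bot: The case "trivy inline rule ignore all checks" has the same source and expected count as "inline rule ignore all checks", so it adds no coverage now that the runner further down in this file executes every case once per prefix (`tfsec`, `trivy`). The same holds for "ignore by alias with trivy prefix" next to "ignore by alias" in a later hunk of this file; dropping both keeps one table entry per behaviour. The expected counts also depend on `emptyBucketCheck` and `enforceGroupMfaCheck`, which are defined outside this hunk. A comment above the table would help, for example `// counts assume emptyBucketCheck reports a bucket whose name is empty or unset`, with the wording confirmed against the check itself. Test_IgnoreAll continues past the end of this hunk.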
@@ -700,16 +289,13 @@ resource "bad" "my-rule" {
Environment = "dev"
}
]
-}
-`,
+}`,
assertLength: 0,
},
{
name: "ignore by list value with invalid index",
- inputOptions: `
-#trivy:ignore:*[someattr.-2.Environment=dev]
-resource "bad" "my-rule" {
- secure = false
+ source: `#%s:ignore:*[someattr.-2.Environment=dev]
+resource "aws_s3_bucket" "test" {
someattr = [
{
Environment = "prod"
@@ -718,41 +304,34 @@ resource "bad" "my-rule" {
Environment = "dev"
}
]
-}
-`,
+}`,
assertLength: 1,
},
{
name: "ignore by object value",
- inputOptions: `
-#trivy:ignore:*[tags.Environment=dev]
-resource "bad" "my-rule" {
- secure = false
+ source: `#%s:ignore:*[tags.Environment=dev]
+resource "aws_s3_bucket" "test" {
tags = {
Environment = "dev"
}
-}
-`,
+}`,
assertLength: 0,
},
{
name: "ignore by object value in block",
- inputOptions: `
-#trivy:ignore:*[someblock.tags.Environment=dev]
-resource "bad" "my-rule" {
- secure = false
+ source: `#%s:ignore:*[someblock.tags.Environment=dev]
+resource "aws_s3_bucket" "test" {
someblock {
tags = {
Environment = "dev"
}
}
-}
-`,
+}`,
assertLength: 0,
},
{
name: "ignore by list value in map",
- inputOptions: `
+ source: `
variable "testvar" {
type = map(list(string))
default = {
@@ -761,9 +340,8 @@ variable "testvar" {
}
}
-#trivy:ignore:*[someblock.someattr.server1.1=dev]
-resource "bad" "my-rule" {
- secure = false
+#%s:ignore:*[someblock.someattr.server1.1=dev]
+resource "aws_s3_bucket" "test" {
someblock {
someattr = var.testvar
}
@@ -771,22 +349,158 @@ resource "bad" "my-rule" {
`,
assertLength: 0,
},
- }
+ {
+ name: "ignore by alias",
+ source: `#%s:ignore:my-alias
+resource "aws_s3_bucket" "test" {}`,
+ assertLength: 0,
+ },
+ {
+ name: "ignore by alias with trivy prefix",
+ source: `#%s:ignore:my-alias
+resource "aws_s3_bucket" "test" {}`,
+ assertLength: 0,
+ },
+ {
+ name: "ignore for implied IAM resource",
+ source: `# %s:ignore:aws-iam-enforce-mfa
+resource "aws_iam_group" "this" {
+ name = "group-name"
+}
+
+resource "aws_iam_policy" "this" {
+ name = "test-policy"
+ policy = data.aws_iam_policy_document.this.json
+}
+
+
+resource "aws_iam_group_policy_attachment" "this" {
+ group = aws_iam_group.this.name
+ policy_arn = aws_iam_policy.this.arn
+}
- reg := rules.Register(exampleRule)
- defer rules.Deregister(reg)
+data "aws_iam_policy_document" "this" {
+ statement {
+ sid = "PublishToCloudWatch"
+ actions = [
+ "cloudwatch:PutMetricData",
+ ]
+ resources = ["*"]
+ }
+}`,
+ assertLength: 0,
+ },
+ }
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
- results := scanHCL(t, tc.inputOptions)
- assert.Len(t, results.GetFailed(), tc.assertLength)
+ prefixes := []string{"tfsec", "trivy"}
+ for _, prefix := range prefixes {
+ t.Run(prefix, func(t *testing.T) {
+ results := scanHCL(
+ t, formatWithSingleValue(tc.source, prefix),
+ rego.WithPolicyReader(
+ strings.NewReader(emptyBucketCheck),
+ strings.NewReader(enforceGroupMfaCheck)),
+ rego.WithPolicyNamespaces("user"),
+ )
+ assert.Len(t, results.GetFailed(), tc.assertLength)
+ })
+ }
+ })
+ }
+}
+
+func formatWithSingleValue(format string, value any) string {
+ count := strings.Count(format, "%s")
+
+ args := make([]any, count)
+ for i := range args {
+ args[i] = value
+ }
+
+ return fmt.Sprintf(format, args...)
+}
+
+func Test_IgnoreByDynamicBlockValue(t *testing.T) {
+
+ check := `# METADATA
+# custom:
+# avd_id: USER-TEST-0124
+# short_code: test
+# provider: aws
+# service: ec2
+package user.test124
+
+import rego.v1
+
+deny contains res if {
+ some group in input.aws.ec2.securitygroups
+ some rule in group.ingressrules
+ rule.toport.value < 1024
+ res := result.new(
+ sprintf("Port below 1024 is not allowed, but got %s", [rule.toport.value]),
+ rule.toport,
+ )
+}
+`
+
+ tests := []struct {
+ name string
+ source string
+ expected int
+ }{
+ {
+ name: "by dynamic value",
+ source: `// trivy:ignore:*[ingress.from_port=80]
+resource "aws_security_group" "loadbalancer" {
+ name = "test"
+
+ dynamic "ingress" {
+ for_each = [80, 443]
+ content {
+ from_port = ingress.value
+ to_port = ingress.value
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ }
+}
+`,
+ expected: 0,
+ },
+ {
+ name: "access by index",
+ source: `// trivy:ignore:*[ingress.0.from_port=80]
+resource "aws_security_group" "loadbalancer" {
+ name = "test"
+
+ dynamic "ingress" {
+ for_each = [80, 443]
+ content {
+ from_port = ingress.value
+ to_port = ingress.value
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ }
+}
+`,
+ expected: 0,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ results := scanHCL(t, tt.source,
+ rego.WithPolicyReader(strings.NewReader(check)),
+ rego.WithPolicyNamespaces("user"))
+ require.Len(t, results.GetFailed(), tt.expected)
})
}
}
func Test_IgnoreByWorkspace(t *testing.T) {
- reg := rules.Register(exampleRule)
- defer rules.Deregister(reg)
tests := []struct {
name string
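Review bot: Both cases in Test_IgnoreByDynamicBlockValue expect 0 failed results, so the test also passes if the inline Rego check never fires at all (for instance if the policy fails to load or the input path does not match). For suppression logic that is the risky direction, because an ignore rule that over-matches and a check that is silently absent look identical here. Adding a case whose ignore parameter does not match any expanded `ingress` block, with a non-zero expected count, would pin that the finding exists and that only a matching parameter suppresses it. The count of 2 below assumes one finding per expanded ingress rule and should be confirmed.

```go
// … unchanged: "by dynamic value" and "access by index" cases …
		{
			name: "non-matching dynamic value",
			source: `// trivy:ignore:*[ingress.from_port=8080]
resource "aws_security_group" "loadbalancer" {
  name = "test"

  dynamic "ingress" {
    for_each = [80, 443]
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }
}
`,
			// assumed: one finding per expanded ingress rule (ports 80 and 443); confirm
			expected: 2,
		},
```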
@@ -795,123 +509,79 @@ func Test_IgnoreByWorkspace(t *testing.T) {
}{
{
name: "with expiry and workspace",
- src: `# tfsec:ignore:aws-service-abc123:exp:2221-01-02:ws:testworkspace
-resource "bad" "my-rule" {}`,
+ src: `# tfsec:ignore:aws-s3-non-empty-bucket:exp:2221-01-02:ws:testworkspace
+resource "aws_s3_bucket" "test" {}`,
expectedFailed: 0,
},
{
name: "bad workspace",
- src: `# tfsec:ignore:aws-service-abc123:exp:2221-01-02:ws:otherworkspace
-resource "bad" "my-rule" {}`,
+ src: `# tfsec:ignore:aws-s3-non-empty-bucket:exp:2221-01-02:ws:otherworkspace
+resource "aws_s3_bucket" "test" {}`,
expectedFailed: 1,
},
{
name: "with expiry and workspace, trivy prefix",
- src: `# trivy:ignore:aws-service-abc123:exp:2221-01-02:ws:testworkspace
-resource "bad" "my-rule" {}`,
+ src: `# trivy:ignore:aws-s3-non-empty-bucket:exp:2221-01-02:ws:testworkspace
+resource "aws_s3_bucket" "test" {}`,
expectedFailed: 0,
},
{
name: "bad workspace, trivy prefix",
- src: `# trivy:ignore:aws-service-abc123:exp:2221-01-02:ws:otherworkspace
-resource "bad" "my-rule" {}`,
+ src: `# trivy:ignore:aws-s3-non-empty-bucket:exp:2221-01-02:ws:otherworkspace
+resource "aws_s3_bucket" "test" {}`,
expectedFailed: 1,
},
{
name: "workspace with wildcard",
src: `# tfsec:ignore:*:ws:test*
-resource "bad" "my-rule" {}`,
+resource "aws_s3_bucket" "test" {}`,
expectedFailed: 0,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
- results := scanHCLWithWorkspace(t, tt.src, "testworkspace")
+ results := scanHCL(t, tt.src,
+ rego.WithPolicyReader(strings.NewReader(emptyBucketCheck)),
+ rego.WithPolicyNamespaces("user"),
+ ScannerWithWorkspaceName("testworkspace"),
+ )
assert.Len(t, results.GetFailed(), tt.expectedFailed)
})
}
}
-func Test_IgnoreInline(t *testing.T) {
- reg := rules.Register(exampleRule)
- defer rules.Deregister(reg)
-
- results := scanHCL(t, fmt.Sprintf(`
- resource "bad" "sample" {
- secure = false # tfsec:ignore:%s
- }
- `, exampleRule.LongID()))
- assert.Empty(t, results.GetFailed())
-}
-
-func Test_IgnoreWithAliasCodeStillIgnored(t *testing.T) {
- reg := rules.Register(exampleRule)
- defer rules.Deregister(reg)
-
- results := scanHCLWithWorkspace(t, `
-# tfsec:ignore:aws-other-abc123
-resource "bad" "my-rule" {
-
-}
-`, "testworkspace")
- assert.Empty(t, results.GetFailed())
-}
-
-func Test_TrivyIgnoreWithAliasCodeStillIgnored(t *testing.T) {
- reg := rules.Register(exampleRule)
- defer rules.Deregister(reg)
-
- results := scanHCLWithWorkspace(t, `
-# trivy:ignore:aws-other-abc123
-resource "bad" "my-rule" {
-
-}
-`, "testworkspace")
- assert.Empty(t, results.GetFailed())
-}
-
-func Test_TrivyIgnoreInline(t *testing.T) {
- reg := rules.Register(exampleRule)
- defer rules.Deregister(reg)
-
- results := scanHCL(t, fmt.Sprintf(`
- resource "bad" "sample" {
- secure = false # trivy:ignore:%s
- }
- `, exampleRule.LongID()))
- assert.Empty(t, results.GetFailed())
-}
-
func Test_IgnoreInlineByAVDID(t *testing.T) {
testCases := []struct {
input string
}{
{
- input: `
- resource "bad" "sample" {
- secure = false # tfsec:ignore:%s
- }
+ input: `resource "aws_s3_bucket" "test" {
+ bucket = "" # tfsec:ignore:%s
+}
`,
},
{
- input: `
- resource "bad" "sample" {
- secure = false # trivy:ignore:%s
- }
+ input: `resource "aws_s3_bucket" "test" {
+ bucket = "" # trivy:ignore:%s
+}
`,
},
}
for _, tc := range testCases {
- tc := tc
- for _, id := range []string{exampleRule.AVDID, strings.ToLower(exampleRule.AVDID), exampleRule.ShortCode, exampleRule.LongID()} {
- id := id
- t.Run("", func(t *testing.T) {
- reg := rules.Register(exampleRule)
- defer rules.Deregister(reg)
- results := scanHCL(t, fmt.Sprintf(tc.input, id))
- assert.Empty(t, results.GetFailed())
+ ids := []string{
+ "USER-TEST-0123", strings.ToLower("user-test-0123"),
+ "non-empty-bucket", "aws-s3-non-empty-bucket",
+ }
+
+ for _, id := range ids {
+ t.Run(id, func(t *testing.T) {
+ results := scanHCL(t, fmt.Sprintf(tc.input, id),
+ rego.WithPolicyReader(strings.NewReader(emptyBucketCheck)),
+ rego.WithPolicyNamespaces("user"),
+ )
+ testutil.AssertRuleNotFailed(t, "aws-s3-non-empty-bucket", results, "")
})
}
}
@@ -935,37 +605,17 @@ func TestIgnoreRemoteTerraformResource(t *testing.T) {
}
`,
".terraform/modules/bucket/main.tf": `
-# trivy:ignore:test-0001
+# trivy:ignore:user-test-0123
resource "aws_s3_bucket" "test" {
bucket = ""
}
`,
})
- check := `# METADATA
-# title: Test
-# custom:
-# id: test-0001
-# avdid: test-0001
-
-package user.test0001
-
-deny[res] {
- bucket := input.aws.s3.buckets[_]
- bucket.name.value == ""
- res := result.new("Empty bucket name!", bucket)
-}`
-
- localScanner := New(
- rego.WithEmbeddedPolicies(false),
- rego.WithEmbeddedLibraries(true),
- options.ScannerWithRegoOnly(true),
+ results, err := scanFS(fsys, ".",
+ rego.WithPolicyReader(strings.NewReader(emptyBucketCheck)),
rego.WithPolicyNamespaces("user"),
- rego.WithPolicyReader(strings.NewReader(check)),
- ScannerWithDownloadsAllowed(false),
- ScannerWithSkipCachedModules(true),
)
- results, err := localScanner.ScanFS(context.TODO(), fsys, ".")
require.NoError(t, err)
- assert.Empty(t, results.GetFailed())
+ testutil.AssertRuleNotFailed(t, "aws-s3-non-empty-bucket", results, "")
}
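Review bot: `testutil.AssertRuleNotFailed` at the end of TestIgnoreRemoteTerraformResource also passes when the check produced no result at all, for example if `emptyBucketCheck` (defined outside this hunk) failed to load. The test therefore cannot tell a working `# trivy:ignore:user-test-0123` from a check that never ran. A control case using the same fixture without the ignore comment and `testutil.AssertRuleFound(t, "aws-s3-non-empty-bucket", results, "")` would pin that. The explicit `ScannerWithDownloadsAllowed(false)` is also gone from the call, and scanFS is not visible here, so confirm it still keeps module downloads off in tests.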
diff --git a/pkg/iac/scanners/terraform/json_test.go b/pkg/iac/scanners/terraform/json_test.go
index 835425265f17..aad2d9ac8c32 100644
--- a/pkg/iac/scanners/terraform/json_test.go
+++ b/pkg/iac/scanners/terraform/json_test.go
@@ -1,22 +1,19 @@
package terraform
import (
+ "strings"
"testing"
"github.com/aquasecurity/trivy/internal/testutil"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/rules"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/terraform"
+ "github.com/aquasecurity/trivy/pkg/iac/rego"
)
func TestScanningJSON(t *testing.T) {
var tests = []struct {
- name string
- source string
- shouldFail bool
+ name string
+ source string
+ expected bool
}{
{
name: "check results are picked up in tf json configs",
@@ -29,16 +26,14 @@ func TestScanningJSON(t *testing.T) {
}
},
"resource": {
- "bad": {
- "thing": {
- "type": "ingress",
- "cidr_blocks": ["0.0.0.0/0"],
- "description": "testing"
+ "aws_s3_bucket": {
+ "test": {
+ "bucket": ""
}
}
}
}`,
- shouldFail: true,
+ expected: true,
},
{
name: "check attributes are checked in tf json configs",
@@ -51,52 +46,27 @@ func TestScanningJSON(t *testing.T) {
}
},
"resource": {
- "bad": {
- "or_not": {
- "secure": true
+ "aws_s3_bucket": {
+ "test": {
+ "bucket": "test"
}
}
}
}`,
- shouldFail: false,
+ expected: false,
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
- r1 := scan.Rule{
- Provider: providers.AWSProvider,
- Service: "service",
- ShortCode: "abc123",
- Severity: severity.High,
- CustomChecks: scan.CustomChecks{
- Terraform: &scan.TerraformCustomCheck{
- RequiredLabels: []string{"bad"},
- Check: func(resourceBlock *terraform.Block, _ *terraform.Module) (results scan.Results) {
- if resourceBlock.GetAttribute("secure").IsTrue() {
- return
- }
- results.Add("something", resourceBlock)
- return
- },
- },
- },
- }
- reg := rules.Register(r1)
- defer rules.Deregister(reg)
-
- results := scanJSON(t, test.source)
- var include, exclude string
- if test.shouldFail {
- include = r1.LongID()
+ results := scanJSON(t, test.source,
+ rego.WithPolicyReader(strings.NewReader(emptyBucketCheck)),
+ rego.WithPolicyNamespaces("user"),
+ )
+ if test.expected {
+ testutil.AssertRuleFound(t, "aws-s3-non-empty-bucket", results, "false negative found")
} else {
- exclude = r1.LongID()
- }
- if include != "" {
- testutil.AssertRuleFound(t, include, results, "false negative found")
- }
- if exclude != "" {
- testutil.AssertRuleNotFound(t, exclude, results, "false positive found")
+ testutil.AssertRuleNotFound(t, "aws-s3-non-empty-bucket", results, "false positive found")
}
})
}
diff --git a/pkg/iac/scanners/terraform/module_test.go b/pkg/iac/scanners/terraform/module_test.go
index ec4291fd59e4..a70ec36582e1 100644
--- a/pkg/iac/scanners/terraform/module_test.go
+++ b/pkg/iac/scanners/terraform/module_test.go
@@ -1,52 +1,26 @@
package terraform
import (
- "context"
+ "strings"
"testing"
"github.com/stretchr/testify/require"
- "github.com/aquasecurity/trivy-checks/checks/cloud/aws/iam"
"github.com/aquasecurity/trivy/internal/testutil"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/rules"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/executor"
- "github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/terraform"
+ "github.com/aquasecurity/trivy/pkg/iac/rego"
)
-var badRule = scan.Rule{
- Provider: providers.AWSProvider,
- Service: "service",
- ShortCode: "abc",
- Summary: "A stupid example check for a test.",
- Impact: "You will look stupid",
- Resolution: "Don't do stupid stuff",
- Explanation: "Bad should not be set.",
- Severity: severity.High,
- CustomChecks: scan.CustomChecks{
- Terraform: &scan.TerraformCustomCheck{
- RequiredTypes: []string{"resource"},
- RequiredLabels: []string{"problem"},
- Check: func(resourceBlock *terraform.Block, _ *terraform.Module) (results scan.Results) {
- if attr := resourceBlock.GetAttribute("bad"); attr.IsTrue() {
- results.Add("bad", attr)
- }
- return
- },
- },
- },
-}
-
-// IMPORTANT: if this test is failing, you probably need to set the version of go-cty in go.mod to the same version that hcl uses.
-func Test_GoCtyCompatibilityIssue(t *testing.T) {
- registered := rules.Register(badRule)
- defer rules.Deregister(registered)
-
- fs := testutil.CreateFS(t, map[string]string{
- "/project/main.tf": `
+func Test_Modules(t *testing.T) {
+ tests := []struct {
+ name string
+ files map[string]string
+ expected bool
+ }{
+ {
+ // IMPORTANT: if this test is failing, you probably need to set the version of go-cty in go.mod to the same version that hcl uses.
+ name: "go-cty compatibility issue",
+ files: map[string]string{
+ "/project/main.tf": `
data "aws_vpc" "default" {
default = true
}
@@ -54,10 +28,8 @@ data "aws_vpc" "default" {
module "test" {
source = "../modules/problem/"
cidr_block = data.aws_vpc.default.cidr_block
-}
-`,
- "/modules/problem/main.tf": `
-variable "cidr_block" {}
+}`,
+ "/modules/problem/main.tf": `variable "cidr_block" {}
variable "open" {
default = false
@@ -76,589 +48,333 @@ resource "aws_security_group" "this" {
}
}
-resource "problem" "uhoh" {
- bad = true
-}
-`,
- })
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, err := executor.New().Execute(modules)
- require.NoError(t, err)
-
- testutil.AssertRuleFound(t, badRule.LongID(), results, "")
-}
-
-func Test_ProblemInModuleInSiblingDir(t *testing.T) {
-
- registered := rules.Register(badRule)
- defer rules.Deregister(registered)
-
- fs := testutil.CreateFS(t, map[string]string{
- "/project/main.tf": `
+resource "aws_s3_bucket" "test" {}`,
+ },
+ expected: true,
+ },
+ {
+ name: "misconfig in sibling directory module",
+ files: map[string]string{
+ "/project/main.tf": `
module "something" {
source = "../modules/problem"
}
`,
- "modules/problem/main.tf": `
-resource "problem" "uhoh" {
- bad = true
-}
-`},
- )
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, err := executor.New().Execute(modules)
- require.NoError(t, err)
-
- testutil.AssertRuleFound(t, badRule.LongID(), results, "")
-
-}
-
-func Test_ProblemInModuleIgnored(t *testing.T) {
-
- registered := rules.Register(badRule)
- defer rules.Deregister(registered)
-
- fs := testutil.CreateFS(t, map[string]string{
- "/project/main.tf": `
-#tfsec:ignore:aws-service-abc
+ "modules/problem/main.tf": `
+resource "aws_s3_bucket" "test" {}`,
+ },
+ expected: true,
+ },
+ {
+ name: "ignore misconfig in module",
+ files: map[string]string{
+ "/project/main.tf": `
+#tfsec:ignore:aws-s3-non-empty-bucket
module "something" {
source = "../modules/problem"
}
`,
- "modules/problem/main.tf": `
-resource "problem" "uhoh" {
- bad = true
-}
-`},
- )
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, err := executor.New().Execute(modules)
- require.NoError(t, err)
-
- testutil.AssertRuleNotFound(t, badRule.LongID(), results, "")
-
-}
-
-func Test_ProblemInModuleInSubdirectory(t *testing.T) {
-
- registered := rules.Register(badRule)
- defer rules.Deregister(registered)
-
- fs := testutil.CreateFS(t, map[string]string{
- "project/main.tf": `
+ "modules/problem/main.tf": `
+resource "aws_s3_bucket" "test" {}
+`,
+ },
+ expected: false,
+ },
+ {
+ name: "misconfig in subdirectory module",
+ files: map[string]string{
+ "project/main.tf": `
module "something" {
source = "./modules/problem"
}
`,
- "project/modules/problem/main.tf": `
-resource "problem" "uhoh" {
- bad = true
-}
-`})
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, err := executor.New().Execute(modules)
- require.NoError(t, err)
-
- testutil.AssertRuleFound(t, badRule.LongID(), results, "")
-
-}
-
-func Test_ProblemInModuleInParentDir(t *testing.T) {
-
- registered := rules.Register(badRule)
- defer rules.Deregister(registered)
-
- fs := testutil.CreateFS(t, map[string]string{
- "project/main.tf": `
+ "project/modules/problem/main.tf": `
+resource "aws_s3_bucket" "test" {}
+`,
+ },
+ expected: true,
+ },
+ {
+ name: "misconfig in parent directory module",
+ files: map[string]string{
+ "project/main.tf": `
module "something" {
source = "../problem"
}
`,
- "problem/main.tf": `
-resource "problem" "uhoh" {
- bad = true
-}
-`})
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, err := executor.New().Execute(modules)
- require.NoError(t, err)
-
- testutil.AssertRuleFound(t, badRule.LongID(), results, "")
-
-}
-
-func Test_ProblemInModuleReuse(t *testing.T) {
-
- registered := rules.Register(badRule)
- defer rules.Deregister(registered)
-
- fs := testutil.CreateFS(t, map[string]string{
- "project/main.tf": `
+ "problem/main.tf": `
+resource "aws_s3_bucket" "test" {}
+`},
+ expected: true,
+ },
+ {
+ name: "misconfig in reused module",
+ files: map[string]string{
+ "project/main.tf": `
module "something_good" {
source = "../modules/problem"
- bad = false
+ bucket = "test"
}
module "something_bad" {
source = "../modules/problem"
- bad = true
+ bucket = ""
}
`,
- "modules/problem/main.tf": `
-variable "bad" {
- default = false
-}
-resource "problem" "uhoh" {
- bad = var.bad
-}
-`})
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, err := executor.New().Execute(modules)
- require.NoError(t, err)
-
- testutil.AssertRuleFound(t, badRule.LongID(), results, "")
+ "modules/problem/main.tf": `
+variable "bucket" {}
+resource "aws_s3_bucket" "test" {
+ bucket = var.bucket
}
-
-func Test_ProblemInNestedModule(t *testing.T) {
-
- registered := rules.Register(badRule)
- defer rules.Deregister(registered)
-
- fs := testutil.CreateFS(t, map[string]string{
- "project/main.tf": `
+`},
+ expected: true,
+ },
+ {
+ name: "misconfig in nested module",
+ files: map[string]string{
+ "project/main.tf": `
module "something" {
source = "../modules/a"
}
`,
- "modules/a/main.tf": `
+ "modules/a/main.tf": `
module "something" {
source = "../../modules/b"
}
`,
- "modules/b/main.tf": `
+ "modules/b/main.tf": `
module "something" {
source = "../c"
}
`,
- "modules/c/main.tf": `
-resource "problem" "uhoh" {
- bad = true
-}
-`,
- })
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, err := executor.New().Execute(modules)
- require.NoError(t, err)
-
- testutil.AssertRuleFound(t, badRule.LongID(), results, "")
-
-}
-
-func Test_ProblemInReusedNestedModule(t *testing.T) {
-
- registered := rules.Register(badRule)
- defer rules.Deregister(registered)
-
- fs := testutil.CreateFS(t, map[string]string{
- "project/main.tf": `
+ "modules/c/main.tf": `resource "aws_s3_bucket" "test" {}`,
+ },
+ expected: true,
+ },
+ {
+ name: "misconfig in reused nested module",
+ files: map[string]string{
+ "project/main.tf": `
module "something" {
source = "../modules/a"
- bad = false
+ bucket = "test"
}
module "something-bad" {
source = "../modules/a"
- bad = true
+ bucket = ""
}
`,
- "modules/a/main.tf": `
-variable "bad" {
- default = false
-}
+ "modules/a/main.tf": `
+variable "bucket" {}
+
module "something" {
source = "../../modules/b"
- bad = var.bad
+ bucket = var.bucket
}
`,
- "modules/b/main.tf": `
-variable "bad" {
- default = false
-}
+ "modules/b/main.tf": `
+variable "bucket" {}
+
module "something" {
source = "../c"
- bad = var.bad
-}
-`,
- "modules/c/main.tf": `
-variable "bad" {
- default = false
-}
-resource "problem" "uhoh" {
- bad = var.bad
+ bucket = var.bad
}
`,
- })
+ "modules/c/main.tf": `
+variable "bucket" {}
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, err := executor.New().Execute(modules)
- require.NoError(t, err)
-
- testutil.AssertRuleFound(t, badRule.LongID(), results, "")
+resource "aws_s3_bucket" "test" {
+ bucket = var.bucket
}
-
-func Test_ProblemInInitialisedModule(t *testing.T) {
-
- registered := rules.Register(badRule)
- defer rules.Deregister(registered)
-
- fs := testutil.CreateFS(t, map[string]string{
- "project/main.tf": `
+`,
+ },
+ expected: true,
+ },
+ {
+ name: "misconfig in terraform cached module",
+ files: map[string]string{
+ "project/main.tf": `
module "something" {
source = "../modules/somewhere"
- bad = false
+ bucket = "test"
}
`,
- "modules/somewhere/main.tf": `
+ "modules/somewhere/main.tf": `
module "something_nested" {
count = 1
source = "github.com/some/module.git"
- bad = true
+ bucket = ""
}
-variable "bad" {
- default = false
-}
+variable "bucket" {
+ default = ""
+}`,
+ "project/.terraform/modules/something.something_nested/main.tf": `
+variable "bucket" {}
-`,
- "project/.terraform/modules/something.something_nested/main.tf": `
-variable "bad" {
- default = false
-}
-resource "problem" "uhoh" {
- bad = var.bad
+resource "aws_s3_bucket" "test" {
+ bucket = var.bucket
}
`,
- "project/.terraform/modules/modules.json": `
+ "project/.terraform/modules/modules.json": `
{"Modules":[
{"Key":"something","Source":"../modules/somewhere","Version":"2.35.0","Dir":"../modules/somewhere"},
{"Key":"something.something_nested","Source":"git::https://github.com/some/module.git","Version":"2.35.0","Dir":".terraform/modules/something.something_nested"}
]}
`,
- })
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, err := executor.New().Execute(modules)
- require.NoError(t, err)
-
- testutil.AssertRuleFound(t, badRule.LongID(), results, "")
-}
-
-func Test_ProblemInReusedInitialisedModule(t *testing.T) {
-
- registered := rules.Register(badRule)
- defer rules.Deregister(registered)
-
- fs := testutil.CreateFS(t, map[string]string{
- "project/main.tf": `
+ },
+ expected: true,
+ },
+ {
+ name: "misconfig in reused terraform cached module",
+ files: map[string]string{
+ "project/main.tf": `
module "something" {
source = "/nowhere"
- bad = false
+ bucket = ""
}
+
module "something2" {
source = "/nowhere"
- bad = true
+ bucket = ""
}
`,
- "project/.terraform/modules/a/main.tf": `
-variable "bad" {
- default = false
-}
-resource "problem" "uhoh" {
- bad = var.bad
+ "project/.terraform/modules/a/main.tf": `
+variable "bucket" {}
+
+resource "aws_s3_bucket" "test" {
+ bucket = var.bucket
}
`,
- "project/.terraform/modules/modules.json": `
+ "project/.terraform/modules/modules.json": `
{"Modules":[{"Key":"something","Source":"/nowhere","Version":"2.35.0","Dir":".terraform/modules/a"},{"Key":"something2","Source":"/nowhere","Version":"2.35.0","Dir":".terraform/modules/a"}]}
`,
- })
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, err := executor.New().Execute(modules)
- require.NoError(t, err)
-
- testutil.AssertRuleFound(t, badRule.LongID(), results, "")
-
-}
-
-func Test_ProblemInDuplicateModuleNameAndPath(t *testing.T) {
- registered := rules.Register(badRule)
- defer rules.Deregister(registered)
-
- fs := testutil.CreateFS(t, map[string]string{
- "project/main.tf": `
+ },
+ expected: true,
+ },
+ {
+ name: "misconfig in nested modules with duplicate module names and paths",
+ files: map[string]string{
+ "project/main.tf": `
module "something" {
source = "../modules/a"
- bad = 0
+ s3_bucket_count = 0
}
module "something-bad" {
source = "../modules/a"
- bad = 1
+ s3_bucket_count = 1
}
`,
- "modules/a/main.tf": `
-variable "bad" {
+ "modules/a/main.tf": `
+variable "s3_bucket_count" {
default = 0
}
module "something" {
source = "../b"
- bad = var.bad
+ s3_bucket_count = var.s3_bucket_count
}
`,
- "modules/b/main.tf": `
-variable "bad" {
+ "modules/b/main.tf": `
+variable "s3_bucket_count" {
default = 0
}
module "something" {
source = "../c"
- bad = var.bad
+ s3_bucket_count = var.s3_bucket_count
}
`,
- "modules/c/main.tf": `
-variable "bad" {
+ "modules/c/main.tf": `
+variable "s3_bucket_count" {
default = 0
}
-resource "problem" "uhoh" {
- count = var.bad
- bad = true
-}
-`,
- })
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, err := executor.New().Execute(modules)
- require.NoError(t, err)
-
- testutil.AssertRuleFound(t, badRule.LongID(), results, "")
+resource "aws_s3_bucket" "test" {
+ count = var.s3_bucket_count
}
-
-func Test_Dynamic_Variables(t *testing.T) {
- fs := testutil.CreateFS(t, map[string]string{
- "project/main.tf": `
+`,
+ },
+ expected: true,
+ },
+ {
+ name: "misconfigured attribute referencing to dynamic variable",
+ files: map[string]string{
+ "project/main.tf": `
resource "something" "this" {
-
dynamic "blah" {
for_each = ["a"]
-
content {
- ok = true
+ bucket = ""
}
}
}
-
-resource "bad" "thing" {
- secure = something.this.blah[0].ok
-}
-`})
-
- r1 := scan.Rule{
- Provider: providers.AWSProvider,
- Service: "service",
- ShortCode: "abc123",
- Severity: severity.High,
- CustomChecks: scan.CustomChecks{
- Terraform: &scan.TerraformCustomCheck{
- RequiredLabels: []string{"bad"},
- Check: func(resourceBlock *terraform.Block, _ *terraform.Module) (results scan.Results) {
- if resourceBlock.GetAttribute("secure").IsTrue() {
- return
- }
- results.Add("example problem", resourceBlock)
- return
- },
- },
- },
- }
- reg := rules.Register(r1)
- defer rules.Deregister(reg)
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, err := executor.New().Execute(modules)
- require.NoError(t, err)
- testutil.AssertRuleFound(t, r1.LongID(), results, "")
+resource "aws_s3_bucket" "test" {
+ secure = something.this.blah[0].bucket
}
-
-func Test_Dynamic_Variables_FalsePositive(t *testing.T) {
- fs := testutil.CreateFS(t, map[string]string{
- "project/main.tf": `
+`},
+ expected: true,
+ },
+ {
+ name: "attribute referencing to dynamic variable without index",
+ files: map[string]string{
+ "project/main.tf": `
resource "something" "else" {
- x = 1
dynamic "blah" {
- for_each = toset(["true"])
-
+ for_each = toset(["test"])
content {
- ok = blah.value
+ bucket = blah.value
}
}
}
-
-resource "bad" "thing" {
- secure = something.else.blah.ok
-}
-`})
- r1 := scan.Rule{
- Provider: providers.AWSProvider,
- Service: "service",
- ShortCode: "abc123",
- Severity: severity.High,
- CustomChecks: scan.CustomChecks{
- Terraform: &scan.TerraformCustomCheck{
- RequiredLabels: []string{"bad"},
- Check: func(resourceBlock *terraform.Block, _ *terraform.Module) (results scan.Results) {
- if resourceBlock.GetAttribute("secure").IsTrue() {
- return
- }
- results.Add("example problem", resourceBlock)
- return
- },
- },
+resource "aws_s3_bucket" "test" {
+ bucket = something.else.blah.bucket
+}`},
+ expected: false,
},
- }
- reg := rules.Register(r1)
- defer rules.Deregister(reg)
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, err := executor.New().Execute(modules)
- require.NoError(t, err)
-
- testutil.AssertRuleNotFound(t, r1.LongID(), results, "")
-}
-
-func Test_ReferencesPassedToNestedModule(t *testing.T) {
+ {
+ name: "references passed to nested module",
+ files: map[string]string{
+ "project/main.tf": `
- fs := testutil.CreateFS(t, map[string]string{
- "project/main.tf": `
-
-resource "aws_iam_group" "developers" {
- name = "developers"
+resource "some_resource" "this" {
+ name = "test"
}
module "something" {
source = "../modules/a"
- group = aws_iam_group.developers.name
+ bucket = some_resource.this.name
}
`,
- "modules/a/main.tf": `
-variable "group" {
+ "modules/a/main.tf": `
+variable "bucket" {
type = string
}
-resource "aws_iam_group_policy" "mfa" {
- group = var.group
- policy = data.aws_iam_policy_document.policy.json
+resource "aws_s3_bucket" "test" {
+ bucket = var.bucket
}
+`},
+ expected: false,
+ },
+ }
-data "aws_iam_policy_document" "policy" {
- statement {
- sid = "main"
- effect = "Allow"
-
- actions = ["s3:*"]
- resources = ["*"]
- condition {
- test = "Bool"
- variable = "aws:MultiFactorAuthPresent"
- values = ["true"]
- }
- }
-}
-`})
-
- p := parser.New(fs, "", parser.OptionStopOnHCLError(true))
- err := p.ParseFS(context.TODO(), "project")
- require.NoError(t, err)
- modules, _, err := p.EvaluateAll(context.TODO())
- require.NoError(t, err)
-
- results, err := executor.New().Execute(modules)
- require.NoError(t, err)
-
- testutil.AssertRuleNotFound(t, iam.CheckEnforceGroupMFA.LongID(), results, "")
-
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ fsys := testutil.CreateFS(t, tt.files)
+ results, err := scanFS(fsys, "project",
+ rego.WithPolicyReader(strings.NewReader(emptyBucketCheck)),
+ rego.WithPolicyNamespaces("user"),
+ )
+ require.NoError(t, err)
+ if tt.expected {
+ testutil.AssertRuleFound(t, "aws-s3-non-empty-bucket", results, "")
+ } else {
+ testutil.AssertRuleNotFailed(t, "aws-s3-non-empty-bucket", results, "")
+ }
+ })
+ }
}
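Review bot: Two fixtures in Test_Modules reference names that do not exist, so their cases can pass without exercising what the case name says. In "misconfig in reused nested module", `modules/b/main.tf` still passes `bucket = var.bad` although the variable was renamed to `bucket`; it should read `bucket = var.bucket`. In "misconfigured attribute referencing to dynamic variable", the S3 resource sets `secure = something.this.blah[0].bucket`, which leaves `bucket` unset, so the finding presumably comes from the missing attribute rather than from the dynamic reference; `bucket = something.this.blah[0].bucket` would test the reference. The removed tests built the parser with `parser.OptionStopOnHCLError(true)`, and whether scanFS does the same is not visible in this hunk.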
diff --git a/pkg/iac/scanners/terraform/options.go b/pkg/iac/scanners/terraform/options.go
index 5a665a05638f..7547a19a8382 100644
--- a/pkg/iac/scanners/terraform/options.go
+++ b/pkg/iac/scanners/terraform/options.go
@@ -100,3 +100,11 @@ func ScannerWithSkipDirs(dirs []string) options.ScannerOption {
}
}
}
+
+func ScannerWithStopOnHCLError(stop bool) options.ScannerOption {
+ return func(s options.ConfigurableScanner) {
+ if tf, ok := s.(ConfigurableTerraformScanner); ok {
+ tf.AddParserOptions(parser.OptionStopOnHCLError(stop))
+ }
+ }
+}
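Review bot: The exported `ScannerWithStopOnHCLError` has no doc comment, and the option silently does nothing when the scanner is not a `ConfigurableTerraformScanner`. I would add `// ScannerWithStopOnHCLError controls whether parsing aborts on the first HCL error (true) or logs it and skips the file (false).` above it. The skip behaviour matters to callers because a file that fails to parse is presumably not evaluated, so a caller that needs complete coverage should pass true.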
diff --git a/pkg/iac/scanners/terraform/parser/evaluator.go b/pkg/iac/scanners/terraform/parser/evaluator.go
index 8e2e737b5d9b..93926645758d 100644
--- a/pkg/iac/scanners/terraform/parser/evaluator.go
+++ b/pkg/iac/scanners/terraform/parser/evaluator.go
@@ -266,7 +266,7 @@ func (e *evaluator) expandBlocks(blocks terraform.Blocks) terraform.Blocks {
func (e *evaluator) expandDynamicBlocks(blocks ...*terraform.Block) terraform.Blocks {
for _, b := range blocks {
if err := b.ExpandBlock(); err != nil {
- e.logger.Error(`Failed to expand dynamic block.`,
+ e.logger.Debug(`Failed to expand dynamic block.`,
log.String("block", b.FullName()), log.Err(err))
}
}
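Review bot: Moving this message to Debug means a default-level run gives no sign that a dynamic block could not be expanded, and the same applies to the three `for-each` messages changed in expandBlockForEaches in the following hunks. These are the points where the evaluator gives up on part of the configuration, so results for those blocks may be incomplete; what happens to the block after the log call is outside the hunk. If Error is too noisy, `e.logger.Warn(...)` or a single summary line per scan would keep the coverage gap visible.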
@@ -297,7 +297,7 @@ func (e *evaluator) expandBlockForEaches(blocks terraform.Blocks) terraform.Bloc
forEachVal := forEachAttr.Value()
if forEachVal.IsNull() || !forEachVal.IsKnown() || !forEachAttr.IsIterable() {
- e.logger.Error(`Failed to expand block. Invalid "for-each" argument. Must be known and iterable.`,
+ e.logger.Debug(`Failed to expand block. Invalid "for-each" argument. Must be known and iterable.`,
log.String("block", block.FullName()),
log.String("value", forEachVal.GoString()),
)
@@ -314,7 +314,7 @@ func (e *evaluator) expandBlockForEaches(blocks terraform.Blocks) terraform.Bloc
// instances are identified by a map key (or set member) from the value provided to for_each
idx, err := convert.Convert(key, cty.String)
if err != nil {
- e.logger.Error(
+ e.logger.Debug(
`Failed to expand block. Invalid "for-each" argument: map key (or set value) is not a string`,
log.String("block", block.FullName()),
log.String("key", key.GoString()),
@@ -331,7 +331,7 @@ func (e *evaluator) expandBlockForEaches(blocks terraform.Blocks) terraform.Bloc
!forEachVal.Type().IsMapType() {
stringVal, err := convert.Convert(val, cty.String)
if err != nil {
- e.logger.Error(
+ e.logger.Debug(
"Failed to expand block. Invalid 'for-each' argument: value is not a string",
log.String("block", block.FullName()),
log.String("key", idx.AsString()),
@@ -471,7 +471,7 @@ func (e *evaluator) evaluateVariable(b *terraform.Block) (cty.Value, error) {
var val cty.Value
- if override, exists := e.inputVars[b.Label()]; exists {
+ if override, exists := e.inputVars[b.Label()]; exists && override.Type() != cty.NilType {
val = override
} else if def, exists := attributes["default"]; exists {
val = def.NullableValue()
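Review bot: The new `override.Type() != cty.NilType` condition needs a comment, since nothing here says when an input variable can be a zero `cty.Value`. Something like `// a cty.NilVal input means no value was supplied; fall through to the default` above the `if` would do. The null values written by setNullMissingVariableValues in parser.go have type `cty.DynamicPseudoType`, so they pass this guard and still take precedence over `default`; that looks intended for variables without a default but is worth confirming. evaluateVariable continues outside the hunk.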
diff --git a/pkg/iac/scanners/terraform/parser/load_module.go b/pkg/iac/scanners/terraform/parser/load_module.go
index 78ebe3430b4e..968f73df0673 100644
--- a/pkg/iac/scanners/terraform/parser/load_module.go
+++ b/pkg/iac/scanners/terraform/parser/load_module.go
@@ -90,9 +90,9 @@ func (e *evaluator) loadModuleFromTerraformCache(ctx context.Context, b *terrafo
var modulePath string
if e.moduleMetadata != nil {
// if we have module metadata we can parse all the modules as they'll be cached locally!
- name := b.ModuleName()
+ moduleKey := b.ModuleKey()
for _, module := range e.moduleMetadata.Modules {
- if module.Key == name {
+ if module.Key == moduleKey {
modulePath = path.Clean(path.Join(e.projectRootPath, module.Dir))
break
}
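Review bot: The switch from `b.ModuleName()` to `b.ModuleKey()` deserves a one-line comment, because the reason is only visible in the test fixtures: `modules.json` keys are the dotted path of module calls, such as `something.something_nested`. I would add `// modules.json keys hold the full call path, not the leaf module name` above `moduleKey := b.ModuleKey()`. When no entry matches, `modulePath` stays empty; how that is handled is outside the hunk, as is the rest of loadModuleFromTerraformCache.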
diff --git a/pkg/iac/scanners/terraform/parser/parser.go b/pkg/iac/scanners/terraform/parser/parser.go
index 695cbee4fb25..48ed799155ea 100644
--- a/pkg/iac/scanners/terraform/parser/parser.go
+++ b/pkg/iac/scanners/terraform/parser/parser.go
@@ -1,8 +1,10 @@
package parser
import (
+ "bufio"
"context"
"errors"
+ "fmt"
"io"
"io/fs"
"os"
@@ -166,18 +168,69 @@ func (p *Parser) ParseFS(ctx context.Context, dir string) error {
}
sort.Strings(paths)
for _, path := range paths {
- if err := p.ParseFile(ctx, path); err != nil {
- if p.stopOnHCLError {
+ var err error
+ if err = p.ParseFile(ctx, path); err == nil {
+ continue
+ }
+
+ if p.stopOnHCLError {
+ return err
+ }
+ var diags hcl.Diagnostics
+ if errors.As(err, &diags) {
+ errc := p.showParseErrors(p.moduleFS, path, diags)
+ if errc == nil {
+ continue
+ }
+ p.logger.Error("Failed to get the causes of the parsing error", log.Err(errc))
+ }
+ p.logger.Error("Error parsing file", log.FilePath(path), log.Err(err))
+ continue
+ }
+
+ return nil
+}
+
+func (p *Parser) showParseErrors(fsys fs.FS, filePath string, diags hcl.Diagnostics) error {
+ file, err := fsys.Open(filePath)
+ if err != nil {
+ return fmt.Errorf("failed to read file: %w", err)
+ }
+ defer file.Close()
+
+ for _, diag := range diags {
+ if subj := diag.Subject; subj != nil {
+ lines, err := readLinesFromFile(file, subj.Start.Line, subj.End.Line)
+ if err != nil {
return err
}
- p.logger.Error("Error parsing file", log.FilePath(path), log.Err(err))
- continue
+
+ cause := strings.Join(lines, "\n")
+ p.logger.Error("Error parsing file", log.FilePath(filePath),
+ log.String("cause", cause), log.Err(diag))
}
}
return nil
}
+func readLinesFromFile(f io.Reader, from, to int) ([]string, error) {
+ scanner := bufio.NewScanner(f)
+ rawLines := make([]string, 0, to-from+1)
+
+ for lineNum := 0; scanner.Scan() && lineNum < to; lineNum++ {
+ if lineNum >= from-1 {
+ rawLines = append(rawLines, scanner.Text())
+ }
+ }
+
+ if err := scanner.Err(); err != nil {
+ return nil, fmt.Errorf("failed to scan file: %w", err)
+ }
+
+ return rawLines, nil
+}
+
var ErrNoFiles = errors.New("no files found")
func (p *Parser) Load(ctx context.Context) (*evaluator, error) {
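Review bot: showParseErrors opens the file once and hands the same reader to readLinesFromFile for every diagnostic, so from the second diagnostic on the scanner starts wherever the previous one stopped and counts lines from zero again, which yields wrong or empty `cause` text. Diagnostics with a nil `Subject` are skipped, and because ParseFS continues when showParseErrors returns nil, a failure with no subject range is never logged. Reading the file once and giving each diagnostic a fresh reader fixes both, as sketched below. The `cause` attribute also copies raw lines of the scanned file into Error-level logs, which is worth a second look for configurations that embed credentials. ParseFS begins outside the hunk.

```go
func (p *Parser) showParseErrors(fsys fs.FS, filePath string, diags hcl.Diagnostics) error {
	data, err := fs.ReadFile(fsys, filePath)
	if err != nil {
		return fmt.Errorf("failed to read file: %w", err)
	}
	content := string(data)

	for _, diag := range diags {
		subj := diag.Subject
		if subj == nil {
			// No source range: still report the diagnostic itself.
			p.logger.Error("Error parsing file", log.FilePath(filePath), log.Err(diag))
			continue
		}
		// Fresh reader per diagnostic so line numbers count from the top of the file.
		lines, err := readLinesFromFile(strings.NewReader(content), subj.Start.Line, subj.End.Line)
		if err != nil {
			return err
		}
		// … unchanged: join lines into cause and log it …
	}
	return nil
}
```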
@@ -217,6 +270,7 @@ func (p *Parser) Load(ctx context.Context) (*evaluator, error) {
"Variable values was not found in the environment or variable files. Evaluating may not work correctly.",
log.String("variables", strings.Join(missingVars, ", ")),
)
+ setNullMissingVariableValues(inputVars, missingVars)
}
}
@@ -268,6 +322,14 @@ func missingVariableValues(blocks terraform.Blocks, inputVars map[string]cty.Val
return missing
}
+// Set null values for missing variables, to allow expressions using them to be
+// still be possibly evaluated to a value different than null.
+func setNullMissingVariableValues(inputVars map[string]cty.Value, missingVars []string) {
+ for _, missingVar := range missingVars {
+ inputVars[missingVar] = cty.NullVal(cty.DynamicPseudoType)
+ }
+}
+
func (p *Parser) EvaluateAll(ctx context.Context) (terraform.Modules, cty.Value, error) {
e, err := p.Load(ctx)
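Review bot: The doc comment on `setNullMissingVariableValues` reads "to be still be possibly evaluated" and does not start with the function name. Suggested wording: `// setNullMissingVariableValues assigns a null value of unknown type to each missing variable so expressions that reference it can still be evaluated.` The function writes into `inputVars` in place, so it would panic on a nil map; where Load builds that map is outside this hunk.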
diff --git a/pkg/iac/scanners/terraform/parser/parser_test.go b/pkg/iac/scanners/terraform/parser/parser_test.go
index 540338afb57f..e88dd017d2fa 100644
--- a/pkg/iac/scanners/terraform/parser/parser_test.go
+++ b/pkg/iac/scanners/terraform/parser/parser_test.go
@@ -3,6 +3,7 @@ package parser
import (
"bytes"
"context"
+ "io/fs"
"log/slog"
"os"
"path/filepath"
@@ -1801,6 +1802,36 @@ resource "test" "fileset-func" {
assert.Equal(t, []string{"a.py", "path/b.py"}, attr.GetRawValue())
}
+func TestExprWithMissingVar(t *testing.T) {
+ files := map[string]string{
+ "main.tf": `
+variable "v" {
+ type = string
+}
+
+resource "test" "values" {
+ s = "foo-${var.v}"
+ l1 = ["foo", var.v]
+ l2 = concat(["foo"], [var.v])
+ d1 = {foo = var.v}
+ d2 = merge({"foo": "bar"}, {"baz": var.v})
+}
+`,
+ }
+
+ resources := parse(t, files).GetResourcesByType("test")
+ require.Len(t, resources, 1)
+
+ s_attr := resources[0].GetAttribute("s")
+ require.NotNil(t, s_attr)
+ assert.Equal(t, "foo-", s_attr.GetRawValue())
+
+ for _, name := range []string{"l1", "l2", "d1", "d2"} {
+ attr := resources[0].GetAttribute(name)
+ require.NotNil(t, attr)
+ }
+}
+
func TestVarTypeShortcut(t *testing.T) {
files := map[string]string{
"main.tf": `
@@ -1978,3 +2009,155 @@ variable "baz" {}
assert.Contains(t, buf.String(), "Variable values was not found in the environment or variable files.")
assert.Contains(t, buf.String(), "variables=\"foo\"")
}
+
+func TestLoadChildModulesFromLocalCache(t *testing.T) {
+ var buf bytes.Buffer
+ slog.SetDefault(slog.New(log.NewHandler(&buf, &log.Options{Level: log.LevelDebug})))
+
+ fsys := fstest.MapFS{
+ "main.tf": &fstest.MapFile{Data: []byte(`module "level_1" {
+ source = "./modules/level_1"
+}`)},
+ "modules/level_1/main.tf": &fstest.MapFile{Data: []byte(`module "level_2" {
+ source = "../level_2"
+}`)},
+ "modules/level_2/main.tf": &fstest.MapFile{Data: []byte(`module "level_3" {
+ count = 2
+ source = "../level_3"
+}`)},
+ "modules/level_3/main.tf": &fstest.MapFile{Data: []byte(`resource "foo" "bar" {}`)},
+ ".terraform/modules/modules.json": &fstest.MapFile{Data: []byte(`{
+ "Modules": [
+ { "Key": "", "Source": "", "Dir": "." },
+ {
+ "Key": "level_1",
+ "Source": "./modules/level_1",
+ "Dir": "modules/level_1"
+ },
+ {
+ "Key": "level_1.level_2",
+ "Source": "../level_2",
+ "Dir": "modules/level_2"
+ },
+ {
+ "Key": "level_1.level_2.level_3",
+ "Source": "../level_3",
+ "Dir": "modules/level_3"
+ }
+ ]
+}`)},
+ }
+
+ parser := New(
+ fsys, "",
+ OptionStopOnHCLError(true),
+ )
+ require.NoError(t, parser.ParseFS(context.TODO(), "."))
+
+ modules, _, err := parser.EvaluateAll(context.TODO())
+ require.NoError(t, err)
+
+ assert.Len(t, modules, 5)
+
+ assert.Contains(t, buf.String(), "Using module from Terraform cache .terraform/modules\tsource=\"./modules/level_1\"")
+ assert.Contains(t, buf.String(), "Using module from Terraform cache .terraform/modules\tsource=\"../level_2\"")
+ assert.Contains(t, buf.String(), "Using module from Terraform cache .terraform/modules\tsource=\"../level_3\"")
+ assert.Contains(t, buf.String(), "Using module from Terraform cache .terraform/modules\tsource=\"../level_3\"")
+}
+
+func TestLogParseErrors(t *testing.T) {
+ var buf bytes.Buffer
+ slog.SetDefault(slog.New(log.NewHandler(&buf, nil)))
+
+ src := `resource "aws-s3-bucket" "name" {
+ bucket = <
+}`
+
+ fsys := fstest.MapFS{
+ "main.tf": &fstest.MapFile{
+ Data: []byte(src),
+ },
+ }
+
+ parser := New(fsys, "")
+ err := parser.ParseFS(context.TODO(), ".")
+ require.NoError(t, err)
+
+ assert.Contains(t, buf.String(), `cause=" bucket = <"`)
+}
+
+func Test_PassingNullToChildModule_DoesNotEraseType(t *testing.T) {
+ tests := []struct {
+ name string
+ fsys fs.FS
+ }{
+ {
+ name: "typed variable",
+ fsys: fstest.MapFS{
+ "main.tf": &fstest.MapFile{Data: []byte(`module "test" {
+ source = "./modules/test"
+ test_var = null
+}`)},
+ "modules/test/main.tf": &fstest.MapFile{Data: []byte(`variable "test_var" {
+ type = number
+}
+
+resource "foo" "this" {
+ bar = var.test_var != null ? 1 : 2
+}`)},
+ },
+ },
+ {
+ name: "typed variable with default",
+ fsys: fstest.MapFS{
+ "main.tf": &fstest.MapFile{Data: []byte(`module "test" {
+ source = "./modules/test"
+ test_var = null
+}`)},
+ "modules/test/main.tf": &fstest.MapFile{Data: []byte(`variable "test_var" {
+ type = number
+ default = null
+}
+
+resource "foo" "this" {
+ bar = var.test_var != null ? 1 : 2
+}`)},
+ },
+ },
+ {
+ name: "empty variable",
+ fsys: fstest.MapFS{
+ "main.tf": &fstest.MapFile{Data: []byte(`module "test" {
+ source = "./modules/test"
+ test_var = null
+}`)},
+ "modules/test/main.tf": &fstest.MapFile{Data: []byte(`variable "test_var" {}
+
+resource "foo" "this" {
+ bar = var.test_var != null ? 1 : 2
+}`)},
+ },
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ parser := New(
+ tt.fsys, "",
+ OptionStopOnHCLError(true),
+ )
+ require.NoError(t, parser.ParseFS(context.TODO(), "."))
+
+ _, err := parser.Load(context.TODO())
+ require.NoError(t, err)
+
+ modules, _, err := parser.EvaluateAll(context.TODO())
+ require.NoError(t, err)
+
+ res := modules.GetResourcesByType("foo")[0]
+ attr := res.GetAttribute("bar")
+ val, _ := attr.Value().AsBigFloat().Int64()
+ assert.Equal(t, int64(2), val)
+ })
+ }
+}
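Review bot: In `TestLoadChildModulesFromLocalCache` the last two `assert.Contains` calls are identical (`source="../level_3"`), so the second one verifies nothing new. With `count = 2` on `level_3` the intent was presumably to see the message twice; if so, count occurrences instead, e.g. `assert.Equal(t, 2, strings.Count(buf.String(), msg))` (assuming `strings` is imported in this file), otherwise drop the duplicate. This test and `TestLogParseErrors` also call `slog.SetDefault` without restoring the previous logger, which leaves the buffer-backed handler installed for later tests in the package; `prev := slog.Default(); t.Cleanup(func() { slog.SetDefault(prev) })` would contain it. In `Test_PassingNullToChildModule_DoesNotEraseType`, `GetResourcesByType("foo")[0]` indexes without a preceding `require.Len`, so a regression would panic rather than fail with a readable assertion.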
diff --git a/pkg/iac/scanners/terraform/parser/resolvers/cache_integration_test.go b/pkg/iac/scanners/terraform/parser/resolvers/cache_integration_test.go
index 43ad7f06b15b..6bfe812519bd 100644
--- a/pkg/iac/scanners/terraform/parser/resolvers/cache_integration_test.go
+++ b/pkg/iac/scanners/terraform/parser/resolvers/cache_integration_test.go
@@ -1,119 +1,172 @@
+//go:build unix
+
package resolvers_test
import (
"context"
+ "crypto/tls"
"io/fs"
+ "net/http"
+ "net/http/httptest"
+ "path"
+ "strings"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
+ "github.com/aquasecurity/trivy/internal/gittest"
"github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser/resolvers"
+ "github.com/aquasecurity/trivy/pkg/log"
)
type moduleResolver interface {
Resolve(context.Context, fs.FS, resolvers.Options) (fs.FS, string, string, bool, error)
}
-func TestResolveModuleFromCache(t *testing.T) {
- if testing.Short() {
- t.Skip("skipping integration test in short mode")
+func testOptions(t *testing.T, source string) resolvers.Options {
+ return resolvers.Options{
+ Source: source,
+ OriginalSource: source,
+ Version: "",
+ OriginalVersion: "",
+ AllowDownloads: true,
+ CacheDir: t.TempDir(),
+ Logger: log.WithPrefix("test"),
}
+}
+
+func newRegistry(repoURL string) *httptest.Server {
+ mux := http.NewServeMux()
+ mux.HandleFunc("/v1/modules/terraform-aws-modules/s3-bucket/aws/download", func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Set("X-Terraform-Get", repoURL)
+ w.WriteHeader(http.StatusNoContent)
+ })
+
+ return httptest.NewTLSServer(mux)
+}
+
+func buildGitSource(repoURL string) string { return "git::" + repoURL }
+
+func TestResolveModuleFromCache(t *testing.T) {
+
+ repo := "terraform-aws-s3-bucket"
+ gs := gittest.NewServer(t, repo, "testdata/terraform-aws-s3-bucket")
+ defer gs.Close()
+
+ repoURL := gs.URL + "/" + repo + ".git"
+
+ registry := newRegistry(buildGitSource(repoURL))
+ defer registry.Close()
+
+ registryAddress := strings.TrimPrefix(registry.URL, "https://")
tests := []struct {
name string
opts resolvers.Options
firstResolver moduleResolver
expectedSubdir string
+ expectedString string
}{
{
name: "registry",
opts: resolvers.Options{
- Name: "bucket",
- Source: "terraform-aws-modules/s3-bucket/aws",
- Version: "4.1.2",
+ Source: registryAddress + "/terraform-aws-modules/s3-bucket/aws",
+ Client: &http.Client{
+ Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ },
+ },
},
firstResolver: resolvers.Registry,
expectedSubdir: ".",
+ expectedString: "# AWS S3 bucket Terraform module",
},
{
name: "registry with subdir",
opts: resolvers.Options{
- Name: "object",
- Source: "terraform-aws-modules/s3-bucket/aws//modules/object",
- Version: "4.1.2",
+ Source: registryAddress + "/terraform-aws-modules/s3-bucket/aws//modules/object",
+ Client: &http.Client{
+ Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ },
+ },
},
firstResolver: resolvers.Registry,
expectedSubdir: "modules/object",
+ expectedString: "# S3 bucket object",
},
{
name: "remote",
opts: resolvers.Options{
- Name: "bucket",
- Source: "git::https://github.com/terraform-aws-modules/terraform-aws-s3-bucket.git?ref=v4.1.2",
+ Source: buildGitSource(repoURL),
},
firstResolver: resolvers.Remote,
expectedSubdir: ".",
+ expectedString: "# AWS S3 bucket Terraform module",
},
{
name: "remote with subdir",
opts: resolvers.Options{
- Name: "object",
- Source: "git::https://github.com/terraform-aws-modules/terraform-aws-s3-bucket.git//modules/object?ref=v4.1.2",
+ Source: buildGitSource(repoURL) + "//modules/object",
},
firstResolver: resolvers.Remote,
expectedSubdir: "modules/object",
+ expectedString: "# S3 bucket object",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
- tt.opts.AllowDownloads = true
tt.opts.OriginalSource = tt.opts.Source
- tt.opts.OriginalVersion = tt.opts.Version
+ tt.opts.AllowDownloads = true
tt.opts.CacheDir = t.TempDir()
+ tt.opts.Logger = log.WithPrefix("test")
+
+ fsys, _, dir, _, err := tt.firstResolver.Resolve(context.Background(), nil, tt.opts)
+ require.NoError(t, err)
+ assert.Equal(t, tt.expectedSubdir, dir)
- fsys, _, _, applies, err := tt.firstResolver.Resolve(context.Background(), nil, tt.opts)
+ b, err := fs.ReadFile(fsys, path.Join(dir, "README.md"))
require.NoError(t, err)
- assert.True(t, applies)
+ assert.Equal(t, tt.expectedString, string(b))
- _, err = fs.Stat(fsys, "main.tf")
+ _, _, dir, _, err = resolvers.Cache.Resolve(context.Background(), fsys, tt.opts)
require.NoError(t, err)
+ assert.Equal(t, tt.expectedSubdir, dir)
- _, _, _, applies, err = resolvers.Cache.Resolve(context.Background(), fsys, tt.opts)
+ b, err = fs.ReadFile(fsys, path.Join(dir, "README.md"))
require.NoError(t, err)
- assert.True(t, applies)
+ assert.Equal(t, tt.expectedString, string(b))
})
}
}
func TestResolveModuleFromCacheWithDifferentSubdir(t *testing.T) {
- if testing.Short() {
- t.Skip("skipping integration test in short mode")
- }
+ repo := "terraform-aws-s3-bucket"
+ gs := gittest.NewServer(t, repo, "testdata/terraform-aws-s3-bucket")
+ defer gs.Close()
- cacheDir := t.TempDir()
+ repoURL := gs.URL + "/" + repo + ".git"
- fsys, _, _, applies, err := resolvers.Remote.Resolve(context.Background(), nil, resolvers.Options{
- Name: "object",
- Source: "git::https://github.com/terraform-aws-modules/terraform-aws-s3-bucket.git//modules/object?ref=v4.1.2",
- OriginalSource: "git::https://github.com/terraform-aws-modules/terraform-aws-s3-bucket.git//modules/object?ref=v4.1.2",
- AllowDownloads: true,
- CacheDir: cacheDir,
- })
+ fsys, _, dir, _, err := resolvers.Remote.Resolve(
+ context.Background(), nil,
+ testOptions(t, "git::"+repoURL+"//modules/object"),
+ )
require.NoError(t, err)
- assert.True(t, applies)
- _, err = fs.Stat(fsys, "main.tf")
+ b, err := fs.ReadFile(fsys, path.Join(dir, "README.md"))
require.NoError(t, err)
+ assert.Equal(t, "# S3 bucket object", string(b))
- _, _, _, applies, err = resolvers.Cache.Resolve(context.Background(), nil, resolvers.Options{
- Name: "notification",
- Source: "git::https://github.com/terraform-aws-modules/terraform-aws-s3-bucket.git//modules/notification?ref=v4.1.2",
- OriginalSource: "git::https://github.com/terraform-aws-modules/terraform-aws-s3-bucket.git//modules/notification?ref=v4.1.2",
- CacheDir: cacheDir,
- })
+ fsys, _, dir, _, err = resolvers.Remote.Resolve(
+ context.Background(), nil,
+ testOptions(t, "git::"+repoURL+"//modules/notification"),
+ )
+ require.NoError(t, err)
+
+ b, err = fs.ReadFile(fsys, path.Join(dir, "README.md"))
require.NoError(t, err)
- assert.True(t, applies)
+ assert.Equal(t, "# S3 bucket notification", string(b))
}
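Review bot: The two registry cases build an `http.Client` with `TLSClientConfig: &tls.Config{InsecureSkipVerify: true}`, which is not needed for an `httptest` TLS server and makes a verification-disabled client the only usage example of `Options.Client` in this change. `httptest.Server` provides a client that trusts the test certificate, so `Client: registry.Client(),` in both cases keeps verification on and lets the `crypto/tls` import go. Separately, `TestResolveModuleFromCacheWithDifferentSubdir` now calls `testOptions` twice and each call takes a fresh `t.TempDir()` as `CacheDir`, so the second `Remote.Resolve` no longer runs against the cache directory populated by the first; creating one `cacheDir := t.TempDir()` and setting it on both option values would restore the scenario the test name describes. In the table test, the README read after `resolvers.Cache.Resolve` still uses the `fsys` from the first resolver, because the filesystem returned by the cache resolver is discarded.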
diff --git a/pkg/iac/scanners/terraform/parser/resolvers/options.go b/pkg/iac/scanners/terraform/parser/resolvers/options.go
index 73fd39689e84..937f89709dc3 100644
--- a/pkg/iac/scanners/terraform/parser/resolvers/options.go
+++ b/pkg/iac/scanners/terraform/parser/resolvers/options.go
@@ -1,6 +1,7 @@
package resolvers
import (
+ "net/http"
"strings"
"github.com/aquasecurity/trivy/pkg/log"
@@ -13,6 +14,7 @@ type Options struct {
SkipCache bool
RelativePath string
CacheDir string
+ Client *http.Client
}
func (o *Options) hasPrefix(prefixes ...string) bool {
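Review bot: The new exported `Client` field on `Options` is undocumented, and in registry.go the resolver sends the `Authorization: Bearer` header through whichever client is set here. A comment should state the contract, for example `// Client, when non-nil, replaces the resolver's default HTTP client for registry requests; it carries the registry token, so it must keep TLS verification enabled.` The only caller visible in this change is a test, so if the field exists purely for test injection, saying so in the comment would discourage production use. The `Options` struct begins outside this hunk.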
diff --git a/pkg/iac/scanners/terraform/parser/resolvers/registry.go b/pkg/iac/scanners/terraform/parser/resolvers/registry.go
index 471416463cad..1af19f753209 100644
--- a/pkg/iac/scanners/terraform/parser/resolvers/registry.go
+++ b/pkg/iac/scanners/terraform/parser/resolvers/registry.go
@@ -41,12 +41,17 @@ const registryHostname = "registry.terraform.io"
// nolint
func (r *registryResolver) Resolve(ctx context.Context, target fs.FS, opt Options) (filesystem fs.FS, prefix string, downloadPath string, applies bool, err error) {
+ client := r.client
+ if opt.Client != nil {
+ client = opt.Client
+ }
+
if !opt.AllowDownloads {
return
}
inputVersion := opt.Version
- source, _ := splitPackageSubdirRaw(opt.Source)
+ source, _ := splitPackageSubdirRaw(opt.OriginalSource)
parts := strings.Split(source, "/")
if len(parts) < 3 || len(parts) > 4 {
return
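Review bot: Switching the split to `opt.OriginalSource` makes the resolver depend on a field that callers previously did not have to set: with an empty `OriginalSource` the `len(parts) < 3` check presumably trips, and `Resolve` returns without applying and without an error. The OpenTofu integration test in this commit adds `OriginalSource` to its options, which may be a sign that other constructors of `Options` are affected as well. A fallback such as `src := opt.OriginalSource; if src == "" { src = opt.Source }` before the split, or a debug log on the early return, would make the case visible. The client selection added at the top also runs before the `AllowDownloads` guard and could move below it. `Resolve` starts and ends outside this hunk.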
@@ -81,7 +86,7 @@ func (r *registryResolver) Resolve(ctx context.Context, target fs.FS, opt Option
if token != "" {
req.Header.Set("Authorization", "Bearer "+token)
}
- resp, err := r.client.Do(req)
+ resp, err := client.Do(req)
if err != nil {
return nil, "", "", true, err
}
@@ -122,7 +127,7 @@ func (r *registryResolver) Resolve(ctx context.Context, target fs.FS, opt Option
req.Header.Set("X-Terraform-Version", opt.Version)
}
- resp, err := r.client.Do(req)
+ resp, err := client.Do(req)
if err != nil {
return nil, "", "", true, err
}
diff --git a/pkg/iac/scanners/terraform/parser/resolvers/registry_integration_test.go b/pkg/iac/scanners/terraform/parser/resolvers/registry_integration_test.go
index e2d87104da2d..b8be4b10e0f2 100644
--- a/pkg/iac/scanners/terraform/parser/resolvers/registry_integration_test.go
+++ b/pkg/iac/scanners/terraform/parser/resolvers/registry_integration_test.go
@@ -9,6 +9,7 @@ import (
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser/resolvers"
+ "github.com/aquasecurity/trivy/pkg/log"
)
func TestResolveModuleFromOpenTofuRegistry(t *testing.T) {
@@ -17,12 +18,15 @@ func TestResolveModuleFromOpenTofuRegistry(t *testing.T) {
}
fsys, _, path, _, err := resolvers.Registry.Resolve(context.Background(), nil, resolvers.Options{
- Source: "registry.opentofu.org/terraform-aws-modules/s3-bucket/aws",
- RelativePath: "test",
- Name: "bucket",
- Version: "4.1.2",
- AllowDownloads: true,
- SkipCache: true,
+ Source: "registry.opentofu.org/terraform-aws-modules/s3-bucket/aws",
+ OriginalSource: "registry.opentofu.org/terraform-aws-modules/s3-bucket/aws",
+ RelativePath: "test",
+ Name: "bucket",
+ Version: "4.1.2",
+ OriginalVersion: "4.1.2",
+ AllowDownloads: true,
+ SkipCache: true,
+ Logger: log.WithPrefix("test"),
})
require.NoError(t, err)
diff --git a/pkg/iac/scanners/terraform/parser/resolvers/remote.go b/pkg/iac/scanners/terraform/parser/resolvers/remote.go
index 467f2cee6970..d70edde8c3b7 100644
--- a/pkg/iac/scanners/terraform/parser/resolvers/remote.go
+++ b/pkg/iac/scanners/terraform/parser/resolvers/remote.go
@@ -40,15 +40,20 @@ func (r *remoteResolver) Resolve(ctx context.Context, _ fs.FS, opt Options) (fil
return nil, "", "", false, nil
}
- src, subdir := splitPackageSubdirRaw(opt.OriginalSource)
- key := cacheKey(src, opt.OriginalVersion)
+ origSrc, subdir := splitPackageSubdirRaw(opt.OriginalSource)
+ key := cacheKey(origSrc, opt.OriginalVersion)
opt.Logger.Debug("Caching module", log.String("key", key))
baseCacheDir, err := locateCacheDir(opt.CacheDir)
if err != nil {
return nil, "", "", true, fmt.Errorf("failed to locate cache directory: %w", err)
}
+
cacheDir := filepath.Join(baseCacheDir, key)
+
+ src, _ := splitPackageSubdirRaw(opt.Source)
+
+ opt.Source = src
if err := r.download(ctx, opt, cacheDir); err != nil {
return nil, "", "", true, err
}
@@ -56,9 +61,9 @@ func (r *remoteResolver) Resolve(ctx context.Context, _ fs.FS, opt Options) (fil
r.incrementCount(opt)
opt.Logger.Debug("Successfully resolve module via remote download",
log.String("name", opt.Name),
- log.String("source", opt.Source),
+ log.String("source", opt.OriginalSource),
)
- return os.DirFS(cacheDir), opt.Source, subdir, true, nil
+ return os.DirFS(cacheDir), opt.OriginalSource, subdir, true, nil
}
func (r *remoteResolver) download(ctx context.Context, opt Options, dst string) error {
diff --git a/pkg/iac/scanners/terraform/parser/resolvers/testdata/terraform-aws-s3-bucket/README.md b/pkg/iac/scanners/terraform/parser/resolvers/testdata/terraform-aws-s3-bucket/README.md
new file mode 100644
index 000000000000..26e6186c9cbe
--- /dev/null
+++ b/pkg/iac/scanners/terraform/parser/resolvers/testdata/terraform-aws-s3-bucket/README.md
@@ -0,0 +1 @@
+# AWS S3 bucket Terraform module
\ No newline at end of file
diff --git a/pkg/iac/scanners/terraform/parser/resolvers/testdata/terraform-aws-s3-bucket/modules/notification/README.md b/pkg/iac/scanners/terraform/parser/resolvers/testdata/terraform-aws-s3-bucket/modules/notification/README.md
new file mode 100644
index 000000000000..9f2f884a9586
--- /dev/null
+++ b/pkg/iac/scanners/terraform/parser/resolvers/testdata/terraform-aws-s3-bucket/modules/notification/README.md
@@ -0,0 +1 @@
+# S3 bucket notification
\ No newline at end of file
diff --git a/pkg/iac/scanners/terraform/parser/resolvers/testdata/terraform-aws-s3-bucket/modules/object/README.md b/pkg/iac/scanners/terraform/parser/resolvers/testdata/terraform-aws-s3-bucket/modules/object/README.md
new file mode 100644
index 000000000000..a016e2bb23cb
--- /dev/null
+++ b/pkg/iac/scanners/terraform/parser/resolvers/testdata/terraform-aws-s3-bucket/modules/object/README.md
@@ -0,0 +1 @@
+# S3 bucket object
\ No newline at end of file
diff --git a/pkg/iac/scanners/terraform/performance_test.go b/pkg/iac/scanners/terraform/performance_test.go
index 9015aa25b076..7ef574e27858 100644
--- a/pkg/iac/scanners/terraform/performance_test.go
+++ b/pkg/iac/scanners/terraform/performance_test.go
@@ -29,7 +29,7 @@ func BenchmarkCalculate(b *testing.B) {
if err != nil {
b.Fatal(err)
}
- executor.New().Execute(modules)
+ executor.New().Execute(context.TODO(), modules, "project")
}
}
diff --git a/pkg/iac/scanners/terraform/scanner.go b/pkg/iac/scanners/terraform/scanner.go
index d574acdb2c4a..9ddb2f3ef861 100644
--- a/pkg/iac/scanners/terraform/scanner.go
+++ b/pkg/iac/scanners/terraform/scanner.go
@@ -10,7 +10,6 @@ import (
"strings"
"sync"
- "github.com/aquasecurity/trivy/pkg/iac/framework"
"github.com/aquasecurity/trivy/pkg/iac/rego"
"github.com/aquasecurity/trivy/pkg/iac/scan"
"github.com/aquasecurity/trivy/pkg/iac/scanners"
@@ -38,18 +37,6 @@ type Scanner struct {
execLock sync.RWMutex
}
-func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {
- s.executorOpt = append(s.executorOpt, executor.OptionWithIncludeDeprecatedChecks(b))
-}
-
-func (s *Scanner) SetRegoOnly(regoOnly bool) {
- s.executorOpt = append(s.executorOpt, executor.OptionWithRegoOnly(regoOnly))
-}
-
-func (s *Scanner) SetFrameworks(frameworks []framework.Framework) {
- s.executorOpt = append(s.executorOpt, executor.OptionWithFrameworks(frameworks...))
-}
-
func (s *Scanner) Name() string {
return "Terraform"
}
@@ -158,7 +145,7 @@ func (s *Scanner) ScanFS(ctx context.Context, target fs.FS, dir string) (scan.Re
s.execLock.RLock()
e := executor.New(s.executorOpt...)
s.execLock.RUnlock()
- results, err := e.Execute(module.childs)
+ results, err := e.Execute(ctx, module.childs, module.rootPath)
if err != nil {
return nil, err
}
diff --git a/pkg/iac/scanners/terraform/scanner_integration_test.go b/pkg/iac/scanners/terraform/scanner_integration_test.go
index 96c681e97553..3f3e0eb0e32d 100644
--- a/pkg/iac/scanners/terraform/scanner_integration_test.go
+++ b/pkg/iac/scanners/terraform/scanner_integration_test.go
@@ -2,6 +2,7 @@ package terraform
import (
"context"
+ "strings"
"testing"
"github.com/stretchr/testify/assert"
@@ -9,7 +10,6 @@ import (
"github.com/aquasecurity/trivy/internal/testutil"
"github.com/aquasecurity/trivy/pkg/iac/rego"
- "github.com/aquasecurity/trivy/pkg/iac/scanners/options"
)
func Test_ScanRemoteModule(t *testing.T) {
@@ -24,32 +24,13 @@ module "s3_bucket" {
bucket = "my-s3-bucket"
}
`,
- "/rules/bucket_name.rego": `
-# METADATA
-# schemas:
-# - input: schema.input
-# custom:
-# avd_id: AVD-AWS-0001
-# input:
-# selector:
-# - type: cloud
-# subtypes:
-# - service: s3
-# provider: aws
-package defsec.test.aws1
-deny[res] {
- bucket := input.aws.s3.buckets[_]
- bucket.name.value == ""
- res := result.new("The name of the bucket must not be empty", bucket)
-}`,
})
scanner := New(
- rego.WithPolicyFilesystem(fs),
- rego.WithPolicyDirs("rules"),
+ rego.WithPolicyReader(strings.NewReader(emptyBucketCheck)),
+ rego.WithPolicyNamespaces("user"),
rego.WithEmbeddedPolicies(false),
rego.WithEmbeddedLibraries(false),
- options.ScannerWithRegoOnly(true),
ScannerWithAllDirectories(true),
ScannerWithSkipCachedModules(true),
)
@@ -81,32 +62,13 @@ module "s3_bucket" {
bucket = var.bucket
}
`,
- "rules/bucket_name.rego": `
-# METADATA
-# schemas:
-# - input: schema.input
-# custom:
-# avd_id: AVD-AWS-0001
-# input:
-# selector:
-# - type: cloud
-# subtypes:
-# - service: s3
-# provider: aws
-package defsec.test.aws1
-deny[res] {
- bucket := input.aws.s3.buckets[_]
- bucket.name.value == ""
- res := result.new("The name of the bucket must not be empty", bucket)
-}`,
})
scanner := New(
- rego.WithPolicyFilesystem(fs),
- rego.WithPolicyDirs("rules"),
+ rego.WithPolicyReader(strings.NewReader(emptyBucketCheck)),
+ rego.WithPolicyNamespaces("user"),
rego.WithEmbeddedPolicies(false),
rego.WithEmbeddedLibraries(false),
- options.ScannerWithRegoOnly(true),
ScannerWithAllDirectories(true),
ScannerWithSkipCachedModules(true),
)
@@ -149,7 +111,6 @@ deny[cause] {
scanner := New(
ScannerWithSkipCachedModules(true),
rego.WithPolicyDirs("rules"),
- options.ScannerWithRegoOnly(true),
rego.WithEmbeddedPolicies(false),
rego.WithEmbeddedLibraries(true),
)
@@ -165,7 +126,6 @@ deny[cause] {
ScannerWithSkipDownloaded(true),
ScannerWithSkipCachedModules(true),
rego.WithPolicyDirs("rules"),
- options.ScannerWithRegoOnly(true),
rego.WithEmbeddedPolicies(false),
rego.WithEmbeddedLibraries(true),
)
@@ -219,7 +179,6 @@ deny[res] {
ScannerWithSkipDownloaded(true),
ScannerWithSkipCachedModules(true),
rego.WithPolicyDirs("rules"),
- options.ScannerWithRegoOnly(true),
rego.WithEmbeddedLibraries(true),
rego.WithEmbeddedPolicies(false),
)
diff --git a/pkg/iac/scanners/terraform/scanner_test.go b/pkg/iac/scanners/terraform/scanner_test.go
index a7020b4ddd06..215ec796b45d 100644
--- a/pkg/iac/scanners/terraform/scanner_test.go
+++ b/pkg/iac/scanners/terraform/scanner_test.go
@@ -4,92 +4,36 @@ import (
"context"
"fmt"
"strconv"
+ "strings"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy/internal/testutil"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
"github.com/aquasecurity/trivy/pkg/iac/rego"
- "github.com/aquasecurity/trivy/pkg/iac/rules"
"github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/scanners/options"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
- "github.com/aquasecurity/trivy/pkg/iac/types"
)
-const emptyBucketRule = `
-# METADATA
-# schemas:
-# - input: schema.input
-# custom:
-# avd_id: AVD-AWS-0001
-# input:
-# selector:
-# - type: cloud
-# subtypes:
-# - service: s3
-# provider: aws
-package defsec.test.aws1
-deny[res] {
- bucket := input.aws.s3.buckets[_]
- bucket.name.value == ""
- res := result.new("The name of the bucket must not be empty", bucket)
-}
-`
-
func Test_OptionWithPolicyDirs(t *testing.T) {
- fs := testutil.CreateFS(t, map[string]string{
- "/code/main.tf": `
-resource "aws_s3_bucket" "my-bucket" {
- bucket = "evil"
-}
-`,
- "/rules/test.rego": `
-package defsec.abcdefg
-
-__rego_metadata__ := {
- "id": "TEST123",
- "avd_id": "AVD-TEST-0123",
- "title": "Buckets should not be evil",
- "short_code": "no-evil-buckets",
- "severity": "CRITICAL",
- "type": "DefSec Security Check",
- "description": "You should not allow buckets to be evil",
- "recommended_actions": "Use a good bucket instead",
- "url": "https://google.com/search?q=is+my+bucket+evil",
-}
-
-__rego_input__ := {
- "combine": false,
- "selector": [{"type": "defsec", "subtypes": [{"service": "s3", "provider": "aws"}]}],
-}
-
-deny[cause] {
- bucket := input.aws.s3.buckets[_]
- bucket.name.value == "evil"
- cause := bucket.name
-}
-`,
+ fsys := testutil.CreateFS(t, map[string]string{
+ "/code/main.tf": `resource "aws_s3_bucket" "my-bucket" {}`,
+ "/rules/test.rego": emptyBucketCheck,
})
- scanner := New(
- rego.WithPolicyFilesystem(fs),
+ results, err := scanFS(fsys, "code",
+ rego.WithPolicyFilesystem(fsys),
rego.WithPolicyDirs("rules"),
- options.ScannerWithRegoOnly(true),
+ rego.WithPolicyNamespaces("user"),
)
-
- results, err := scanner.ScanFS(context.TODO(), fs, "code")
require.NoError(t, err)
require.Len(t, results.GetFailed(), 1)
failure := results.GetFailed()[0]
- assert.Equal(t, "AVD-TEST-0123", failure.Rule().AVDID)
+ assert.Equal(t, "USER-TEST-0123", failure.Rule().AVDID)
actualCode, err := failure.GetCode()
require.NoError(t, err)
@@ -98,28 +42,11 @@ deny[cause] {
}
assert.Equal(t, []scan.Line{
{
- Number: 2,
- Content: "resource \"aws_s3_bucket\" \"my-bucket\" {",
- IsCause: false,
- FirstCause: false,
- LastCause: false,
- Annotation: "",
- },
- {
- Number: 3,
- Content: "\tbucket = \"evil\"",
+ Number: 1,
+ Content: "resource \"aws_s3_bucket\" \"my-bucket\" {}",
IsCause: true,
FirstCause: true,
LastCause: true,
- Annotation: "",
- },
- {
- Number: 4,
- Content: "}",
- IsCause: false,
- FirstCause: false,
- LastCause: false,
- Annotation: "",
},
}, actualCode.Lines)
@@ -234,104 +161,6 @@ cause := bucket.name
}
-func Test_OptionWithRegoOnly(t *testing.T) {
-
- fs := testutil.CreateFS(t, map[string]string{
- "/code/main.tf": `
-resource "aws_s3_bucket" "my-bucket" {
- bucket = "evil"
-}
-`,
- "/rules/test.rego": `
-package defsec.abcdefg
-
-__rego_metadata__ := {
- "id": "TEST123",
- "avd_id": "AVD-TEST-0123",
- "title": "Buckets should not be evil",
- "short_code": "no-evil-buckets",
- "severity": "CRITICAL",
- "type": "DefSec Security Check",
- "description": "You should not allow buckets to be evil",
- "recommended_actions": "Use a good bucket instead",
- "url": "https://google.com/search?q=is+my+bucket+evil",
-}
-
-__rego_input__ := {
- "combine": false,
- "selector": [{"type": "defsec", "subtypes": [{"service": "s3", "provider": "aws"}]}],
-}
-
-deny[cause] {
- bucket := input.aws.s3.buckets[_]
- bucket.name.value == "evil"
- cause := bucket.name
-}
-`,
- })
-
- scanner := New(
- rego.WithPolicyDirs("rules"),
- options.ScannerWithRegoOnly(true),
- )
-
- results, err := scanner.ScanFS(context.TODO(), fs, "code")
- require.NoError(t, err)
-
- require.Len(t, results.GetFailed(), 1)
- assert.Equal(t, "AVD-TEST-0123", results[0].Rule().AVDID)
-}
-
-func Test_OptionWithRegoOnly_CodeHighlighting(t *testing.T) {
-
- fs := testutil.CreateFS(t, map[string]string{
- "/code/main.tf": `
-resource "aws_s3_bucket" "my-bucket" {
- bucket = "evil"
-}
-`,
- "/rules/test.rego": `
-package defsec.abcdefg
-
-__rego_metadata__ := {
- "id": "TEST123",
- "avd_id": "AVD-TEST-0123",
- "title": "Buckets should not be evil",
- "short_code": "no-evil-buckets",
- "severity": "CRITICAL",
- "type": "DefSec Security Check",
- "description": "You should not allow buckets to be evil",
- "recommended_actions": "Use a good bucket instead",
- "url": "https://google.com/search?q=is+my+bucket+evil",
-}
-
-__rego_input__ := {
- "combine": false,
- "selector": [{"type": "defsec", "subtypes": [{"service": "s3", "provider": "aws"}]}],
-}
-
-deny[res] {
- bucket := input.aws.s3.buckets[_]
- bucket.name.value == "evil"
- res := result.new("oh no", bucket.name)
-}
-`,
- })
-
- scanner := New(
- rego.WithPolicyDirs("rules"),
- options.ScannerWithRegoOnly(true),
- rego.WithEmbeddedLibraries(true),
- )
-
- results, err := scanner.ScanFS(context.TODO(), fs, "code")
- require.NoError(t, err)
-
- require.Len(t, results.GetFailed(), 1)
- assert.Equal(t, "AVD-TEST-0123", results[0].Rule().AVDID)
- assert.NotNil(t, results[0].Metadata().Range().GetFS())
-}
-
func Test_IAMPolicyRego(t *testing.T) {
fs := testutil.CreateFS(t, map[string]string{
"/code/main.tf": `
@@ -388,7 +217,6 @@ deny[res] {
scanner := New(
rego.WithPolicyDirs("rules"),
- options.ScannerWithRegoOnly(true),
rego.WithEmbeddedLibraries(true),
)
@@ -410,7 +238,7 @@ resource "aws_ecs_task_definition" "test" {
[
{
"privileged": true,
- "cpu": 10,
+ "cpu": "10",
"command": ["sleep", "10"],
"entryPoint": ["/"],
"environment": [
@@ -418,7 +246,7 @@ resource "aws_ecs_task_definition" "test" {
],
"essential": true,
"image": "jenkins",
- "memory": 128,
+ "memory": "128",
"name": "jenkins",
"portMappings": [
{
@@ -472,7 +300,6 @@ deny[res] {
scanner := New(
rego.WithPolicyDirs("rules"),
- options.ScannerWithRegoOnly(true),
rego.WithEmbeddedLibraries(true),
)
@@ -646,7 +473,6 @@ deny[res] {
scanner := New(
rego.WithPolicyFilesystem(fs),
rego.WithPolicyDirs("rules"),
- options.ScannerWithRegoOnly(true),
)
results, err := scanner.ScanFS(context.TODO(), fs, "code")
@@ -709,7 +535,7 @@ resource "aws_s3_bucket" "main" {
bucket = var.bucket_name
}
`,
- "rules/bucket_name.rego": emptyBucketRule,
+ "rules/bucket_name.rego": emptyBucketCheck,
})
configsFS := testutil.CreateFS(t, map[string]string{
@@ -719,9 +545,9 @@ bucket_name = "test"
})
scanner := New(
+ rego.WithPolicyNamespaces("user"),
rego.WithPolicyDirs("rules"),
rego.WithPolicyFilesystem(fs),
- options.ScannerWithRegoOnly(true),
rego.WithEmbeddedLibraries(false),
rego.WithEmbeddedPolicies(false),
ScannerWithAllDirectories(true),
@@ -746,16 +572,16 @@ resource "aws_s3_bucket" "main" {
bucket = var.bucket_name
}
`,
- "rules/bucket_name.rego": emptyBucketRule,
+ "rules/bucket_name.rego": emptyBucketCheck,
"main.tfvars": `
bucket_name = "test"
`,
})
scanner := New(
+ rego.WithPolicyNamespaces("user"),
rego.WithPolicyDirs("rules"),
rego.WithPolicyFilesystem(fs),
- options.ScannerWithRegoOnly(true),
rego.WithEmbeddedLibraries(false),
rego.WithEmbeddedPolicies(false),
ScannerWithAllDirectories(true),
@@ -805,25 +631,7 @@ resource "aws_security_group" "main" {
description = var.security_group_description
}
`,
- "/rules/bucket_name.rego": `
-# METADATA
-# schemas:
-# - input: schema.input
-# custom:
-# avd_id: AVD-AWS-0001
-# input:
-# selector:
-# - type: cloud
-# subtypes:
-# - service: s3
-# provider: aws
-package defsec.test.aws1
-deny[res] {
- bucket := input.aws.s3.buckets[_]
- bucket.name.value == ""
- res := result.new("The name of the bucket must not be empty", bucket)
-}
-`,
+ "/rules/bucket_name.rego": emptyBucketCheck,
"/rules/sec_group_description.rego": `
# METADATA
# schemas:
@@ -846,11 +654,11 @@ deny[res] {
})
scanner := New(
+ rego.WithPolicyNamespaces("user"),
rego.WithPolicyFilesystem(fs),
rego.WithPolicyDirs("rules"),
rego.WithEmbeddedPolicies(false),
rego.WithEmbeddedLibraries(false),
- options.ScannerWithRegoOnly(true),
ScannerWithAllDirectories(true),
)
@@ -918,7 +726,6 @@ deny[res] {
scanner := New(
rego.WithPolicyDirs("rules"),
rego.WithPolicyFilesystem(fs),
- options.ScannerWithRegoOnly(true),
rego.WithEmbeddedLibraries(false),
rego.WithEmbeddedPolicies(false),
ScannerWithAllDirectories(true),
@@ -987,7 +794,6 @@ deny[res] {
scanner := New(
rego.WithPolicyDirs("rules"),
rego.WithPolicyFilesystem(fs),
- options.ScannerWithRegoOnly(true),
rego.WithEmbeddedLibraries(false),
rego.WithEmbeddedPolicies(false),
ScannerWithAllDirectories(true),
@@ -1051,7 +857,6 @@ deny[res] {
scanner := New(
rego.WithPolicyDirs("rules"),
rego.WithPolicyFilesystem(fs),
- options.ScannerWithRegoOnly(true),
rego.WithPolicyNamespaces("user"),
rego.WithEmbeddedLibraries(false),
rego.WithEmbeddedPolicies(false),
@@ -1072,55 +877,8 @@ deny[res] {
assert.Equal(t, "code/example/main.tf", occurrences[0].Filename)
}
-func TestSkipDeprecatedGoChecks(t *testing.T) {
-
- check := scan.Rule{
- Provider: providers.AWSProvider,
- Service: "service",
- ShortCode: "abc",
- Severity: severity.High,
- Check: func(s *state.State) (results scan.Results) {
- results.Add("Deny", types.NewTestMetadata())
- return
- },
- }
-
- fsys := testutil.CreateFS(t, map[string]string{
- "main.tf": `resource "foo" "bar" {}`,
- })
-
- scanner := New(
- rego.WithPolicyFilesystem(fsys),
- rego.WithEmbeddedLibraries(false),
- rego.WithEmbeddedPolicies(false),
- ScannerWithAllDirectories(true),
- )
-
- t.Run("deprecated", func(t *testing.T) {
- check.Deprecated = true
- reg := rules.Register(check)
- defer rules.Deregister(reg)
-
- results, err := scanner.ScanFS(context.TODO(), fsys, ".")
- require.NoError(t, err)
-
- require.Empty(t, results)
- })
-
- t.Run("not deprecated", func(t *testing.T) {
- check.Deprecated = false
- reg := rules.Register(check)
- defer rules.Deregister(reg)
-
- results, err := scanner.ScanFS(context.TODO(), fsys, ".")
- require.NoError(t, err)
-
- require.Len(t, results, 1)
- })
-}
-
func TestSkipDir(t *testing.T) {
- fs := testutil.CreateFS(t, map[string]string{
+ fsys := testutil.CreateFS(t, map[string]string{
"deployments/main.tf": `
module "use_bad_configuration" {
source = "../modules"
@@ -1130,50 +888,23 @@ module "use_bad_configuration_2" {
source = "../modules/modules2"
}
`,
- "modules/misconfig.tf": `data "aws_iam_policy_document" "bad" {
- statement {
- actions = [
- "apigateway:*",
- ]
-
- resources = [
- "*",
- ]
- }
-}
-
-resource "aws_iam_policy" "bad_configuration" {
- name_prefix = local.setup_role_name
- policy = data.aws_iam_policy_document.bad.json
-}
+ "modules/misconfig.tf": `
+resource "aws_s3_bucket" "test" {}
`,
- "modules/modules2/misconfig.tf": `data "aws_iam_policy_document" "bad" {
- statement {
- actions = [
- "apigateway:*",
- ]
-
- resources = [
- "*",
- ]
- }
-}
-
-resource "aws_iam_policy" "bad_configuration" {
- name_prefix = local.setup_role_name
- policy = data.aws_iam_policy_document.bad.json
-}
+ "modules/modules2/misconfig.tf": `
+resource "aws_s3_bucket" "test" {}
`,
})
t.Run("use skip-dir option", func(t *testing.T) {
scanner := New(
- options.ScannerWithIncludeDeprecatedChecks(true),
ScannerWithSkipDirs([]string{"**/modules/**"}),
ScannerWithAllDirectories(true),
+ rego.WithPolicyReader(strings.NewReader(emptyBucketCheck)),
+ rego.WithPolicyNamespaces("user"),
)
- results, err := scanner.ScanFS(context.TODO(), fs, "deployments")
+ results, err := scanner.ScanFS(context.TODO(), fsys, "deployments")
require.NoError(t, err)
assert.Empty(t, results)
@@ -1181,12 +912,13 @@ resource "aws_iam_policy" "bad_configuration" {
t.Run("use skip-files option", func(t *testing.T) {
scanner := New(
- options.ScannerWithIncludeDeprecatedChecks(true),
ScannerWithSkipFiles([]string{"**/modules/**/*.tf"}),
ScannerWithAllDirectories(true),
+ rego.WithPolicyReader(strings.NewReader(emptyBucketCheck)),
+ rego.WithPolicyNamespaces("user"),
)
- results, err := scanner.ScanFS(context.TODO(), fs, "deployments")
+ results, err := scanner.ScanFS(context.TODO(), fsys, "deployments")
require.NoError(t, err)
assert.Empty(t, results)
@@ -1194,26 +926,28 @@ resource "aws_iam_policy" "bad_configuration" {
t.Run("non existing value for skip-files option", func(t *testing.T) {
scanner := New(
- options.ScannerWithIncludeDeprecatedChecks(true),
ScannerWithSkipFiles([]string{"foo/bar*.tf"}),
ScannerWithAllDirectories(true),
+ rego.WithPolicyReader(strings.NewReader(emptyBucketCheck)),
+ rego.WithPolicyNamespaces("user"),
)
- results, err := scanner.ScanFS(context.TODO(), fs, "deployments")
+ results, err := scanner.ScanFS(context.TODO(), fsys, "deployments")
require.NoError(t, err)
- assert.Len(t, results, 4)
+ assert.Len(t, results, 2)
})
t.Run("empty skip-files option", func(t *testing.T) {
scanner := New(
- options.ScannerWithIncludeDeprecatedChecks(true),
ScannerWithAllDirectories(true),
+ rego.WithPolicyReader(strings.NewReader(emptyBucketCheck)),
+ rego.WithPolicyNamespaces("user"),
)
- results, err := scanner.ScanFS(context.TODO(), fs, "deployments")
+ results, err := scanner.ScanFS(context.TODO(), fsys, "deployments")
require.NoError(t, err)
- assert.Len(t, results, 4)
+ assert.Len(t, results, 2)
})
}
diff --git a/pkg/iac/scanners/terraform/setup_test.go b/pkg/iac/scanners/terraform/setup_test.go
index 5b98c438f9c1..4043fa7ba7b1 100644
--- a/pkg/iac/scanners/terraform/setup_test.go
+++ b/pkg/iac/scanners/terraform/setup_test.go
@@ -2,6 +2,7 @@ package terraform
import (
"context"
+ "io/fs"
"testing"
"github.com/stretchr/testify/require"
@@ -14,6 +15,68 @@ import (
"github.com/aquasecurity/trivy/pkg/iac/terraform"
)
+var emptyBucketCheck = `# METADATA
+# schemas:
+# - input: schema.cloud
+# custom:
+# avd_id: USER-TEST-0123
+# short_code: non-empty-bucket
+# provider: aws
+# service: s3
+# aliases:
+# - my-alias
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: s3
+# provider: aws
+package user.test123
+
+import rego.v1
+
+deny contains res if {
+ some bucket in input.aws.s3.buckets
+ bucket.name.value == ""
+ res := result.new("The bucket name cannot be empty.", bucket.name)
+}
+`
+
+var enforceGroupMfaCheck = `# METADATA
+# schemas:
+# - input: schema["cloud"]
+# custom:
+# id: USER-TEST-0124
+# aliases:
+# - aws-iam-enforce-mfa
+# provider: aws
+# service: iam
+# short_code: enforce-group-mfa
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: iam
+# provider: aws
+package user.test124
+
+import rego.v1
+
+deny contains res if {
+ some group in input.aws.iam.groups
+ not is_group_mfa_enforced(group)
+ res := result.new("Multi-Factor authentication is not enforced for group", group)
+}
+
+is_group_mfa_enforced(group) if {
+ some policy in group.policies
+ value := json.unmarshal(policy.document.value)
+ some condition in value.Statement[_].Condition
+ some key, _ in condition
+ key == "aws:MultiFactorAuthPresent"
+}
+`
+
func createModulesFromSource(t *testing.T, source, ext string) terraform.Modules {
fs := testutil.CreateFS(t, map[string]string{
"source" + ext: source,
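Review bot: `is_group_mfa_enforced` in the `enforceGroupMfaCheck` fixture succeeds as soon as any condition in any statement carries the key `aws:MultiFactorAuthPresent`; it checks neither the key's value, nor the condition operator, nor the statement's effect. That is enough for a test fixture, but a policy that requires the key to be `false` would also count as enforcing MFA. A Go comment above the variable would stop it being reused as a real check, e.g. `// enforceGroupMfaCheck is a simplified test check: it only tests for the presence of the aws:MultiFactorAuthPresent condition key.` The body of `createModulesFromSource` at the end of this hunk continues outside it.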
@@ -30,30 +93,39 @@ func createModulesFromSource(t *testing.T, source, ext string) terraform.Modules
return modules
}
-func scanHCLWithWorkspace(t *testing.T, source, workspace string) scan.Results {
- return scanHCL(t, source, ScannerWithWorkspaceName(workspace))
+func scanFS(fsys fs.FS, target string, opts ...options.ScannerOption) (scan.Results, error) {
+ s := New(append(
+ []options.ScannerOption{
+ rego.WithEmbeddedLibraries(true),
+ rego.WithRegoErrorLimits(0),
+ ScannerWithAllDirectories(true),
+ ScannerWithSkipCachedModules(true),
+ ScannerWithStopOnHCLError(true),
+ },
+ opts...,
+ )...,
+ )
+
+ return s.ScanFS(context.TODO(), fsys, target)
}
func scanHCL(t *testing.T, source string, opts ...options.ScannerOption) scan.Results {
- fs := testutil.CreateFS(t, map[string]string{
+ fsys := testutil.CreateFS(t, map[string]string{
"main.tf": source,
})
-
- localScanner := New(append(opts, rego.WithEmbeddedPolicies(false))...)
- results, err := localScanner.ScanFS(context.TODO(), fs, ".")
+ results, err := scanFS(fsys, ".", opts...)
require.NoError(t, err)
return results
}
-func scanJSON(t *testing.T, source string) scan.Results {
+func scanJSON(t *testing.T, source string, opts ...options.ScannerOption) scan.Results {
- fs := testutil.CreateFS(t, map[string]string{
+ fsys := testutil.CreateFS(t, map[string]string{
"main.tf.json": source,
})
- s := New(rego.WithEmbeddedPolicies(true), rego.WithEmbeddedLibraries(true))
- results, err := s.ScanFS(context.TODO(), fs, ".")
+ results, err := scanFS(fsys, ".", opts...)
require.NoError(t, err)
return results
}
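Review bot: The new `scanFS` helper has no comment and does not set `rego.WithEmbeddedPolicies`, which the removed lines forced to `false` in `scanHCL` and to `true` in `scanJSON`. Both helpers now depend on the scanner's default for embedded policies, which is not visible in this hunk, unless a caller passes the option through `opts`. A doc comment would make that explicit, e.g. `// scanFS scans target in fsys with the shared test defaults; opts are appended after them. Embedded policies are not configured here.`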
diff --git a/pkg/iac/scanners/terraform/wildcard_test.go b/pkg/iac/scanners/terraform/wildcard_test.go
deleted file mode 100644
index 5de281e69be0..000000000000
--- a/pkg/iac/scanners/terraform/wildcard_test.go
+++ /dev/null
@@ -1,84 +0,0 @@
-package terraform
-
-import (
- "fmt"
- "testing"
-
- "github.com/aquasecurity/trivy/internal/testutil"
- "github.com/aquasecurity/trivy/pkg/iac/rules"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/terraform"
-)
-
-func Test_WildcardMatchingOnRequiredLabels(t *testing.T) {
-
- tests := []struct {
- input string
- pattern string
- expectedFailure bool
- }{
- {
- pattern: "aws_*",
- input: `resource "aws_instance" "blah" {}`,
- expectedFailure: true,
- },
- {
- pattern: "gcp_*",
- input: `resource "aws_instance" "blah" {}`,
- expectedFailure: false,
- },
- {
- pattern: "x_aws_*",
- input: `resource "aws_instance" "blah" {}`,
- expectedFailure: false,
- },
- {
- pattern: "aws_security_group*",
- input: `resource "aws_security_group" "blah" {}`,
- expectedFailure: true,
- },
- {
- pattern: "aws_security_group*",
- input: `resource "aws_security_group_rule" "blah" {}`,
- expectedFailure: true,
- },
- }
-
- for i, test := range tests {
-
- code := fmt.Sprintf("wild%d", i)
-
- t.Run(code, func(t *testing.T) {
-
- rule := scan.Rule{
- Service: "service",
- ShortCode: code,
- Summary: "blah",
- Provider: "custom",
- Severity: severity.High,
- CustomChecks: scan.CustomChecks{
- Terraform: &scan.TerraformCustomCheck{
- RequiredTypes: []string{"resource"},
- RequiredLabels: []string{test.pattern},
- Check: func(resourceBlock *terraform.Block, _ *terraform.Module) (results scan.Results) {
- results.Add("Custom check failed for resource.", resourceBlock)
- return
- },
- },
- },
- }
- reg := rules.Register(rule)
- defer rules.Deregister(reg)
-
- results := scanHCL(t, test.input)
-
- if test.expectedFailure {
- testutil.AssertRuleFound(t, fmt.Sprintf("custom-service-%s", code), results, "")
- } else {
- testutil.AssertRuleNotFound(t, fmt.Sprintf("custom-service-%s", code), results, "")
- }
- })
- }
-
-}
diff --git a/pkg/iac/scanners/terraformplan/snapshot/scanner_test.go b/pkg/iac/scanners/terraformplan/snapshot/scanner_test.go
index 992bed5af809..4cb3b4d52816 100644
--- a/pkg/iac/scanners/terraformplan/snapshot/scanner_test.go
+++ b/pkg/iac/scanners/terraformplan/snapshot/scanner_test.go
@@ -24,7 +24,6 @@ func initScanner(opts ...options.ScannerOption) *Scanner {
rego.WithEmbeddedLibraries(true),
rego.WithPolicyNamespaces("user"),
rego.WithPolicyDirs("."),
- options.ScannerWithRegoOnly(true),
rego.WithRegoErrorLimits(0),
tfscanner.ScannerWithSkipCachedModules(true),
}
@@ -111,7 +110,6 @@ func Test_ScanFS(t *testing.T) {
scanner := New(
rego.WithPolicyDirs(path.Join(tc.dir, "checks")),
rego.WithPolicyFilesystem(fs),
- options.ScannerWithRegoOnly(true),
rego.WithPolicyNamespaces("user"),
rego.WithEmbeddedLibraries(false),
rego.WithEmbeddedPolicies(false),
diff --git a/pkg/iac/scanners/terraformplan/tfjson/scanner_test.go b/pkg/iac/scanners/terraformplan/tfjson/scanner_test.go
index 9173c8046bb1..fedc90fef52f 100644
--- a/pkg/iac/scanners/terraformplan/tfjson/scanner_test.go
+++ b/pkg/iac/scanners/terraformplan/tfjson/scanner_test.go
@@ -53,7 +53,6 @@ func Test_TerraformScanner(t *testing.T) {
check: defaultCheck,
options: []options.ScannerOption{
rego.WithPolicyDirs("rules"),
- options.ScannerWithRegoOnly(true),
},
},
{
@@ -62,7 +61,6 @@ func Test_TerraformScanner(t *testing.T) {
check: defaultCheck,
options: []options.ScannerOption{
rego.WithPolicyDirs("rules"),
- options.ScannerWithRegoOnly(true),
rego.WithPolicyNamespaces("user"),
},
},
@@ -92,7 +90,6 @@ deny[cause] {
`,
options: []options.ScannerOption{
rego.WithPolicyDirs("rules"),
- options.ScannerWithRegoOnly(true),
rego.WithPolicyNamespaces("user"),
},
},
@@ -102,7 +99,6 @@ deny[cause] {
check: defaultCheck,
options: []options.ScannerOption{
rego.WithPolicyDirs("rules"),
- options.ScannerWithRegoOnly(true),
rego.WithPolicyNamespaces("user"),
},
},
diff --git a/pkg/iac/terraform/block.go b/pkg/iac/terraform/block.go
index 348f938d4559..a6cd6ab1bbc4 100644
--- a/pkg/iac/terraform/block.go
+++ b/pkg/iac/terraform/block.go
@@ -480,22 +480,12 @@ func (b *Block) FullName() string {
return b.LocalName()
}
-func (b *Block) ModuleName() string {
- name := strings.TrimPrefix(b.LocalName(), "module.")
- if b.moduleBlock != nil {
- module := strings.TrimPrefix(b.moduleBlock.FullName(), "module.")
- name = fmt.Sprintf(
- "%s.%s",
- module,
- name,
- )
- }
- var parts []string
- for _, part := range strings.Split(name, ".") {
- part = strings.Split(part, "[")[0]
- parts = append(parts, part)
+func (b *Block) ModuleKey() string {
+ name := b.Reference().NameLabel()
+ if b.moduleBlock == nil {
+ return name
}
- return strings.Join(parts, ".")
+ return fmt.Sprintf("%s.%s", b.moduleBlock.ModuleKey(), name)
}
func (b *Block) UniqueName() string {
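Review bot: The exported method `ModuleKey` replaces `ModuleName` without a doc comment, and the visible body no longer contains the loop that stripped the `[...]` index part from each name segment. A comment would state the new contract, for example `// ModuleKey returns the name labels of the enclosing module blocks and of this block, joined with dots, outermost first.` Whether `NameLabel()` already excludes the index is not visible in this hunk, so the comment should say that too.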
@@ -585,7 +575,7 @@ func (b *Block) Values() cty.Value {
if attribute.Name() == "for_each" {
continue
}
- values[attribute.Name()] = attribute.Value()
+ values[attribute.Name()] = attribute.NullableValue()
}
return cty.ObjectVal(postProcessValues(b, values))
}
@@ -643,7 +633,7 @@ func (b *Block) expandDynamic() ([]*Block, error) {
)
forEachVal.ForEachElement(func(key, val cty.Value) (stop bool) {
- if val.IsNull() {
+ if val.IsNull() || !val.IsKnown() {
return
}
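Review bot: The added `!val.IsKnown()` test in the `ForEachElement` callback skips unknown elements without leaving any trace. A `dynamic` block whose `for_each` element cannot be resolved is therefore not expanded here and, presumably, produces no findings. A short comment on the condition would record that this is deliberate, e.g. `// null or unknown elements cannot be expanded statically; skip them`. `expandDynamic` starts and ends outside the hunk.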
diff --git a/pkg/javadb/client.go b/pkg/javadb/client.go
index 835730109b02..1655c3bc1fdd 100644
--- a/pkg/javadb/client.go
+++ b/pkg/javadb/client.go
@@ -29,6 +29,9 @@ const (
var (
// GitHub Container Registry
DefaultGHCRRepository = fmt.Sprintf("%s:%d", "ghcr.io/aquasecurity/trivy-java-db", SchemaVersion)
+
+ // GCR mirrors
+ DefaultGCRRepository = fmt.Sprintf("%s:%d", "mirror.gcr.io/aquasec/trivy-java-db", SchemaVersion)
)
var updater *Updater
diff --git a/pkg/k8s/commands/run.go b/pkg/k8s/commands/run.go
index 6a20d04aee10..1650cfa1446f 100644
--- a/pkg/k8s/commands/run.go
+++ b/pkg/k8s/commands/run.go
@@ -86,6 +86,7 @@ func (r *runner) run(ctx context.Context, artifacts []*k8sArtifacts.Artifact) er
r.flagOpts.ScanOptions.Scanners = scanners
}
var rpt report.Report
+ log.Info("Scanning K8s...", log.String("K8s", r.cluster))
rpt, err = s.Scan(ctx, artifacts)
if err != nil {
return xerrors.Errorf("k8s scan error: %w", err)
diff --git a/pkg/k8s/report/report.go b/pkg/k8s/report/report.go
index 947d39de14b8..1f1c1ec50d93 100644
--- a/pkg/k8s/report/report.go
+++ b/pkg/k8s/report/report.go
@@ -280,7 +280,12 @@ func shouldAddToReport(scanners types.Scanners) bool {
}
func vulnerabilitiesOrSecretResource(resource Resource) bool {
- return len(resource.Results) > 0 && (len(resource.Results[0].Vulnerabilities) > 0 || len(resource.Results[0].Secrets) > 0)
+ for _, result := range resource.Results {
+ if len(result.Vulnerabilities) > 0 || len(resource.Results[0].Secrets) > 0 {
+ return true
+ }
+ }
+ return false
}
func misconfigsResource(resource Resource) bool {
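Review bot: The secrets half of the new condition in `vulnerabilitiesOrSecretResource` still reads `resource.Results[0].Secrets`, so only the first result is checked for secrets. A resource whose secrets sit in a later result, with no vulnerabilities anywhere, still returns false. The condition should use the loop variable on both sides: `if len(result.Vulnerabilities) > 0 || len(result.Secrets) > 0 {`. The fixture added in report_test.go (`deployOrionWithThirdVulns`) holds only vulnerabilities, so a companion case with a secret in a later result would pin this behaviour.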
diff --git a/pkg/k8s/report/report_test.go b/pkg/k8s/report/report_test.go
index 9ba663dc4783..61d382246cd0 100644
--- a/pkg/k8s/report/report_test.go
+++ b/pkg/k8s/report/report_test.go
@@ -118,6 +118,58 @@ var (
},
},
}
+ deployOrionWithThirdVulns = Resource{
+ Namespace: "default",
+ Kind: "Deploy",
+ Name: "orion",
+ Metadata: []types.Metadata{
+ {
+ ImageID: "123",
+ RepoTags: []string{
+ "alpine:3.14",
+ },
+ RepoDigests: []string{
+ "alpine:3.14@sha256:8fe1727132b2506c17ba0e1f6a6ed8a016bb1f5735e43b2738cd3fd1979b6260",
+ },
+ },
+ },
+ Results: types.Results{
+ {},
+ {},
+ {
+ Vulnerabilities: []types.DetectedVulnerability{
+ {
+ VulnerabilityID: "CVE-2022-1111",
+ Vulnerability: dbTypes.Vulnerability{Severity: "LOW"},
+ },
+ {
+ VulnerabilityID: "CVE-2022-2222",
+ Vulnerability: dbTypes.Vulnerability{Severity: "MEDIUM"},
+ },
+ {
+ VulnerabilityID: "CVE-2022-3333",
+ Vulnerability: dbTypes.Vulnerability{Severity: "HIGH"},
+ },
+ {
+ VulnerabilityID: "CVE-2022-4444",
+ Vulnerability: dbTypes.Vulnerability{Severity: "CRITICAL"},
+ },
+ {
+ VulnerabilityID: "CVE-2022-5555",
+ Vulnerability: dbTypes.Vulnerability{Severity: "UNKNOWN"},
+ },
+ {
+ VulnerabilityID: "CVE-2022-6666",
+ Vulnerability: dbTypes.Vulnerability{Severity: "CRITICAL"},
+ },
+ {
+ VulnerabilityID: "CVE-2022-7777",
+ Vulnerability: dbTypes.Vulnerability{Severity: "MEDIUM"},
+ },
+ },
+ },
+ },
+ }
orionDeployWithAnotherMisconfig = Resource{
Namespace: "default",
@@ -492,6 +544,17 @@ func TestReport_consolidate(t *testing.T) {
"default/cronjob/hello": cronjobHelloWithVulns,
},
},
+ {
+ name: "report with vulnerabilities in the third result",
+ report: Report{
+ Resources: []Resource{
+ deployOrionWithThirdVulns,
+ },
+ },
+ expectedFindings: map[string]Resource{
+ "default/deploy/orion": deployOrionWithThirdVulns,
+ },
+ },
{
name: "report with misconfigs in image and pod",
report: Report{
@@ -521,6 +584,11 @@ func TestReport_consolidate(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
consolidateReport := tt.report.consolidate()
+
+ if len(consolidateReport.Findings) != len(tt.expectedFindings) {
+ t.Errorf("expected %d findings, got %d", len(tt.expectedFindings), len(consolidateReport.Findings))
+ }
+
for _, f := range consolidateReport.Findings {
key := f.fullname()
diff --git a/pkg/k8s/scanner/scanner.go b/pkg/k8s/scanner/scanner.go
index 70debfe6a85f..0fdb48b9afe7 100644
--- a/pkg/k8s/scanner/scanner.go
+++ b/pkg/k8s/scanner/scanner.go
@@ -242,8 +242,9 @@ func (s *Scanner) scanK8sVulns(ctx context.Context, artifactsData []*artifacts.A
if err != nil {
return nil, err
}
+ cpcVersion := unifiedVersion(comp.Version)
- lang := k8sNamespace(comp.Version, nodeName)
+ lang := k8sNamespace(cpcVersion, nodeName)
results, _, err := k8sScanner.Scan(ctx, types.ScanTarget{
Applications: []ftypes.Application{
{
@@ -252,7 +253,7 @@ func (s *Scanner) scanK8sVulns(ctx context.Context, artifactsData []*artifacts.A
Packages: []ftypes.Package{
{
Name: comp.Name,
- Version: comp.Version,
+ Version: cpcVersion,
},
},
},
@@ -277,7 +278,7 @@ func (s *Scanner) scanK8sVulns(ctx context.Context, artifactsData []*artifacts.A
if err != nil {
return nil, err
}
- kubeletVersion := sanitizedVersion(nf.KubeletVersion)
+ kubeletVersion := unifiedVersion(nf.KubeletVersion)
lang := k8sNamespace(kubeletVersion, nodeName)
runtimeName, runtimeVersion := runtimeNameVersion(nf.ContainerRuntimeVersion)
results, _, err := k8sScanner.Scan(ctx, types.ScanTarget{
@@ -387,14 +388,15 @@ func (s *Scanner) clusterInfoToReportResources(allArtifact []*artifacts.Artifact
if err := ms.Decode(artifact.RawResource, &comp); err != nil {
return nil, err
}
+ cVersion := unifiedVersion(comp.Version)
controlPlane := &core.Component{
Name: comp.Name,
- Version: comp.Version,
+ Version: cVersion,
Type: core.TypeApplication,
Properties: toProperties(comp.Properties, k8sCoreComponentNamespace),
PkgIdentifier: ftypes.PkgIdentifier{
- PURL: generatePURL(comp.Name, comp.Version, nodeName),
+ PURL: generatePURL(comp.Name, cVersion, nodeName),
},
}
coreComponents = append(coreComponents, controlPlane)
@@ -405,7 +407,7 @@ func (s *Scanner) clusterInfoToReportResources(allArtifact []*artifacts.Artifact
if !strings.Contains(c.Digest, string(digest.SHA256)) {
cDigest = fmt.Sprintf("%s:%s", string(digest.SHA256), cDigest)
}
- ver := sanitizedVersion(c.Version)
+ ver := unifiedVersion(c.Version)
imagePURL, err := purl.New(purl.TypeOCI, types.Metadata{
RepoDigests: []string{
@@ -448,13 +450,15 @@ func (s *Scanner) clusterInfoToReportResources(allArtifact []*artifacts.Artifact
if err := ms.Decode(artifact.RawResource, &cf); err != nil {
return nil, err
}
+ cVersion := unifiedVersion(cf.Version)
+
rootComponent = &core.Component{
Type: core.TypePlatform,
Name: cf.Name,
- Version: cf.Version,
+ Version: cVersion,
Properties: toProperties(cf.Properties, k8sCoreComponentNamespace),
PkgIdentifier: ftypes.PkgIdentifier{
- PURL: generatePURL(cf.Name, cf.Version, nodeName),
+ PURL: generatePURL(cf.Name, cVersion, nodeName),
},
Root: true,
}
@@ -474,7 +478,7 @@ func (s *Scanner) clusterInfoToReportResources(allArtifact []*artifacts.Artifact
func (s *Scanner) nodeComponent(b *core.BOM, nf bom.NodeInfo) *core.Component {
osName, osVersion := osNameVersion(nf.OsImage)
runtimeName, runtimeVersion := runtimeNameVersion(nf.ContainerRuntimeVersion)
- kubeletVersion := sanitizedVersion(nf.KubeletVersion)
+ kubeletVersion := unifiedVersion(nf.KubeletVersion)
properties := toProperties(nf.Properties, "")
properties = append(properties, toProperties(map[string]string{
k8sComponentType: k8sComponentNode,
@@ -557,8 +561,11 @@ func (s *Scanner) nodeComponent(b *core.BOM, nf bom.NodeInfo) *core.Component {
return nodeComponent
}
-func sanitizedVersion(ver string) string {
- return strings.TrimPrefix(ver, "v")
+func unifiedVersion(ver string) string {
+ if strings.HasPrefix(ver, "v") || ver == "" {
+ return ver
+ }
+ return "v" + ver
}
func osNameVersion(name string) (string, string) {
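Review bot: `unifiedVersion` has no doc comment, and its name does not say that it now adds the `v` prefix that the removed `sanitizedVersion` used to strip. The other hunks of this file feed its result into component versions and PURLs, so the format deserves a line of documentation, e.g. `// unifiedVersion returns ver with a leading "v"; an empty or already prefixed version is returned unchanged.` Whether downstream version matching expects the prefixed form is not visible in this diff and is worth confirming.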
@@ -592,7 +599,7 @@ func runtimeNameVersion(name string) (string, string) {
case "cri-dockerd":
name = "github.com/Mirantis/cri-dockerd"
}
- return name, ver
+ return name, unifiedVersion(ver)
}
func toProperties(props map[string]string, namespace string) []core.Property {
diff --git a/pkg/k8s/scanner/scanner_test.go b/pkg/k8s/scanner/scanner_test.go
index 3de4f0429ef5..fcf1c5f10a11 100644
--- a/pkg/k8s/scanner/scanner_test.go
+++ b/pkg/k8s/scanner/scanner_test.go
@@ -87,7 +87,7 @@ func TestScanner_Scan(t *testing.T) {
{
Type: core.TypeApplication,
Name: "github.com/containerd/containerd",
- Version: "1.5.2",
+ Version: "v1.5.2",
Properties: []core.Property{
{
Name: k8sComponentName,
@@ -104,29 +104,29 @@ func TestScanner_Scan(t *testing.T) {
PURL: &packageurl.PackageURL{
Type: "golang",
Name: "github.com/containerd/containerd",
- Version: "1.5.2",
+ Version: "v1.5.2",
Qualifiers: packageurl.Qualifiers{},
},
- BOMRef: "pkg:golang/github.com%2Fcontainerd%2Fcontainerd@1.5.2",
+ BOMRef: "pkg:golang/github.com%2Fcontainerd%2Fcontainerd@v1.5.2",
},
},
{
Type: core.TypeApplication,
Name: "k8s.io/apiserver",
- Version: "1.21.1",
+ Version: "v1.21.1",
PkgIdentifier: ftypes.PkgIdentifier{
PURL: &packageurl.PackageURL{
Type: purl.TypeK8s,
Name: "k8s.io/apiserver",
- Version: "1.21.1",
+ Version: "v1.21.1",
},
- BOMRef: "pkg:k8s/k8s.io%2Fapiserver@1.21.1",
+ BOMRef: "pkg:k8s/k8s.io%2Fapiserver@v1.21.1",
},
},
{
Type: core.TypeApplication,
Name: "k8s.io/kubelet",
- Version: "1.21.1",
+ Version: "v1.21.1",
Properties: []core.Property{
{
Name: k8sComponentName,
@@ -143,9 +143,9 @@ func TestScanner_Scan(t *testing.T) {
PURL: &packageurl.PackageURL{
Type: "k8s",
Name: "k8s.io/kubelet",
- Version: "1.21.1",
+ Version: "v1.21.1",
},
- BOMRef: "pkg:k8s/k8s.io%2Fkubelet@1.21.1",
+ BOMRef: "pkg:k8s/k8s.io%2Fkubelet@v1.21.1",
},
},
{
@@ -176,7 +176,7 @@ func TestScanner_Scan(t *testing.T) {
Properties: []core.Property{
{
Name: core.PropertyPkgID,
- Value: "k8s.gcr.io/kube-apiserver:1.21.1",
+ Value: "k8s.gcr.io/kube-apiserver:v1.21.1",
},
{
Name: core.PropertyPkgType,
@@ -208,7 +208,7 @@ func TestScanner_Scan(t *testing.T) {
Type: core.TypePlatform,
Root: true,
Name: "k8s.io/kubernetes",
- Version: "1.21.1",
+ Version: "v1.21.1",
Properties: []core.Property{
{
Name: "Name",
@@ -225,9 +225,9 @@ func TestScanner_Scan(t *testing.T) {
PURL: &packageurl.PackageURL{
Type: purl.TypeK8s,
Name: "k8s.io/kubernetes",
- Version: "1.21.1",
+ Version: "v1.21.1",
},
- BOMRef: "pkg:k8s/k8s.io%2Fkubernetes@1.21.1",
+ BOMRef: "pkg:k8s/k8s.io%2Fkubernetes@v1.21.1",
},
},
{
@@ -464,19 +464,19 @@ func TestRuntimeVersion(t *testing.T) {
name: "containerd",
runtimeVersion: "containerd://1.5.2",
wantName: "github.com/containerd/containerd",
- wantVersion: "1.5.2",
+ wantVersion: "v1.5.2",
},
{
name: "cri-o",
runtimeVersion: "cri-o://1.5.2",
wantName: "github.com/cri-o/cri-o",
- wantVersion: "1.5.2",
+ wantVersion: "v1.5.2",
},
{
name: "cri-dockerd",
runtimeVersion: "cri-dockerd://1.5.2",
wantName: "github.com/Mirantis/cri-dockerd",
- wantVersion: "1.5.2",
+ wantVersion: "v1.5.2",
},
{
name: "na runtime",
diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go
index 1aa2a5cd5c16..184b26d3fe93 100644
--- a/pkg/misconf/scanner.go
+++ b/pkg/misconf/scanner.go
@@ -58,7 +58,6 @@ type DisabledCheck struct {
type ScannerOption struct {
Trace bool
- RegoOnly bool
Namespaces []string
PolicyPaths []string
DataPaths []string
@@ -227,7 +226,7 @@ func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerO
opts := []options.ScannerOption{
rego.WithEmbeddedPolicies(!opt.DisableEmbeddedPolicies),
rego.WithEmbeddedLibraries(!opt.DisableEmbeddedLibraries),
- options.ScannerWithIncludeDeprecatedChecks(opt.IncludeDeprecatedChecks),
+ rego.WithIncludeDeprecatedChecks(opt.IncludeDeprecatedChecks),
rego.WithDisabledCheckIDs(disabledCheckIDs...),
}
@@ -258,10 +257,6 @@ func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerO
opts = append(opts, rego.WithPerResultTracing(true))
}
- if opt.RegoOnly {
- opts = append(opts, options.ScannerWithRegoOnly(true))
- }
-
if len(policyPaths) > 0 {
opts = append(opts, rego.WithPolicyDirs(policyPaths...))
}
diff --git a/pkg/policy/policy.go b/pkg/policy/policy.go
index 670588868dcb..6b1d175e3115 100644
--- a/pkg/policy/policy.go
+++ b/pkg/policy/policy.go
@@ -19,7 +19,7 @@ import (
const (
BundleVersion = 1 // Latest released MAJOR version for trivy-checks
- BundleRepository = "ghcr.io/aquasecurity/trivy-checks"
+ BundleRepository = "mirror.gcr.io/aquasec/trivy-checks"
policyMediaType = "application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip"
updateInterval = 24 * time.Hour
)
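Review bot: `BundleRepository` now names only `mirror.gcr.io/aquasec/trivy-checks`, with no comment saying that it is a mirror or where the bundle originates. In pkg/javadb/client.go the same commit keeps the GHCR default and adds the mirror beside it, so the two defaults are handled differently. If a fallback to GHCR exists for the checks bundle, it is not visible in this hunk. Assuming the mirror tracks the GHCR repository, a comment such as `// Default checks bundle location (GCR mirror of ghcr.io/aquasecurity/trivy-checks)` would record the origin of the Rego checks the scanner loads.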
diff --git a/pkg/report/sarif.go b/pkg/report/sarif.go
index 3bc3344611e2..48578c70cea9 100644
--- a/pkg/report/sarif.go
+++ b/pkg/report/sarif.go
@@ -346,8 +346,44 @@ func ToPathUri(input string, resultClass types.ResultClass) string {
return clearURI(input)
}
+// clearURI clears URI for misconfigs
func clearURI(s string) string {
- return strings.ReplaceAll(strings.ReplaceAll(s, "\\", "/"), "git::https:/", "")
+ s = strings.ReplaceAll(s, "\\", "/")
+ // cf. https://developer.hashicorp.com/terraform/language/modules/sources
+ switch {
+ case strings.HasPrefix(s, "git@github.com:"):
+ // build GitHub url format
+ // e.g. `git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git?ref=v4.2.0/main.tf` -> `github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/v4.2.0/main.tf`
+ // cf. https://github.com/aquasecurity/trivy/issues/7897
+ s = strings.ReplaceAll(s, "git@github.com:", "github.com/")
+ s = strings.ReplaceAll(s, ".git", "")
+ s = strings.ReplaceAll(s, "?ref=", "/tree/")
+ case strings.HasPrefix(s, "git::https:/") && !strings.HasPrefix(s, "git::https://"):
+ s = strings.TrimPrefix(s, "git::https:/")
+ s = strings.ReplaceAll(s, ".git", "")
+ case strings.HasPrefix(s, "git::ssh://"):
+ // `"`git::ssh://username@example.com/storage.git` -> `example.com/storage.git`
+ if _, u, ok := strings.Cut(s, "@"); ok {
+ s = u
+ }
+ s = strings.ReplaceAll(s, ".git", "")
+ case strings.HasPrefix(s, "git::"):
+ // `git::https://example.com/vpc.git` -> `https://example.com/vpc`
+ s = strings.TrimPrefix(s, "git::")
+ s = strings.ReplaceAll(s, ".git", "")
+ case strings.HasPrefix(s, "hg::"):
+ // `hg::http://example.com/vpc.hg` -> `http://example.com/vpc`
+ s = strings.TrimPrefix(s, "hg::")
+ s = strings.ReplaceAll(s, ".hg", "")
+ case strings.HasPrefix(s, "s3::"):
+ // `s3::https://s3-eu-west-1.amazonaws.com/examplecorp-terraform-modules/vpc.zip` -> `https://s3-eu-west-1.amazonaws.com/examplecorp-terraform-modules/vpc.zip`
+ s = strings.TrimPrefix(s, "s3::")
+ case strings.HasPrefix(s, "gcs::"):
+ // `gcs::https://www.googleapis.com/storage/v1/modules/foomodule.zipp` -> `https://www.googleapis.com/storage/v1/modules/foomodule.zip`
+ s = strings.TrimPrefix(s, "gcs::")
+ }
+
+ return s
}
func toUri(str string) *url.URL {
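Review bot: The `strings.ReplaceAll(s, ".git", "")` calls in the `git@github.com:`, `git::https:/`, `git::ssh://` and `git::` branches of `clearURI` remove every `.git` in the string, not only the repository suffix. A module file under a `.github/` directory, or a host name containing `.git`, is therefore rewritten as well, and the same holds for `.hg` in the `hg::` branch. The result becomes the SARIF artifact URI, so a mangled path makes the finding point at a location that does not exist. Removing the extension only where it ends a path segment avoids this, as in the helper below. The cases in sarif_private_test.go have no input with `.git` outside the repository suffix, so one should be added.

```go
// trimRepoSuffix removes ext (".git", ".hg") only where it ends a path
// segment: before "/", before "?" or at the end of the string.
func trimRepoSuffix(s, ext string) string {
	for _, sep := range []string{"/", "?"} {
		s = strings.ReplaceAll(s, ext+sep, sep)
	}
	return strings.TrimSuffix(s, ext)
}

// … unchanged: prefix handling in each case of clearURI …
	s = trimRepoSuffix(s, ".git") // replaces strings.ReplaceAll(s, ".git", "")
```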
diff --git a/pkg/report/sarif_private_test.go b/pkg/report/sarif_private_test.go
new file mode 100644
index 000000000000..b9384599f7b0
--- /dev/null
+++ b/pkg/report/sarif_private_test.go
@@ -0,0 +1,59 @@
+package report
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/require"
+)
+
+func Test_clearURI(t *testing.T) {
+ test := []struct {
+ name string
+ uri string
+ want string
+ }{
+ {
+ name: "https",
+ uri: "bitbucket.org/hashicorp/terraform-consul-aws",
+ want: "bitbucket.org/hashicorp/terraform-consul-aws",
+ },
+ {
+ name: "github",
+ uri: "git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git?ref=v4.2.0/main.tf",
+ want: "github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/v4.2.0/main.tf",
+ },
+ {
+ name: "git",
+ uri: "git::https://example.com/storage.git?ref=51d462976d84fdea54b47d80dcabbf680badcdb8",
+ want: "https://example.com/storage?ref=51d462976d84fdea54b47d80dcabbf680badcdb8",
+ },
+ {
+ name: "git ssh",
+ uri: "git::ssh://username@example.com/storage.git",
+ want: "example.com/storage",
+ },
+ {
+ name: "hg",
+ uri: "hg::http://example.com/vpc.hg?ref=v1.2.0",
+ want: "http://example.com/vpc?ref=v1.2.0",
+ },
+ {
+ name: "s3",
+ uri: "s3::https://s3-eu-west-1.amazonaws.com/examplecorp-terraform-modules/vpc.zip",
+ want: "https://s3-eu-west-1.amazonaws.com/examplecorp-terraform-modules/vpc.zip",
+ },
+ {
+ name: "gcs",
+ uri: "gcs::https://www.googleapis.com/storage/v1/modules/foomodule.zip",
+ want: "https://www.googleapis.com/storage/v1/modules/foomodule.zip",
+ },
+ }
+
+ for _, tt := range test {
+ t.Run(tt.name, func(t *testing.T) {
+ got := clearURI(tt.uri)
+ require.Equal(t, tt.want, got)
+ require.NotNil(t, toUri(got))
+ })
+ }
+}
diff --git a/pkg/report/sarif_test.go b/pkg/report/sarif_test.go
index ce68fab06a8a..c3eebef5c254 100644
--- a/pkg/report/sarif_test.go
+++ b/pkg/report/sarif_test.go
@@ -588,6 +588,44 @@ func TestReportWriter_Sarif(t *testing.T) {
},
},
},
+ {
+ Target: "git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git?ref=v4.2.0/main.tf",
+ Class: types.ClassConfig,
+ Type: ftypes.Terraform,
+ Misconfigurations: []types.DetectedMisconfiguration{
+ {
+ Type: "Terraform Security Check",
+ ID: "AVD-GCP-0007",
+ AVDID: "AVD-GCP-0007",
+ Title: "Service accounts should not have roles assigned with excessive privileges",
+ Description: "Service accounts should have a minimal set of permissions assigned in order to do their job. They should never have excessive access as if compromised, an attacker can escalate privileges and take over the entire account.",
+ Message: "Service account is granted a privileged role.",
+ Query: "data..",
+ Resolution: "Limit service account access to minimal required set",
+ Severity: "HIGH",
+ PrimaryURL: "https://avd.aquasec.com/misconfig/avd-gcp-0007",
+ References: []string{
+ "https://cloud.google.com/iam/docs/understanding-roles",
+ "https://avd.aquasec.com/misconfig/avd-gcp-0007",
+ },
+ Status: "Fail",
+ CauseMetadata: ftypes.CauseMetadata{
+ StartLine: 91,
+ EndLine: 91,
+ Occurrences: []ftypes.Occurrence{
+ {
+ Resource: "google_project_iam_member.workload_identity_sa_bindings[\"roles/storage.admin\"]",
+ Filename: "git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git?ref=v4.2.0/main.tf",
+ Location: ftypes.Location{
+ StartLine: 87,
+ EndLine: 93,
+ },
+ },
+ },
+ },
+ },
+ },
+ },
},
},
want: &sarif.Report{
@@ -655,6 +693,32 @@ func TestReportWriter_Sarif(t *testing.T) {
},
},
},
+ {
+ RuleID: lo.ToPtr("AVD-GCP-0007"),
+ RuleIndex: lo.ToPtr(uint(0)),
+ Level: lo.ToPtr("error"),
+ Message: *sarif.NewTextMessage("Artifact: github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/v4.2.0/main.tf\nType: terraform\nVulnerability AVD-GCP-0007\nSeverity: HIGH\nMessage: Service account is granted a privileged role.\nLink: [AVD-GCP-0007](https://avd.aquasec.com/misconfig/avd-gcp-0007)"),
+ Locations: []*sarif.Location{
+ {
+ PhysicalLocation: sarif.NewPhysicalLocation().
+ WithArtifactLocation(
+ &sarif.ArtifactLocation{
+ URI: lo.ToPtr("github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/v4.2.0/main.tf"),
+ URIBaseId: lo.ToPtr("ROOTPATH"),
+ },
+ ).
+ WithRegion(
+ &sarif.Region{
+ StartLine: lo.ToPtr(91),
+ StartColumn: lo.ToPtr(1),
+ EndLine: lo.ToPtr(91),
+ EndColumn: lo.ToPtr(1),
+ },
+ ),
+ Message: sarif.NewTextMessage("github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/v4.2.0/main.tf"),
+ },
+ },
+ },
},
ColumnKind: "utf16CodeUnits",
OriginalUriBaseIDs: map[string]*sarif.ArtifactLocation{
diff --git a/pkg/result/ignore.go b/pkg/result/ignore.go
index dbd1cab83db9..4c17691f4e09 100644
--- a/pkg/result/ignore.go
+++ b/pkg/result/ignore.go
@@ -185,6 +185,7 @@ func ParseIgnoreFile(ctx context.Context, ignoreFile string) (IgnoreConfig, erro
var conf IgnoreConfig
if _, err := os.Stat(ignoreFile); errors.Is(err, fs.ErrNotExist) {
// .trivyignore doesn't necessarily exist
+ log.Debug("Specified ignore file does not exist", log.String("file", ignoreFile))
return IgnoreConfig{}, nil
} else if filepath.Ext(ignoreFile) == ".yml" || filepath.Ext(ignoreFile) == ".yaml" {
conf, err = parseIgnoreYAML(ignoreFile)
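Review bot: The added debug line records the path as `log.String("file", ignoreFile)`, while parseIgnoreYAML in the same file logs the same path with `log.FilePath(ignoreFile)`. Writing it as `log.Debug("Specified ignore file does not exist", log.FilePath(ignoreFile))` keeps one field key for anyone filtering logs by path. A missing ignore file means no suppressions are applied, which fails in the safe direction, but if the path was passed explicitly by the user (as the message wording suggests) a debug-level line is easy to miss. ParseIgnoreFile starts and ends outside this hunk, so how other `os.Stat` errors such as permission denied are handled cannot be judged from here.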
@@ -218,16 +219,17 @@ func ParseIgnoreFile(ctx context.Context, ignoreFile string) (IgnoreConfig, erro
func parseIgnoreYAML(ignoreFile string) (IgnoreConfig, error) {
// Read .trivyignore.yaml
- f, err := os.Open(ignoreFile)
+ b, err := os.ReadFile(ignoreFile)
if err != nil {
return IgnoreConfig{}, xerrors.Errorf("file open error: %w", err)
}
- defer f.Close()
log.Debug("Found an ignore yaml", log.FilePath(ignoreFile))
// Parse the YAML content
+ // We have to use Unmarshal() due to go-yaml returning an error with Decode()
+ // ref: https://github.com/go-yaml/yaml/issues/805
var ignoreConfig IgnoreConfig
- if err = yaml.NewDecoder(f).Decode(&ignoreConfig); err != nil {
+ if err = yaml.Unmarshal(b, &ignoreConfig); err != nil {
return IgnoreConfig{}, xerrors.Errorf("yaml decode error: %w", err)
}
return ignoreConfig, nil
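Review bot: The error wrapped after `os.ReadFile` still says `"file open error: %w"`, although the call now opens and reads the file in one step; `xerrors.Errorf("file read error: %w", err)` would describe the failure accurately. The new comment explains why Unmarshal is used but not which input triggers the Decode error. Judging by the test added in this commit that is presumably an empty file, and saying so (`// Decode() returns an error on an empty file, Unmarshal() does not`) tells the next maintainer when the workaround can go. The function's closing brace is outside the hunk.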
diff --git a/pkg/result/ignore_test.go b/pkg/result/ignore_test.go
new file mode 100644
index 000000000000..68248d7e17b1
--- /dev/null
+++ b/pkg/result/ignore_test.go
@@ -0,0 +1,72 @@
+package result
+
+import (
+ "context"
+ "os"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+func TestParseIgnoreFile(t *testing.T) {
+ t.Run("happy path valid config file", func(t *testing.T) {
+ got, err := ParseIgnoreFile(context.TODO(), "testdata/.trivyignore")
+ require.NoError(t, err)
+ assert.Equal(t, "testdata/.trivyignore", got.FilePath)
+
+ // IDs in .trivyignore are treated as IDs for all scanners
+ // as it is unclear which type of security issue they are
+ assert.Len(t, got.Vulnerabilities, 6)
+ assert.Len(t, got.Misconfigurations, 6)
+ assert.Len(t, got.Secrets, 6)
+ assert.Len(t, got.Licenses, 6)
+ })
+
+ t.Run("happy path valid YAML config file", func(t *testing.T) {
+ got, err := ParseIgnoreFile(context.TODO(), "testdata/.trivyignore.yaml")
+ require.NoError(t, err)
+ assert.Equal(t, "testdata/.trivyignore.yaml", got.FilePath)
+ assert.Len(t, got.Vulnerabilities, 5)
+ assert.Len(t, got.Misconfigurations, 3)
+ assert.Len(t, got.Secrets, 3)
+ assert.Len(t, got.Licenses, 1)
+ })
+
+ t.Run("empty YAML file passed", func(t *testing.T) {
+ f, err := os.CreateTemp("", "TestParseIgnoreFile-*.yaml")
+ require.NoError(t, err)
+ defer os.Remove(f.Name())
+
+ _, err = ParseIgnoreFile(context.TODO(), f.Name())
+ require.NoError(t, err)
+ })
+
+ t.Run("invalid YAML file passed", func(t *testing.T) {
+ f, err := os.CreateTemp("", "TestParseIgnoreFile-*.yaml")
+ require.NoError(t, err)
+ defer os.Remove(f.Name())
+ _, _ = f.WriteString("this file is not a yaml file")
+
+ got, err := ParseIgnoreFile(context.TODO(), f.Name())
+ assert.Contains(t, err.Error(), "yaml decode error")
+ assert.Empty(t, got)
+ })
+
+ t.Run("invalid file passed", func(t *testing.T) {
+ f, err := os.CreateTemp("", "TestParseIgnoreFile-*")
+ require.NoError(t, err)
+ defer os.Remove(f.Name())
+ _, _ = f.WriteString("this file is not a valid trivyignore file")
+
+ _, err = ParseIgnoreFile(context.TODO(), f.Name())
+ require.NoError(t, err) // TODO(simar7): We don't verify correctness, should we?
+ })
+
+ t.Run("non existing file passed", func(t *testing.T) {
+ got, err := ParseIgnoreFile(context.TODO(), "does-not-exist.yaml")
+ require.NoError(t, err)
+ assert.Empty(t, got)
+ })
+
+}
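Review bot: In the "invalid YAML file passed" subtest, `assert.Contains(t, err.Error(), "yaml decode error")` dereferences `err` without checking it, so a regression that lets the parse succeed would panic on a nil error instead of failing cleanly. `require.ErrorContains(t, err, "yaml decode error")` covers both conditions. The three subtests that call `os.CreateTemp` never close the returned file and discard the `WriteString` error; adding `require.NoError(t, f.Close())` after writing keeps them portable to platforms that refuse to remove an open file. The "invalid file passed" case pins the behaviour that arbitrary text in a plain ignore file is accepted without error, so the TODO there deserves a tracked follow-up, since a malformed entry would presumably just suppress nothing.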
diff --git a/pkg/rpc/convert.go b/pkg/rpc/convert.go
index 89097730111b..56429962a03f 100644
--- a/pkg/rpc/convert.go
+++ b/pkg/rpc/convert.go
@@ -71,6 +71,7 @@ func ConvertToRPCPkgs(pkgs []ftypes.Package) []*common.Package {
DependsOn: pkg.DependsOn,
Digest: pkg.Digest.String(),
Indirect: pkg.Indirect,
+ Maintainer: pkg.Maintainer,
})
}
return rpcPkgs
@@ -226,6 +227,7 @@ func ConvertFromRPCPkgs(rpcPkgs []*common.Package) []ftypes.Package {
DependsOn: pkg.DependsOn,
Digest: digest.Digest(pkg.Digest),
Indirect: pkg.Indirect,
+ Maintainer: pkg.Maintainer,
})
}
return pkgs
@@ -274,15 +276,17 @@ func ConvertToRPCVulns(vulns []types.DetectedVulnerability) []*common.Vulnerabil
cvssMap := make(map[string]*common.CVSS) // This is needed because protobuf generates a map[string]*CVSS type
for vendor, vendorSeverity := range vuln.CVSS {
cvssMap[string(vendor)] = &common.CVSS{
- V2Vector: vendorSeverity.V2Vector,
- V3Vector: vendorSeverity.V3Vector,
- V2Score: vendorSeverity.V2Score,
- V3Score: vendorSeverity.V3Score,
+ V2Vector: vendorSeverity.V2Vector,
+ V3Vector: vendorSeverity.V3Vector,
+ V40Vector: vendorSeverity.V40Vector,
+ V2Score: vendorSeverity.V2Score,
+ V3Score: vendorSeverity.V3Score,
+ V40Score: vendorSeverity.V40Score,
}
}
- vensorSeverityMap := make(map[string]common.Severity)
+ vendorSeverityMap := make(map[string]common.Severity)
for vendor, vendorSeverity := range vuln.VendorSeverity {
- vensorSeverityMap[string(vendor)] = common.Severity(vendorSeverity)
+ vendorSeverityMap[string(vendor)] = common.Severity(vendorSeverity)
}
var lastModifiedDate, publishedDate *timestamppb.Timestamp
@@ -315,7 +319,7 @@ func ConvertToRPCVulns(vulns []types.DetectedVulnerability) []*common.Vulnerabil
Title: vuln.Title,
Description: vuln.Description,
Severity: common.Severity(severity),
- VendorSeverity: vensorSeverityMap,
+ VendorSeverity: vendorSeverityMap,
References: vuln.References,
Layer: ConvertToRPCLayer(vuln.Layer),
Cvss: cvssMap,
@@ -569,15 +573,17 @@ func ConvertFromRPCVulns(rpcVulns []*common.Vulnerability) []types.DetectedVulne
cvssMap := make(dbTypes.VendorCVSS) // This is needed because protobuf generates a map[string]*CVSS type
for vendor, vendorSeverity := range vuln.Cvss {
cvssMap[dbTypes.SourceID(vendor)] = dbTypes.CVSS{
- V2Vector: vendorSeverity.V2Vector,
- V3Vector: vendorSeverity.V3Vector,
- V2Score: vendorSeverity.V2Score,
- V3Score: vendorSeverity.V3Score,
+ V2Vector: vendorSeverity.V2Vector,
+ V3Vector: vendorSeverity.V3Vector,
+ V40Vector: vendorSeverity.V40Vector,
+ V2Score: vendorSeverity.V2Score,
+ V3Score: vendorSeverity.V3Score,
+ V40Score: vendorSeverity.V40Score,
}
}
- vensorSeverityMap := make(dbTypes.VendorSeverity)
+ vendorSeverityMap := make(dbTypes.VendorSeverity)
for vendor, vendorSeverity := range vuln.VendorSeverity {
- vensorSeverityMap[dbTypes.SourceID(vendor)] = dbTypes.Severity(vendorSeverity)
+ vendorSeverityMap[dbTypes.SourceID(vendor)] = dbTypes.Severity(vendorSeverity)
}
var lastModifiedDate, publishedDate *time.Time
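Review bot: The new fields are read as `vendorSeverity.V40Vector` and `vendorSeverity.V40Score` on a value that the comment at the top of the hunk describes as coming from a `map[string]*CVSS`, so a nil map entry in a message received from an RPC peer would panic here, as it would on the existing V2/V3 lines. The generated accessors added in this commit are nil-safe, so `V40Vector: vendorSeverity.GetV40Vector(),` and `V40Score: vendorSeverity.GetV40Score(),` (with the matching getters for the other four fields) remove that risk. Whether the decoder can actually yield a nil value for a map entry is not visible from here, so treat this as defensive hardening for the server-side conversion path. The loop sits inside ConvertFromRPCVulns, whose body extends beyond the hunk.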
@@ -608,7 +614,7 @@ func ConvertFromRPCVulns(rpcVulns []*common.Vulnerability) []types.DetectedVulne
LastModifiedDate: lastModifiedDate,
PublishedDate: publishedDate,
Custom: vuln.CustomVulnData.AsInterface(),
- VendorSeverity: vensorSeverityMap,
+ VendorSeverity: vendorSeverityMap,
},
Layer: ConvertFromRPCLayer(vuln.Layer),
SeveritySource: dbTypes.SourceID(vuln.SeveritySource),
diff --git a/pkg/rpc/convert_test.go b/pkg/rpc/convert_test.go
index 6f90c3b5cc8e..039490d765eb 100644
--- a/pkg/rpc/convert_test.go
+++ b/pkg/rpc/convert_test.go
@@ -183,6 +183,78 @@ func TestConvertFromRpcPkgs(t *testing.T) {
},
},
},
+ {
+ args: args{
+ rpcPkgs: []*common.Package{
+ {
+ Name: "binary",
+ Version: "4.2+dfsg",
+ Release: "0.1+deb7u4",
+ Epoch: 0,
+ Arch: "amd64",
+ SrcName: "bash",
+ SrcVersion: "4.2+dfsg",
+ SrcRelease: "0.1+deb7u4",
+ SrcEpoch: 0,
+ Licenses: []string{"GPL-3.0"},
+ Locations: []*common.Location{
+ {
+ StartLine: 10,
+ EndLine: 20,
+ },
+ {
+ StartLine: 22,
+ EndLine: 32,
+ },
+ },
+ Layer: &common.Layer{
+ Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
+ DiffId: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
+ },
+ Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
+ Indirect: false,
+ Identifier: &common.PkgIdentifier{
+ Uid: "63f8bef824b960e3",
+ },
+ Maintainer: "alice@example.com",
+ },
+ },
+ },
+ want: []ftypes.Package{
+ {
+ Name: "binary",
+ Version: "4.2+dfsg",
+ Release: "0.1+deb7u4",
+ Epoch: 0,
+ Arch: "amd64",
+ SrcName: "bash",
+ SrcVersion: "4.2+dfsg",
+ SrcRelease: "0.1+deb7u4",
+ SrcEpoch: 0,
+ Licenses: []string{"GPL-3.0"},
+ Locations: []ftypes.Location{
+ {
+ StartLine: 10,
+ EndLine: 20,
+ },
+ {
+ StartLine: 22,
+ EndLine: 32,
+ },
+ },
+ Layer: ftypes.Layer{
+ Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
+ DiffID: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
+ },
+ Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
+ Indirect: false,
+ Identifier: ftypes.PkgIdentifier{
+ UID: "63f8bef824b960e3",
+ },
+ Maintainer: "alice@example.com",
+ },
+ },
+ },
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
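Review bot: The added table entry starts directly with `args:` and sets no `name`, yet the loop below runs each case through `t.Run(tt.name, ...)`, so this case gets an auto-generated subtest name and is hard to select or identify in failure output. Add a first field such as `name: "happy path with maintainer",`. The entry repeats a full package fixture to check a single new field; if an earlier case in the table (outside this hunk) already carries the same data, setting `Maintainer` there would give the same coverage with less duplication.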
@@ -227,6 +299,14 @@ func TestConvertToRpcVulns(t *testing.T) {
V2Score: 7.2,
V3Score: 7.8,
},
+ vulnerability.NVD: {
+ V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
+ V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+ V40Vector: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green",
+ V2Score: 7.2,
+ V3Score: 7.8,
+ V40Score: 8.7,
+ },
},
References: []string{"http://example.com"},
PublishedDate: &fixedPublishedDate,
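Review bot: Only the To-RPC direction gets a CVSS v4.0 fixture: this hunk and the next one (the `"nvd"` expected value) both belong to TestConvertToRpcVulns. The convert_test.go section of this diff has no hunk for the From-RPC vulnerability test, although ConvertFromRPCVulns gained the same `V40Vector`/`V40Score` mapping. A mirrored case on that side would catch a dropped or swapped field when decoding scores received over RPC. The fixture also pairs a local-attack-vector v3.1 string with a network-attack-vector v4.0 string, so a comment like `// vectors are arbitrary test values, not taken from one advisory` would keep readers from treating it as real data.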
@@ -263,6 +343,14 @@ func TestConvertToRpcVulns(t *testing.T) {
V2Score: 7.2,
V3Score: 7.8,
},
+ "nvd": {
+ V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
+ V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+ V40Vector: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green",
+ V2Score: 7.2,
+ V3Score: 7.8,
+ V40Score: 8.7,
+ },
},
References: []string{"http://example.com"},
Layer: &common.Layer{
diff --git a/pkg/vex/csaf.go b/pkg/vex/csaf.go
index 1f9c91fdd001..0c0f994db168 100644
--- a/pkg/vex/csaf.go
+++ b/pkg/vex/csaf.go
@@ -1,7 +1,7 @@
package vex
import (
- "github.com/csaf-poc/csaf_distribution/v3/csaf"
+ "github.com/gocsaf/csaf/v3/csaf"
"github.com/samber/lo"
"github.com/aquasecurity/trivy/pkg/log"
diff --git a/pkg/vex/document.go b/pkg/vex/document.go
index 7331bc26b93b..9dae8ec54732 100644
--- a/pkg/vex/document.go
+++ b/pkg/vex/document.go
@@ -5,7 +5,7 @@ import (
"io"
"os"
- "github.com/csaf-poc/csaf_distribution/v3/csaf"
+ "github.com/gocsaf/csaf/v3/csaf"
"github.com/hashicorp/go-multierror"
openvex "github.com/openvex/go-vex/pkg/vex"
"github.com/sirupsen/logrus"
diff --git a/pkg/vex/vex.go b/pkg/vex/vex.go
index e9ad15233b04..fa3f3151340e 100644
--- a/pkg/vex/vex.go
+++ b/pkg/vex/vex.go
@@ -177,9 +177,15 @@ func reachRoot(leaf *core.Component, components map[uuid.UUID]*core.Component, p
var dfs func(c *core.Component) bool
dfs = func(c *core.Component) bool {
// Call the function with the current component and the leaf component
- if notAffected(c, leaf) {
+ switch {
+ case notAffected(c, leaf):
return false
- } else if c.Root {
+ case c.Root:
+ return true
+ case len(parents[c.ID()]) == 0:
+ // Should never reach here as all components other than the root should have at least one parent.
+ // If it does, it means the component tree is not connected due to a bug in the SBOM generation.
+ // In this case, so as not to filter out all the vulnerabilities accidentally, return true for fail-safe.
return true
}
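Review bot: The new `case len(parents[c.ID()]) == 0:` branch returns true without leaving any trace, so a disconnected component graph, which the comment itself attributes to a bug in SBOM generation, goes unnoticed while VEX filtering for that component is effectively skipped. Failing towards reporting the vulnerability is the right direction, but the branch should log the event, for example `log.Debug("Component has no parents and is not the root; treating it as reachable")` with the component identified, assuming the package logger is available in this file. The comment could also state plainly that returning true keeps the finding in the report. The dfs closure continues past the end of the hunk.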
diff --git a/rpc/common/service.pb.go b/rpc/common/service.pb.go
index c8290cc52818..69f9aaaf7da9 100644
--- a/rpc/common/service.pb.go
+++ b/rpc/common/service.pb.go
@@ -465,6 +465,7 @@ type Package struct {
Digest string `protobuf:"bytes,16,opt,name=digest,proto3" json:"digest,omitempty"`
Dev bool `protobuf:"varint,17,opt,name=dev,proto3" json:"dev,omitempty"`
Indirect bool `protobuf:"varint,18,opt,name=indirect,proto3" json:"indirect,omitempty"`
+ Maintainer string `protobuf:"bytes,21,opt,name=maintainer,proto3" json:"maintainer,omitempty"`
}
func (x *Package) Reset() {
@@ -632,6 +633,13 @@ func (x *Package) GetIndirect() bool {
return false
}
+func (x *Package) GetMaintainer() string {
+ if x != nil {
+ return x.Maintainer
+ }
+ return ""
+}
+
type PkgIdentifier struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
@@ -1611,10 +1619,12 @@ type CVSS struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
- V2Vector string `protobuf:"bytes,1,opt,name=v2_vector,json=v2Vector,proto3" json:"v2_vector,omitempty"`
- V3Vector string `protobuf:"bytes,2,opt,name=v3_vector,json=v3Vector,proto3" json:"v3_vector,omitempty"`
- V2Score float64 `protobuf:"fixed64,3,opt,name=v2_score,json=v2Score,proto3" json:"v2_score,omitempty"`
- V3Score float64 `protobuf:"fixed64,4,opt,name=v3_score,json=v3Score,proto3" json:"v3_score,omitempty"`
+ V2Vector string `protobuf:"bytes,1,opt,name=v2_vector,json=v2Vector,proto3" json:"v2_vector,omitempty"`
+ V3Vector string `protobuf:"bytes,2,opt,name=v3_vector,json=v3Vector,proto3" json:"v3_vector,omitempty"`
+ V2Score float64 `protobuf:"fixed64,3,opt,name=v2_score,json=v2Score,proto3" json:"v2_score,omitempty"`
+ V3Score float64 `protobuf:"fixed64,4,opt,name=v3_score,json=v3Score,proto3" json:"v3_score,omitempty"`
+ V40Vector string `protobuf:"bytes,5,opt,name=v40_vector,json=v40Vector,proto3" json:"v40_vector,omitempty"`
+ V40Score float64 `protobuf:"fixed64,6,opt,name=v40_score,json=v40Score,proto3" json:"v40_score,omitempty"`
}
func (x *CVSS) Reset() {
@@ -1677,6 +1687,20 @@ func (x *CVSS) GetV3Score() float64 {
return 0
}
+func (x *CVSS) GetV40Vector() string {
+ if x != nil {
+ return x.V40Vector
+ }
+ return ""
+}
+
+func (x *CVSS) GetV40Score() float64 {
+ if x != nil {
+ return x.V40Score
+ }
+ return 0
+}
+
type CustomResource struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
@@ -2428,7 +2452,7 @@ var file_rpc_common_service_proto_rawDesc = []byte{
0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x31, 0x0a, 0x08, 0x70, 0x61, 0x63, 0x6b,
0x61, 0x67, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x74, 0x72, 0x69,
0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x50, 0x61, 0x63, 0x6b, 0x61, 0x67,
- 0x65, 0x52, 0x08, 0x70, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x73, 0x22, 0xc1, 0x04, 0x0a, 0x07,
+ 0x65, 0x52, 0x08, 0x70, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x73, 0x22, 0xe1, 0x04, 0x0a, 0x07,
0x50, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x0d, 0x20,
0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18,
0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x76,
@@ -2464,7 +2488,9 @@ var file_rpc_common_service_proto_rawDesc = []byte{
0x65, 0x73, 0x74, 0x18, 0x10, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73,
0x74, 0x12, 0x10, 0x0a, 0x03, 0x64, 0x65, 0x76, 0x18, 0x11, 0x20, 0x01, 0x28, 0x08, 0x52, 0x03,
0x64, 0x65, 0x76, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x18,
- 0x12, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x22,
+ 0x12, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x12,
+ 0x1e, 0x0a, 0x0a, 0x6d, 0x61, 0x69, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x18, 0x15, 0x20,
+ 0x01, 0x28, 0x09, 0x52, 0x0a, 0x6d, 0x61, 0x69, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x22,
0x4e, 0x0a, 0x0d, 0x50, 0x6b, 0x67, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72,
0x12, 0x12, 0x0a, 0x04, 0x70, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
0x70, 0x75, 0x72, 0x6c, 0x12, 0x17, 0x0a, 0x07, 0x62, 0x6f, 0x6d, 0x5f, 0x72, 0x65, 0x66, 0x18,
@@ -2655,131 +2681,135 @@ var file_rpc_common_service_proto_rawDesc = []byte{
0x65, 0x6e, 0x64, 0x4c, 0x69, 0x6e, 0x65, 0x12, 0x26, 0x0a, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x18,
0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f,
0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x43, 0x6f, 0x64, 0x65, 0x52, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x22,
- 0x76, 0x0a, 0x04, 0x43, 0x56, 0x53, 0x53, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x32, 0x5f, 0x76, 0x65,
- 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76, 0x32, 0x56, 0x65,
- 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x33, 0x5f, 0x76, 0x65, 0x63, 0x74, 0x6f,
- 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76, 0x33, 0x56, 0x65, 0x63, 0x74, 0x6f,
- 0x72, 0x12, 0x19, 0x0a, 0x08, 0x76, 0x32, 0x5f, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x03, 0x20,
- 0x01, 0x28, 0x01, 0x52, 0x07, 0x76, 0x32, 0x53, 0x63, 0x6f, 0x72, 0x65, 0x12, 0x19, 0x0a, 0x08,
- 0x76, 0x33, 0x5f, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x01, 0x52, 0x07,
- 0x76, 0x33, 0x53, 0x63, 0x6f, 0x72, 0x65, 0x22, 0x98, 0x01, 0x0a, 0x0e, 0x43, 0x75, 0x73, 0x74,
- 0x6f, 0x6d, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79,
- 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x1b,
- 0x0a, 0x09, 0x66, 0x69, 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28,
- 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x29, 0x0a, 0x05, 0x6c,
- 0x61, 0x79, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72, 0x69,
- 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x52,
- 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, 0x12, 0x2a, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x04,
- 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
- 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x04, 0x64, 0x61,
- 0x74, 0x61, 0x22, 0xf3, 0x01, 0x0a, 0x04, 0x4c, 0x69, 0x6e, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x6e,
- 0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x06, 0x6e, 0x75, 0x6d,
- 0x62, 0x65, 0x72, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x18, 0x02,
- 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x12, 0x19, 0x0a,
- 0x08, 0x69, 0x73, 0x5f, 0x63, 0x61, 0x75, 0x73, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52,
- 0x07, 0x69, 0x73, 0x43, 0x61, 0x75, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x6e, 0x6e, 0x6f,
- 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x6e,
- 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x72, 0x75, 0x6e,
- 0x63, 0x61, 0x74, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x74, 0x72, 0x75,
- 0x6e, 0x63, 0x61, 0x74, 0x65, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x68, 0x69, 0x67, 0x68, 0x6c, 0x69,
- 0x67, 0x68, 0x74, 0x65, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x68, 0x69, 0x67,
- 0x68, 0x6c, 0x69, 0x67, 0x68, 0x74, 0x65, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x66, 0x69, 0x72, 0x73,
- 0x74, 0x5f, 0x63, 0x61, 0x75, 0x73, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x66,
- 0x69, 0x72, 0x73, 0x74, 0x43, 0x61, 0x75, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x6c, 0x61, 0x73,
- 0x74, 0x5f, 0x63, 0x61, 0x75, 0x73, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x6c,
- 0x61, 0x73, 0x74, 0x43, 0x61, 0x75, 0x73, 0x65, 0x22, 0x30, 0x0a, 0x04, 0x43, 0x6f, 0x64, 0x65,
- 0x12, 0x28, 0x0a, 0x05, 0x6c, 0x69, 0x6e, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32,
- 0x12, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c,
- 0x69, 0x6e, 0x65, 0x52, 0x05, 0x6c, 0x69, 0x6e, 0x65, 0x73, 0x22, 0x9f, 0x02, 0x0a, 0x0d, 0x53,
- 0x65, 0x63, 0x72, 0x65, 0x74, 0x46, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x17, 0x0a, 0x07,
- 0x72, 0x75, 0x6c, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72,
- 0x75, 0x6c, 0x65, 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72,
- 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72,
- 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x18, 0x03, 0x20,
- 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x12, 0x14, 0x0a,
- 0x05, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x69,
- 0x74, 0x6c, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x74, 0x61, 0x72, 0x74, 0x5f, 0x6c, 0x69, 0x6e,
- 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x73, 0x74, 0x61, 0x72, 0x74, 0x4c, 0x69,
- 0x6e, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x5f, 0x6c, 0x69, 0x6e, 0x65, 0x18, 0x06,
- 0x20, 0x01, 0x28, 0x05, 0x52, 0x07, 0x65, 0x6e, 0x64, 0x4c, 0x69, 0x6e, 0x65, 0x12, 0x26, 0x0a,
- 0x04, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x74, 0x72,
- 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x43, 0x6f, 0x64, 0x65, 0x52,
- 0x04, 0x63, 0x6f, 0x64, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x08,
- 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x29, 0x0a, 0x05, 0x6c,
- 0x61, 0x79, 0x65, 0x72, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72, 0x69,
- 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x52,
- 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, 0x4a, 0x04, 0x08, 0x09, 0x10, 0x0a, 0x22, 0x5d, 0x0a, 0x06,
- 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x70, 0x61,
- 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x70, 0x61,
- 0x74, 0x68, 0x12, 0x37, 0x0a, 0x08, 0x66, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x02,
- 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d,
- 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x46, 0x69, 0x6e, 0x64, 0x69, 0x6e,
- 0x67, 0x52, 0x08, 0x66, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x73, 0x22, 0x99, 0x02, 0x0a, 0x0f,
- 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x65, 0x64, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x12,
- 0x32, 0x0a, 0x08, 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28,
- 0x0e, 0x32, 0x16, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e,
- 0x2e, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x52, 0x08, 0x73, 0x65, 0x76, 0x65, 0x72,
- 0x69, 0x74, 0x79, 0x12, 0x3e, 0x0a, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x18,
- 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f,
- 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x43, 0x61, 0x74, 0x65,
- 0x67, 0x6f, 0x72, 0x79, 0x2e, 0x45, 0x6e, 0x75, 0x6d, 0x52, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67,
- 0x6f, 0x72, 0x79, 0x12, 0x19, 0x0a, 0x08, 0x70, 0x6b, 0x67, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18,
- 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x6b, 0x67, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1b,
- 0x0a, 0x09, 0x66, 0x69, 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x04, 0x20, 0x01, 0x28,
- 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x12, 0x0a, 0x04, 0x6e,
- 0x61, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12,
- 0x1e, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x06, 0x20,
- 0x01, 0x28, 0x02, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64, 0x65, 0x6e, 0x63, 0x65, 0x12,
- 0x12, 0x0a, 0x04, 0x6c, 0x69, 0x6e, 0x6b, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6c,
- 0x69, 0x6e, 0x6b, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x65, 0x78, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28,
- 0x09, 0x52, 0x04, 0x74, 0x65, 0x78, 0x74, 0x22, 0xed, 0x01, 0x0a, 0x0b, 0x4c, 0x69, 0x63, 0x65,
- 0x6e, 0x73, 0x65, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x41, 0x0a, 0x0c, 0x6c, 0x69, 0x63, 0x65, 0x6e,
- 0x73, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1e, 0x2e,
- 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x69, 0x63,
- 0x65, 0x6e, 0x73, 0x65, 0x54, 0x79, 0x70, 0x65, 0x2e, 0x45, 0x6e, 0x75, 0x6d, 0x52, 0x0b, 0x6c,
- 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x66, 0x69,
- 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x66,
- 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x19, 0x0a, 0x08, 0x70, 0x6b, 0x67, 0x5f, 0x6e,
- 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x6b, 0x67, 0x4e, 0x61,
- 0x6d, 0x65, 0x12, 0x38, 0x0a, 0x08, 0x66, 0x69, 0x6e, 0x67, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x04,
- 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d,
- 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x46, 0x69, 0x6e, 0x64, 0x69,
- 0x6e, 0x67, 0x52, 0x08, 0x66, 0x69, 0x6e, 0x67, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x29, 0x0a, 0x05,
- 0x6c, 0x61, 0x79, 0x65, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72,
- 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72,
- 0x52, 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, 0x22, 0x98, 0x01, 0x0a, 0x0e, 0x4c, 0x69, 0x63, 0x65,
- 0x6e, 0x73, 0x65, 0x46, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x3e, 0x0a, 0x08, 0x63, 0x61,
- 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x74,
- 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x69, 0x63, 0x65,
- 0x6e, 0x73, 0x65, 0x43, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x2e, 0x45, 0x6e, 0x75, 0x6d,
- 0x52, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61,
- 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1e,
- 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x03, 0x20, 0x01,
- 0x28, 0x02, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x12,
- 0x0a, 0x04, 0x6c, 0x69, 0x6e, 0x6b, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6c, 0x69,
- 0x6e, 0x6b, 0x22, 0x95, 0x01, 0x0a, 0x0f, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x43, 0x61,
- 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x22, 0x81, 0x01, 0x0a, 0x04, 0x45, 0x6e, 0x75, 0x6d, 0x12,
- 0x0f, 0x0a, 0x0b, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00,
- 0x12, 0x0d, 0x0a, 0x09, 0x46, 0x4f, 0x52, 0x42, 0x49, 0x44, 0x44, 0x45, 0x4e, 0x10, 0x01, 0x12,
- 0x0e, 0x0a, 0x0a, 0x52, 0x45, 0x53, 0x54, 0x52, 0x49, 0x43, 0x54, 0x45, 0x44, 0x10, 0x02, 0x12,
- 0x0e, 0x0a, 0x0a, 0x52, 0x45, 0x43, 0x49, 0x50, 0x52, 0x4f, 0x43, 0x41, 0x4c, 0x10, 0x03, 0x12,
- 0x0a, 0x0a, 0x06, 0x4e, 0x4f, 0x54, 0x49, 0x43, 0x45, 0x10, 0x04, 0x12, 0x0e, 0x0a, 0x0a, 0x50,
- 0x45, 0x52, 0x4d, 0x49, 0x53, 0x53, 0x49, 0x56, 0x45, 0x10, 0x05, 0x12, 0x10, 0x0a, 0x0c, 0x55,
- 0x4e, 0x45, 0x4e, 0x43, 0x55, 0x4d, 0x42, 0x45, 0x52, 0x45, 0x44, 0x10, 0x06, 0x12, 0x0b, 0x0a,
- 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x07, 0x22, 0x4e, 0x0a, 0x0b, 0x4c, 0x69,
- 0x63, 0x65, 0x6e, 0x73, 0x65, 0x54, 0x79, 0x70, 0x65, 0x22, 0x3f, 0x0a, 0x04, 0x45, 0x6e, 0x75,
- 0x6d, 0x12, 0x0f, 0x0a, 0x0b, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44,
- 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x44, 0x50, 0x4b, 0x47, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06,
- 0x48, 0x45, 0x41, 0x44, 0x45, 0x52, 0x10, 0x02, 0x12, 0x10, 0x0a, 0x0c, 0x4c, 0x49, 0x43, 0x45,
- 0x4e, 0x53, 0x45, 0x5f, 0x46, 0x49, 0x4c, 0x45, 0x10, 0x03, 0x2a, 0x44, 0x0a, 0x08, 0x53, 0x65,
- 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57,
- 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x4c, 0x4f, 0x57, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06,
- 0x4d, 0x45, 0x44, 0x49, 0x55, 0x4d, 0x10, 0x02, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x49, 0x47, 0x48,
- 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, 0x43, 0x52, 0x49, 0x54, 0x49, 0x43, 0x41, 0x4c, 0x10, 0x04,
- 0x42, 0x31, 0x5a, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61,
- 0x71, 0x75, 0x61, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x69, 0x76,
- 0x79, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x3b, 0x63, 0x6f, 0x6d,
- 0x6d, 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ 0xb2, 0x01, 0x0a, 0x04, 0x43, 0x56, 0x53, 0x53, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x32, 0x5f, 0x76,
+ 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76, 0x32, 0x56,
+ 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x33, 0x5f, 0x76, 0x65, 0x63, 0x74,
+ 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76, 0x33, 0x56, 0x65, 0x63, 0x74,
+ 0x6f, 0x72, 0x12, 0x19, 0x0a, 0x08, 0x76, 0x32, 0x5f, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x03,
+ 0x20, 0x01, 0x28, 0x01, 0x52, 0x07, 0x76, 0x32, 0x53, 0x63, 0x6f, 0x72, 0x65, 0x12, 0x19, 0x0a,
+ 0x08, 0x76, 0x33, 0x5f, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x01, 0x52,
+ 0x07, 0x76, 0x33, 0x53, 0x63, 0x6f, 0x72, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x76, 0x34, 0x30, 0x5f,
+ 0x76, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x76, 0x34,
+ 0x30, 0x56, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x34, 0x30, 0x5f, 0x73,
+ 0x63, 0x6f, 0x72, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x01, 0x52, 0x08, 0x76, 0x34, 0x30, 0x53,
+ 0x63, 0x6f, 0x72, 0x65, 0x22, 0x98, 0x01, 0x0a, 0x0e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x52,
+ 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18,
+ 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x66,
+ 0x69, 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08,
+ 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x29, 0x0a, 0x05, 0x6c, 0x61, 0x79, 0x65,
+ 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e,
+ 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x52, 0x05, 0x6c, 0x61,
+ 0x79, 0x65, 0x72, 0x12, 0x2a, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x04, 0x20, 0x01, 0x28,
+ 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+ 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x22,
+ 0xf3, 0x01, 0x0a, 0x04, 0x4c, 0x69, 0x6e, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x6e, 0x75, 0x6d, 0x62,
+ 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x06, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72,
+ 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28,
+ 0x09, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x69, 0x73,
+ 0x5f, 0x63, 0x61, 0x75, 0x73, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x69, 0x73,
+ 0x43, 0x61, 0x75, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74,
+ 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x6e, 0x6e, 0x6f, 0x74,
+ 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x72, 0x75, 0x6e, 0x63, 0x61, 0x74,
+ 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x74, 0x72, 0x75, 0x6e, 0x63, 0x61,
+ 0x74, 0x65, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x68, 0x69, 0x67, 0x68, 0x6c, 0x69, 0x67, 0x68, 0x74,
+ 0x65, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x68, 0x69, 0x67, 0x68, 0x6c, 0x69,
+ 0x67, 0x68, 0x74, 0x65, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x66, 0x69, 0x72, 0x73, 0x74, 0x5f, 0x63,
+ 0x61, 0x75, 0x73, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x66, 0x69, 0x72, 0x73,
+ 0x74, 0x43, 0x61, 0x75, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x63,
+ 0x61, 0x75, 0x73, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x6c, 0x61, 0x73, 0x74,
+ 0x43, 0x61, 0x75, 0x73, 0x65, 0x22, 0x30, 0x0a, 0x04, 0x43, 0x6f, 0x64, 0x65, 0x12, 0x28, 0x0a,
+ 0x05, 0x6c, 0x69, 0x6e, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x74,
+ 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x69, 0x6e, 0x65,
+ 0x52, 0x05, 0x6c, 0x69, 0x6e, 0x65, 0x73, 0x22, 0x9f, 0x02, 0x0a, 0x0d, 0x53, 0x65, 0x63, 0x72,
+ 0x65, 0x74, 0x46, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x17, 0x0a, 0x07, 0x72, 0x75, 0x6c,
+ 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x75, 0x6c, 0x65,
+ 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x18, 0x02,
+ 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x12, 0x1a,
+ 0x0a, 0x08, 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
+ 0x52, 0x08, 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x69,
+ 0x74, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x69, 0x74, 0x6c, 0x65,
+ 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x74, 0x61, 0x72, 0x74, 0x5f, 0x6c, 0x69, 0x6e, 0x65, 0x18, 0x05,
+ 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x73, 0x74, 0x61, 0x72, 0x74, 0x4c, 0x69, 0x6e, 0x65, 0x12,
+ 0x19, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x5f, 0x6c, 0x69, 0x6e, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28,
+ 0x05, 0x52, 0x07, 0x65, 0x6e, 0x64, 0x4c, 0x69, 0x6e, 0x65, 0x12, 0x26, 0x0a, 0x04, 0x63, 0x6f,
+ 0x64, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79,
+ 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x43, 0x6f, 0x64, 0x65, 0x52, 0x04, 0x63, 0x6f,
+ 0x64, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x08, 0x20, 0x01, 0x28,
+ 0x09, 0x52, 0x05, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x29, 0x0a, 0x05, 0x6c, 0x61, 0x79, 0x65,
+ 0x72, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e,
+ 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x52, 0x05, 0x6c, 0x61,
+ 0x79, 0x65, 0x72, 0x4a, 0x04, 0x08, 0x09, 0x10, 0x0a, 0x22, 0x5d, 0x0a, 0x06, 0x53, 0x65, 0x63,
+ 0x72, 0x65, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x70, 0x61, 0x74, 0x68, 0x18,
+ 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x70, 0x61, 0x74, 0x68, 0x12,
+ 0x37, 0x0a, 0x08, 0x66, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28,
+ 0x0b, 0x32, 0x1b, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e,
+ 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x46, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x08,
+ 0x66, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x73, 0x22, 0x99, 0x02, 0x0a, 0x0f, 0x44, 0x65, 0x74,
+ 0x65, 0x63, 0x74, 0x65, 0x64, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x12, 0x32, 0x0a, 0x08,
+ 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16,
+ 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x65,
+ 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x52, 0x08, 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79,
+ 0x12, 0x3e, 0x0a, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x18, 0x02, 0x20, 0x01,
+ 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f,
+ 0x6e, 0x2e, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x43, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72,
+ 0x79, 0x2e, 0x45, 0x6e, 0x75, 0x6d, 0x52, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79,
+ 0x12, 0x19, 0x0a, 0x08, 0x70, 0x6b, 0x67, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01,
+ 0x28, 0x09, 0x52, 0x07, 0x70, 0x6b, 0x67, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x66,
+ 0x69, 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08,
+ 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65,
+ 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1e, 0x0a, 0x0a,
+ 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x02,
+ 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04,
+ 0x6c, 0x69, 0x6e, 0x6b, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6c, 0x69, 0x6e, 0x6b,
+ 0x12, 0x12, 0x0a, 0x04, 0x74, 0x65, 0x78, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
+ 0x74, 0x65, 0x78, 0x74, 0x22, 0xed, 0x01, 0x0a, 0x0b, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65,
+ 0x46, 0x69, 0x6c, 0x65, 0x12, 0x41, 0x0a, 0x0c, 0x6c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x5f,
+ 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1e, 0x2e, 0x74, 0x72, 0x69,
+ 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73,
+ 0x65, 0x54, 0x79, 0x70, 0x65, 0x2e, 0x45, 0x6e, 0x75, 0x6d, 0x52, 0x0b, 0x6c, 0x69, 0x63, 0x65,
+ 0x6e, 0x73, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x66, 0x69, 0x6c, 0x65, 0x5f,
+ 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65,
+ 0x50, 0x61, 0x74, 0x68, 0x12, 0x19, 0x0a, 0x08, 0x70, 0x6b, 0x67, 0x5f, 0x6e, 0x61, 0x6d, 0x65,
+ 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x6b, 0x67, 0x4e, 0x61, 0x6d, 0x65, 0x12,
+ 0x38, 0x0a, 0x08, 0x66, 0x69, 0x6e, 0x67, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28,
+ 0x0b, 0x32, 0x1c, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e,
+ 0x2e, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x46, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x52,
+ 0x08, 0x66, 0x69, 0x6e, 0x67, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x29, 0x0a, 0x05, 0x6c, 0x61, 0x79,
+ 0x65, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79,
+ 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x52, 0x05, 0x6c,
+ 0x61, 0x79, 0x65, 0x72, 0x22, 0x98, 0x01, 0x0a, 0x0e, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65,
+ 0x46, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x3e, 0x0a, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67,
+ 0x6f, 0x72, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x74, 0x72, 0x69, 0x76,
+ 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65,
+ 0x43, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x2e, 0x45, 0x6e, 0x75, 0x6d, 0x52, 0x08, 0x63,
+ 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18,
+ 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x63,
+ 0x6f, 0x6e, 0x66, 0x69, 0x64, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x02, 0x52,
+ 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6c,
+ 0x69, 0x6e, 0x6b, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6c, 0x69, 0x6e, 0x6b, 0x22,
+ 0x95, 0x01, 0x0a, 0x0f, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x43, 0x61, 0x74, 0x65, 0x67,
+ 0x6f, 0x72, 0x79, 0x22, 0x81, 0x01, 0x0a, 0x04, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x0f, 0x0a, 0x0b,
+ 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0d, 0x0a,
+ 0x09, 0x46, 0x4f, 0x52, 0x42, 0x49, 0x44, 0x44, 0x45, 0x4e, 0x10, 0x01, 0x12, 0x0e, 0x0a, 0x0a,
+ 0x52, 0x45, 0x53, 0x54, 0x52, 0x49, 0x43, 0x54, 0x45, 0x44, 0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a,
+ 0x52, 0x45, 0x43, 0x49, 0x50, 0x52, 0x4f, 0x43, 0x41, 0x4c, 0x10, 0x03, 0x12, 0x0a, 0x0a, 0x06,
+ 0x4e, 0x4f, 0x54, 0x49, 0x43, 0x45, 0x10, 0x04, 0x12, 0x0e, 0x0a, 0x0a, 0x50, 0x45, 0x52, 0x4d,
+ 0x49, 0x53, 0x53, 0x49, 0x56, 0x45, 0x10, 0x05, 0x12, 0x10, 0x0a, 0x0c, 0x55, 0x4e, 0x45, 0x4e,
+ 0x43, 0x55, 0x4d, 0x42, 0x45, 0x52, 0x45, 0x44, 0x10, 0x06, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e,
+ 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x07, 0x22, 0x4e, 0x0a, 0x0b, 0x4c, 0x69, 0x63, 0x65, 0x6e,
+ 0x73, 0x65, 0x54, 0x79, 0x70, 0x65, 0x22, 0x3f, 0x0a, 0x04, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x0f,
+ 0x0a, 0x0b, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12,
+ 0x08, 0x0a, 0x04, 0x44, 0x50, 0x4b, 0x47, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x48, 0x45, 0x41,
+ 0x44, 0x45, 0x52, 0x10, 0x02, 0x12, 0x10, 0x0a, 0x0c, 0x4c, 0x49, 0x43, 0x45, 0x4e, 0x53, 0x45,
+ 0x5f, 0x46, 0x49, 0x4c, 0x45, 0x10, 0x03, 0x2a, 0x44, 0x0a, 0x08, 0x53, 0x65, 0x76, 0x65, 0x72,
+ 0x69, 0x74, 0x79, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00,
+ 0x12, 0x07, 0x0a, 0x03, 0x4c, 0x4f, 0x57, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x4d, 0x45, 0x44,
+ 0x49, 0x55, 0x4d, 0x10, 0x02, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x49, 0x47, 0x48, 0x10, 0x03, 0x12,
+ 0x0c, 0x0a, 0x08, 0x43, 0x52, 0x49, 0x54, 0x49, 0x43, 0x41, 0x4c, 0x10, 0x04, 0x42, 0x31, 0x5a,
+ 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x71, 0x75, 0x61,
+ 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2f, 0x72,
+ 0x70, 0x63, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x3b, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e,
+ 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
diff --git a/rpc/common/service.proto b/rpc/common/service.proto
index e989738c285b..f9ab77df4e47 100644
--- a/rpc/common/service.proto
+++ b/rpc/common/service.proto
@@ -54,6 +54,7 @@ message Package {
string digest = 16;
bool dev = 17;
bool indirect = 18;
+ string maintainer = 21;
}
message PkgIdentifier {
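Review bot: The new `maintainer` field in `Package` has no comment saying where the value comes from or what format it takes. It presumably carries a free-form string copied from the scanned package's own metadata, so clients that render or log it should treat it as untrusted text; this is inferred from the name and should be confirmed against the code that fills it. I would add a line above the field such as `// maintainer as declared in the package metadata; free-form and not validated`. The body of `Package` starts outside this hunk, so any neighbouring field comments it should match are not visible here.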
@@ -68,11 +69,11 @@ message Location {
}
message Misconfiguration {
- string file_type = 1;
- string file_path = 2;
- repeated MisconfResult successes = 3;
- repeated MisconfResult warnings = 4;
- repeated MisconfResult failures = 5;
+ string file_type = 1;
+ string file_path = 2;
+ repeated MisconfResult successes = 3;
+ repeated MisconfResult warnings = 4;
+ repeated MisconfResult failures = 5;
reserved 6; // deprecated 'exceptions'
}
@@ -176,6 +177,8 @@ message CVSS {
string v3_vector = 2;
double v2_score = 3;
double v3_score = 4;
+ string v40_vector = 5;
+ double v40_score = 6;
}
message CustomResource {
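Review bot: The added `v40_score` is a plain `double`, and the file appears to be proto3, so a vulnerability without a CVSS v4.0 score reaches the client as 0.0 and cannot be told apart from a real score of 0.0. A consumer that sorts or gates on the score could then read "not scored" as "lowest severity". The existing `v2_score` and `v3_score` fields share this property, so the simplest step is to document the contract with a comment above the new pair, for example `// CVSS v4.0; v40_score is only meaningful when v40_vector is non-empty`. The same comment would also explain why the prefix is `v40_` rather than `v4_`, next to `v2_` and `v3_`. The `CVSS` message starts outside this hunk.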