v0.20.0 (#1279)
aqua-bot announced in Announcements
💔 BREAKING CHANGES 💔
Migrate to new JSON schema of scan results
The old JSON schema is no longer generated from v0.20.0. Please migrate to the new JSON schema. See #1050 for the details.
Remove deprecated options
The following options cannot be used anymore.
-only-update
-refresh
-auto-refresh
🚀 What's new? 🚀
🥔 Add "rootfs" subcommand 🧅
The fs subcommand currently has two main targets. Trivy introduced individual package scanning, such as gemspec and egg/wheel. It should be enabled for rootfs scanning but disabled for scanning local projects. In the end, we decided to split the fs subcommand into two subcommands, fs and rootfs. See the following documents for details on the fs subcommand and the rootfs subcommand.
NOTE: Please migrate from fs to rootfs if you embed Trivy into a Dockerfile or scan an unpacked container image filesystem.
🥚 Support egg and wheel packages (Python) ⚙️
Trivy used to look for Pipfile.lock and poetry.lock for Python scanning in container images, but it has migrated to egg and wheel packages. Pipfile.lock and poetry.lock in container images will no longer be detected. Trivy detects the actually installed Python packages through egg and wheel metadata, so even if the image doesn't have those lock files, Trivy can detect the installed packages accurately, as in the following example. This brings better Python detection. On the other hand, fs mode disables egg and wheel scanning and enables lock file scanning. See here for the details: https://aquasecurity.github.io/trivy/v0.20.0/vulnerability/detection/language/
💎 Support gemspec (Ruby) 💍
This is the same change as Python. Trivy used to look for Gemfile.lock for Ruby scanning in container images. Trivy migrated to *.gemspec scanning. Gemfile.lock in container images will no longer be detected, but Trivy detects installed gems in container images more accurately. On the other hand, fs mode disables gemspec scanning and enables Gemfile.lock scanning. See here for the details: https://aquasecurity.github.io/trivy/v0.20.0/vulnerability/detection/language/
🟢 Support package.json 🟩
This is the same change as Python. Trivy used to look for package-lock.json for Node.js scanning in container images. Trivy migrated to package.json scanning. package-lock.json in container images will no longer be detected, but Trivy detects installed Node packages in container images more accurately. On the other hand, fs mode disables package.json scanning and enables package-lock.json scanning. See here for the details: https://aquasecurity.github.io/trivy/v0.20.0/vulnerability/detection/language/
🍣 Support requirements.txt (Python) 🍤
Trivy scans requirements.txt for Python. Note that only the == specifier is supported at the moment; other specifiers such as >= are not supported. In the following example, Flask will be scanned, while MarkupSafe will not be scanned.
🍩 Support packages.config (.NET) 🎯
Trivy scans packages.config for NuGet.
💳 Add License into the report
Trivy shows the license information of each package in the JSON report. Alpine and RHEL-based distributions are supported. Debian and Ubuntu are not supported at the moment. Python, Ruby and Node.js are also supported.
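The == rule for requirements.txt stated above, as an added illustration that is not Trivy's own parser: a small Python function that reports which lines of a constructed requirements file would be scanned and which would be skipped, including the === arbitrary-equality case that a naive prefix check would mistake for ==.

```python
"""Which requirements.txt lines a '==-only' scanner (as v0.20.0 describes) picks up.
Added illustration, not Trivy's parser; the sample file is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample: only the exact '==' pins are scanned.
REQUIREMENTS = """\
# web stack
Flask==2.0.1
Jinja2 == 3.0.1            # spaces around the operator are allowed
MarkupSafe>=2.0            # range specifier: not supported, so not scanned
requests~=2.25.0           # compatible-release specifier: not scanned
itsdangerous===2.0.1       # arbitrary equality is not '==': not scanned
click[extra]==8.0.1 ; python_version >= "3.6"
-r other.txt
"""

# Project name, optional extras, then exactly two '=' (a third would make '===').
_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==(?!=)\s*([^\s;#]+)")

def split_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({name: pinned version} that would be scanned, [lines that would not])."""
    scanned: Dict[str, str] = {}
    skipped: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and whitespace
        if not line or line.startswith("-"):   # blank line or an option such as -r
            continue
        m = _PIN.match(line)
        if m:
            scanned[m.group(1)] = m.group(3)
        else:
            skipped.append(line)
    return scanned, skipped
```

The skipped list is the part of your dependency set this release cannot report on, so it is worth surfacing alongside the scan result.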
Improve --skip-files and --skip-dirs 🏂
--skip-files and --skip-dirs used to affect only vulnerability detection; package analysis was performed regardless of these options. These options have been improved, and the analysis can now be skipped.
Before: even though you specify --skip-dirs, Trivy tries to look into the directory.
After: the specified directories are actually skipped.
Disable library analyzer for OS only scan type
Language-specific analyzers will not be executed when you specify --vuln-type os. Thanks, @fawind
Aggregate JAR/WAR/EAR results in the table ☕
All JAR files are aggregated into a single table. You can see the JAR path with -f json.
Add image config
Add ImageConfig under Metadata.
Add end of service life field to OS metadata
You will find the EOSL field under Metadata.OS.
Support Debian versions that reached EOL
Trivy used not to support Debian EOL versions. They are supported now.
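As an added example, not code from Trivy, here is Python that reads the fields this release adds to the JSON report (Metadata.OS.EOSL, Metadata.ImageConfig, the License per package, the per-JAR path that the aggregated table hides) from a constructed report and turns them into pipeline gate reasons. The exact key names (Class, FilePath) are assumptions to verify against a real trivy -f json report.

```python
"""Walk a Trivy v0.20.0-style JSON report. Added example, not Trivy code; the
report is constructed and field names are assumptions to check against real output."""
import json
from typing import Dict, List, Set
# Constructed sample in the assumed new-schema layout: Metadata.OS.EOSL,
# Metadata.ImageConfig, a License per package and a path per JAR package.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/app:1.0",
    "Metadata": {
        "OS": {"Family": "debian", "Name": "8.11", "EOSL": True},
        "ImageConfig": {"architecture": "amd64", "os": "linux"},
    },
    "Results": [
        {"Target": "registry.example/app:1.0 (debian 8.11)", "Class": "os-pkgs",
         "Type": "debian", "Packages": [
             {"Name": "openssl", "Version": "1.0.1t-1+deb8u12", "License": "OpenSSL"}]},
        {"Target": "Java", "Class": "lang-pkgs", "Type": "jar", "Packages": [
            {"Name": "org.example:lib", "Version": "1.2.3", "License": "Apache-2.0",
             "FilePath": "app/lib/lib-1.2.3.jar"},
            {"Name": "org.example:util", "Version": "0.9", "License": "GPL-3.0",
             "FilePath": "app/lib/util-0.9.jar"}]},
    ],
})

def os_is_eosl(report: dict) -> bool:
    """True when Metadata.OS.EOSL is set: the base OS no longer receives fixes."""
    return bool(report.get("Metadata", {}).get("OS", {}).get("EOSL", False))

def package_licenses(report: dict) -> Dict[str, str]:
    """Map 'name@version' to its License across every result."""
    return {f"{p['Name']}@{p['Version']}": p.get("License", "")
            for r in report.get("Results", []) for p in r.get("Packages", [])}

def jar_paths(report: dict) -> List[str]:
    """Per-JAR paths, which the aggregated table output no longer shows."""
    return [p["FilePath"] for r in report.get("Results", []) if r.get("Type") == "jar"
            for p in r.get("Packages", []) if "FilePath" in p]

def gate(report: dict, denied: Set[str]) -> List[str]:
    """Reasons to fail a pipeline step: EOL base OS or a package under a denied license."""
    reasons = []
    if os_is_eosl(report):
        os_ = report["Metadata"]["OS"]
        reasons.append(f"base OS {os_['Family']} {os_['Name']} is end of service life")
    reasons += [f"{pkg} is licensed {lic}"
                for pkg, lic in package_licenses(report).items() if lic in denied]
    return reasons

REPORT = json.loads(SAMPLE_REPORT)
```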
🐞 Bug fixes 🐛
fix(oracle): use binary package name (#1203)
fix(plugin): resolve a closure (#1207)
fix(oracle): handle advisories contain ksplice versions (#1209)
fix(go/binary): improve debug messages (#1244)
fix: brew test command (#1253)
fix(gobinary): skip large files (#1259)
fix(scan/config): incompatible YAML with JSON (#1272)
Changelog
f12446d feat(report): add package path (#1274)
1c9ccb5 feat(command): add rootfs command (#1271)
a463e79 fix: update fanal (#1272)
e0ca5ef feat(commands): remove deprecated options (#1270)
1ebb329 Aggregate jar result for table (#1269)
b37f682 BREAKING(report): migrate to new json schema (#1265)
da90510 feat: improve --skip-dirs and --skip-files (#1249)
bd57b4f fix(gobinary): skip large files (#1259)
9027dc3 Disable library analyzer for OS only scan type (#1191)
5750cc2 chore: update trivy version (#1252)
bbcce9f refactor: move from io/ioutil to io and os package (#1245)
6bcb4af fix: brew test command (#1253)
8d13234 fix:added layer info in packages (#1248)
982f35b fix(go/binary): improve debug messages (#1244)
2e170cd Update db.go (#1199)
cc6c67d fix(deps): fix CVE-2021-32760 for github.com/containerd/containerd (#1243)
669fd1f feat(debian): support the versions that reached EOL (#1237)
8cd7de2 feat(alpine): support unfixed vulnerabilities (#1235)
3bf3a46 feat(report): add image config (#1231)
8edcc62 feat(nodejs): support package.json (#1225)
31c45ff refactor: use testing DB instead of mock (#1234)
d8cc8b5 feat(ruby): support gemspec (#1224)
dbc7a83 feat(python): add packaging detector and respective hook (#1223)
19c0b70 feat(license): Added support to new License field of go-dep-parser's library (#1167)
9d61777 fix(oracle): handle advisories contain ksplice versions (#1209)
5d57dea fix(docs): remove OSVDB advisories (#1215)
b595559 docs: fix typos in CONTRIBUTING.md (#1181)
b1410b2 Update EOL of Debian 11 (#1180)
0e777d3 fix(plugin): resolve a closure (#1207)
b6d9c30 docs: fix typo (#1206)
5160a2e fix(detector): change an argument for trivy-db getter (#1203)
40ed227 chore(mod): update fanal (#1179)
2a4400c Add license info to package data (#1176)
82eb630 feat(nuget): support packages.config (#1095)
4a8db20 feat(python): add support for requirements.txt (#1169)
8db9b6a GitLab CI integration documentation (#1168)
c159501 chore(gorelease) change goreleaser config to include template examples (#1138)
76e63d1 chore(deps): bump dmnemec/copy_file_to_another_repo_action (#1153)
79b6684 chore(deps): bump actions/stale from 3 to 4 (#1152)
214fe82 feat(report): add end of service life flag to OS metadata (#1142)
c489e31 chore: set up Dependabot for github-actions and docker (#1128)
efd812c docs: fix typo (#1149)
3a920dc docs: add some external links (#1147)
7cb1598 chore (release): add ubuntu esm versions to deploy script (#1151)
6a88002 docs(troubleshooting) add urls which are required to download vuls db (#1137)
Docker images
docker pull aquasec/trivy:0.20.0
docker pull ghcr.io/aquasecurity/trivy:0.20.0
docker pull public.ecr.aws/aquasecurity/trivy:0.20.0
docker pull aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:latest
docker pull public.ecr.aws/aquasecurity/trivy:latest
This discussion was created from the release v0.20.0.