v0.54.0

[aqua-bot]

📑 Table of Contents

• 🛫 Deprecation notice 🌆
  • 🐹 --vuln-type flag renamed into --pkg-types ✅
• 🚀 What's new? 🚀
  • 🕸️ VEX Hub Support 📡
  • 📄 VEX Attestations from OCI Registries 🌐
  • 📦 Package Relationships Filter 🔄
  • 🦎 Support for Tumbleweed OpenSUSE ✨
  • 🖥️ Support for Azure Linux 3.0 🦋
  • 📋 License Detection for pnpm-lock.yaml files 📜
  • 🔓 Vulnerability support for SPDX formats 📕
  • 🔖 Image labels in CycloneDX and SPDX formats 🏷️
  • 🪭 Private image scanning in the Azure China ☁️
• 👷‍♂️ Notable Fixes 🛠️

🛫 Deprecation notice 🌆

🐹 --vuln-type flag renamed to --pkg-types ✅

--vuln-type flag was added in one of the first versions of Trivy when Trivy was only a vulnerability scanner.
Over time, the main use cases became centered around SBOM and Packages, and so the purpose of this flag became more about package filtering. To reflect that, we are renaming --vuln-type flag to --pkg-types flag.
--vuln-type flag is now marked as deprecated and will be removed over time.

➜ trivy -d image --pkg-types os,library aquasec/trivy
...
2024-07-29T14:35:02+06:00       DEBUG   Package types   types=[os library]
...
aquasec/trivy (alpine 3.20.0)

Total: 12 (UNKNOWN: 0, LOW: 0, MEDIUM: 12, HIGH: 0, CRITICAL: 0)

usr/local/bin/trivy (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

➜ trivy -d image --pkg-types os aquasec/trivy 
...
2024-07-29T14:35:31+06:00       DEBUG   Package types   types=[os]

aquasec/trivy (alpine 3.20.0)

Total: 12 (UNKNOWN: 0, LOW: 0, MEDIUM: 12, HIGH: 0, CRITICAL: 0)

🚀 What's new? 🚀

🕸️ VEX Hub Support 📡

This update introduces VEX Hub integration into Trivy using the --vex repo flag. Trivy can now automatically discover and apply VEX data during vulnerability scans, leveraging community-maintained VEX information to filter out non-exploitable vulnerabilities. This greatly helps to reduce noise in vulnerability scan results.

$ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex repo --show-suppressed

--vex repo creates the default configuration file in the first run. While the default config refers to VEX Hub, you can also use other VEX Repositories complying with VEX Repository Specification.

See here for more details.

For OSS maintainers: please consider publishing VEX.

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

📄 VEX Attestations from OCI Registries 🌐

Trivy can now automatically retrieve and apply VEX (Vulnerability Exploitability eXchange) attestations from OCI registries during container image vulnerability scans using the --vex oci flag. This feature leverages VEX data to filter out non-exploitable vulnerabilities more effectively.

$ trivy image --vex oci ghcr.io/aquasecurity/trivy:0.50.0 --show-suppressed

See here for more details.

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

📦 Package Relationships Filter 🔄

This update introduces the --pkg-relationships flag, allowing users to filter vulnerabilities by package relationships. This flag provides more refined vulnerability reporting by focusing on direct or indirect dependencies.

$ trivy repo --scanners vuln --pkg-relationships direct ./go.mod

Note: The --pkg-relationships flag cannot be used with --dependency-tree, --vex, or SBOM formats (spdx, spdx-json, cyclonedx, github).

Read more here.

🦎 Support for Tumbleweed OpenSUSE ✨

Trivy now supports package and vulnerability detection for Tumbleweed OpenSUSEю

➜ trivy image registry.opensuse.org/opensuse/bci/bci-init:latest
2024-07-03T16:48:59+02:00       INFO    Vulnerability scanning is enabled
2024-07-03T16:48:59+02:00       INFO    Secret scanning is enabled
2024-07-03T16:48:59+02:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-03T16:48:59+02:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret#recommendation for faster secret detection
2024-07-03T16:49:01+02:00       INFO    Detected OS     family="opensuse.tumbleweed" version="20240607"
2024-07-03T16:49:01+02:00       INFO    [opensuse.tumbleweed] Detecting vulnerabilities...      os_version="20240607" pkg_num=149
2024-07-03T16:49:01+02:00       INFO    Number of language-specific files       num=0

registry.opensuse.org/opensuse/bci/bci-init:latest (opensuse.tumbleweed 20240607)
=================================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────────┬──────────────────────────┬──────────┬────────┬───────────────────┬────────────────────┬────────────────────────────────────────┐
│   Library   │      Vulnerability       │ Severity │ Status │ Installed Version │   Fixed Version    │                 Title                  │
├─────────────┼──────────────────────────┼──────────┼────────┼───────────────────┼────────────────────┼────────────────────────────────────────┤
│ permissions │ openSUSE-SU-2024:11165-1 │ MEDIUM   │ fixed  │ 1699_20240522-1.1 │ 20210901.1550-29.2 │ chkstat-1550_20210901-29.2 on GA media │
└─────────────┴──────────────────────────┴──────────┴────────┴───────────────────┴────────────────────┴────────────────────────────────────────┘

Thanks to @msmeissn

🖥️ Support for Azure Linux 3.0 🦋

Now Trivy supports Azure Linux 3.0 (previously CBL-Mariner).

➜ trivy image azurelinuxpreview.azurecr.io/public/azurelinux/distroless/base:3.0
2024-07-29T14:50:05+06:00       INFO    Vulnerability scanning is enabled
2024-07-29T14:50:05+06:00       INFO    Secret scanning is enabled
2024-07-29T14:50:05+06:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-29T14:50:05+06:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret#recommendation for faster secret detection
2024-07-29T14:50:10+06:00       INFO    Detected OS     family="azurelinux" version="3.0"
2024-07-29T14:50:10+06:00       INFO    [azurelinux] Detecting vulnerabilities...       os_version="3.0" pkg_num=14
2024-07-29T14:50:10+06:00       INFO    Number of language-specific files       num=0

azurelinuxpreview.azurecr.io/public/azurelinux/distroless/base:3.0 (azurelinux 3.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

Thanks to @tofay

📋 License Detection for pnpm-lock.yaml files 📜

Trivy now parses package.json files from the node_modules directory to determine the licenses of installed packages.

pnpm-lock.yaml (license)

Total: 2 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬─────────┬────────────────┬──────────┐
│ Package │ License │ Classification │ Severity │
├─────────┼─────────┼────────────────┼──────────┤
│ jquery  │ MIT     │ Notice         │ LOW      │
├─────────┤         │                │          │
│ lodash  │         │                │          │
└─────────┴─────────┴────────────────┴──────────┘

Thanks to @oscarbc96

🔓 Vulnerability support for SPDX formats 📕

Trivy can now include detected vulnerabilities in SPDX reports. Vulnerabilities are added as externalRefs, as described in SPDX Spec Appendix K.
Note that vulnerability scanning is disabled by default for SBOM generation (when --format=SPDX/CycloneDX), but you can manually enable the vulnerability scanner using the --scanners vuln flag.

➜ trivy -d image -f spdx-json -o report.spdx.json ubuntu --scanners vuln
...
  {
      "name": "libssl3t64",
      "SPDXID": "SPDXRef-Package-ed46e6c8dd5adb2d",
      "versionInfo": "3.0.13-0ubuntu3.1",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:deb/ubuntu/[email protected]?arch=amd64\u0026distro=ubuntu-24.04"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "advisory",
          "referenceLocator": "https://avd.aquasec.com/nvd/cve-2024-2511"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "advisory",
          "referenceLocator": "https://avd.aquasec.com/nvd/cve-2024-4603"
        },
...

Thanks to @goneall

🔖 Image labels in CycloneDX and SPDX formats 🏷️

Trivy now adds information about the scanned container image in CycloneDX and SPDX reports. This includes the Tag, DiffID, ImageID, and Labels of the scanned image.

• metadata.component.properties field for CycloneDX.
• Packages.PackageAttributionTexts field for SPDX.

🪭 Private image scanning in the Azure China ☁️

You can now authenticate against Azure Container Registry in Azure China cloud, for scanning private images.

Thanks to @admanb

👷‍♂️ Notable Fixes 🛠️

• feat(logging): Add warning in case missing config file #7028
• feat(.NET): mark some deps from .deps.json files as Dev  #7079
• CycloneDX SBOM files generated by trivy contains duplicated entries with different version for the same jersey artifact #7086
• Report is not empty even if there are no findings: Part 2 #7147
• HuggingFace token detector not working properly (wrong number of characters) #6823
• fix(secret): add prefix to exclude 0-9a-zA-Z before secret #7176
• bug(secret): set limit for line length #6999
• Regression: segmentation violation when scanning a certain pom.xml #7241
• Trivy Node scan can't parse package.json when latest is used as a package version #6747
• 0.51: kubernetes scanner requires role permissions #6692
• bug(misconf): Panic observed in passing of --tf-vars #7084
• perf(debian): use bytes.Index in emptyLineSplit to cut allocation #7065
• fix: Add dependencyManagement exclusions to the child exclusions #6969