fix(license): add license handling to JUnit template #7409
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PreliminariesI've created a Java project to produce a suitable SBOM specimen (see psibre/java-app-vuln-license-sbom-mwe@df7dc92), which I'll attach here for convenience: Vulnerability scannerTable formatJUnit XML format<?xml version="1.0" ?>
<testsuites name="trivy">
<testsuite tests="14" failures="14" name="Java" errors="0" skipped="0" time="">
<properties>
<property name="type" value="jar"></property>
</properties>
<testcase classname="com.google.protobuf:protobuf-java-3.11.4" name="[HIGH] CVE-2021-22569" time="">
<failure message="protobuf-java: potential DoS in the parsing procedure for binary data" type="description">An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.</failure>
</testcase>
<testcase classname="com.google.protobuf:protobuf-java-3.11.4" name="[HIGH] CVE-2021-22570" time="">
<failure message="protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference" type="description">Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.</failure>
</testcase>
<testcase classname="com.google.protobuf:protobuf-java-3.11.4" name="[HIGH] CVE-2022-3509" time="">
<failure message="protobuf-java: Textformat parsing issue leads to DoS" type="description">A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.</failure>
</testcase>
<testcase classname="com.google.protobuf:protobuf-java-3.11.4" name="[HIGH] CVE-2022-3510" time="">
<failure message="protobuf-java: Message-Type Extensions parsing issue leads to DoS" type="description">A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

</failure>
</testcase>
<testcase classname="com.google.protobuf:protobuf-java-3.11.4" name="[MEDIUM] CVE-2022-3171" time="">
<failure message="protobuf-java: timeout in parser leads to DoS" type="description">A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.</failure>
</testcase>
<testcase classname="edu.stanford.nlp:stanford-corenlp-4.3.2" name="[CRITICAL] CVE-2021-44550" time="">
<failure message="Access Control vulnerability within CoreNLP" type="description">An Incorrect Access Control vulnerability exists in CoreNLP 4.3.2 via the classifier in NERServlet.java (lines 158 and 159).</failure>
</testcase>
<testcase classname="edu.stanford.nlp:stanford-corenlp-4.3.2" name="[CRITICAL] CVE-2022-0239" time="">
<failure message="corenlp is vulnerable to Improper Restriction of XML External Entity Reference" type="description">corenlp is vulnerable to Improper Restriction of XML External Entity Reference</failure>
</testcase>
<testcase classname="edu.stanford.nlp:stanford-corenlp-4.3.2" name="[MEDIUM] CVE-2022-0198" time="">
<failure message="XML External Entity Reference in edu.stanford.nlp:stanford-corenlp" type="description">corenlp is vulnerable to Improper Restriction of XML External Entity Reference</failure>
</testcase>
<testcase classname="xalan:xalan-2.7.2" name="[HIGH] CVE-2022-34169" time="">
<failure message="OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)" type="description">The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.</failure>
</testcase>
<testcase classname="xerces:xercesImpl-2.8.0" name="[HIGH] CVE-2012-0881" time="">
<failure message="xml: xerces-j2 hash table collisions CPU usage DoS (oCERT-2011-003)" type="description">Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.</failure>
</testcase>
<testcase classname="xerces:xercesImpl-2.8.0" name="[HIGH] CVE-2013-4002" time="">
<failure message="OpenJDK: XML parsing Denial of Service (JAXP, 8017298)" type="description">XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.</failure>
</testcase>
<testcase classname="xerces:xercesImpl-2.8.0" name="[MEDIUM] CVE-2009-2625" time="">
<failure message="JDK: XML parsing Denial-Of-Service (6845701)" type="description">XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.</failure>
</testcase>
<testcase classname="xerces:xercesImpl-2.8.0" name="[MEDIUM] CVE-2020-14338" time="">
<failure message="wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl" type="description">A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. This flaw affects all Xerces JBoss versions before 2.12.0.SP3.</failure>
</testcase>
<testcase classname="xerces:xercesImpl-2.8.0" name="[MEDIUM] CVE-2022-23437" time="">
<failure message="xerces-j2: infinite loop when handling specially crafted XML document payloads" type="description">There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.</failure>
</testcase>
</testsuite>
<testsuite tests="0" failures="0" name="Java" errors="0" skipped="0" time="">
<properties>
<property name="type" value="jar"></property>
</properties>
</testsuite>
</testsuites>License scannerTable formatJUnit XML format (before)<?xml version="1.0" ?>
<testsuites name="trivy">
<testsuite tests="0" failures="0" name="OS Packages" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="OS Packages" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="Java" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="Java" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="Loose File License(s)" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="Loose File License(s)" errors="0" skipped="0" time="">
</testsuite>
</testsuites>JUnit XML format (after)<?xml version="1.0" ?>
<testsuites name="trivy">
<testsuite tests="0" failures="0" name="OS Packages" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="OS Packages" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="Java" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="30" failures="30" name="Java" time="0">
<testcase classname="com.apple:AppleJavaExtensions" name="[UNKNOWN] Apple License">
<failure/>
</testcase>
<testcase classname="com.google.code.findbugs:jsr305" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="com.google.protobuf:protobuf-java" name="[LOW] BSD-3-Clause">
<failure/>
</testcase>
<testcase classname="com.sun.xml.bind:jaxb-core" name="[MEDIUM] CDDL-1.1">
<failure/>
</testcase>
<testcase classname="com.sun.xml.bind:jaxb-impl" name="[MEDIUM] CDDL-1.1">
<failure/>
</testcase>
<testcase classname="de.jollyday:jollyday" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="edu.stanford.nlp:stanford-corenlp" name="[UNKNOWN] GNU General Public License Version 3">
<failure/>
</testcase>
<testcase classname="javax.xml.bind:jaxb-api" name="[MEDIUM] CDDL-1.1">
<failure/>
</testcase>
<testcase classname="javax.xml.bind:jaxb-api" name="[HIGH] GPL-2.0-with-classpath-exception">
<failure/>
</testcase>
<testcase classname="joda-time:joda-time" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.apache.commons:commons-lang3" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.apache.lucene:lucene-analyzers-common" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.apache.lucene:lucene-core" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.apache.lucene:lucene-queries" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.apache.lucene:lucene-queryparser" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.apache.lucene:lucene-sandbox" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-cdense" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-core" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-ddense" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-dsparse" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-fdense" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-fsparse" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-simple" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-zdense" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.slf4j:slf4j-api" name="[LOW] MIT">
<failure/>
</testcase>
<testcase classname="xalan:serializer" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="xalan:xalan" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="xerces:xercesImpl" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="xml-apis:xml-apis" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="xom:xom" name="[UNKNOWN] The GNU Lesser General Public License, Version 2.1">
<failure/>
</testcase>
</testsuite>
<testsuite tests="0" failures="0" name="Java" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="Loose File License(s)" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="Loose File License(s)" errors="0" skipped="0" time="">
</testsuite>
</testsuites> |
|
Perhaps it would be even more useful to add the |
|
@afdesk Can you please take a look? |
|
@psibre thanks a lot for your contribution! it's really nice. Should |
afdesk
requested changes
Aug 30, 2024
|
Also about JUnit template. but this logic is for all blocks... |
I based this pattern on the one already present in the Vulnerabilities portion of the template. Specifically, in junit.tpl#L12, there is Since that name attribute is typically part of the summary (e.g., in a GitLab test report), I think it's consistent with expected behavior of Trivy-generated JUnit XML reports to maintain that pattern for the licenses. |
i understand it. thanks! |
afdesk
approved these changes
Sep 2, 2024
fhielpos
added a commit
to giantswarm/trivy-upstream
that referenced
this pull request
Dec 20, 2024
* feat(vm): Support direct filesystem (aquasecurity#7058) Signed-off-by: yusuke.koyoshi <[email protected]> * feat(cli)!: delete deprecated SBOM flags (aquasecurity#7266) Signed-off-by: knqyf263 <[email protected]> * feat(vm): support the Ext2/Ext3 filesystems (aquasecurity#6983) * fix(plugin): do not call GitHub content API for releases and tags (aquasecurity#7274) Signed-off-by: knqyf263 <[email protected]> * fix(java): Return error when trying to find a remote pom to avoid segfault (aquasecurity#7275) Co-authored-by: DmitriyLewen <[email protected]> * fix(flag): incorrect behavior for deprected flag `--clear-cache` (aquasecurity#7281) * refactor(misconf): remove file filtering from parsers (aquasecurity#7289) Signed-off-by: nikpivkin <[email protected]> * feat(vuln): Add `--detection-priority` flag for accuracy tuning (aquasecurity#7288) Signed-off-by: knqyf263 <[email protected]> * docs: add auto-generated config (aquasecurity#7261) Signed-off-by: knqyf263 <[email protected]> Co-authored-by: knqyf263 <[email protected]> * fix(terraform): add aws_region name to presets (aquasecurity#7184) * perf(misconf): do not convert contents of a YAML file to string (aquasecurity#7292) Signed-off-by: nikpivkin <[email protected]> * refactor(misconf): remove unused universal scanner (aquasecurity#7293) Signed-off-by: nikpivkin <[email protected]> * perf(misconf): use json.Valid to check validity of JSON (aquasecurity#7308) Signed-off-by: nikpivkin <[email protected]> * fix(misconf): load only submodule if it is specified in source (aquasecurity#7112) Signed-off-by: nikpivkin <[email protected]> * feat(misconf): support for policy and bucket grants (aquasecurity#7284) Signed-off-by: nikpivkin <[email protected]> * fix(misconf): do not set default value for default_cache_behavior (aquasecurity#7234) Signed-off-by: nikpivkin <[email protected]> * feat(misconf): iterator argument support for dynamic blocks (aquasecurity#7236) Signed-off-by: nikpivkin <[email protected]> Co-authored-by: simar7 <[email protected]> * chore(deps): bump the common group across 1 directory with 7 updates (aquasecurity#7305) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * docs: update client/server docs for misconf and license scanning (aquasecurity#7277) Signed-off-by: nikpivkin <[email protected]> Signed-off-by: knqyf263 <[email protected]> Co-authored-by: knqyf263 <[email protected]> * docs: update links to packaging.python.org (aquasecurity#7318) Signed-off-by: nikpivkin <[email protected]> * perf(misconf): optimize work with context (aquasecurity#6968) Signed-off-by: nikpivkin <[email protected]> * refactor: replace ftypes.Gradle with packageurl.TypeGradle (aquasecurity#7323) Signed-off-by: nikpivkin <[email protected]> * docs: update air-gapped docs (aquasecurity#7160) Signed-off-by: knqyf263 <[email protected]> Co-authored-by: knqyf263 <[email protected]> * docs(misconf): Update callsites to use correct naming (aquasecurity#7335) * chore(deps): bump the common group with 9 updates (aquasecurity#7333) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(misconf): change default TLS values for the Azure storage account (aquasecurity#7345) Signed-off-by: nikpivkin <[email protected]> * refactor(misconf): highlight only affected rows (aquasecurity#7310) Signed-off-by: nikpivkin <[email protected]> * fix(misconf): wrap Azure PortRange in iac types (aquasecurity#7357) Signed-off-by: nikpivkin <[email protected]> * feat(misconf): scanning support for YAML and JSON (aquasecurity#7311) Signed-off-by: nikpivkin <[email protected]> * feat(misconf): variable support for Terraform Plan (aquasecurity#7228) Signed-off-by: nikpivkin <[email protected]> * fix: safely check if the directory exists (aquasecurity#7353) Signed-off-by: nikpivkin <[email protected]> * chore(deps): bump the aws group across 1 directory with 7 updates (aquasecurity#7358) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat(server): add internal `--path-prefix` flag for client/server mode (aquasecurity#7321) Signed-off-by: knqyf263 <[email protected]> * chore(deps): bump trivy-checks (aquasecurity#7350) Signed-off-by: nikpivkin <[email protected]> * refactor(misconf): use slog (aquasecurity#7295) Signed-off-by: nikpivkin <[email protected]> * feat(misconf): ignore duplicate checks (aquasecurity#7317) Signed-off-by: nikpivkin <[email protected]> * fix(misconf): init frameworks before updating them (aquasecurity#7376) Signed-off-by: nikpivkin <[email protected]> * fix(misconf): support deprecating for Go checks (aquasecurity#7377) Signed-off-by: nikpivkin <[email protected]> * feat(python): use minimum version for pip packages (aquasecurity#7348) * docs: add pkg flags to config file page (aquasecurity#7370) * feat(misconf): Add support for using spec from on-disk bundle (aquasecurity#7179) * fix(report): escape `Message` field in `asff.tpl` template (aquasecurity#7401) * fix(misconf): use module to log when metadata retrieval fails (aquasecurity#7405) Signed-off-by: nikpivkin <[email protected]> * feat(misconf): support for ignore by nested attributes (aquasecurity#7205) Signed-off-by: nikpivkin <[email protected]> * fix(misconf): do not filter Terraform plan JSON by name (aquasecurity#7406) Signed-off-by: nikpivkin <[email protected]> * feat(misconf): port and protocol support for EC2 networks (aquasecurity#7146) Signed-off-by: nikpivkin <[email protected]> * chore: fix allow rule of ignoring test files to make it case insensitive (aquasecurity#7415) * fix(secret): use only line with secret for long secret lines (aquasecurity#7412) * chore: update CODEOWNERS (aquasecurity#7398) Signed-off-by: knqyf263 <[email protected]> * feat(server): Make Trivy Server Multiplexer Exported (aquasecurity#7389) * feat(report): export modified findings in JSON (aquasecurity#7383) Signed-off-by: knqyf263 <[email protected]> * fix(sbom): use `NOASSERTION` for licenses fields in SPDX formats (aquasecurity#7403) * fix(misconf): do not register Rego libs in checks registry (aquasecurity#7420) Signed-off-by: nikpivkin <[email protected]> * chore(deps): Bump trivy-checks (aquasecurity#7417) Signed-off-by: nikpivkin <[email protected]> Co-authored-by: nikpivkin <[email protected]> * fix(misconf): do not recreate filesystem map (aquasecurity#7416) Signed-off-by: nikpivkin <[email protected]> * fix(secret): use `.eyJ` keyword for JWT secret (aquasecurity#7410) * fix(misconf): fix infer type for null value (aquasecurity#7424) Signed-off-by: nikpivkin <[email protected]> * fix(aws): handle ECR repositories in different regions (aquasecurity#6217) Signed-off-by: Kevin Conner <[email protected]> * fix: logger initialization before flags parsing (aquasecurity#7372) Signed-off-by: knqyf263 <[email protected]> Co-authored-by: knqyf263 <[email protected]> * fix(nodejs): check all `importers` to detect dev deps from pnpm-lock.yaml file (aquasecurity#7387) * test: add integration plugin tests (aquasecurity#7299) * feat(sbom): set User-Agent header on requests to Rekor (aquasecurity#7396) Signed-off-by: Bob Callaway <[email protected]> * fix(helm): explicitly define `kind` and `apiVersion` of `volumeClaimTemplate` element (aquasecurity#7362) * chore(deps): Bump trivy-checks and pin OPA (aquasecurity#7427) Signed-off-by: nikpivkin <[email protected]> Co-authored-by: nikpivkin <[email protected]> * feat(java): add `test` scope support for `pom.xml` files (aquasecurity#7414) * fix(license): add license handling to JUnit template (aquasecurity#7409) * feat(go): use `toolchain` as `stdlib` version for `go.mod` files (aquasecurity#7163) * release: v0.55.0 [main] (aquasecurity#7271) * fix(license): stop spliting a long license text (aquasecurity#7336) Signed-off-by: knqyf263 <[email protected]> Co-authored-by: knqyf263 <[email protected]> * refactor(java): add error/statusCode for logs when we can't get pom.xml/maven-metadata.xml from remote repo (aquasecurity#7451) * chore(helm): bump up Trivy Helm chart (aquasecurity#7441) * chore(deps): bump the common group across 1 directory with 19 updates (aquasecurity#7436) Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: knqyf263 <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: knqyf263 <[email protected]> * chore(deps): bump the aws group with 6 updates (aquasecurity#7468) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(oracle): Update EOL date for Oracle 7 (aquasecurity#7480) * fix(report): change a receiver of MarshalJSON (aquasecurity#7483) Signed-off-by: knqyf263 <[email protected]> * fix(report): fix error with unmarshal of `ExperimentalModifiedFindings` (aquasecurity#7463) Signed-off-by: knqyf263 <[email protected]> Co-authored-by: knqyf263 <[email protected]> * docs(oci): Add a note About the expected Media Type for the Trivy-DB OCI Artifact (aquasecurity#7449) * feat(license): improve license normalization (aquasecurity#7131) Signed-off-by: knqyf263 <[email protected]> Co-authored-by: DmitriyLewen <[email protected]> Co-authored-by: knqyf263 <[email protected]> * docs(db): add a manifest example (aquasecurity#7485) Signed-off-by: knqyf263 <[email protected]> * revert(java): stop supporting of `test` scope for `pom.xml` files (aquasecurity#7488) * docs: refine go docs (aquasecurity#7442) Signed-off-by: knqyf263 <[email protected]> Co-authored-by: knqyf263 <[email protected]> * chore(vex): suppress openssl vulnerabilities (aquasecurity#7500) Signed-off-by: knqyf263 <[email protected]> * chore(deps): bump alpine from 3.20.0 to 3.20.3 (aquasecurity#7508) * chore(vex): add `CVE-2024-34155`, `CVE-2024-34156` and `CVE-2024-34158` in `trivy.openvex.json` (aquasecurity#7510) * fix(java): use `dependencyManagement` from root/child pom's for dependencies from parents (aquasecurity#7497) * refactor: split `.egg` and `packaging` analyzers (aquasecurity#7514) * feat(misconf): Register checks only when needed (aquasecurity#7435) * fix(misconf): Fix logging typo (aquasecurity#7473) * chore(deps): bump go-ebs-file (aquasecurity#7513) Signed-off-by: nikpivkin <[email protected]> * fix(sbom): parse type `framework` as `library` when unmarshalling `CycloneDX` files (aquasecurity#7527) * refactor(misconf): pass options to Rego scanner as is (aquasecurity#7529) Signed-off-by: nikpivkin <[email protected]> * fix(sbom): export bom-ref when converting a package to a component (aquasecurity#7340) Signed-off-by: knqyf263 <[email protected]> Co-authored-by: amf <[email protected]> Co-authored-by: knqyf263 <[email protected]> * perf(misconf): use port ranges instead of enumeration (aquasecurity#7549) Signed-off-by: nikpivkin <[email protected]> * fix(misconf): Fixed scope for China Cloud (aquasecurity#7560) * docs(misconf): Add more info on how to use arbitrary JSON/YAML scan feat (aquasecurity#7458) * chore(deps): remove broken replaces for opa and discovery (aquasecurity#7600) * ci: cache test images for `integration`, `VM` and `module` tests (aquasecurity#7599) * ci: add `workflow_dispatch` trigger for test workflow. (aquasecurity#7606) * chore(deps): bump the common group across 1 directory with 20 updates (aquasecurity#7604) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: knqyf263 <[email protected]> * fix(db): check `DownloadedAt` for `trivy-java-db` (aquasecurity#7592) * fix: allow access to '..' in mapfs (aquasecurity#7575) Signed-off-by: nikpivkin <[email protected]> * test: use a local registry for remote scanning (aquasecurity#7607) Signed-off-by: knqyf263 <[email protected]> * fix(misconf): escape all special sequences (aquasecurity#7558) Signed-off-by: nikpivkin <[email protected]> * feat(misconf): add ability to disable checks by ID (aquasecurity#7536) Signed-off-by: nikpivkin <[email protected]> Co-authored-by: Simar <[email protected]> * feat(suse): added SUSE Linux Enterprise Micro support (aquasecurity#7294) Signed-off-by: Marcus Meissner <[email protected]> Signed-off-by: knqyf263 <[email protected]> Co-authored-by: knqyf263 <[email protected]> * fix(misconf): disable DS016 check for image history analyzer (aquasecurity#7540) Signed-off-by: nikpivkin <[email protected]> * ci: split `save` and `restore` cache actions (aquasecurity#7614) * refactor: fix auth error handling (aquasecurity#7615) Signed-off-by: knqyf263 <[email protected]> * feat(secret): enhance secret scanning for python binary files (aquasecurity#7223) Signed-off-by: knqyf263 <[email protected]> Co-authored-by: knqyf263 <[email protected]> * feat(java): add empty versions if `pom.xml` dependency versions can't be detected (aquasecurity#7520) Co-authored-by: Teppei Fukuda <[email protected]> * test: use loaded image names (aquasecurity#7617) Signed-off-by: knqyf263 <[email protected]> * ci: don't use cache for `setup-go` (aquasecurity#7622) * feat: support multiple DB repositories for vulnerability and Java DB (aquasecurity#7605) Signed-off-by: nikpivkin <[email protected]> * feat(misconf): Support `--skip-*` for all included modules (aquasecurity#7579) Signed-off-by: nikpivkin <[email protected]> Co-authored-by: nikpivkin <[email protected]> * chore: add prefixes to log messages (aquasecurity#7625) Signed-off-by: knqyf263 <[email protected]> Co-authored-by: simar7 <[email protected]> * fix(misconf): Disable deprecated checks by default (aquasecurity#7632) * chore(deps): Bump trivy-checks to v1.1.0 (aquasecurity#7631) * fix(secret): change grafana token regex to find them without unquoted (aquasecurity#7627) * feat: support RPM archives (aquasecurity#7628) Signed-off-by: knqyf263 <[email protected]> * fix(misconf): not to warn about missing selectors of libraries (aquasecurity#7638) Signed-off-by: nikpivkin <[email protected]> * release: v0.56.0 [main] (aquasecurity#7447) * fix(db): fix javadb downloading error handling [backport: release/v0.56] (aquasecurity#7646) Signed-off-by: nikpivkin <[email protected]> Co-authored-by: Nikita Pivkin <[email protected]> * release: v0.56.1 [release/v0.56] (aquasecurity#7648) * fix(sbom): add options for DBs in private registries [backport: release/v0.56] (aquasecurity#7691) Signed-off-by: knqyf263 <[email protected]> Co-authored-by: Teppei Fukuda <[email protected]> * fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (aquasecurity#7702) Signed-off-by: knqyf263 <[email protected]> Co-authored-by: Teppei Fukuda <[email protected]> * release: v0.56.2 [release/v0.56] (aquasecurity#7694) * Make liveness probe configurable (#3) --------- Signed-off-by: yusuke.koyoshi <[email protected]> Signed-off-by: knqyf263 <[email protected]> Signed-off-by: nikpivkin <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Kevin Conner <[email protected]> Signed-off-by: Bob Callaway <[email protected]> Signed-off-by: Marcus Meissner <[email protected]> Co-authored-by: yusuke-koyoshi <[email protected]> Co-authored-by: Teppei Fukuda <[email protected]> Co-authored-by: Aruneko <[email protected]> Co-authored-by: Colm O hEigeartaigh <[email protected]> Co-authored-by: DmitriyLewen <[email protected]> Co-authored-by: afdesk <[email protected]> Co-authored-by: Nikita Pivkin <[email protected]> Co-authored-by: Alberto Donato <[email protected]> Co-authored-by: simar7 <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Itay Shakury <[email protected]> Co-authored-by: DmitriyLewen <[email protected]> Co-authored-by: aasish-r <[email protected]> Co-authored-by: Ori <[email protected]> Co-authored-by: Kevin Conner <[email protected]> Co-authored-by: Bob Callaway <[email protected]> Co-authored-by: vhash <[email protected]> Co-authored-by: psibre <[email protected]> Co-authored-by: Aqua Security automated builds <[email protected]> Co-authored-by: s-reddy1498 <[email protected]> Co-authored-by: Squiddim <[email protected]> Co-authored-by: Pierre Baumard <[email protected]> Co-authored-by: Lior Kaplan <[email protected]> Co-authored-by: amf <[email protected]> Co-authored-by: bloomadcariad <[email protected]> Co-authored-by: Sylvain Baubeau <[email protected]> Co-authored-by: Simar <[email protected]> Co-authored-by: Marcus Meissner <[email protected]> Co-authored-by: Samuel Gaist <[email protected]>
fhielpos
pushed a commit
to giantswarm/trivy-upstream
that referenced
this pull request
Dec 20, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Related issues
Checklist