From 8ed00286c136e611ae50c9f435e5d1e425448028 Mon Sep 17 00:00:00 2001
From: Saurabh Parekh
Date: Tue, 15 Oct 2024 22:52:54 -0700
Subject: [PATCH] Upgrade trivy and harbor-scanner-trivy for harbor v2.11.1
---
 UPSTREAM_PROJECTS.yaml | 6 +-
 .../harbor-scanner-trivy/ATTRIBUTION.txt | 62 ++++++++++++++-----
 .../harbor-scanner-trivy/CHECKSUMS | 4 +-
 .../aquasecurity/harbor-scanner-trivy/GIT_TAG | 2 +-
 .../harbor-scanner-trivy/GOLANG_VERSION | 2 +-
 .../harbor-scanner-trivy/README.md | 2 +-
 projects/aquasecurity/trivy/CHECKSUMS | 4 +-
 projects/aquasecurity/trivy/GIT_TAG | 2 +-
 projects/aquasecurity/trivy/README.md | 2 +-
 ...h-os-ext-with-kardianos-os-ext-modul.patch | 38 ------------
 10 files changed, 58 insertions(+), 66 deletions(-)
 delete mode 100644 projects/aquasecurity/trivy/patches/0001-Replace-mitchellh-os-ext-with-kardianos-os-ext-modul.patch
diff --git a/UPSTREAM_PROJECTS.yaml b/UPSTREAM_PROJECTS.yaml
index 273dee9bd6..37d83b9542 100644
--- a/UPSTREAM_PROJECTS.yaml
+++ b/UPSTREAM_PROJECTS.yaml
@@ -25,11 +25,11 @@ projects:
 repos:
 - name: harbor-scanner-trivy
 versions:
- - tag: v0.31.2
- go_version: "1.21"
+ - tag: v0.31.4
+ go_version: "1.22"
 - name: trivy
 versions:
- - tag: v0.51.2
+ - tag: v0.56.2
 go_version: "1.22"
 - org: aws
 repos:
diff --git a/projects/aquasecurity/harbor-scanner-trivy/ATTRIBUTION.txt b/projects/aquasecurity/harbor-scanner-trivy/ATTRIBUTION.txt
index 648a0f52d3..3e78413d0e 100644
--- a/projects/aquasecurity/harbor-scanner-trivy/ATTRIBUTION.txt
+++ b/projects/aquasecurity/harbor-scanner-trivy/ATTRIBUTION.txt
@@ -1,5 +1,5 @@
-** github.com/aquasecurity/harbor-scanner-trivy; version v0.31.2 --
+** github.com/aquasecurity/harbor-scanner-trivy; version v0.31.4 --
 https://github.com/aquasecurity/harbor-scanner-trivy
 
 ** github.com/containerd/stargz-snapshotter/estargz; version v0.14.3 --
@@ -11,13 +11,13 @@ https://github.com/docker/cli
 ** github.com/docker/distribution/registry/client/auth/challenge; version v2.8.2+incompatible --
 https://github.com/distribution/distribution
 
-** github.com/docker/docker/pkg/homedir; version v26.1.2+incompatible --
+** github.com/docker/docker/pkg/homedir; version v27.1.1+incompatible --
 https://github.com/moby/moby
 
 ** github.com/knqyf263/go-containerregistry; version v0.16.2-0.20231101014841-fd95d0f749dd --
 https://github.com/knqyf263/go-containerregistry
 
-** github.com/klauspost/compress; version v1.16.5 --
+** github.com/klauspost/compress; version v1.17.4 --
 https://github.com/klauspost/compress
 
 ** github.com/opencontainers/go-digest; version v1.0.0 --
@@ -375,7 +375,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 ------
 
-** github.com/redis/go-redis/v9; version v9.5.1 --
+** github.com/redis/go-redis/v9; version v9.6.1 --
 https://github.com/redis/go-redis/v9
 
 Copyright (c) 2013 The github.com/redis/go-redis Authors.
@@ -409,7 +409,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ** github.com/gorilla/mux; version v1.8.1 --
 https://github.com/gorilla/mux
 
-** github.com/gorilla/schema; version v1.3.0 --
+** github.com/gorilla/schema; version v1.4.1 --
 https://github.com/gorilla/schema
 
 Copyright (c) 2023 The Gorilla Authors. All rights reserved.
@@ -442,7 +442,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 ------
 
-** github.com/klauspost/compress/internal/snapref; version v1.16.5 --
+** github.com/klauspost/compress/internal/snapref; version v1.17.4 --
 https://github.com/klauspost/compress
 
 Copyright (c) 2011 The Snappy-Go Authors. All rights reserved.
@@ -578,22 +578,52 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 ------
 
-** golang.org/go; version go1.21.13 --
+** golang.org/go; version go1.22.8 --
 https://github.com/golang/go
 
-** golang.org/x/exp/constraints; version v0.0.0-20230510235704-dd950f8aeaea --
-https://golang.org/x/exp
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+ * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+ * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+------
 
-** golang.org/x/net/context; version v0.25.0 --
+** golang.org/x/net/context; version v0.28.0 --
 https://golang.org/x/net
 
-** golang.org/x/sync/errgroup; version v0.3.0 --
+** golang.org/x/sync/errgroup; version v0.8.0 --
 https://golang.org/x/sync
 
-** golang.org/x/sys; version v0.20.0 --
+** golang.org/x/sys; version v0.23.0 --
 https://golang.org/x/sys
 
-Copyright (c) 2009 The Go Authors. All rights reserved.
+** golang.org/x/text; version v0.17.0 --
+https://golang.org/x/text
+
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -605,7 +635,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
- * Neither the name of Google Inc. nor the names of its
+ * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 
@@ -730,7 +760,7 @@ Copyright (c) 2017-2020 Damian Gryski
 https://github.com/docker/docker-credential-helpers
 Copyright (c) 2016 David Calavera
 
-** github.com/klauspost/compress/zstd/internal/xxhash; version v1.16.5 --
+** github.com/klauspost/compress/zstd/internal/xxhash; version v1.17.4 --
 https://github.com/klauspost/compress
 Copyright (c) 2016 Caleb Spare
 
@@ -738,7 +768,7 @@ Copyright (c) 2016 Caleb Spare
 https://github.com/mitchellh/go-homedir
 Copyright (c) 2013 Mitchell Hashimoto
 
-** github.com/samber/lo; version v1.39.0 --
+** github.com/samber/lo; version v1.47.0 --
 https://github.com/samber/lo
 Copyright (c) 2022 Samuel Berthe
 
diff --git a/projects/aquasecurity/harbor-scanner-trivy/CHECKSUMS b/projects/aquasecurity/harbor-scanner-trivy/CHECKSUMS
index 658bda5d5e..7167d1f70e 100644
--- a/projects/aquasecurity/harbor-scanner-trivy/CHECKSUMS
+++ b/projects/aquasecurity/harbor-scanner-trivy/CHECKSUMS
@@ -1,2 +1,2 @@
-c2bd544ed3e7ba3e2031c85b5b35834a0e79fe93c20bdc0fe50948efb13efcd4 _output/bin/harbor-scanner-trivy/linux-amd64/scanner-trivy
-712f237c2115cb30bdf3a3d6ad74382bb581a752170a09be5fb1a13bba90dae3 _output/bin/harbor-scanner-trivy/linux-arm64/scanner-trivy
+5bf6a0db227da17c076edab99d467bfa78e9c9eea4e887d086133a0f7d8095e1 _output/bin/harbor-scanner-trivy/linux-amd64/scanner-trivy
+edf2ce6e325e7c28e7e31fab128f4b9ee133847f03ed1d382ea7dd25fcdf538b _output/bin/harbor-scanner-trivy/linux-arm64/scanner-trivy
diff --git a/projects/aquasecurity/harbor-scanner-trivy/GIT_TAG b/projects/aquasecurity/harbor-scanner-trivy/GIT_TAG
index 2d64485d28..6a167009fb 100644
--- a/projects/aquasecurity/harbor-scanner-trivy/GIT_TAG
+++ b/projects/aquasecurity/harbor-scanner-trivy/GIT_TAG
@@ -1 +1 @@
-v0.31.2
\ No newline at end of file
+v0.31.4
\ No newline at end of file
diff --git a/projects/aquasecurity/harbor-scanner-trivy/GOLANG_VERSION b/projects/aquasecurity/harbor-scanner-trivy/GOLANG_VERSION
index d2ab029d32..71f7f51df9 100644
--- a/projects/aquasecurity/harbor-scanner-trivy/GOLANG_VERSION
+++ b/projects/aquasecurity/harbor-scanner-trivy/GOLANG_VERSION
@@ -1 +1 @@
-1.21
+1.22
diff --git a/projects/aquasecurity/harbor-scanner-trivy/README.md b/projects/aquasecurity/harbor-scanner-trivy/README.md
index ce46027cbe..762b802b83 100644
--- a/projects/aquasecurity/harbor-scanner-trivy/README.md
+++ b/projects/aquasecurity/harbor-scanner-trivy/README.md
@@ -1,5 +1,5 @@
 ## **harbor-scanner-trivy**
-![Version](https://img.shields.io/badge/version-v0.31.2-blue)
+![Version](https://img.shields.io/badge/version-v0.31.4-blue)
 ![Build Status](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoieEpzUzBranRhT3NMMGdLU0lSVmh1S2RteDcyd1AwRU5LbVZFc2pnNlcvcWpaZHR4blQ3RktjbzllUmhwMmhma0pnZ2RWVEY0UEIzZ2NPc3pYQ2l1RFZvPSIsIml2UGFyYW1ldGVyU3BlYyI6IitiOTg2c2dOVW55cnVQREoiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=main)
 
 The [Harbor Scanner Adapter for Trivy](https://github.com/aquasecurity/harbor-scanner-trivy) is a service that translates the Harbor scanning API into Trivy commands and allows Harbor to use Trivy for providing vulnerability reports on images stored in Harbor registry as part of its vulnerability scan feature.
diff --git a/projects/aquasecurity/trivy/CHECKSUMS b/projects/aquasecurity/trivy/CHECKSUMS
index edadffafd2..c9e0b78e30 100644
--- a/projects/aquasecurity/trivy/CHECKSUMS
+++ b/projects/aquasecurity/trivy/CHECKSUMS
@@ -1,2 +1,2 @@
-5b5e539d940a0eef4bebf6c070ae49d168823d8eddf546ea4f71f8b8b82d5c37 _output/bin/trivy/linux-amd64/trivy
-b181a35ed3061257190aa3233ddee3f5cfdd50914316bb83530a64c44d3e5ac8 _output/bin/trivy/linux-arm64/trivy
+3950cf180b19be14a90b925fffdd8ccdcec2c99441c07993f8fff0890735bb07 _output/bin/trivy/linux-amd64/trivy
+f94426d0f695b288b2d6ae09df6d307e1e8091afa89ce4cd8ac3e14145ab6566 _output/bin/trivy/linux-arm64/trivy
diff --git a/projects/aquasecurity/trivy/GIT_TAG b/projects/aquasecurity/trivy/GIT_TAG
index c21fa7b369..df8473fbd1 100644
--- a/projects/aquasecurity/trivy/GIT_TAG
+++ b/projects/aquasecurity/trivy/GIT_TAG
@@ -1 +1 @@
-v0.51.2
\ No newline at end of file
+v0.56.2
diff --git a/projects/aquasecurity/trivy/README.md b/projects/aquasecurity/trivy/README.md
index f24f5fea32..4dfdc99bf6 100644
--- a/projects/aquasecurity/trivy/README.md
+++ b/projects/aquasecurity/trivy/README.md
@@ -1,5 +1,5 @@
 ## **trivy**
-![Version](https://img.shields.io/badge/version-v0.51.2-blue)
+![Version](https://img.shields.io/badge/version-v0.56.2-blue)
 ![Build Status](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiMVBvZE5FTEtYaVpuWUJ3eGd2Tis1dHAxT0ZKcXBuWkNVUmpjL0pRVnduRUl2Qm1XZ29xbHBENU5wVGM3TzVTTXhFTS83VUtrWGdCVU9lVkVxSmFhUnBFPSIsIml2UGFyYW1ldGVyU3BlYyI6IkQzTU9tSEd0YWZDc0NVYkIiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=main)
 
 [Trivy](https://github.com/aquasecurity/trivy/) is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and language-specific packages (Bundler, Composer, npm, yarn, etc.). In addition, Trivy scans Infrastructure as Code (IaC) files such as Terraform, Dockerfile and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack. Trivy also scans hardcoded secrets like passwords, API keys and tokens.
diff --git a/projects/aquasecurity/trivy/patches/0001-Replace-mitchellh-os-ext-with-kardianos-os-ext-modul.patch b/projects/aquasecurity/trivy/patches/0001-Replace-mitchellh-os-ext-with-kardianos-os-ext-modul.patch
deleted file mode 100644
index 2f08f888c2..0000000000
--- a/projects/aquasecurity/trivy/patches/0001-Replace-mitchellh-os-ext-with-kardianos-os-ext-modul.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From f3d1ca8d9d05e3522f0d3376c01fc5e1a2471e24 Mon Sep 17 00:00:00 2001
-From: Jhaanvi Golani
-Date: Wed, 12 Jun 2024 13:37:09 -0700
-Subject: [PATCH] Replace mitchellh os-ext with kardianos os-ext module
-
---
- go.mod | 1 +
- go.sum | 2 +-
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/go.mod b/go.mod
-index 4227c73e1..c556b7f40 100644
---- a/go.mod
-+++ b/go.mod
-@@ -140,6 +140,7 @@ require (
- golang.org/x/crypto v0.22.0
- sigs.k8s.io/yaml v1.4.0
- )
-+replace github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f => github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0
-
- require (
- cloud.google.com/go v0.112.1 // indirect
-diff --git a/go.sum b/go.sum
-index 83bdd09d6..842b8f73e 100644
---- a/go.sum
-+++ b/go.sum
-@@ -1788,7 +1788,7 @@ github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh
- github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
- github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
- github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
--github.aaakk.us.kg/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
-+github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0/go.mod h1:1NbS8ALrpOvjt0rHPNLyCIeMtbizbir8U//inJ+zuB8=
- github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
- github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
- github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
---
-2.44.0
-