Skip to content

Commit

Permalink
Update Trivy to version 0.56.2 (#4)
Browse files Browse the repository at this point in the history
* feat(vm): Support direct filesystem (aquasecurity#7058)

Signed-off-by: yusuke.koyoshi <[email protected]>

* feat(cli)!: delete deprecated SBOM flags (aquasecurity#7266)

Signed-off-by: knqyf263 <[email protected]>

* feat(vm): support the Ext2/Ext3 filesystems (aquasecurity#6983)

* fix(plugin): do not call GitHub content API for releases and tags (aquasecurity#7274)

Signed-off-by: knqyf263 <[email protected]>

* fix(java): Return error when trying to find a remote pom to avoid segfault (aquasecurity#7275)

Co-authored-by: DmitriyLewen <[email protected]>

* fix(flag): incorrect behavior for deprected flag `--clear-cache` (aquasecurity#7281)

* refactor(misconf): remove file filtering from parsers (aquasecurity#7289)

Signed-off-by: nikpivkin <[email protected]>

* feat(vuln): Add `--detection-priority` flag for accuracy tuning (aquasecurity#7288)

Signed-off-by: knqyf263 <[email protected]>

* docs: add auto-generated config (aquasecurity#7261)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

* fix(terraform): add aws_region name to presets (aquasecurity#7184)

* perf(misconf): do not convert contents of a YAML file to string (aquasecurity#7292)

Signed-off-by: nikpivkin <[email protected]>

* refactor(misconf): remove unused universal scanner (aquasecurity#7293)

Signed-off-by: nikpivkin <[email protected]>

* perf(misconf): use json.Valid to check validity of JSON (aquasecurity#7308)

Signed-off-by: nikpivkin <[email protected]>

* fix(misconf): load only submodule if it is specified in source (aquasecurity#7112)

Signed-off-by: nikpivkin <[email protected]>

* feat(misconf): support for policy and bucket grants (aquasecurity#7284)

Signed-off-by: nikpivkin <[email protected]>

* fix(misconf): do not set default value for default_cache_behavior (aquasecurity#7234)

Signed-off-by: nikpivkin <[email protected]>

* feat(misconf): iterator argument support for dynamic blocks (aquasecurity#7236)

Signed-off-by: nikpivkin <[email protected]>
Co-authored-by: simar7 <[email protected]>

* chore(deps): bump the common group across 1 directory with 7 updates (aquasecurity#7305)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs: update client/server docs for misconf and license scanning (aquasecurity#7277)

Signed-off-by: nikpivkin <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

* docs: update links to packaging.python.org (aquasecurity#7318)

Signed-off-by: nikpivkin <[email protected]>

* perf(misconf): optimize work with context (aquasecurity#6968)

Signed-off-by: nikpivkin <[email protected]>

* refactor: replace ftypes.Gradle with packageurl.TypeGradle (aquasecurity#7323)

Signed-off-by: nikpivkin <[email protected]>

* docs: update air-gapped docs (aquasecurity#7160)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

* docs(misconf): Update callsites to use correct naming (aquasecurity#7335)

* chore(deps): bump the common group with 9 updates (aquasecurity#7333)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(misconf): change default TLS values for the Azure storage account (aquasecurity#7345)

Signed-off-by: nikpivkin <[email protected]>

* refactor(misconf): highlight only affected rows (aquasecurity#7310)

Signed-off-by: nikpivkin <[email protected]>

* fix(misconf): wrap Azure PortRange in iac types (aquasecurity#7357)

Signed-off-by: nikpivkin <[email protected]>

* feat(misconf): scanning support for YAML and JSON (aquasecurity#7311)

Signed-off-by: nikpivkin <[email protected]>

* feat(misconf): variable support for Terraform Plan (aquasecurity#7228)

Signed-off-by: nikpivkin <[email protected]>

* fix: safely check if the directory exists (aquasecurity#7353)

Signed-off-by: nikpivkin <[email protected]>

* chore(deps): bump the aws group across 1 directory with 7 updates (aquasecurity#7358)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(server): add internal `--path-prefix` flag for client/server mode (aquasecurity#7321)

Signed-off-by: knqyf263 <[email protected]>

* chore(deps): bump trivy-checks (aquasecurity#7350)

Signed-off-by: nikpivkin <[email protected]>

* refactor(misconf): use slog (aquasecurity#7295)

Signed-off-by: nikpivkin <[email protected]>

* feat(misconf): ignore duplicate checks (aquasecurity#7317)

Signed-off-by: nikpivkin <[email protected]>

* fix(misconf): init frameworks before updating them (aquasecurity#7376)

Signed-off-by: nikpivkin <[email protected]>

* fix(misconf): support deprecating for Go checks (aquasecurity#7377)

Signed-off-by: nikpivkin <[email protected]>

* feat(python): use minimum version for pip packages (aquasecurity#7348)

* docs: add pkg flags to config file page (aquasecurity#7370)

* feat(misconf): Add support for using spec from on-disk bundle (aquasecurity#7179)

* fix(report): escape `Message` field in `asff.tpl` template (aquasecurity#7401)

* fix(misconf): use module to log when metadata retrieval fails (aquasecurity#7405)

Signed-off-by: nikpivkin <[email protected]>

* feat(misconf): support for ignore by nested attributes (aquasecurity#7205)

Signed-off-by: nikpivkin <[email protected]>

* fix(misconf): do not filter Terraform plan JSON by name (aquasecurity#7406)

Signed-off-by: nikpivkin <[email protected]>

* feat(misconf): port and protocol support for EC2 networks (aquasecurity#7146)

Signed-off-by: nikpivkin <[email protected]>

* chore: fix allow rule of ignoring test files to make it case insensitive (aquasecurity#7415)

* fix(secret): use only line with secret for long secret lines (aquasecurity#7412)

* chore: update CODEOWNERS (aquasecurity#7398)

Signed-off-by: knqyf263 <[email protected]>

* feat(server): Make Trivy Server Multiplexer Exported (aquasecurity#7389)

* feat(report): export modified findings in JSON (aquasecurity#7383)

Signed-off-by: knqyf263 <[email protected]>

* fix(sbom): use `NOASSERTION` for licenses fields in SPDX formats (aquasecurity#7403)

* fix(misconf): do not register Rego libs in checks registry (aquasecurity#7420)

Signed-off-by: nikpivkin <[email protected]>

* chore(deps): Bump trivy-checks (aquasecurity#7417)

Signed-off-by: nikpivkin <[email protected]>
Co-authored-by: nikpivkin <[email protected]>

* fix(misconf): do not recreate filesystem map (aquasecurity#7416)

Signed-off-by: nikpivkin <[email protected]>

* fix(secret): use `.eyJ` keyword for JWT secret (aquasecurity#7410)

* fix(misconf): fix infer type for null value (aquasecurity#7424)

Signed-off-by: nikpivkin <[email protected]>

* fix(aws): handle ECR repositories in different regions (aquasecurity#6217)

Signed-off-by: Kevin Conner <[email protected]>

* fix: logger initialization before flags parsing (aquasecurity#7372)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

* fix(nodejs): check all `importers` to detect dev deps from pnpm-lock.yaml file (aquasecurity#7387)

* test: add integration plugin tests (aquasecurity#7299)

* feat(sbom): set User-Agent header on requests to Rekor (aquasecurity#7396)

Signed-off-by: Bob Callaway <[email protected]>

* fix(helm): explicitly define `kind` and `apiVersion` of `volumeClaimTemplate` element (aquasecurity#7362)

* chore(deps): Bump trivy-checks and pin OPA (aquasecurity#7427)

Signed-off-by: nikpivkin <[email protected]>
Co-authored-by: nikpivkin <[email protected]>

* feat(java): add `test` scope support for `pom.xml` files (aquasecurity#7414)

* fix(license): add license handling to JUnit template (aquasecurity#7409)

* feat(go): use `toolchain` as `stdlib` version for `go.mod` files (aquasecurity#7163)

* release: v0.55.0 [main] (aquasecurity#7271)

* fix(license): stop spliting a long license text (aquasecurity#7336)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

* refactor(java): add error/statusCode for logs when we can't get pom.xml/maven-metadata.xml from remote repo (aquasecurity#7451)

* chore(helm): bump up Trivy Helm chart (aquasecurity#7441)

* chore(deps): bump the common group across 1 directory with 19 updates (aquasecurity#7436)

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: knqyf263 <[email protected]>

* chore(deps): bump the aws group with 6 updates (aquasecurity#7468)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(oracle): Update EOL date for Oracle 7 (aquasecurity#7480)

* fix(report): change a receiver of MarshalJSON (aquasecurity#7483)

Signed-off-by: knqyf263 <[email protected]>

* fix(report): fix error with unmarshal of `ExperimentalModifiedFindings` (aquasecurity#7463)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

* docs(oci): Add a note About the expected Media Type for the Trivy-DB OCI Artifact (aquasecurity#7449)

* feat(license): improve license normalization (aquasecurity#7131)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

* docs(db): add a manifest example (aquasecurity#7485)

Signed-off-by: knqyf263 <[email protected]>

* revert(java): stop supporting of `test` scope for `pom.xml` files (aquasecurity#7488)

* docs: refine go docs (aquasecurity#7442)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

* chore(vex): suppress openssl vulnerabilities (aquasecurity#7500)

Signed-off-by: knqyf263 <[email protected]>

* chore(deps): bump alpine from 3.20.0 to 3.20.3 (aquasecurity#7508)

* chore(vex): add `CVE-2024-34155`, `CVE-2024-34156` and `CVE-2024-34158` in `trivy.openvex.json` (aquasecurity#7510)

* fix(java): use `dependencyManagement` from root/child pom's for dependencies from parents (aquasecurity#7497)

* refactor: split `.egg` and `packaging` analyzers (aquasecurity#7514)

* feat(misconf): Register checks only when needed (aquasecurity#7435)

* fix(misconf): Fix logging typo (aquasecurity#7473)

* chore(deps): bump go-ebs-file (aquasecurity#7513)

Signed-off-by: nikpivkin <[email protected]>

* fix(sbom): parse type `framework` as `library` when unmarshalling `CycloneDX` files (aquasecurity#7527)

* refactor(misconf): pass options to Rego scanner as is (aquasecurity#7529)

Signed-off-by: nikpivkin <[email protected]>

* fix(sbom): export bom-ref when converting a package to a component (aquasecurity#7340)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: amf <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

* perf(misconf): use port ranges instead of enumeration (aquasecurity#7549)

Signed-off-by: nikpivkin <[email protected]>

* fix(misconf): Fixed scope for China Cloud (aquasecurity#7560)

* docs(misconf): Add more info on how to use arbitrary JSON/YAML scan feat (aquasecurity#7458)

* chore(deps): remove broken replaces for opa and discovery (aquasecurity#7600)

* ci: cache test images for `integration`, `VM` and `module` tests (aquasecurity#7599)

* ci: add `workflow_dispatch` trigger for test workflow. (aquasecurity#7606)

* chore(deps): bump the common group across 1 directory with 20 updates (aquasecurity#7604)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: knqyf263 <[email protected]>

* fix(db): check `DownloadedAt` for `trivy-java-db` (aquasecurity#7592)

* fix: allow access to '..' in mapfs (aquasecurity#7575)

Signed-off-by: nikpivkin <[email protected]>

* test: use a local registry for remote scanning (aquasecurity#7607)

Signed-off-by: knqyf263 <[email protected]>

* fix(misconf): escape all special sequences (aquasecurity#7558)

Signed-off-by: nikpivkin <[email protected]>

* feat(misconf): add ability to disable checks by ID (aquasecurity#7536)

Signed-off-by: nikpivkin <[email protected]>
Co-authored-by: Simar <[email protected]>

* feat(suse): added SUSE Linux Enterprise Micro support (aquasecurity#7294)

Signed-off-by: Marcus Meissner <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

* fix(misconf): disable DS016 check for image history analyzer (aquasecurity#7540)

Signed-off-by: nikpivkin <[email protected]>

* ci: split `save` and `restore` cache actions (aquasecurity#7614)

* refactor: fix auth error handling (aquasecurity#7615)

Signed-off-by: knqyf263 <[email protected]>

* feat(secret): enhance secret scanning for python binary files (aquasecurity#7223)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

* feat(java): add empty versions if `pom.xml` dependency versions can't be detected (aquasecurity#7520)

Co-authored-by: Teppei Fukuda <[email protected]>

* test: use loaded image names (aquasecurity#7617)

Signed-off-by: knqyf263 <[email protected]>

* ci: don't use cache for `setup-go` (aquasecurity#7622)

* feat: support multiple DB repositories for vulnerability and Java DB (aquasecurity#7605)

Signed-off-by: nikpivkin <[email protected]>

* feat(misconf): Support `--skip-*` for all included modules  (aquasecurity#7579)

Signed-off-by: nikpivkin <[email protected]>
Co-authored-by: nikpivkin <[email protected]>

* chore: add prefixes to log messages (aquasecurity#7625)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: simar7 <[email protected]>

* fix(misconf): Disable deprecated checks by default (aquasecurity#7632)

* chore(deps): Bump trivy-checks to v1.1.0 (aquasecurity#7631)

* fix(secret): change grafana token regex to find them without unquoted (aquasecurity#7627)

* feat: support RPM archives (aquasecurity#7628)

Signed-off-by: knqyf263 <[email protected]>

* fix(misconf): not to warn about missing selectors of libraries (aquasecurity#7638)

Signed-off-by: nikpivkin <[email protected]>

* release: v0.56.0 [main] (aquasecurity#7447)

* fix(db): fix javadb downloading error handling [backport: release/v0.56] (aquasecurity#7646)

Signed-off-by: nikpivkin <[email protected]>
Co-authored-by: Nikita Pivkin <[email protected]>

* release: v0.56.1 [release/v0.56] (aquasecurity#7648)

* fix(sbom): add options for DBs in private registries [backport: release/v0.56] (aquasecurity#7691)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: Teppei Fukuda <[email protected]>

* fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (aquasecurity#7702)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: Teppei Fukuda <[email protected]>

* release: v0.56.2 [release/v0.56] (aquasecurity#7694)

* Make liveness probe configurable (#3)

---------

Signed-off-by: yusuke.koyoshi <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: nikpivkin <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Kevin Conner <[email protected]>
Signed-off-by: Bob Callaway <[email protected]>
Signed-off-by: Marcus Meissner <[email protected]>
Co-authored-by: yusuke-koyoshi <[email protected]>
Co-authored-by: Teppei Fukuda <[email protected]>
Co-authored-by: Aruneko <[email protected]>
Co-authored-by: Colm O hEigeartaigh <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>
Co-authored-by: afdesk <[email protected]>
Co-authored-by: Nikita Pivkin <[email protected]>
Co-authored-by: Alberto Donato <[email protected]>
Co-authored-by: simar7 <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Itay Shakury <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>
Co-authored-by: aasish-r <[email protected]>
Co-authored-by: Ori <[email protected]>
Co-authored-by: Kevin Conner <[email protected]>
Co-authored-by: Bob Callaway <[email protected]>
Co-authored-by: vhash <[email protected]>
Co-authored-by: psibre <[email protected]>
Co-authored-by: Aqua Security automated builds <[email protected]>
Co-authored-by: s-reddy1498 <[email protected]>
Co-authored-by: Squiddim <[email protected]>
Co-authored-by: Pierre Baumard <[email protected]>
Co-authored-by: Lior Kaplan <[email protected]>
Co-authored-by: amf <[email protected]>
Co-authored-by: bloomadcariad <[email protected]>
Co-authored-by: Sylvain Baubeau <[email protected]>
Co-authored-by: Simar <[email protected]>
Co-authored-by: Marcus Meissner <[email protected]>
Co-authored-by: Samuel Gaist <[email protected]>
  • Loading branch information
1 parent e6ed4dd commit f235523
Show file tree
Hide file tree
Showing 439 changed files with 13,960 additions and 6,886 deletions.
6 changes: 3 additions & 3 deletions .github/CODEOWNERS
Validating CODEOWNERS rules …
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,8 @@ pkg/cloud/ @simar7 @nikpivkin
pkg/iac/ @simar7 @nikpivkin

# Helm chart
helm/trivy/ @chen-keinan
helm/trivy/ @afdesk

# Kubernetes scanning
pkg/k8s/ @chen-keinan
docs/docs/target/kubernetes.md @chen-keinan
pkg/k8s/ @afdesk
docs/docs/target/kubernetes.md @afdesk
1 change: 1 addition & 0 deletions .github/workflows/auto-update-labels.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ jobs:
with:
# cf. https://github.com/aquasecurity/trivy/pull/6711
go-version: ${{ env.GO_VERSION }}
cache: false

- name: Install aqua tools
uses: aquaproj/[email protected]
Expand Down
86 changes: 86 additions & 0 deletions .github/workflows/cache-test-images.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
name: Cache test images
on:
schedule:
- cron: "0 0 * * *" # Run this workflow every day at 00:00 to avoid cache deletion.
workflow_dispatch:

jobs:
test-images:
name: Cache test images
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/[email protected]

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: false

- name: Install tools
uses: aquaproj/[email protected]
with:
aqua_version: v1.25.0

- name: Generate image list digest
if: github.ref_name == 'main'
id: image-digest
run: |
IMAGE_LIST=$(skopeo list-tags docker://ghcr.io/aquasecurity/trivy-test-images)
DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
## We need to work with test image cache only for main branch
- name: Restore and save test images cache
if: github.ref_name == 'main'
uses: actions/cache@v4
with:
path: integration/testdata/fixtures/images
key: cache-test-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-images-

- name: Download test images
if: github.ref_name == 'main'
run: mage test:fixtureContainerImages

test-vm-images:
name: Cache test VM images
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/[email protected]

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: false

- name: Install tools
uses: aquaproj/[email protected]
with:
aqua_version: v1.25.0

- name: Generate image list digest
if: github.ref_name == 'main'
id: image-digest
run: |
IMAGE_LIST=$(skopeo list-tags docker://ghcr.io/aquasecurity/trivy-test-vm-images)
DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
## We need to work with test VM image cache only for main branch
- name: Restore and save test VM images cache
if: github.ref_name == 'main'
uses: actions/cache@v4
with:
path: integration/testdata/fixtures/vm-images
key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-vm-images-

- name: Download test VM images
if: github.ref_name == 'main'
run: mage test:fixtureVMImages
56 changes: 56 additions & 0 deletions .github/workflows/test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ on:
- 'LICENSE'
- '.release-please-manifest.json' ## don't run tests for release-please PRs
merge_group:
workflow_dispatch:

env:
GO_VERSION: '1.22'
jobs:
Expand All @@ -24,6 +26,8 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false

- name: go mod tidy
run: |
go mod tidy
Expand Down Expand Up @@ -76,12 +80,28 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false

- name: Install tools
uses: aquaproj/[email protected]
with:
aqua_version: v1.25.0

- name: Generate image list digest
id: image-digest
run: |
IMAGE_LIST=$(skopeo list-tags docker://ghcr.io/aquasecurity/trivy-test-images)
DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Restore test images from cache
uses: actions/cache/restore@v4
with:
path: integration/testdata/fixtures/images
key: cache-test-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-images-

- name: Run integration tests
run: mage test:integration

Expand All @@ -96,6 +116,7 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false

- name: Install tools
uses: aquaproj/[email protected]
Expand All @@ -116,12 +137,28 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false

- name: Install tools
uses: aquaproj/[email protected]
with:
aqua_version: v1.25.0

- name: Generate image list digest
id: image-digest
run: |
IMAGE_LIST=$(skopeo list-tags docker://ghcr.io/aquasecurity/trivy-test-images)
DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Restore test images from cache
uses: actions/cache/restore@v4
with:
path: integration/testdata/fixtures/images
key: cache-test-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-images-

- name: Run module integration tests
shell: bash
run: |
Expand All @@ -138,10 +175,28 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false

- name: Install tools
uses: aquaproj/[email protected]
with:
aqua_version: v1.25.0

- name: Generate image list digest
id: image-digest
run: |
IMAGE_LIST=$(skopeo list-tags docker://ghcr.io/aquasecurity/trivy-test-vm-images)
DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
- name: Restore test VM images from cache
uses: actions/cache/restore@v4
with:
path: integration/testdata/fixtures/vm-images
key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
restore-keys:
cache-test-vm-images-

- name: Run vm integration tests
run: |
mage test:vm
Expand All @@ -162,6 +217,7 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false

- name: Determine GoReleaser ID
id: goreleaser_id
Expand Down
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -39,3 +39,6 @@ dist
# Signing
gpg.key
cmd/trivy/trivy

# RPM
*.rpm
2 changes: 1 addition & 1 deletion .release-please-manifest.json
Original file line number Diff line number Diff line change
@@ -1 +1 @@
{".":"0.54.0"}
{".":"0.56.2"}
99 changes: 99 additions & 0 deletions .vex/oci.openvex.json
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,105 @@
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "awk is not used"
},
{
"vulnerability": {
"name": "CVE-2024-4741"
},
"products": [
{
"@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "openssl is not used"
},
{
"vulnerability": {
"name": "CVE-2024-5535"
},
"products": [
{
"@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"},
{"@id": "pkg:apk/alpine/ssl_client"}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "openssl is not used"
},
{
"vulnerability": {
"name": "CVE-2024-6119"
},
"products": [
{
"@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"}
]
},
{
"@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
"subcomponents": [
{"@id": "pkg:apk/alpine/libcrypto3"},
{"@id": "pkg:apk/alpine/libssl3"}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
"impact_statement": "openssl is not used"
}
]
}
Loading

0 comments on commit f235523

Please sign in to comment.