v0.23.0

[aqua-bot]

💔 BREAKING CHANGES 💔

Migrate trivy to trivy image

See here for the detail.

Deprecate --light option

See here for the detail.

Deprecate sarif.tpl

See here for the detail.

Deprecate v0.22.0 or less

See here for the detail.

🚀 What's new? 🚀

🎨 Support for AlmaLinux

Trivy now scans AlmaLinux.

$ trivy image almalinux:8
2022-01-31T14:47:15.082+0200    INFO    Detected OS: alma
2022-01-31T14:47:15.082+0200    INFO    Detecting AlmaLinux vulnerabilities...
2022-01-31T14:47:15.096+0200    INFO    Number of language-specific files: 0

almalinux:8 (alma 8.5)
======================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

Note: Trivy doesn’t support modular packages such as nginx:1.18and nodejs:12 and in AlmaLinux at the moment because AlmaLinux has an issue with modularity packages. See here for the detail. Once AlmaLinux fixes the bug, Trivy will scan modular packages as well.

You may see the following warning:

2022-01-13T23:48:34.078+0900	INFO	Skipped detection of these packages: ["httpd" "httpd-filesystem"] because modular packages cannot be detected correctly due to a bug in AlmaLinux. See also: https://bugs.almalinux.org/view.php?id=173

Kudos to @MaineK00n

🟢  Support for Rocky Linux

Trivy now scans Rocky Linux.

$ trivy image rockylinux:8
2022-01-31T14:53:40.971+0200    INFO    Detected OS: rocky
2022-01-31T14:53:40.971+0200    INFO    Detecting Rocky Linux vulnerabilities...
2022-01-31T14:53:40.974+0200    INFO    Number of language-specific files: 1
2022-01-31T14:53:40.974+0200    INFO    Detecting python-pkg vulnerabilities...

rockylinux:8 (rocky 8.5)
========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+--------------+------------------+----------+-------------------+------------------+--------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |  FIXED VERSION   |                TITLE                 |
+--------------+------------------+----------+-------------------+------------------+--------------------------------------+
| openssl-libs | CVE-2021-3712    | MEDIUM   | 1:1.1.1k-4.el8    | 1:1.1.1k-5.el8_5 | openssl: Read buffer overruns        |
|              |                  |          |                   |                  | processing ASN.1 strings             |
|              |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-3712 |
+--------------+------------------+----------+-------------------+------------------+--------------------------------------+

Note: Trivy doesn’t support modular packages such as nginx:1.18and nodejs:12 and in Rocky Linux at the moment because Rocky Linux has an issue in their errata. See here for the detail. Once Rocky Linux fixes the bug, Trivy will scan modular packages as well.

You may see the following warning:

2022-01-13T23:48:34.078+0900	INFO	Skipped detection of these packages: ["httpd" "httpd-filesystem"] because modular packages cannot be detected correctly due to a bug in Rocky Linux Errata. See also: https://forums.rockylinux.org/t/some-errata-missing-in-comparison-with-rhel-and-almalinux/3843

Kudos to @MaineK00n

🇸🇲 Support for CBL-Mariner

Trivy now scans CBL-Mariner.

$ trivy image cblmariner.azurecr.io/base/core:1.0
2022-01-31T15:02:27.754+0200    INFO    Detected OS: cbl-mariner
2022-01-31T15:02:27.754+0200    INFO    Detecting CBL-Mariner vulnerabilities...
2022-01-31T15:02:27.757+0200    INFO    Number of language-specific files: 0

cblmariner.azurecr.io/base/core:1.0 (cbl-mariner 1.0.20220122)
==============================================================
Total: 14 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 4, CRITICAL: 5) 

Kudos to @masahiro331

📖 Support for Open Source Vulnerability

We added new data sources from OSV - Open Source Vulnerability. More vulnerabilities can be detected now.

⛑️ Support for Red Hat platforms other than RHEL

Trivy supports Red Hat OVAL v2 and scans all the Red Hat platforms such as as Red Hat OpenStack Platform and Red Hat JBoss Enterprise Application Platform well as Red Hat Enterprise Linux.

$ trivy image --ignore-unfixed registry.access.redhat.com/openshift3/jenkins-agent-maven-35-rhel7:v3.11.570-1.g93d78c4
2022-01-31T16:08:06.352+0200    INFO    Detected OS: redhat
2022-01-31T16:08:06.352+0200    INFO    Detecting RHEL/CentOS vulnerabilities...
2022-01-31T16:08:06.441+0200    INFO    Number of language-specific files: 0

registry.access.redhat.com/openshift3/jenkins-agent-maven-35-rhel7:v3.11.570-1.g93d78c4 (redhat 7.9)
====================================================================================================
Total: 109 (UNKNOWN: 0, LOW: 2, MEDIUM: 95, HIGH: 12, CRITICAL: 0) 

👻 Trivy DB hosted on GHCR

Trivy CLI v0.22.0 and below use Trivy DB v1 hosted on GitHub Releases. v0.23.0 switched to Trivy DB v2 hosted on GHCR. Most people don’t have to care about it since the database will be pulled by Trivy CLI automatically. If Trivy is under your corporate proxy or firewall, see here.

©️ Trivy DB is available for commercial use

Trivy DB v1 depends on some datasources that don’t allow commercial use. Trivy CLI v0.23.0 switched to Trivy DB v2 and it is available for commercial use.

See the following issue for the context.

#491

🎵 Add data source

You will find DataSource in the JSON result.

$ trivy fs -f json [YOUR_PROJECT]
... 
        {
          "VulnerabilityID": "CVE-2020-28500",
          "PkgName": "lodash",
          "InstalledVersion": "4.17.4",
          "FixedVersion": "4.17.21",
          "SeveritySource": "ghsa",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory Npm",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
        },

❤️‍🔥 Better support for Azure Container Registry

Trivy scans private images from Azure Container Registry (ACR) with service principal.

$ export AZURE_CLIENT_ID=${AZURE_CLIENT_ID}
$ export AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}
$ export AZURE_TENANT_ID=${AZURE_TENANT_ID}
$ trivy image your_special_project.azurecr.io/your_special_image:your_special_tag

🥻 Support for misconfiguration results in SARIF

$ trivy config --format sarif /path/to/conf_dir

🍒 Redis TLS support

$ trivy image --cache-backend redis://127.0.0.1:6379 \
--redis-ca ca-cert.pem \
--redis-cert redis-cert.pem \
--redis-key redis-key.pem \
nginx

See here for the detail.

🎤 Scan a single file

Trivy used to support directories only, but it can specify a single file now.

$ trivy fs /path/to/your_file

☕ Support for PAR files

$ trivy fs /path/to/log4j.par

🐞 Bug fixes 🐛

• Update example Rego files and docs (fix: update example Rego files and docs #1628)
• Do not ignore installed files via third-party rpm (fix(rpm): do not ignore installed files via third-party rpm #1594)
• Supress git clone output (feat(repo): supress git clone output #1590)
• Add fingerprint field to codequality template (fix: add fingerprint option to codequality template #1541)
• Correct handling of uncompressed layers (fix(image): correct handling of uncompressed layers #1544)

Docker images

• docker pull aquasec/trivy:0.23.0
• docker pull ghcr.io/aquasecurity/trivy:0.23.0
• docker pull public.ecr.aws/aquasecurity/trivy:0.23.0

---

This discussion was created from the release v0.23.0.

[dan-gaspari-ef]

Hi there - any reason the major version # wasn't bumped as part of this release (1.0.0 instead of 0.23.0)? There are some breaking changes, after all...

[knqyf263]

That is the reason. We're still adding many features at high speed, including breaking changes. We cannot say it is stable enough.

You can see thought leaders with ZeroVer.
https://0ver.org/

[afdesk]

ZeroVer is joke )

[marinpurgar]

Unfortunately the global flags (--debug, --quiet and --cache-dir) stopped working with commands (which are mandatory now).
E.g. the trivy image --quiet ubuntu:latest will return FATAL flag provided but not defined: -quiet.

[LeoK80]

Any prospects towards fixing the global flags to work with the commands?

[knqyf263]

#1686

[pmuz]

Hi, since trivy v0.23.0 I have noticed changes in severity of vulnerabilities returned by trivy.

For example scanning node:16-alpine3.15 with:

trivy:0.22.0 returns one vulnerability CVE-2021-3807 of severity HIGH
trivy:0.23.0 returns one vulnerability CVE-2021-3807 of severity MEDIUM

what is the reason behind this difference? Is it because of additional OSV source?