v0.34.0

[aqua-bot]

This is a special release that includes a feature that is relevant to the imminent openSSL vulnerability.

🌲 OS packages in dependency origin ⛓

Now you can use the --dependency-tree flag to find the origin or a vulnerable package installed through OS package manger. The dependency origin feature isn't new but did not support OS packages until now.

🏎 Performance improvement in Debian image scanning 🪪

When scanning Debian images, Trivy will try and detect licenses without the full fledged license classifier by default, which is resource intensive. It can be reenabled using the --license-full flag.

👾 Support containerd namespace 📛

Containerd allows you to specify namespaces using the CONTAINERD_NAMESPACE environment variable. Trivy now supports the environment variable.

Use case: scanning the images in the local containerd store on a kubernetes node. These images will be in the k8s.io containerd namespace.

Thanks to @pmengelbert

Changelog

• 7912f58 feat(vuln): support dependency graph for RHEL/CentOS (feat(vuln): support dependency graph for RHEL/CentOS #3094)
• 9468056 feat(vuln): support dependency graph for dpkg and apk (feat(vuln): support dependency graph for dpkg and apk #3093)
• 7cc83cc perf(license): enable license classifier only with "--license-full" (perf(license): enable license classifier only with "--license-full" #3086)
• 5b975de feat(report): add secret scanning to ASFF template (feat(report): add secret scanning to ASFF template #2860)
• b6cef12 feat: Allow override of containerd namespace (feat: Allow override of containerd namespace #3060)
• 0765148 fix(vuln): In alpine use Name as SrcName (fix: In alpine use Name to fetch advisories #3079)
• 9e649b8 fix(secret): Alibaba AccessKey ID (fix(secret): Alibaba AccessKey ID #3083)

---

This discussion was created from the release v0.34.0.