v0.50.0

[aqua-bot]

🚀 What's new? 🚀

🚫 PURL Support for .trivyignore.yaml 📝

Trivy now supports ignoring vulnerabilities by PURL (Package URL) in the .trivyignore.yaml file, enabling more precise control over scan results.

vulnerabilities:
  - id: CVE-2022-40897
    paths:
      - "usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA"
    statement: Accept the risk
  - id: CVE-2023-3817
    purls:
      - "pkg:deb/debian/libssl1.1"

📝 Ignore by Rego enhancements 🛡️

You can now use Rego to filter out Licenses and Secrets findings. This is in addition to the existing support for filtering vulnerabilities and misconfiguration using Rego. https://aquasecurity.github.io/trivy/v0.50/docs/configuration/filtering/#by-rego
Thanks to @kristyko for the contribution!

🌺 Report Suppressed Vulnerabilities 👻

Trivy's new --show-suppressed flag reveals suppressed vulnerabilities due to .trivyignore, Rego policies, or VEX declarations, improving transparency and context in security reports.

When the --show-suppressed flag is specified, it now displays suppressed vulnerabilities alongside the regular detected vulnerabilities as follows:

$ trivy image --vex debian11.csaf.vex --ignorefile .trivyignore.yaml --show-suppressed debian:11
...

Suppressed Vulnerabilities (Total: 9)
======================================
┌───────────────┬───────────────┬──────────┬──────────────┬─────────────────────────────────────────────┬───────────────────┐
│    Library    │ Vulnerability │ Severity │    Status    │                  Statement                  │      Source       │
├───────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────────────────────┼───────────────────┤
│ libdb5.3      │ CVE-2019-8457 │ CRITICAL │ not_affected │ vulnerable_code_not_in_execute_path         │ CSAF VEX          │
├───────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────────────────────┼───────────────────┤
│ bsdutils      │ CVE-2022-0563 │ LOW      │ ignored      │ Accept the risk                             │ .trivyignore.yaml │
├───────────────┤               │          │              │                                             │                   │
│ libblkid1     │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ libmount1     │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ libsmartcols1 │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ libuuid1      │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ mount         │               │          │              │                                             │                   │
├───────────────┼───────────────┤          │              ├─────────────────────────────────────────────┤                   │
│ tar           │ CVE-2005-2541 │          │              │ The vulnerable configuration is not enabled │                   │
├───────────────┼───────────────┤          │              ├─────────────────────────────────────────────┤                   │
│ util-linux    │ CVE-2022-0563 │          │              │ Accept the risk                             │                   │

🐘 Enhanced Gradle Support 🌿

Trivy has been updated to parse *.pom files from the Gradle cache directory, enhancing support for detecting licenses and the dependency tree in Java projects.

$ GRADLE_USER_HOME=./cache trivy repo ./gradle.lockfile --scanners vuln,license --dependency-tree
...
gradle.lockfile (gradle)
========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ junit:junit │ CVE-2020-15250 │ MEDIUM   │ fixed  │ 4.13              │ 4.13.1        │ TemporaryFolder is shared between all users across system │
│             │                │          │        │                   │               │ which could result in...                                  │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2020-15250                │
└─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

Dependency Origin Tree (Reversed)
=================================
gradle.lockfile
└── junit:junit:4.13, (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

gradle.lockfile (license)

Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────────┬────────────────────────────┬────────────────┬──────────┐
│   Package   │          License           │ Classification │ Severity │
├─────────────┼────────────────────────────┼────────────────┼──────────┤
│ junit:junit │ Eclipse Public License 1.0 │ Non Standard   │ UNKNOWN  │
└─────────────┴────────────────────────────┴────────────────┴──────────┘

🦕 Custom Podman Host Support 🛃

Trivy now includes a --podman-host option for the image command, allowing users to specify a custom Podman host for image scanning.
Thanks to @parvez0 for the contribution!

☕ Maven Invoker Plugin Dependency Marking 👿

Trivy now marks dependencies from maven-invoker-plugin integration tests in **/[src|target]/it/*/pom.xml files as the development dependencies, enhancing Java project scans by allowing these dependencies to be included or skipped with the --include-dev-deps flag.

⎈ Rancher RKE2 Control Plane and Node components vulnerability scanning 💀

Trivy now supports the Rancher RKE2 control plane and node components (apiserver, controller-manager, kubelet, kube-proxy and etc) vulnerability scanning.

🍰Simplification of Misconfiguration codebase 🍄

We've integrated misconfiguration scanning better into Trivy by merging the "defsec" repository. As a result Trivy's architecture is simpler and better reflecting misconfiguration scanning as core scanner of Trivy. The checks are all defined within the trivy-policies repository. This should not have any implications on users, but might have for contributors/integrators.

🦆Improved support for Terraform Dynamic blocks 🧱

We've improved correctly evaluating dynamic blocks by not re-expanding them. This helps prevents false positives.

🪭Improved scanning support for Terraform Plan in JSON 🗃️

Scanning Terraform Plan files has been improved and now it's possible to scan both the Terraform Plan snapshots and their JSON representations.

$ terraform plan --out tfplan
trivy conf tfplan

Will generate and scan a terraform plan snapshot. We recommend saving the plan as a snapshot and scanning approach.

👷‍♂️ Notable Fixes 🛠️

• bug(amazonlinux): Trivy marks Amazon Linux version as EOL if */system-release file uses 2023.xxx.xxx format #6294
• feat(pom): don't ignore runtime scope #6207
• License image scan filtering doesn't seem to work when trivyignore is specified with `paths` #6117
• bug(misconf): False positives for ksv116 and ksv104 #4922
• feat(terraform): hyphen and non-ASCII support for domain names in credential extraction #6068 (thanks to @adam-carruthers)
• fix(terraform): modules with the count meta-argument are not ignored #5665
• bug(kubernetes): KSV001 FP #6232
• false positive AVD-AWS-0057 for actions that apply only to all resources #5040
• bug(misconf): Resolve attributes depending on conditions irrespective of placement  #5686