v0.55.0

[aqua-bot]

📑 Table of Contents

• 💔 Breaking Changes 💔
  • 🗑️ Removal of deprecated SBOM flags 🛠️
• 🚀 What's new? 🚀
  • 🎛️ Customize detection sensitivity 🕵️
  • 📝 Support test scope for pom.xml files 🧪
  • 🥣 Scanning generic YAML and JSON files 🛼
  • 🌰 Terraform scanning now supports iterator argument for dynamic blocks 🥂
  • 🎣 Terraform plan scanning now supports input variables 🏭
  • 🧳 Misconfiguration scanning now ignores duplicate checks 🍼
  • 🪨 Compliance specs are now included in the Trivy Checks bundle 🗿
  • 🏃🏻‍♀️Terraform now supports ignores on nested attributes 🪺
  • 💽 Virtual Machine scanning enhancements 🧩

💔 Breaking Changes 💔

🗑️ Removal of deprecated SBOM flags 🛠️

In this release, we've removed the deprecated --sbom-format and --artifact-type flags from the sbom subcommand. These flags were deprecated two years ago, and their removal is part of our ongoing effort to streamline the CLI and remove outdated options.

For more details, please refer to the announcement here.

🚀 What's new? 🚀

🎛️ Customize detection sensitivity 🕵️

This update introduces the --detection-priority flag to the vulnerability scanner, providing users with control over the scanner's accuracy and coverage. The flag allows you to select between precise mode, which focuses on reducing false positives, and comprehensive mode, which increases detection coverage at the risk of including some false positives. This feature is particularly useful in environments where either accuracy or comprehensive detection is critical.

$ trivy image registry.access.redhat.com/ubi8/ubi --detection-priority comprehensive --scanners vuln

See here for more details.

The following language-specific scenarios supports the new flag:

• go.mod: use specified Go version for stdlib vulnerability detection. See here for more details.
• requirements.txt: support >=,~= and a trailing .* matching. See here for more details.
• pubspec.lock: use minimum versions from sdks for SDK dependencies. See here for more details.

📝 Support test scope for pom.xml files 🧪

Trivy currently supports dependencies with test scope. To include these dependencies into result - use --include-dev-deps flag.

🥣 Scanning generic YAML and JSON files 🛼

Trivy now supports scanning any YAML or JSON files for misconfigurations. Note that Trivy doesn't ship with checks for files it doesn't recognize, but you can still author custom checks that will evaluate your generic yaml or json files.

For example:

$ cat iac/serverless.yaml
service: serverless-rest-api-with-pynamodb
frameworkVersion: ">=2.24.0"
plugins:
  - serverless-python-requirements
...

$ cat serverless.rego
# METADATA
# title: Serverless Framework service name not starting with "aws-"
# description: Ensure that Serverless Framework service names start with "aws-"
# schemas:
#   - input: schema["serverless-schema"]
# custom:
#   id: SF001
#   severity: LOW
package user.serverless001
deny[res] {
    not startswith(input.service, "aws-")
    res := result.new(
        sprintf("Service name %q is not allowed", [input.service]),
        input.service
    )
}

$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user ./iac
serverless.yaml (yaml)
Tests: 4 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
LOW: Service name "serverless-rest-api-with-pynamodb" is not allowed
═════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure that Serverless Framework service names start with "aws-"

You can also use the --config-file-schemas flag to provide schemas for generic json and yaml files. Trivy will use these schemas for file filtering and type checking in Rego checks. Find more details on this feature here

🌰 Terraform scanning now supports iterator argument for dynamic blocks 🥂

Trivy now supports the iterator argument for dynamic blocks. Previously this led to false positives while scanning terraform code:

resource "aws_s3_bucket" "this" {
  dynamic "versioning" {
    for_each = ["true"]
    iterator = ver

    content {
      enabled = ver.value
    }
  } 
}

🎣 Terraform plan scanning now supports input variables 🏭

Trivy now supports scanning of terraform plans that contain variables. As always the user can pass the variables in as such:

$ trivy config --tf-vars vars.tfvars  --misconfig-scanners "terraformplan-snapshot" tfplan

🧳 Misconfiguration scanning now ignores duplicate checks 🍼

Trivy now ignores any duplicated checks in the output by skipping them if they've already been evaluated. This helps prevent cases where a duplicated custom check might be accidentally supplied by the user.

🪨 Compliance specs are now included in the Trivy Checks bundle 🗿

Trivy Checks bundle now includes compliance specs. Previously, complience specs were embedded in the Trivy binary, and therefore were tied to it's release cycle. This means new or updated complience will be available for Trivy users immediately without having to upgrade or wait for a new Trivy version.

🏃🏻‍♀️Terraform now supports ignores on nested attributes 🪺

Previously it was not possible to ignore on special variables such as each and count that terraform offers, especially when working within dynamic blocks.
The following example shows how to ignore each.value with the name of vm-2:

locals {
  vms = [
    {
      ip_address = "10.0.0.1"
      name       = "vm-1"
    },
    {
      ip_address = "10.0.0.2"
      name       = "vm-2"
    }
  ]
}
// trivy:ignore:*[each.value.name=vm-2]
resource "bad" "my-rule" {
  secure = false
  for_each   = { for vm in local.vms : vm.name => vm }
  ip_address = each.value.ip_address
}

More info on this feature here

💽 Virtual Machine scanning enhancements 🧩

Virtual Machine scanning now supports scanning filesystems directly, even when there's no Master Boot Record (MBR) present.
Thanks to @yusuke-koyoshi.

In addition it now supports Ext2 and Ext3 filesystems.
Thanks to @aruneko.

👷‍♂️ Notable Fixes 🛠️

• fix(terraform): add aws_region name to presets #7184
• fix(misconf): support deprecating for Go checks #7377
• fix(misconf): Improve filtering of terraform JSON #7393
• bug(template): Message field not escaped in asff.tpl #7400
• Unknown license and download location information should be NOASSERTION instead of NONE in SPDX #7402
• bug(secret): long secrets with short line prefix/suffix contain characters from other lines  #7411
• JWT secret detector only works if "JWT" word is in scope #6802
• Trivy marks all dependencies of subdirectories as 'dev dependency' for PNPM #7386
• fix(aws): handle ECR repositories in different regions #6217
• fix(license): add license handling to JUnit template #7409