Releases: aquasecurity/trivy
v0.18.3
Changelog
85e45ca chore(ci): change to more granular tokens (#1014)
9fa512a chore(ci): add Go scanning and update dependencies (#1001)
349371b docs: Add HIGH severity to Trivy command in GitLab CI example to match comment (#1013)
Docker images
docker pull aquasec/trivy:0.18.3
docker pull ghcr.io/aquasecurity/trivy:0.18.3
docker pull public.ecr.aws/aquasecurity/trivy:0.18.3
docker pull aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:latest
docker pull public.ecr.aws/aquasecurity/trivy:latest
v0.18.2
Changelog
4446961 fix(image): disable go.sum scanning (#1007)
04473ad fix(gomod): handle go.sum with an empty line (#1006)
1b66b77 feat: prepare for config scanning (#1005)
8fc6ea6 Clarify that dev dependencies are excluded (#986)
Docker images
docker pull aquasec/trivy:0.18.2
docker pull ghcr.io/aquasecurity/trivy:0.18.2
docker pull public.ecr.aws/aquasecurity/trivy:0.18.2
docker pull aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:latest
docker pull public.ecr.aws/aquasecurity/trivy:latest
v0.18.1
Changelog
eaf2da2 Include target value in Sarif template ruleID (#991)
083c157 chore(mkdocs): allow workflow_dispatch (#989)
Docker images
docker pull aquasec/trivy:0.18.1
docker pull ghcr.io/aquasecurity/trivy:0.18.1
docker pull public.ecr.aws/aquasecurity/trivy:0.18.1
docker pull aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:latest
docker pull public.ecr.aws/aquasecurity/trivy:latest
v0.18.0
Release Note
Changelog
e26e39a fix(vuln) unique vulnerabilities from different data sources (#984)
04e7cca feat(go): added support of gomod analyzer (#978)
Docker images
docker pull aquasec/trivy:0.18.0
docker pull ghcr.io/aquasecurity/trivy:0.18.0
docker pull public.ecr.aws/aquasecurity/trivy:0.18.0
docker pull aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:latest
docker pull public.ecr.aws/aquasecurity/trivy:latest
v0.17.2
Changelog
415e1d8 fix: scan only regular files (#976)
3bb8852 docs: mention upx binaries (#974)
c0fddd9 chore: upgrade alpine to fix git and libcurl vulnerabilities in trivy docker image scan (#971)
Docker images
docker pull aquasec/trivy:0.17.2
docker pull ghcr.io/aquasecurity/trivy:0.17.2
docker pull public.ecr.aws/aquasecurity/trivy:0.17.2
docker pull aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:latest
docker pull public.ecr.aws/aquasecurity/trivy:latest
v0.17.1
Changelog
41c066d fix(fs): skip dirs (#969)
Docker images
docker pull aquasec/trivy:0.17.1
docker pull ghcr.io/aquasecurity/trivy:0.17.1
docker pull public.ecr.aws/aquasecurity/trivy:0.17.1
docker pull aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:latest
docker pull public.ecr.aws/aquasecurity/trivy:latest
v0.17.0
Release Note
Changelog
2316931 chore(ci): replace GITHUB_TOKEN with ORG_GITHUB_TOKEN (#965)
77f3d55 chore(ci): clone trivy-repo after releasing binaries (#963)
b319579 docs: add golang support (#962)
0c0febe fix(table): skip zero vulnerabilities on java (#961)
d41736b chore(ci): create a release discussion (#959)
c88bbbd feat(go): support binary scan (#948)
d88b7cf feat(java): support GitLab Advisory Database (#917)
1385fa4 feat: show help message when the context's deadline passes (#955)
0346a10 chore(mkdocs): replace github token (#954)
60a4e7e Update SARIF report template (#935)
39ab6bd Update install docs to make commands consistent (#933)
0518d27 Docker multi-platform image build with buildx, using Goreleaser (#915)
a6b8ec3 Fix JUnit template for AWS CodeBuild compatibility (#904)
6d22387 break(cli): use StringSliceFlag for skip-dirs/files (#916)
7221579 docs: add white logo (#914)
ee29ffa add package name in ruleID (#913)
8935aa6 feat: gh-action for stale issues (#908)
288481f chore(triage): add lifecycle/active label (#909)
f961e99 feat: publish helm repository (#888)
0edf73b Fix Documentation Typo (#901)
f5b060a docs: migrate README to MkDocs (#884)
c26a3e4 refactor(internal): export internal packages (#887)
8b3b5d0 feat: support plugins (#878)
37edc66 chore(ci): deploy dev docs only for the main branch (#882)
becd508 add MkDocs implementation (#870)
e517bef docs(README): update ubuntu versions (#877)
da2b28a support Ubuntu 20.10 (#876)
965bb6d feat(cache): introduce versioned cache (#865)
0497286 chore: bump up Go to 1.16 (#861)
fcb9a93 fix: allow the latest tag (#864)
425eaf8 feat: disable analyzers (#846)
47ce996 chore(ci): push the official image to public ECR (#855)
e890ae0 chore(ci): migrate CircleCI to GitHub Actions (#850)
9bc3565 adds example with multistage build (#853)
a0cd5d7 remove SARIF helpUri if empty (#841) (#845)
3170dc3 Add Sprig to Template Engine (#832)
10ad2ed Fix "GitLab CI using Trivy container" usage example (fixes #843) (#844)
c9f22f4 feat(java): support jar/war/ear (#837)
3047c52 fix(app): increase the default value of timeout (#842)
89e5295 Update README.md (#838)
Docker images
docker pull aquasec/trivy:0.17.0
docker pull ghcr.io/aquasecurity/trivy:0.17.0
docker pull public.ecr.aws/aquasecurity/trivy:0.17.0
docker pull aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:latest
docker pull public.ecr.aws/aquasecurity/trivy:latest
v0.16.0
Features
Support Podman (#825)
[EXPERIMENTAL] This feature might change without preserving backwards compatibility.
Scan your image in a Podman (>=2.0) instance running locally; remote Podman is not supported. Before running Trivy commands, you must enable the podman.socket systemd unit on your machine. For more details, see here
$ systemctl --user enable --now podman.socket
Then, you can scan your image in Podman.
$ cat Dockerfile
FROM alpine:3.12
RUN apk add --no-cache bash
$ podman build -t test .
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/test latest efc372d4e0de About a minute ago 7.94 MB
$ trivy image test
Support modular packages in RHEL 8/CentOS 8 (#790)
Trivy is able to scan RHEL 8/CentOS 8 more accurately now.
Add redis cache backend configuration options in the Helm chart (#784)
Trivy can be deployed to Kubernetes with Redis cache.
Thanks, @czunker!
Support PEP 440 (#816)
Trivy is able to scan Python vulnerabilities more accurately now.
Support alpine 3.13 (#819)
Trivy is able to scan Alpine Linux 3.13 now.
Fixes
- Fix compatibility for Jenkins xunit plugin (#820)
- Update EOL dates (#824)
- Parse redis backend url (#804)
- Fix errors in SARIF format (#801)
- Fix env variable for github token (#796)
- Set unknown severity for empty values (#793)
- Remove global flags from filesystem command (#772)
- Fix formatting of log message (#785)
Changelog
cdabe7f Fix compatibility for Jenkins xunit plugin (#820)
b0fe439 README: add Gitlab job that uses a container with trivy (#823)
6685cd4 feat: support Podman (#825)
7a683bd fix(eol): update EOL dates (#824)
6ed03a8 fix(python): follow PEP 440 (#816)
182cb80 Support alpine 3.13 (#819)
2acd1ca Changed the output string to "Using your github token". (#814)
dd35bfd Align comment with code (#812)
1f17e71 Parse redis backend url (#804)
0954f6b Update README.md (#810)
6b29bf1 Added nodeSelector, affinity and tolerations to helm chart (#803)
f6afdf0 Fix readme typo in policy flag (#805)
412847d Fix errors in SARIF format (#801)
5b27862 Fix env variable for github token (#796)
6ed25c1 fix(vulnerability): set unknown severity for empty values (#793)
e2c483f Remove global flags from filesystem command (#772)
5c5e0cb Add imagePullSecrets to helm Chart (#789)
b9b84cd Add redis cache backend configuration options (#784)
e517bcc Update README.md (#735)
7f5a6d4 feat(redhat): support modular packages (#790)
8de09dd Fix formatting of log message (#785)
e08ae8d chore(ci): migrate unit tests to GitHub Actions (#779)
a00d719 shifted: brews.github to brews.tap (#780)
Docker images
docker pull docker.io/aquasec/trivy:0.16.0
docker pull docker.io/aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:0.16.0
docker pull ghcr.io/aquasecurity/trivy:latest
v0.15.0
Features
NuGet Scanner (#686)
Trivy now supports the NuGet lock file packages.lock.json.
packages.lock.json
==================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+-------------+------------------+----------+-------------------+----------------+--------------------------------------+
| LIBRARY     | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  | TITLE                                |
+-------------+------------------+----------+-------------------+----------------+--------------------------------------+
| MessagePack | CVE-2020-5234    | MEDIUM   | 1.9.10            | 2.1.90, 1.9.11 | Untrusted data can lead to DoS       |
|             |                  |          |                   |                | attack due to hash collisions and... |
|             |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2020-5234 |
+-------------+------------------+----------+-------------------+----------------+--------------------------------------+
Thanks to @Johannestegner
Redis support as the cache backend (#770)
For details, see here
$ docker run -d --name redis -p 6379:6379 redis:5.0
$ trivy server --cache-backend redis://localhost:6379
$ trivy client alpine:3.11
HTML template (#567)
$ trivy image -f template --template "@contrib/html.tpl" -o report.html alpine:3.12
Thanks to @irrandon
Helm chart (#751, #769)
For details, see here
$ cd helm/trivy
$ helm install my-release .
Thanks to @czunker
Fixes
redhat: skip modular packages (#776)
Thanks to @masahiro331
Make the table output less wide. (#763)
alpine:3.10 (alpine 3.10.5)
===========================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE                                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2020-1971    | MEDIUM   | 1.1.1g-r0         | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
|              |                  |          |                   |               | NULL pointer de-reference             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
+--------------+                  +          +                   +               +                                       +
| libssl1.1    |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
+--------------+------------------+          +-------------------+---------------+---------------------------------------+
| musl         | CVE-2020-28928   |          | 1.1.22-r3         | 1.1.22-r4     | In musl libc through 1.2.1,           |
|              |                  |          |                   |               | wcsnrtombs mishandles particular      |
|              |                  |          |                   |               | combinations of destination buffer... |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28928 |
+--------------+                  +          +                   +               +                                       +
| musl-utils   |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
Changelog
08ca1b0 Feat: NuGet Scanner (#686)
7b86f81 feat(cache): support Redis (#770)
8cd4afe fix(redhat): skip module packages (#776)
b606b62 chore: migrate from master to main (#778)
5c2b14b chore(circleci): remove gofmt (#777)
a19a023 chore(README): remove experimental (#775)
e6cef75 NVD: Add timestamps. (#761)
1371f72 (fix): Make the table output less wide. (#763)
8ecaa2f Add gitHubToken to prevent rate limit problems (#769)
8132174 Add helm chart to install trivy in server mode. (#751)
bcc2850 chore(docs): add nix install (#762)
cb36972 HTML template (#567)
Docker images
docker pull docker.io/aquasec/trivy:0.15.0
docker pull docker.io/aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:0.15.0
docker pull ghcr.io/aquasecurity/trivy:latest
v0.14.0
Features
Add primary URLs (#752)
Trivy shows a primary URL in the result as follows.
alpine:3.10 (alpine 3.10.5)
===========================
Total: 2 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
| LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE                          | URL                                |
+------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
| musl       | CVE-2020-28928   | UNKNOWN  | 1.1.22-r3         | 1.1.22-r4     | In musl libc through 1.2.1,    | avd.aquasec.com/nvd/cve-2020-28928 |
|            |                  |          |                   |               | wcsnrtombs mishandles          |                                    |
|            |                  |          |                   |               | particular combinations of     |                                    |
|            |                  |          |                   |               | destination buffer...          |                                    |
+------------+                  +          +                   +               +                                +                                    +
| musl-utils |                  |          |                   |               |                                |                                    |
|            |                  |          |                   |               |                                |                                    |
|            |                  |          |                   |               |                                |                                    |
|            |                  |          |                   |               |                                |                                    |
+------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
[
  {
    "Target": "alpine:3.10 (alpine 3.10.5)",
    "Type": "alpine",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2020-28928",
        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28928",
        ...
      }
    ]
  }
]
In these cases, you can see https://avd.aquasec.com/nvd/cve-2020-28928 as the primary URL.
Remove rpm dependency (#753)
Trivy no longer requires the rpm command on the host. You can scan a RHEL-based image without rpm.
$ rpm
bash: rpm: command not found
$ trivy image -o /dev/null centos:7
centos:7 (centos 7.9.2009)
==========================
Total: 601 (UNKNOWN: 0, LOW: 358, MEDIUM: 240, HIGH: 3, CRITICAL: 0)
Bug fixes
--light shows fewer results (#755)
There was a bug where vulnerabilities with unknown severity did not appear in the result when using the --light option.
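The normalization behind this fix, as an added example that is not Trivy's own code: a constructed Trivy JSON report containing one finding with an empty Severity is parsed, empty severities are mapped to UNKNOWN before the severity filter runs, and the finding is therefore kept when UNKNOWN is selected rather than silently dropped. The Severity field is assumed from Trivy's JSON output in addition to the Target, Vulnerabilities, VulnerabilityID and PrimaryURL fields shown above.

```go
package main

import "encoding/json"

// Trimmed mirror of Trivy's JSON report; "Severity" is assumed alongside
// the Target/Vulnerabilities/VulnerabilityID/PrimaryURL fields shown above.
type Result struct {
	Target          string          `json:"Target"`
	Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
}

type Vulnerability struct {
	VulnerabilityID string `json:"VulnerabilityID"`
	Severity        string `json:"Severity"`
	PrimaryURL      string `json:"PrimaryURL"`
}

// Constructed sample report: the second finding carries an empty severity,
// the case the pre-fix --light path silently dropped.
const SampleReport = `[{"Target":"alpine:3.10 (alpine 3.10.5)","Vulnerabilities":[
 {"VulnerabilityID":"CVE-2020-28928","Severity":"UNKNOWN",
  "PrimaryURL":"https://avd.aquasec.com/nvd/cve-2020-28928"},
 {"VulnerabilityID":"CVE-2020-1971","Severity":"",
  "PrimaryURL":"https://avd.aquasec.com/nvd/cve-2020-1971"}]}]`

// NormalizeSeverity is the fix: an empty severity becomes UNKNOWN so a
// later severity filter cannot drop the finding by accident.
func NormalizeSeverity(s string) string {
	if s == "" {
		return "UNKNOWN"
	}
	return s
}

// FilterBySeverity returns, in report order, the IDs whose normalized severity is wanted.
func FilterBySeverity(report string, wanted map[string]bool) ([]string, error) {
	var results []Result
	if err := json.Unmarshal([]byte(report), &results); err != nil {
		return nil, err
	}
	var ids []string
	for _, r := range results {
		for _, v := range r.Vulnerabilities {
			if wanted[NormalizeSeverity(v.Severity)] {
				ids = append(ids, v.VulnerabilityID)
			}
		}
	}
	return ids, nil
}
```

Without the normalization step, a filter built from a severity list such as UNKNOWN,CRITICAL would never match the empty string, which is exactly how the finding vanished from the --light output.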
Changelog
9bdbeab feat: remove rpm dependency (#753)
d85cb77 fix(vulnerability): make an empty severity UNKNOWN (#759)
1bee83c chore(README): add TRIVY_INSECURE (#760)
4d18943 feat(vulnerability): add primary URLs (#752)
Docker images
docker pull docker.io/aquasec/trivy:0.14.0
docker pull docker.io/aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:0.14.0
docker pull ghcr.io/aquasecurity/trivy:latest