v0.37.2

💔Breaking Change💔

Java DB

Added breaking change to Trivy Java DB.
Users who are using Trivy v0.37.0 or v0.37.1 for Java scanning need to remove the local cached Java DB with trivy image --reset and update Trivy to v0.37.2.

Changelog

• 12b563b BREAKING: use normalized trivy-java-db (#3583)
• 72a14c6 fix(image): add timeout for remote images (#3582)
• 4c01d73 chore(deps): bump golang.org/x/mod from 0.6.0 to 0.7.0 (#3532)
• 10dd5d1 chore(deps): bump golang.org/x/text from 0.5.0 to 0.6.0 (#3534)
• 439c541 fix(misconf): handle dot files better (#3550)
• 200e04a chore: bump Go to 1.19 (#3551)
• a533ca8 chore(deps): bump alpine from 3.17.0 to 3.17.1 (#3522)
• 4bccbe6 chore(deps): bump docker/build-push-action from 3 to 4 (#3523)
• d056208 chore(deps): bump actions/cache from 3.2.2 to 3.2.4 (#3524)
• f5e6574 chore(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.4.0 (#3525)
• d3da459 chore(deps): bump aquaproj/aqua-installer from 1.2.0 to 2.0.2 (#3526)

v0.37.1

Changelog

• 7f8868b fix(sbom): download the Java DB when generating SBOM (#3539)
• 364379b fix: use cgo free sqlite driver (#3521)
• 0205475 ci: fix path to dist folder (#3527)

v0.37.0

Changelog

• e9d2af9 fix(image): close layers (#3517)
• b169424 refactor: db client changed (#3515)
• 7bf1e19 feat(java): use trivy-java-db to get GAV (#3484)
• 023e45b docs: add note about the limitation in Rekor (#3494)
• 0fe62a9 docs: aggregate targets (#3503)
• 0373e08 deps: updates wazero to 1.0.0-pre.8 (#3510)
• a2e21f9 docs: add alma 9 and rocky 9 to supported os (#3513)
• 7d778b7 chore(deps): bump defsec to v0.82.9 (#3512)
• 9e9dbea chore: add missing target labels (#3504)
• d99a7b8 docs: add java vulnerability page (#3429)
• cb5af0b feat(image): add support for Docker CIS Benchmark (#3496)
• 6eec9ac feat(image): secret scanning on container image config (#3495)
• 1eca973 chore(deps): Upgrade defsec to v0.82.8 (#3488)
• fb0d8f3 feat(image): scan misconfigurations in image config (#3437)
• 501d424 chore(helm): update Trivy from v0.30.4 to v0.36.1 (#3489)
• 475dc17 feat(k8s): add node info resource (#3482)
• ed173b8 perf(secret): optimize secret scanning memory usage (#3453)
• 1b368be feat: support aliases in CLI flag, env and config (#3481)
• 66a83d5 fix(k8s): migrate rbac k8s (#3459)
• 81bee0f feat(java): add implementationVendor and specificationVendor fields to detect GroupID from MANIFEST.MF (#3480)
• e107608 refactor: rename security-checks to scanners (#3467)
• aaf845d chore: display the troubleshooting URL for the DB denial error (#3474)
• ed5bb0b docs: yaml tabs to spaces, auto create namespace (#3469)
• 3158bfe docs: adding show-and-tell template to GH discussions (#3391)
• 85b6c4a fix: Fix a temporary file leak in case of error (#3465)
• 60bddae fix(test): sort cyclonedx components (#3468)
• e0bb04c docs: fixing spelling mistakes (#3462)
• c25e826 ci: set paths triggering VM tests in PR (#3438)
• 07ddc85 docs: typo in --skip-files (#3454)
• e88507c feat(custom-forward): Extended advisory data (#3444)
• e2dfee2 docs: fix spelling error (#3436)
• c575d6f refactor(image): extend image config analyzer (#3434)
• 036d5a8 fix(nodejs): add ignore protocols to yarn parser (#3433)
• e6d7f15 fix(db): check proxy settings when using insecure flag (#3435)
• a1d4427 feat(misconf): Fetch policies from OCI registry (#3015)
• 682351a ci: downgrade Go to 1.18 and use stable and oldstable go versions for unit tests (#3413)
• ff0c451 ci: store URLs to Github Releases in RPM repository (#3414)
• ee12442 feat(server): add support of skip-db-update flag for hot db update (#3416)
• 2033e05 chore(deps): bump github.com/moby/buildkit from v0.10.6 to v0.11.0 (#3411)
• 6bc564e fix(image): handle wrong empty layer detection (#3375)
• b3b8d4d test: fix integration tests for spdx and cycloneDX (#3412)
• b88bcca feat(python): Include Conda packages in SBOMs (#3379)
• fbd8a13 feat: add support pubspec.lock files for dart (#3344)
• 0f545cf fix(image): parsePlatform is failing with UNAUTHORIZED error (#3326)
• 76c883d fix(license): change normalize for GPL-3+-WITH-BISON-EXCEPTION (#3405)
• a8b671b feat(server): log errors on server side (#3397)
• a5919ca chore(deps): bump defsec to address helm vulnerabilities (#3399)
• 89016da docs: rewrite installation docs and general improvements (#3368)
• c3759c6 chore: update code owners (#3393)
• 044fb97 chore: test docs separately from code (#3392)
• ad2e648 docs: use the formula maintained by Homebrew (#3389)
• ad25a77 docs: add Security Management section with SonarQube plugin

v0.36.1

Changelog

• 9039df4 fix(deps): fix errors on yarn.lock files that contain local file reference (#3384)
• 60cf4fe feat(flag): early fail when the format is invalid (#3370)
• 9470e3c chore(deps): bump github.com/aws/aws-sdk-go from 1.44.136 to 1.44.171 (#3366)
• d274d15 docs(aws): fix broken links (#3374)
• 2a870f8 chore(deps): bump actions/stale from 6 to 7 (#3360)
• 5974023 chore(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#3359)
• 02aa8c2 chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.6.0 to 0.7.0 (#2974)
• 6e6171f chore(deps): bump azure/setup-helm from 3.4 to 3.5 (#3358)
• 066f277 chore(deps): bump github.com/moby/buildkit from 0.10.4 to 0.10.6 (#3173)
• 8cc3284 chore(deps): bump goreleaser/goreleaser-action from 3 to 4 (#3357)
• 8d71346 chore(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.14 (#3367)
• 5b944d2 chore(go): updates wazero to v1.0.0-pre.7 (#3355)
• 9c645b9 chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#3362)
• e2cd782 chore(deps): bump actions/cache from 3.0.11 to 3.2.2 (#3356)

v0.36.0

Changelog

• 4813cf5 docs: improve compliance docs (#3340)
• 025e509 feat(deps): add yarn lock dependency tree (#3348)
• 4d59a1e fix: compliance change id and title naming (#3349)
• eaa5bcf feat: add support for mix.lock files for elixir language (#3328)
• a888440 feat: add k8s cis bench (#3315)
• 62b369e test: disable SearchLocalStoreByNameOrDigest test for non-amd64 arch (#3322)
• c110c4e revert: cache merged layers (#3334)
• bc759ef feat(cyclonedx): add recommendation (#3336)
• fe3831e feat(ubuntu): added support ubuntu ESM versions (#1893)
• b0cebec fix: change logic to build relative paths for skip-dirs and skip-files (#3331)
• a66d3fe chore(deps): bump github.com/hashicorp/golang-lru from 0.5.4 to 2.0.1 (#3265)
• 5190f95 feat: Adding support for Windows testing (#3037)
• b00f3c6 feat: add support for Alpine 3.17 (#3319)
• a70f885 docs: change PodFile.lock to Podfile.lock (#3318)
• 1ec1fe6 fix(sbom): support for the detection of old CycloneDX predicate type (#3316)
• 68eda79 feat(secret): Use .trivyignore for filtering secret scanning result (#3312)
• b95d435 chore(go): remove experimental FS API usage in Wasm (#3299)
• ac6b7c3 ci: add workflow to add issues to roadmap project (#3292)
• cfabdf9 fix(vuln): include duplicate vulnerabilities with different package paths in the final report (#3275)
• 56e3d8d chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#3250)
• bbccb44 feat(sbom): better support for third-party SBOMs (#3262)
• e879b06 docs: add information about languages with support for dependency locations (#3306)
• e92266f feat(vm): add region option to vm scan to be able to scan any region's ami and ebs snapshots (#3284)
• 01c7fb1 chore(deps): bump github.com/Azure/azure-sdk-for-go from 66.0.0+incompatible to 67.1.0+incompatible (#3251)
• 23d0613 fix(vuln): change severity vendor priority for ghsa-ids and vulns from govuln (#3255)
• 407c240 docs: remove comparisons (#3289)
• 93c5d2d feat: add support for Wolfi Linux (#3215)
• 2809794 ci: add go.mod to canary workflow (#3288)
• 08b55c3 feat(python): skip dev dependencies (#3282)
• 52300e6 chore: update ubuntu version for Github action runnners (#3257)
• a7ac6ac fix(go): skip dep without Path for go-binaries (#3254)
• 4436a20 feat(rust): add ID for cargo pgks (#3256)
• 34d505a chore(deps): bump github.com/samber/lo from 1.33.0 to 1.36.0 (#3263)
• ea95602 chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#3253)
• aea298b feat: add support for swift cocoapods lock files (#2956)
• c67fe17 fix(sbom): use proper constants (#3286)
• f907255 chore(deps): bump golang.org/x/term from 0.1.0 to 0.3.0 (#3278)
• 8f95743 test(vm): import relevant analyzers (#3285)
• 8744534 feat: support scan remote repository (#3131)
• c278d86 docs: fix typo in fluxcd (#3268)
• fa2281f docs: fix broken "ecosystem" link in readme (#3280)
• a3eece4 feat(misconf): Add compliance check support (#3130)
• 7a6cf5a docs: Adding Concourse resource for trivy (#3224)
• dd26bd2 chore(deps): change golang from 1.19.2 to 1.19 (#3249)
• cbba6d1 fix(sbom): duplicate dependson (#3261)
• fa2e3ac chore(deps): bump alpine from 3.16.2 to 3.17.0 (#3247)
• 5c43475 chore(go): updates wazero to 1.0.0-pre.4 (#3242)
• d29b0ed feat(report): add dependency locations to sarif format (#3210)
• 967e32f fix(rpm): add rocky to osVendors (#3241)
• 9477416 docs: fix a typo (#3236)
• 97ce61e feat(dotnet): add dependency parsing for nuget lock files (#3222)
• 17e13c4 docs: add pre-commit hook to community tools (#3203)
• b1a2c4e feat(helm): pass arbitrary env vars to trivy (#3208)

v0.35.0

Changelog

• bd30e98 chore(vm): update xfs filesystem parser for change log (#3230)
• 22d92e4 feat: add virtual machine scan command (#2910)
• 531eaa8 docs: reorganize index and readme (#3026)
• 8569d43 fix: slowSizeThreshold should be less than defaultSizeThreshold (#3225)
• 604a73d feat: Export functions for trivy plugin (#3204)
• 7594b1f feat(image): add support wildcard for platform os (#3196)
• fd5cafb fix: load compliance report from file system (#3161)
• 6ab9380 fix(suse): use package name to get advisories (#3199)
• 4a5d643 docs(image): space issues during image scan (#3190)
• 2206e00 feat(containerd): scan image by digest (#3075)
• 861bc03 fix(vuln): add package name to title (#3183)
• f115895 fix: present control status instead of compliance percentage in compliance report (#3181)
• cc8cef1 perf(license): remove go-enry/go-license-detector. (#3187)
• a0033f6 fix: workdir command as empty layer (#3087)
• cb5744d docs: reorganize ecosystem section (#3025)
• 1ddd6d3 feat(dotnet): add support dependency location for dotnet-core files (#3095)
• 30c8d75 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.114 to 1.44.136 (#3174)
• 8e7b44f chore(deps): bump github.com/testcontainers/testcontainers-go from 0.13.0 to 0.15.0 (#3109)
• dfff371 feat(dotnet): add support dependency location for nuget lock files (#3032)
• eb571fd chore: update code owners for misconfigurations (#3176)
• 7571783 feat: add slow mode (#3084)
• 01df475 docs: fix typo in enable-builin-rules mentions (#3118)
• 6b3be15 feat: Add maintainer field to OS packages (#3149)
• 9ebdc51 docs: fix some typo (#3171)
• 42e81ad chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.17.8 to 1.18.0 (#3175)
• 55ec898 chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#3112)
• 0644ceb docs: fix links on Built-in Policies page (#3124)
• 50af7a2 chore(deps): bump github.com/go-openapi/runtime from 0.24.1 to 0.24.2 (#3117)
• c455d14 chore(deps): bump github.com/samber/lo from 1.28.2 to 1.33.0 (#3116)
• 8fb9d31 fix: Perform filepath.Clean first and then filepath.ToSlash for skipFile/skipDirs settings (#3144)
• 8562b8c chore: use newline for semantic pr (#3172)
• aff9a3e chore(deps): bump azure/setup-helm from 3.3 to 3.4 (#3107)
• 001671e chore(deps): bump sigstore/cosign-installer from 2.7.0 to 2.8.1 (#3106)
• 4e7ab48 chore(deps): bump amannn/action-semantic-pull-request from 4 to 5 (#3105)
• a6091a7 chore(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (#3104)
• 6da148c fix(spdx): rename describes field in spdx (#3102)
• df9cf88 chore: handle GOPATH with several paths in make file (#3092)
• 32fe108 docs(flag): add "rego" configuration file options (#3165)
• 8fcca9c chore(go): updates wazero to 1.0.0-pre.3 (#3090)
• 02f77bc chore(deps): bump actions/cache from 3.0.9 to 3.0.11 (#3108)
• aa3ff09 docs(license): fix typo inside quick start (#3134)
• f26b452 chore: update codeowners for docs (#3135)
• 3b6d7d8 fix(cli): exclude --compliance flag from non supported sub-commands (#3158)
• e9a2549 fix: remove --security-checks none from image help (#3156)
• 3aa1912 fix: compliance flag description (#3160)
• fc82057 docs(k8s): fix a typo (#3163)
• 3a1f05e chore(deps): bump golang from 1.19.1 to 1.19.2 (#3103)

v0.34.0

Changelog

• 7912f58 feat(vuln): support dependency graph for RHEL/CentOS (#3094)
• 9468056 feat(vuln): support dependency graph for dpkg and apk (#3093)
• 7cc83cc perf(license): enable license classifier only with "--license-full" (#3086)
• 5b975de feat(report): add secret scanning to ASFF template (#2860)
• b6cef12 feat: Allow override of containerd namespace (#3060)
• 0765148 fix(vuln): In alpine use Name as SrcName (#3079)
• 9e649b8 fix(secret): Alibaba AccessKey ID (#3083)

v0.33.0

Changelog

• af89249 refactor(k8s): custom reports (#3076)
• f4e970f fix(misconf): Bump in-toto-golang with correct CycloneDX predicate (#3068)
• 8ae4627 feat(image): add support for passing architecture and OS (#3012)
• 0501e70 test: disable containerd integration tests for non-amd64 arch (#3073)
• a377c8d feat(server): Add support for client/server mode to rootfs command (#3021)
• 02a73f0 feat(vuln): support non-packaged binaries (#3019)
• 18581f3 feat: compliance reports (#2951)
• 63b8e4d fix(flag): disable flag parsing for each plugin command (#3074)
• cbedd71 feat(nodejs): add support dependency location for yarn.lock files (#3016)
• b22e37e chore: Switch github.com/liamg dependencies to github.com/aquasecurity (#3069)
• 9b0e979 feat: add k8s components (#2589)
• 5e25182 fix(secret): update the regex for secrets scanning (#2964)
• 9947e51 chore(deps): bump github.com/samber/lo from 1.27.1 to 1.28.2 (#2979)
• d2a15a7 fix: bump trivy-kubernetes (#3064)
• f2efc9c docs: fix missing 'image' subcommand (#3051)
• 34653c7 chore: Patch golang x/text vulnerability (#3046)
• e252ea8 chore: add licensed project logo (#3058)
• 439d216 feat(ubuntu): set Ubuntu 22.10 EOL (#3054)
• 9f5113a refactor(analyzer): use strings.TrimSuffix instead of strings.HasSuffix (#3028)
• c1e24d5 feat(report): Use understandable value for shortDescription in SARIF reports (#3009)
• 212af07 docs(misconf): fix typo (#3043)
• 68f374a feat: add support for scanning azure ARM (#3011)
• d35c668 feat(report): add location.message to SARIF output (#3002) (#3003)
• 2150ffc chore(deps): bump github.com/aws/aws-sdk-go from 1.44.95 to 1.44.109 (#2980)
• ca434f7 feat(nodejs): add dependency line numbers for npm lock files (#2932)
• a8ff5f0 test(fs): add --skip-files, --skip-dirs (#2984)
• 561b2e7 docs: add Woodpecker CI integrations example (#2823)
• 4a3583d chore(deps): bump github.com/sigstore/rekor from 0.12.0 to 0.12.2 (#2981)
• 4be9eeb chore(deps): bump github.com/liamg/memoryfs from 1.4.2 to 1.4.3 (#2976)
• a260d35 chore(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 (#2975)
• 558189f chore(deps): bump github.com/caarlos0/env/v6 from 6.10.0 to 6.10.1 (#2982)
• c2eb6ee fix(sbom): ref generation if serialNumber is empty when input is cyclonedx file (#3000)
• 68f7952 fix(java): don't stop parsing jar file when wrong inner jar is found (#2989)
• be78da6 fix(sbom): use nuget purl type for dotnet-core (#2990)
• 92b5a19 perf: retrieve rekor entries in bulk (#2987)
• babd7e7 feat(aws): Custom rego policies for AWS scanning (#2994)
• 8ad9b8a docs: jq cli formatting (#2881)
• a78684c docs(repo): troubleshooting $TMPDIR customization (#2985)
• 7309ed0 chore(deps): bump actions/cache from 3.0.8 to 3.0.9 (#2969)
• 9515a5c chore(deps): bump actions/stale from 5 to 6 (#2970)
• 955aff6 chore(deps): bump sigstore/cosign-installer from 2.5.1 to 2.7.0 (#2971)
• db56d23 chore(deps): bump helm/chart-testing-action from 2.3.0 to 2.3.1 (#2972)
• 05a7232 chore(deps): bump helm/kind-action from 1.3.0 to 1.4.0 (#2973)
• 2c39d47 chore: run go fmt (#2897)
• 16a7dc1 chore(go): updates wazero to 1.0.0-pre.2 (#2955)
• ce4ba7c fix(aws): Less function for slice sorting always returns false #2967
• 4ffe746 fix(java): fix unmarshal pom exclusions (#2936)

v0.32.1

Changelog

• 8b1cee8 fix(java): use fields of dependency from dependencyManagement from upper pom.xml to parse deps (#2943)
• f5cbbb3 chore: expat lib and go binary deps vulns (#2940)
• 6882bdf wasm: Removes accidentally exported memory (#2950)
• 6ea9a61 fix(sbom): fix package name separation for gradle (#2906)
• 3ee4c96 docs(readme.md): fix broken integrations link (#2931)
• 5745961 fix(image): handle images with single layer in rescan mergedLayers cache (#2927)
• e01253d fix(cli): split env values with ',' for slice flags (#2926)
• 0c1a42d fix(cli): config/helm: also take into account files with .yml (#2928)
• 237b8dc fix(flag): add file-patterns flag for config subcommand (#2925)
• 047a0b3 chore(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.43.1 (#2902)

v0.32.0

Changelog

• 585985e docs: add Rekor SBOM attestation scanning (#2893)
• d30fa00 chore: narrow the owner scope (#2894)
• 38c1513 fix: remove a patch number from the recommendation link (#2891)
• ba29ce6 fix: enable parsing of UUID-only rekor entry ID (#2887)
• 018eda6 docs(sbom): add SPDX scanning (#2885)
• 20f1e59 docs: restructure docs and add tutorials (#2883)
• 192fd78 feat(sbom): scan sbom attestation in the rekor record (#2699)
• 597836c feat(k8s): support outdated-api (#2877)
• 6c7bd67 chore(deps): bump github.com/moby/buildkit from 0.10.3 to 0.10.4 (#2815)
• 4127043 fix(c): support revisions in Conan parser (#2878)
• b677d7e feat: dynamic links support for scan results (#2838)
• 8e03bbb chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 (#2818)
• 27005c7 docs: update archlinux commands (#2876)
• b6e394d feat(secret): add line from dockerfile where secret was added to secret result (#2780)
• 9f6680a feat(sbom): Add unmarshal for spdx (#2868)
• db0aaf1 chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#2827)
• bb3220c fix: revert asff arn and add documentation (#2852)
• c51f2b8 docs: batch-import-findings limit (#2851)
• 552732b chore(deps): bump golang from 1.19.0 to 1.19.1 (#2872)
• 3165c37 feat(sbom): Add marshal for spdx (#2867)
• dac2b4a build: checkout before setting up Go (#2873)
• 39f83af chore: bump Go to 1.19 (#2861)
• 0ce9583 docs: azure doc and trivy (#2869)
• 2f37961 fix: Scan tarr'd dependencies (#2857)
• db14ef3 chore(helm): helm test with ingress (#2630)
• acb65d5 feat(report): add secrets to sarif format (#2820)
• a18cd7c chore(deps): bump azure/setup-helm from 1.1 to 3.3 (#2807)
• 2de903c refactor: add a new interface for initializing analyzers (#2835)
• 63c3b8e chore(deps): bump github.com/aws/aws-sdk-go from 1.44.77 to 1.44.92 (#2840)
• 6717665 fix: update ProductArn with account id (#2782)
• 41a8496 feat(helm): make cache TTL configurable (#2798)
• 0f1f2c1 build(): Sign releaser artifacts, not only container manifests (#2789)
• b389a6f chore: improve doc about azure devops (#2795)
• 9ef9fce chore(deps): bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (#2804)
• 7b3225d chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.16.11 to 1.16.14 (#2828)
• 37733ed chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#2825)
• 44d7e8d docs: don't push patch versions (#2824)
• 4839075 feat: add support for conan.lock file (#2779)
• 6b4ddaa feat: cache merged layers
• a18f398 chore(deps): bump helm/chart-testing-action from 2.2.1 to 2.3.0 (#2805)
• 4dcce14 chore(deps): bump actions/cache from 3.0.5 to 3.0.8 (#2806)
• db45447 chore(deps): bump github.com/caarlos0/env/v6 from 6.9.3 to 6.10.0 (#2811)
• a246d0f chore(deps): bump github.com/aquasecurity/table from 1.7.2 to 1.8.0 (#2810)
• 1800017 chore(deps): bump github.com/samber/lo from 1.27.0 to 1.27.1 (#2808)
• 218e41a chore(deps): bump github.com/alicebob/miniredis/v2 from 2.22.0 to 2.23.0 (#2814)
• a000ade feat: add support for gradle.lockfile (#2759)
• 43113bc chore(mod): updates wazero to 1.0.0-pre.1 #2791
• 5f0bf14 feat: move file patterns to a global level to be able to use it on any analyzer (#2539)
• 2580ea1 Fix url validaton failures (#2783)
• 2473b2c fix(image): add logic to detect empty layers (#2790)
• 9d018d4 feat(rust): add dependency graph from Rust binaries (#2771)