Prepare for v0.30.0

[knqyf263]

The release note of v0.30.0

💔 BREAKING CHANGES 💔

Change trivy sbom to scan SBOM for vulnerabilities

Please replace trivy sbom with --format cyclonedx, --format spdx, etc.

Before

$ trivy sbom --sbom-format cyclonedx --artifact-type image alpine:3.15

After

$ trivy image --format cyclonedx alpine:3.15

See here for the detail.

🚀 What's new? 🚀

🎊 Config file support (trivy.yaml) 🦖

Trivy loads trivy.yaml if it exists in the current directory. You can change the config path via --config.

$ cat << EOS > trivy.yaml
timeout: 20m
format: json
dependency-tree: true
list-all-pkgs: true
exit-code: 1
output: result.json
severity:
  - HIGH
  - CRITICAL
scan:
  skip-dirs:
    - /lib64
    - /lib
    - /usr/lib
    - /usr/include

  security-checks:
    - vuln
    - secret
vulnerability:
  type:
    - os
    - library
  ignore-unfixed: true
EOS
$ trivy image YOUR_IMAGE

Trivy uses the following precedence order. Each item takes precedence over the item below it:

• flag
• env
• config

See the doc for more details.

👮 License scanning 📄

Trivy scans any container image for licenses and offers an opinionated view on the risk associated with the license. License are classified using the Google License Classification

To enable license scanning, you can pass --security-checks license.

$ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
2022-07-13T17:28:39.526+0300    INFO    License scanning is enabled

OS Packages (license)
=====================
Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)

┌───────────────────┬─────────┬────────────────┬──────────┐
│      Package      │ License │ Classification │ Severity │
├───────────────────┼─────────┼────────────────┼──────────┤
│ alpine-baselayout │ GPL-2.0 │ Restricted     │ HIGH     │
├───────────────────┤         │                │          │
│ apk-tools         │         │                │          │
├───────────────────┤         │                │          │
│ busybox           │         │                │          │
├───────────────────┤         │                │          │
│ musl-utils        │         │                │          │
├───────────────────┤         │                │          │
│ scanelf           │         │                │          │
├───────────────────┤         │                │          │
│ ssl_client        │         │                │          │
└───────────────────┴─────────┴────────────────┴──────────┘

You can also customize the classification through trivy.yaml. See here for more details.

🌀 Scan CycloneDX for vulnerabilities 🌀

Trivy can take a CycloneDX JSON as input to scan for vulnerabilities.

$ trivy image --format cyclonedx --output cyclonedx.json alpine:3.15
$ trivy sbom cyclonedx.json

cyclonedx.json (alpine 3.7.1)
=========================
Total: 3 (CRITICAL: 3)

┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl        │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0         │ 7.61.1-r0     │ curl: NTLM password overflow via integer overflow            │
│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-14618                   │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2      │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457  │ CRITICAL │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Note: SPDX is not yet supported.

📦 pnpm support 🟨

Trivy added support for pnpm. It scans pnpm-lock.yaml for vulnerabilities.

$ trivy fs pnpm-lock.yaml
2022-07-13T15:57:53.598+0300    INFO    Vulnerability scanning is enabled
...
2022-07-13T15:57:53.642+0300    INFO    Number of language-specific files: 1
2022-07-13T15:57:53.642+0300    INFO    Detecting pnpm vulnerabilities...

pnpm-lock.yaml (pnpm)

Total: 10 (UNKNOWN: 0, LOW: 1, MEDIUM: 5, HIGH: 3, CRITICAL: 1)

Note: Image scanning doesn't look for pnpm-lock.yaml

🐦 Amazon Linux 2022 🥈🥈

$ trivy image --severith HIGH public.ecr.aws/amazonlinux/amazonlinux:2022.0.20220308.1
2022-06-30T17:37:25.120+0600    INFO    Vulnerability scanning is enabled
...
2022-06-30T17:37:26.855+0600    INFO    Detected OS: amazon
2022-06-30T17:37:26.855+0600    INFO    Detecting Amazon Linux vulnerabilities...

public.ecr.aws/amazonlinux/amazonlinux:2022.0.20220308.1 (amazon 2022 (Amazon Linux))
=====================================================================================
Total: 2 (HIGH: 2)

┌──────────────┬───────────────┬──────────┬─────────────────────┬────────────────────────┬───────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability │ Severity │  Installed Version  │     Fixed Version      │                           Title                           │
├──────────────┼───────────────┼──────────┼─────────────────────┼────────────────────────┼───────────────────────────────────────────────────────────┤
│ openssl-libs │ CVE-2022-0778 │ HIGH     │ 1:1.1.1l-2.amzn2022 │ 1:3.0.0-1.amzn2022.0.1 │ Package updates are available for Amazon Linux 2 that fix │
│              │               │          │                     │                        │ the following...                                          │
│              │               │          │                     │                        │ https://avd.aquasec.com/nvd/cve-2022-0778                 │
├──────────────┼───────────────┤          ├─────────────────────┼────────────────────────┼───────────────────────────────────────────────────────────┤
│ xz-libs      │ CVE-2022-1271 │          │ 5.2.5-5.amzn2022    │ 5.2.5-9.amzn2022       │ Package updates are available for Amazon Linux 2 that fix │
│              │               │          │                     │                        │ the following...                                          │
│              │               │          │                     │                        │ https://avd.aquasec.com/nvd/cve-2022-1271                 │
└──────────────┴───────────────┴──────────┴─────────────────────┴────────────────────────┴───────────────────────────────────────────────────────────┘

🕸️ Support for .Net core .deps.json 🎤

.Net core generates a [appname].deps.json alongside the executable which contains the dependencies of that executable. Trivy now scans .deps.json for vulnerabilities.

$ trivy image mcr.microsoft.com/dotnet/sdk:6.0
...

usr/share/dotnet/sdk/6.0.301/datacollector.deps.json (dotnet-core)
==================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
┌─────────────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library     │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                       Title                       │
├─────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ Newtonsoft.Json │ GHSA-5crp-9r3c-p9vr │ HIGH     │ 9.0.1             │ 13.0.1        │ Improper Handling of Exceptional Conditions in    │
│                 │                     │          │                   │               │ Newtonsoft.Json                                   │
│                 │                     │          │                   │               │ https://github.com/advisories/GHSA-5crp-9r3c-p9vr │
└─────────────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

📦 dpkg license 📃

Trivy detects licenses in Debian packages.

$ trivy --format spdx debian:9
...
2022-07-13T16:15:02.604+0300    INFO    Vulnerability scanning is enabled
2022-07-13T16:15:06.291+0300    INFO    Detected OS: debian
2022-07-13T16:15:06.292+0300    INFO    Detecting Debian vulnerabilities...
...

PackageName: sysvinit-utils
SPDXID: SPDXRef-e37e9adce1d141fa
PackageVersion: 2.88dsf-59.9
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2
PackageLicenseDeclared: GPL-2

##### Package: zlib1g

PackageName: zlib1g
SPDXID: SPDXRef-e4efc8cbc0a152e5
PackageVersion: 1:1.2.8.dfsg-5
FilesAnalyzed: false
PackageLicenseConcluded: Zlib
PackageLicenseDeclared: Zlib

🚀 RBAC Assessment Table

A new and designated table view for Rbac assessment has been introduce :

$ trivy k8s --report summary cluster
...

Summary Report for rancher-desktop
┌─────────────┬─────────────────────────────────────────────────────┬───────────────────┐
│  Namespace  │                      Resource                       │  RBAC Assessment  │
│             │                                                     ├───┬───┬───┬───┬───┤
│             │                                                     │ C │ H │ M │ L │ U │
├─────────────┼─────────────────────────────────────────────────────┼───┼───┼───┼───┼───┤
│ kube-system │ Role/system:controller:token-cleaner                │ 1 │   │   │   │   │
│ kube-system │ Role/system::leader-locking-kube-controller-manager │   │   │ 1 │   │   │
│ kube-system │ Role/system:controller:bootstrap-signer             │ 1 │   │   │   │   │
│ kube-system │ Role/system:controller:cloud-provider               │   │   │ 1 │   │   │
│ kube-system │ Role/system::leader-locking-kube-scheduler          │   │   │ 1 │   │   │
└─────────────┴─────────────────────────────────────────────────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

[chen-keinan]

🚀 RBAC Assessment new Table view

A new and designated table view for Rbac assessment has been introduce :

trivy k8s --report summary cluster

Summary Report for rancher-desktop
┌─────────────┬─────────────────────────────────────────────────────┬───────────────────┐
│  Namespace  │                      Resource                       │  RBAC Assessment  │
│             │                                                     ├───┬───┬───┬───┬───┤
│             │                                                     │ C │ H │ M │ L │ U │
├─────────────┼─────────────────────────────────────────────────────┼───┼───┼───┼───┼───┤
│ kube-system │ Role/system:controller:token-cleaner                │ 1 │   │   │   │   │
│ kube-system │ Role/system::leader-locking-kube-controller-manager │   │   │ 1 │   │   │
│ kube-system │ Role/system:controller:bootstrap-signer             │ 1 │   │   │   │   │
│ kube-system │ Role/system:controller:cloud-provider               │   │   │ 1 │   │   │
│ kube-system │ Role/system::leader-locking-kube-scheduler          │   │   │ 1 │   │   │
└─────────────┴─────────────────────────────────────────────────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN