Prepare for v0.37.0

[knqyf263]

Draft to collaborate on v0.37.0 release announcement

🛫 Deprecation 🌆

--security-checks flag

--security-checks was renamed to --scanners.

Before

$ trivy image --security-checks vuln [YOUR_IMAGE_NAME]

After

$ trivy image --scanners vuln [YOUR_IMAGE_NAME]

🚀 What's new? 🚀

🧾 Complete CIS Kubernetes Benchmark (include host-level checks ) ⎈

This release provides the complete CIS Kubernetes Benchmark report including "host-level checks" which bring Trivy compatible with kube-bench.

$ trivy k8s --report summary cluster --compliance k8s-cis
161 / 161 [------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1 p/s

Summary Report for compliance: CIS Kubernetes Benchmarks v1.23
┌────────┬──────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────┬────────┐
│   ID   │ Severity │                                                  Control Name                                                   │ Status │ Issues │
├────────┼──────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼────────┤
│ 1.1.1  │ HIGH     │        Ensure that the API server pod specification file permissions are set to 600 or more restrictive         │  PASS  │   0    │
│ 1.1.2  │ HIGH     │                 Ensure that the API server pod specification file ownership is set to root:root                 │  FAIL  │   1    │
│ 1.1.3  │ HIGH     │    Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive     │  PASS  │   0    │
│ 1.1.4  │ HIGH     │             Ensure that the controller manager pod specification file ownership is set to root:root             │  PASS  │   0    │
│ 1.1.5  │ HIGH     │         Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive         │  FAIL  │   1    │
│ 1.1.6  │ HIGH     │                 Ensure that the scheduler pod specification file ownership is set to root:root                  │  PASS  │   0    │
│ 1.1.7  │ HIGH     │           Ensure that the etcd pod specification file permissions are set to 600 or more restrictive            │  PASS  │   0    │
│ 1.1.8  │ HIGH     │                    Ensure that the etcd pod specification file ownership is set to root:root                    │  PASS  │   0    │
│ 1.1.9  │ HIGH     │         Ensure that the Container Network Interface file permissions are set to 600 or more restrictive         │  FAIL  │   1    │
│ 1.1.10 │ HIGH     │                 Ensure that the Container Network Interface file ownership is set to root:root                  │  PASS  │   0    │
│ 1.1.11 │ HIGH     │               Ensure that the etcd data directory permissions are set to 700 or more restrictive                │  PASS  │   0    │
│ 1.1.12 │ LOW      │                        Ensure that the etcd data directory ownership is set to etcd:etcd                        │  FAIL  │   1    │
│ 1.1.13 │ CRITICAL │                           Ensure that the admin.conf file permissions are set to 600                            │  PASS  │   0    │
│ 1.1.14 │ CRITICAL │                          Ensure that the admin.conf file ownership is set to root:root                          │  PASS  │   0    │

🐳 Docker CIS Benchmark 📝

Trivy support Docker CIS Benchmark. You can enable it with --compliance docker-cis. It detects issues on container images.

bash-3.2$ trivy image --compliance docker-cis vuln-image
2023-02-01T12:43:43.905+0900	INFO	Container image config scanners: ["config"]
2023-02-01T12:43:43.905+0900	INFO	Misconfiguration scanning is enabled
2023-02-01T12:43:44.071+0900	INFO	Detected config files: 1

Summary Report for compliance: CIS Docker Community Edition Benchmark v1.1.0
┌──────┬──────────┬────────────────────────────────────────────────────────────────────────────┬────────┬────────┐
│  ID  │ Severity │                                Control Name                                │ Status │ Issues │
├──────┼──────────┼────────────────────────────────────────────────────────────────────────────┼────────┼────────┤
│ 4.1  │   HIGH   │ Ensure a user for the container has been created                           │  FAIL  │   1    │
│ 4.2  │   HIGH   │ Ensure that containers use trusted base images (Manual)                    │   -    │   -    │
│ 4.3  │   HIGH   │ Ensure unnecessary packages are not installed in the container (Manual)    │   -    │   -    │
│ 4.4  │ CRITICAL │ Ensure images are scanned and rebuilt to include security patches (Manual) │   -    │   -    │
│ 4.5  │   LOW    │ Ensure Content trust for Docker is Enabled (Manual)                        │   -    │   -    │
│ 4.6  │   LOW    │ Ensure HEALTHCHECK instructions have been added to the container image     │  FAIL  │   1    │
│ 4.7  │   HIGH   │ Ensure update instructions are not use alone in the Dockerfile             │  PASS  │   0    │
│ 4.8  │   HIGH   │ Ensure setuid and setgid permissions are removed in the images (Manual)    │   -    │   -    │
│ 4.9  │   LOW    │ Ensure COPY is used instead of ADD in Dockerfile                           │  FAIL  │   1    │
│ 4.10 │ CRITICAL │ Ensure secrets are not stored in Dockerfiles (Manual)                      │   -    │   -    │
│ 4.11 │  MEDIUM  │ Ensure verified packages are only Installed (Manual)                       │   -    │   -    │
└──────┴──────────┴────────────────────────────────────────────────────────────────────────────┴────────┴────────┘

Note: Some checkes are not supported at the moment. It will be coming soon.

👮‍♂️ Misconfiguration scanning on container image config 🤘

Trivy now detects misconfigurations on image configuration. --image-config-scanners config enables this feature. Trivy tries to restore the original Dockerfile from the configuration and scan against it. You can see the history with docker history [YOUR_IMAGE_NAME].

bash-3.2$ trivy image --scanners none --image-config-scanners config vuln-image
2023-02-01T12:45:49.030+0900	INFO	Container image config scanners: ["config"]
2023-02-01T12:45:49.030+0900	INFO	Misconfiguration scanning is enabled
2023-02-01T12:45:49.161+0900	INFO	Detected config files: 1

vuln-image (dockerfile)
=======================
Tests: 24 (SUCCESSES: 21, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Consider using 'COPY file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /' command instead of 'ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /'
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.

See https://avd.aquasec.com/misconfig/ds005
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 vuln-image:1
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Add HEALTHCHECK instruction in your Dockerfile
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

The above example passes --scanners none so it can disable scanners on files inside the container image, but you can also enable it like trivy --scanners vuln --image-config-scanners config [YOUR_IMAGE_NAME].

🔒 Secret scanning on container image config ㊙️

Trivy now detects secrets on image configuration. --image-config-scanners secret enables this feature. It is especially useful to detect credentials in environmental variables. You can see the environmental variables of your image with docker inspect [YOUR_IMAGE_NAME].

bash-3.2$ trivy image --scanners none --image-config-scanners secret vuln-image
2023-02-01T12:47:09.047+0900	INFO	Container image config scanners: ["secret"]

vuln-image (secrets)
====================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

CRITICAL: GitHub (github-pat)
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
GitHub Personal Access Token
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 vuln-image:16
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  14     {
  15     "created": "2023-01-09T17:05:20Z",
  16 [   "created_by": "ENV secret=****************************************",
  17     "comment": "buildkit.dockerfile.v0",
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: GitHub (github-pat)
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
GitHub Personal Access Token
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 vuln-image:34
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  32     "Env": [
  33     "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
  34 [   "secret=****************************************"
  35     ]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

The above example passes --scanners none so it can disable scanners on files inside the container image, but you can also enable it like trivy --scanners vuln --image-config-scanners secret [YOUR_IMAGE_NAME].

🐍 Conda support for SBOM

Trivy looks for conda packages in container images (and root fileysystem), extract the information and put them into SBOM.

$ trivy image --format cyclonedx conda-image
2023-02-01T13:22:20.432+0900	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:6c699245-c372-4552-928e-1dea0bc3a150",
  "version": 1,
  "metadata": {
    "timestamp": "2023-02-01T04:22:20+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "dev"
      }
    ],
    "component": {
    ...
          {
      "bom-ref": "pkg:conda/[email protected]?file_path=miniconda3%2Fenvs%2Ftestenv%2Fconda-meta%2Fpip-22.2.2-py38h06a4308_0.json",
      "type": "library",
      "name": "pip",
      "version": "22.2.2",
      "licenses": [
        {
          "expression": "MIT"
        }
      ],
      "purl": "pkg:conda/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "conda-pkg"
        },
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "miniconda3/envs/testenv/conda-meta/pip-22.2.2-py38h06a4308_0.json"
        },
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:9711caaf174f8bcf1b897b9f788299edf77fc301d1bd11a8e81fad690a949167"
        }
      ]
    }
    ...

Note: Vulnerability detection in conda packages is not supported. The conda packages are included in SBOM.

🎯 Dart (pubspec.lock) support for vulnerability detection

Trivy now scans pubspec.lock for vulnerabilities.

bash-3.2$ trivy fs ./pubspec.lock
2023-02-01T13:35:32.649+0900	INFO	Vulnerability scanning is enabled
2023-02-01T13:35:32.707+0900	INFO	Number of language-specific files: 1
2023-02-01T13:35:32.707+0900	INFO	Detecting pub vulnerabilities...

pubspec.lock (pub)
==================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                       Title                       │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ http    │ CVE-2020-35669 │ MEDIUM   │ 0.13.2            │ 0.13.3        │ http before 0.13.3 vulnerable to header injection │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-35669        │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

☕ Java Index Database 🍡

Trivy used to rely on the third-party API for JAR (Java) scanning. It was leading to slow and unstable scanning. See here for the detail. The --offline-scan flag mitigates the issues, but the result accuracy gets worse.
After all, we decided to build the Java index database and distribute it [on GitHub(https://github.com/aquasecurity/trivy-java-db). When Trivy finds JAR files while scanning, it downloads the Java database and use it for JAR scanning. It means you can get accurate results even under air-gapped environment if you download the Java database and put it in advance.

$ trivy image --scanners vuln jenkins:2.60.3-alpine --severity CRITICAL --timeout 10m
2023-02-01T17:19:40.156+0900    INFO    Vulnerability scanning is enabled
2023-02-01T17:19:43.883+0900    INFO    JAR files found
2023-02-01T17:19:43.886+0900    INFO    Downloading the Java DB...
351.07 MiB / 351.07 MiB [---------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 9.20 MiB p/s 38s
2023-02-01T17:20:23.723+0900    INFO    The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2023-02-01T17:20:23.727+0900    INFO    Analyzing JAR files takes a while...

--download-java-db-only and --skip-java-db-update flags like the vulnerability database were also added.

See here for more details.

📈 Automatic policy bundle fetching

This release adds the ability for Trivy to fetch newly published polices, when needed, automatically as a bundle.

$ trivy conf <path/to/scan>
2023-01-31T15:59:10.522-0800    INFO    Misconfiguration scanning is enabled
2023-01-31T15:59:14.748-0800    INFO    Need to update the built-in policies
2023-01-31T15:59:14.748-0800    INFO    Downloading the built-in policies...
37.92 KiB / 37.92 KiB [--------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2023-01-31T15:59:15.996-0800    DEBUG   Policies successfully loaded from disk

Yo can disable this behaviour with the --skip-policy-update flag. In this case Trivy will use embedded polices as it does today.

🧩 Improved schema support for policies

This release enables support for Rego schema input via Rego Metadata as per the OPA convention

$ trivy conf --config-policy=/Users/simar/repos/foo   /Users/simar/repos/defsec/test/testdata/dockerfile/DS005 
2023-01-31T16:02:33.635-0800    INFO    Misconfiguration scanning is enabled
2023-01-31T16:02:34.383-0800    INFO    Detected config files: 2

LOW: Consider using 'COPY "/target/app.jar" "app.jar"' command instead of 'ADD "/target/app.jar" "app.jar"'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
This is a custom policy that does the same as AVD-DS-0005

See https://avd.aquasec.com/misconfig/ds999
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile.denied:4
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   4 [ ADD "/target/app.jar" "app.jar"
───────────────────────────────────────

Where the foo directory holds a custom user defined schema

 tree /Users/simar/repos/foo
/Users/simar/repos/foo
├── add_instead_of_copy.rego
└── schemas
    └── myfancydockerfile.json