Prepare for v0.39.0

[knqyf263]

Draft to collaborate on v0.39.0 release announcement

🚀 What's new? 🚀

🌐 Amazon Linux 2023 🛡️

Trivy now supports vulnerability scanning for Amazon Linux 2023.

$ trivy image amazonlinux:2023
2023-03-31T23:10:33.173+0300    INFO    Vulnerability scanning is enabled
...
2023-03-31T23:10:37.859+0300    INFO    Detected OS: amazon
2023-03-31T23:10:37.859+0300    INFO    Detecting Amazon Linux vulnerabilities...
2023-03-31T23:10:37.860+0300    INFO    Number of language-specific files: 0

amazonlinux:2023 (amazon 2023 (Amazon Linux))
=============================================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌───────────┬────────────────┬──────────┬───────────────────────┬───────────────────────┬────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │   Installed Version   │     Fixed Version     │                           Title                            │
├───────────┼────────────────┼──────────┼───────────────────────┼───────────────────────┼────────────────────────────────────────────────────────────┤
│ libgcc    │ CVE-2022-27943 │ MEDIUM   │ 11.3.1-4.amzn2023.0.2 │ 11.3.1-4.amzn2023.0.3 │ binutils: libiberty/rust-demangle.c in GNU GCC 11.2 allows │
│           │                │          │                       │                       │ stack exhaustion in demangle_const                         │
│           │                │          │                       │                       │ https://avd.aquasec.com/nvd/cve-2022-27943                 │
├───────────┤                │          │                       │                       │                                                            │
│ libgomp   │                │          │                       │                       │                                                            │
│           │                │          │                       │                       │                                                            │
│           │                │          │                       │                       │                                                            │
├───────────┤                │          │                       │                       │                                                            │
│ libstdc++ │                │          │                       │                       │                                                            │
│           │                │          │                       │                       │                                                            │
│           │                │          │                       │                       │                                                            │
└───────────┴────────────────┴──────────┴───────────────────────┴───────────────────────┴────────────────────────────────────────────────────────────┘

📦 npm (Node.js) lock file v3 🔒

Trivy now supports npm's package-lock.json v3 for SBOM generation and vulnerability detection. For more details about package-lock.json v3, please refer to the following document:
https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json?v=true#lockfileversion

📚 npm (Node.js) license 📄

Previously, Trivy was unable to detect the licenses of npm dependencies, as package-lock.json does not contain license information. Starting with this version, Trivy now scans the node_modules folder located alongside package-lock.json to identify license information. Please note that you need to run npm install beforehand to generate the node_modules folder.

$ ls
node_modules/  package-lock.json
$ trivy fs --format spdx ./

##### Package: react-is

PackageName: react-is
SPDXID: SPDXRef-Package-525b656ac9706dc4
PackageVersion: 16.8.6
PackageDownloadLocation: NONE
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
...

The above example shows the license of react-js is MIT.

🧶 Exclude development dependencies in Yarn 🚫

Previously, yarn.lock files Trivy scans don't include devDependencies information, resulting in the detection of vulnerabilities in devDependencies as well. For more details, please check this Issue.

Starting with this version, by scanning package.json next to yarn.lock simultaneously, devDependencies are now detected and their vulnerabilities are no longer reported.

🎼 Composer (PHP) license and dependency tree 🌳

Support for Composer, the PHP package manager, has been improved, enabling the detection of licenses and the display of the dependency tree. For an accurate dependency tree, both composer.json and composer.lock files must be present.

$ trivy fs ./ --dependency-tree
...

composer.lock (composer)
====================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)

┌───────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ guzzlehttp/guzzle │ CVE-2022-31090 │ HIGH     │ 7.4.4             │ 7.4.5, 6.5.8  │ Guzzle, an extensible PHP HTTP client. `Authorization`     │
│                   │                │          │                   │               │ headers on requ ...                                        │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-31090                 │
│                   ├────────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-31091 │          │                   │               │ Guzzle, an extensible PHP HTTP client. `Authorization` and │
│                   │                │          │                   │               │ `Cookie` he ...                                            │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-31091                 │
├───────────────────┼────────────────┤          ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ guzzlehttp/psr7   │ CVE-2022-24775 │          │ 1.8.3             │ 1.8.4, 2.1.1  │ guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions  │
│                   │                │          │                   │               │ prior to 1.8 ......                                        │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24775                 │
└───────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Dependency Origin Tree (Reversed)
=================================
composer.lock
├── guzzlehttp/[email protected], (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
└── guzzlehttp/[email protected], (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
    └── guzzlehttp/[email protected]

🌳 Cargo (Rust) dependency tree 🦀

Displaying the dependency tree for Cargo, the package manager for Rust, is now possible. For an accurate dependency tree, both Cargo.toml and Cargo.lock files must be present.

For more details, please check this document.

🔐 Registry authentication 🔑

For private container image authentication, TRIVY_USERNAME and TRIVY_PASSWORD were available, but now it is also possible to pass them using CLI flags such as --username and --password. Please note that TRIVY_PASSWORD is recommended for security reasons.

Registry Flags
      --password strings        password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
      --registry-token string   registry token
      --username strings        username. Comma-separated usernames allowed.

Additionally, these authentication credentials are now also used for downloading the vulnerability database and other OCI artifacts. This is useful when you want to host the database in your own private OCI registry. For more details, please check here.

⎈ Faster Kubernetes cluster scanning 🏎️

Scanning an entire Kubernetes clusters can be an intensive job, especially on large clusters. This change accelerates Kubernetes scans by running multiple tasks in parallel. You can also control the degree of parallelism with a new flag:
--parallel (default value: 5)

⎈ Kubernetes node toleration support 🚩

When scanning Kubernetes clusters for CIS benchmark compliance, Trivy would spin up a job on nodes to collect more information from inside the cluster. The new flag --tolerations allows addressing node taints for the node-collector job:

trivy k8s cluster --report summary --tolerations key1=value1:NoSchedule

✳️ Skip by glob pattern ⏭

The --skip-files and --skip-dirs flags, which were used to exclude specific content from being scanned, now support glob patterns for more flexible configuration (glob patterns allow including * and other advanced syntax).

$ trivy image --skip-files "./foo/*/bar" .

Will skip any file named bar in the subdirectories of foo.

The flag also works similarly with --skip-dirs as well.

⛅️ Support for NIFCLOUD 🇯🇵

Trivy now supports misconfiguration scanning for NIFCLOUD
Special thanks to @fuku2014