Prepare for v0.43.0 #4717

knqyf263 · 2023-06-27T07:41:27Z

knqyf263
Jun 27, 2023
Maintainer

🚀 What's new? 🚀

⎈ KBOM - Kubernetes bill of materials 🖥️

Trivy now supports the generation of Kubernetes Bill of Materials (KBOM) for kubernetes cluster control plane components, node components and addons in cyclonedx format

$ trivy k8s cluster --format cyclonedx

Output

{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:049ea19f-edbc-478f-a39d-a84c2d7d63ff",
  "version": 1,
  "metadata": {
    "timestamp": "2023-06-25T05:46:22+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "dev"
      }
    ],
    "component": {
      "bom-ref": "d2e2a084-a854-40df-84dc-1a7a6f523030",
      "type": "platform",
      "name": "kind-kind",
      "properties": []
    }
  },
  "components": [
    {
      "bom-ref": "000ff0c6-9aa5-4592-a3c2-a10eacfc037d",
      "type": "operating-system",
      "name": "ubuntu",
      "version": "21.04",
      "properties": [
        {
          "name": "aquasecurity:trivy:Class",
          "value": "os-pkgs"
        },
        {
          "name": "aquasecurity:trivy:Type",
          "value": "ubuntu"
        }
      ]
    },
    {
      "bom-ref": "35b3b3d5-0569-4b01-9785-717b569d5298",
      "type": "application",
      "name": "kube-apiserver-kind-control-plane",
      "properties": [
        {
          "name": "aquasecurity:trivy:k8s:component:Name",
          "value": "kube-apiserver"
        },
        {
          "name": "aquasecurity:trivy:k8s:component:Type",
          "value": "ControlPlane"
        }
      ]
    },
    {
      "bom-ref": "5078a6ed-44e6-484b-b6ae-723aae5e0ca9",
      "type": "application",
      "name": "coredns-558bd4d5db-kkrn9",
      "properties": [
        {
          "name": "aquasecurity:trivy:k8s:component:Name",
          "value": "kube-dns"
        }
      ]
    },
    {
      "bom-ref": "603d1d36-08be-436d-9627-c370a9256a2b",
      "type": "application",
      "name": "etcd-kind-control-plane",
      "properties": [
        {
          "name": "aquasecurity:trivy:k8s:component:Name",
          "value": "etcd"
        },
        {
          "name": "aquasecurity:trivy:k8s:component:Type",
          "value": "ControlPlane"
        }
      ]
    },
    {
      "bom-ref": "7c1b20c2-10ce-439e-ba98-667cfc78c546",
      "type": "platform",
      "name": "kind-control-plane",
      "properties": [
        {
          "name": "aquasecurity:trivy:Architecture",
          "value": "arm64"
        },
        {
          "name": "aquasecurity:trivy:HostName",
          "value": "kind-control-plane"
        },
        {
          "name": "aquasecurity:trivy:KernelVersion",
          "value": "6.3.6-200.fc38.aarch64"
        },
        {
          "name": "aquasecurity:trivy:NodeRole",
          "value": "master"
        },
        {
          "name": "aquasecurity:trivy:OperatingSystem",
          "value": "linux"
        },
        {
          "name": "aquasecurity:trivy:k8s:component:Name",
          "value": "kind-control-plane"
        },
        {
          "name": "aquasecurity:trivy:k8s:component:Type",
          "value": "node"
        }
      ]
    },
    {
      "bom-ref": "9200f061-dbf6-42ba-8f44-aa50315499fc",
      "type": "application",
      "name": "kube-scheduler-kind-control-plane",
      "properties": [
        {
          "name": "aquasecurity:trivy:k8s:component:Name",
          "value": "kube-scheduler"
        },
        {
          "name": "aquasecurity:trivy:k8s:component:Type",
          "value": "ControlPlane"
        }
      ]
    },
    {
      "bom-ref": "d6cbc351-d693-407e-b0de-3d2fd045e5f2",
      "type": "application",
      "name": "kindnet-vqpk7",
      "properties": [
        {
          "name": "aquasecurity:trivy:k8s:component:Name",
          "value": "kindnet"
        }
      ]
    },
    {
      "bom-ref": "d7198858-924a-4337-a96d-7010ef7d556f",
      "type": "application",
      "name": "kube-proxy-8svpz",
      "properties": [
        {
          "name": "aquasecurity:trivy:k8s:component:Name",
          "value": "kube-proxy"
        }
      ]
    },
    {
      "bom-ref": "dfbc591b-485c-4dfd-aedf-f9e82ee3e5cd",
      "type": "application",
      "name": "coredns-558bd4d5db-vdjwp",
      "properties": [
        {
          "name": "aquasecurity:trivy:k8s:component:Name",
          "value": "kube-dns"
        }
      ]
    },
    {
      "bom-ref": "e66df66e-4ac9-4546-871b-9f94d0e4fa35",
      "type": "application",
      "name": "node-core-components",
      "properties": [
        {
          "name": "aquasecurity:trivy:Class",
          "value": "lang-pkgs"
        },
        {
          "name": "aquasecurity:trivy:Type",
          "value": "golang"
        }
      ]
    },
    {
      "bom-ref": "f5533807-0a2f-44e3-969c-96f0738173f3",
      "type": "application",
      "name": "kube-controller-manager-kind-control-plane",
      "properties": [
        {
          "name": "aquasecurity:trivy:k8s:component:Name",
          "value": "kube-controller-manager"
        },
        {
          "name": "aquasecurity:trivy:k8s:component:Type",
          "value": "ControlPlane"
        }
      ]
    },
    {
      "bom-ref": "pkg:golang/github.com%2Fcontainerd%[email protected]",
      "type": "library",
      "name": "github.com/containerd/containerd",
      "version": "1.5.2",
      "purl": "pkg:golang/github.com%2Fcontainerd%[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "golang"
        },
        {
          "name": "aquasecurity:trivy:k8s:component:Name",
          "value": "github.com/containerd/containerd"
        },
        {
          "name": "aquasecurity:trivy:k8s:component:Type",
          "value": "node"
        }
      ]
    },
    {
      "bom-ref": "pkg:golang/k8s.io%[email protected]",
      "type": "library",
      "name": "k8s.io/kubelet",
      "version": "1.21.1",
      "purl": "pkg:golang/k8s.io%[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "golang"
        },
        {
          "name": "aquasecurity:trivy:k8s:component:Name",
          "value": "k8s.io/kubelet"
        },
        {
          "name": "aquasecurity:trivy:k8s:component:Type",
          "value": "node"
        }
      ]
    },
    {
      "bom-ref": "pkg:oci/coredns@sha256:1a1f05a2cd7c2fbfa7b45b21128c8a4880c003ca482460081dc12d76bfa863e8?repository_url=k8s.gcr.io%2Fcoredns%2Fcoredns\u0026arch=",
      "type": "container",
      "name": "k8s.gcr.io/coredns/coredns",
      "version": "sha256:1a1f05a2cd7c2fbfa7b45b21128c8a4880c003ca482460081dc12d76bfa863e8",
      "purl": "pkg:oci/coredns@sha256:1a1f05a2cd7c2fbfa7b45b21128c8a4880c003ca482460081dc12d76bfa863e8?repository_url=k8s.gcr.io%2Fcoredns%2Fcoredns\u0026arch=",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "k8s.gcr.io/coredns/coredns:1.8.0"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "oci"
        }
      ]
    },
    {
      "bom-ref": "pkg:oci/etcd@sha256:05b738aa1bc6355db8a2ee8639f3631b908286e43f584a3d2ee0c472de033c28?repository_url=k8s.gcr.io%2Fetcd\u0026arch=",
      "type": "container",
      "name": "k8s.gcr.io/etcd",
      "version": "sha256:05b738aa1bc6355db8a2ee8639f3631b908286e43f584a3d2ee0c472de033c28",
      "purl": "pkg:oci/etcd@sha256:05b738aa1bc6355db8a2ee8639f3631b908286e43f584a3d2ee0c472de033c28?repository_url=k8s.gcr.io%2Fetcd\u0026arch=",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "k8s.gcr.io/etcd:3.4.13-0"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "oci"
        }
      ]
    },
    {
      "bom-ref": "pkg:oci/kindnetd@sha256:f37b7c809e5dcc2090371f933f7acb726bb1bffd5652980d2e1d7e2eff5cd301?repository_url=index.docker.io%2Fkindest%2Fkindnetd\u0026arch=",
      "type": "container",
      "name": "index.docker.io/kindest/kindnetd",
      "version": "sha256:f37b7c809e5dcc2090371f933f7acb726bb1bffd5652980d2e1d7e2eff5cd301",
      "purl": "pkg:oci/kindnetd@sha256:f37b7c809e5dcc2090371f933f7acb726bb1bffd5652980d2e1d7e2eff5cd301?repository_url=index.docker.io%2Fkindest%2Fkindnetd\u0026arch=",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "index.docker.io/kindest/kindnetd:20210326-1e038dc5"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "oci"
        }
      ]
    },
    {
      "bom-ref": "pkg:oci/kube-apiserver@sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f?repository_url=k8s.gcr.io%2Fkube-apiserver\u0026arch=",
      "type": "container",
      "name": "k8s.gcr.io/kube-apiserver",
      "version": "sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f",
      "purl": "pkg:oci/kube-apiserver@sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f?repository_url=k8s.gcr.io%2Fkube-apiserver\u0026arch=",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "k8s.gcr.io/kube-apiserver:1.21.1"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "oci"
        }
      ]
    },
    {
      "bom-ref": "pkg:oci/kube-controller-manager@sha256:0c6dccae49de8003ee4fa06db04a9f13bb46cbaad03977e6baa21174f2dba2fc?repository_url=k8s.gcr.io%2Fkube-controller-manager\u0026arch=",
      "type": "container",
      "name": "k8s.gcr.io/kube-controller-manager",
      "version": "sha256:0c6dccae49de8003ee4fa06db04a9f13bb46cbaad03977e6baa21174f2dba2fc",
      "purl": "pkg:oci/kube-controller-manager@sha256:0c6dccae49de8003ee4fa06db04a9f13bb46cbaad03977e6baa21174f2dba2fc?repository_url=k8s.gcr.io%2Fkube-controller-manager\u0026arch=",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "k8s.gcr.io/kube-controller-manager:1.21.1"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "oci"
        }
      ]
    },
    {
      "bom-ref": "pkg:oci/kube-proxy@sha256:4bbef4ca108cdc3b99fe23d487fa4fca933a62c4fc720626a3706df9cef63b21?repository_url=k8s.gcr.io%2Fkube-proxy\u0026arch=",
      "type": "container",
      "name": "k8s.gcr.io/kube-proxy",
      "version": "sha256:4bbef4ca108cdc3b99fe23d487fa4fca933a62c4fc720626a3706df9cef63b21",
      "purl": "pkg:oci/kube-proxy@sha256:4bbef4ca108cdc3b99fe23d487fa4fca933a62c4fc720626a3706df9cef63b21?repository_url=k8s.gcr.io%2Fkube-proxy\u0026arch=",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "k8s.gcr.io/kube-proxy:1.21.1"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "oci"
        }
      ]
    },
    {
      "bom-ref": "pkg:oci/kube-scheduler@sha256:8c783dd2520887cc8e7908489ffc9f356c82436ba0411d554237a0b9632c9b87?repository_url=k8s.gcr.io%2Fkube-scheduler\u0026arch=",
      "type": "container",
      "name": "k8s.gcr.io/kube-scheduler",
      "version": "sha256:8c783dd2520887cc8e7908489ffc9f356c82436ba0411d554237a0b9632c9b87",
      "purl": "pkg:oci/kube-scheduler@sha256:8c783dd2520887cc8e7908489ffc9f356c82436ba0411d554237a0b9632c9b87?repository_url=k8s.gcr.io%2Fkube-scheduler\u0026arch=",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "k8s.gcr.io/kube-scheduler:1.21.1"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "oci"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "000ff0c6-9aa5-4592-a3c2-a10eacfc037d",
      "dependsOn": []
    },
    {
      "ref": "35b3b3d5-0569-4b01-9785-717b569d5298",
      "dependsOn": [
        "pkg:oci/kube-apiserver@sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f?repository_url=k8s.gcr.io%2Fkube-apiserver\u0026arch="
      ]
    },
    {
      "ref": "5078a6ed-44e6-484b-b6ae-723aae5e0ca9",
      "dependsOn": [
        "pkg:oci/coredns@sha256:1a1f05a2cd7c2fbfa7b45b21128c8a4880c003ca482460081dc12d76bfa863e8?repository_url=k8s.gcr.io%2Fcoredns%2Fcoredns\u0026arch="
      ]
    },
    {
      "ref": "603d1d36-08be-436d-9627-c370a9256a2b",
      "dependsOn": [
        "pkg:oci/etcd@sha256:05b738aa1bc6355db8a2ee8639f3631b908286e43f584a3d2ee0c472de033c28?repository_url=k8s.gcr.io%2Fetcd\u0026arch="
      ]
    },
    {
      "ref": "7c1b20c2-10ce-439e-ba98-667cfc78c546",
      "dependsOn": [
        "000ff0c6-9aa5-4592-a3c2-a10eacfc037d",
        "e66df66e-4ac9-4546-871b-9f94d0e4fa35"
      ]
    },
    {
      "ref": "9200f061-dbf6-42ba-8f44-aa50315499fc",
      "dependsOn": [
        "pkg:oci/kube-scheduler@sha256:8c783dd2520887cc8e7908489ffc9f356c82436ba0411d554237a0b9632c9b87?repository_url=k8s.gcr.io%2Fkube-scheduler\u0026arch="
      ]
    },
    {
      "ref": "d2e2a084-a854-40df-84dc-1a7a6f523030",
      "dependsOn": [
        "35b3b3d5-0569-4b01-9785-717b569d5298",
        "5078a6ed-44e6-484b-b6ae-723aae5e0ca9",
        "603d1d36-08be-436d-9627-c370a9256a2b",
        "7c1b20c2-10ce-439e-ba98-667cfc78c546",
        "9200f061-dbf6-42ba-8f44-aa50315499fc",
        "d6cbc351-d693-407e-b0de-3d2fd045e5f2",
        "d7198858-924a-4337-a96d-7010ef7d556f",
        "dfbc591b-485c-4dfd-aedf-f9e82ee3e5cd",
        "f5533807-0a2f-44e3-969c-96f0738173f3"
      ]
    },
    {
      "ref": "d6cbc351-d693-407e-b0de-3d2fd045e5f2",
      "dependsOn": [
        "pkg:oci/kindnetd@sha256:f37b7c809e5dcc2090371f933f7acb726bb1bffd5652980d2e1d7e2eff5cd301?repository_url=index.docker.io%2Fkindest%2Fkindnetd\u0026arch="
      ]
    },
    {
      "ref": "d7198858-924a-4337-a96d-7010ef7d556f",
      "dependsOn": [
        "pkg:oci/kube-proxy@sha256:4bbef4ca108cdc3b99fe23d487fa4fca933a62c4fc720626a3706df9cef63b21?repository_url=k8s.gcr.io%2Fkube-proxy\u0026arch="
      ]
    },
    {
      "ref": "dfbc591b-485c-4dfd-aedf-f9e82ee3e5cd",
      "dependsOn": [
        "pkg:oci/coredns@sha256:1a1f05a2cd7c2fbfa7b45b21128c8a4880c003ca482460081dc12d76bfa863e8?repository_url=k8s.gcr.io%2Fcoredns%2Fcoredns\u0026arch="
      ]
    },
    {
      "ref": "e66df66e-4ac9-4546-871b-9f94d0e4fa35",
      "dependsOn": [
        "pkg:golang/github.com%2Fcontainerd%[email protected]",
        "pkg:golang/k8s.io%[email protected]"
      ]
    },
    {
      "ref": "f5533807-0a2f-44e3-969c-96f0738173f3",
      "dependsOn": [
        "pkg:oci/kube-controller-manager@sha256:0c6dccae49de8003ee4fa06db04a9f13bb46cbaad03977e6baa21174f2dba2fc?repository_url=k8s.gcr.io%2Fkube-controller-manager\u0026arch="
      ]
    },
    {
      "ref": "pkg:golang/github.com%2Fcontainerd%[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:golang/k8s.io%[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:oci/coredns@sha256:1a1f05a2cd7c2fbfa7b45b21128c8a4880c003ca482460081dc12d76bfa863e8?repository_url=k8s.gcr.io%2Fcoredns%2Fcoredns\u0026arch=",
      "dependsOn": []
    },
    {
      "ref": "pkg:oci/etcd@sha256:05b738aa1bc6355db8a2ee8639f3631b908286e43f584a3d2ee0c472de033c28?repository_url=k8s.gcr.io%2Fetcd\u0026arch=",
      "dependsOn": []
    },
    {
      "ref": "pkg:oci/kindnetd@sha256:f37b7c809e5dcc2090371f933f7acb726bb1bffd5652980d2e1d7e2eff5cd301?repository_url=index.docker.io%2Fkindest%2Fkindnetd\u0026arch=",
      "dependsOn": []
    },
    {
      "ref": "pkg:oci/kube-apiserver@sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f?repository_url=k8s.gcr.io%2Fkube-apiserver\u0026arch=",
      "dependsOn": []
    },
    {
      "ref": "pkg:oci/kube-controller-manager@sha256:0c6dccae49de8003ee4fa06db04a9f13bb46cbaad03977e6baa21174f2dba2fc?repository_url=k8s.gcr.io%2Fkube-controller-manager\u0026arch=",
      "dependsOn": []
    },
    {
      "ref": "pkg:oci/kube-proxy@sha256:4bbef4ca108cdc3b99fe23d487fa4fca933a62c4fc720626a3706df9cef63b21?repository_url=k8s.gcr.io%2Fkube-proxy\u0026arch=",
      "dependsOn": []
    },
    {
      "ref": "pkg:oci/kube-scheduler@sha256:8c783dd2520887cc8e7908489ffc9f356c82436ba0411d554237a0b9632c9b87?repository_url=k8s.gcr.io%2Fkube-scheduler\u0026arch=",
      "dependsOn": []
    }
  ],
  "vulnerabilities": []
}

for more details click here

⎈ Kubernetes - private registries support 🚩

Trivy k8s now support authentication for cluster images stored in private registries.

Usage:

trivy k8s cluster --report summary --username myuser --password 1234

📚 Capture Licenses from pom.xml 📝

Trivy has now added the ability to parse licenses specified in pom.xml for Java projects. This enhancement allows Trivy to capture more comprehensive license information for Java dependencies.

$ trivy fs -f cyclonedx pom.xml
...
    {
      "bom-ref": "pkg:maven/com.example/[email protected]",
      "type": "library",
      "name": "com.example:example",
      "version": "1.0-SNAPSHOT",
      "licenses": [
        {
          "expression": "Apache-2.0"
        }
      ],
      "purl": "pkg:maven/com.example/[email protected]",
    }

🧶 Support for Yarn Workspaces 📦

Trivy now supports Yarn workspaces. When using workspaces, Yarn creates a yarn.lock file only in the root of the mono repository. Since the package.json of the mono repository does not contain information about dependencies in workspaces, they were previously skipped. This enhancement allows Trivy to capture all the dependencies from the package.json of workspaces.

$ cat package.json
{
    "name": "yarn-workspace-test",
    "version": "1.0.0",
    "packageManager": "[email protected]",
    "private": true,
    "workspaces": [
        "packages/**",
        "c"
    ],
    "devDependencies": {
        "prettier": "^2.8.8"
    }
}

🛠️ Add `--include-dev-deps` Flag 🚩

Trivy now includes an --include-dev-deps flag. The --include-dev-deps flag allows users to include these dev dependencies in their scan results and detect vulnerabilities in these dependencies.

Note Currently, these changes are only supported for npm.

See here for the detail.

⏭ Skipping Services in Cloud scanning ☁

It's now possible to skip selective services in Cloud scanning. Can specify multiple services using --skip-service A --skip-service B or using a comma separated list such as --skip-service=A,B

Usage:

trivy aws --skip-service=iam,s3

Will scan everything except iam and s3.

It is also possible to specify both --skip-service and --service together.

♍️ Include success in JSON output 🔣

You can now optionally include successes in cloud scanning within the JSON output. This can be enabled by using --include-non-failures flag.

🎗Support new `import` and `check` blocks for Terraform scanning 📐

Trivy will now be able to scan terraform config files that have import and check. You can find more info on how to use these new blocks here and here.

Thanks to @nishigori for the help.

👷‍♂️ Notable Fixes 🛠️

Pass the secret scanner option to scan the img config (fix(image): pass the secret scanner option to scan the img config #4735)
Pull OCI artifacts from HTTP registries (fix(oci): Http registry oci pull #4701)
Disable the terraform plan analyzer for other scanners (fix(misconf): disable the terraform plan analyzer for other scanners #4714)
Fix scanning SBOM generated by Maven/Gradle CycloneDX plugins (feat(sbom): use group field for jar in cyclonedx #4674)
Fix pnpm scanning (fix(nodejs): remove unused fields for the pnpm lockfile #4630)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Prepare for v0.43.0 #4717

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

Prepare for v0.43.0 #4717

Uh oh!

Uh oh!

knqyf263 Jun 27, 2023 Maintainer

🚀 What's new? 🚀

⎈ KBOM - Kubernetes bill of materials 🖥️

⎈ Kubernetes - private registries support 🚩

📚 Capture Licenses from pom.xml 📝

🧶 Support for Yarn Workspaces 📦

🛠️ Add --include-dev-deps Flag 🚩

⏭ Skipping Services in Cloud scanning ☁

♍️ Include success in JSON output 🔣

🎗Support new import and check blocks for Terraform scanning 📐

👷‍♂️ Notable Fixes 🛠️

Replies: 0 comments

knqyf263
Jun 27, 2023
Maintainer

🛠️ Add `--include-dev-deps` Flag 🚩

🎗Support new `import` and `check` blocks for Terraform scanning 📐