Prepare for v0.54.0

[DmitriyLewen]

Draft to collaborate on v0.54.0

📑 Table of Contents

• 🛫 Deprecation 🌆
  • 🐹 --vuln-type flag has now been renamed into --pkg-types ✅
• 🚀 What's new? 🚀
  • 🕸️ VEX Hub Support 📡
  • 📄 VEX Attestations from OCI Registries 🌐
  • 📦 Package Relationships Filter 🔄
  • 🦎 Support for detection and scanning of Tumbleweed OpenSUSE ✨
  • 🖥️ Azure Linux 3.0 support 🦋
  • 📋 Support for License Detection for pnpm-lock.yaml files 📜
  • 🔓 Vulnerability support for SPDX formats 📕
  • 🪭 Support of ACRs in the Azure China Cloud ☁️
  • 🔖 CycloneDX and SPDX formats contain image labels 🏷️
• 👷‍♂️ Notable Fixes 🛠️

🛫 Deprecation 🌆

🐹 --vuln-type flag has now been renamed into --pkg-types ✅

--vuln-type flag was added in one of the first versions of Trivy.
Now more and more users use SBOM, and this flag works with Packages, not Vulnerabilities.
To match our functionality, we are renaming --vuln-type flag to --pkg-types flag.
--vuln-type flag is now marked as deprecated and will be removed over time.

➜ trivy -d image --pkg-types os,library aquasec/trivy
...
2024-07-29T14:35:02+06:00       DEBUG   Package types   types=[os library]
...
aquasec/trivy (alpine 3.20.0)

Total: 12 (UNKNOWN: 0, LOW: 0, MEDIUM: 12, HIGH: 0, CRITICAL: 0)

usr/local/bin/trivy (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

➜ trivy -d image --pkg-types os aquasec/trivy 
...
2024-07-29T14:35:31+06:00       DEBUG   Package types   types=[os]

aquasec/trivy (alpine 3.20.0)

Total: 12 (UNKNOWN: 0, LOW: 0, MEDIUM: 12, HIGH: 0, CRITICAL: 0)

🚀 What's new? 🚀

🕸️ VEX Hub Support 📡

This update introduces VEX Hub integration into Trivy. Users can now automatically discover and apply VEX data during vulnerability scans, leveraging community-maintained VEX information to filter out non-exploitable vulnerabilities. This greatly helps to reduce noise in vulnerability scan results.

$ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex repo --show-suppressed

--vex repo creates the default configuration file in the first run. While the default config refers to VEX Hub, you can also use other repositories complying with VEX Repository Specification.

See here for more details.

For OSS maintainers: please consider publishing VEX.

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

📄 VEX Attestations from OCI Registries 🌐

Trivy now automatically retrieves and applies VEX (Vulnerability Exploitability eXchange) attestations from OCI registries during vulnerability scans. This feature leverages VEX data to filter out non-exploitable vulnerabilities more effectively.

$ trivy image --vex oci ghcr.io/aquasecurity/trivy:0.50.0 --show-suppressed

See here for more details.

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

📦 Package Relationships Filter 🔄

This update introduces the --pkg-relationships flag, allowing users to filter vulnerabilities by package relationships. This flag provides more refined vulnerability reporting by focusing on direct or indirect dependencies.

$ trivy repo --scanners vuln --pkg-relationships direct ./go.mod

Note: The --pkg-relationships flag cannot be used with --dependency-tree, --vex, or SBOM formats (spdx, spdx-json, cyclonedx, github).

Read more here.

🦎 Support for detection and scanning of Tumbleweed OpenSUSE ✨

Trivy now supports package and vulnerability detection for Tumbleweed OpenSUSEю

➜ trivy image registry.opensuse.org/opensuse/bci/bci-init:latest
2024-07-03T16:48:59+02:00       INFO    Vulnerability scanning is enabled
2024-07-03T16:48:59+02:00       INFO    Secret scanning is enabled
2024-07-03T16:48:59+02:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-03T16:48:59+02:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret#recommendation for faster secret detection
2024-07-03T16:49:01+02:00       INFO    Detected OS     family="opensuse.tumbleweed" version="20240607"
2024-07-03T16:49:01+02:00       INFO    [opensuse.tumbleweed] Detecting vulnerabilities...      os_version="20240607" pkg_num=149
2024-07-03T16:49:01+02:00       INFO    Number of language-specific files       num=0

registry.opensuse.org/opensuse/bci/bci-init:latest (opensuse.tumbleweed 20240607)
=================================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────────┬──────────────────────────┬──────────┬────────┬───────────────────┬────────────────────┬────────────────────────────────────────┐
│   Library   │      Vulnerability       │ Severity │ Status │ Installed Version │   Fixed Version    │                 Title                  │
├─────────────┼──────────────────────────┼──────────┼────────┼───────────────────┼────────────────────┼────────────────────────────────────────┤
│ permissions │ openSUSE-SU-2024:11165-1 │ MEDIUM   │ fixed  │ 1699_20240522-1.1 │ 20210901.1550-29.2 │ chkstat-1550_20210901-29.2 on GA media │
└─────────────┴──────────────────────────┴──────────┴────────┴───────────────────┴────────────────────┴────────────────────────────────────────┘

Thanks to @msmeissn

🖥️ Azure Linux 3.0 support 🦋

Now Trivy supports Azure Linux 3.0 (previously CBL-Mariner).

➜ trivy image azurelinuxpreview.azurecr.io/public/azurelinux/distroless/base:3.0
2024-07-29T14:50:05+06:00       INFO    Vulnerability scanning is enabled
2024-07-29T14:50:05+06:00       INFO    Secret scanning is enabled
2024-07-29T14:50:05+06:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-29T14:50:05+06:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret#recommendation for faster secret detection
2024-07-29T14:50:10+06:00       INFO    Detected OS     family="azurelinux" version="3.0"
2024-07-29T14:50:10+06:00       INFO    [azurelinux] Detecting vulnerabilities...       os_version="3.0" pkg_num=14
2024-07-29T14:50:10+06:00       INFO    Number of language-specific files       num=0

azurelinuxpreview.azurecr.io/public/azurelinux/distroless/base:3.0 (azurelinux 3.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

Thanks to @tofay

📋 Support for License Detection for pnpm-lock.yaml files 📜

Trivy currently parses package.json files from the node_module directory to determine the licenses of installed packages.

pnpm-lock.yaml (license)

Total: 2 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬─────────┬────────────────┬──────────┐
│ Package │ License │ Classification │ Severity │
├─────────┼─────────┼────────────────┼──────────┤
│ jquery  │ MIT     │ Notice         │ LOW      │
├─────────┤         │                │          │
│ lodash  │         │                │          │
└─────────┴─────────┴────────────────┴──────────┘

Thanks to @oscarbc96

🔓 Vulnerability support for SPDX formats 📕

Trivy can now include vulnerabilities in externalRefs to add link to the advisory.
See Appendix K for more details.
Don't forget to use --scanners vuln to enable advisories.

➜ trivy -d image -f spdx-json -o report.spdx.json ubuntu --scanners vuln
...
  {
      "name": "libssl3t64",
      "SPDXID": "SPDXRef-Package-ed46e6c8dd5adb2d",
      "versionInfo": "3.0.13-0ubuntu3.1",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:deb/ubuntu/[email protected]?arch=amd64\u0026distro=ubuntu-24.04"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "advisory",
          "referenceLocator": "https://avd.aquasec.com/nvd/cve-2024-2511"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "advisory",
          "referenceLocator": "https://avd.aquasec.com/nvd/cve-2024-4603"
        },
...

Thanks to @goneall

🪭 Support of ACRs in the Azure China Cloud ☁️

Added configuration to support ACRs in the Azure China Cloud.

Thanks to @admanb

🔖 CycloneDX and SPDX formats contain image labels 🏷️

Currently you can find image labels in CycloneDX and SPDX reports:

• metadata.component.properties field for CycloneDX reports.
• Packages.PackageAttributionTexts field for SPDX reports.

👷‍♂️ Notable Fixes 🛠️

• feat(logging): Add warning in case missing config file #7028
• feat(.NET): don't include non-runtime libraries into report for *.deps.json files #7079
• CycloneDX SBOM files generated by trivy contains duplicated entries with different version for the same jersey artifact #7086
• Report is not empty even if there are no findings: Part 2 #7147
• HuggingFace token detector not working properly (wrong number of characters) #6823
• fix(secret): add prefix to exclude 0-9a-zA-Z before secret #7176
• bug(secret): set limit for line length #6999
• Regression: segmentation violation when scanning a certain pom.xml #7241
• Trivy Node scan can't parse package.json when latest is used as a package version #6747
• 0.51: kubernetes scanner requires role permissions #6692
• bug(misconf): Panic observed in passing of --tf-vars #7084
• perf(debian): use bytes.Index in emptyLineSplit to cut allocation #7065
• fix: Add dependencyManagement exclusions to the child exclusions #6969