Prepare for v0.65.0

[nikpivkin]

Draft to collaborate on v0.65.0

📑 Table of Contents

• 🚀 What's new? 🚀

  • 🐧 AlmaLinux 10 Support 🔟
  • 📦 Package Type Filtering for License Scanning 🔍
  • 🐳 Docker Context Resolution Support 🔌
  • 🔖 Git Repository Metadata in Reports 📊
  • 🔐 SHA-512 Hash Support for CycloneDX SBOM 🛡️
  • 🪛 CVSS vectors for sarif report 📈
  • 🛑 Graceful Shutdown Support 🔄

• 👷‍♂️ Notable Fixes 🛠️

🚀 What's new? 🚀

🐧 AlmaLinux 10 Support 🔟

Trivy now supports vulnerability scanning for AlmaLinux 10, the latest major release of this enterprise Linux distribution.

Simply scan AlmaLinux 10 images as you would any other supported distribution:

# Scan AlmaLinux 10 container image
$ trivy image almalinux:10

Trivy will automatically detect AlmaLinux 10 and check for vulnerabilities using the AlmaLinux security advisory database, providing the same security analysis available for other AlmaLinux versions.

Thanks to @wololowarrior

📦 Package Type Filtering for License Scanning 🔍

The --pkg-types flag now works with license scanning, allowing you to filter license detection by package type. This brings consistency with the vulnerability scanner and enables more focused license compliance checks for either OS packages or application dependencies.

Usage

# Scan only OS package licenses (apk, apt, rpm, etc.)
$ trivy image --scanners license --pkg-types os alpine:3.19

# Scan only application dependency licenses (npm, pip, gem, go modules, etc.)
$ trivy image --scanners license --pkg-types library node:20

The same --pkg-types values (os and library) that work with vulnerability scanning now apply consistently to license scanning.

Thanks to @mastacheata

🐳 Docker Context Resolution Support 🔌

Trivy now automatically detects and uses your active Docker context when scanning images with the docker source. This enhancement ensures seamless integration with different Docker environments, including Docker Desktop, Colima, Podman, and other Docker-compatible runtimes.

Usage

# Uses the current Docker context automatically
$ trivy image --image-src docker nginx:alpine

# Specify a context via environment variable
$ DOCKER_CONTEXT=colima trivy image --image-src docker nginx:alpine

# Override with DOCKER_HOST (takes precedence over DOCKER_CONTEXT)
$ DOCKER_HOST=tcp://192.168.1.100:2376 trivy image --image-src docker nginx:alpine

# Use --docker-host flag for highest priority
$ trivy image --docker-host tcp://192.168.1.100:2376 --image-src docker nginx:alpine

The resolution priority is:

1. --docker-host flag (highest priority)
2. DOCKER_HOST environment variable
3. DOCKER_CONTEXT environment variable
4. Current Docker context from docker context ls

🔖 Git Repository Metadata in Reports 📊

Trivy now automatically extracts and includes git repository metadata in scan reports when scanning git repositories. This provides valuable context about the codebase being scanned, including commit details, authorship, branch information, and tags.

Usage

When scanning a git repository (local or remote), Trivy automatically includes git metadata:

# Scan a remote repository
$ trivy repo --format json https://github.com/org/repo

# Scan a local git directory
$ trivy fs --format json /path/to/git/repo

Example JSON output:

$ trivy repo --format json github.com/aquasecurity/trivy-db
{
  "Metadata": {
    "RepoURL": "https://github.com/aquasecurity/trivy-db",
    "Branch": "main",
    "Tags": ["v0.2.0", "latest"],
    "Commit": "378cf9606fe23bdb47639e29a4fb525ed7645e09",
    "CommitMsg": "Migrate logging to structured logging with slog...",
    "Author": "knqyf263 <[email protected]>",
    "Committer": "knqyf263 <[email protected]>"
  }
}

This feature works automatically for any git repository - whether using trivy repo for remote/local repositories or trivy fs for local git directories.

🔐 SHA-512 Hash Support for CycloneDX SBOM 🛡️

Trivy now supports SHA-512 hashes in CycloneDX Software Bill of Materials (SBOM) format, enhancing cryptographic hash capabilities for improved security and compliance. This addition complements the existing hash algorithms already supported in CycloneDX SBOMs.

Usage

When generating or processing CycloneDX SBOMs, SHA-512 hashes are now automatically included and recognized:

# Scan an existing CycloneDX SBOM containing SHA-512 hashes
$ trivy sbom cyclonedx-sbom-with-sha512.json

Thanks to @attiand

🪛 CVSS vectors for sarif report 📈

Trivy now includes CVSS metrics in sarif reports.
You can see them in the property field:

"properties": {
  "cvss": {
    "cvssv2_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
    "cvssv3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "cvssv2_score": 5,
    "cvssv3_baseScore": 5.3
  },
  "precision": "very-high",
  "security-severity": "5.3",
  "tags": [
    "vulnerability",
    "security",
    "MEDIUM"
  ]
}

Thanks to @axidex

🛑 Graceful Shutdown Support 🔄

Trivy now handles interruption signals (SIGINT/SIGTERM) gracefully, allowing ongoing operations to complete before shutting down. Press Ctrl+C once to initiate graceful shutdown, or twice to force immediate termination.

Usage

When you press Ctrl+C during a scan:

$ trivy image alpine:3.19
^C
INFO    Attempting graceful shutdown... Press Ctrl+C again to force exit
INFO    Shutting down...

In server mode, active requests are given time to complete:

$ trivy server --listen localhost:8080
^C
INFO    Shutting down server...
INFO    Waiting for active requests to complete...
INFO    Server exited

👷‍♂️ Notable Fixes 🛠️

• Epochs never read from /var/lib/rpmmanifest/container-manifest-2. #9100 (Thanks to @tofay)
• fix: also check filepath when removing duplicate packages #9142
• fix(license): add missed GFDL-NIV-1.1 and GFDL-NIV-1.2 into Trivy mapping #9116
• bug(apk): Trivy incorrectly separates licenses that contain the WITH operator #9230
• feat(dpkg): check /var/lib/dpkg/*/<package>.md5sums to find list of system files #9046
• bug(npm): Trivy incorrect checks versions with pre-release suffix #9144
• bug(rootio): Trivy doesn't detect root.io provider when looking in dpkg #9118
• bug(rootio): Trivy doesn't use severity from BaseOS for vulnerabilities #9178
• Out-of-graph OS packages are excluded when mixed with in-graph packages in SBOM #9193
• bug(cyclonedx): incorrect field for licenses #9042
• Secret scanner fails with UTF-8 marshalling error when scanning files with invalid UTF-8 content #9254
• bug(secret): Trivy incurrect detects line numbers for multi-line secrets #9086
• bug(python): add support for .egg-info/METADATA #9171 (Thanks to @amitverse)
• fix(misconf): skip rewriting expr if attr is nil #9113
• refactor: remove aws flag helper message #9080
• fix(misconf): correctly adapt azure storage account #9138
• fix(misconf): correctly parse empty port ranges in google_compute_firewall #9237