v0.20.0

[aqua-bot]

💔 BREAKING CHANGES 💔

Migrate to new JSON schema of scan results

The old JSON schema is no longer generated from v0.20.0. Please migrate to the new JSON schema.

See here for the details.
#1050

Remove deprecated options

The following options cannot be used anymore.

• -only-update
• -refresh
• -auto-refresh

🚀 What's new? 🚀

🥔 Add "rootfs" subcommand 🧅

fs subcommand currently has two main targets.

• Local project
  • Scan lock files such as Gemfile.lock
• Rootfs
  • Scan filesystem from inside containers
    • https://aquasecurity.github.io/trivy/v0.19.2/advanced/container/embed-in-dockerfile/
  • Scan unpacked container image filesystem
    • https://aquasecurity.github.io/trivy/v0.19.2/advanced/container/unpacked-filesystem/

Trivy introduced individual package scannings such as gemspec and egg/wheel. It should be enabled for the rootfs scanning but should be disabled for scanning local projects. After all, we decided to split fs subcommand into two subcommand, fs and rootfs.

• fs subcommand
  • Scan local projects
• rootfs subcommand
  • Scan filesystem from inside containers
  • Scan unpacked container image filesystem

See the following documents for details

• https://aquasecurity.github.io/trivy/v0.20.0/vulnerability/scanning/filesystem/
• https://aquasecurity.github.io/trivy/v0.20.0/vulnerability/scanning/rootfs/

NOTE: Please migrate from fs to rootfs command if you embed Trivy into Dockerfile or scan unpacked container image filesystem.

🥚 Support egg and wheel packages (Python) ⚙️

Trivy used to look for Pipfile.lock and poetry.lock for Python scanning in container images. But it was migrated to egg and wheel packages. Pipfile.lock and poetry.lock in container images will be no longer detected. Trivy detects actually installed Python packages through egg and wheel metadata. Even though the image doesn't have those lock files, Trivy can detect the installed packages accurately like the following example.

$ docker run --rm -it django bash
root@2d8f71d82e29:/# find / -name Pipfile.lock
root@2d8f71d82e29:/# find / -name poetry.lock
root@2d8f71d82e29:/# exit

$ trivy image --vuln-type library --severity CRITICAL django
2021-10-06T11:13:04.999+0300    INFO    Number of language-specific files: 1
2021-10-06T11:13:05.000+0300    INFO    Detecting python-pkg vulnerabilities...

Python (python-pkg)
===================
Total: 2 (CRITICAL: 2)

+---------+------------------+----------+-------------------+------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION      |                 TITLE                 |
+---------+------------------+----------+-------------------+------------------------+---------------------------------------+
| Django  | CVE-2019-19844   | CRITICAL | 1.10.4            | 3.0.1, 2.2.9, 1.11.27  | Django: crafted email address         |
|         |                  |          |                   |                        | allows account takeover               |
|         |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2019-19844 |
+         +------------------+          +                   +------------------------+---------------------------------------+
|         | CVE-2020-7471    |          |                   | 3.0.3, 2.2.10, 1.11.28 | django: potential SQL injection       |
|         |                  |          |                   |                        | via StringAgg(delimiter)              |
|         |                  |          |                   |                        | -->avd.aquasec.com/nvd/cve-2020-7471  |
+---------+------------------+----------+-------------------+------------------------+---------------------------------------+

It brings the better Python detection. On the other hand, the fs mode disables egg and wheel scanning and enables the lock file scanning. See here for the detail.

https://aquasecurity.github.io/trivy/v0.20.0/vulnerability/detection/language/

💎 Support gemspec (Ruby) 💍

This is the same change as Python. Trivy used to look for Gemfile.lock for Ruby scanning in container images. Trivy migrated to *.gemspec scanning. Gemfile.lock in container images will be no longer detected, but Trivy detects installed gems in container images more accurately.

$ trivy image --vuln-type library quay.io/fluentd_elasticsearch/fluentd:v2.9.0
2021-10-06T11:22:28.645+0300    INFO    Number of language-specific files: 1
2021-10-06T11:22:28.645+0300    INFO    Detecting gemspec vulnerabilities...

Ruby (gemspec)
==============
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)

+---------------+------------------+----------+-------------------+------------------+---------------------------------------+
|    LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |  FIXED VERSION   |                 TITLE                 |
+---------------+------------------+----------+-------------------+------------------+---------------------------------------+
| activesupport | CVE-2020-8165    | CRITICAL | 6.0.2.1           | 6.0.3.1, 5.2.4.3 | rubygem-activesupport: potentially    |
|               |                  |          |                   |                  | unintended unmarshalling              |
|               |                  |          |                   |                  | of user-provided objects in           |
|               |                  |          |                   |                  | MemCacheStore and RedisCacheStore     |
|               |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2020-8165  |
+---------------+------------------+----------+-------------------+------------------+---------------------------------------+
| addressable   | CVE-2021-32740   | HIGH     | 2.7.0             | 2.8.0            | rubygem-addressable:                  |
|               |                  |          |                   |                  | ReDoS in templates                    |
|               |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-32740 |
+---------------+------------------+----------+-------------------+------------------+---------------------------------------+

On the other hand, the fs mode disables gemspec scanning and enables Gemfile.lock scanning. See here for the detail.

https://aquasecurity.github.io/trivy/v0.20.0/vulnerability/detection/language/

🟢 Support package.json 🟩

This is the same change as Python. Trivy used to look for package-lock.json for Node.js scanning in container images. Trivy migrated to package.json scanning. package-lock.json in container images will be no longer detected, but Trivy detects installed Node packages in container images more accurately.

$ trivy image --vuln-type library --severity HIGH,CRITICAL mongo-express
2021-10-06T11:35:46.070+0300    INFO    Number of language-specific files: 1
2021-10-06T11:35:46.070+0300    INFO    Detecting node-pkg vulnerabilities...

Node.js (node-pkg)
==================
Total: 4 (HIGH: 3, CRITICAL: 1)

+--------------------+------------------+----------+-------------------+---------------+--------------------------------------+
|      LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+--------------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ansi-regex         | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1  | node-ansi-regex: inefficient         |
|                    |                  |          |                   |               | regular expression                   |
|                    |                  |          |                   |               | complexity allows for a crash        |
|                    |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3807 |
+                    +                  +          +-------------------+               +                                      +
|                    |                  |          | 4.1.0             |               |                                      |
|                    |                  |          |                   |               |                                      |
|                    |                  |          |                   |               |                                      |
|                    |                  |          |                   |               |                                      |
+--------------------+------------------+          +-------------------+---------------+--------------------------------------+
| dot-prop           | CVE-2020-8116    |          | 3.0.0             | 5.1.1, 4.2.1  | nodejs-dot-prop: prototype pollution |
|                    |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-8116 |
+--------------------+------------------+----------+-------------------+---------------+--------------------------------------+
| express-fileupload | CVE-2020-7699    | CRITICAL | 0.4.0             | 1.1.9         | Prototype Pollution                  |
|                    |                  |          |                   |               | in express-fileupload                |
|                    |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-7699 |
+--------------------+------------------+----------+-------------------+---------------+--------------------------------------+

On the other hand, the fs mode disables package.json scanning and enables package-lock.json scanning. See here for the detail.

https://aquasecurity.github.io/trivy/v0.20.0/vulnerability/detection/language/

🍣 Support requirements.txt (Python) 🍤

Trivy scans requirements.txt for Python. Note that only the == specifier is supported at the moment. It means the other specifies like => are not supported. In the following example, Flask will be scanned, while MarkupSafe will not be scanned.

$ cat /path/to/projet/requirements.txt
Flask==0.12.5
MarkupSafe>2.0.0

$ ./trivy fs /path/to/project
2021-10-06T10:32:53.749+0300    INFO    Number of language-specific files: 1
2021-10-06T10:32:53.749+0300    INFO    Detecting pip vulnerabilities...

requirements.txt (pip)
======================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                  TITLE                  |
+---------+------------------+----------+-------------------+---------------+-----------------------------------------+
| Flask   | CVE-2019-1010083 | HIGH     | 0.12.5            | 1.0.0         | python-flask: unexpected                |
|         |                  |          |                   |               | memory usage can lead to denial         |
|         |                  |          |                   |               | of service via crafted...               |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010083 |
+---------+------------------+----------+-------------------+---------------+-----------------------------------------+

🍩 Support packages.config (.NET) 🎯

Trivy scans packages.config for NuGet.

$ cat /path/to/project/packages.config
<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Microsoft.AspNet.WebApi" version="5.2.2" targetFramework="net45" />
  <package id="MessagePack" version="2.1.89" targetFramework="net45" />
</packages>

$ trivy fs /tmp/nuget
2021-10-06T11:01:00.196+0300    INFO    Number of language-specific files: 1
2021-10-06T11:01:00.196+0300    INFO    Detecting nuget vulnerabilities...

packages.config (nuget)
=======================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+-------------+------------------+----------+-------------------+----------------+--------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  |                TITLE                 |
+-------------+------------------+----------+-------------------+----------------+--------------------------------------+
| MessagePack | CVE-2020-5234    | MEDIUM   | 2.1.89            | 2.1.90, 1.9.11 | Untrusted data can lead to DoS       |
|             |                  |          |                   |                | attack due to hash collisions and... |
|             |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2020-5234 |
+-------------+------------------+----------+-------------------+----------------+--------------------------------------+

💳 Add License into the report

Trivy shows the license information of each package in the JSON report. Alpine and RHEL-based distributions are supported. Debian and Ubuntu are not supported at the moment. Python, Ruby and Node.js are also supported.

$ trivy -f json --list-all-pkgs alpine:3.11
...
"Results": [
    {
      "Target": "alpine:3.11 (alpine 3.11.12)",
      "Class": "os-pkgs",
      "Type": "alpine",
      "Packages": [
        {
          "Name": "alpine-baselayout",
          "Version": "3.2.0-r3",
          "SrcName": "alpine-baselayout",
          "SrcVersion": "3.2.0-r3",
          "License": "GPL-2.0-only"
        },
        {
          "Name": "alpine-keys",
          "Version": "2.1-r2",
          "SrcName": "alpine-keys",
          "SrcVersion": "2.1-r2",
          "License": "MIT",
        },
...

Improve -skip-files and -skip-dirs 🏂

--skip-files and --skip-dirs used to affect only vulnerability detection. Analyzing packages was performed regardless of these options. These options were improved and the analysis can be skipped now.

Before

Even though you specify --skip-dirs, Trivy tries to look into the directory.

$ trivy fs --skip-dirs=/var/lib/ntp /
2020-12-03T16:41:13.750+0100    FATAL   error in fs scan:
    github.com/aquasecurity/trivy/internal/artifact.run
        /home/circleci/project/internal/artifact/run.go:90
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/circleci/project/pkg/scanner/scan.go:97
  - unknown error with //var/lib/ntp/proc/18679:
    github.com/aquasecurity/fanal/walker.WalkDir.func2
        /go/pkg/mod/github.com/aquasecurity/[email protected]/walker/fs.go:36
  - unknown error with //var/lib/ntp/proc/18679/net:
    github.com/aquasecurity/fanal/walker.WalkDir.func2
        /go/pkg/mod/github.com/aquasecurity/[email protected]/walker/fs.go:36
  - invalid argument

After

The specified directories are actually skipped.

$ trivy fs --skip-dirs=/var/lib/ntp /
web (alpine 3.10.2)
============================
Total: 28 (UNKNOWN: 0, LOW: 4, MEDIUM: 14, HIGH: 9, CRITICAL: 1)

...

Disable library analyzer for OS only scan type

Language-specific analyzers will not be executed when you specify --vuln-type os.

Thanks, @fawind

Aggregate JAR/WAR/EAR results in the table ☕

Before

$ trivy image -timeout 10m --severity HIGH sequenceiq/hadoop-docker:2.7.0
...

usr/local/hadoop-2.7.0/share/hadoop/yarn/lib/jackson-mapper-asl-1.9.13.jar (jar)
================================================================================
Total: 1 (HIGH: 1)

+-----------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|                 LIBRARY                 | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-----------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| org.codehaus.jackson:jackson-mapper-asl | CVE-2019-10172   | HIGH     | 1.9.13            |               | jackson-mapper-asl: XML external      |
|                                         |                  |          |                   |               | entity similar to CVE-2016-3720       |
|                                         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-10172 |
+-----------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+

usr/local/hadoop-2.7.0/share/hadoop/yarn/lib/netty-3.6.2.Final.jar (jar)
========================================================================
Total: 1 (HIGH: 1)

+----------------+------------------+----------+-------------------+---------------+---------------------------------------+
|    LIBRARY     | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------------+------------------+----------+-------------------+---------------+---------------------------------------+
| io.netty:netty | CVE-2019-16869   | HIGH     | 3.6.2.Final       | 4.1.42.Final  | netty: HTTP request smuggling         |
|                |                  |          |                   |               | by mishandled whitespace              |
|                |                  |          |                   |               | before the colon in HTTP...           |
|                |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-16869 |
+----------------+------------------+----------+-------------------+---------------+---------------------------------------+

After

All JAR files are aggregated into a single table. You can see the JAR path by -f json.

Java (jar)
==========
Total: 45 (HIGH: 45)

+---------------------------------------------+------------------+----------+--------------------+-----------------------------+---------------------------------------------------------------+
|                   LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION  |        FIXED VERSION        |                             TITLE                             |
+---------------------------------------------+------------------+----------+--------------------+-----------------------------+---------------------------------------------------------------+
| io.netty:netty                              | CVE-2019-16869   |   HIGH   | 3.6.2.Final        | 4.1.42.Final                | netty: HTTP request smuggling                                 |
|                                             |                  |          |                    |                             | by mishandled whitespace                                      |
|                                             |                  |          |                    |                             | before the colon in HTTP...                                   |
|                                             |                  |          |                    |                             | -->avd.aquasec.com/nvd/cve-2019-16869                         |
+---------------------------------------------+------------------+          +--------------------+-----------------------------+---------------------------------------------------------------+
| org.codehaus.jackson:jackson-mapper-asl     | CVE-2019-10172   |          | 1.9.13             |                             | jackson-mapper-asl: XML external                              |
|                                             |                  |          |                    |                             | entity similar to CVE-2016-3720                               |
|                                             |                  |          |                    |                             | -->avd.aquasec.com/nvd/cve-2019-10172                         |
+---------------------------------------------+------------------+----------+--------------------+-----------------------------+---------------------------------------------------------------+
...

Add image config

Add ImageConfig under Metadata.

$ trivy image -f json alpine:3.10
{
  "SchemaVersion": 2,
  ...
  "Metadata": {
    ...
    "ImageConfig": {
      "architecture": "amd64",
      "container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
      "created": "2021-04-14T19:20:05.338397761Z",
      "docker_version": "19.03.12",
      "history": [
        {
          "created": "2021-04-14T19:20:04.987219124Z",
          "created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
        },
        {
          "created": "2021-04-14T19:20:05.338397761Z",
          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
          "empty_layer": true
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
        ]
      },
      "config": {
        "Cmd": [
          "/bin/sh"
        ],
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
        "Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
      }
    }
  },
 

Add end of service life field to OS metadata

You will find EOSL field under Metadata.OS.

$ trivy image -f json alpine:3.10
...
{
  "SchemaVersion": 2,
  "ArtifactName": "alpine:3.10",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "alpine",
      "Name": "3.10.9",
      "EOSL": true
    },
...

Support Debian versions that reached EOL

Trivy used to not support Debian EOL versions. They are supported now.

🐞 Bug fixes 🐛

fix(oracle): use binary package name (#1203)

fix(plugin): resolve a closure (#1207)

fix(oracle): handle advisories contain ksplice versions (#1209)

fix(go/binary): improve debug messages (#1244)

fix: brew test command (#1253)

fix(gobinary): skip large files (#1259)

fix(scan/config): incompatible YAML with JSON (#1272)

Changelog

f12446d feat(report): add package path (#1274)
1c9ccb5 feat(command): add rootfs command (#1271)
a463e79 fix: update fanal (#1272)
e0ca5ef feat(commands): remove deprecated options (#1270)
1ebb329 Aggregate jar result for table (#1269)
b37f682 BREAKING(report): migrate to new json schema (#1265)
da90510 feat: improve --skip-dirs and --skip-files (#1249)
bd57b4f fix(gobinary): skip large files (#1259)
9027dc3 Disable library analyzer for OS only scan type (#1191)
5750cc2 chore: update trivy version (#1252)
bbcce9f refactor: move from io/ioutil to io and os package (#1245)
6bcb4af fix: brew test command (#1253)
8d13234 fix:added layer info in packages (#1248)
982f35b fix(go/binary): improve debug messages (#1244)
2e170cd Update db.go (#1199)
cc6c67d fix(deps): fix CVE-2021-32760 for github.com/containerd/containerd (#1243)
669fd1f feat(debian): support the versions that reached EOL (#1237)
8cd7de2 feat(alpine): support unfixed vulnerabilities (#1235)
3bf3a46 feat(report): add image config (#1231)
8edcc62 feat(nodejs): support package.json (#1225)
31c45ff refactor: use testing DB instead of mock (#1234)
d8cc8b5 feat(ruby): support gemspec (#1224)
dbc7a83 feat(python): add packaging detector and respective hook (#1223)
19c0b70 feat(license): Added support to new License field of go-dep-parser's library (#1167)
9d61777 fix(oracle): handle advisories contain ksplice versions (#1209)
5d57dea fix(docs): remove OSVDB advisories (#1215)
b595559 docs: fix typos in CONTRIBUTING.md (#1181)
b1410b2 Update EOL of Debian 11 (#1180)
0e777d3 fix(plugin): resolve a closure (#1207)
b6d9c30 docs: fix typo (#1206)
5160a2e fix(detector): change an argument for trivy-db getter (#1203)
40ed227 chore(mod): update fanal (#1179)
2a4400c Add license info to package data (#1176)
82eb630 feat(nuget): support packages.config (#1095)
4a8db20 feat(python): add support for requirements.txt (#1169)
8db9b6a GitLab CI integration documentation (#1168)
c159501 chore(gorelease) change goreleaser config to include template examples (#1138)
76e63d1 chore(deps): bump dmnemec/copy_file_to_another_repo_action (#1153)
79b6684 chore(deps): bump actions/stale from 3 to 4 (#1152)
214fe82 feat(report): add end of service life flag to OS metadata (#1142)
c489e31 chore: set up Dependabot for github-actions and docker (#1128)
efd812c docs: fix typo (#1149)
3a920dc docs: add some external links (#1147)
7cb1598 chore (release): add ubuntu esm versions to deploy script (#1151)
6a88002 docs(troubleshooting) add urls which are required to download vuls db (#1137)

Docker images

• docker pull aquasec/trivy:0.20.0
• docker pull ghcr.io/aquasecurity/trivy:0.20.0
• docker pull public.ecr.aws/aquasecurity/trivy:0.20.0
• docker pull aquasec/trivy:latest
• docker pull ghcr.io/aquasecurity/trivy:latest
• docker pull public.ecr.aws/aquasecurity/trivy:latest

---

This discussion was created from the release v0.20.0.