v0.26.0

[aqua-bot]

🚀 What's new? 🚀

🦍 Scan go.mod in Go 1.17+

Trivy now scans go.mod in Go 1.17+ projects. It detects only transitively-imported packages and provides more accurate detection. It used to include all transitive packages that are actually not imported in Go 1.16 or less projects.

https://go.dev/doc/go1.17#go-command

If a module specifies go 1.17 or higher in its go.mod file, its go.mod file now contains an explicit require directive for every module that provides a transitively-imported package.

$ head -n 7 go.mod
module github.com/aquasecurity/trivy

go 1.18

require (
        github.com/CycloneDX/cyclonedx-go v0.5.0
        github.com/Masterminds/sprig/v3 v3.2.2

$ trivy fs ./go.mod
2022-04-14T14:45:15.768+0300    INFO    Number of language-specific files: 1
2022-04-14T14:45:15.768+0300    INFO    Detecting gomod vulnerabilities...

go.mod (gomod)
==============
Total: 2 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+----------------------------------+------------------+----------+--------------------+-----------------------+---------------------------------------+
|             LIBRARY              | VULNERABILITY ID | SEVERITY | INSTALLED VERSION  |     FIXED VERSION     |                 TITLE                 |
+----------------------------------+------------------+----------+--------------------+-----------------------+---------------------------------------+
| github.com/containerd/containerd | CVE-2022-23648   | HIGH     | 1.5.9              | 1.4.13, 1.5.10, 1.6.1 | containerd: insecure                  |
|                                  |                  |          |                    |                       | handling of image volumes             |
|                                  |                  |          |                    |                       | -->avd.aquasec.com/nvd/cve-2022-23648 |
+----------------------------------+------------------+----------+--------------------+-----------------------+---------------------------------------+

Note: Go 1.17+ must be specified in your go.mod, not your Go CLI version.

In Go 1.16 or less projects, Trivy takes direct dependencies from go.mod and indirect dependencies from go.sum.

For more detail, see here.

Kudos to @jerbob92

🦙 Support distroless images based on Alpine LInux

Trivy uses the repository version in /etc/apk/repositories so that it can scan distroless images based on Alpine Linux.

$ trivy image ghcr.io/distroless/git
2022-04-14T14:49:16.640+0300    INFO    Detected OS: alpine
2022-04-14T14:49:16.640+0300    INFO    This OS version is not on the EOL list: alpine 3.16
2022-04-14T14:49:16.640+0300    INFO    Detecting Alpine vulnerabilities...
2022-04-14T14:49:16.668+0300    INFO    Number of language-specific files: 1
2022-04-14T14:49:16.668+0300    INFO    Detecting gobinary vulnerabilities...

ghcr.io/distroless/git (alpine edge)
====================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| git     | CVE-2022-24765   | MEDIUM   | 2.35.1-r2         | 2.35.2-r0     | Git for Windows is a                  |
|         |                  |          |                   |               | fork of Git containing                |
|         |                  |          |                   |               | Windows-specific patches. ...         |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-24765 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
...

🐞 Bug fixes 🐛

• Fixed panic when scanning .egg archive (fix(python): fixed panic when scan .egg archive #1992)

Changelog

• a0047a7 feat(alpine): warn mixing versions (feat(alpine): warn mixing versions #2000)
• d786655 Update ASFF template (fix(asff.tpl): Issues with importing/converting ASFF #1914)
• a02cf65 chore(deps): replace containerd/containerd version to fix CVE-2022-23648 (chore(deps): replace containerd/containerd version to fix CVE-2022-23648 #1994)
• 613e38c chore(deps): bump alpine from 3.15.3 to 3.15.4 (chore(deps): bump alpine from 3.15.3 to 3.15.4 #1993)
• 3b6d65b test(go): add integration tests for gomod (test(go): add integration tests for gomod #1989)
• 22f5b93 fix(python): fixed panic when scan .egg archive (fix(python): fixed panic when scan .egg archive #1992)
• 485637c fix(go): set correct go modules type (fix(go): set correct go modules type #1990)
• 6fdb554 feat(alpine): support apk repositories (feat(alpine): support apk repositories #1987)
• d9bddb9 docs: add CBL-Mariner (docs: add CBL-Mariner #1982)
• 1cf1873 docs(go): fix version (docs(go): fix version #1986)
• d77dbe8 feat(go): support go.mod in Go 1.17+ (feat(go): support go.mod in Go 1.17+ #1985)
• 32bd1e4 ci: fix URLs in the PR template (chore: fix URLs in the PR template #1972)
• 94a5a18 ci: add semantic pull requests check (ci: add semantic pull requests check #1968)
• 72d94b2 docs(issue): added docs for wrong detection issues (docs(issue): added docs for wrong detection issues #1961)

---

This discussion was created from the release v0.26.0.