v0.29.0

[aqua-bot]

💔 BREAKING CHANGES 💔

Change trivy k8s API

It requires cluster or all for cluster scanning.

# Root command shows help message, like other trivy subcommands
$ trivy k8s

# Scanning a full cluster (including cluster level resources)

$ trivy k8s --report=summary cluster

# Scanning namespaces

$ trivy k8s --report=summary all # scans the default namespace
$ trivy k8s --report=summary --namespace=kube-system all

See here for the detail.

Change to rego input schema for dockerfile custom policies

The rego input schema has changed to fix an issue with stage ordering in the Dockerfile parser.

Before:

type Dockerfile struct {
	Stages map[string][]Command
}

After:

type Dockerfile struct {
	Stages []Stage
}

type Stage struct {
	Name     string
	Commands []Command
}

🚀 What's new? 🚀

🧇 Extensibility using WebAssembly 🐯

Trivy has a new extensions model that allows you to customize the way vulnerabilities are detected and reported, powered by WebAssembly!
Most vulnerability scanners assume that the existence of a vulnerable package indicates your application is vulnerable, but in many cases the vulnerability may not actually affect your application - depending on the runtime version, middleware configuration, or other environmental conditions. The result is that vulnerability scanners sometimes show false positives.
For example, an application with Spring4Shell vulnerability (CVE-2022-22965) would be actually safe if it used JAR packaging and an old Java 8 version - even though your application depends on a vulnerable version of Spring Framework.

With the new extensibility model, a WebAsssembly module can inject custom detection into scanning results.
The following Trivy module for Spring4Shell detects the Tomcat and Java versions in addition to the version of Spring Framework. The module then lowers the severity because this image doesn't satisfy any of the vulnerability conditions and is not actually affected by this vulnerability.

$ trivy module install ghcr.io/aquasecurity/trivy-module-spring4shell
$ trivy image ghcr.io/aquasecurity/trivy-test-images:spring4shell-jre8
2022-06-12T12:57:13.210+0300    INFO    Loading ghcr.io/aquasecurity/trivy-module-spring4shell/spring4shell.wasm...
2022-06-12T12:57:13.596+0300    INFO    Registering WASM module: spring4shell@v1
...
2022-06-12T12:57:14.865+0300    INFO    Module spring4shell: Java Version: 8, Tomcat Version: 8.5.77
2022-06-12T12:57:14.865+0300    INFO    Module spring4shell: change CVE-2022-22965 severity from CRITICAL to LOW

See here for the detail.

⚠️ EXPERIMENTAL: This feature might change without preserving backwards compatibility.

🌴 Show origins of vulnerable dependencies 🎄

Modern software development relies on the use of third-party libraries. Third-party dependencies also depend on others so a list of dependencies can be represented as a dependency graph. In some cases, vulnerable dependencies are not linked directly, and it requires analyses of the tree. To make this task simpler Trivy can show a dependency origin tree with the --dependency-tree flag. This flag is available with the --format table flag only. It supports only Node.js (package-lock.json) as of v0.29.0.

This tree is the reverse of the npm list command. However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.

⚠️ EXPERIMENTAL: This feature might change without preserving backwards compatibility.

🎊 containerd support 🤓

When scanning container images, Trivy will try to use images from local image store before attempting to pull from registry. This local image scanning worked with Docker, and from today, it also works with contained.

$ sudo nerdctl images
REPOSITORY        TAG       IMAGE ID        CREATED               PLATFORM       SIZE         BLOB SIZE
knqyf263/nginx    latest    2bcabc23b454    57 seconds ago        linux/amd64    149.1 MiB    54.1 MiB
$ trivy image knqyf263/nginx

ℹ️ Rootless containerd is not yet supported.

⛵ Helm Chart scanning 🗺️

Trivy now supports scanning Helm Charts as directories or tarballs (tar, tgz, tar.gz).

Helm charts are rendered into the Kubernetes manifest files that will be applied and any configuration issues displayed for the manifest that would be used.

trivy fs --security-checks config consul.tar.gz 
2022-06-14T11:13:31.789+0100	INFO	Detected config files: 6

consul.tar.gz:templates/consul-statefulset.yaml (helm)

Tests: 34 (SUCCESSES: 22, FAILURES: 12, EXCEPTIONS: 0)
Failures: 12 (UNKNOWN: 0, LOW: 10, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

MEDIUM: Container 'consul' of StatefulSet 'consul' should set 'securityContext.allowPrivilegeEscalation' to false
═══════════════════════════════════════════════════════════════════════════════════════════════
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.

See https://avd.aquasec.com/misconfig/ksv001
───────────────────────────────────────────────────────────────────────────────────────────────
 consul.tar.gz:templates/consul-statefulset.yaml:45-107
───────────────────────────────────────────────────────────────────────────────────────────────
  45 ┌       - name: "consul"
  46 │         image: "consul:1.5.3"
  47 │         imagePullPolicy: "Always"
  48 │         ports:
  49 │         - name: http
  50 │           containerPort: 8500
  51 │         - name: rpc
  52 │           containerPort: 8400
  53 └         - name: serflan-tcp
  ..   
───────────────────────────────────────────────────────────────────────────────────────────────


LOW: Container 'consul' of StatefulSet 'consul' should add 'ALL' to 'securityContext.capabilities.drop'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
The container should drop all default capabilities and add only those that are needed for its execution.

See https://avd.aquasec.com/misconfig/ksv003
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 consul.tar.gz:templates/consul-statefulset.yaml:45-107
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  45 ┌       - name: "consul"
  46 │         image: "consul:1.5.3"
  47 │         imagePullPolicy: "Always"
  48 │         ports:
  49 │         - name: http
  50 │           containerPort: 8500
  51 │         - name: rpc
  52 │           containerPort: 8400
  53 └         - name: serflan-tcp
  ..   
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
... results truncated ...

ℹ️ Support for injecting values files will be added in future releases.

🖌️ Kubernetes secret scanning 📟

trivy k8s now finds exposed secrets in container images.

$ trivy k8s --report=summary all
3 / 3 [------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1 p/s

Summary Report for minikube
┌───────────┬─────────────────┬─────────────────────┬────────────────────┬───────────────────┐
│ Namespace │    Resource     │   Vulnerabilities   │ Misconfigurations  │      Secrets      │
│           │                 ├───┬───┬────┬────┬───┼───┬───┬───┬────┬───┼───┬───┬───┬───┬───┤
│           │                 │ C │ H │ M  │ L  │ U │ C │ H │ M │ L  │ U │ C │ H │ M │ L │ U │
├───────────┼─────────────────┼───┼───┼────┼────┼───┼───┼───┼───┼────┼───┼───┼───┼───┼───┼───┤
│ default   │ Deployment/lua  │   │   │ 33 │ 50 │   │   │   │ 2 │ 10 │   │   │ 2 │   │   │   │
└───────────┴─────────────────┴───┴───┴────┴────┴───┴───┴───┴───┴────┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

🔥 RBAC scanning

Trivy now scans Kubernetes RBAC roles in filesystem and it will identify security issues such as permissive or risky role definitions or other RBAC related security best practices.

$ trivy fs --security-checks config /roles

shell_access_role.yaml (rbac)

Tests: 16 (SUCCESSES: 15, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Role permits getting shell on pods
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Check whether role permits getting shell on pods

See https://avd.aquasec.com/misconfig/ksv053
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 shell_access_role.yaml:8-13
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   8 ┌ - apiGroups:
   9 │   - "*"
  10 │   resources:
  11 │   - pods/exec
  12 │   verbs:
  13 └   - create
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

🐛 Bug fixes 🐞

• fix(flag): remove --clear-cache flag client mode (fix(flag): remove --clear-cache flag client mode #2301)
• fix(java): added check for looping for variable evaluation in pom file (fix(java): added check for looping for variable evaluation in pom file #2322)
• fix(kubernetes): do not exit if one resource is not found (fix: do not exit if one resource is not found #2311)
• fix(kubernetes): Support floats in manifest yaml (fix(kubernetes): Support floats in manifest yaml #2297)
• fix(cache): mask redis credentials when logging (fix: mask redis credentials when logging #2264)
• fix(cyclonedx): fixed incorrect CycloneDX output format (fix: fixed incorrect CycloneDX output format #2255)
• fix(k8s): timeout error logging (fix(k8s): timeout error logging #2179)
• fix(k8s): properly instantiate TableWriter (fix(k8s): properly instantiate TableWriter #2175)
• fix(report): fixed panic if all misconf reports were removed in filter (fix(report): fixed panic if all misconf reports were removed in filter #2188)
• fix(redhat): always use vulns with fixed version if there is one (fix(redhat): always use vulns with fixed version if there is one #2165)
• fix(misconf) misconfig start line for code quality tpl (fix(report): misconfig start line for code quality tpl #2181)

Changelog

• cb76acb fix(lang): fix dependency graph in client server mode (fix(lang): fix dependency graph in client server mode #2336)
• 3d2fc78 feat: allow expiration date for .trivyignore entries (feat: allow expiration date for .trivyignore entries #2332)
• 3e3c119 feat(lang): add dependency origin graph (feat(lang): add dependency origin graph #1970)
• 685a92e docs: update nix installation info (docs: update nix installation info #2331)
• 1e0b03d feat: add rbac scanning support (feat: add rbac scanning support #2328)
• c9f9a9c refactor: move WordPress module to another repository (refactor: move WordPress module to another repository #2329)
• bcc231d ci: add support for ppc64le (ci: add support for ppc64le #2281)
• 7cecade feat: add support for WASM modules (feat: add support for WASM modules #2195)
• a02c06b feat(secret): show recommendation for slow scanning (feat(secret): show recommendation for slow scanning #2051)
• e858812 fix(flag): remove --clear-cache flag client mode (fix(flag): remove --clear-cache flag client mode #2301)
• 276daae fix(java): added check for looping for variable evaluation in pom file (fix(java): added check for looping for variable evaluation in pom file #2322)
• 546e7bd BREAKING(k8s): change CLI API (BREAKING(k8s): change CLI API #2186)
• b69c4de feat(alpine): add Alpine Linux 3.16 (feat(alpine): add Alpine Linux 3.16 #2319)
• 33b8521 docs: bump trivy-operator to v0.0.7 (docs: bump trivy-operator to v0.0.7 #2320)
• 313ade3 ci: add go mod tidy check (ci: add go mod tidy check #2314)
• b331e77 chore: run go mod tidy (chore: run go mod tidy #2313)
• bfe5c6f fix: do not exit if one resource is not found (fix: do not exit if one resource is not found #2311)
• 363a3e4 feat(cli): use stderr for all log messages (resolve All info messages should be written to stderr instead of stdout #381) (feat(cli): use stderr for all log messages #2289)
• b213956 test: replace deprecated subcommand client in integration tests (test: replace deprecated subcommand client in integration tests #2308)
• efbc968 feat: add support for containerd (feat: add support for containerd #2305)
• 9a601d4 fix(kubernetes): Support floats in manifest yaml (fix(kubernetes): Support floats in manifest yaml #2297)
• a589353 docs(kubernetes): dead links (docs(kubernetes): dead links #2307)
• f38f8d6 chore: add license label (chore: add license label #2304)
• 2b1de93 feat(mariner): added support for CBL-Mariner Distroless v2.0 (feat(mariner): added support for CBL-Mariner Distroless v2.0 #2293)
• 5423196 feat(helm): add pod annotations (feat(helm): add pod annotations #2272)
• 6fb4770 refactor: do not import defsec in fanal types package (refactor: do not import defsec in fanal types package #2292)
• 4d382a0 feat(report): Add misconfiguration support to ASFF report template (feat(report): Add misconfiguration support to ASFF report template #2285)
• f1c6af3 test: use images in GHCR (test: use images in GHCR #2275)
• 0977dfc feat(helm): support pod annotations (feat(helm): support pod annotations #2265)
• 6b2cd7e feat(misconf): Helm chart scanning (feat(misconf): Helm chart scanning #2269)
• 3912768 docs: Update custom rego policy docs to reflect latest defsec/fanal changes (docs: Update custom rego policy docs #2267)
• a17c3ee fix: mask redis credentials when logging (fix: mask redis credentials when logging #2264)
• d8b59ef refactor: extract commands Runner interface (refactor: extract commands Runner interface #2147)
• 60a81fc chore(deps): bump alpine from 3.15.4 to 3.16.0 (chore(deps): bump alpine from 3.15.4 to 3.16.0 #2234)
• c73650d chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.2 to 0.6.0 (chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.2 to 0.6.0 #2245)
• 6cfdffd docs: update operator release (docs: update operator release #2263)
• 510ce1a chore(deps): bump github.com/urfave/cli/v2 from 2.6.0 to 2.8.1 (chore(deps): bump github.com/urfave/cli/v2 from 2.6.0 to 2.8.1 #2243)
• 92c0452 feat(redhat): added architecture check (feat(redhat): added architecture check #2172)
• 1eb73f3 docs: updating links in the docs to work again (docs: updating links in the docs to work again #2256)
• 270dc73 docs: fix readme (docs: fix readme #2251)
• a6ff0d1 fix: fixed incorrect CycloneDX output format (fix: fixed incorrect CycloneDX output format #2255)
• 67d9477 chore(deps): bump github.com/caarlos0/env/v6 from 6.9.1 to 6.9.3 (chore(deps): bump github.com/caarlos0/env/v6 from 6.9.1 to 6.9.3 #2241)
• 3e6dc37 chore(deps): bump github.com/samber/lo from 1.19.0 to 1.21.0 (chore(deps): bump github.com/samber/lo from 1.19.0 to 1.21.0 #2242)
• 2dc5c91 chore(deps): bump goreleaser/goreleaser-action from 2 to 3 (chore(deps): bump goreleaser/goreleaser-action from 2 to 3 #2240)
• 6daf62e chore(deps): bump docker/setup-buildx-action from 1 to 2 (chore(deps): bump docker/setup-buildx-action from 1 to 2 #2238)
• f9ee494 chore(deps): bump docker/setup-qemu-action from 1 to 2 (chore(deps): bump docker/setup-qemu-action from 1 to 2 #2236)
• c3e227b chore(deps): bump golang from 1.18.1 to 1.18.2 (chore(deps): bump golang from 1.18.1 to 1.18.2 #2235)
• ca39041 chore(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (chore(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 #2237)
• c676361 chore(deps): bump docker/login-action from 1 to 2 (chore(deps): bump docker/login-action from 1 to 2 #2239)
• 126fe0a chore(deps): bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.1 (chore(deps): bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.1 #2246)
• f7d0253 refactor(deps): move dependencies to package (refactor(deps): move dependencies to package #2189)
• f982167 fix(report): change github format version to required (fix(report): change github format version to required #2229)
• d3a73e4 docs: update readme (docs: update readme #2110)
• 5d5b93e docs: added information about choosing advisory database (docs: added information about choosing advisory database #2212)
• 3649850 chore: update trivy-kubernetes (chore: update trivy-kubernetes #2224)
• 3c0e354 docs: clarifying parts of the k8s docs and updating links (docs: clarifying parts of the k8s docs and updating links #2222)
• af5882b fix(k8s): timeout error logging (fix(k8s): timeout error logging #2179)
• 3d29213 chore(deps): updated fanal after fix AsymmetricPrivateKeys (fix(secret): asymmetric private keys use only base64 characters #2214)
• e18f38a feat(k8s): add --context flag (feat(k8s): add --context flag #2171)
• 0e937b5 fix(k8s): properly instantiate TableWriter (fix(k8s): properly instantiate TableWriter #2175)
• 911c5e9 test: fixed integration tests after updating testcontainers to v0.13.0 (test: fixed integration tests after updating testcontainers to v0.13.0 #2208)
• 6fd1887 chore: update labels (chore: update labels #2197)
• 4059e94 fix(report): fixed panic if all misconf reports were removed in filter (fix(report): fixed panic if all misconf reports were removed in filter #2188)
• 84af32a feat(k8s): scan secrets (feat(k8s): scan secrets #2178)
• 4ab696e feat(report): GitHub Dependency Snapshots support (feat(report): GitHub Dependency Snapshots support #1522)
• b7ec642 feat(db): added insecure skip tls verify to download trivy db (feat(db): added insecure skip tls verify to download trivy db #2140)
• 1e1ccbe fix(redhat): always use vulns with fixed version if there is one (fix(redhat): always use vulns with fixed version if there is one #2165)
• 4ceae2a chore(redhat): Add support for Red Hat UBI 9. (chore(redhat): Add support for Red Hat UBI 9. #2183)
• 4e7e842 fix(k8s): update trivy-kubernetes (fix(k8s): update trivy-kubernetes #2163)
• 089d34e fix misconfig start line for code quality tpl (fix(report): misconfig start line for code quality tpl #2181)
• bfb0f2a fix: update docker/distribution from 2.8.0 to 2.8.1 (fix(deps): update docker/distribution from 2.8.0 to 2.8.1 #2176)

---

This discussion was created from the release v0.29.0.

[isuftin]

This one is huge, boys. ❤️