v0.32.0 #2899

aqua-bot · 2022-09-16T14:16:01Z

aqua-bot
Sep 16, 2022
Maintainer

🚀 What's new? 🚀

👽 C/C++ Conan support 👨‍🦰

Trivy now scans C/C++ dependencies installed using the Conan package manager 🕵️

$ trivy fs ./conan.lock 
2022-09-16T16:02:17.501+0300    INFO    Vulnerability scanning is enabled
2022-09-16T16:02:17.578+0300    INFO    Number of language-specific files: 1
2022-09-16T16:02:17.578+0300    INFO    Detecting conan vulnerabilities...

conan.lock (conanlock)
======================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                          Title                          │
├─────────┼───────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ openssl │ CVE-2022-0778 │ HIGH     │ 1.1.1k            │ 1.1.1n, 3.0.2 │ openssl: Infinite loop in BN_mod_sqrt() reachable when  │
│         │               │          │                   │               │ parsing certificates                                    │
│         │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0778               │
│         ├───────────────┼──────────┤                   ├───────────────┼─────────────────────────────────────────────────────────┤
│         │ CVE-2021-4160 │ MEDIUM   │                   │ 1.1.1m, 3.0.3 │ openssl: Carry propagation bug in the MIPS32 and MIPS64 │
│         │               │          │                   │               │ squaring procedure                                      │
│         │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-4160               │
└─────────┴───────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

🐘 Java Gradle support ☕️

Trivy now scans Java dependencies installed using the Gradle build system.

$ trivy fs ./integration/testdata/fixtures/fs/gradle/gradle.lockfile
2022-09-16T15:59:50.034+0300    INFO    Vulnerability scanning is enabled
2022-09-16T15:59:50.450+0300    INFO    Number of language-specific files: 1
2022-09-16T15:59:50.466+0300    INFO    Detecting gradle vulnerabilities...

gradle.lockfile (gradle)
========================
Total: 66 (UNKNOWN: 1, LOW: 0, MEDIUM: 3, HIGH: 38, CRITICAL: 24)

🆒 SBOM attestation scanning from sigstore/rekor 🌐

Trivy could already scan SBOM and SBOM attestations instead of a full image scan, but now trivy can automatically discover the SBOM attestation for the target image in sigstore's Rekor transparency log! This new feature is enabled using the --sbom-attestation flag on the image target.

$ trivy image --debug --sbom-sources rekor otms61/alpine:3.7.3
2022-09-16T17:37:13.258+0900	INFO	Vulnerability scanning is enabled
2022-09-16T17:37:13.258+0900	INFO	Secret scanning is enabled
2022-09-16T17:37:13.258+0900	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-16T17:37:13.258+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-09-16T17:37:14.827+0900	INFO	Detected SBOM format: cyclonedx-json
2022-09-16T17:37:14.901+0900	INFO	Found SBOM (cyclonedx) attestation in Rekor
2022-09-16T17:37:14.903+0900	INFO	Detected OS: alpine
2022-09-16T17:37:14.903+0900	INFO	Detecting Alpine vulnerabilities...
2022-09-16T17:37:14.907+0900	INFO	Number of language-specific files: 0
2022-09-16T17:37:14.908+0900	WARN	This OS version is no longer supported by the distribution: alpine 3.7.3
2022-09-16T17:37:14.908+0900	WARN	The vulnerability detection may be insufficient because security updates are not provided

otms61/alpine:3.7.3 (alpine 3.7.3)
==================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
│            │                │          │                   │               │ adjustment im ......                                     │
│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
├────────────┤                │          │                   │               │                                                          │
│ musl-utils │                │          │                   │               │                                                          │
│            │                │          │                   │               │                                                          │
│            │                │          │                   │               │                                                          │
└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

See here for the detail.

⚠️ EXPERIMENTAL: This feature might change without preserving backwards compatibility.

📜 SPDX SBOM scanning 🔍

This release adds support for scan SBOM documents in SPDX format. (This feature joins trivy's existing support for scanning SBOM in CycloneDX format).

$ trivy image --format spdx-json --output spdx.json alpine:3.10.2
$ trivy sbom ./spdx.json
2022-09-15T12:50:15.463+0300    INFO    Vulnerability scanning is enabled
2022-09-15T12:50:15.464+0300    INFO    Detected SBOM format: spdx-json
2022-09-15T12:50:15.506+0300    INFO    Detected OS: alpine
2022-09-15T12:50:15.506+0300    INFO    Detecting Alpine vulnerabilities...
2022-09-15T12:50:15.506+0300    INFO    Number of language-specific files: 0

spdx.json (alpine 3.10.2)
=========================
Total: 1 (CRITICAL: 1)

┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ apk-tools │ CVE-2021-36159 │ CRITICAL │ 2.10.4-r2         │ 2.10.7-r0     │ libfetch before 2021-07-26, as used in apk-tools, xbps, and │
│           │                │          │                   │               │ other products, mishandles...                               │
│           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-36159                  │
└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

See here for the detail.

🧅 Identify layer of detected secrets 👈

When Trivy scans for secrets in container images, it will now show which layer introduced that secret. For convenience, the layer is presented as the Dockerfile line that created it. This is especially useful when finding detected secrets originate in deleted layers.

Note: Detecting deleted secrets was introduced in v0.31.0, but it had an issue. It shows the layer command instead of indicating the secret is deleted or not.

/secret.txt (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: AWS (aws-access-key-id)
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
AWS Access Key ID
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 /secret.txt:1 (added by 'echo "AWS_ACCESS_KEY_ID=AKIA0123456789ABCDEF" > secret.txt')
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ AWS_ACCESS_KEY_ID=********************
   2   
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

🐆 Support file patterns for package scanning *️⃣

You can now specify file patterns Trivy should consider in vulnerability scanning using the --file-patterns flag. Previously this flag only worked for misconfiguration scanning. For example trivy image myimage --file-patterns "pip:requirements-.*\.txt" will enable trivy to scan the file requirements-something.txt for python pip vulnerabilityes.

See here for the detail.

Thanks to @jerbob92 for the contribution: #2539

✍️ Sign released artifacts 📦

Beginning with this release, all release artifacts will be cryptographically signed using sigstore/cosign. This allows users to verify the integrity of artifacts before using them.

Thanks to @JAORMX for the contribution: #2789

🌲 Show dependency graph of Rust binaries 🦀

In the previous release Trivy gained support for scanning binaries built with Rust and cargo-auditable. This release adds support for identifying the origin of Rust dependencies with the --dependency-tree.

$ trivy image --dependency-tree your-image-including-rust-binaries
...
Dependency Origin Tree
======================
rustpython
├── [email protected], (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
│   └── [email protected]
│       └── [email protected]
├── [email protected], (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
│   └── [email protected]
│       ├── [email protected]
│       └── [email protected]
│           └── [email protected]
├── [email protected], (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
│   └── [email protected]
│       └── [email protected]
│           ├── [email protected]
│           └── [email protected]
│               └── [email protected]
└── [email protected], (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
    └── [email protected]
        └── [email protected]

⎈ Kubernetes resources for deprecated and removal APIs 💀

When Trivy scans Kubernetes resources it can now alert when the resource is using a deprecated (or about to be) API, and will also suggest the recommended newer version.

$ trivy fs ./scanjob.yaml

scanjob.yaml (kubernetes)

Tests: 79 (SUCCESSES: 66, FAILURES: 13, EXCEPTIONS: 0)
Failures: 13 (UNKNOWN: 0, LOW: 10, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

HIGH: apiVersion 'batch/v1beta1' and kind ‘CronJob' should be replaced with the new API ‘batch.v1.CronJob'
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
apiVersion 'batch/v1beta1' and kind 'CronJob' has been deprecated on: 'v1.21' and planned for removal on:'v1.25'

See https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/api/batch/v1beta1/zz_generated.prerelease-lifecycle.go
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 scanjob.yaml:1-5
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ apiVersion: batch/v1beta1
   2 │ kind: CronJob
   3 │ metadata:
   4 │   name: hello
   5 └ spec:
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

🐛 Bug fixes 🐞

Scan tarred dependencies (fix: Scan tarred helm dependencies #2857)
Fix url validaton failures (fix: url validaton failures #2783)
Add logic to detect empty layers (fix(image): add logic to detect empty layers #2790)

This discussion was created from the release v0.32.0.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v0.32.0 #2899

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 0 comments

Select a reply

v0.32.0 #2899

aqua-bot Sep 16, 2022 Maintainer

🚀 What's new? 🚀

👽 C/C++ Conan support 👨‍🦰

🐘 Java Gradle support ☕️

🆒 SBOM attestation scanning from sigstore/rekor 🌐

📜 SPDX SBOM scanning 🔍

🧅 Identify layer of detected secrets 👈

🐆 Support file patterns for package scanning *️⃣

✍️ Sign released artifacts 📦

🌲 Show dependency graph of Rust binaries 🦀

⎈ Kubernetes resources for deprecated and removal APIs 💀

🐛 Bug fixes 🐞

Replies: 0 comments

aqua-bot
Sep 16, 2022
Maintainer