v0.45.0

[aqua-bot]

🚀 What's new? 🚀

🌳 Dependency graph support for pom.xml 🕸️

Trivy has introduced graph support for pom.xml, enhancing its existing capabilities to identify origin of vulnerable package. This feature allows users to view the reversed dependency origin tree for their Java projects, providing a clearer understanding of the dependencies and their associated vulnerabilities.

Usage:

$ trivy fs --dependency-tree .
...

pom.xml
├── net.minidev:json-smart:2.4.7, (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
│ └── com.nimbusds:nimbus-jose-jwt:4.41
└── org.yaml:snakeyaml:1.29, (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 2, CRITICAL: 0)
 └── ...(omitted)...
 └── org.springframework.boot:spring-boot-starter-amqp:2.1.9.RELEASE

See here for more details.

🍎 Vulnerability Detection for CocoaPods 🛡️

Trivy has expanded its support to include vulnerability detection for CocoaPods, a dependency manager for Swift and Objective-C. With this update, users can now scan their Podfile.lock to identify and address potential vulnerabilities in their projects.

Example of Vulnerability Detection:

$ trivy fs ./Podfile.lock 
2023-08-25T12:17:43.021+0600 INFO Vulnerability scanning is enabled
...
Podfile.lock (cocoapods)
========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability │ Severity │ Status │ Installed Version │     Fixed Version      │                         Title                          │
├────────────────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────┤
│ _NIODataStructures │ CVE-2022-3215 │ MEDIUM   │ fixed  │ 2.41.0            │ 2.29.1, 2.39.1, 2.42.0 │ SwiftNIO vulnerable to Improper Neutralization of CRLF │
│                    │               │          │        │                   │                        │ Sequences in HTTP Headers ('HTTP...                    │
│                    │               │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-3215              │
└────────────────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────────────┴────────────────────────────────────────────────────────┘

See here for more details.

📦 Swift Package Manager Support 🐦

Trivy now offers support for Swift's Package.resolved files. This enhancement ensures that users can scan their Swift projects' resolved packages for SBOM and vulnerabilities. The update provides a detailed view of the vulnerabilities associated with each package, enhancing the security overview for Swift projects.

Example of Vulnerability Detection:

$ trivy fs Package.resolved
2023-08-23T15:44:40.465+0600 INFO Vulnerability scanning is enabled
...

Package.resolved (swift)
========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability │ Severity │ Status │ Installed Version │     Fixed Version      │                         Title                          │
├────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────┤
│ github.com/apple/swift-nio │ CVE-2022-3215 │ MEDIUM   │ fixed  │ 2.41.0            │ 2.29.1, 2.39.1, 2.42.0 │ SwiftNIO vulnerable to Improper Neutralization of CRLF │
│                            │               │          │        │                   │                        │ Sequences in HTTP Headers ('HTTP...                    │
│                            │               │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-3215              │
└────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────────────┴────────────────────────────────────────────────────────┘

See here for more details.

🧶 License support for Yarn Projects 📜

Trivy has enhanced its capabilities by introducing license parsing for projects that use the Yarn package manager. Previously, dependency licenses in Yarn projects were not parsed. With this update, Trivy can now scan licenses for packages from the cache folders .yarn (for Yarn 2+) and node_modules (Yarn classic).

See here for more details.

📄 Enhanced .trivyignore support 📁

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

Trivy now supports a structured ignore file format with .trivyignore.yaml. This enhancement allows users to specify vulnerabilities and other security findings to ignore in a more structured manner.

Example of .trivyignore.yaml:

vulnerabilities:
 - id: CVE-2023-30861
   paths:
   - "pkg/fanal/analyzer/language/python/poetry/testdata/happy/poetry.lock"
   - "pkg/fanal/analyzer/language/python/pip/testdata/requirements.txt"
   statement: Accept the risk
 - id: CVE-2023-37920
 - id: GHSA-5crp-9r3c-p9vr
   expired_at: 2023-09-01
misconfigurations:
 - id: AVD-DS-0001
 - id: AVD-DS-0002
   paths:
   - docs/Dockerfile
   statement: The container image needs root privileges

Users can specify paths and other attributes. This feature is still experimental, and users need to explicitly specify the file path to enable this feature. If the file extension is .yml or .yaml, Trivy will parse it in the YAML format. Otherwise, it will be treated as the legacy .trivyignore.

Usage:

$ trivy repo --ignorefile .trivyignore.yaml .

See here for more details.

📦 Bitnami components scanning enhancement 🚢

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

Trivy has expanded its scanning capabilities by adding support for scanning Bitnami applications. With this update, When scanning an image packaged by Bitnami, Trivy will automatically detect embedded Bitnami SPDX SBOM files and scan them using the Bitnami vulnerability database. This ensures a comprehensive vulnerability assessment for projects that utilize Bitnami components.

Example:

$ trivy image bitnami/node:20.4.0
...

opt/bitnami/node (bitnami)
==========================
Total: 1 (CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────┬───────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │      Fixed Version       │                         Title                         │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────┼───────────────────────────────────────────────────────┤
│ node    │ CVE-2023-32002 │ CRITICAL │ fixed  │ 20.4.0            │ 16.20.1, 18.17.0, 20.5.0 │ Permissions policies can be bypassed via Module._load │
│         │                │          │        │                   │                          │ https://avd.aquasec.com/nvd/cve-2023-32002            │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────┴───────────────────────────────────────────────────────┘

See here for more details.

Thanks to @juan131

📁 Add location details for Conan 📍

With this update, Trivy enhances its capability to pinpoint the location of dependencies within the conan.lock file used by the Conan package manager.

See here for more details.

🛠️ Version Endpoint for Trivy Server 📊

Trivy Server has introduced a new endpoint to retrieve the versions of Trivy and its database. This enhancement provides users with an easy way to check the current version of Trivy and the associated database versions. By accessing this endpoint, users can obtain detailed version information, including the next update time and the time of the last update.

Example of Version Endpoint Output:

$ curl -s 0.0.0.0:8080/version | jq
{
 "Version": "dev",
 "VulnerabilityDB": {
   "Version": 2,
   "NextUpdate": "2023-07-25T14:15:29.876639806Z",
   "UpdatedAt": "2023-07-25T08:15:29.876640206Z",
   "DownloadedAt": "2023-07-25T09:36:25.599004Z"
 },
 "JavaDB": {
   "Version": 1,
   "NextUpdate": "2023-07-28T01:03:52.169192565Z",
   "UpdatedAt": "2023-07-25T01:03:52.169192765Z",
   "DownloadedAt": "2023-07-25T09:37:48.906152Z"
 },
 "PolicyBundle": {
   "Digest": "sha256:829832357626da2677955e3b427191212978ba20012b6eaa03229ca28569ae43",
   "DownloadedAt": "2023-07-23T11:40:33.122462Z"
 }
}

⎈ Kubernetes - Exclude owner reference objects 🚩

Trivy k8s now support exclusion of Kubernetes objects that have an owner reference.
It is very useful when a user want to filter out resources that are managed or owned by other objects.

Usage:

trivy k8s cluster --exclude-owned  --report summary 

Thanks @thapabishwa for the contribution

🐿️ Support scanning .tf.json files 🍄

Trivy now supports scanning terraform files in JSON format for example:

{
    "resource": {
        "aws_instance": {
            "example": {
                "instance_type": "t2.micro",
                "ami": "ami-abc123"
            }
        }
    }
}

🎮 Show Terraform resource name in scan results 🐬

Trivy now shows more context around a terraform scan result by mentioning the resource name that was found. This is helpful when you have multiple resources of the same kind.

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 terraform-aws-modules/security-group/aws/main.tf:197-204
  via aws-security-groups.tf:1-13 (module.aws-security-groups["db1"])  // <-- added
────────────────────────────────────────
 191   resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
 ...   
 197 ┌   cidr_blocks = split(
 198 │     ",",
 199 │     lookup(
 200 │       var.ingress_with_cidr_blocks[count.index],
 201 │       "cidr_blocks",
 202 │       join(",", var.ingress_cidr_blocks),
 203 └     ),
 ...   
────────────────────────────────────────

🦾 Misconfiguration scanning updates 🔖

The following improvements have been made to IaC misconfiguration checks:

• feat(aws): Adding wildcard support for cloud watch actions #5010
• fix(terraform): do not check the network policy if enable_autopilot is true #4961
• fix(misconf): Incorrect link to the bucket logging rule #4975
• bug: s3 bucket logging warnings being flagged when ignored #5004
• fix(terraform): AVD-AWS-017 false positive #4963

👷‍♂️ Notable Fixes 🛠️

• fix(terraform): panic when referring to a resource instance with a non-existent var #4983
• fix(sbom): cyclonedx advisory should omit null value #5041
• fix(java): add licenses for pom.xml dependencies #5071