v0.57.0 #7857

aqua-bot · 2024-11-02T03:37:25Z

aqua-bot
Nov 2, 2024
Maintainer

📑 Table of Contents

💔 Breaking Changes 💔
- 🚫 Error Out When Specified Ignore File is Missing 📂
- 🐾 Dropping support for "Exceptions" in misconfiguration scanning ⚠️
- ☸ Kubernetes Pod report supports multiple containers 📦
🚀 What's new? 🚀
- 🔐 New trivy registry Command for Authentication 🔑
- 🧩 Enhanced CycloneDX Reports with File Checksums 🔗
- 🏴󠁩󠁤󠁪󠁷󠁿 Trivy now supports trimming whitespace in pom.xml file fields 👾
- 📜 Gitlab template supports operating_system field for OS packages ✂️
- 🐦 Ubuntu 24.10 is now supported 🟠
- 🔍 Show misconfig ID in table output 🏷️
- 🌐 Handle publicNetworkAccess for Azure Storage Account 🔒
- 🕵️‍♂️ Detect secrets leaks in Dockerfile 🐳

💔 Breaking Changes 💔

🚫 Error Out When Specified Ignore File is Missing 📂

This update introduces a check for the --ignorefile option, ensuring that if the specified ignore file is missing, Trivy will now display an error. This change enhances usability by notifying users of missing custom ignore files, though the default ignore file behavior remains unaffected.

Thanks to @sgaist.

🐾 Dropping support for "Exceptions" in misconfiguration scanning ⚠️

We have previously announced intention to deprecate conftest style Exceptions. In this release we have removed Exceptions from misconfiguration scanning report.

Before

main.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 7, EXCEPTIONS: 1)
Failures: 7 (UNKNOWN: 0, LOW: 2, MEDIUM: 1, HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls

After

main.tf (terraform)

Tests: 7 (SUCCESSES: 0, FAILURES: 7)
Failures: 7 (UNKNOWN: 0, LOW: 2, MEDIUM: 1, HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls

NB Ignores are still listed as part of the regular log output

2024-10-23T13:46:30-06:00       INFO    [terraform executor] Ignore finding     rule="aws-s3-encryption-customer-key" range="main.tf:13-21"

☸ Kubernetes Pod report supports multiple containers 📦

This release adds support for scanning multi-container Kubernetes Pods. In order to aggregate findings from multiple containers in the same report, the Findings[].Metadata field for Pods, which used to be an object describing a single pod, has changed to an array of objects each describing a pod. See example output in the feature announcement below.

Report before change

{
  "ClusterName": "",
  "Findings": [
    {
      "Namespace": "default",
      "Kind": "Pod",
      "Name": "nginx-fluentd-pod",
      "Metadata": {
        "OS": {
          "Family": "debian",
          "Name": "12.6"
        },
          "RepoTags": [
            "nginx:latest"
          ],
          "DiffIDs": []
      },
      "Results": [
        {
          "Target": "nginx:latest (debian 12.6)",
          "Class": "os-pkgs",
          "Type": "debian",
          "Packages": [],
          "Vulnerabilities": []
        },
        {
          "Target": "fluent/fluentd:v1.17-armhf-debian (debian 12.6)",
          "Class": "os-pkgs",
          "Type": "debian",
          "Packages": [],
          "Vulnerabilities": []
        },
        {
          "Target": "Ruby",
          "Class": "lang-pkgs",
          "Type": "gemspec",
          "Packages": [],
          "Vulnerabilities": []
        }
      ]
    }
  ]
}

Report after change

{
  "ClusterName": "",
  "Findings": [
    {
      "Namespace": "default",
      "Kind": "Pod",
      "Name": "nginx-fluentd-pod",
      "Metadata": [
        {
          "OS": {
            "Family": "debian",
            "Name": "12.6"
          },
          "RepoTags": [
            "nginx:latest"
          ],
          "DiffIDs": []
        },
        {
          "OS": {
            "Family": "debian",
            "Name": "12.6"
          },
          "RepoTags": [
            "fluent/fluentd:v1.17-armhf-debian"
          ],
          "DiffIDs": []
        }
      ],
      "Results": [
        {
          "Target": "nginx:latest (debian 12.6)",
          "Class": "os-pkgs",
          "Type": "debian",
          "Packages": [],
          "Vulnerabilities": []
        },
        {
          "Target": "fluent/fluentd:v1.17-armhf-debian (debian 12.6)",
          "Class": "os-pkgs",
          "Type": "debian",
          "Packages": [],
          "Vulnerabilities": []
        },
        {
          "Target": "Ruby",
          "Class": "lang-pkgs",
          "Type": "gemspec",
          "Packages": [],
          "Vulnerabilities": []
        }
      ]
    }
  ]
}

Thanks @smtan-gl

🚀 What's new? 🚀

🔐 New `trivy registry` Command for Authentication 🔑

This release introduces the trivy registry command, providing an alternative to docker login and docker logout for environments without container runtimes like Docker. Now, you can authenticate directly with Trivy to access private container registries.

$ cat ~/my_password.txt | trivy registry login --username foo --password-stdin ghcr.io
$ trivy image ghcr.io/your/private_image
$ trivy registry logout ghcr.io

For more details, please refer to the document

🧩 Enhanced CycloneDX Reports with File Checksums 🔗

This update enriches CycloneDX SBOMs by adding file checksums (such as SHA-1), a feature previously exclusive to SPDX reports. Now, JAR files and other relevant files in CycloneDX reports include checksums, boosting traceability and ensuring integrity verification across software components.

Thanks to @Churro for implementing this change.

🏴󠁩󠁤󠁪󠁷󠁿 Trimming whitespace in `pom.xml` file fields 👾

Trivy now correctly followed Maven (mnv) behavior of trimming leading and trailing whitespace for pom.xmlfields (ArtifactID, GroupID, etc).

Thanks @sgaist

📜 GitLab template supports `operating_system` field for OS packages ✂️

Trivy now populates the operating_system field for OS package vulnerabilities.

Thanks @aarongoldenthal

🐦 Ubuntu 24.10 is now supported 🟠

Trivy correctly detects vulnerabilities for Ubuntu 24.10.

Thanks @itsdean

🔍 Show misconfig ID in table output 🏷️

Trivy now includes misconfiguration IDs directly in the table output, making it easier to reference or ignore specific issues.

AVD-XYZ-0123 (HIGH): Oh no, a bad config.
════════════════════════════════════════
Your config file is not good.

See https://google.com/search?q=bad%20config
────────────────────────────────────────
 my-file
────────────────────────────────────────
   1   
   2 [ bad: true
   3   
────────────────────────────────────────

🌐 Handle `publicNetworkAccess` for Azure Storage Account 🔒

Added a check for public network access to storage accounts. By default, storage accounts allow connections from any network, potentially exposing sensitive data. This update ensures that public access is appropriately restricted where needed.

🕵️‍♂️ Detect secrets leaks in Dockerfile 🐳

Added a check for potential secrets leakage in Dockerfiles. This check is triggered in the following cases:

Using secret environment variables in ARG or ENV instructions.

ARG GITHUB_TOKEN

Copying secret files (e.g., AWS credentials) into the image with COPY.

ENV AWS_CONFIG_FILE=/.aws/config
COPY ./config $AWS_CONFIG_FILE

Setting credentials via the RUN command.

RUN aws configure set aws_access_key_id test-id && \
    aws configure set aws_secret_access_key test-key

This check can accept custom environment variables:

❯ cat my-envs.yaml
ds031:
  included_envs: ["MY_SECRET"]

❯ cat Dockerfile.custom
from alpine

arg MY_SECRET

❯ trivy conf -d Dockerfile.custom --config-data my-envs.yaml
CRITICAL: Possible exposure of secret env "MY_SECRET" in ARG
═══════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile.custom:3
───────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 [ arg MY_SECRET
───────────────────────────────────────────────────────────────────────────────────────────────────────────

These measures help prevent the accidental exposure of sensitive information during the build process.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v0.57.0 #7857

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 0 comments

Select a reply

v0.57.0 #7857

aqua-bot Nov 2, 2024 Maintainer

📑 Table of Contents

💔 Breaking Changes 💔

🚫 Error Out When Specified Ignore File is Missing 📂

🐾 Dropping support for "Exceptions" in misconfiguration scanning ⚠️

Before

After

☸ Kubernetes Pod report supports multiple containers 📦

🚀 What's new? 🚀

🔐 New trivy registry Command for Authentication 🔑

🧩 Enhanced CycloneDX Reports with File Checksums 🔗

🏴󠁩󠁤󠁪󠁷󠁿 Trimming whitespace in pom.xml file fields 👾

📜 GitLab template supports operating_system field for OS packages ✂️

🐦 Ubuntu 24.10 is now supported 🟠

🔍 Show misconfig ID in table output 🏷️

🌐 Handle publicNetworkAccess for Azure Storage Account 🔒

🕵️‍♂️ Detect secrets leaks in Dockerfile 🐳

👷‍♂️ Notable Fixes 🛠️

Replies: 0 comments

aqua-bot
Nov 2, 2024
Maintainer

🔐 New `trivy registry` Command for Authentication 🔑

🏴󠁩󠁤󠁪󠁷󠁿 Trimming whitespace in `pom.xml` file fields 👾

📜 GitLab template supports `operating_system` field for OS packages ✂️

🌐 Handle `publicNetworkAccess` for Azure Storage Account 🔒