From a7b7117fe2c9608e990b42e702cc83675c48f888 Mon Sep 17 00:00:00 2001
From: Aqua Security automated builds
 <54269356+aqua-bot@users.noreply.github.com>
Date: Wed, 31 Jul 2024 15:14:03 +0300
Subject: [PATCH 01/20] fix(plugin): do not call GitHub content API for
 releases and tags [backport: release/v0.54] (#7279)

Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
---
 pkg/downloader/download.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/downloader/download.go b/pkg/downloader/download.go
index 63b130a667fd..96fd3ce49008 100644
--- a/pkg/downloader/download.go
+++ b/pkg/downloader/download.go
@@ -154,7 +154,8 @@ func (t *CustomTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 func NewGitHubTransport(u *url.URL, insecure bool, token string) http.RoundTripper {
 	client := newGitHubClient(insecure, token)
 	ss := strings.SplitN(u.Path, "/", 4)
-	if len(ss) < 4 || strings.HasPrefix(ss[3], "archive/") {
+	if len(ss) < 4 || strings.HasPrefix(ss[3], "archive/") || strings.HasPrefix(ss[3], "releases/") ||
+		strings.HasPrefix(ss[3], "tags/") {
 		// Use the default transport from go-github for authentication
 		return client.Client().Transport
 	}

From f61725c28b56d80fb46395479842a2ab0c517c5f Mon Sep 17 00:00:00 2001
From: Aqua Security automated builds
 <54269356+aqua-bot@users.noreply.github.com>
Date: Wed, 31 Jul 2024 15:56:18 +0300
Subject: [PATCH 02/20] fix(java): Return error when trying to find a remote
 pom to avoid segfault [backport: release/v0.54] (#7283)

Co-authored-by: Colm O hEigeartaigh <coheigea@users.noreply.github.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
---
 pkg/dependency/parser/java/pom/parse.go | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/pkg/dependency/parser/java/pom/parse.go b/pkg/dependency/parser/java/pom/parse.go
index 550c5761c6ee..cbd7bf47db17 100644
--- a/pkg/dependency/parser/java/pom/parse.go
+++ b/pkg/dependency/parser/java/pom/parse.go
@@ -13,7 +13,7 @@ import (
 	"sort"
 	"strings"
 
-	multierror "github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-multierror"
 	"github.com/samber/lo"
 	"golang.org/x/net/html/charset"
 	"golang.org/x/xerrors"
@@ -680,18 +680,15 @@ func (p *Parser) fetchPOMFromRemoteRepositories(paths []string, snapshot bool) (
 func (p *Parser) remoteRepoRequest(repo string, paths []string) (*http.Request, error) {
 	repoURL, err := url.Parse(repo)
 	if err != nil {
-		p.logger.Error("URL parse error", log.String("repo", repo))
-		return nil, nil
+		return nil, xerrors.Errorf("unable to parse URL: %w", err)
 	}
 
 	paths = append([]string{repoURL.Path}, paths...)
 	repoURL.Path = path.Join(paths...)
 
-	logger := p.logger.With(log.String("host", repoURL.Host), log.String("path", repoURL.Path))
 	req, err := http.NewRequest("GET", repoURL.String(), http.NoBody)
 	if err != nil {
-		logger.Debug("HTTP request failed")
-		return nil, nil
+		return nil, xerrors.Errorf("unable to create HTTP request: %w", err)
 	}
 	if repoURL.User != nil {
 		password, _ := repoURL.User.Password()
@@ -709,7 +706,8 @@ func (p *Parser) fetchPomFileNameFromMavenMetadata(repo string, paths []string)
 
 	req, err := p.remoteRepoRequest(repo, mavenMetadataPaths)
 	if err != nil {
-		return "", xerrors.Errorf("unable to create request for maven-metadata.xml file")
+		p.logger.Debug("Unable to create request", log.String("repo", repo), log.Err(err))
+		return "", nil
 	}
 
 	client := &http.Client{}
@@ -739,7 +737,8 @@ func (p *Parser) fetchPomFileNameFromMavenMetadata(repo string, paths []string)
 func (p *Parser) fetchPOMFromRemoteRepository(repo string, paths []string) (*pom, error) {
 	req, err := p.remoteRepoRequest(repo, paths)
 	if err != nil {
-		return nil, xerrors.Errorf("unable to create request for pom file")
+		p.logger.Debug("Unable to create request", log.String("repo", repo), log.Err(err))
+		return nil, nil
 	}
 
 	client := &http.Client{}

From 334a1c293bb3d490af2a6d80732f399efaac22f7 Mon Sep 17 00:00:00 2001
From: Aqua Security automated builds
 <54269356+aqua-bot@users.noreply.github.com>
Date: Wed, 31 Jul 2024 17:00:38 +0300
Subject: [PATCH 03/20] fix(flag): incorrect behavior for deprected flag
 `--clear-cache` [backport: release/v0.54] (#7285)

Co-authored-by: afdesk <work@afdesk.com>
---
 pkg/flag/cache_flags.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/flag/cache_flags.go b/pkg/flag/cache_flags.go
index 074953c2ea44..9cf8403a1e56 100644
--- a/pkg/flag/cache_flags.go
+++ b/pkg/flag/cache_flags.go
@@ -80,6 +80,7 @@ type CacheOptions struct {
 // NewCacheFlagGroup returns a default CacheFlagGroup
 func NewCacheFlagGroup() *CacheFlagGroup {
 	return &CacheFlagGroup{
+		ClearCache:   ClearCacheFlag.Clone(),
 		CacheBackend: CacheBackendFlag.Clone(),
 		CacheTTL:     CacheTTLFlag.Clone(),
 		RedisTLS:     RedisTLSFlag.Clone(),

From 854c61d34a550a9fcbab3bc59e55b868c15d1962 Mon Sep 17 00:00:00 2001
From: Aqua Security automated builds
 <54269356+aqua-bot@users.noreply.github.com>
Date: Wed, 31 Jul 2024 18:52:50 +0300
Subject: [PATCH 04/20] release: v0.54.1 [release/v0.54] (#7282)

---
 .release-please-manifest.json | 2 +-
 CHANGELOG.md                  | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index 8f1dfd40939e..72245abf2f9d 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1 +1 @@
-{".":"0.54.0"}
+{".":"0.54.1"}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 04a57a25147e..5ffb38bd5cf4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,14 @@
 # Changelog
 
+## [0.54.1](https://github.com/aquasecurity/trivy/compare/v0.54.0...v0.54.1) (2024-07-31)
+
+
+### Bug Fixes
+
+* **flag:** incorrect behavior for deprected flag `--clear-cache` [backport: release/v0.54] ([#7285](https://github.com/aquasecurity/trivy/issues/7285)) ([334a1c2](https://github.com/aquasecurity/trivy/commit/334a1c293bb3d490af2a6d80732f399efaac22f7))
+* **java:** Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] ([#7283](https://github.com/aquasecurity/trivy/issues/7283)) ([f61725c](https://github.com/aquasecurity/trivy/commit/f61725c28b56d80fb46395479842a2ab0c517c5f))
+* **plugin:** do not call GitHub content API for releases and tags [backport: release/v0.54] ([#7279](https://github.com/aquasecurity/trivy/issues/7279)) ([a7b7117](https://github.com/aquasecurity/trivy/commit/a7b7117fe2c9608e990b42e702cc83675c48f888))
+
 ## [0.54.0](https://github.com/aquasecurity/trivy/compare/v0.53.0...v0.54.0) (2024-07-30)
 
 

From fcb0414e41769eaadb3e5fc3ec8b832158506017 Mon Sep 17 00:00:00 2001
From: Carson Gee <carson.gee@datarobot.com>
Date: Fri, 14 Apr 2023 14:20:17 -0600
Subject: [PATCH 05/20] Added Secrets to the HTML report

---
 contrib/html.tpl | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/contrib/html.tpl b/contrib/html.tpl
index e92b1b1cf7f5..0cfe85412ddc 100644
--- a/contrib/html.tpl
+++ b/contrib/html.tpl
@@ -137,6 +137,28 @@
       </tr>
         {{- end }}
       {{- end }}
+      {{- if (eq (len .Secrets ) 0) }}
+      <tr><th colspan="6">No Secrets found</th></tr>
+      {{- else }}
+      <tr class="sub-header">
+        <th>Category</th>
+        <th>Rule ID</th>
+        <th>Check</th>
+        <th>Severity</th>
+        <th>Match</th>
+      </tr>
+        {{- range .Secrets }}
+      <tr class="severity-{{ escapeXML .Severity }}">
+        <td class="secrets-category">{{ .Category }}</td>
+        <td>{{ escapeXML .RuleID }}</td>
+        <td class="secrets-check">{{ escapeXML .Title }}</td>
+        <td class="severity">{{ escapeXML .Severity }}</td>
+        <td style="overflow-wrap: anywhere; white-space:normal;">
+          {{ escapeXML .Match }}
+        </td>
+      </tr>
+        {{- end }}
+      {{- end }}
     {{- end }}
     </table>
 {{- else }}

From e850523eddac12718a08fee79a8dd66e72a081fc Mon Sep 17 00:00:00 2001
From: Carson Gee <carson.gee@datarobot.com>
Date: Fri, 14 Apr 2023 16:00:43 -0600
Subject: [PATCH 06/20] Added targets

---
 contrib/html.tpl | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/contrib/html.tpl b/contrib/html.tpl
index 0cfe85412ddc..76c840e02f3c 100644
--- a/contrib/html.tpl
+++ b/contrib/html.tpl
@@ -25,6 +25,9 @@
       table {
         margin: 0 auto;
       }
+      .pkg-path {
+          overflow-wrap: anywhere
+      }
       .severity {
         text-align: center;
         font-weight: bold;
@@ -52,7 +55,9 @@
       }
       a.toggle-more-links { cursor: pointer; }
     </style>
-    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }} </title>
+    <title>
+      Trivy Report - {{ now }}
+    </title>
     <script>
       window.onload = function() {
         document.querySelectorAll('td.links').forEach(function(linkCell) {
@@ -82,12 +87,14 @@
     </script>
   </head>
   <body>
-    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }}</h1>
+    <h1>Trivy Report - {{ now }}</h1>
     <table>
     {{- range . }}
-      <tr class="group-header"><th colspan="6">{{ .Type | toString | escapeXML }}</th></tr>
+    <tr class="group-header">
+      <th colspan="7">Target: {{ escapeXML .Target }} &mdash; Type: {{ escapeXML .Type }}</th>
+    </tr>
       {{- if (eq (len .Vulnerabilities) 0) }}
-      <tr><th colspan="6">No Vulnerabilities found</th></tr>
+      <tr><th colspan="7">No Vulnerabilities found</th></tr>
       {{- else }}
       <tr class="sub-header">
         <th>Package</th>
@@ -95,6 +102,7 @@
         <th>Severity</th>
         <th>Installed Version</th>
         <th>Fixed Version</th>
+        <th>Package Path</th>
         <th>Links</th>
       </tr>
         {{- range .Vulnerabilities }}
@@ -104,16 +112,17 @@
         <td class="severity">{{ escapeXML .Vulnerability.Severity }}</td>
         <td class="pkg-version">{{ escapeXML .InstalledVersion }}</td>
         <td>{{ escapeXML .FixedVersion }}</td>
+        <td class="pkg-path">{{ escapeXML .PkgPath }}</td>
         <td class="links" data-more-links="off">
           {{- range .Vulnerability.References }}
-          <a href={{ escapeXML . | printf "%q" }}>{{ escapeXML . }}</a>
+          <a href={{ escapeXML . | printf "%q" }}>{{ abbrev 50 . | escapeXML }}</a>
           {{- end }}
         </td>
       </tr>
         {{- end }}
       {{- end }}
       {{- if (eq (len .Misconfigurations ) 0) }}
-      <tr><th colspan="6">No Misconfigurations found</th></tr>
+      <tr><th colspan="7">No Misconfigurations found</th></tr>
       {{- else }}
       <tr class="sub-header">
         <th>Type</th>

From 58ce809358d3e85fb8e6e9fee10c6d26548e07ad Mon Sep 17 00:00:00 2001
From: Carson Gee <carson.gee@datarobot.com>
Date: Fri, 14 Apr 2023 16:39:41 -0600
Subject: [PATCH 07/20] Added Target and Package Path to HTML Report

---
 contrib/html.tpl | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/contrib/html.tpl b/contrib/html.tpl
index 76c840e02f3c..8c31ddce4214 100644
--- a/contrib/html.tpl
+++ b/contrib/html.tpl
@@ -26,7 +26,7 @@
         margin: 0 auto;
       }
       .pkg-path {
-          overflow-wrap: anywhere
+        white-space: normal;
       }
       .severity {
         text-align: center;
@@ -55,9 +55,7 @@
       }
       a.toggle-more-links { cursor: pointer; }
     </style>
-    <title>
-      Trivy Report - {{ now }}
-    </title>
+    <title>Trivy Report - {{ now }}</title>
     <script>
       window.onload = function() {
         document.querySelectorAll('td.links').forEach(function(linkCell) {
@@ -115,7 +113,7 @@
         <td class="pkg-path">{{ escapeXML .PkgPath }}</td>
         <td class="links" data-more-links="off">
           {{- range .Vulnerability.References }}
-          <a href={{ escapeXML . | printf "%q" }}>{{ abbrev 50 . | escapeXML }}</a>
+          <a href={{ escapeXML . | printf "%q" }}>{{ escapeXML . }}</a>
           {{- end }}
         </td>
       </tr>

From 1bb3ba40b79cfed35194ea6c5fe623dbcbe70c7e Mon Sep 17 00:00:00 2001
From: Carson Gee <carson.gee@datarobot.com>
Date: Fri, 14 Apr 2023 16:53:07 -0600
Subject: [PATCH 08/20] Improved JUnit Template with Secrets

---
 contrib/junit.tpl | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/contrib/junit.tpl b/contrib/junit.tpl
index 08e649b9eb00..a26cbfa6938a 100644
--- a/contrib/junit.tpl
+++ b/contrib/junit.tpl
@@ -2,15 +2,19 @@
 <testsuites name="trivy">
 {{- range . -}}
 {{- $failures := len .Vulnerabilities }}
-    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
+    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{ .Target }}" errors="0" skipped="0" time="">
     {{- if not (eq .Type "") }}
         <properties>
             <property name="type" value="{{ .Type }}"></property>
         </properties>
         {{- end -}}
         {{ range .Vulnerabilities }}
-        <testcase classname="{{ .PkgName }}-{{ .InstalledVersion }}" name="[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}" time="">
-            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
+        <testcase classname="{{ .PkgName | replace "/" "." }}-{{ .InstalledVersion }}" file="{{ .PkgName }}" name="[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}" time="">
+          <failure message="{{ escapeXML .Title }}" type="description">
+            Severity: {{ .Severity }}
+            Package Path (if available): {{ .PkgPath }}
+            Description: {{ escapeXML .Description }}
+          </failure>
         </testcase>
     {{- end }}
     </testsuite>
@@ -33,5 +37,19 @@
         </testcase>
     {{- end }}
     </testsuite>
+{{- $failures := len .Secrets }}
+    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
+    {{- if not (eq .Type "") }}
+        <properties>
+            <property name="type" value="{{ .Type }}"></property>
+        </properties>
+        {{- end -}}
+        {{ $Path := .Target }}
+        {{ range .Secrets }}
+        <testcase file="{{ escapeXML $Path }}" classname="{{ .Category }}" name="[{{ .Severity }}] {{ .RuleID }}" time="">
+            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Match }}</failure>
+        </testcase>
+    {{- end }}
+    </testsuite>
 {{- end }}
 </testsuites>

From 7f427d9ec1f335aeab563a0a65606fcbda9bb395 Mon Sep 17 00:00:00 2001
From: Carson Gee <carson.gee@datarobot.com>
Date: Fri, 14 Apr 2023 18:33:45 -0600
Subject: [PATCH 09/20] Added a CSV template for vulnerabilities

---
 contrib/csv.tpl | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 contrib/csv.tpl

diff --git a/contrib/csv.tpl b/contrib/csv.tpl
new file mode 100644
index 000000000000..bd1406b1be72
--- /dev/null
+++ b/contrib/csv.tpl
@@ -0,0 +1,8 @@
+Target,PackageName,VulnerabilityID,Severity,InstalledVersion,FixedVersion,PackagePath
+{{- range . }}
+{{- $target := .Target -}}
+{{- if (gt (len .Vulnerabilities) 0) }}
+{{- range .Vulnerabilities }}
+"{{- $target | replace "\"" "\"\"" }}","{{- .PkgName | replace "\"" "\"\""}}","{{- .VulnerabilityID | replace "\"" "\"\"" }}","{{- .Vulnerability.Severity | replace "\"" "\"\"" }}","{{- .InstalledVersion | replace "\"" "\"\"" }}","{{- .FixedVersion | replace "\"" "\"\"" }}","{{- .PkgPath | replace "\"" "\"\"" }}",{{- end }}
+{{- end -}}
+{{- end }}

From 5c84af29e33b8b8d5f2442dce08f95d83bd839f0 Mon Sep 17 00:00:00 2001
From: Carson Gee <carson.gee@datarobot.com>
Date: Tue, 18 Apr 2023 08:31:06 -0600
Subject: [PATCH 10/20] Changed column order based on user feedback

---
 contrib/csv.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/contrib/csv.tpl b/contrib/csv.tpl
index bd1406b1be72..ac070531751d 100644
--- a/contrib/csv.tpl
+++ b/contrib/csv.tpl
@@ -1,8 +1,8 @@
-Target,PackageName,VulnerabilityID,Severity,InstalledVersion,FixedVersion,PackagePath
+VulnerabilityID,Severity,PackageName,InstalledVersion,FixedVersion,PackagePath,Target
 {{- range . }}
 {{- $target := .Target -}}
 {{- if (gt (len .Vulnerabilities) 0) }}
 {{- range .Vulnerabilities }}
-"{{- $target | replace "\"" "\"\"" }}","{{- .PkgName | replace "\"" "\"\""}}","{{- .VulnerabilityID | replace "\"" "\"\"" }}","{{- .Vulnerability.Severity | replace "\"" "\"\"" }}","{{- .InstalledVersion | replace "\"" "\"\"" }}","{{- .FixedVersion | replace "\"" "\"\"" }}","{{- .PkgPath | replace "\"" "\"\"" }}",{{- end }}
+"{{- .VulnerabilityID | replace "\"" "\"\"" }}","{{- .Vulnerability.Severity | replace "\"" "\"\"" }}","{{- .PkgName | replace "\"" "\"\""}}","{{- .InstalledVersion | replace "\"" "\"\"" }}","{{- .FixedVersion | replace "\"" "\"\"" }}","{{- .PkgPath | replace "\"" "\"\"" }}","{{- $target | replace "\"" "\"\"" }}",{{- end }}
 {{- end -}}
 {{- end }}

From 8813106b0c7d95c0a6356a324e893195cf897a04 Mon Sep 17 00:00:00 2001
From: Carson Gee <carson.gee@datarobot.com>
Date: Fri, 29 Dec 2023 10:11:15 -0700
Subject: [PATCH 11/20] Added datarobot forked releaser

---
 goreleaser-datarobot.yml | 90 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 goreleaser-datarobot.yml

diff --git a/goreleaser-datarobot.yml b/goreleaser-datarobot.yml
new file mode 100644
index 000000000000..c9e3cf5f37dc
--- /dev/null
+++ b/goreleaser-datarobot.yml
@@ -0,0 +1,90 @@
+project_name: trivy
+builds:
+  - id: build-linux
+    main: cmd/trivy/main.go
+    binary: trivy
+    ldflags:
+      - -s -w
+      - "-extldflags '-static'"
+      - -X github.com/aquasecurity/trivy/pkg/version.ver={{.Version}}
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - 386
+      - arm
+      - amd64
+      - arm64
+    goarm:
+      - 7
+  - id: build-macos
+    main: cmd/trivy/main.go
+    binary: trivy
+    ldflags:
+      - -s -w
+      - "-extldflags '-static'"
+      - -X github.com/aquasecurity/trivy/pkg/version.ver={{.Version}}
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    goarm:
+      - 7
+
+dockers:
+  - image_templates:
+      - "docker.io/datarobotdev/trivy:{{ .Version }}-amd64"
+      - "docker.io/datarobotdev/trivy:latest-amd64"
+    use: buildx
+    goos: linux
+    goarch: amd64
+    ids:
+      - build-linux
+    build_flag_templates:
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.description=A Fast Vulnerability Scanner for Containers"
+      - "--label=org.opencontainers.image.vendor=Aqua Security"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
+      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
+      - "--platform=linux/amd64"
+    extra_files:
+    - contrib/
+  - image_templates:
+      - "docker.io/datarobotdev/trivy:{{ .Version }}-arm64"
+      - "docker.io/datarobotdev/trivy:latest-arm64"
+    use: buildx
+    goos: linux
+    goarch: arm64
+    ids:
+      - build-linux
+    build_flag_templates:
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.description=A Fast Vulnerability Scanner for Containers"
+      - "--label=org.opencontainers.image.vendor=Aqua Security"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
+      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
+      - "--platform=linux/arm64"
+    extra_files:
+    - contrib/
+
+docker_manifests:
+  - name_template: 'datarobotdev/trivy:{{ .Version }}'
+    image_templates:
+    - 'datarobotdev/trivy:{{ .Version }}-amd64'
+    - 'datarobotdev/trivy:{{ .Version }}-arm64'
+  - name_template: 'datarobotdev/trivy:latest'
+    image_templates:
+    - 'aquasec/trivy:{{ .Version }}-amd64'
+    - 'aquasec/trivy:{{ .Version }}-arm64'

From e87c3a44a22db17e40b3c2e6578556e3a847ef6d Mon Sep 17 00:00:00 2001
From: Carson Gee <carson.gee@datarobot.com>
Date: Fri, 29 Dec 2023 11:11:23 -0700
Subject: [PATCH 12/20] Corrected latest manifest

---
 goreleaser-datarobot.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/goreleaser-datarobot.yml b/goreleaser-datarobot.yml
index c9e3cf5f37dc..7331998d483a 100644
--- a/goreleaser-datarobot.yml
+++ b/goreleaser-datarobot.yml
@@ -86,5 +86,5 @@ docker_manifests:
     - 'datarobotdev/trivy:{{ .Version }}-arm64'
   - name_template: 'datarobotdev/trivy:latest'
     image_templates:
-    - 'aquasec/trivy:{{ .Version }}-amd64'
-    - 'aquasec/trivy:{{ .Version }}-arm64'
+    - 'datarobotdev/trivy:{{ .Version }}-amd64'
+    - 'datarobotdev/trivy:{{ .Version }}-arm64'

From aa01e2a4460859762ea22ac869e8e4b7d0c57dfc Mon Sep 17 00:00:00 2001
From: Carson Gee <carson.gee@datarobot.com>
Date: Fri, 29 Dec 2023 18:58:59 -0500
Subject: [PATCH 13/20] Update html.tpl

Upstream dropped Type from report data
---
 contrib/html.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/html.tpl b/contrib/html.tpl
index 8c31ddce4214..bd718507d4a9 100644
--- a/contrib/html.tpl
+++ b/contrib/html.tpl
@@ -89,7 +89,7 @@
     <table>
     {{- range . }}
     <tr class="group-header">
-      <th colspan="7">Target: {{ escapeXML .Target }} &mdash; Type: {{ escapeXML .Type }}</th>
+      <th colspan="7">Target: {{ escapeXML .Target }} &mdash;</th>
     </tr>
       {{- if (eq (len .Vulnerabilities) 0) }}
       <tr><th colspan="7">No Vulnerabilities found</th></tr>

From ca37fe08f6dde2c1cc7ea382b9eb2f0ac2f26f75 Mon Sep 17 00:00:00 2001
From: Dmytro Strelbytskyi <dmytro.strelbytskyi@datarobot.com>
Date: Wed, 14 Feb 2024 19:41:01 +0200
Subject: [PATCH 14/20] Ignore policies from a folder

---
 pkg/flag/report_flags.go |  5 +++++
 pkg/result/filter.go     | 41 ++++++++++++++++++++++++++++++++++++++--
 2 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/pkg/flag/report_flags.go b/pkg/flag/report_flags.go
index ce833cc1b13e..16cbeeecc703 100644
--- a/pkg/flag/report_flags.go
+++ b/pkg/flag/report_flags.go
@@ -65,7 +65,12 @@ var (
 	IgnorePolicyFlag = Flag[string]{
 		Name:       "ignore-policy",
 		ConfigName: "ignore-policy",
+<<<<<<< HEAD
 		Usage:      "specify the Rego file path to evaluate each vulnerability",
+=======
+		Default:    "",
+		Usage:      "specify the Rego file path (or dir path with Rego files) to evaluate each vulnerability",
+>>>>>>> e5b8598a6 (Ignore policies from a folder)
 	}
 	ExitCodeFlag = Flag[int]{
 		Name:       "exit-code",
diff --git a/pkg/result/filter.go b/pkg/result/filter.go
index e1f0e632197e..124d48f3b273 100644
--- a/pkg/result/filter.go
+++ b/pkg/result/filter.go
@@ -3,11 +3,13 @@ package result
 import (
 	"context"
 	"fmt"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"slices"
 	"sort"
 
+	"github.com/open-policy-agent/opa/bundle"
 	"github.com/open-policy-agent/opa/rego"
 	"github.com/samber/lo"
 	"golang.org/x/xerrors"
@@ -70,8 +72,25 @@ func FilterResult(ctx context.Context, result *types.Result, ignoreConf IgnoreCo
 	filterLicenses(result, severities, opt.IgnoreLicenses, ignoreConf)
 
 	if opt.PolicyFile != "" {
-		if err := applyPolicy(ctx, result, opt.PolicyFile); err != nil {
-			return xerrors.Errorf("failed to apply the policy: %w", err)
+		// If the PolicyFile option is a dir find and apply rego files in it
+		var policyFiles []string
+		fi, err := os.Stat(opt.PolicyFile)
+		if err != nil {
+			return xerrors.Errorf("file %q stat error: %w", opt.PolicyFile, err)
+		}
+		if fi.IsDir() {
+			policyFiles, err = findPolicyFiles(opt.PolicyFile)
+			if err != nil {
+				return xerrors.Errorf("failed to find policy files: %w", err)
+			}
+		} else {
+			policyFiles = append(policyFiles, opt.PolicyFile)
+		}
+
+		for _, policyFile := range policyFiles {
+			if err := applyPolicy(ctx, result, opt.PolicyFile); err != nil {
+			    return xerrors.Errorf("failed to apply the policy: %w", err)
+		    }
 		}
 	}
 	sort.Sort(types.BySeverity(result.Vulnerabilities))
@@ -215,6 +234,24 @@ func summarize(status types.MisconfStatus, summary *types.MisconfSummary) {
 	}
 }
 
+func findPolicyFiles(policiesDir string) ([]string, error) {
+	var files []string
+	err := filepath.WalkDir(policiesDir, func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+		if !d.IsDir() && filepath.Ext(path) == bundle.RegoExt {
+			files = append(files, path)
+		}
+		return nil
+	})
+	if err != nil {
+		return files, xerrors.Errorf("walk error %w", err)
+	}
+
+	return files, nil
+}
+
 func applyPolicy(ctx context.Context, result *types.Result, policyFile string) error {
 	policy, err := os.ReadFile(policyFile)
 	if err != nil {

From 0a55f40362e82af1f8369690913921f919a64350 Mon Sep 17 00:00:00 2001
From: Dmytro Strelbytskyi <dmytro.strelbytskyi@datarobot.com>
Date: Thu, 15 Feb 2024 14:13:53 +0200
Subject: [PATCH 15/20] Updated error messages.

---
 pkg/result/filter.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/result/filter.go b/pkg/result/filter.go
index 124d48f3b273..4dec4353854e 100644
--- a/pkg/result/filter.go
+++ b/pkg/result/filter.go
@@ -76,12 +76,12 @@ func FilterResult(ctx context.Context, result *types.Result, ignoreConf IgnoreCo
 		var policyFiles []string
 		fi, err := os.Stat(opt.PolicyFile)
 		if err != nil {
-			return xerrors.Errorf("file %q stat error: %w", opt.PolicyFile, err)
+			return xerrors.Errorf("failed to analyze ignore policy %s: %w", opt.PolicyFile, err)
 		}
 		if fi.IsDir() {
 			policyFiles, err = findPolicyFiles(opt.PolicyFile)
 			if err != nil {
-				return xerrors.Errorf("failed to find policy files: %w", err)
+				return xerrors.Errorf("failed to find policy files in %s: %w", opt.PolicyFile, err)
 			}
 		} else {
 			policyFiles = append(policyFiles, opt.PolicyFile)
@@ -89,7 +89,7 @@ func FilterResult(ctx context.Context, result *types.Result, ignoreConf IgnoreCo
 
 		for _, policyFile := range policyFiles {
 			if err := applyPolicy(ctx, result, opt.PolicyFile); err != nil {
-			    return xerrors.Errorf("failed to apply the policy: %w", err)
+			    return xerrors.Errorf("failed to apply ignore policy %s: %w", policyFile, err)
 		    }
 		}
 	}

From 1de0a03f8d69b440339e607db09c5609dbc9a9ea Mon Sep 17 00:00:00 2001
From: Dmytro Strelbytskyi <dmytro.strelbytskyi@datarobot.com>
Date: Thu, 15 Feb 2024 14:23:10 +0200
Subject: [PATCH 16/20] Added debug logging & merge conflict fix

---
 pkg/flag/report_flags.go |  5 -----
 pkg/result/filter.go     | 12 +++++++++++-
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/pkg/flag/report_flags.go b/pkg/flag/report_flags.go
index 16cbeeecc703..b48087a0df7b 100644
--- a/pkg/flag/report_flags.go
+++ b/pkg/flag/report_flags.go
@@ -65,12 +65,7 @@ var (
 	IgnorePolicyFlag = Flag[string]{
 		Name:       "ignore-policy",
 		ConfigName: "ignore-policy",
-<<<<<<< HEAD
-		Usage:      "specify the Rego file path to evaluate each vulnerability",
-=======
-		Default:    "",
 		Usage:      "specify the Rego file path (or dir path with Rego files) to evaluate each vulnerability",
->>>>>>> e5b8598a6 (Ignore policies from a folder)
 	}
 	ExitCodeFlag = Flag[int]{
 		Name:       "exit-code",
diff --git a/pkg/result/filter.go b/pkg/result/filter.go
index 4dec4353854e..0b92d2af5803 100644
--- a/pkg/result/filter.go
+++ b/pkg/result/filter.go
@@ -15,6 +15,9 @@ import (
 	"golang.org/x/xerrors"
 
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/sbom/core"
+	sbomio "github.com/aquasecurity/trivy/pkg/sbom/io"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/vex"
 )
@@ -71,7 +74,10 @@ func FilterResult(ctx context.Context, result *types.Result, ignoreConf IgnoreCo
 	filterSecrets(result, severities, ignoreConf)
 	filterLicenses(result, severities, opt.IgnoreLicenses, ignoreConf)
 
-	if opt.PolicyFile != "" {
+
+	if opt.PolicyFile != "" && len(result.Vulnerabilities)+len(result.Misconfigurations)+len(result.Secrets)+len(result.Licenses) > 0 {
+		log.Logger.Debugf("Filtering result with ignore policies, type: %s, path: %s", result.Type, result.Target)
+
 		// If the PolicyFile option is a dir find and apply rego files in it
 		var policyFiles []string
 		fi, err := os.Stat(opt.PolicyFile)
@@ -83,11 +89,15 @@ func FilterResult(ctx context.Context, result *types.Result, ignoreConf IgnoreCo
 			if err != nil {
 				return xerrors.Errorf("failed to find policy files in %s: %w", opt.PolicyFile, err)
 			}
+			if len(policyFiles) == 0 {
+				log.Logger.Warnf("No ignore policies found in %s", opt.PolicyFile)
+			}
 		} else {
 			policyFiles = append(policyFiles, opt.PolicyFile)
 		}
 
 		for _, policyFile := range policyFiles {
+            log.Logger.Debugf("Applying ignore policy: %s", policyFile)
 			if err := applyPolicy(ctx, result, opt.PolicyFile); err != nil {
 			    return xerrors.Errorf("failed to apply ignore policy %s: %w", policyFile, err)
 		    }

From e0aed22d696d7964e8bdb05f10a2cde675a487c2 Mon Sep 17 00:00:00 2001
From: Carson Gee <carson.gee@datarobot.com>
Date: Thu, 15 Feb 2024 12:31:32 -0700
Subject: [PATCH 17/20] Added release instructions for DataRobot

---
 DATAROBOT_RELEASE.md | 53 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 DATAROBOT_RELEASE.md

diff --git a/DATAROBOT_RELEASE.md b/DATAROBOT_RELEASE.md
new file mode 100644
index 000000000000..a0a595e3972f
--- /dev/null
+++ b/DATAROBOT_RELEASE.md
@@ -0,0 +1,53 @@
+## How to release our fork
+
+It uses goreleaser: https://goreleaser.com/customization/release/#github
+
+What you need to release?
+
+`GITHUB_TOKEN` set to a GitHub API token that has release permissions
+
+Logged into Docker Hub with a user that has permission to write images to datarobotdev/trivy
+
+Make a tag that represents the version we are "forking".
+
+I typically pick the latest release from the upstream, for example v0.48.3
+
+I would do
+
+```
+git checkout v0.48.3
+git checkout -b u/v0.48.3
+git checkout main_datarobot
+git rebase u/v0.48.3
+git push -f
+git tag v0.48.3-dr1
+git push origin v0.48.3-dr1
+```
+then I'm ready to run the releaser that will build and push everything
+
+To try out the release and make sure it should work:
+
+https://goreleaser.com/quick-start/?h=dry+run#dry-run
+
+
+```
+goreleaser -f goreleaser-datarobot.yml build --clean
+```
+
+Make sure that works then:
+
+```
+goreleaser -f goreleaser-datarobot.yml release --clean
+
+```
+
+You probably will have some docker error:
+
+```
+docker context use default
+```
+should fix it, then run again
+
+
+To update the drone-trivy plugin, just run the main branch build from the harness ui.
+It is built from the latest tag of our forked trivy repo

From f664d3155bc3591f7e3b0280f566b7f0cd3579f2 Mon Sep 17 00:00:00 2001
From: Kristina Trotsko <kristina.trotsko@datarobot.com>
Date: Thu, 15 Feb 2024 23:22:43 +0100
Subject: [PATCH 18/20] fix those stupid indents again

---
 pkg/result/filter.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/result/filter.go b/pkg/result/filter.go
index 0b92d2af5803..b4c649c6082c 100644
--- a/pkg/result/filter.go
+++ b/pkg/result/filter.go
@@ -97,10 +97,10 @@ func FilterResult(ctx context.Context, result *types.Result, ignoreConf IgnoreCo
 		}
 
 		for _, policyFile := range policyFiles {
-            log.Logger.Debugf("Applying ignore policy: %s", policyFile)
+			log.Logger.Debugf("Applying ignore policy: %s", policyFile)
 			if err := applyPolicy(ctx, result, opt.PolicyFile); err != nil {
-			    return xerrors.Errorf("failed to apply ignore policy %s: %w", policyFile, err)
-		    }
+				return xerrors.Errorf("failed to apply ignore policy %s: %w", policyFile, err)
+			}
 		}
 	}
 	sort.Sort(types.BySeverity(result.Vulnerabilities))

From 004625c16d9f0f6dbbe4a8c8b5458ff7251ca5e2 Mon Sep 17 00:00:00 2001
From: Dmytro Strelbytskyi <dmytro.strelbytskyi@datarobot.com>
Date: Fri, 16 Feb 2024 12:17:31 +0200
Subject: [PATCH 19/20] Simplify ignore policies from dir

---
 pkg/result/filter.go | 54 ++++++++++++++++++++++----------------------
 1 file changed, 27 insertions(+), 27 deletions(-)

diff --git a/pkg/result/filter.go b/pkg/result/filter.go
index b4c649c6082c..5bdea9c7db8e 100644
--- a/pkg/result/filter.go
+++ b/pkg/result/filter.go
@@ -74,31 +74,18 @@ func FilterResult(ctx context.Context, result *types.Result, ignoreConf IgnoreCo
 	filterSecrets(result, severities, ignoreConf)
 	filterLicenses(result, severities, opt.IgnoreLicenses, ignoreConf)
 
-
-	if opt.PolicyFile != "" && len(result.Vulnerabilities)+len(result.Misconfigurations)+len(result.Secrets)+len(result.Licenses) > 0 {
+	if opt.PolicyFile != "" {
 		log.Logger.Debugf("Filtering result with ignore policies, type: %s, path: %s", result.Type, result.Target)
 
-		// If the PolicyFile option is a dir find and apply rego files in it
-		var policyFiles []string
-		fi, err := os.Stat(opt.PolicyFile)
+		// Get ignore policy files from the input path (either file or files in dir)
+		policyFiles, err := findPolicyFiles(opt.PolicyFile)
 		if err != nil {
-			return xerrors.Errorf("failed to analyze ignore policy %s: %w", opt.PolicyFile, err)
-		}
-		if fi.IsDir() {
-			policyFiles, err = findPolicyFiles(opt.PolicyFile)
-			if err != nil {
-				return xerrors.Errorf("failed to find policy files in %s: %w", opt.PolicyFile, err)
-			}
-			if len(policyFiles) == 0 {
-				log.Logger.Warnf("No ignore policies found in %s", opt.PolicyFile)
-			}
-		} else {
-			policyFiles = append(policyFiles, opt.PolicyFile)
+			return err
 		}
 
 		for _, policyFile := range policyFiles {
 			log.Logger.Debugf("Applying ignore policy: %s", policyFile)
-			if err := applyPolicy(ctx, result, opt.PolicyFile); err != nil {
+			if err := applyPolicy(ctx, result, policyFile); err != nil {
 				return xerrors.Errorf("failed to apply ignore policy %s: %w", policyFile, err)
 			}
 		}
@@ -244,19 +231,32 @@ func summarize(status types.MisconfStatus, summary *types.MisconfSummary) {
 	}
 }
 
-func findPolicyFiles(policiesDir string) ([]string, error) {
+func findPolicyFiles(policiesPath string) ([]string, error) {
 	var files []string
-	err := filepath.WalkDir(policiesDir, func(path string, d fs.DirEntry, err error) error {
+	fi, err := os.Stat(policiesPath)
+	if err != nil {
+		return nil, xerrors.Errorf("failed to analyze ignore policy %q: %w", policiesPath, err)
+	}
+	// If the ignore policy option is a dir find and apply rego files in it
+	if fi.IsDir() {
+		err := filepath.WalkDir(policiesPath, func(path string, d fs.DirEntry, err error) error {
+			if err != nil {
+				return err
+			}
+			if !d.IsDir() && filepath.Ext(path) == bundle.RegoExt {
+				files = append(files, path)
+			}
+			return nil
+		})
 		if err != nil {
-			return err
+			return nil, xerrors.Errorf("failed to find policy files in %q: %w", policiesPath, err)
 		}
-		if !d.IsDir() && filepath.Ext(path) == bundle.RegoExt {
-			files = append(files, path)
+
+		if len(files) == 0 {
+			log.Logger.Warnf("No ignore policies found in %q", policiesPath)
 		}
-		return nil
-	})
-	if err != nil {
-		return files, xerrors.Errorf("walk error %w", err)
+	} else {
+		files = append(files, policiesPath)
 	}
 
 	return files, nil

From d4590db577389e1d25ffab27b28c122907a39215 Mon Sep 17 00:00:00 2001
From: kristyko <kristina.trotsko@datarobot.com>
Date: Wed, 14 Aug 2024 01:31:43 +0200
Subject: [PATCH 20/20] fix imports and logging after fork update

---
 pkg/result/filter.go | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/pkg/result/filter.go b/pkg/result/filter.go
index 5bdea9c7db8e..18fe75bf0c51 100644
--- a/pkg/result/filter.go
+++ b/pkg/result/filter.go
@@ -16,8 +16,6 @@ import (
 
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/log"
-	"github.com/aquasecurity/trivy/pkg/sbom/core"
-	sbomio "github.com/aquasecurity/trivy/pkg/sbom/io"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/vex"
 )
@@ -75,7 +73,7 @@ func FilterResult(ctx context.Context, result *types.Result, ignoreConf IgnoreCo
 	filterLicenses(result, severities, opt.IgnoreLicenses, ignoreConf)
 
 	if opt.PolicyFile != "" {
-		log.Logger.Debugf("Filtering result with ignore policies, type: %s, path: %s", result.Type, result.Target)
+		log.Debugf("Filtering result with ignore policies, type: %s, path: %s", result.Type, result.Target)
 
 		// Get ignore policy files from the input path (either file or files in dir)
 		policyFiles, err := findPolicyFiles(opt.PolicyFile)
@@ -84,7 +82,7 @@ func FilterResult(ctx context.Context, result *types.Result, ignoreConf IgnoreCo
 		}
 
 		for _, policyFile := range policyFiles {
-			log.Logger.Debugf("Applying ignore policy: %s", policyFile)
+			log.Debugf("Applying ignore policy: %s", policyFile)
 			if err := applyPolicy(ctx, result, policyFile); err != nil {
 				return xerrors.Errorf("failed to apply ignore policy %s: %w", policyFile, err)
 			}
@@ -253,7 +251,7 @@ func findPolicyFiles(policiesPath string) ([]string, error) {
 		}
 
 		if len(files) == 0 {
-			log.Logger.Warnf("No ignore policies found in %q", policiesPath)
+			log.Warnf("No ignore policies found in %q", policiesPath)
 		}
 	} else {
 		files = append(files, policiesPath)