Do Not Merge ... Lib difs

.github/dependabot.yml

@@ -1,15 +1,10 @@
 version: 2
 updates:
-  - package-ecosystem: github-actions
-    directory: /
-    schedule:
-      interval: monthly
-  - package-ecosystem: docker
-    directory: /
-    schedule:
-      interval: monthly
-  - package-ecosystem: gomod
-    open-pull-requests-limit: 10
-    directory: /
-    schedule:
-      interval: monthly
+- package-ecosystem: github-actions
+  directory: /
+  schedule:
+    interval: daily
+- package-ecosystem: docker
+  directory: /
+  schedule:
+    interval: daily

.github/workflows/mkdocs-dev.yaml

@@ -16,7 +16,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v2
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/mkdocs-latest.yaml

@@ -18,7 +18,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v2
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/publish-chart.yaml

@@ -31,12 +31,12 @@ jobs:
         with:
           version: v3.5.0
       - name: Set up python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@0066b88440aa9562be742e2c60ee750fc57d8849 #v2.3.0
         with:
           python-version: 3.7
       - name: Setup Chart Linting
         id: lint
-        uses: helm/chart-testing-action@6b64532d456fa490a3da177fbd181ac4c8192b58 #v2.1.0
+        uses: helm/chart-testing-action@5f16c27cf7a4fa9c776ff73734df3909b2b65127 #v2.1.0
       - name: Setup Kubernetes cluster (KIND)
         uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 #v1.2.0
         with:
@@ -46,7 +46,7 @@ jobs:
         run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
       - name: Run chart-testing (Ingress enabled)
         run: |
-          sed -i -e '117s,false,'true',g' ./helm/trivy/values.yaml
+          sed -i -e '97s,false,'true',g' ./helm/trivy/values.yaml
           ct lint-and-install --validate-maintainers=false --charts helm/trivy
 
   publish-chart:

.github/workflows/release.yaml

@@ -4,24 +4,19 @@ on:
     tags:
       - "v*"
 env:
-  GO_VERSION: "1.18"
+  GO_VERSION: "1.17"
   GH_USER: "aqua-bot"
 jobs:
   release:
     name: Release
     runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
-    permissions:
-      id-token: write # For cosign
-      packages: write # For GHCR
-      contents: read  # Not required for public repositories, but for clarity
     steps:
       - name: Install dependencies
         run: |
           sudo apt-get -y update
           sudo apt-get -y install rpm reprepro createrepo distro-info
-      - uses: sigstore/cosign-installer@51f8e5c6fce54e46006ae97d73b2b6315f518752 # [email protected]
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
       - name: Set up Docker Buildx
@@ -69,7 +64,7 @@ jobs:
       - name: Release
         uses: goreleaser/goreleaser-action@v2
         with:
-          version: v1.4.1
+          version: v0.183.0
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}

.github/workflows/scan.yaml

@@ -1,23 +1,25 @@
-name: Scan vulnerabilities
-on:
-  schedule:
-    - cron: '0 0 * * *'
-  workflow_dispatch:
-
+name: Scan
+on: [push, pull_request]
 jobs:
   build:
     name: Scan Go vulnerabilities
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-18.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
 
-      - name: Run Trivy vulnerability scanner and create GitHub issues
-        uses: knqyf263/[email protected]
+      - name: Run Trivy vulnerability scanner to scan for Critical Vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          exit-code: '1'
+          severity: 'CRITICAL'
+          skip-dirs: integration
+
+      - name: Run Trivy vulnerability scanner to scan for Medium and High Vulnerabilities
+        uses: aquasecurity/trivy-action@master
         with:
-          assignee: knqyf263
-          severity: CRITICAL
-          skip-dirs: integration,examples
-          label: vulnerability
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          scan-type: 'fs'
+          exit-code: '0'
+          severity: 'HIGH,MEDIUM'
+          skip-dirs: integration

.github/workflows/test.yaml

@@ -10,7 +10,7 @@ on:
       - 'LICENSE'
   pull_request:
 env:
-  GO_VERSION: "1.18"
+  GO_VERSION: "1.17"
 jobs:
   test:
     name: Test
@@ -24,9 +24,9 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Lint
-        uses: golangci/golangci-lint-action@v3.1.0
+        uses: golangci/golangci-lint-action@v2
         with:
-          version: v1.45
+          version: v1.41
           args: --deadline=30m
 
       - name: Run unit tests
@@ -75,7 +75,7 @@ jobs:
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v2
       with:
-        version: v1.4.1
+        version: v0.183.0
         args: release --snapshot --rm-dist --skip-publish
 
   build-documents:
@@ -87,7 +87,7 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: true
-    - uses: actions/setup-python@v3
+    - uses: actions/setup-python@v2
       with:
         python-version: 3.x
     - name: Install dependencies

.gitignore

@@ -4,7 +4,7 @@
 *.dll
 *.so
 *.dylib
-/trivy
+trivy
 
 ## chart release
 .cr-release-packages

.golangci.yaml

@@ -9,7 +9,7 @@ linters-settings:
   revive:
     ignore-generated-header: true
   gocyclo:
-    min-complexity: 20
+    min-complexity: 10
   dupl:
     threshold: 100
   goconst:
@@ -19,10 +19,6 @@ linters-settings:
     locale: US
   goimports:
     local-prefixes: github.com/aquasecurity
-  gosec:
-    excludes:
-      - G204
-      - G402
 
 linters:
   disable-all: true
@@ -44,7 +40,6 @@ linters:
     - misspell
 
 run:
-  go: 1.18
   skip-files:
     - ".*._mock.go$"
     - ".*._test.go$"
@@ -58,6 +53,9 @@ issues:
     - linters:
         - gosec
       text: "Deferring unsafe method"
+    - linters:
+        - gosec
+      text: "G204: Subprocess launched with variable"
     - linters:
         - errcheck
       text: "Close` is not checked"

CONTRIBUTING.md

@@ -9,89 +9,14 @@ Thank you for taking interest in contributing to Trivy!
 ## Pull Requests
 
 1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
-4. Please add the associated Issue link in the PR description.
-2. Your PR is more likely to be accepted if it focuses on just one change.
-5. There's no need to add or tag reviewers.
-6. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
-7. Please include a comment with the results before and after your change.
-8. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
-9. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
-
-### Title
-It is not that strict, but we use the title conventions in this repository.
-Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
-
-#### Format of the title
-
-```
-<type>(<scope>): <subject>
-```
-
-The `type` and `scope` should always be lowercase as shown below.
-
-**Allowed `<type>` values:**
-  - **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
-  - **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
-  - **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
-  - **docs** for changes to the documentation.
-  - **style** for formatting changes, missing semicolons, etc.
-  - **refactor** for refactoring production code, e.g. renaming a variable.
-  - **test** for adding missing tests, refactoring tests; no production code change.
-  - **build** for updating build configuration, development tools or other changes irrelevant to the user.
-  - **chore** for updates that do not apply to the above, such as dependency updates.
-
-**Example `<scope>` values:**
-- alpine
-- redhat
-- ruby
-- python
-- terraform
-- report
-- etc.
-
-The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
-
-#### Example titles
-
-```
-feat(alma): add support for AlmaLinux
-```
-
-```
-fix(oracle): handle advisories with ksplice versions
-```
-
-```
-docs(misconf): add comparison with Conftest and TFsec
-```
-
-```
-chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
-```
-
-**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
-The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
-
-### Unit tests
-Your PR must pass all the unit tests. You can test it as below.
-
-```
-$ make test
-```
-
-### Integration tests
-Your PR must pass all the integration tests. You can test it as below.
-
-```
-$ make test-integration
-```
-
-### Documentation
-You can build the documents as below and view it at http://localhost:8000.
-
-```
-$ make mkdocs-serve
-```
+1. Your PR is more likely to be accepted if it focuses on just one change.
+1. Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that starts with "fix"/"add"/"improve"/"remove" are good examples.
+1. Please add the associated Issue in the PR description.
+1. There's no need to add or tag reviewers.
+1. If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
+1. Please include a comment with the results before and after your change.
+1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
+1. If your PR affects the user experience in some way, please update the Readme and the CLI help accordingly.
 
 ## Understand where your pull request belongs
 
@@ -100,5 +25,4 @@ Trivy is composed of several different repositories that work together:
 - [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
 - [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo** 
 - [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
-- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
 - [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information from containers. It is being used by Trivy to find testable subjects in the container image.

Makefile

@@ -54,13 +54,7 @@ build:
 
 .PHONY: protoc
 protoc:
-	docker build -t trivy-protoc - < Dockerfile.protoc
-	docker run --rm -it -v ${PWD}:/app -w /app trivy-protoc make _$@
-
-_protoc:
-	for path in `find ./rpc/ -name "*.proto" -type f`; do \
-		protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative $${path} || exit; \
-	done
+	find ./rpc/ -name "*.proto" -type f -exec protoc --proto_path=$(GOSRC):. --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative {} \;
 
 .PHONY: install
 install:

README.md

@@ -165,7 +165,7 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 # Features
 
 - Comprehensive vulnerability detection
-  - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+  - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
   - **Language-specific packages** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
 - Misconfiguration detection (IaC scanning) 
   - A wide variety of built-in policies are provided **out of the box**
@@ -185,8 +185,6 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
   - **Suitable for CI** such as GitHub Actions, Jenkins, GitLab CI, etc.
 - Support multiple targets
   - container image, local filesystem and remote git repository
-- Supply chain security (SBOM support)
-  - Support CycloneDX
 
 # Integrations
 - [GitHub Actions][action]