CHANGELOG.md

Changelog

0.57.0 (2024-10-31)

⚠ BREAKING CHANGES

• k8s: support k8s multi container (#7444)

Features

• add end of life date for Ubuntu 24.10 (#7787) (ad3c09e)
• cli: add trivy auth (#7664) (27117f8)
• cli: error out when ignore file cannot be found (#7624) (cb0b3a9)
• cli: rename trivy auth to trivy registry (#7727) (633a7ab)
• cyclonedx: add file checksums to CycloneDX reports (#7507) (c225883)
• db: append errors (#7843) (5e78b6c)
• misconf: export unresolvable field of IaC types to Rego (#7765) (9514148)
• misconf: public network support for Azure Storage Account (#7601) (ad91412)
• misconf: Show misconfig ID in output (#7762) (f75c0d1)
• misconf: ssl_mode support for GCP SQL DB instance (#7564) (2eaa17e)
• parser: ignore white space in pom.xml files (#7747) (a7baa93)
• report: update gitlab template to populate operating_system value (#7735) (c0d79fa)

Bug Fixes

• cli: clean --all deletes only relevant dirs (#7704) (672e886)
• cli: add config name to skip-policy-update alias (#7820) (b661d68)
• db: fix javadb downloading error handling (#7642) (2c87f0c)
• enable usestdlibvars linter (#7770) (57e24aa)
• go: Do not trim v prefix from versions in Go Mod Analyzer (#7733) (e872ec0)
• helm: properly handle multiple archived dependencies (#7782) (6fab88d)
• java: correctly inherit version and scope from upper/root depManagement and dependencies into parents (#7541) (778df82)
• k8s: skip resources without misconfigs (#7797) (7882776)
• k8s: support k8s multi container (#7444) (c434775)
• k8s: support kubernetes v1.31 (#7810) (7a4f4d8)
• license: fix license normalization for Universal Permissive License (#7766) (f6acdf7)
• misconf: change default ACL of digitalocean_spaces_bucket to private (#7577) (9da84f5)
• misconf: check if property is not nil before conversion (#7578) (c8c14d3)
• misconf: fix for Azure Storage Account network acls adaptation (#7602) (35fd018)
• misconf: properly expand dynamic blocks (#7612) (8d5dbc9)
• redhat: include arch in PURL qualifiers (#7654) (a585e95)
• repo: git clone output to Stderr (#7561) (fdf203c)
• report: Fix invalid URI in SARIF report (#7645) (015bb88)
• sbom: add options for DBs in private registries (#7660) (1f2e91b)
• sbom: use Annotation instead of AttributionTexts for SPDX formats (#7811) (f2bb9c6)

0.56.0 (2024-10-03)

Features

• java: add empty versions if pom.xml dependency versions can't be detected (#7520) (b836232)
• license: improve license normalization (#7131) (6472e3c)
• misconf: add ability to disable checks by ID (#7536) (ef0a27d)
• misconf: Register checks only when needed (#7435) (f768d3a)
• misconf: Support --skip-* for all included modules (#7579) (c0e8da3)
• secret: enhance secret scanning for python binary files (#7223) (60725f8)
• support multiple DB repositories for vulnerability and Java DB (#7605) (3562529)
• support RPM archives (#7628) (69bf7e0)
• suse: added SUSE Linux Enterprise Micro support (#7294) (efdb68d)

Bug Fixes

• allow access to '..' in mapfs (#7575) (a8fbe46)
• db: check DownloadedAt for trivy-java-db (#7592) (13ef3e7)
• java: use dependencyManagement from root/child pom's for dependencies from parents (#7497) (5442949)
• license: stop spliting a long license text (#7336) (4926da7)
• misconf: Disable deprecated checks by default (#7632) (82e2adc)
• misconf: disable DS016 check for image history analyzer (#7540) (de40df9)
• misconf: escape all special sequences (#7558) (ea0cf03)
• misconf: Fix logging typo (#7473) (56db43c)
• misconf: Fixed scope for China Cloud (#7560) (37d549e)
• misconf: not to warn about missing selectors of libraries (#7638) (fcaea74)
• oracle: Update EOL date for Oracle 7 (#7480) (dd0a64a)
• report: change a receiver of MarshalJSON (#7483) (927c6e0)
• report: fix error with unmarshal of ExperimentalModifiedFindings (#7463) (7ff9aff)
• sbom: export bom-ref when converting a package to a component (#7340) (5dd94eb)
• sbom: parse type framework as library when unmarshalling CycloneDX files (#7527) (aeb7039)
• secret: change grafana token regex to find them without unquoted (#7627) (3e1fa21)

Performance Improvements

• misconf: use port ranges instead of enumeration (#7549) (1f9fc13)

Reverts

• java: stop supporting of test scope for pom.xml files (#7488) (b0222fe)

0.55.0 (2024-09-03)

⚠ BREAKING CHANGES

• cli: delete deprecated SBOM flags (#7266)

Features

• cli: delete deprecated SBOM flags (#7266) (7024572)
• go: use toolchain as stdlib version for go.mod files (#7163) (2d80769)
• java: add test scope support for pom.xml files (#7414) (2d97700)
• misconf: Add support for using spec from on-disk bundle (#7179) (be86126)
• misconf: ignore duplicate checks (#7317) (9ef05fc)
• misconf: iterator argument support for dynamic blocks (#7236) (fe92072)
• misconf: port and protocol support for EC2 networks (#7146) (98e136e)
• misconf: scanning support for YAML and JSON (#7311) (efdbd8f)
• misconf: support for ignore by nested attributes (#7205) (44e4686)
• misconf: support for policy and bucket grants (#7284) (a817fae)
• misconf: variable support for Terraform Plan (#7228) (db2c955)
• python: use minimum version for pip packages (#7348) (e9b43f8)
• report: export modified findings in JSON (#7383) (7aea79d)
• sbom: set User-Agent header on requests to Rekor (#7396) (af1d257)
• server: add internal --path-prefix flag for client/server mode (#7321) (24a4563)
• server: Make Trivy Server Multiplexer Exported (#7389) (4c6e8ca)
• vm: Support direct filesystem (#7058) (45b3f34)
• vm: support the Ext2/Ext3 filesystems (#6983) (35c60f0)
• vuln: Add --detection-priority flag for accuracy tuning (#7288) (fd8348d)

Bug Fixes

• aws: handle ECR repositories in different regions (#6217) (feaef96)
• flag: incorrect behavior for deprected flag --clear-cache (#7281) (2a0e529)
• helm: explicitly define kind and apiVersion of volumeClaimTemplate element (#7362) (da4ebfa)
• java: Return error when trying to find a remote pom to avoid segfault (#7275) (49d5270)
• license: add license handling to JUnit template (#7409) (f80183c)
• logger initialization before flags parsing (#7372) (c929290)
• misconf: change default TLS values for the Azure storage account (#7345) (aadb090)
• misconf: do not filter Terraform plan JSON by name (#7406) (9d7264a)
• misconf: do not recreate filesystem map (#7416) (3a5d091)
• misconf: do not register Rego libs in checks registry (#7420) (a5aa63e)
• misconf: do not set default value for default_cache_behavior (#7234) (f0ed5e4)
• misconf: fix infer type for null value (#7424) (0cac3ac)
• misconf: init frameworks before updating them (#7376) (b65b32d)
• misconf: load only submodule if it is specified in source (#7112) (a4180bd)
• misconf: support deprecating for Go checks (#7377) (2a6c7ab)
• misconf: use module to log when metadata retrieval fails (#7405) (0799770)
• misconf: wrap Azure PortRange in iac types (#7357) (c5c62d5)
• nodejs: check all importers to detect dev deps from pnpm-lock.yaml file (#7387) (fd9ed3a)
• plugin: do not call GitHub content API for releases and tags (#7274) (b3ee6da)
• report: escape Message field in asff.tpl template (#7401) (dd9733e)
• safely check if the directory exists (#7353) (05a8297)
• sbom: use NOASSERTION for licenses fields in SPDX formats (#7403) (c96dcdd)
• secret: use .eyJ keyword for JWT secret (#7410) (bf64003)
• secret: use only line with secret for long secret lines (#7412) (391448a)
• terraform: add aws_region name to presets (#7184) (bb2e26a)

Performance Improvements

• misconf: do not convert contents of a YAML file to string (#7292) (85dadf5)
• misconf: optimize work with context (#6968) (2b6d8d9)
• misconf: use json.Valid to check validity of JSON (#7308) (c766831)

0.54.0 (2024-07-30)

Features

• add log.FilePath() function for logger (#7080) (1f5f348)
• add openSUSE tumbleweed detection and scanning (#6965) (17b5dbf)
• cli: rename --vuln-type flag to --pkg-types flag (#7104) (7cbdb0a)
• mariner: Add support for Azure Linux (#7186) (5cbc452)
• misconf: enabled China configuration for ACRs (#7156) (d1ec89d)
• nodejs: add license parser to pnpm analyser (#7036) (03ac93d)
• sbom: add image labels into SPDX and CycloneDX reports (#7257) (4a2f492)
• sbom: add vulnerability support for SPDX formats (#7213) (efb1f69)
• share build-in rules (#7207) (bff317c)
• vex: retrieve VEX attestations from OCI registries (#7249) (c2fd2e0)
• vex: VEX Repository support (#7206) (88ba460)
• vuln: add --pkg-relationships (#7237) (5c37361)

Bug Fixes

• Add dependencyManagement exclusions to the child exclusions (#6969) (dc68a66)
• add missing platform and type to spec (#7149) (c8a7abd)
• cli: error on missing config file (#7154) (7fa5e7d)
• close file when failed to open gzip (#7164) (2a577a7)
• dotnet: don't include non-runtime libraries into report for *.deps.json files (#7039) (5bc662b)
• dotnet: show nuget package dir not found log only when checking nuget packages (#7194) (d76feba)
• ignore nodes when listing permission is not allowed (#7107) (25f8143)
• java: avoid panic if deps from pom in it dir are not found (#7245) (4e54a7e)
• java: use go-mvn-version to remove Package duplicates (#7088) (a7a304d)
• misconf: do not evaluate TF when a load error occurs (#7109) (f27c236)
• nodejs: detect direct dependencies when using latest version for files yarn.lock + package.json (#7110) (54bb8bd)
• report: hide empty table when all secrets/license/misconfigs are ignored (#7171) (c3036de)
• secret: skip regular strings contain secret patterns (#7182) (174b1e3)
• secret: trim excessively long lines (#7192) (92b13be)
• secret: update length of hugging-face-access-token (#7216) (8c87194)
• server: pass license categories to options (#7203) (9d52018)

Performance Improvements

• debian: use bytes.Index in emptyLineSplit to cut allocation (#7065) (acbec05)

0.53.0 (2024-07-01)

⚠ BREAKING CHANGES

• k8s: node-collector dynamic commands support (#6861)
• add clean subcommand (#6993)
• aws: Remove aws subcommand (#6995)

Features

• add clean subcommand (#6993) (8d0ae1f)
• Add local ImageID to SARIF metadata (#6522) (f144e91)
• add memory cache backend (#7048) (55ccd06)
• aws: Remove aws subcommand (#6995) (979e118)
• conda: add licenses support for environment.yml files (#6953) (654217a)
• dart: use first version of constraint for dependencies using SDK version (#6239) (042d6b0)
• image: Set User-Agent header for Trivy container registry requests (#6868) (9b31697)
• java: add support for maven-metadata.xml files for remote snapshot repositories. (#6950) (1f8fca1)
• java: add support for sbt projects using sbt-dependency-lock (#6882) (f18d035)
• k8s: node-collector dynamic commands support (#6861) (8d618e4)
• misconf: add metadata to Cloud schema (#6831) (02d5404)
• misconf: add support for AWS::EC2::SecurityGroupIngress/Egress (#6755) (55fa610)
• misconf: API Gateway V1 support for CloudFormation (#6874) (8491469)
• misconf: support of selectors for all providers for Rego (#6905) (bc3741a)
• php: add installed.json file support (#4865) (edc556b)
• plugin: add support for nested archives (#6845) (622c67b)
• sbom: migrate to CycloneDX v1.6 (#6903) (09e50ce)

Bug Fixes

• c: don't skip conan files from file-patterns and scan .conan2 cache dir (#6949) (38b35dd)
• cli: show info message only when --scanners is available (#7032) (e9fc3e3)
• cyclonedx: trim non-URL info for advisory.url (#6952) (417212e)
• debian: take installed files from the origin layer (#6849) (089b953)
• image: parse image.inspect.Created field only for non-empty values (#6948) (0af5730)
• license: return license separation using separators ,, or, etc. (#6916) (52f7aa5)
• misconf: fix caching of modules in subdirectories (#6814) (0bcfedb)
• misconf: fix parsing of engine links and frameworks (#6937) (ec68c9a)
• misconf: handle source prefix to ignore (#6945) (c3192f0)
• misconf: parsing numbers without fraction as int (#6834) (8141a13)
• nodejs: fix infinite loop when package link from package-lock.json file is broken (#6858) (cf5aa33)
• nodejs: fix infinity loops for pnpm with cyclic imports (#6857) (7d083bc)
• plugin: respect --insecure (#7022) (3d02a31)
• purl: add missed os types (#6955) (2d85a00)
• python: compare pkg names from poetry.lock and pyproject.toml in lowercase (#6852) (faa9d92)
• sbom: don't overwrite srcEpoch when decoding SBOM files (#6866) (04af59c)
• sbom: fix panic when scanning SBOM file without root component into SBOM format (#7051) (3d4ae8b)
• sbom: take pkg name from purl for maven pkgs (#7008) (a76e328)
• sbom: use purl for bitnami pkg names (#6982) (7eabb92)
• sbom: use package UIDs for uniqueness (#7042) (14d71ba)
• secret: Asymmetric Private Key shouldn't start with space (#6867) (bb26445)
• suse: Add SLES 15.6 and Leap 15.6 (#6964) (5ee4e9d)
• use embedded when command path not found (#7037) (137c916)

0.52.0 (2024-06-03)

Features

• Add Julia language analyzer support (#5635) (fecafb1)
• add support for plugin index (#6674) (26faf8f)
• misconf: Add support for deprecating a check (#6664) (88702cf)
• misconf: add Terraform 'removed' block to schema (#6640) (b7a0a13)
• misconf: register builtin Rego funcs from trivy-checks (#6616) (7c22ee3)
• misconf: resolve tf module from OpenTofu compatible registry (#6743) (ac74520)
• misconf: support for VPC resources for inbound/outbound rules (#6779) (349caf9)
• misconf: support symlinks inside of Helm archives (#6621) (4eae37c)
• nodejs: add v9 pnpm lock file support (#6617) (1e08648)
• plugin: specify plugin version (#6683) (d6dc567)
• python: add license support for requirement.txt files (#6782) (29615be)
• python: add line number support for requirement.txt files (#6729) (2bc54ad)
• report: Include licenses and secrets filtered by rego to ModifiedFindings (#6483) (fa3cf99)
• vex: improve relationship support in CSAF VEX (#6735) (a447f6b)
• vex: support non-root components for products in OpenVEX (#6728) (9515695)

Bug Fixes

• clean up golangci lint configuration (#6797) (62de6f3)
• cli: always output fatal errors to stderr (#6827) (c2b9132)
• close APKINDEX archive file (#6672) (5caf437)
• close settings.xml (#6768) (9c3e895)
• close testfile (#6830) (aa0c413)
• conda: add support pip deps for environment.yml files (#6675) (150a773)
• go: add only non-empty root modules for gobinaries (#6710) (c96f2a5)
• go: include only .version|.ver (no prefixes) ldflags for gobinaries (#6705) (afb4f9d)
• Golang version parsing from binaries w/GOEXPERIMENT (#6696) (696f2ae)
• include packages unless it is not needed (#6765) (56dbe1f)
• misconf: don't shift ignore rule related to code (#6708) (39a746c)
• misconf: skip Rego errors with a nil location (#6638) (a2c522d)
• misconf: skip Rego errors with a nil location (#6666) (a126e10)
• node-collector high and critical cves (#6707) (ff32deb)
• plugin: initialize logger (#6836) (728e77a)
• python: add package name and version validation for requirements.txt files. (#6804) (ea3a124)
• report: hide empty tables if all vulns has been filtered (#6352) (3d388d8)
• sbom: fix panic for convert mode when scanning json file derived from sbom file (#6808) (f92ea09)
• use of specified context to obtain cluster name (#6645) (39ebed4)

Performance Improvements

• misconf: parse rego input once (#6615) (67c6b1d)