v0.17.0

[aqua-bot]

💔 BREAKING CHANGES 💔

Change the way --skip-dirs and --skip-files are specified

Before: comma-separated

trivy image --skip-dirs "/usr/lib/ruby/gems,/etc" fluent/fluentd:edge

After: repeat options

trivy image --skip-dirs /usr/lib/ruby/gems --skip-dirs "/etc" fluent/fluentd:edge

🚀 What's new? 🚀

Support JAR/WAR/EAR files ☕

Trivy looks for all Java archives such as JAR, WAR, and EAR on container images and filesystems to detect vulnerabilities. Be aware that Trivy may be calling HTTP API to detect artifactId and groupId from those files. In other words, it doesn't work under air-gapped environment.Also, they take time, and as a result, your scan may time out. In that case, increase the value of the --timeout option.

$ trivy image --timeout 10m --vuln-type library --severity CRITICAL jenkins:2.60.3-alpine
2021-04-30T03:27:54.165+0900    INFO    Detecting jar vulnerabilities...

usr/share/jenkins/jenkins.war
=============================
Total: 6 (CRITICAL: 6)

+---------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------+
|                LIBRARY                | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                  TITLE                  |
+---------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------+
| commons-fileupload:commons-fileupload | CVE-2016-1000031 | CRITICAL | 1.3.1-jenkins-1   | 1.3.3                          | Apache Commons FileUpload:              |
|                                       |                  |          |                   |                                | DiskFileItem file manipulation          |
|                                       |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2016-1000031 |
+---------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------+
| org.eclipse.jetty:jetty-client        | CVE-2017-7657    |          | 9.2.15.v20160210  | 9.2.26.v20180806,              | jetty: HTTP request smuggling           |
|                                       |                  |          |                   | 9.3.24.v20180605,              | -->avd.aquasec.com/nvd/cve-2017-7657    |
|                                       |                  |          |                   | 9.4.11.v20180605               |                                         |
+---------------------------------------+                  +          +                   +--------------------------------+                                         +
| org.eclipse.jetty:jetty-server        |                  |          |                   | 9.3.24.v20180605,              |                                         |
|                                       |                  |          |                   | 9.2.25.v20180606               |                                         |
+                                       +------------------+          +                   +--------------------------------+-----------------------------------------+
|                                       | CVE-2017-7658    |          |                   | 9.4.11.v20180605,              | jetty: Incorrect header handling        |
|                                       |                  |          |                   | 9.3.24.v20180605,              | -->avd.aquasec.com/nvd/cve-2017-7658    |
|                                       |                  |          |                   | 9.2.25.v20180606               |                                         |
+---------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------+
| org.springframework:spring-core       | CVE-2018-1270    |          | 2.5.6.SEC03       | 4.3.16, 5.0.5                  | spring-framework: Possible              |
|                                       |                  |          |                   |                                | RCE via spring messaging                |
|                                       |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-1270    |
+                                       +------------------+          +                   +--------------------------------+-----------------------------------------+
|                                       | CVE-2018-1275    |          |                   | 5.0.5, 4.3.16                  | spring-framework: Address               |
|                                       |                  |          |                   |                                | partial fix for CVE-2018-1270           |
|                                       |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-1275    |
+---------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------+

Currently, even if the --skip-dirs or --skip-files option is specified, all Java archives are detected. If your scan target has a lot of JAR/WAR/EAR files, it will take a long time. --skip-dirs and --skip-files will be improved in the near future.

Support Go binaries 🦍

Trivy looks for all binaries built by Go on container images and filesystems to detect known vulnerabilities. It works properly even if your image is built on scratch and go.sum is not present in the container image.

$ docker build -t test-image - <<EOF
FROM golang:1.13 as builder
RUN curl -sL https://github.com/aquasecurity/trivy/archive/refs/tags/v0.9.0.tar.gz | tar zx -C ./
RUN cd trivy-0.9.0 &&  CGO_ENABLED=0 go build -o trivy cmd/trivy/main.go

FROM scratch
COPY --from=builder /go/trivy-0.9.0/trivy /usr/local/bin/trivy
ENTRYPOINT ["trivy"]
EOF
...
Successfully built b79da5579cfd
Successfully tagged test-image:latest

$ trivy image test-image
2021-04-30T04:57:06.245+0900    INFO    Detecting gobinary vulnerabilities...

usr/local/bin/trivy
===================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|      LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| golang.org/x/text | CVE-2020-14040   | HIGH     | v0.3.2            | v0.3.3        | golang.org/x/text: possibility        |
|                   |                  |          |                   |               | to trigger an infinite loop in        |
|                   |                  |          |                   |               | encoding/unicode could lead to...     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14040 |
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+

go.sum will be also supported shortly.

Go scanning currently depends on GitLab Community Advisories. After integrating The Go Vulnerability Database into Trivy DB, the accuracy would be even better. Watch this issue.

Support plugins 🔌

Trivy provides a plugin feature to allow others to extend the Trivy CLI without the need to change the Trivy code base.

$ trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl
$ trivy kubectl deployment <deployment-id> -- --ignore-unfixed --severity CRITICAL

You will find an example here.

For more detail: https://aquasecurity.github.io/trivy/v0.17.0/plugins/

Support Sprig functions in template

Sprig functions can be used in custom templates.

$ trivy image --format template --template '{{- $critical := 0 }}{{- $high := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- if  eq .Severity "CRITICAL" }}{{- $critical = add $critical 1 }}{{- end }}{{- if  eq .Severity "HIGH" }}{{- $high = add $high 1 }}{{- end }}{{- end }}{{- end }}Critical: {{ $critical }}, High: {{ $high }}' golang:1.12-alpine

For more detai: https://aquasecurity.github.io/trivy/v0.17.0/examples/report/#custom-template

Publish official images in ECR Public Gallery

Official images are available in ECR Public Gallery now.

https://gallery.ecr.aws/aquasecurity/trivy

Publish arm64 images

In addition to amd64 images, arm64 images are published now.

• Docker Hub
• ECR Public Gallery
• GitHub Container Registry

Publish Apple M1 binary 🍎

trivy_0.17.0_macOS-ARM64.tar.gz is available now.

Publish Helm Chart ☸️

helm repo add aquasecurity https://aquasecurity.github.io/helm-charts/
helm repo update
helm search repo trivy
helm install my-trivy aquasecurity/trivy

For more detail: https://aquasecurity.github.io/trivy/v0.17.0/installation/#helm

Release the document site 📝

https://aquasecurity.github.io/trivy/latest/

🐞 Bug fixes 🐛

Fix compatibility for Jenkins xunit plugin (#820)

Remove SARIF helpUri if empty (#845)

Allow the latest tag (#864)

Add package name in ruleID (#913)

Fix JUnit template for AWS CodeBuild compatibility (#904)

Changelog

https://github.com/aquasecurity/trivy/releases/tag/v0.17.0

Docker images

• docker pull aquasec/trivy:0.17.0
• docker pull ghcr.io/aquasecurity/trivy:0.17.0
• docker pull public.ecr.aws/aquasecurity/trivy:0.17.0
• docker pull aquasec/trivy:latest
• docker pull ghcr.io/aquasecurity/trivy:latest
• docker pull public.ecr.aws/aquasecurity/trivy:latest

---

This discussion was created from the release v0.17.0.

[knqyf263]

I hope you enjoy this release! ⚡️

[malanvaneck]

Thanks @knqyf263, Tested the docker image scan, and it's super!
Would the scanning of Java repositories follow soon after?

[knqyf263]

Do you mean pom.xml scanning?

[malanvaneck]

Yes,
Like the examples on the Wiki page:
trivy repo https://Git_repo/Project_with_Pom/

[knqyf263]

I'm sorry for the late reply. It will be supported soon.

[malanvaneck]

Thanks a million Sir

[Johannestegner]

Very nice! The go binary detection, does it handle stripped binaries as well or is the metadata required? :)

[knqyf263]

Yes, it works even if you apply strip. It also works with -ldflags '-w -s'. On the other hand, it doesn't work with upx.

[Johannestegner]

That is awesome, will remember to run the scan before upx in the cases where I use it! :)

Good job with the release, nice one :)

[tao12345666333]

Great! 👍