v0.63.0

[aqua-bot]

📑 Table of Contents

• 🚀 What's new? 🚀
  • 🏷️ Check for updates and telemetry 🆔
  • 🏝️ Detect licenses in Go vendored modules 🏴‍☠️
  • 🍶 Bottlerocket OS support 🚀
  • 🎚️ Echo OS support 🧩
  • 💽 MinimOS OS support ⛏️
  • 🍔 Bun support ↕️
  • 📜 Composite licenses classification 📝
  • 🗃️ Free-text license classification 📃
  • 🛰️ Checks can declare compatible Trivy version 🧑🏽‍🎤
  • 📦 Terraform raw scanning 🔍
  • 🛠️ Misconfiguration details in JUnit format 🧪
  • 🗂️ New trusted registries check 🧹
• 👷‍♂️ Notable Fixes 🛠️

🚀 What's new? 🚀

🏷️ Check for updates and telemetry 🆔

Trivy now checks for updates which includes newer versions, breaking changes, deprecation notices, and other important information. Messages are displayed along with scan results.
Trivy also now collects telemetry in order to improve the product experience.
Both new features can be disabled using the flags: --disable-telemetry, --skip-version-check.
More background and context in the following discussions: #8675 #8645

🏝️ Detect licenses in Go vendored modules 🏴‍☠️

Trivy now scans the vendor directory in Go projects to detect licenses for modules vendored via go mod vendor, ensuring license detection even when modules are not in the default cache directory.

Thanks to @oneum20

🍶 Bottlerocket OS support 🚀

Trivy now supports Bottlerocket operating system. Currently, only SBOM generation is supported without vulnerability scanning. See here for more details.

Thanks to @0intro

🎚️ Echo OS support 🧩

Trivy now supports Echo operating system. See here for more details.

Thanks to @orizerah

💽 MinimOS OS support ⛏️

Trivy now supports MinimOS operating system. See here for more details.

Thanks to @Daniel-Wachter

🍔 Bun support ↕️

Trivy now supports scanning Javascript projects managed with Bun package manger. See here for more details.

Thanks to @sneaky-potato

📜 Composite licenses classification 📝

Trivy now correctly identifies license category and severity for compound licenses (e.g dual-licence).
Licenses composited with OR operator will be classified following the least severe license, while licenses composited with AND operator will be classified following the most severe license.

Thanks to @JonatanLindstrom

🗃️ Free-text license classification 📃

You can now classify licenses by matching a free-text expression or regular expression, using the new text:// prefix in the license classification configuration file.

For example:

license:
  permissive:
    - "text://Text of Apache Software Foundation License"
  forbidden:
    - "text://.* commercial .*"

See here for more details.

🛰️ Checks can declare compatible Trivy version 🧑🏽‍🎤

Trivy misconfiguration check authors can now declare the minimum required Trivy version for the check. Since checks are updated and distributed seperately from Trivy, it's possible that a newer check is evaluated by an older Trivy scanner, and this check might depend on newer input schema (i.e lookup an field which isn't there) which the older scanner doesn't support. Previously Trivy silentrly failed those checks, with this recent addition, Trivy will know to skip those checks which it cannot evaluate.

For example, the following check will be enabled only for Trivy versions 1.2.3 and above:

#  METADATA
# title: "some title"
# description: "some description"
# scope: package
# schemas:
# - input: schema["input"]
# custom:
#   minimum_trivy_version: "1.2.3"
package builtin.foo.ABC123
deny {
    input.evil
}

📦 Terraform raw scanning 🔍

Terraform misconfiguration checks now have access to the raw Terraform code, enabling more flexible and powerful checks.
This feature is disabled by default, and can be enabled with the new --raw-config-scanners=terraform flag, and specifying the terraform-raw input selector in the check metadata. When enabled, the raw terraform code is available under the input document which follows the schema: https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/terraform-raw.json

Example check:

# METADATA
# title: Use write-only arguments
# related_resources:
# - https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments
# schemas:
# - input: schema["terraform-raw"]
# custom:
#   id: TF_003
#   short_code: wo-arguments
#   severity: HIGH
#   input:
#     selector:
#     - type: terraform-raw
package user.tf_wo_args

import rego.v1

resources_to_check := {
	"aws_db_instance": ["password", "password_wo"],
	"aws_docdb_cluster": ["master_password", "master_password_wo"],
}

deny contains res if {
	some block in input.modules[_].blocks
	block.kind == "resource"
	[original, alternative] := resources_to_check[block.type]
	attr := block.attributes[original]
	res := result.new(
		sprintf("%q is not a write-only argument. Use the write-only alternative %q", [original, alternative]),
		attr,
	)
}

Example config:

variable "password" {}

resource "aws_db_instance" "test" {
  instance_class       = "db.t3.micro"
  password             = var.password
}

Output:

❯ ./trivy conf main.tf --check-namespaces user --config-check write-only-args.rego --raw-config-scanners terraform -q

Report Summary

┌─────────┬───────────┬───────────────────┐
│ Target  │   Type    │ Misconfigurations │
├─────────┼───────────┼───────────────────┤
│ .       │ terraform │         0         │
├─────────┼───────────┼───────────────────┤
│ main.tf │ terraform │         5         │
└─────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


main.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 5)
Failures: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

 (HIGH): "password" is not a write-only argument. Use the write-only alternative "password_wo"
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════


See https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:5
   via main.tf:3-6 (aws_db_instance.test)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3   resource "aws_db_instance" "test" {
   4     instance_class       = "db.t3.micro"
   5 [   password             = var.password
   6   }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
...

🛠️ Misconfiguration details in JUnit format 🧪

The JUnit format now includes enhanced details for each misconfiguration: the file path and location of the issue, a list of all occurrences, and a relevant code snippet.

Example:

🗂️ New trusted registries check 🧹

Checks KSV032, KSV033, KSV034, and KSV035, which validated image sources against trusted registries, have been deprecated and merged into a single check: KSV0125. The new check allows you to customize the list of trusted registries using Trivy data file:

ksv0125:
  trusted_registries:
    - docker.io
    ...
    - mycompany.io

👷‍♂️ Notable Fixes 🛠️

• fix(checks): Separate out unrestricted S3 checks trivy-checks#409
• feat(checks): Improve AVD-AWS-0345 #8752
• fix(checks): False positive for AVD-KSV-0033 and AVD-KSV-0035 when using Azure CR #8728
• fix(checks): AVD-AWS-0097 not triggered by "SQS:*" #8879
• fix(analyzer): enhance StaticPaths method for post-analyzers #8905
• bug(cli): unable to use custom compliance files with --compliance flag #8876
• fix(gradle): exclude development dependencies #8755 Thanks to @sneaky-potato
• fix: julia parser panicing #8883 Thanks to @SuperSandro2000
• bug(redhat): Trivy doesn't add contentSets for packages in fs/vm modes #8819
• fix(redhat): trim invalid suffix from content_sets in manifest parsing #8818
• bug(rpc): relationship field is missing #8871
• bug(vex): Panic on scanning images with absent vex attestations. #8857
• fix(secret): set minimal number of characters for AsymmetricPrivateKey #7700
• fix(redhat): Also try to find buildinfo in root layer (layer 0) #8924 Thanks to Romain-Geissler-1A
• feat(wolfi): support new APK database location in /usr/lib/apk #8936
• bug(julia): problem with SBOM relationships, because julia packages don't support Relationship field #8938

[rwe-dtroup]

With the new telemetry and version checks, are they only for specific tests or will telemetry be collected for any run? I've tried to use it for config, but it throws an error stating that this is not a flag. Very possible I'm missing something.

$ trivy config ./ --disable-telemetry
...
FATAL   Fatal error     unknown flag: --disable-telemetry

[knqyf263]

It was missing and fixed, but the new version has not been released yet.
#8950