Releases: aquasecurity/trivy
v0.36.0
Changelog
- 4813cf5 docs: improve compliance docs (#3340)
- 025e509 feat(deps): add yarn lock dependency tree (#3348)
- 4d59a1e fix: compliance change id and title naming (#3349)
- eaa5bcf feat: add support for mix.lock files for elixir language (#3328)
- a888440 feat: add k8s cis bench (#3315)
- 62b369e test: disable SearchLocalStoreByNameOrDigest test for non-amd64 arch (#3322)
- c110c4e revert: cache merged layers (#3334)
- bc759ef feat(cyclonedx): add recommendation (#3336)
- fe3831e feat(ubuntu): added support ubuntu ESM versions (#1893)
- b0cebec fix: change logic to build relative paths for skip-dirs and skip-files (#3331)
- a66d3fe chore(deps): bump github.com/hashicorp/golang-lru from 0.5.4 to 2.0.1 (#3265)
- 5190f95 feat: Adding support for Windows testing (#3037)
- b00f3c6 feat: add support for Alpine 3.17 (#3319)
- a70f885 docs: change PodFile.lock to Podfile.lock (#3318)
- 1ec1fe6 fix(sbom): support for the detection of old CycloneDX predicate type (#3316)
- 68eda79 feat(secret): Use .trivyignore for filtering secret scanning result (#3312)
- b95d435 chore(go): remove experimental FS API usage in Wasm (#3299)
- ac6b7c3 ci: add workflow to add issues to roadmap project (#3292)
- cfabdf9 fix(vuln): include duplicate vulnerabilities with different package paths in the final report (#3275)
- 56e3d8d chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#3250)
- bbccb44 feat(sbom): better support for third-party SBOMs (#3262)
- e879b06 docs: add information about languages with support for dependency locations (#3306)
- e92266f feat(vm): add `region` option to vm scan to be able to scan any region's ami and ebs snapshots (#3284)
- 01c7fb1 chore(deps): bump github.com/Azure/azure-sdk-for-go from 66.0.0+incompatible to 67.1.0+incompatible (#3251)
- 23d0613 fix(vuln): change severity vendor priority for ghsa-ids and vulns from govuln (#3255)
- 407c240 docs: remove comparisons (#3289)
- 93c5d2d feat: add support for Wolfi Linux (#3215)
- 2809794 ci: add go.mod to canary workflow (#3288)
- 08b55c3 feat(python): skip dev dependencies (#3282)
- 52300e6 chore: update ubuntu version for Github action runners (#3257)
- a7ac6ac fix(go): skip dep without Path for go-binaries (#3254)
- 4436a20 feat(rust): add ID for cargo pkgs (#3256)
- 34d505a chore(deps): bump github.com/samber/lo from 1.33.0 to 1.36.0 (#3263)
- ea95602 chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#3253)
- aea298b feat: add support for swift cocoapods lock files (#2956)
- c67fe17 fix(sbom): use proper constants (#3286)
- f907255 chore(deps): bump golang.org/x/term from 0.1.0 to 0.3.0 (#3278)
- 8f95743 test(vm): import relevant analyzers (#3285)
- 8744534 feat: support scan remote repository (#3131)
- c278d86 docs: fix typo in fluxcd (#3268)
- fa2281f docs: fix broken "ecosystem" link in readme (#3280)
- a3eece4 feat(misconf): Add compliance check support (#3130)
- 7a6cf5a docs: Adding Concourse resource for trivy (#3224)
- dd26bd2 chore(deps): change golang from 1.19.2 to 1.19 (#3249)
- cbba6d1 fix(sbom): duplicate dependson (#3261)
- fa2e3ac chore(deps): bump alpine from 3.16.2 to 3.17.0 (#3247)
- 5c43475 chore(go): updates wazero to 1.0.0-pre.4 (#3242)
- d29b0ed feat(report): add dependency locations to sarif format (#3210)
- 967e32f fix(rpm): add rocky to osVendors (#3241)
- 9477416 docs: fix a typo (#3236)
- 97ce61e feat(dotnet): add dependency parsing for nuget lock files (#3222)
- 17e13c4 docs: add pre-commit hook to community tools (#3203)
- b1a2c4e feat(helm): pass arbitrary env vars to trivy (#3208)
v0.35.0
Changelog
- bd30e98 chore(vm): update xfs filesystem parser for change log (#3230)
- 22d92e4 feat: add virtual machine scan command (#2910)
- 531eaa8 docs: reorganize index and readme (#3026)
- 8569d43 fix: `slowSizeThreshold` should be less than `defaultSizeThreshold` (#3225)
- 604a73d feat: Export functions for trivy plugin (#3204)
- 7594b1f feat(image): add support wildcard for platform os (#3196)
- fd5cafb fix: load compliance report from file system (#3161)
- 6ab9380 fix(suse): use package name to get advisories (#3199)
- 4a5d643 docs(image): space issues during image scan (#3190)
- 2206e00 feat(containerd): scan image by digest (#3075)
- 861bc03 fix(vuln): add package name to title (#3183)
- f115895 fix: present control status instead of compliance percentage in compliance report (#3181)
- cc8cef1 perf(license): remove go-enry/go-license-detector. (#3187)
- a0033f6 fix: workdir command as empty layer (#3087)
- cb5744d docs: reorganize ecosystem section (#3025)
- 1ddd6d3 feat(dotnet): add support dependency location for dotnet-core files (#3095)
- 30c8d75 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.114 to 1.44.136 (#3174)
- 8e7b44f chore(deps): bump github.com/testcontainers/testcontainers-go from 0.13.0 to 0.15.0 (#3109)
- dfff371 feat(dotnet): add support dependency location for nuget lock files (#3032)
- eb571fd chore: update code owners for misconfigurations (#3176)
- 7571783 feat: add slow mode (#3084)
- 01df475 docs: fix typo in enable-builin-rules mentions (#3118)
- 6b3be15 feat: Add maintainer field to OS packages (#3149)
- 9ebdc51 docs: fix some typo (#3171)
- 42e81ad chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.17.8 to 1.18.0 (#3175)
- 55ec898 chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#3112)
- 0644ceb docs: fix links on Built-in Policies page (#3124)
- 50af7a2 chore(deps): bump github.com/go-openapi/runtime from 0.24.1 to 0.24.2 (#3117)
- c455d14 chore(deps): bump github.com/samber/lo from 1.28.2 to 1.33.0 (#3116)
- 8fb9d31 fix: Perform filepath.Clean first and then filepath.ToSlash for skipFile/skipDirs settings (#3144)
- 8562b8c chore: use newline for semantic pr (#3172)
- aff9a3e chore(deps): bump azure/setup-helm from 3.3 to 3.4 (#3107)
- 001671e chore(deps): bump sigstore/cosign-installer from 2.7.0 to 2.8.1 (#3106)
- 4e7ab48 chore(deps): bump amannn/action-semantic-pull-request from 4 to 5 (#3105)
- a6091a7 chore(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (#3104)
- 6da148c fix(spdx): rename describes field in spdx (#3102)
- df9cf88 chore: handle GOPATH with several paths in make file (#3092)
- 32fe108 docs(flag): add "rego" configuration file options (#3165)
- 8fcca9c chore(go): updates wazero to 1.0.0-pre.3 (#3090)
- 02f77bc chore(deps): bump actions/cache from 3.0.9 to 3.0.11 (#3108)
- aa3ff09 docs(license): fix typo inside quick start (#3134)
- f26b452 chore: update codeowners for docs (#3135)
- 3b6d7d8 fix(cli): exclude --compliance flag from non supported sub-commands (#3158)
- e9a2549 fix: remove --security-checks none from image help (#3156)
- 3aa1912 fix: compliance flag description (#3160)
- fc82057 docs(k8s): fix a typo (#3163)
- 3a1f05e chore(deps): bump golang from 1.19.1 to 1.19.2 (#3103)
v0.34.0
Changelog
- 7912f58 feat(vuln): support dependency graph for RHEL/CentOS (#3094)
- 9468056 feat(vuln): support dependency graph for dpkg and apk (#3093)
- 7cc83cc perf(license): enable license classifier only with "--license-full" (#3086)
- 5b975de feat(report): add secret scanning to ASFF template (#2860)
- b6cef12 feat: Allow override of containerd namespace (#3060)
- 0765148 fix(vuln): In alpine use Name as SrcName (#3079)
- 9e649b8 fix(secret): Alibaba AccessKey ID (#3083)
v0.33.0
Changelog
- af89249 refactor(k8s): custom reports (#3076)
- f4e970f fix(misconf): Bump in-toto-golang with correct CycloneDX predicate (#3068)
- 8ae4627 feat(image): add support for passing architecture and OS (#3012)
- 0501e70 test: disable containerd integration tests for non-amd64 arch (#3073)
- a377c8d feat(server): Add support for client/server mode to rootfs command (#3021)
- 02a73f0 feat(vuln): support non-packaged binaries (#3019)
- 18581f3 feat: compliance reports (#2951)
- 63b8e4d fix(flag): disable flag parsing for each plugin command (#3074)
- cbedd71 feat(nodejs): add support dependency location for yarn.lock files (#3016)
- b22e37e chore: Switch github.com/liamg dependencies to github.com/aquasecurity (#3069)
- 9b0e979 feat: add k8s components (#2589)
- 5e25182 fix(secret): update the regex for secrets scanning (#2964)
- 9947e51 chore(deps): bump github.com/samber/lo from 1.27.1 to 1.28.2 (#2979)
- d2a15a7 fix: bump trivy-kubernetes (#3064)
- f2efc9c docs: fix missing 'image' subcommand (#3051)
- 34653c7 chore: Patch golang x/text vulnerability (#3046)
- e252ea8 chore: add licensed project logo (#3058)
- 439d216 feat(ubuntu): set Ubuntu 22.10 EOL (#3054)
- 9f5113a refactor(analyzer): use strings.TrimSuffix instead of strings.HasSuffix (#3028)
- c1e24d5 feat(report): Use understandable value for shortDescription in SARIF reports (#3009)
- 212af07 docs(misconf): fix typo (#3043)
- 68f374a feat: add support for scanning azure ARM (#3011)
- d35c668 feat(report): add location.message to SARIF output (#3002) (#3003)
- 2150ffc chore(deps): bump github.com/aws/aws-sdk-go from 1.44.95 to 1.44.109 (#2980)
- ca434f7 feat(nodejs): add dependency line numbers for npm lock files (#2932)
- a8ff5f0 test(fs): add `--skip-files`, `--skip-dirs` (#2984)
- 561b2e7 docs: add Woodpecker CI integrations example (#2823)
- 4a3583d chore(deps): bump github.com/sigstore/rekor from 0.12.0 to 0.12.2 (#2981)
- 4be9eeb chore(deps): bump github.com/liamg/memoryfs from 1.4.2 to 1.4.3 (#2976)
- a260d35 chore(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 (#2975)
- 558189f chore(deps): bump github.com/caarlos0/env/v6 from 6.10.0 to 6.10.1 (#2982)
- c2eb6ee fix(sbom): ref generation if serialNumber is empty when input is cyclonedx file (#3000)
- 68f7952 fix(java): don't stop parsing jar file when wrong inner jar is found (#2989)
- be78da6 fix(sbom): use nuget purl type for dotnet-core (#2990)
- 92b5a19 perf: retrieve rekor entries in bulk (#2987)
- babd7e7 feat(aws): Custom rego policies for AWS scanning (#2994)
- 8ad9b8a docs: jq cli formatting (#2881)
- a78684c docs(repo): troubleshooting $TMPDIR customization (#2985)
- 7309ed0 chore(deps): bump actions/cache from 3.0.8 to 3.0.9 (#2969)
- 9515a5c chore(deps): bump actions/stale from 5 to 6 (#2970)
- 955aff6 chore(deps): bump sigstore/cosign-installer from 2.5.1 to 2.7.0 (#2971)
- db56d23 chore(deps): bump helm/chart-testing-action from 2.3.0 to 2.3.1 (#2972)
- 05a7232 chore(deps): bump helm/kind-action from 1.3.0 to 1.4.0 (#2973)
- 2c39d47 chore: run `go fmt` (#2897)
- 16a7dc1 chore(go): updates wazero to 1.0.0-pre.2 (#2955)
- ce4ba7c fix(aws): Less function for slice sorting always returns false (#2967)
- 4ffe746 fix(java): fix unmarshal pom exclusions (#2936)
v0.32.1
Changelog
- 8b1cee8 fix(java): use fields of dependency from dependencyManagement from upper pom.xml to parse deps (#2943)
- f5cbbb3 chore: expat lib and go binary deps vulns (#2940)
- 6882bdf wasm: Removes accidentally exported memory (#2950)
- 6ea9a61 fix(sbom): fix package name separation for gradle (#2906)
- 3ee4c96 docs(readme.md): fix broken integrations link (#2931)
- 5745961 fix(image): handle images with single layer in rescan mergedLayers cache (#2927)
- e01253d fix(cli): split env values with ',' for slice flags (#2926)
- 0c1a42d fix(cli): config/helm: also take into account files with `.yml` (#2928)
- 237b8dc fix(flag): add file-patterns flag for config subcommand (#2925)
- 047a0b3 chore(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.43.1 (#2902)
v0.32.0
Changelog
- 585985e docs: add Rekor SBOM attestation scanning (#2893)
- d30fa00 chore: narrow the owner scope (#2894)
- 38c1513 fix: remove a patch number from the recommendation link (#2891)
- ba29ce6 fix: enable parsing of UUID-only rekor entry ID (#2887)
- 018eda6 docs(sbom): add SPDX scanning (#2885)
- 20f1e59 docs: restructure docs and add tutorials (#2883)
- 192fd78 feat(sbom): scan sbom attestation in the rekor record (#2699)
- 597836c feat(k8s): support outdated-api (#2877)
- 6c7bd67 chore(deps): bump github.com/moby/buildkit from 0.10.3 to 0.10.4 (#2815)
- 4127043 fix(c): support revisions in Conan parser (#2878)
- b677d7e feat: dynamic links support for scan results (#2838)
- 8e03bbb chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 (#2818)
- 27005c7 docs: update archlinux commands (#2876)
- b6e394d feat(secret): add line from dockerfile where secret was added to secret result (#2780)
- 9f6680a feat(sbom): Add unmarshal for spdx (#2868)
- db0aaf1 chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#2827)
- bb3220c fix: revert asff arn and add documentation (#2852)
- c51f2b8 docs: batch-import-findings limit (#2851)
- 552732b chore(deps): bump golang from 1.19.0 to 1.19.1 (#2872)
- 3165c37 feat(sbom): Add marshal for spdx (#2867)
- dac2b4a build: checkout before setting up Go (#2873)
- 39f83af chore: bump Go to 1.19 (#2861)
- 0ce9583 docs: azure doc and trivy (#2869)
- 2f37961 fix: Scan tarr'd dependencies (#2857)
- db14ef3 chore(helm): helm test with ingress (#2630)
- acb65d5 feat(report): add secrets to sarif format (#2820)
- a18cd7c chore(deps): bump azure/setup-helm from 1.1 to 3.3 (#2807)
- 2de903c refactor: add a new interface for initializing analyzers (#2835)
- 63c3b8e chore(deps): bump github.com/aws/aws-sdk-go from 1.44.77 to 1.44.92 (#2840)
- 6717665 fix: update ProductArn with account id (#2782)
- 41a8496 feat(helm): make cache TTL configurable (#2798)
- 0f1f2c1 build(): Sign releaser artifacts, not only container manifests (#2789)
- b389a6f chore: improve doc about azure devops (#2795)
- 9ef9fce chore(deps): bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (#2804)
- 7b3225d chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.16.11 to 1.16.14 (#2828)
- 37733ed chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#2825)
- 44d7e8d docs: don't push patch versions (#2824)
- 4839075 feat: add support for conan.lock file (#2779)
- 6b4ddaa feat: cache merged layers
- a18f398 chore(deps): bump helm/chart-testing-action from 2.2.1 to 2.3.0 (#2805)
- 4dcce14 chore(deps): bump actions/cache from 3.0.5 to 3.0.8 (#2806)
- db45447 chore(deps): bump github.com/caarlos0/env/v6 from 6.9.3 to 6.10.0 (#2811)
- a246d0f chore(deps): bump github.com/aquasecurity/table from 1.7.2 to 1.8.0 (#2810)
- 1800017 chore(deps): bump github.com/samber/lo from 1.27.0 to 1.27.1 (#2808)
- 218e41a chore(deps): bump github.com/alicebob/miniredis/v2 from 2.22.0 to 2.23.0 (#2814)
- a000ade feat: add support for gradle.lockfile (#2759)
- 43113bc chore(mod): updates wazero to 1.0.0-pre.1 (#2791)
- 5f0bf14 feat: move file patterns to a global level to be able to use it on any analyzer (#2539)
- 2580ea1 Fix url validation failures (#2783)
- 2473b2c fix(image): add logic to detect empty layers (#2790)
- 9d018d4 feat(rust): add dependency graph from Rust binaries (#2771)
v0.31.3
Changelog
- db67f16 fix: handle empty OS family (#2768)
- 77616be fix: fix k8s summary report (#2777)
- fcccfce fix: don't skip packages that don't contain vulns, when using --list-all-pkgs flag (#2767)
- 8bc215c chore: bump trivy-kubernetes (#2770)
- d8d8e62 fix(secret): Consider secrets in rpc calls (#2753)
- b0e89d4 fix(java): check depManagement from upper pom's (#2747)
- da6f1b6 fix(php): skip `composer.lock` inside `vendor` folder (#2718)
- 2f2952c fix: fix k8s rbac filter (#2765)
- 8bc56bf feat(misconf): skipping misconfigurations by AVD ID (#2743)
- 9c1ce5a chore(deps): Upgrade Alpine to 3.16.2 to fix zlib issue (#2741)
- 3cd10b2 docs: add MacPorts install instructions (#2727)
- f369bd3 docs: typo (#2730)
v0.31.2
v0.31.1
v0.31.0
Changelog
- 917f388 fix(flag): add error when there are no supported security checks (#2713)
- aef02aa fix(vuln): continue scanning when no vuln found in the first application (#2712)
- ed1fa89 revert: add new classes for vulnerabilities (#2701)
- a5d4f7f feat(secret): detect secrets removed or overwritten in upper layer (#2611)
- ddffb1b fix(cli): secret scanning perf link fix (#2607)
- bc85441 chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.12.0 (#2650)
- b259b25 feat: Add AWS Cloud scanning (#2493)
- f8edda8 docs: specify the type when verifying an attestation (#2697)
- 6879413 docs(sbom): improve SBOM docs by adding a description for scanning SBOM attestation (#2690)
- babfb17 fix(rpc): scanResponse rpc conversion for custom resources (#2692)
- 517d2e0 feat(rust): Add support for cargo-auditable (#2675)
- 0112385 feat: Support passing value overrides for configuration checks (#2679)
- 317a026 feat(sbom): add support for scanning a sbom attestation (#2652)
- 390c256 chore(image): skip symlinks and hardlinks from tar scan (#2634)
- 63c33bf fix(report): Update junit.tpl (#2677)
- de365c8 fix(cyclonedx): add nil check to metadata.component (#2673)
- 50db7da docs(secret): fix missing and broken links (#2674)
- e848e6d refactor(cyclonedx): implement json.Unmarshaler (#2662)
- df0b5e4 chore(deps): bump github.com/aquasecurity/table from 1.6.0 to 1.7.2 (#2643)
- 006b8a5 chore(deps): bump github.com/Azure/go-autorest/autorest (#2642)
- 8d10de8 feat(kubernetes): add option to specify kubeconfig file path (#2576)
- 169c55c docs: follow Debian's "instructions to connect to a third-party repository" (#2511)
- 9b21831 chore(deps): bump github.com/google/licenseclassifier/v2 (#2644)
- 94db37e chore(deps): bump github.com/samber/lo from 1.24.0 to 1.27.0 (#2645)
- d983805 chore(deps): bump github.com/Azure/go-autorest/autorest/adal (#2647)
- d8a9572 chore(deps): bump github.com/cheggaaa/pb/v3 from 3.0.8 to 3.1.0 (#2646)
- 3ab3050 chore(deps): bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (#2641)
- 75984f3 chore(deps): bump actions/cache from 3.0.4 to 3.0.5 (#2640)
- 525c253 chore(deps): bump alpine from 3.16.0 to 3.16.1 (#2639)
- 5e327e4 chore(deps): bump golang from 1.18.3 to 1.18.4 (#2638)
- 469d771 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.48 to 1.44.66 (#2648)
- 6bc8c87 chore(deps): bump github.com/open-policy-agent/opa from 0.42.0 to 0.43.0 (#2649)
- 6ab832d chore(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (#2651)
- 3a10497 feat(alma): set AlmaLinux 9 EOL (#2653)
- 55825d7 fix(misconf): Allow quotes in Dockerfile WORKDIR when detecting relative dirs (#2636)
- 6bb0e4b test(misconf): add tests for misconf handler for dockerfiles (#2621)
- 44d53be feat(oracle): set Oracle Linux 9 EOL (#2635)
- f396c67 BREAKING: add new classes for vulnerabilities (#2541)
- 3cd88ab fix(secret): add newline escaping for asymmetric private key (#2532)
- ea91fb9 docs: improve formatting (#2572)
- d0ca610 feat(helm): allows users to define an existing secret for tokens (#2587)
- d0ba59a docs(mariner): use tdnf in fs usage example (#2616)
- d7742b6 docs: remove unnecessary double quotation marks (#2609)
- 27027cf fix: Fix --file-patterns flag (#2625)
- c2a7ad5 feat(report): add support for Cosign vulnerability attestation (#2567)
- dfb86f4 docs(mariner): use v2.0 in examples (#2602)
- 946ce16 feat(report): add secrets template for codequality report (#2461)