
chore(deps): bump github.com/aquasecurity/trivy from 0.52.2 to 0.53.0 #1984

dependabot[bot] (Contributor) commented on behalf of github Jul 1, 2024

2024-07-05 Postscript (shino)

  • installed.json (PHP composer vendor) lockfile scan is added
  • Cache directory interface changed

Bumps github.com/aquasecurity/trivy from 0.52.2 to 0.53.0.

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.53.0

Changelog

  • c55b0e6ca release: v0.53.0 [main] (#6855)
  • 654217a65 feat(conda): add licenses support for environment.yml files (#6953)
  • 3d4ae8b5b fix(sbom): fix panic when scanning SBOM file without root component into SBOM format (#7051)
  • 55ccd06df feat: add memory cache backend (#7048)
  • 14d71ba63 fix(sbom): use package UIDs for uniqueness (#7042)
  • edc556b85 feat(php): add installed.json file support (#4865)
  • 4f8b3996e docs: ✨ Updated ecosystem docs with reference to new community app (#7041)
  • 137c91642 fix: use embedded when command path not found (#7037)
  • 9e4927ee1 chore(deps): bump trivy-kubernetes version (#7012)
  • 4be02bab8 refactor: use google/wire for cache (#7024)
  • e9fc3e339 fix(cli): show info message only when --scanners is available (#7032)
  • 0ccdbfbb6 chore: enable float-compare rule from testifylint (#6967)
  • 9045f2445 docs: Add sudo on commands, chmod before mv on install docs (#7009)
  • 3d02a31b4 fix(plugin): respect --insecure (#7022)
  • 8d618e48a feat(k8s)!: node-collector dynamic commands support (#6861)
  • a76e3286c fix(sbom): take pkg name from purl for maven pkgs (#7008)
  • eb636c1b3 chore(deps): bump github.com/hashicorp/go-getter from 1.7.4 to 1.7.5 (#7018)
  • 8d0ae1f5d feat!: add clean subcommand (#6993)
  • de201dc77 chore: use ! for breaking changes (#6994)
  • 979e118a9 feat(aws)!: Remove aws subcommand (#6995)
  • 648ead955 refactor: replace global cache directory with parameter passing (#6986)
  • 7eabb92ec fix(sbom): use purl for bitnami pkg names (#6982)
  • 333087c9e chore: bump Go toolchain version (#6984)
  • 6dff4223e refactor: unify cache implementations (#6977)
  • 9dc8a2ba6 docs: non-packaged and sbom clarifications (#6975)
  • b58d42dc9 BREAKING(aws): Deprecate trivy aws as subcmd in favour of a plugin (#6819)
  • 6469d37cc docs: delete unknown URL (#6972)
  • 30bcb9535 refactor: use version-specific URLs for documentation references (#6966)
  • e493fc931 refactor: delete db mock (#6940)
  • 983ac15f2 ci: add depguard (#6963)
  • dfe757e37 refactor: add warning if severity not from vendor (or NVD or GH) is used (#6726)
  • f144e912d feat: Add local ImageID to SARIF metadata (#6522)
  • 5ee4e9d30 fix(suse): Add SLES 15.6 and Leap 15.6 (#6964)
  • f18d035ae feat(java): add support for sbt projects using sbt-dependency-lock (#6882)
  • 1f8fca1fc feat(java): add support for maven-metadata.xml files for remote snapshot repositories. (#6950)
  • 2d85a003b fix(purl): add missed os types (#6955)
  • 417212e09 fix(cyclonedx): trim non-URL info for advisory.url (#6952)
  • 38b35dd3c fix(c): don't skip conan files from file-patterns and scan .conan2 cache dir (#6949)
  • eb6d0d977 ci: correctly handle categories (#6943)
  • 0af5730cb fix(image): parse image.inspect.Created field only for non-empty values (#6948)
  • c3192f061 fix(misconf): handle source prefix to ignore (#6945)
  • ec68c9ab4 fix(misconf): fix parsing of engine links and frameworks (#6937)
  • bc3741ae2 feat(misconf): support of selectors for all providers for Rego (#6905)
  • 735aadf2d ci: don't run tests for release-please PRs (#6936)
  • 52f7aa54b fix(license): return license separation using separators ,, or, etc. (#6916)
  • d77d9ce38 ci: use ubuntu-latest-m runner (#6918)
  • 55fa6109c feat(misconf): add support for AWS::EC2::SecurityGroupIngress/Egress (#6755)
  • cd360dde2 BREAKING(misconf): flatten recursive types (#6862)

... (truncated)

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.53.0 (2024-07-01)

⚠ BREAKING CHANGES

  • k8s: node-collector dynamic commands support (#6861)
  • add clean subcommand (#6993)
  • aws: Remove aws subcommand (#6995)

Features

  • add clean subcommand (#6993) (8d0ae1f)
  • Add local ImageID to SARIF metadata (#6522) (f144e91)
  • add memory cache backend (#7048) (55ccd06)
  • aws: Remove aws subcommand (#6995) (979e118)
  • conda: add licenses support for environment.yml files (#6953) (654217a)
  • dart: use first version of constraint for dependencies using SDK version (#6239) (042d6b0)
  • image: Set User-Agent header for Trivy container registry requests (#6868) (9b31697)
  • java: add support for maven-metadata.xml files for remote snapshot repositories. (#6950) (1f8fca1)
  • java: add support for sbt projects using sbt-dependency-lock (#6882) (f18d035)
  • k8s: node-collector dynamic commands support (#6861) (8d618e4)
  • misconf: add metadata to Cloud schema (#6831) (02d5404)
  • misconf: add support for AWS::EC2::SecurityGroupIngress/Egress (#6755) (55fa610)
  • misconf: API Gateway V1 support for CloudFormation (#6874) (8491469)
  • misconf: support of selectors for all providers for Rego (#6905) (bc3741a)
  • php: add installed.json file support (#4865) (edc556b)
  • plugin: add support for nested archives (#6845) (622c67b)
  • sbom: migrate to CycloneDX v1.6 (#6903) (09e50ce)

Bug Fixes

  • c: don't skip conan files from file-patterns and scan .conan2 cache dir (#6949) (38b35dd)
  • cli: show info message only when --scanners is available (#7032) (e9fc3e3)
  • cyclonedx: trim non-URL info for advisory.url (#6952) (417212e)
  • debian: take installed files from the origin layer (#6849) (089b953)
  • image: parse image.inspect.Created field only for non-empty values (#6948) (0af5730)
  • license: return license separation using separators ,, or, etc. (#6916) (52f7aa5)
  • misconf: fix caching of modules in subdirectories (#6814) (0bcfedb)
  • misconf: fix parsing of engine links and frameworks (#6937) (ec68c9a)
  • misconf: handle source prefix to ignore (#6945) (c3192f0)
  • misconf: parsing numbers without fraction as int (#6834) (8141a13)
  • nodejs: fix infinite loop when package link from package-lock.json file is broken (#6858) (cf5aa33)
  • nodejs: fix infinity loops for pnpm with cyclic imports (#6857) (7d083bc)
  • plugin: respect --insecure (#7022) (3d02a31)
  • purl: add missed os types (#6955) (2d85a00)
  • python: compare pkg names from poetry.lock and pyproject.toml in lowercase (#6852) (faa9d92)
  • sbom: don't overwrite srcEpoch when decoding SBOM files (#6866) (04af59c)
  • sbom: fix panic when scanning SBOM file without root component into SBOM format (#7051) (3d4ae8b)
  • sbom: take pkg name from purl for maven pkgs (#7008) (a76e328)

... (truncated)

Commits
  • c55b0e6 release: v0.53.0 [main] (#6855)
  • 654217a feat(conda): add licenses support for environment.yml files (#6953)
  • 3d4ae8b fix(sbom): fix panic when scanning SBOM file without root component into SBOM...
  • 55ccd06 feat: add memory cache backend (#7048)
  • 14d71ba fix(sbom): use package UIDs for uniqueness (#7042)
  • edc556b feat(php): add installed.json file support (#4865)
  • 4f8b399 docs: ✨ Updated ecosystem docs with reference to new community app (#7041)
  • 137c916 fix: use embedded when command path not found (#7037)
  • 9e4927e chore(deps): bump trivy-kubernetes version (#7012)
  • 4be02ba refactor: use google/wire for cache (#7024)
  • Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name Ignore Conditions
github.com/aquasecurity/trivy [>= 0.50.2.a, < 0.50.3]
github.com/aquasecurity/trivy [< 0.51, > 0.50.1]


@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 1, 2024
@dependabot dependabot bot force-pushed the dependabot/go_modules/master/github.com/aquasecurity/trivy-0.53.0 branch from af72c65 to ac33e74 July 4, 2024 05:14
Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.52.2 to 0.53.0.
- [Release notes](https://github.com/aquasecurity/trivy/releases)
- [Changelog](https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md)
- [Commits](aquasecurity/trivy@v0.52.2...v0.53.0)

---
updated-dependencies:
- dependency-name: github.com/aquasecurity/trivy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/master/github.com/aquasecurity/trivy-0.53.0 branch from ac33e74 to a80edfc July 4, 2024 05:17
@MaineK00n MaineK00n requested a review from shino July 4, 2024 05:18
shino (Collaborator) commented Jul 4, 2024

Test for Composer's installed.json

% ./vuls scan -config integration/int-config.toml composer-vendor
[Jul  4 19:03:01]  INFO [localhost] vuls-v0.26.0-build-20240704_183504_85f96e5
[Jul  4 19:03:01]  INFO [localhost] Start scanning
[Jul  4 19:03:01]  INFO [localhost] config: integration/int-config.toml
[Jul  4 19:03:01]  INFO [localhost] Validating config...
[Jul  4 19:03:01]  INFO [localhost] Detecting Server/Container OS...
[Jul  4 19:03:01]  INFO [localhost] Detecting OS of servers...
[Jul  4 19:03:01]  INFO [localhost] (1/1) Detected: composer-vendor: pseudo
[Jul  4 19:03:01]  INFO [localhost] Detecting OS of containers...
[Jul  4 19:03:01]  INFO [localhost] Checking Scan Modes...
[Jul  4 19:03:01]  INFO [localhost] Detecting Platforms...
[Jul  4 19:03:01]  INFO [localhost] (1/1) composer-vendor is running on other
[Jul  4 19:03:01]  INFO [composer-vendor] Scanning listen port...
[Jul  4 19:03:01]  INFO [composer-vendor] Using Port Scanner: Vuls built-in Scanner
[Jul  4 19:03:01]  INFO [composer-vendor] Scanning Language-specific Packages...


Scan Summary
================
composer-vendor pseudo  0 installed, 0 updatable        3 libs
To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
% ./vuls report -config integration/int-config.toml
[Jul  4 19:03:21]  INFO [localhost] vuls-v0.26.0-build-20240704_183504_85f96e5
[Jul  4 19:03:21]  INFO [localhost] Validating config...
[Jul  4 19:03:21]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Jul  4 19:03:21]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker/oval.sqlite3
[Jul  4 19:03:21]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker/gost.sqlite3
[Jul  4 19:03:21]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Jul  4 19:03:21]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Jul  4 19:03:21]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Jul  4 19:03:21]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Jul  4 19:03:21]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2024-07-04T19-03-01+0900
[Jul  4 19:03:21]  INFO [localhost] Updating library db...
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: 2 CVEs are detected with Library
[Jul  4 19:03:21]  INFO [localhost] pseudo type. Skip OVAL and gost detection
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: 0 CVEs are detected with CPE
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: 0 PoC are detected
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: 0 exploits are detected
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: Known Exploited Vulnerabilities are detected for 0 CVEs
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: Cyber Threat Intelligences are detected for 0 CVEs
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: total 2 CVEs detected
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: 0 CVEs filtered by --confidence-over=80
composer-vendor (pseudo)
========================
Total: 2 (Critical:0 High:2 Medium:0 Low:0 ?:0)
2/2 Fixed, 0 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 3 libs

+----------------+------+--------+-----+-----------+---------+-----------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |    PACKAGES     |
+----------------+------+--------+-----+-----------+---------+-----------------+
| CVE-2022-24775 |  8.9 |  AV:N  |     |           |   fixed | guzzlehttp/psr7 |
+----------------+------+--------+-----+-----------+---------+-----------------+
| CVE-2023-29197 |  8.9 |  AV:N  |     |           |   fixed | guzzlehttp/psr7 |
+----------------+------+--------+-----+-----------+---------+-----------------+
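As an added illustration (not code from this PR, vuls or Trivy), a small Go parser for the vendor/composer/installed.json layout that this bump lets the scanner enumerate; the file contents and package versions below are constructed for the example, and the detection of the two Composer layouts is the example's own logic, not Trivy's.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Library is one dependency recovered from vendor/composer/installed.json.
type Library struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// ParseInstalledJSON accepts both layouts Composer has written: Composer 1 emits a
// bare JSON array of package objects; Composer 2 wraps them in {"packages": [...]}.
func ParseInstalledJSON(data []byte) ([]Library, error) {
	var v2 struct {
		Packages []Library `json:"packages"`
	}
	if err := json.Unmarshal(data, &v2); err == nil && v2.Packages != nil {
		return v2.Packages, nil
	}
	var v1 []Library
	if err := json.Unmarshal(data, &v1); err != nil {
		return nil, fmt.Errorf("installed.json: unrecognised layout: %w", err)
	}
	return v1, nil
}

// sampleInstalledJSON is a constructed Composer 2 style file; the package
// versions are invented for illustration and are not taken from the PR.
const sampleInstalledJSON = `{
  "packages": [
    {"name": "guzzlehttp/psr7", "version": "1.8.0", "type": "library"},
    {"name": "psr/http-message", "version": "1.0.1", "type": "library"},
    {"name": "ralouphie/getallheaders", "version": "3.0.3", "type": "library"}
  ],
  "dev": false
}`

func main() {
	libs, err := ParseInstalledJSON([]byte(sampleInstalledJSON))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d libs\n", len(libs)) // the scan summary above reports "3 libs"
	for _, l := range libs {
		fmt.Printf("  %s %s\n", l.Name, l.Version)
	}
}
```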

shino (Collaborator) commented Jul 4, 2024

Binary size is still getting larger...

% ll vuls
-rwxr-xr-x 1 shino shino 146M Jul  4 18:36 vuls*

@shino shino requested review from MaineK00n and removed request for shino July 4, 2024 10:05
MaineK00n (Collaborator) left a comment

🏖

@shino shino merged commit d4f7550 into master Jul 5, 2024
7 checks passed
@shino shino deleted the dependabot/go_modules/master/github.com/aquasecurity/trivy-0.53.0 branch July 5, 2024 00:08