diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 97cef9b..2e54c72 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,7 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
- TRIVY_VERSION: 0.31.2
+ TRIVY_VERSION: 0.34.0
 BATS_LIB_PATH: '/usr/lib/'
 jobs:
 build:
diff --git a/Dockerfile b/Dockerfile
index 3bbaf25..9e0d609 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.31.2
+FROM ghcr.io/aquasecurity/trivy:0.34.0
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl npm
 RUN chmod +x /entrypoint.sh
diff --git a/test/data/config-sarif.test b/test/data/config-sarif.test
index de25c53..2dc4fad 100644
--- a/test/data/config-sarif.test
+++ b/test/data/config-sarif.test
@@ -13,7 +13,7 @@
 "id": "DS002",
 "name": "Misconfiguration",
 "shortDescription": {
- "text": "DS002"
+ "text": "Image user should not be \u0026#39;root\u0026#39;"
 },
 "fullDescription": {
 "text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
@@ -37,7 +37,7 @@
 }
 }
 ],
- "version": "0.31.2"
+ "version": "0.34.0"
 }
 },
 "results": [
@@ -61,6 +61,9 @@
 "endLine": 1,
 "endColumn": 1
 }
+ },
+ "message": {
+ "text": "Dockerfile"
 }
 }
 ]
diff --git a/test/data/config.test b/test/data/config.test
index 57f432a..d75ec79 100644
--- a/test/data/config.test
+++ b/test/data/config.test
@@ -28,6 +28,7 @@
 {
 "Type": "Dockerfile Security Check",
 "ID": "DS002",
+ "AVDID": "AVD-DS-0002",
 "Title": "Image user should not be 'root'",
 "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
 "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
diff --git a/test/data/fs-scheck.test b/test/data/fs-scheck.test
index 57f432a..d75ec79 100644
--- a/test/data/fs-scheck.test
+++ b/test/data/fs-scheck.test
@@ -28,6 +28,7 @@
 {
 "Type": "Dockerfile Security Check",
 "ID": "DS002",
+ "AVDID": "AVD-DS-0002",
 "Title": "Image user should not be 'root'",
 "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
 "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
diff --git a/test/data/image-sarif.test b/test/data/image-sarif.test
index e21f8ee..ae8439c 100644
--- a/test/data/image-sarif.test
+++ b/test/data/image-sarif.test
@@ -37,7 +37,7 @@
 }
 }
 ],
- "version": "0.31.2"
+ "version": "0.34.0"
 }
 },
 "results": [
diff --git a/test/data/image-trivyignores.test b/test/data/image-trivyignores.test
index b9d3103..b17e763 100644
--- a/test/data/image-trivyignores.test
+++ b/test/data/image-trivyignores.test
@@ -75,12 +75,15 @@ Total: 19 (CRITICAL: 19)
 rust-app/Cargo.lock (cargo)
 ===========================
-Total: 1 (CRITICAL: 1)
+Total: 2 (CRITICAL: 2)
 ┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
 │ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
 ├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
-│ smallvec │ CVE-2021-25900 │ CRITICAL │ 0.6.9 │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
+│ openssl │ CVE-2018-20997 │ CRITICAL │ 0.8.3 │ 0.10.9 │ Use after free in openssl │
+│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20997 │
+├──────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ smallvec │ CVE-2021-25900 │ │ 0.6.9 │ 1.6.1, 0.6.14 │ An issue was discovered in the smallvec crate before 0.6.14 │
 │ │ │ │ │ │ and 1.x... │
 │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
 └──────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
diff --git a/test/data/image.test b/test/data/image.test
index cddb9d1..86f29c9 100644
--- a/test/data/image.test
+++ b/test/data/image.test
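Review bot: The expected table in this hunk now encodes a vulnerability-DB state that is not pinned anywhere visible in the change: the new `openssl │ CVE-2018-20997` rows appear because the DB consulted when the fixture was regenerated contained that entry, and the `Fixed Version` cell for smallvec changed order (`1.6.1, 0.6.14`) for the same reason rather than because of the Trivy binary bump. If the harness scans against the live DB (not visible here), this fixture will drift again on the next DB refresh independently of TRIVY_VERSION, which makes the CI signal hard to distinguish from a real regression. Consider asserting on stable parts of the output (the section totals or the set of CVE IDs) instead of the full rendered table, or recording the DB version used alongside the fixture so a mismatch can be triaged. The same applies to both image.test hunks on the following line.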
@@ -75,12 +75,15 @@ Total: 19 (CRITICAL: 19)
 rust-app/Cargo.lock (cargo)
 ===========================
-Total: 4 (CRITICAL: 4)
+Total: 5 (CRITICAL: 5)
 ┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
 │ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
 ├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
-│ rand_core │ CVE-2020-25576 │ CRITICAL │ 0.4.0 │ 0.3.1, 0.4.2 │ An issue was discovered in the rand_core crate before 0.4.2 │
+│ openssl │ CVE-2018-20997 │ CRITICAL │ 0.8.3 │ 0.10.9 │ Use after free in openssl │
+│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20997 │
+├───────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ rand_core │ CVE-2020-25576 │ │ 0.4.0 │ 0.3.1, 0.4.2 │ An issue was discovered in the rand_core crate before 0.4.2 │
 │ │ │ │ │ │ for Rust.... │
 │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-25576 │
 ├───────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
@@ -92,7 +95,7 @@ Total: 4 (CRITICAL: 4)
 │ │ │ │ │ │ for Rust.... │
 │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15554 │
 │ ├────────────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
-│ │ CVE-2021-25900 │ │ │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
+│ │ CVE-2021-25900 │ │ │ 1.6.1, 0.6.14 │ An issue was discovered in the smallvec crate before 0.6.14 │
 │ │ │ │ │ │ and 1.x... │
 │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
 └───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
diff --git a/test/data/repo.test b/test/data/repo.test
index 9c9d93b..b7bc4dc 100644
--- a/test/data/repo.test
+++ b/test/data/repo.test
@@ -69,7 +69,6 @@
 ]
 },
 "Match": "export GITHUB_PAT=****************************************",
- "Deleted": false,
 "Layer": {}
 }
 ]
diff --git a/test/data/yamlconfig.test b/test/data/yamlconfig.test
index b7106b2..ede2795 100644
--- a/test/data/yamlconfig.test
+++ b/test/data/yamlconfig.test
@@ -60,6 +60,7 @@
 "Vulnerabilities": [
 {
 "VulnerabilityID": "CVE-2021-36159",
+ "PkgID": "apk-tools@2.10.6-r0",
 "PkgName": "apk-tools",
 "InstalledVersion": "2.10.6-r0",
 "FixedVersion": "2.10.7-r0",