Releases: aquasecurity/trivy

v0.38.3

14 Mar 10:57
a12f58b

Changelog

  • a12f58b chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.86.1 to 1.89.1 (#3827)
  • ee51835 fix(java): skip empty files for jar post analyzer (#3832)
  • 3987a67 fix(docker): build healthcheck command for line without /bin/sh prefix (#3831)
  • 2bb25e7 refactor(license): use goyacc for license parser (#3824)
  • 00c763b chore(deps): bump github.com/docker/docker from 23.0.0-rc.1+incompatible to 23.0.1+incompatible (#3586)
  • cac5881 fix: populate timeout context to node-collector (#3766)
  • bd9c6e6 fix: exclude node collector scanning (#3771)
  • 20f1067 fix: display correct flag in error message when skipping java db update #3808
  • 1fac7bf fix: disable jar analyzer for scanners other than vuln (#3810)
  • aaf2658 fix(sbom): fix incompliant license format for spdx (#3335)
  • f830763 fix(java): the project props take precedence over the parent's props (#3320)
  • 1aa3b7d docs: add canary build info to README.md (#3799)
  • 57904c0 docs: adding link to gh token generation (#3784)
  • bdccf72 docs: changing docs in accordance with #3460 (#3787)

v0.38.2

08 Mar 11:22
800473a

Changelog

  • 800473a chore(deps): bump github.com/moby/buildkit from 0.11.0 to 0.11.4 (#3789)
  • e6ab389 chore(deps): bump actions/add-to-project from 0.4.0 to 0.4.1 (#3724)
  • 6614398 fix(license): disable jar analyzer for licence scan only (#3780)
  • 1dc6fee bump trivy-issue-action to v0.0.0; skip pkg dir (#3781)
  • 3357ed0 fix: skip checking dirs for required post-analyzers (#3773)
  • 1064636 docs: add information about plugin format (#3749)
  • 60b7ef5 fix(sbom): add trivy version to spdx creators tool field (#3756)

v0.38.1

02 Mar 16:30
497c955

Changelog

  • 497c955 feat(misconf): Add support to show policy bundle version (#3743)
  • 5d54310 fix(python): fix error with optional dependencies in pyproject.toml (#3741)
  • 44cf1e2 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.210 to 1.44.212 (#3740)
  • 743b4b0 add id for package.json files (#3750)
  • 6de4385 chore(deps): bump github.com/containerd/containerd from 1.6.18 to 1.6.19 (#3738)
  • 9a0ceef chore(deps): bump actions/cache from 3.2.4 to 3.2.6 (#3725)
  • 0501b46 chore(deps): bump github.com/google/go-containerregistry (#3731)
  • ee3004d chore(deps): bump go.etcd.io/bbolt from 1.3.6 to 1.3.7 (#3732)
  • 5c8e604 chore(deps): bump alpine from 3.17.1 to 3.17.2 (#3723)

v0.38.0

01 Mar 11:44
bc08366

⚡Release highlights and summary⚡

👉 #3719

Changelog

  • bc08366 fix(cli): pass integer to exit-on-eol (#3716)
  • 23cdac0 feat: add kubernetes pss compliance (#3498)
  • 302c8ae feat: Adding --module-dir and --enable-modules (#3677)
  • 34120f4 feat: add special IDs for filtering secrets (#3702)
  • e399ed8 chore(deps): Update defsec (#3713)
  • ef7b762 docs(misconf): Add guide on input schema (#3692)
  • 00daebc feat(go): support dependency graph and show only direct dependencies in the tree (#3691)
  • 98d1031 feat: docker multi credential support (#3631)
  • b791362 feat: summarize vulnerabilities in compliance reports (#3651)
  • 719fdb1 feat(python): parse pyproject.toml alongside poetry.lock (#3695)
  • 3ff5699 feat(python): add dependency tree for poetry lock file (#3665)
  • 33909d9 fix(cyclonedx): incompliant affect ref (#3679)
  • d85a3e0 chore(helm): update skip-db-update environment variable (#3657)
  • 551899c fix(spdx): change CreationInfo timestamp format RFC3336Nano to RFC3336 (#3675)
  • 3aaa2cf fix(sbom): export empty dependencies in CycloneDX (#3664)
  • 9d1300c docs: java-db air-gap doc tweaks (#3561)
  • 793cc43 feat(go): license support (#3683)
  • 6a3294e feat(ruby): add dependency tree/location support for Gemfile.lock (#3669)
  • e9dc21d fix(k8s): k8s label size (#3678)
  • 12976d4 fix(cyclondx): fix array empty value, null to [] (#3676)
  • 1dc2b34 refactor: rewrite gomod analyzer as post-analyzer (#3674)
  • 92eaf63 feat: config outdated-api result filtered by k8s version (#3578)
  • 9af436b fix: Update to Alpine 3.17.2 (#3655)
  • 88ee68d feat: add support for virtual files (#3654)
  • 75c96bd feat: add post-analyzers (#3640)
  • baea399 chore(deps): updates wazero to 1.0.0-pre.9 (#3653)
  • 7ca0db1 chore(deps): bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 (#3528)
  • 866999e chore(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18 (#3633)
  • b7bfb9a feat(python): add dependency locations for Pipfile.lock (#3614)
  • 9badef2 chore(deps): bump golang.org/x/net from 0.5.0 to 0.7.0 (#3648)
  • d856595 fix(java): fix groupID selection by ArtifactID for jar files. (#3644)
  • fe7c26a chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.63.1 to 1.85.0 (#3607)
  • f251dfc fix(aws): Adding a fix for update-cache flag that is not applied on AWS scans. (#3619)
  • 9be8062 feat(cli): add command completion (#3061)
  • 370098d docs(misconf): update dockerfile link (#3627)
  • 32acd29 feat(flag): add exit-on-eosl option (#3423)
  • aa8e185 chore(deps): bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.2 (#3533)
  • 86603bb fix(cli): make java db repository configurable (#3595)
  • 7b1e173 chore: bump trivy-kubernetes (#3613)

v0.37.3

14 Feb 12:28
85d5d61

Changelog

  • 85d5d61 chore(helm): update Trivy from v0.36.1 to v0.37.2 (#3574)
  • 2c17260 chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#3536)
  • c54f1aa chore(deps): bump golang/x/mod to v0.8.0 (#3606)
  • 625ea58 chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.5.0 (#3529)
  • 623c7f9 chore(deps): bump helm.sh/helm/v3 from 3.10.3 to 3.11.1 (#3580)
  • d291c34 ci: quote pros in c++ for semantic pr (#3605)
  • 6cac6c9 fix(image): check proxy settings from env for remote images (#3604)

v0.37.2

10 Feb 01:21
12b563b

💔Breaking Change💔

Java DB

This release introduces a breaking change to the Trivy Java DB.
Users running Trivy v0.37.0 or v0.37.1 for Java scanning need to remove the locally cached Java DB with trivy image --reset and update Trivy to v0.37.2.

Changelog

  • 12b563b BREAKING: use normalized trivy-java-db (#3583)
  • 72a14c6 fix(image): add timeout for remote images (#3582)
  • 4c01d73 chore(deps): bump golang.org/x/mod from 0.6.0 to 0.7.0 (#3532)
  • 10dd5d1 chore(deps): bump golang.org/x/text from 0.5.0 to 0.6.0 (#3534)
  • 439c541 fix(misconf): handle dot files better (#3550)
  • 200e04a chore: bump Go to 1.19 (#3551)
  • a533ca8 chore(deps): bump alpine from 3.17.0 to 3.17.1 (#3522)
  • 4bccbe6 chore(deps): bump docker/build-push-action from 3 to 4 (#3523)
  • d056208 chore(deps): bump actions/cache from 3.2.2 to 3.2.4 (#3524)
  • f5e6574 chore(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.4.0 (#3525)
  • d3da459 chore(deps): bump aquaproj/aqua-installer from 1.2.0 to 2.0.2 (#3526)

v0.37.1

01 Feb 16:37
7f8868b

Changelog

v0.37.0

01 Feb 12:43
e9d2af9

Changelog

  • e9d2af9 fix(image): close layers (#3517)
  • b169424 refactor: db client changed (#3515)
  • 7bf1e19 feat(java): use trivy-java-db to get GAV (#3484)
  • 023e45b docs: add note about the limitation in Rekor (#3494)
  • 0fe62a9 docs: aggregate targets (#3503)
  • 0373e08 deps: updates wazero to 1.0.0-pre.8 (#3510)
  • a2e21f9 docs: add alma 9 and rocky 9 to supported os (#3513)
  • 7d778b7 chore(deps): bump defsec to v0.82.9 (#3512)
  • 9e9dbea chore: add missing target labels (#3504)
  • d99a7b8 docs: add java vulnerability page (#3429)
  • cb5af0b feat(image): add support for Docker CIS Benchmark (#3496)
  • 6eec9ac feat(image): secret scanning on container image config (#3495)
  • 1eca973 chore(deps): Upgrade defsec to v0.82.8 (#3488)
  • fb0d8f3 feat(image): scan misconfigurations in image config (#3437)
  • 501d424 chore(helm): update Trivy from v0.30.4 to v0.36.1 (#3489)
  • 475dc17 feat(k8s): add node info resource (#3482)
  • ed173b8 perf(secret): optimize secret scanning memory usage (#3453)
  • 1b368be feat: support aliases in CLI flag, env and config (#3481)
  • 66a83d5 fix(k8s): migrate rbac k8s (#3459)
  • 81bee0f feat(java): add implementationVendor and specificationVendor fields to detect GroupID from MANIFEST.MF (#3480)
  • e107608 refactor: rename security-checks to scanners (#3467)
  • aaf845d chore: display the troubleshooting URL for the DB denial error (#3474)
  • ed5bb0b docs: yaml tabs to spaces, auto create namespace (#3469)
  • 3158bfe docs: adding show-and-tell template to GH discussions (#3391)
  • 85b6c4a fix: Fix a temporary file leak in case of error (#3465)
  • 60bddae fix(test): sort cyclonedx components (#3468)
  • e0bb04c docs: fixing spelling mistakes (#3462)
  • c25e826 ci: set paths triggering VM tests in PR (#3438)
  • 07ddc85 docs: typo in --skip-files (#3454)
  • e88507c feat(custom-forward): Extended advisory data (#3444)
  • e2dfee2 docs: fix spelling error (#3436)
  • c575d6f refactor(image): extend image config analyzer (#3434)
  • 036d5a8 fix(nodejs): add ignore protocols to yarn parser (#3433)
  • e6d7f15 fix(db): check proxy settings when using insecure flag (#3435)
  • a1d4427 feat(misconf): Fetch policies from OCI registry (#3015)
  • 682351a ci: downgrade Go to 1.18 and use stable and oldstable go versions for unit tests (#3413)
  • ff0c451 ci: store URLs to Github Releases in RPM repository (#3414)
  • ee12442 feat(server): add support of skip-db-update flag for hot db update (#3416)
  • 2033e05 chore(deps): bump github.com/moby/buildkit from v0.10.6 to v0.11.0 (#3411)
  • 6bc564e fix(image): handle wrong empty layer detection (#3375)
  • b3b8d4d test: fix integration tests for spdx and cycloneDX (#3412)
  • b88bcca feat(python): Include Conda packages in SBOMs (#3379)
  • fbd8a13 feat: add support pubspec.lock files for dart (#3344)
  • 0f545cf fix(image): parsePlatform is failing with UNAUTHORIZED error (#3326)
  • 76c883d fix(license): change normalize for GPL-3+-WITH-BISON-EXCEPTION (#3405)
  • a8b671b feat(server): log errors on server side (#3397)
  • a5919ca chore(deps): bump defsec to address helm vulnerabilities (#3399)
  • 89016da docs: rewrite installation docs and general improvements (#3368)
  • c3759c6 chore: update code owners (#3393)
  • 044fb97 chore: test docs separately from code (#3392)
  • ad2e648 docs: use the formula maintained by Homebrew (#3389)
  • ad25a77 docs: add Security Management section with SonarQube plugin

v0.36.1

05 Jan 11:23
9039df4

Changelog

  • 9039df4 fix(deps): fix errors on yarn.lock files that contain local file reference (#3384)
  • 60cf4fe feat(flag): early fail when the format is invalid (#3370)
  • 9470e3c chore(deps): bump github.com/aws/aws-sdk-go from 1.44.136 to 1.44.171 (#3366)
  • d274d15 docs(aws): fix broken links (#3374)
  • 2a870f8 chore(deps): bump actions/stale from 6 to 7 (#3360)
  • 5974023 chore(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#3359)
  • 02aa8c2 chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.6.0 to 0.7.0 (#2974)
  • 6e6171f chore(deps): bump azure/setup-helm from 3.4 to 3.5 (#3358)
  • 066f277 chore(deps): bump github.com/moby/buildkit from 0.10.4 to 0.10.6 (#3173)
  • 8cc3284 chore(deps): bump goreleaser/goreleaser-action from 3 to 4 (#3357)
  • 8d71346 chore(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.14 (#3367)
  • 5b944d2 chore(go): updates wazero to v1.0.0-pre.7 (#3355)
  • 9c645b9 chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#3362)
  • e2cd782 chore(deps): bump actions/cache from 3.0.11 to 3.2.2 (#3356)

v0.36.0

30 Dec 13:00
4813cf5

Changelog

  • 4813cf5 docs: improve compliance docs (#3340)
  • 025e509 feat(deps): add yarn lock dependency tree (#3348)
  • 4d59a1e fix: compliance change id and title naming (#3349)
  • eaa5bcf feat: add support for mix.lock files for elixir language (#3328)
  • a888440 feat: add k8s cis bench (#3315)
  • 62b369e test: disable SearchLocalStoreByNameOrDigest test for non-amd64 arch (#3322)
  • c110c4e revert: cache merged layers (#3334)
  • bc759ef feat(cyclonedx): add recommendation (#3336)
  • fe3831e feat(ubuntu): added support ubuntu ESM versions (#1893)
  • b0cebec fix: change logic to build relative paths for skip-dirs and skip-files (#3331)
  • a66d3fe chore(deps): bump github.com/hashicorp/golang-lru from 0.5.4 to 2.0.1 (#3265)
  • 5190f95 feat: Adding support for Windows testing (#3037)
  • b00f3c6 feat: add support for Alpine 3.17 (#3319)
  • a70f885 docs: change PodFile.lock to Podfile.lock (#3318)
  • 1ec1fe6 fix(sbom): support for the detection of old CycloneDX predicate type (#3316)
  • 68eda79 feat(secret): Use .trivyignore for filtering secret scanning result (#3312)
  • b95d435 chore(go): remove experimental FS API usage in Wasm (#3299)
  • ac6b7c3 ci: add workflow to add issues to roadmap project (#3292)
  • cfabdf9 fix(vuln): include duplicate vulnerabilities with different package paths in the final report (#3275)
  • 56e3d8d chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#3250)
  • bbccb44 feat(sbom): better support for third-party SBOMs (#3262)
  • e879b06 docs: add information about languages with support for dependency locations (#3306)
  • e92266f feat(vm): add region option to vm scan to be able to scan any region's ami and ebs snapshots (#3284)
  • 01c7fb1 chore(deps): bump github.com/Azure/azure-sdk-for-go from 66.0.0+incompatible to 67.1.0+incompatible (#3251)
  • 23d0613 fix(vuln): change severity vendor priority for ghsa-ids and vulns from govuln (#3255)
  • 407c240 docs: remove comparisons (#3289)
  • 93c5d2d feat: add support for Wolfi Linux (#3215)
  • 2809794 ci: add go.mod to canary workflow (#3288)
  • 08b55c3 feat(python): skip dev dependencies (#3282)
  • 52300e6 chore: update ubuntu version for Github action runnners (#3257)
  • a7ac6ac fix(go): skip dep without Path for go-binaries (#3254)
  • 4436a20 feat(rust): add ID for cargo pgks (#3256)
  • 34d505a chore(deps): bump github.com/samber/lo from 1.33.0 to 1.36.0 (#3263)
  • ea95602 chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#3253)
  • aea298b feat: add support for swift cocoapods lock files (#2956)
  • c67fe17 fix(sbom): use proper constants (#3286)
  • f907255 chore(deps): bump golang.org/x/term from 0.1.0 to 0.3.0 (#3278)
  • 8f95743 test(vm): import relevant analyzers (#3285)
  • 8744534 feat: support scan remote repository (#3131)
  • c278d86 docs: fix typo in fluxcd (#3268)
  • fa2281f docs: fix broken "ecosystem" link in readme (#3280)
  • a3eece4 feat(misconf): Add compliance check support (#3130)
  • 7a6cf5a docs: Adding Concourse resource for trivy (#3224)
  • dd26bd2 chore(deps): change golang from 1.19.2 to 1.19 (#3249)
  • cbba6d1 fix(sbom): duplicate dependson (#3261)
  • fa2e3ac chore(deps): bump alpine from 3.16.2 to 3.17.0 (#3247)
  • 5c43475 chore(go): updates wazero to 1.0.0-pre.4 (#3242)
  • d29b0ed feat(report): add dependency locations to sarif format (#3210)
  • 967e32f fix(rpm): add rocky to osVendors (#3241)
  • 9477416 docs: fix a typo (#3236)
  • 97ce61e feat(dotnet): add dependency parsing for nuget lock files (#3222)
  • 17e13c4 docs: add pre-commit hook to community tools (#3203)
  • b1a2c4e feat(helm): pass arbitrary env vars to trivy (#3208)