future-architect / vuls

Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
https://vuls.io/
GNU General Public License v3.0

chore(deps): bump github.com/aquasecurity/trivy from 0.52.2 to 0.53.0 #1984

Closed dependabot[bot] closed 4 days ago

dependabot[bot] commented 1 week ago

2024-07-05 Postscript (shino)


Bumps github.com/aquasecurity/trivy from 0.52.2 to 0.53.0.

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.53.0

Changelog

  • c55b0e6ca release: v0.53.0 [main] (#6855)
  • 654217a65 feat(conda): add licenses support for environment.yml files (#6953)
  • 3d4ae8b5b fix(sbom): fix panic when scanning SBOM file without root component into SBOM format (#7051)
  • 55ccd06df feat: add memory cache backend (#7048)
  • 14d71ba63 fix(sbom): use package UIDs for uniqueness (#7042)
  • edc556b85 feat(php): add installed.json file support (#4865)
  • 4f8b3996e docs: ✨ Updated ecosystem docs with reference to new community app (#7041)
  • 137c91642 fix: use embedded when command path not found (#7037)
  • 9e4927ee1 chore(deps): bump trivy-kubernetes version (#7012)
  • 4be02bab8 refactor: use google/wire for cache (#7024)
  • e9fc3e339 fix(cli): show info message only when --scanners is available (#7032)
  • 0ccdbfbb6 chore: enable float-compare rule from testifylint (#6967)
  • 9045f2445 docs: Add sudo on commands, chmod before mv on install docs (#7009)
  • 3d02a31b4 fix(plugin): respect --insecure (#7022)
  • 8d618e48a feat(k8s)!: node-collector dynamic commands support (#6861)
  • a76e3286c fix(sbom): take pkg name from purl for maven pkgs (#7008)
  • eb636c1b3 chore(deps): bump github.com/hashicorp/go-getter from 1.7.4 to 1.7.5 (#7018)
  • 8d0ae1f5d feat!: add clean subcommand (#6993)
  • de201dc77 chore: use ! for breaking changes (#6994)
  • 979e118a9 feat(aws)!: Remove aws subcommand (#6995)
  • 648ead955 refactor: replace global cache directory with parameter passing (#6986)
  • 7eabb92ec fix(sbom): use purl for bitnami pkg names (#6982)
  • 333087c9e chore: bump Go toolchain version (#6984)
  • 6dff4223e refactor: unify cache implementations (#6977)
  • 9dc8a2ba6 docs: non-packaged and sbom clarifications (#6975)
  • b58d42dc9 BREAKING(aws): Deprecate trivy aws as subcmd in favour of a plugin (#6819)
  • 6469d37cc docs: delete unknown URL (#6972)
  • 30bcb9535 refactor: use version-specific URLs for documentation references (#6966)
  • e493fc931 refactor: delete db mock (#6940)
  • 983ac15f2 ci: add depguard (#6963)
  • dfe757e37 refactor: add warning if severity not from vendor (or NVD or GH) is used (#6726)
  • f144e912d feat: Add local ImageID to SARIF metadata (#6522)
  • 5ee4e9d30 fix(suse): Add SLES 15.6 and Leap 15.6 (#6964)
  • f18d035ae feat(java): add support for sbt projects using sbt-dependency-lock (#6882)
  • 1f8fca1fc feat(java): add support for maven-metadata.xml files for remote snapshot repositories. (#6950)
  • 2d85a003b fix(purl): add missed os types (#6955)
  • 417212e09 fix(cyclonedx): trim non-URL info for advisory.url (#6952)
  • 38b35dd3c fix(c): don't skip conan files from file-patterns and scan .conan2 cache dir (#6949)
  • eb6d0d977 ci: correctly handle categories (#6943)
  • 0af5730cb fix(image): parse image.inspect.Created field only for non-empty values (#6948)
  • c3192f061 fix(misconf): handle source prefix to ignore (#6945)
  • ec68c9ab4 fix(misconf): fix parsing of engine links and frameworks (#6937)
  • bc3741ae2 feat(misconf): support of selectors for all providers for Rego (#6905)
  • 735aadf2d ci: don't run tests for release-please PRs (#6936)
  • 52f7aa54b fix(license): return license separation using separators ,, or, etc. (#6916)
  • d77d9ce38 ci: use ubuntu-latest-m runner (#6918)
  • 55fa6109c feat(misconf): add support for AWS::EC2::SecurityGroupIngress/Egress (#6755)
  • cd360dde2 BREAKING(misconf): flatten recursive types (#6862)

... (truncated)

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.53.0 (2024-07-01)

⚠ BREAKING CHANGES

  • k8s: node-collector dynamic commands support (#6861)
  • add clean subcommand (#6993)
  • aws: Remove aws subcommand (#6995)

Features

  • add clean subcommand (#6993) (8d0ae1f)
  • Add local ImageID to SARIF metadata (#6522) (f144e91)
  • add memory cache backend (#7048) (55ccd06)
  • aws: Remove aws subcommand (#6995) (979e118)
  • conda: add licenses support for environment.yml files (#6953) (654217a)
  • dart: use first version of constraint for dependencies using SDK version (#6239) (042d6b0)
  • image: Set User-Agent header for Trivy container registry requests (#6868) (9b31697)
  • java: add support for maven-metadata.xml files for remote snapshot repositories. (#6950) (1f8fca1)
  • java: add support for sbt projects using sbt-dependency-lock (#6882) (f18d035)
  • k8s: node-collector dynamic commands support (#6861) (8d618e4)
  • misconf: add metadata to Cloud schema (#6831) (02d5404)
  • misconf: add support for AWS::EC2::SecurityGroupIngress/Egress (#6755) (55fa610)
  • misconf: API Gateway V1 support for CloudFormation (#6874) (8491469)
  • misconf: support of selectors for all providers for Rego (#6905) (bc3741a)
  • php: add installed.json file support (#4865) (edc556b)
  • plugin: add support for nested archives (#6845) (622c67b)
  • sbom: migrate to CycloneDX v1.6 (#6903) (09e50ce)

Bug Fixes

  • c: don't skip conan files from file-patterns and scan .conan2 cache dir (#6949) (38b35dd)
  • cli: show info message only when --scanners is available (#7032) (e9fc3e3)
  • cyclonedx: trim non-URL info for advisory.url (#6952) (417212e)
  • debian: take installed files from the origin layer (#6849) (089b953)
  • image: parse image.inspect.Created field only for non-empty values (#6948) (0af5730)
  • license: return license separation using separators ,, or, etc. (#6916) (52f7aa5)
  • misconf: fix caching of modules in subdirectories (#6814) (0bcfedb)
  • misconf: fix parsing of engine links and frameworks (#6937) (ec68c9a)
  • misconf: handle source prefix to ignore (#6945) (c3192f0)
  • misconf: parsing numbers without fraction as int (#6834) (8141a13)
  • nodejs: fix infinite loop when package link from package-lock.json file is broken (#6858) (cf5aa33)
  • nodejs: fix infinity loops for pnpm with cyclic imports (#6857) (7d083bc)
  • plugin: respect --insecure (#7022) (3d02a31)
  • purl: add missed os types (#6955) (2d85a00)
  • python: compare pkg names from poetry.lock and pyproject.toml in lowercase (#6852) (faa9d92)
  • sbom: don't overwrite srcEpoch when decoding SBOM files (#6866) (04af59c)
  • sbom: fix panic when scanning SBOM file without root component into SBOM format (#7051) (3d4ae8b)
  • sbom: take pkg name from purl for maven pkgs (#7008) (a76e328)

... (truncated)

Commits
  • c55b0e6 release: v0.53.0 [main] (#6855)
  • 654217a feat(conda): add licenses support for environment.yml files (#6953)
  • 3d4ae8b fix(sbom): fix panic when scanning SBOM file without root component into SBOM...
  • 55ccd06 feat: add memory cache backend (#7048)
  • 14d71ba fix(sbom): use package UIDs for uniqueness (#7042)
  • edc556b feat(php): add installed.json file support (#4865)
  • 4f8b399 docs: ✨ Updated ecosystem docs with reference to new community app (#7041)
  • 137c916 fix: use embedded when command path not found (#7037)
  • 9e4927e chore(deps): bump trivy-kubernetes version (#7012)
  • 4be02ba refactor: use google/wire for cache (#7024)
  • Additional commits viewable in compare view


Most Recent Ignore Conditions Applied to This Pull Request

| Dependency Name | Ignore Conditions |
| --- | --- |
| github.com/aquasecurity/trivy | [>= 0.50.2.a, < 0.50.3] |
| github.com/aquasecurity/trivy | [< 0.51, > 0.50.1] |

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
shino commented 5 days ago

Test for Composer's installed.json

% ./vuls scan -config integration/int-config.toml composer-vendor
[Jul  4 19:03:01]  INFO [localhost] vuls-v0.26.0-build-20240704_183504_85f96e5
[Jul  4 19:03:01]  INFO [localhost] Start scanning
[Jul  4 19:03:01]  INFO [localhost] config: integration/int-config.toml
[Jul  4 19:03:01]  INFO [localhost] Validating config...
[Jul  4 19:03:01]  INFO [localhost] Detecting Server/Container OS...
[Jul  4 19:03:01]  INFO [localhost] Detecting OS of servers...
[Jul  4 19:03:01]  INFO [localhost] (1/1) Detected: composer-vendor: pseudo
[Jul  4 19:03:01]  INFO [localhost] Detecting OS of containers...
[Jul  4 19:03:01]  INFO [localhost] Checking Scan Modes...
[Jul  4 19:03:01]  INFO [localhost] Detecting Platforms...
[Jul  4 19:03:01]  INFO [localhost] (1/1) composer-vendor is running on other
[Jul  4 19:03:01]  INFO [composer-vendor] Scanning listen port...
[Jul  4 19:03:01]  INFO [composer-vendor] Using Port Scanner: Vuls built-in Scanner
[Jul  4 19:03:01]  INFO [composer-vendor] Scanning Language-specific Packages...

Scan Summary
================
composer-vendor pseudo  0 installed, 0 updatable        3 libs

To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
% ./vuls report -config integration/int-config.toml
[Jul  4 19:03:21]  INFO [localhost] vuls-v0.26.0-build-20240704_183504_85f96e5
[Jul  4 19:03:21]  INFO [localhost] Validating config...
[Jul  4 19:03:21]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Jul  4 19:03:21]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker/oval.sqlite3
[Jul  4 19:03:21]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker/gost.sqlite3
[Jul  4 19:03:21]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Jul  4 19:03:21]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Jul  4 19:03:21]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Jul  4 19:03:21]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Jul  4 19:03:21]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2024-07-04T19-03-01+0900
[Jul  4 19:03:21]  INFO [localhost] Updating library db...
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: 2 CVEs are detected with Library
[Jul  4 19:03:21]  INFO [localhost] pseudo type. Skip OVAL and gost detection
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: 0 CVEs are detected with CPE
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: 0 PoC are detected
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: 0 exploits are detected
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: Known Exploited Vulnerabilities are detected for 0 CVEs
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: Cyber Threat Intelligences are detected for 0 CVEs
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: total 2 CVEs detected
[Jul  4 19:03:21]  INFO [localhost] composer-vendor: 0 CVEs filtered by --confidence-over=80
composer-vendor (pseudo)
========================
Total: 2 (Critical:0 High:2 Medium:0 Low:0 ?:0)
2/2 Fixed, 0 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 3 libs

+----------------+------+--------+-----+-----------+---------+-----------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |    PACKAGES     |
+----------------+------+--------+-----+-----------+---------+-----------------+
| CVE-2022-24775 |  8.9 |  AV:N  |     |           |   fixed | guzzlehttp/psr7 |
+----------------+------+--------+-----+-----------+---------+-----------------+
| CVE-2023-29197 |  8.9 |  AV:N  |     |           |   fixed | guzzlehttp/psr7 |
+----------------+------+--------+-----+-----------+---------+-----------------+
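The scan above exercises the `installed.json` support that Trivy 0.53.0 adds for PHP (`feat(php): add installed.json file support`, #4865): Vuls hands the Composer vendor directory to Trivy, Trivy lists the installed libraries, and the report matches them against advisories. The following Go program is an added illustration of that pipeline and is not code from Vuls or Trivy. It parses both layouts Composer has written for `vendor/composer/installed.json` (a bare array in Composer 1, an object with a `packages` key in Composer 2), normalises versions, and matches them against a hypothetical minimal `Advisory` record. The sample file is constructed; the two CVE IDs are the ones the report above lists for `guzzlehttp/psr7`, but the affected ranges attached to them are this example's assumption and would come from the vulnerability database in a real scanner.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Package is one entry of Composer's vendor/composer/installed.json
// (encoding/json matches the lowercase "name"/"version" keys case-insensitively).
type Package struct{ Name, Version string }

// Advisory is a hypothetical minimal record (affected when Introduced <= version < FixedIn);
// Finding pairs one advisory with the installed package that matched it.
type Advisory struct{ ID, Package, Introduced, FixedIn string }
type Finding struct{ ID, Package, Version string }

// ParseInstalledJSON accepts both layouts Composer has written: Composer 1 emits a
// bare JSON array of packages, Composer 2 wraps it in an object under "packages".
func ParseInstalledJSON(data []byte) ([]Package, error) {
	if bytes.HasPrefix(bytes.TrimSpace(data), []byte("[")) { // Composer 1 layout
		var pkgs []Package
		err := json.Unmarshal(data, &pkgs)
		return pkgs, err
	}
	var wrapped struct{ Packages []Package } // Composer 2 layout: {"packages": [...], "dev": ...}
	err := json.Unmarshal(data, &wrapped)
	return wrapped.Packages, err
}

// parseVersion turns "v1.8.3" or "2.4.4.0" into integer components. Branch aliases
// ("dev-master", "4.x-dev") and stability suffixes ("1.9.0-RC1") are rejected so the
// caller can report them instead of silently treating them as clean.
func parseVersion(v string) ([]int, bool) {
	var nums []int
	for _, p := range strings.Split(strings.TrimPrefix(strings.TrimSpace(v), "v"), ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, false
		}
		nums = append(nums, n)
	}
	return nums, true
}

// compareVersions: negative if a < b, zero if equal, positive if a > b; missing components are 0.
func compareVersions(a, b []int) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x != y {
			return x - y
		}
	}
	return 0
}

// Match reports every package/advisory pair in the affected range, plus unparsable versions.
func Match(pkgs []Package, advisories []Advisory) (findings []Finding, unknown []Package) {
	for _, p := range pkgs {
		ver, ok := parseVersion(p.Version)
		if !ok {
			unknown = append(unknown, p)
			continue
		}
		for _, a := range advisories {
			lo, _ := parseVersion(a.Introduced)
			hi, _ := parseVersion(a.FixedIn)
			if a.Package == p.Name && compareVersions(ver, lo) >= 0 && compareVersions(ver, hi) < 0 {
				findings = append(findings, Finding{a.ID, p.Name, p.Version})
			}
		}
	}
	return findings, unknown
}

// sampleInstalledJSON is a constructed Composer 2 file, not the one from the scan above.
const sampleInstalledJSON = `{"packages": [
  {"name": "guzzlehttp/guzzle", "version": "7.4.1"},
  {"name": "guzzlehttp/psr7", "version": "v1.8.3"},
  {"name": "psr/http-message", "version": "1.0.1"}
], "dev": true, "dev-package-names": []}`

// sampleAdvisories reuses the two CVE IDs the scan above reported for guzzlehttp/psr7;
// the version ranges are this example's assumption, not data from a vulnerability DB.
var sampleAdvisories = []Advisory{
	{"CVE-2022-24775", "guzzlehttp/psr7", "1.0.0", "1.8.4"},
	{"CVE-2023-29197", "guzzlehttp/psr7", "1.0.0", "1.9.1"},
}

func main() {
	pkgs, err := ParseInstalledJSON([]byte(sampleInstalledJSON))
	findings, unknown := Match(pkgs, sampleAdvisories)
	fmt.Println(err, len(pkgs), "libs; findings:", findings, "unparsable:", unknown)
}
```

Run as-is it reports 3 libs and two findings for `guzzlehttp/psr7`, mirroring the shape of the report above. The `unknown` list is the part a scanner integration most often gets wrong: a `dev-master` or `1.9.0-RC1` version that cannot be ordered should surface as "could not evaluate", not vanish from the report as if it were clean.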
shino commented 5 days ago

Binary size is still getting larger...

% ll vuls
-rwxr-xr-x 1 shino shino 146M Jul  4 18:36 vuls*