Releases: aquasecurity/trivy

v0.48.2

05 Jan 06:47
4cdff0e

Changelog

  • 4cdff0e chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from v1.116.0 to v1.134.0 (#5822)
  • be969d4 chore(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11 (#5809)
  • 81748f5 chore(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 (#5805)

v0.48.1

18 Dec 13:38
ba825b2

Changelog

  • ba825b2 chore(deps): bump trivy-iac to v0.7.1 (#5797)
  • abf227e fix(bitnami): use a different comparer for detecting vulnerabilities (#5633)
  • df49ea4 refactor(sbom): disable html escaping for CycloneDX (#5764)
  • f25e2df refactor(purl): use pub from package-url (#5784)
  • b5e3b77 docs(python): add note to using pip freeze for compatible releases (#5760)
  • 6cc00c2 fix(report): use OS information for OS packages purl in github template (#5783)
  • c317fe8 fix(report): fix error if misconfigs are empty (#5782)
  • 9b4bced refactor(vuln): don't remove VendorSeverity in JSON report (#5761)
  • be5a550 fix(report): don't mark misconfig passed tests as failed in junit.tpl (#5767)
  • 01edbda docs(k8s): replace --scanners config with --scanners misconfig in docs (#5746)
  • eb97419 fix(report): update Gitlab template (#5721)
  • be1c554 feat(secret): add support of GitHub fine-grained tokens (#5740)
  • a5342da fix(misconf): add an image misconf to result (#5731)
  • 108a5b0 feat(secret): added support of Docker registry credentials (#5720)
  • 6080e24 chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.45 to 1.25.11 (#5717)
  • e27ec32 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.21.0 to 1.24.1 (#5701)

v0.48.0

05 Dec 09:21
f2aa9bf

⚡Release highlights and summary⚡

👉 #5724

Changelog

  • f2aa9bf chore(deps): bump sigstore/cosign-installer from 4a861528be5e691840a69536975ada1d4c30349d to 1fc5bd396d372bee37d608f955b336615edf79c8 (#5696)
  • 6d7e2f8 chore(deps): bump helm/chart-testing-action from 2.4.0 to 2.6.1 (#5694)
  • 0ff5f96 feat: filter k8s core components vuln results (#5713)
  • a54d1e9 feat(vuln): remove duplicates in Fixed Version (#5596)
  • 99c04c4 feat(report): output plugin (#4863)
  • 70078b9 chore(deps): bump alpine from 3.18.4 to 3.18.5 (#5700)
  • 49e83a6 chore(deps): bump github.com/google/go-containerregistry from 0.16.1 to 0.17.0 (#5704)
  • af32cb3 chore(deps): bump github.com/go-git/go-git/v5 from 5.8.1 to 5.10.1 (#5699)
  • 1766271 chore(deps): bump actions/github-script from 6 to 7 (#5697)
  • 7ee8547 chore(deps): bump easimon/maximize-build-space from 8 to 9 (#5695)
  • 654147f docs: typo in modules.md (#5712)
  • 2569575 feat: Add flag to configure node-collector image ref (#5710)
  • c061009 chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.7.1 to 1.9.0 (#5702)
  • aedbd85 chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.4 to 2.31.0 (#5698)
  • e018b9c chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.3.1 to 1.4.0 (#5706)
  • b5874e3 feat(misconf): Add --misconfig-scanners option (#5670)
  • 075d8f6 chore: bump Go to 1.21 (#5662)
  • 16b757d feat: Packagesprops support (#5605)
  • 372efc9 chore(deps): Bump up trivy misconf deps (#5656)
  • edad5f6 docs: update adopters discussion template (#5632)
  • ed9d340 docs: terraform tutorial links updated to point to correct loc (#5661)
  • 8ff574e fix(secret): add sec and space to secret prefix for aws-secret-access-key (#5647)
  • ad977a4 fix(nodejs): support protocols for dependency section in yarn.lock files (#5612)
  • b1dc60b fix(secret): exclude upper case before secret for alibaba-access-key-id (#5618)
  • 65351d4 docs: Update Arch Linux package URL in installation.md (#5619)
  • c866f1c chore: add prefix to image errors (#5601)
  • ed0022b docs(vuln): fix link anchor (#5606)
  • 3c81727 docs: Add Dagger integration section and cleanup Ecosystem CICD docs page (#5608)
  • 2145464 fix: k8s friendly error messages kbom non cluster scans (#5594)
  • 44d0b28 feat: set InstalledFiles for DEB and RPM packages (#5488)
  • ae4bcf6 fix(report): use time.Time for CreatedAt (#5598)
  • b6fafa0 test: retry containerd initialization (#5597)
  • 1336223 feat(misconf): Expose misconf engine debug logs with --debug option (#5550)
  • 7105186 test: mock VM walker (#5589)
  • d9d7f3f chore: bump node-collector v0.0.9 (#5591)
  • e3c28f8 feat(misconf): Add support for --cf-params for CFT (#5507)
  • ac0e327 feat(flag): replace '--slow' with '--parallel' (#5572)
  • 5372067 fix(report): add escaping for Sarif format (#5568)
  • a389529 chore: show a deprecation notice for --scanners config (#5587)
  • f4dd062 feat(report): Add CreatedAt to the JSON report. (#5542) (#5549)
  • d005f5a test: mock RPM DB (#5567)
  • a96ec35 feat: add aliases to '--scanners' (#5558)
  • 950e431 refactor: reintroduce output writer (#5564)
  • 2310f0d chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#5543)
  • 04b93e9 chore: not load plugins for auto-generating docs (#5569)
  • cccaa15 chore: sort supported AWS services (#5570)
  • 3891e3d fix: no schedule toleration (#5562)
  • 138feb0 fix(cli): set correct scanners for k8s target (#5561)
  • cb241a8 fix(sbom): add FilesAnalyzed and PackageVerificationCode fields for SPDX (#5533)
  • e7f6a5c refactor(misconf): Update refactored dependencies (#5245)
  • 2f5afa5 feat(secret): add built-in rule for JWT tokens (#5480)
  • 91fc8da fix: trivy k8s parse ecr image with arn (#5537)
  • 05df244 fix: fail k8s resource scanning (#5529)
  • a1b4744 refactor(misconf): don't remove Highlighted in json format (#5531)
  • 7712f8f docs(k8s): fix link in kubernetes.md (#5524)
  • 043fbfc docs(k8s): fix whitespace in list syntax (#5525)

v0.47.0

06 Nov 06:41
d6df5fb

⚡Release highlights and summary⚡

👉 #5520

Changelog

  • d6df5fb docs: add info that license scanning supports file-patterns flag (#5484)
  • 156d4cc docs: add Zora integration into Ecosystem session (#5490)
  • 772d1d0 fix(sbom): Use UUID as BomRef for packages with empty purl (#5448)
  • df47073 ci: use maximize build space for K8s tests (#5387)
  • fed4710 fix: correct error mismatch causing race in fast walks (#5516)
  • 46f1b9e docs: k8s vulnerability scanning (#5515)
  • fdb3a15 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts from 1.23.2 to 1.25.0 (#5506)
  • d0d956f chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.2.2 to 2.3.0 (#5493)
  • 68b0797 docs: remove glad for java datasources (#5508)
  • 474167c chore(deps): bump github.com/testcontainers/testcontainers-go/modules/localstack from 0.21.0 to 0.26.0 (#5475)
  • 7299867 chore: remove unused logger attribute in amazon detector (#5476)
  • 8656bd9 fix: correct error mismatch causing race in fast walks (#5482)
  • 2e10cd2 chore(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5502)
  • 13df746 chore(deps): bump docker/build-push-action from 4 to 5 (#5500)
  • b0141cf chore(deps): bump github.com/package-url/packageurl-go from 0.1.2-0.20230812223828-f8bb31c1f10b to 0.1.2 (#5491)
  • 520830b fix(server): add licenses to BlobInfo message (#5382)
  • 9a6e125 chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#5501)
  • 6e59272 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.17.18 to 1.21.0 (#5497)
  • f3de7bc feat: scan vulns on k8s core component apps (#5418)
  • e2fb3dd fix(java): fix infinite loop when relativePath field points to pom.xml being scanned (#5470)
  • 3e833be chore(deps): bump github.com/docker/docker from 24.0.5+incompatible to 24.0.7+incompatible (#5472)
  • ca50b77 fix(sbom): save digests for package/application when scanning SBOM files (#5432)
  • 048150d docs: fix the broken link (#5454)
  • 013d901 docs: fix error when installing PyYAML for gh pages (#5462)
  • 26b4959 fix(java): download java-db once (#5442)
  • 57fa701 chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.57.1 (#5447)
  • 53c9a7d docs(misconf): Update --tf-exclude-downloaded-modules description (#5419)
  • 01c98d1 feat(misconf): Support --ignore-policy in config scans (#5359)
  • 05b3c86 docs(misconf): fix broken table for Use container image section (#5425)
  • 1a15a3a feat(dart): add graph support (#5374)
  • f2a12f5 refactor: define a new struct for scan targets (#5397)
  • 6040d9f fix(sbom): add missed primaryURL and source severity for CycloneDX (#5399)
  • e5317c7 fix: correct invalid MD5 hashes for rpms ending with one or more zero bytes (#5393)
  • 9fba79f chore(deps): move to aws-sdk-go-v2 (#5381)
  • 00f2059 docs: remove --scanners none (#5384)
  • 57a1022 docs: Update container_image.md #5182 (#5193)
  • 5b2b4ea feat(report): Add InstalledFiles field to Package (#4706)

v0.46.1

28 Oct 04:38
27a3e55

Changelog

  • 27a3e55 fix(java): download java-db once (#5442)
  • d223732 chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.57.1 (#5447)

v0.46.0

14 Oct 15:14
cbbd1ce
Compare
Choose a tag to compare

⚡Release highlights and summary⚡

👉 #5377

Changelog

  • cbbd1ce feat(k8s): add support for vulnerability detection (#5268)
  • 24a0d92 fix(python): override BOM in requirements.txt files (#5375)
  • 0c3e2f0 docs: add kbom documentation (#5363)
  • 6c12f04 test: use maximize build space for VM tests (#5362)
  • c413422 chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 (#5365)
  • 20ab703 fix(report): add escaping quotes in misconfig Title for asff template (#5351)
  • 91841f5 ci: add workflow to check Go versions of dependencies (#5340)
  • 57ba05c chore(deps): Upgrade defsec to v0.93.1 (#5348)
  • fef3ed4 chore(deps): bump alpine from 3.18.3 to 3.18.4 (#5300)
  • ced54ac fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342)
  • 2798df9 fix: add config files to FS for post-analyzers (#5333)
  • af485b3 fix: fix MIME warnings after updating to Go 1.20 (#5336)
  • 008babf build: fix a compile error with Go 1.21 (#5339)
  • 00d9c46 feat: added Metadata into the k8s resource's scan report (#5322)
  • 03b6787 ci: check only PR's in actions/stale (#5337)
  • e6d5889 chore: update adopters template (#5330)
  • 74dbd8a ci: do not trigger tests on the push event (#5313)
  • 393bfdc fix(sbom): use PURL or Group and Name in case of Java (#5154)
  • 76eb8a5 docs: add buildkite repository to ecosystem page (#5316)
  • 6c74ee1 chore(deps): bump docker/setup-qemu-action from 2 to 3 (#5290)
  • 6119878 chore(deps): bump docker/setup-buildx-action from 2 to 3 (#5292)
  • a346587 chore(deps): bump actions/cache from 3.3.1 to 3.3.2 (#5293)
  • 7e613cc chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 (#5286)
  • f05bc4b chore(deps): bump github.com/hashicorp/go-getter from 1.7.1 to 1.7.2 (#5289)
  • 3be5e6b chore: enable go-critic (#5302)
  • f6cd21c chore(deps): bump actions/checkout from 3.6.0 to 4.1.0 (#5288)
  • f7b9751 chore(deps): bump github.com/aws/aws-sdk-go from 1.45.3 to 1.45.19 (#5287)
  • 18d1687 close java-db client (#5273)
  • eb60e9f chore(deps): bump docker/login-action from 2 to 3 (#5291)
  • 5a92055 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#5294)
  • 46afe65 chore(deps): bump github.com/sigstore/rekor from 1.2.1 to 1.3.0 (#5304)
  • 0bf2a11 chore(deps): bump github.com/opencontainers/image-spec (#5295)
  • 23b5fec fix(report): removes git::http from uri in sarif (#5244)
  • 4f1d576 Improve the meaning of sentence (#5301)
  • 6ab2bdf chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.2.0 to 2.2.2 (#5297)
  • 4217cff chore(deps): bump golang.org/x/term from 0.11.0 to 0.12.0 (#5296)
  • 1840584 add app nil check (#5274)
  • c5ae9f2 typo: in secret.md (#5281)
  • 562723f docs: add info about github format (#5265)
  • 3dd5b1e feat(dotnet): add license support for NuGet (#5217)
  • 5c18475 docs: correctly export variables (#5260)
  • 0c08dde chore: Add line numbers for lint output (#5247)
  • 0ccbb4f chore(cli): disable java-db flags in server mode (#5263)
  • 908a491 feat(db): allow passing registry options (#5226)
  • 5b4652d chore(deps): Bump up defsec to v0.93.0 (#5253)
  • faf8d49 refactor(purl): use TypeApk from purl (#5232)
  • 559c0f3 chore: enable more linters (#5228)
  • 2baad46 ci: bump GoReleaser from 1.16.2 to 1.20.0 (#5236)
  • df2bff9 Fix typo on ide.md (#5239)
  • 44656f2 refactor: use defined types (#5225)
  • 37af529 fix(purl): skip local Go packages (#5190)
  • eea3320 docs: update info about license scanning in Yarn projects (#5207)
  • 2e66620 ci: auto apply labels (#5200)
  • 49680dc fix link (#5203)

v0.45.1

16 Sep 07:29
daae882

Changelog

  • daae882 fix(purl): handle rust types (#5186)
  • 81240cf chore: auto-close issues (#5177)
  • bd0accd chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 (#5093)
  • ecee794 fix(k8s): kbom support addons labels (#5178)
  • 9ebc25d test: validate SPDX with the JSON schema (#5124)
  • 9a49a37 chore: bump trivy-kubernetes-latest (#5161)
  • ad1dc63 docs: add 'Signature Verification' guide (#4731)
  • 7c68d4a docs: add image-scanner-with-trivy for ecosystem (#5159)
  • ed49609 fix(fs): assign the absolute path to be inspected to ROOTPATH when filesystem (#5158)
  • 1953972 chore(deps): bump github.com/CycloneDX/cyclonedx-go (#5102)
  • c751601 Update filtering.md (#5131)
  • ccc6d7c chore(deps): bump sigstore/cosign-installer (#5104)
  • 48cbf45 chore(deps): bump github.com/cyphar/filepath-securejoin (#5143)
  • a9c2c74 chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#5103)
  • 120ac68 chore(deps): bump easimon/maximize-build-space from 7 to 8 (#5105)
  • 41eaa78 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.273 to 1.45.3 (#5126)
  • 932f927 changing adopters discussion template (#5091)
  • db31333 chore(deps): bump github.com/cheggaaa/pb/v3 from 3.1.2 to 3.1.4 (#5092)
  • 8c0b7d6 chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.2 to 2.0.6 (#5094)
  • c61c664 chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#5095)
  • a99944c chore(deps): bump github.com/containerd/containerd from 1.7.3 to 1.7.5 (#5097)
  • 9fc844e chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#5098)
  • c504f8b chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 (#5106)

v0.45.0

01 Sep 06:38
cdab67e

⚡Release highlights and summary⚡

👉 #5082

Changelog

v0.44.1

10 Aug 05:41
f105279

Changelog

  • f105279 fix(report): return severity colors in table format (#4969)
  • bc2b0ca build: maximize available disk space for release (#4937)
  • 9493c6f test(cli): Fix assertion helptext (#4966)
  • b0359de chore(deps): Bump defsec to v0.91.1 (#4965)
  • d3a34e4 test: validate CycloneDX with the JSON schema (#4956)
  • 798ef1b fix(server): add licenses to the Result message (#4955)
  • e8cf281 fix(aws): resolve endpoint if endpoint is passed (#4925)
  • f18b0db fix(sbom): move licenses to name field in Cyclonedx format (#4941)
  • a796701 add only uniq deps in dependsOn (#4943)
  • b544e0d use testify instead of gotest.tools (#4946)
  • 067a0fc fix(nodejs): do not detect lock file in node_modules as an app (#4949)
  • e6d7705 bump go-dep-parser (#4936)
  • c584dc1 chore(deps): bump github.com/openvex/go-vex from 0.2.0 to 0.2.1 (#4914)
  • 358d56b chore(deps): bump helm/kind-action from 1.7.0 to 1.8.0 (#4909)
  • 17f3ea9 chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore (#4912)
  • 39ccbf7 test(aws): move part of unit tests to integration (#4884)
  • 6d3ae3b docs(cli): update help string for file and dir skipping (#4872)
  • 7d7a1ef chore(deps): bump sigstore/cosign-installer (#4910)
  • fc74950 chore(deps): bump github.com/sosedoff/gitkit from 0.3.0 to 0.4.0 (#4916)
  • b2a68bc chore(deps): bump k8s.io/api from 0.27.3 to 0.27.4 (#4918)
  • e5c0c15 chore(deps): bump github.com/secure-systems-lab/go-securesystemslib (#4919)
  • da37803 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#4913)
  • 9744e64 chore(deps): bump github.com/magefile/mage from 1.14.0 to 1.15.0 (#4915)
  • 99eebc6 docs: update the discussion template (#4928)

v0.44.0

01 Aug 09:08
d19c7d9

⚡Release highlights and summary⚡

👉 #4903

Changelog

  • d19c7d9 feat(repo): support local repositories (#4890)
  • 3c19761 bump go-dep-parser (#4893)
  • e1c2a8c fix(misconf): add missing fields to proto (#4861)
  • 8b8e0e8 fix: remove trivy-db package replacement (#4877)
  • f9efe44 chore(test): bump the integration test timeout to 15m (#4880)
  • 7271d68 chore(deps): Update defsec to v0.91.0 (#4886)
  • c3bc67c chore: update CODEOWNERS (#4871)
  • 232ba82 feat(vuln): support vulnerability status (#4867)
  • 11618c9 feat(misconf): Support custom URLs for policy bundle (#4834)
  • 0707569 refactor: replace with sortable packages (#4858)
  • fbe1c9e docs: correct license scanning sample command (#4855)
  • 20c2246 fix(report): close the file (#4842)
  • 24a3e54 feat(nodejs): add support for include-dev-deps flag for yarn (#4812)
  • a7bd7bb feat(misconf): Add support for independently enabling libraries (#4070)
  • 4aa9ea0 feat(secret): add secret config file for cache calculation (#4837)
  • 5d349d8 Fix a link in gitlab-ci.md (#4850)
  • a61531c fix(flag): use globalstar to skip directories (#4854)
  • 78cc209 chore(deps): bump github.com/docker/docker from v23.0.5+incompatible to v23.0.7-0.20230714215826-f00e7af96042+incompatible (#4849)
  • 9399604 fix(license): using common way for splitting licenses (#4434)
  • 3e2416d fix(containerd): Use img platform in exporter instead of strict host platform (#4477)
  • ce77bb4 remove govulndb (#4783)
  • c05caae fix(java): inherit licenses from parents (#4817)
  • aca11b9 refactor: add allowed values for CLI flags (#4800)
  • 4cecd17 add example regex to allow rules (#4827)
  • 4bc8d29 feat(misconf): Support custom data for rego policies for cloud (#4745)
  • 88243a0 docs: correcting the trivy k8s tutorial (#4815)
  • 3c7d988 feat(cli): add --tf-exclude-downloaded-modules flag (#4810)
  • fd0fd10 fix(sbom): cyclonedx recommendations should include fixed versions for each package (#4794)
  • d0d543b feat(misconf): enable --policy flag to accept directory and files both (#4777)
  • b43a3e6 feat(python): add license fields (#4722)
  • aef7b14 fix: support trivy k8s-version on k8s sub-command (#4786)