Releases: aquasecurity/trivy
v0.34.0
Changelog
- 7912f58 feat(vuln): support dependency graph for RHEL/CentOS (#3094)
- 9468056 feat(vuln): support dependency graph for dpkg and apk (#3093)
- 7cc83cc perf(license): enable license classifier only with "--license-full" (#3086)
- 5b975de feat(report): add secret scanning to ASFF template (#2860)
- b6cef12 feat: Allow override of containerd namespace (#3060)
- 0765148 fix(vuln): In alpine use Name as SrcName (#3079)
- 9e649b8 fix(secret): Alibaba AccessKey ID (#3083)
v0.33.0
Changelog
- af89249 refactor(k8s): custom reports (#3076)
- f4e970f fix(misconf): Bump in-toto-golang with correct CycloneDX predicate (#3068)
- 8ae4627 feat(image): add support for passing architecture and OS (#3012)
- 0501e70 test: disable containerd integration tests for non-amd64 arch (#3073)
- a377c8d feat(server): Add support for client/server mode to rootfs command (#3021)
- 02a73f0 feat(vuln): support non-packaged binaries (#3019)
- 18581f3 feat: compliance reports (#2951)
- 63b8e4d fix(flag): disable flag parsing for each plugin command (#3074)
- cbedd71 feat(nodejs): add support dependency location for yarn.lock files (#3016)
- b22e37e chore: Switch github.com/liamg dependencies to github.com/aquasecurity (#3069)
- 9b0e979 feat: add k8s components (#2589)
- 5e25182 fix(secret): update the regex for secrets scanning (#2964)
- 9947e51 chore(deps): bump github.com/samber/lo from 1.27.1 to 1.28.2 (#2979)
- d2a15a7 fix: bump trivy-kubernetes (#3064)
- f2efc9c docs: fix missing 'image' subcommand (#3051)
- 34653c7 chore: Patch golang x/text vulnerability (#3046)
- e252ea8 chore: add licensed project logo (#3058)
- 439d216 feat(ubuntu): set Ubuntu 22.10 EOL (#3054)
- 9f5113a refactor(analyzer): use strings.TrimSuffix instead of strings.HasSuffix (#3028)
- c1e24d5 feat(report): Use understandable value for shortDescription in SARIF reports (#3009)
- 212af07 docs(misconf): fix typo (#3043)
- 68f374a feat: add support for scanning azure ARM (#3011)
- d35c668 feat(report): add location.message to SARIF output (#3002) (#3003)
- 2150ffc chore(deps): bump github.com/aws/aws-sdk-go from 1.44.95 to 1.44.109 (#2980)
- ca434f7 feat(nodejs): add dependency line numbers for npm lock files (#2932)
- a8ff5f0 test(fs): add --skip-files, --skip-dirs (#2984)
- 561b2e7 docs: add Woodpecker CI integrations example (#2823)
- 4a3583d chore(deps): bump github.com/sigstore/rekor from 0.12.0 to 0.12.2 (#2981)
- 4be9eeb chore(deps): bump github.com/liamg/memoryfs from 1.4.2 to 1.4.3 (#2976)
- a260d35 chore(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 (#2975)
- 558189f chore(deps): bump github.com/caarlos0/env/v6 from 6.10.0 to 6.10.1 (#2982)
- c2eb6ee fix(sbom): ref generation if serialNumber is empty when input is cyclonedx file (#3000)
- 68f7952 fix(java): don't stop parsing jar file when wrong inner jar is found (#2989)
- be78da6 fix(sbom): use nuget purl type for dotnet-core (#2990)
- 92b5a19 perf: retrieve rekor entries in bulk (#2987)
- babd7e7 feat(aws): Custom rego policies for AWS scanning (#2994)
- 8ad9b8a docs: jq cli formatting (#2881)
- a78684c docs(repo): troubleshooting $TMPDIR customization (#2985)
- 7309ed0 chore(deps): bump actions/cache from 3.0.8 to 3.0.9 (#2969)
- 9515a5c chore(deps): bump actions/stale from 5 to 6 (#2970)
- 955aff6 chore(deps): bump sigstore/cosign-installer from 2.5.1 to 2.7.0 (#2971)
- db56d23 chore(deps): bump helm/chart-testing-action from 2.3.0 to 2.3.1 (#2972)
- 05a7232 chore(deps): bump helm/kind-action from 1.3.0 to 1.4.0 (#2973)
- 2c39d47 chore: run go fmt (#2897)
- 16a7dc1 chore(go): updates wazero to 1.0.0-pre.2 (#2955)
- ce4ba7c fix(aws): Less function for slice sorting always returns false #2967
- 4ffe746 fix(java): fix unmarshal pom exclusions (#2936)
v0.32.1
Changelog
- 8b1cee8 fix(java): use fields of dependency from dependencyManagement from upper pom.xml to parse deps (#2943)
- f5cbbb3 chore: expat lib and go binary deps vulns (#2940)
- 6882bdf wasm: Removes accidentally exported memory (#2950)
- 6ea9a61 fix(sbom): fix package name separation for gradle (#2906)
- 3ee4c96 docs(readme.md): fix broken integrations link (#2931)
- 5745961 fix(image): handle images with single layer in rescan mergedLayers cache (#2927)
- e01253d fix(cli): split env values with ',' for slice flags (#2926)
- 0c1a42d fix(cli): config/helm: also take into account files with .yml (#2928)
- 237b8dc fix(flag): add file-patterns flag for config subcommand (#2925)
- 047a0b3 chore(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.43.1 (#2902)
v0.32.0
Changelog
- 585985e docs: add Rekor SBOM attestation scanning (#2893)
- d30fa00 chore: narrow the owner scope (#2894)
- 38c1513 fix: remove a patch number from the recommendation link (#2891)
- ba29ce6 fix: enable parsing of UUID-only rekor entry ID (#2887)
- 018eda6 docs(sbom): add SPDX scanning (#2885)
- 20f1e59 docs: restructure docs and add tutorials (#2883)
- 192fd78 feat(sbom): scan sbom attestation in the rekor record (#2699)
- 597836c feat(k8s): support outdated-api (#2877)
- 6c7bd67 chore(deps): bump github.com/moby/buildkit from 0.10.3 to 0.10.4 (#2815)
- 4127043 fix(c): support revisions in Conan parser (#2878)
- b677d7e feat: dynamic links support for scan results (#2838)
- 8e03bbb chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 (#2818)
- 27005c7 docs: update archlinux commands (#2876)
- b6e394d feat(secret): add line from dockerfile where secret was added to secret result (#2780)
- 9f6680a feat(sbom): Add unmarshal for spdx (#2868)
- db0aaf1 chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#2827)
- bb3220c fix: revert asff arn and add documentation (#2852)
- c51f2b8 docs: batch-import-findings limit (#2851)
- 552732b chore(deps): bump golang from 1.19.0 to 1.19.1 (#2872)
- 3165c37 feat(sbom): Add marshal for spdx (#2867)
- dac2b4a build: checkout before setting up Go (#2873)
- 39f83af chore: bump Go to 1.19 (#2861)
- 0ce9583 docs: azure doc and trivy (#2869)
- 2f37961 fix: Scan tarr'd dependencies (#2857)
- db14ef3 chore(helm): helm test with ingress (#2630)
- acb65d5 feat(report): add secrets to sarif format (#2820)
- a18cd7c chore(deps): bump azure/setup-helm from 1.1 to 3.3 (#2807)
- 2de903c refactor: add a new interface for initializing analyzers (#2835)
- 63c3b8e chore(deps): bump github.com/aws/aws-sdk-go from 1.44.77 to 1.44.92 (#2840)
- 6717665 fix: update ProductArn with account id (#2782)
- 41a8496 feat(helm): make cache TTL configurable (#2798)
- 0f1f2c1 build(): Sign releaser artifacts, not only container manifests (#2789)
- b389a6f chore: improve doc about azure devops (#2795)
- 9ef9fce chore(deps): bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (#2804)
- 7b3225d chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.16.11 to 1.16.14 (#2828)
- 37733ed chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#2825)
- 44d7e8d docs: don't push patch versions (#2824)
- 4839075 feat: add support for conan.lock file (#2779)
- 6b4ddaa feat: cache merged layers
- a18f398 chore(deps): bump helm/chart-testing-action from 2.2.1 to 2.3.0 (#2805)
- 4dcce14 chore(deps): bump actions/cache from 3.0.5 to 3.0.8 (#2806)
- db45447 chore(deps): bump github.com/caarlos0/env/v6 from 6.9.3 to 6.10.0 (#2811)
- a246d0f chore(deps): bump github.com/aquasecurity/table from 1.7.2 to 1.8.0 (#2810)
- 1800017 chore(deps): bump github.com/samber/lo from 1.27.0 to 1.27.1 (#2808)
- 218e41a chore(deps): bump github.com/alicebob/miniredis/v2 from 2.22.0 to 2.23.0 (#2814)
- a000ade feat: add support for gradle.lockfile (#2759)
- 43113bc chore(mod): updates wazero to 1.0.0-pre.1 #2791
- 5f0bf14 feat: move file patterns to a global level to be able to use it on any analyzer (#2539)
- 2580ea1 Fix url validation failures (#2783)
- 2473b2c fix(image): add logic to detect empty layers (#2790)
- 9d018d4 feat(rust): add dependency graph from Rust binaries (#2771)
v0.31.3
Changelog
- db67f16 fix: handle empty OS family (#2768)
- 77616be fix: fix k8s summary report (#2777)
- fcccfce fix: don't skip packages that don't contain vulns, when using --list-all-pkgs flag (#2767)
- 8bc215c chore: bump trivy-kubernetes (#2770)
- d8d8e62 fix(secret): Consider secrets in rpc calls (#2753)
- b0e89d4 fix(java): check depManagement from upper pom's (#2747)
- da6f1b6 fix(php): skip composer.lock inside vendor folder (#2718)
- 2f2952c fix: fix k8s rbac filter (#2765)
- 8bc56bf feat(misconf): skipping misconfigurations by AVD ID (#2743)
- 9c1ce5a chore(deps): Upgrade Alpine to 3.16.2 to fix zlib issue (#2741)
- 3cd10b2 docs: add MacPorts install instructions (#2727)
- f369bd3 docs: typo (#2730)
v0.31.2
v0.31.1
v0.31.0
Changelog
- 917f388 fix(flag): add error when there are no supported security checks (#2713)
- aef02aa fix(vuln): continue scanning when no vuln found in the first application (#2712)
- ed1fa89 revert: add new classes for vulnerabilities (#2701)
- a5d4f7f feat(secret): detect secrets removed or overwritten in upper layer (#2611)
- ddffb1b fix(cli): secret scanning perf link fix (#2607)
- bc85441 chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.12.0 (#2650)
- b259b25 feat: Add AWS Cloud scanning (#2493)
- f8edda8 docs: specify the type when verifying an attestation (#2697)
- 6879413 docs(sbom): improve SBOM docs by adding a description for scanning SBOM attestation (#2690)
- babfb17 fix(rpc): scanResponse rpc conversion for custom resources (#2692)
- 517d2e0 feat(rust): Add support for cargo-auditable (#2675)
- 0112385 feat: Support passing value overrides for configuration checks (#2679)
- 317a026 feat(sbom): add support for scanning a sbom attestation (#2652)
- 390c256 chore(image): skip symlinks and hardlinks from tar scan (#2634)
- 63c33bf fix(report): Update junit.tpl (#2677)
- de365c8 fix(cyclonedx): add nil check to metadata.component (#2673)
- 50db7da docs(secret): fix missing and broken links (#2674)
- e848e6d refactor(cyclonedx): implement json.Unmarshaler (#2662)
- df0b5e4 chore(deps): bump github.com/aquasecurity/table from 1.6.0 to 1.7.2 (#2643)
- 006b8a5 chore(deps): bump github.com/Azure/go-autorest/autorest (#2642)
- 8d10de8 feat(kubernetes): add option to specify kubeconfig file path (#2576)
- 169c55c docs: follow Debian's "instructions to connect to a third-party repository" (#2511)
- 9b21831 chore(deps): bump github.com/google/licenseclassifier/v2 (#2644)
- 94db37e chore(deps): bump github.com/samber/lo from 1.24.0 to 1.27.0 (#2645)
- d983805 chore(deps): bump github.com/Azure/go-autorest/autorest/adal (#2647)
- d8a9572 chore(deps): bump github.com/cheggaaa/pb/v3 from 3.0.8 to 3.1.0 (#2646)
- 3ab3050 chore(deps): bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (#2641)
- 75984f3 chore(deps): bump actions/cache from 3.0.4 to 3.0.5 (#2640)
- 525c253 chore(deps): bump alpine from 3.16.0 to 3.16.1 (#2639)
- 5e327e4 chore(deps): bump golang from 1.18.3 to 1.18.4 (#2638)
- 469d771 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.48 to 1.44.66 (#2648)
- 6bc8c87 chore(deps): bump github.com/open-policy-agent/opa from 0.42.0 to 0.43.0 (#2649)
- 6ab832d chore(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (#2651)
- 3a10497 feat(alma): set AlmaLinux 9 EOL (#2653)
- 55825d7 fix(misconf): Allow quotes in Dockerfile WORKDIR when detecting relative dirs (#2636)
- 6bb0e4b test(misconf): add tests for misconf handler for dockerfiles (#2621)
- 44d53be feat(oracle): set Oracle Linux 9 EOL (#2635)
- f396c67 BREAKING: add new classes for vulnerabilities (#2541)
- 3cd88ab fix(secret): add newline escaping for asymmetric private key (#2532)
- ea91fb9 docs: improve formatting (#2572)
- d0ca610 feat(helm): allows users to define an existing secret for tokens (#2587)
- d0ba59a docs(mariner): use tdnf in fs usage example (#2616)
- d7742b6 docs: remove unnecessary double quotation marks (#2609)
- 27027cf fix: Fix --file-patterns flag (#2625)
- c2a7ad5 feat(report): add support for Cosign vulnerability attestation (#2567)
- dfb86f4 docs(mariner): use v2.0 in examples (#2602)
- 946ce16 feat(report): add secrets template for codequality report (#2461)
v0.30.4
v0.30.3
Changelog
- fa8a8ba fix(server): use a new db worker for hot updates (#2581)
- 769ed55 docs: add trivy with download-db-only flag to Air-Gapped Environment (#2583)
- 5f9a963 docs: split commands to download db for different versions of oras (#2582)
- d93a997 feat(report): export exitcode for license checks (#2564)
- f9be138 fix: cli can use lowercase for severities (#2565)
- c7f0bc9 fix: allow subcommands with TRIVY_RUN_AS_PLUGIN (#2577)
- c2f3731 fix: add missing types in TypeOSes and TypeLanguages in analyzer (#2569)
- 7b4f2dc fix: enable some features of the wasm runtime (#2575)
- 8467790 fix(k8s): no error logged if trivy can't get docker image in kubernetes mode (#2521)
- e1e02d7 docs(sbom): improve sbom attestation documentation (#2566)