chore(deps): Bump trivy-checks to v1.7.1 (#8467)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>
This commit is contained in:
simar7
2025-03-02 23:03:16 -07:00
committed by GitHub
parent 3d3a3d6f19
commit 09cdae6639
6 changed files with 324 additions and 39 deletions

4
go.mod

@@ -24,7 +24,7 @@ require (
github.com/aquasecurity/table v1.8.0 github.com/aquasecurity/table v1.8.0
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
github.com/aquasecurity/tml v0.6.1 github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-checks v1.6.1 github.com/aquasecurity/trivy-checks v1.7.1
github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.7.0 github.com/aquasecurity/trivy-kubernetes v0.7.0
@@ -94,7 +94,7 @@ require (
github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553 github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553
github.com/openvex/go-vex v0.2.5 github.com/openvex/go-vex v0.2.5
github.com/owenrumney/go-sarif/v2 v2.3.3 github.com/owenrumney/go-sarif/v2 v2.3.3
github.com/owenrumney/squealer v1.2.10 github.com/owenrumney/squealer v1.2.11
github.com/package-url/packageurl-go v0.1.3 github.com/package-url/packageurl-go v0.1.3
github.com/quasilyte/go-ruleguard/dsl v0.3.22 github.com/quasilyte/go-ruleguard/dsl v0.3.22
github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c

8
go.sum

@@ -805,8 +805,8 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo= github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo=
github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo= github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-checks v1.6.1 h1:ANxKl+c9/k3Uk0YNQwpFBx++CG9Goi5T0YeN7Qimmf4= github.com/aquasecurity/trivy-checks v1.7.1 h1:Pn+Mk0SkqY7adfZT6ZsRjCuum3svr7n5z3w+HpGXmbY=
github.com/aquasecurity/trivy-checks v1.6.1/go.mod h1:xjHg4ivIIIFD7FFNpGrqxi1pRgAW1EXeG4VlkGiymjI= github.com/aquasecurity/trivy-checks v1.7.1/go.mod h1:YhmXAXgRdYIAYIr+/k/oEYUWoW7ZgGctmnJiV17ZcU8=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.7.0 h1:0pRJFSslUYd9xzQIEw1c0mS7k1Vv489nH/LsxeU6yME= github.com/aquasecurity/trivy-kubernetes v0.7.0 h1:0pRJFSslUYd9xzQIEw1c0mS7k1Vv489nH/LsxeU6yME=
@@ -1676,8 +1676,8 @@ github.com/openvex/go-vex v0.2.5/go.mod h1:j+oadBxSUELkrKh4NfNb+BPo77U3q7gdKME88
github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U= github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
github.com/owenrumney/go-sarif/v2 v2.3.3 h1:ubWDJcF5i3L/EIOER+ZyQ03IfplbSU1BLOE26uKQIIU= github.com/owenrumney/go-sarif/v2 v2.3.3 h1:ubWDJcF5i3L/EIOER+ZyQ03IfplbSU1BLOE26uKQIIU=
github.com/owenrumney/go-sarif/v2 v2.3.3/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w= github.com/owenrumney/go-sarif/v2 v2.3.3/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=
github.com/owenrumney/squealer v1.2.10 h1:Yxxy30sOhaK8/FeneHklV0sA6DP4UjUpky2opjdt4ZY= github.com/owenrumney/squealer v1.2.11 h1:vMudrj70VeOzY+t7Phz9Yo0wAgm4kXes9DcTLBVDqGY=
github.com/owenrumney/squealer v1.2.10/go.mod h1:V72uafpqPERMaJ/pA1MwK/dI0QRzLHCLnh6MqYmjFzY= github.com/owenrumney/squealer v1.2.11/go.mod h1:8KOuitfOfmS/OtzgxQbxnnrbngAGopfgKB/BiGGpqGA=
github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs= github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs=
github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0= github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0=
github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o= github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=


@@ -21,8 +21,8 @@
"Class": "config", "Class": "config",
"Type": "helm", "Type": "helm",
"MisconfSummary": { "MisconfSummary": {
"Successes": 79, "Successes": 78,
"Failures": 15 "Failures": 16
}, },
"Misconfigurations": [ "Misconfigurations": [
{ {
@@ -91,7 +91,8 @@
"LastCause": true "LastCause": true
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -160,7 +161,8 @@
"LastCause": true "LastCause": true
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -229,7 +231,8 @@
"LastCause": true "LastCause": true
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -298,7 +301,8 @@
"LastCause": true "LastCause": true
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -367,7 +371,8 @@
"LastCause": true "LastCause": true
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -436,7 +441,8 @@
"LastCause": true "LastCause": true
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -505,7 +511,8 @@
"LastCause": true "LastCause": true
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -574,7 +581,8 @@
"LastCause": true "LastCause": true
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -643,7 +651,8 @@
"LastCause": true "LastCause": true
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -712,7 +721,8 @@
"LastCause": true "LastCause": true
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -781,7 +791,8 @@
"LastCause": true "LastCause": true
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -850,7 +861,8 @@
"LastCause": true "LastCause": true
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -919,7 +931,68 @@
"LastCause": true "LastCause": true
} }
] ]
} },
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV110",
"AVDID": "AVD-KSV-0110",
"Title": "Workloads in the default namespace",
"Description": "Checks whether a workload is running in the default namespace.",
"Message": "deployment nginx-deployment in default namespace should set metadata.namespace to a non-default namespace",
"Namespace": "builtin.kubernetes.KSV110",
"Query": "data.builtin.kubernetes.KSV110.deny",
"Resolution": "Set 'metadata.namespace' to a non-default namespace.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv110",
"References": [
"https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
"https://avd.aquasec.com/misconfig/ksv110"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 5,
"EndLine": 7,
"Code": {
"Lines": [
{
"Number": 5,
"Content": " name: nginx-deployment",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mname\u001b[0m: nginx-deployment",
"FirstCause": true,
"LastCause": false
},
{
"Number": 6,
"Content": " labels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 7,
"Content": " app: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
} }
}, },
{ {
@@ -946,7 +1019,8 @@
"Service": "general", "Service": "general",
"Code": { "Code": {
"Lines": null "Lines": null
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -972,7 +1046,8 @@
"Service": "general", "Service": "general",
"Code": { "Code": {
"Lines": null "Lines": null
} },
"RenderedCause": {}
} }
} }
] ]


@@ -21,8 +21,8 @@
"Class": "config", "Class": "config",
"Type": "helm", "Type": "helm",
"MisconfSummary": { "MisconfSummary": {
"Successes": 90, "Successes": 89,
"Failures": 4 "Failures": 5
}, },
"Misconfigurations": [ "Misconfigurations": [
{ {
@@ -150,7 +150,8 @@
"LastCause": false "LastCause": false
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -278,7 +279,8 @@
"LastCause": false "LastCause": false
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -406,7 +408,108 @@
"LastCause": false "LastCause": false
} }
] ]
} },
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV110",
"AVDID": "AVD-KSV-0110",
"Title": "Workloads in the default namespace",
"Description": "Checks whether a workload is running in the default namespace.",
"Message": "deployment testchart in default namespace should set metadata.namespace to a non-default namespace",
"Namespace": "builtin.kubernetes.KSV110",
"Query": "data.builtin.kubernetes.KSV110.deny",
"Resolution": "Set 'metadata.namespace' to a non-default namespace.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv110",
"References": [
"https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
"https://avd.aquasec.com/misconfig/ksv110"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 5,
"EndLine": 11,
"Code": {
"Lines": [
{
"Number": 5,
"Content": " name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 6,
"Content": " labels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 7,
"Content": " helm.sh/chart: testchart-0.1.0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mhelm.sh/chart\u001b[0m: testchart-0.1.0",
"FirstCause": false,
"LastCause": false
},
{
"Number": 8,
"Content": " app.kubernetes.io/name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 9,
"Content": " app.kubernetes.io/instance: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": " app.kubernetes.io/version: \"1.16.0\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/version\u001b[0m: \u001b[38;5;37m\"1.16.0\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 11,
"Content": " app.kubernetes.io/managed-by: Helm",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mapp.kubernetes.io/managed-by\u001b[0m: Helm",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
} }
}, },
{ {
@@ -433,7 +536,8 @@
"Service": "general", "Service": "general",
"Code": { "Code": {
"Lines": null "Lines": null
} },
"RenderedCause": {}
} }
} }
] ]


@@ -21,8 +21,8 @@
"Class": "config", "Class": "config",
"Type": "helm", "Type": "helm",
"MisconfSummary": { "MisconfSummary": {
"Successes": 88, "Successes": 87,
"Failures": 6 "Failures": 7
}, },
"Misconfigurations": [ "Misconfigurations": [
{ {
@@ -150,7 +150,8 @@
"LastCause": false "LastCause": false
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -278,7 +279,8 @@
"LastCause": false "LastCause": false
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -406,7 +408,8 @@
"LastCause": false "LastCause": false
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -534,7 +537,8 @@
"LastCause": false "LastCause": false
} }
] ]
} },
"RenderedCause": {}
} }
}, },
{ {
@@ -633,7 +637,108 @@
"LastCause": true "LastCause": true
} }
] ]
} },
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV110",
"AVDID": "AVD-KSV-0110",
"Title": "Workloads in the default namespace",
"Description": "Checks whether a workload is running in the default namespace.",
"Message": "deployment testchart in default namespace should set metadata.namespace to a non-default namespace",
"Namespace": "builtin.kubernetes.KSV110",
"Query": "data.builtin.kubernetes.KSV110.deny",
"Resolution": "Set 'metadata.namespace' to a non-default namespace.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv110",
"References": [
"https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
"https://avd.aquasec.com/misconfig/ksv110"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 5,
"EndLine": 11,
"Code": {
"Lines": [
{
"Number": 5,
"Content": " name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 6,
"Content": " labels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 7,
"Content": " helm.sh/chart: testchart-0.1.0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mhelm.sh/chart\u001b[0m: testchart-0.1.0",
"FirstCause": false,
"LastCause": false
},
{
"Number": 8,
"Content": " app.kubernetes.io/name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/name\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 9,
"Content": " app.kubernetes.io/instance: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/instance\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": " app.kubernetes.io/version: \"1.16.0\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp.kubernetes.io/version\u001b[0m: \u001b[38;5;37m\"1.16.0\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 11,
"Content": " app.kubernetes.io/managed-by: Helm",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mapp.kubernetes.io/managed-by\u001b[0m: Helm",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
} }
}, },
{ {
@@ -660,7 +765,8 @@
"Service": "general", "Service": "general",
"Code": { "Code": {
"Lines": null "Lines": null
} },
"RenderedCause": {}
} }
} }
] ]


@@ -137,7 +137,7 @@ func Test_helm_scanner_with_dir(t *testing.T) {
require.NotNil(t, results) require.NotNil(t, results)
failed := results.GetFailed() failed := results.GetFailed()
assert.Len(t, failed, 13) assert.Len(t, failed, 14)
visited := make(map[string]bool) visited := make(map[string]bool)
for _, result := range failed { for _, result := range failed {
@@ -151,7 +151,7 @@ func Test_helm_scanner_with_dir(t *testing.T) {
"AVD-KSV-0015", "AVD-KSV-0016", "AVD-KSV-0015", "AVD-KSV-0016",
"AVD-KSV-0020", "AVD-KSV-0021", "AVD-KSV-0030", "AVD-KSV-0020", "AVD-KSV-0021", "AVD-KSV-0030",
"AVD-KSV-0104", "AVD-KSV-0106", "AVD-KSV-0104", "AVD-KSV-0106",
"AVD-KSV-0117", "AVD-KSV-0117", "AVD-KSV-0110",
}, errorCodes) }, errorCodes)
ignored := results.GetIgnored() ignored := results.GetIgnored()
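Review bot: The new ID is appended after "AVD-KSV-0117", breaking the otherwise ascending order of the expected-codes list, and if the comparison whose call opens above this hunk is order-sensitive (assert.Equal rather than ElementsMatch) the test is then also pinning the scanner's emission order, which the next trivy-checks bump can reshuffle. Keeping the list sorted and sorting errorCodes before comparing removes that coupling: `"AVD-KSV-0104", "AVD-KSV-0106", "AVD-KSV-0110",` followed by `"AVD-KSV-0117",`. A short comment next to the new entry would also save the next reader a trip to the golden files, e.g. `// AVD-KSV-0110 (workload in default namespace) is expected: the test chart sets no metadata.namespace, which for a Helm template presumably means the namespace is meant to come from the release`. Test_helm_scanner_with_dir begins and ends outside this hunk, so the assertion helper in use is not visible here.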