gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-21 06:43:05 -08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: gitea-mirror:v0.31.3
Branches Tags
gitea-mirror:main gitea-mirror:release-please--branches--main gitea-mirror:gh-pages gitea-mirror:release/v0.68 gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/common-8f43369130 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.2 gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1
..
compare: gitea-mirror:v0.32.1
Branches Tags
gitea-mirror:release-please--branches--main gitea-mirror:main gitea-mirror:gh-pages gitea-mirror:release/v0.68 gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/common-8f43369130 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.2 gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1

61 Commits
v0.31.3 ... v0.32.1

Author SHA1 Message Date
DmitriyLewen
8b1cee845b fix(java): use fields of dependency from dependencyManagement from upper pom.xml to parse deps (#2943) 2022-09-28 15:32:01 +03:00
chenk
f5cbbb3fde chore: expat lib and go binary deps vulns (#2940) 
Signed-off-by: chenk <hen.keinan@gmail.com>
 2022-09-28 12:14:29 +03:00
Crypt Keeper
6882bdf561 wasm: Removes accidentally exported memory (#2950) 
Signed-off-by: Adrian Cole <adrian@tetrate.io>
 2022-09-28 11:12:46 +03:00
DmitriyLewen
6ea9a61cf3 fix(sbom): fix package name separation for gradle (#2906) 2022-09-28 11:11:23 +03:00
DmitriyLewen
3ee4c96f13 docs(readme.md): fix broken integrations link (#2931) 2022-09-28 11:03:20 +03:00
Moniseeta
5745961194 fix(image): handle images with single layer in rescan mergedLayers cache (#2927) 
For images with single layer, the layer key was directly being used as merged cache key.
This was posing an issue of data override and any other image having the same layer could get incorrect data.
So, fixed:
1. Even for 1 layer - merged layer key hash will be calculated
2. We will not go with assumption that merged data will have only 1 pkgInfo
3. We are setting a SchemaVersion in blob being generated in ToBlobInfo
 2022-09-22 14:46:28 +03:00
DmitriyLewen
e01253d54d fix(cli): split env values with ',' for slice flags (#2926) 2022-09-22 10:11:37 +03:00
Juan Antonio Osorio
0c1a42d4f3 fix(cli): config/helm: also take into account files with .yml (#2928) 
YAML files can also have the `.yml` file extension. So the helm config should take that into account.

Signed-off-by: Juan Antonio Osorio <juan.osoriorobles@eu.equinix.com>
 2022-09-21 17:08:13 +01:00
DmitriyLewen
237b8dcd06 fix(flag): add file-patterns flag for config subcommand (#2925) 2022-09-21 10:02:58 +03:00
dependabot[bot]
047a0b3d88 chore(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.43.1 (#2902) 
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
 2022-09-19 14:55:16 +03:00
Teppei Fukuda
585985edb3 docs: add Rekor SBOM attestation scanning (#2893) 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2022-09-16 15:43:01 +03:00
Teppei Fukuda
d30fa00adc chore: narrow the owner scope (#2894) 2022-09-16 15:42:31 +03:00
afdesk
38c1513af6 fix: remove a patch number from the recommendation link (#2891) 2022-09-16 12:23:58 +03:00
saso
ba29ce648c fix: enable parsing of UUID-only rekor entry ID (#2887) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-09-16 11:16:41 +03:00
Teppei Fukuda
018eda618b docs(sbom): add SPDX scanning (#2885) 2022-09-16 10:20:40 +03:00
Anais Urlichs
20f1e5991a docs: restructure docs and add tutorials (#2883) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-09-15 21:27:58 +03:00
saso
192fd78ca2 feat(sbom): scan sbom attestation in the rekor record (#2699) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-09-15 20:16:39 +03:00
chenk
597836c3a2 feat(k8s): support outdated-api (#2877) 2022-09-15 13:02:16 +03:00
dependabot[bot]
6c7bd67c04 chore(deps): bump github.com/moby/buildkit from 0.10.3 to 0.10.4 (#2815) 2022-09-15 11:40:54 +03:00
François Poirotte
41270434fe fix(c): support revisions in Conan parser (#2878) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-09-15 11:35:44 +03:00
chenk
b677d7e2e8 feat: dynamic links support for scan results (#2838) 2022-09-15 10:42:33 +03:00
dependabot[bot]
8e03bbb422 chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 (#2818) 2022-09-15 10:16:47 +03:00
George Rodrigues
27005c7d6a docs: update archlinux commands (#2876) 2022-09-15 10:14:53 +03:00
DmitriyLewen
b6e394dc80 feat(secret): add line from dockerfile where secret was added to secret result (#2780) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-09-15 10:13:20 +03:00
Masahiro331
9f6680a1fa feat(sbom): Add unmarshal for spdx (#2868) 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-09-15 08:39:59 +03:00
dependabot[bot]
db0aaf18e6 chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#2827) 2022-09-14 17:28:14 +03:00
AndrewCharlesHay
bb3220c3de fix: revert asff arn and add documentation (#2852) 2022-09-14 17:27:46 +03:00
AndrewCharlesHay
c51f2b82e4 docs: batch-import-findings limit (#2851) 2022-09-14 17:26:32 +03:00
dependabot[bot]
552732b5d7 chore(deps): bump golang from 1.19.0 to 1.19.1 (#2872) 2022-09-14 17:23:51 +03:00
Masahiro331
3165c376e2 feat(sbom): Add marshal for spdx (#2867) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-09-14 13:36:10 +03:00
Teppei Fukuda
dac2b4a281 build: checkout before setting up Go (#2873) 2022-09-14 13:27:27 +03:00
Teppei Fukuda
39f83afefe chore: bump Go to 1.19 (#2861) 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2022-09-14 11:41:55 +03:00
Carol Valencia
0ce95830c8 docs: azure doc and trivy (#2869) 
Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-09-14 09:20:57 +03:00
Owen Rumney
2f37961661 fix: Scan tarr'd dependencies (#2857) 
Signed-off-by: Owen Rumney <owen.rumney@aquasec.com>
 2022-09-12 14:55:38 +03:00
Carol Valencia
db14ef3cb5 chore(helm): helm test with ingress (#2630) 
Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-09-12 12:13:08 +03:00
DmitriyLewen
acb65d565a feat(report): add secrets to sarif format (#2820) 
Co-authored-by: AMF <work@afdesk.com>
 2022-09-12 12:12:13 +03:00
dependabot[bot]
a18cd7c00a chore(deps): bump azure/setup-helm from 1.1 to 3.3 (#2807) 2022-09-12 12:11:02 +03:00
Teppei Fukuda
2de903ca35 refactor: add a new interface for initializing analyzers (#2835) 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2022-09-12 11:46:53 +03:00
dependabot[bot]
63c3b8ed19 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.77 to 1.44.92 (#2840) 2022-09-08 09:21:40 +03:00
AndrewCharlesHay
6717665ab0 fix: update ProductArn with account id (#2782) 2022-09-08 09:21:05 +03:00
Helge Eichelberg
41a8496716 feat(helm): make cache TTL configurable (#2798) 
Signed-off-by: elchenberg <elchenberg@users.noreply.github.com>
 2022-09-08 09:12:18 +03:00
Juan Antonio Osorio
0f1f2c1b29 build(): Sign releaser artifacts, not only container manifests (#2789) 2022-09-07 16:56:10 +03:00
Carol Valencia
b389a6f4fc chore: improve doc about azure devops (#2795) 
Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-09-07 16:52:53 +03:00
dependabot[bot]
9ef9fce589 chore(deps): bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (#2804) 2022-09-07 16:48:15 +03:00
dependabot[bot]
7b3225d0d8 chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.16.11 to 1.16.14 (#2828) 2022-09-07 16:47:38 +03:00
dependabot[bot]
37733edc4b chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#2825) 2022-09-07 16:46:01 +03:00
Itay Shakury
44d7e8dde1 docs: don't push patch versions (#2824) 2022-09-07 16:40:28 +03:00
DmitriyLewen
4839075c28 feat: add support for conan.lock file (#2779) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2022-09-06 21:59:13 +03:00
Teppei Fukuda
6b4ddaaef2 feat: cache merged layers 
igned-off-by: knqyf263 <knqyf263@gmail.com>
 2022-09-06 11:04:00 +03:00
dependabot[bot]
a18f398ac0 chore(deps): bump helm/chart-testing-action from 2.2.1 to 2.3.0 (#2805) 2022-09-04 12:32:45 +03:00
dependabot[bot]
4dcce14051 chore(deps): bump actions/cache from 3.0.5 to 3.0.8 (#2806) 2022-09-04 12:32:04 +03:00
dependabot[bot]
db4544711a chore(deps): bump github.com/caarlos0/env/v6 from 6.9.3 to 6.10.0 (#2811) 2022-09-04 12:15:53 +03:00
dependabot[bot]
a246d0f280 chore(deps): bump github.com/aquasecurity/table from 1.7.2 to 1.8.0 (#2810) 2022-09-04 12:11:31 +03:00
dependabot[bot]
1800017a9a chore(deps): bump github.com/samber/lo from 1.27.0 to 1.27.1 (#2808) 2022-09-04 12:08:54 +03:00
dependabot[bot]
218e41a435 chore(deps): bump github.com/alicebob/miniredis/v2 from 2.22.0 to 2.23.0 (#2814) 2022-09-04 12:08:13 +03:00
DmitriyLewen
a000adeed0 feat: add support for gradle.lockfile (#2759) 2022-09-01 11:27:36 +03:00
Crypt Keeper
43113bc01f chore(mod): updates wazero to 1.0.0-pre.1 #2791 
Signed-off-by: Adrian Cole <adrian@tetrate.io>
 2022-09-01 11:09:48 +03:00
jerbob92
5f0bf1445a feat: move file patterns to a global level to be able to use it on any analyzer (#2539) 2022-09-01 11:01:57 +03:00
Alex Samorukov
2580ea1583 Fix url validaton failures (#2783) 
While analyzing failure of the report schema validation i found URL looks like that: `https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)`. This causing gitlab to mark report as invalid. Patch provided just using first word of the url word.
 2022-08-30 15:57:40 +03:00
DmitriyLewen
2473b2c881 fix(image): add logic to detect empty layers (#2790) 
* add logic to detect empty layers

* add test for createdBy from buildkit
 2022-08-30 15:56:14 +03:00
afdesk
9d018d44b9 feat(rust): add dependency graph from Rust binaries (#2771) 2022-08-30 15:46:38 +03:00
199 changed files with 6701 additions and 2093 deletions
Expand all files Collapse all files

3
.github/CODEOWNERS vendored
View File

@@ -11,7 +11,8 @@ docs/docs/cloud @owenrumney @liamg @knqyf263
pkg/fanal/analyzer/config @owenrumney @liamg @knqyf263
pkg/fanal/handler/misconf @owenrumney @liamg @knqyf263
pkg/cloud @owenrumney @liamg @knqyf263
pkg/flag @owenrumney @liamg @knqyf263
pkg/flag/aws_flags.go @owenrumney @liamg @knqyf263
pkg/flag/misconf_flags.go @owenrumney @liamg @knqyf263
# Kubernetes scanning
pkg/k8s/ @josedonizetti @chen-keinan @knqyf263

2
.github/workflows/canary.yaml vendored
View File

@@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Restore Trivy binaries from cache
uses: actions/cache@v3.0.5
uses: actions/cache@v3.0.8
with:
path: dist/
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

2
.github/workflows/mkdocs-latest.yaml vendored
View File

@@ -35,7 +35,7 @@ jobs:
if: ${{ github.event.inputs.version == '' }}
run: |
VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
mike deploy --push --update-aliases $VERSION latest
mike deploy --push --update-aliases ${VERSION%.*} latest
- name: Deploy the latest documents from manual trigger
if: ${{ github.event.inputs.version != '' }}
run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest

10
.github/workflows/publish-chart.yaml vendored
View File

@@ -15,8 +15,8 @@ env:
HELM_REP: helm-charts
GH_OWNER: aquasecurity
CHART_DIR: helm/trivy
KIND_VERSION: "v0.11.1"
KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
KIND_VERSION: "v0.14.0"
KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
jobs:
test-chart:
runs-on: ubuntu-20.04
@@ -26,7 +26,7 @@ jobs:
with:
fetch-depth: 0
- name: Install Helm
uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab
uses: azure/setup-helm@b5b231a831f96336bbfeccc1329990f0005c5bb1
with:
version: v3.5.0
- name: Set up python
@@ -35,7 +35,7 @@ jobs:
python-version: 3.7
- name: Setup Chart Linting
id: lint
uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a
uses: helm/chart-testing-action@09ed88797198755e5031f25be13da255e7e33aad
- name: Setup Kubernetes cluster (KIND)
uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d
with:
@@ -45,7 +45,7 @@ jobs:
run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
- name: Run chart-testing (Ingress enabled)
run: |
sed -i -e '117s,false,'true',g' ./helm/trivy/values.yaml
sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
ct lint-and-install --validate-maintainers=false --charts helm/trivy
publish-chart:

2
.github/workflows/release.yaml vendored
View File

@@ -24,7 +24,7 @@ jobs:
fetch-depth: 0
- name: Restore Trivy binaries from cache
uses: actions/cache@v3.0.5
uses: actions/cache@v3.0.8
with:
path: dist/
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

17
.github/workflows/reusable-release.yaml vendored
View File

@@ -13,7 +13,6 @@ on:
type: string
env:
GO_VERSION: "1.18"
GH_USER: "aqua-bot"
jobs:
@@ -28,7 +27,7 @@ jobs:
contents: read # Not required for public repositories, but for clarity
steps:
- name: Cosign install
uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0
uses: sigstore/cosign-installer@b3413d484cc23cf8778c3d2aa361568d4eb54679
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
@@ -60,16 +59,16 @@ jobs:
username: ${{ secrets.ECR_ACCESS_KEY_ID }}
password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version-file: go.mod
- name: Generate SBOM
uses: CycloneDX/gh-gomod-generate-sbom@v1
with:
@@ -100,10 +99,10 @@ jobs:
public.ecr.aws/aquasecurity/trivy:canary
- name: Cache Trivy binaries
uses: actions/cache@v3.0.5
uses: actions/cache@v3.0.8
with:
path: dist/
# use 'github.sha' to create a unique cache folder for each run.
# use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
# e.g. build and release runs
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

2
.github/workflows/semantic-pr.yaml vendored
View File

@@ -64,6 +64,8 @@ jobs:
dotnet
java
go
c
c++
os
lang

37
.github/workflows/test.yaml vendored
View File

@@ -10,8 +10,7 @@ on:
- 'LICENSE'
pull_request:
env:
GO_VERSION: "1.18"
TINYGO_VERSION: "0.24.0"
TINYGO_VERSION: "0.25.0"
jobs:
test:
name: Test
@@ -22,7 +21,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
go-version-file: go.mod
- name: go mod tidy
run: |
@@ -35,7 +34,7 @@ jobs:
- name: Lint
uses: golangci/golangci-lint-action@v3.2.0
with:
version: v1.45
version: v1.49
args: --deadline=30m
skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
@@ -51,36 +50,34 @@ jobs:
name: Integration Test
runs-on: ubuntu-latest
steps:
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
id: go
- name: Check out code into the Go module directory
uses: actions/checkout@v3
- name: Check out code into the Go module directory
uses: actions/checkout@v3
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version-file: go.mod
- name: Run integration tests
run: make test-integration
- name: Run integration tests
run: make test-integration
module-test:
name: Module Integration Test
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
id: go
go-version-file: go.mod
- name: Install TinyGo
run: |
wget https://github.com/tinygo-org/tinygo/releases/download/v${TINYGO_VERSION}/tinygo_${TINYGO_VERSION}_amd64.deb
sudo dpkg -i tinygo_${TINYGO_VERSION}_amd64.deb
- name: Checkout
uses: actions/checkout@v3
- name: Run module integration tests
run: |
make test-module-integration
@@ -107,13 +104,13 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
go-version-file: go.mod
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v3
with:
version: v1.4.1
args: release --snapshot --rm-dist --skip-publish --timeout 90m
args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m
build-documents:
name: Documentation Test

7
.golangci.yaml
View File

@@ -21,18 +21,17 @@ linters-settings:
local-prefixes: github.com/aquasecurity
gosec:
excludes:
- G114
- G204
- G402
linters:
disable-all: true
enable:
- structcheck
- unused
- ineffassign
- typecheck
- govet
- varcheck
- deadcode
- revive
- gosec
- unconvert
@@ -43,7 +42,7 @@ linters:
- misspell
run:
go: 1.18
go: 1.19
skip-files:
- ".*._mock.go$"
- ".*._test.go$"

2
Dockerfile.protoc
View File

@@ -1,4 +1,4 @@
FROM golang:1.18.4
FROM golang:1.19.1
# Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip

2
Makefile
View File

@@ -26,7 +26,7 @@ $(GOBIN)/crane:
go install github.com/google/go-containerregistry/cmd/crane@v0.9.0
$(GOBIN)/golangci-lint:
curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.45.2
curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0
$(GOBIN)/labeler:
go install github.com/knqyf263/labeler@latest

3
README.md
View File

@@ -39,6 +39,7 @@ Get Trivy by your favorite installation method. See [installation] section in th
- `apt-get install trivy`
- `yum install trivy`
- `pacman -S trivy`
- `brew install aquasecurity/trivy/trivy`
- `sudo port install trivy`
- `docker run aquasec/trivy`
@@ -137,7 +138,7 @@ Contact us about any matter by opening a GitHub Discussion [here][discussions]
[getting-started]: https://aquasecurity.github.io/trivy/latest/getting-started/installation/
[docs]: https://aquasecurity.github.io/trivy
[integrations]:https://aquasecurity.github.io/trivy/latest/docs/integrations/
[integrations]:https://aquasecurity.github.io/trivy/latest/tutorials/integrations/
[installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
[releases]: https://github.com/aquasecurity/trivy/releases
[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/

2
contrib/gitlab.tpl
View File

@@ -70,7 +70,7 @@
,
{{- end -}}
{
"url": "{{ . }}"
"url": "{{ regexFind "[^ ]+" . }}"
}
{{- end }}
]

10
docs/community/credit.md
View File

@@ -1,10 +0,0 @@
# Author
[Teppei Fukuda][knqyf263] (knqyf263)
# Contributors
Thanks to all [contributors][contributors]
[knqyf263]: https://github.com/knqyf263
[contributors]: https://github.com/aquasecurity/trivy/graphs/contributors

48
docs/community/references.md
View File

@@ -1,48 +0,0 @@
# Additional References
There are external blogs and evaluations.
## Blogs
- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family][join]
- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License][license]
- [DevSecOps with Trivy and GitHub Actions][actions]
- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
- [the vulnerability remediation lifecycle of Alpine containers][alpine]
- [Continuous Container Vulnerability Testing with Trivy][semaphore]
- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
- [Docker Image Security: Static Analysis Tool Comparison Anchore Engine vs Clair vs Trivy][tool-comparison]
## Links
- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
- [Istio evaluates scanners][istio]
## Presentations
- Aqua Security YouTube Channel
- [Trivy - container image scanning][intro]
- [Using Trivy in client server mode][server]
- [Tweaking Trivy output to fit your workflow][tweaking]
- [How does a vulnerability scanner identify packages?][identify]
- CNCF Webinar 2020
- [Trivy Open Source Scanner for Container Images Just Download and Run!][cncf]
- KubeCon + CloudNativeCon Europe 2020 Virtual
- [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security][kubecon]
[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417
[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
[server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
[kubecon]: https://www.youtube.com/watch?v=WKE2XNZ2zr4
[identify]: https://www.youtube.com/watch?v=PaMnzeHBa8M
[tweaking]: https://www.youtube.com/watch?v=wFIGUjcRLnU
[join]: https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family
[license]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license
[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code

37
docs/community/tools.md
View File

@@ -1,37 +0,0 @@
# Community Tools
The open source community has been hard at work developing new tools for Trivy. You can check out some of them here.
Have you created a tool thats not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged.
## GitHub Actions
| Actions | Description |
| ------------------------------------------ | -------------------------------------------------------------------------------- |
| [gitrivy][gitrivy] | GitHub Issue + Trivy |
| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
## Semaphore
| Name | Description |
| -------------------------------------------------------| ----------------------------------------- |
| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
## CircleCI
| Orb | Description |
| -----------------------------------------| ----------------------------------------- |
| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
## Others
| Name | Description |
| -----------------------------------------| ----------------------------------------- |
| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links. |
[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
[gitrivy]: https://github.com/marketplace/actions/trivy-action
[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy

58
docs/docs/attestation/rekor.md Normal file
View File

@@ -0,0 +1,58 @@
# Scan SBOM attestation in Rekor
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Trivy can retrieve SBOM attestation of the specified container image in the [Rekor][rekor] instance and scan it for vulnerabilities.
## Prerequisites
1. SBOM attestation stored in Rekor
- See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
## Scanning
You need to pass `--sbom-sources rekor` so that Trivy will look for SBOM attestation in Rekor.
!!! note
`--sbom-sources` can be used only with `trivy image` at the moment.
```bash
$ trivy image --sbom-sources rekor otms61/alpine:3.7.3 [~/src/github.com/aquasecurity/trivy]
2022-09-16T17:37:13.258+0900 INFO Vulnerability scanning is enabled
2022-09-16T17:37:13.258+0900 INFO Secret scanning is enabled
2022-09-16T17:37:13.258+0900 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-16T17:37:13.258+0900 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-09-16T17:37:14.827+0900 INFO Detected SBOM format: cyclonedx-json
2022-09-16T17:37:14.901+0900 INFO Found SBOM (cyclonedx) attestation in Rekor
2022-09-16T17:37:14.903+0900 INFO Detected OS: alpine
2022-09-16T17:37:14.903+0900 INFO Detecting Alpine vulnerabilities...
2022-09-16T17:37:14.907+0900 INFO Number of language-specific files: 0
2022-09-16T17:37:14.908+0900 WARN This OS version is no longer supported by the distribution: alpine 3.7.3
2022-09-16T17:37:14.908+0900 WARN The vulnerability detection may be insufficient because security updates are not provided
otms61/alpine:3.7.3 (alpine 3.7.3)
==================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ musl │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
│ │ │ │ │ │ adjustment im ...... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
├────────────┤ │ │ │ │ │
│ musl-utils │ │ │ │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
```
If you have your own Rekor instance, you can specify the URL via `--rekor-url`.
```bash
$ trivy image --sbom-sources rekor --rekor-url https://my-rekor.dev otms61/alpine:3.7.3
```
[rekor]: https://github.com/sigstore/rekor
[sbom-attest]: sbom.md#keyless-signing

1
docs/docs/attestation/sbom.md
View File

@@ -48,6 +48,7 @@ You can use Cosign to sign without keys by authenticating with an OpenID Connect
```bash
# The cyclonedx type is supported in Cosign v1.10.0 or later.
$ trivy image --format cyclonedx -o sbom.cdx.json <IMAGE>
# The following command uploads SBOM attestation to the public Rekor instance.
$ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json <IMAGE>
```

30
docs/docs/index.md
View File

@@ -1,28 +1,6 @@
# Docs
Trivy detects two types of security issues:
- [Vulnerabilities][vuln]
- [Misconfigurations][misconf]
Trivy can scan four different artifacts:
- [Container Images][container]
- [Filesystem][filesystem] and [Rootfs][rootfs]
- [Git Repositories][repo]
- [Kubernetes][kubernetes]
Trivy can be run in two different modes:
- [Standalone][standalone]
- [Client/Server][client-server]
Trivy can be run as a Kubernetes Operator:
- [Kubernetes Operator][kubernetesoperator]
It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
See [Integrations][integrations] for details.
This documentation details how to use Trivy to access the features listed below.
## Features
@@ -67,7 +45,7 @@ See [Integrations][integrations] for details.
Please see [LICENSE][license] for Trivy licensing information.
[installation]: ../getting-started/installation.md
[installation]: ../index.md
[vuln]: ../docs/vulnerability/scanning/index.md
[misconf]: ../docs/misconfiguration/scanning.md
[kubernetesoperator]: ../docs/kubernetes/operator/index.md
@@ -79,7 +57,7 @@ Please see [LICENSE][license] for Trivy licensing information.
[standalone]: ../docs/references/modes/standalone.md
[client-server]: ../docs/references/modes/client-server.md
[integrations]: ../docs/integrations/index.md
[integrations]: ../tutorials/integrations/index.md
[os]: ../docs/vulnerability/detection/os.md
[lang]: ../docs/vulnerability/detection/language.md
@@ -91,4 +69,4 @@ Please see [LICENSE][license] for Trivy licensing information.
[sbom]: ../docs/sbom/index.md
[oci]: https://github.com/opencontainers/image-spec
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE

29
docs/docs/integrations/aws-security-hub.md
View File

@@ -1,29 +0,0 @@
# AWS Security Hub
## Upload findings to Security Hub
In the following example using the template `asff.tpl`, [ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) file can be generated.
```
$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff golang:1.12-alpine
```
ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.
Then, you can upload it with AWS CLI.
```
$ aws securityhub batch-import-findings --findings file://report.asff
```
## Customize
You can customize [asff.tpl](https://github.com/aquasecurity/trivy/blob/main/contrib/asff.tpl)
```
$ export AWS_REGION=us-west-1
$ export AWS_ACCOUNT_ID=123456789012
$ trivy image --format template --template "@your-asff.tpl" -o report.asff golang:1.12-alpine
```
## Reference
https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/

2
docs/docs/kubernetes/cli/scanning.md
View File

@@ -5,7 +5,7 @@
The Trivy K8s CLI allows you to scan your Kubernetes cluster for Vulnerabilities, Secrets and Misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster.
If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/getting-started.md)
If you are looking for continuous cluster audit scanning, have a look at the [Trivy K8s operator.](../operator/index.md)
Trivy uses your local kubectl configuration to access the API server to list artifacts.

18
docs/docs/misconfiguration/options/others.md
View File

@@ -2,21 +2,3 @@
!!! hint
See also [Others](../../vulnerability/examples/others.md) in Vulnerability section.
## File patterns
When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
The default file patterns are [here](../custom/index.md).
In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
This can be repeated for specifying multiple file patterns.
Allowed values are here:
- dockerfile
- yaml
- json
- toml
- hcl
For more details, see [an example](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/file-patterns)

10
docs/docs/references/customization/config-file.md
View File

@@ -82,6 +82,11 @@ Available in client/server mode
```yaml
scan:
# Same as '--file-patterns'
# Default is empty
file-patterns:
-
# Same as '--skip-dirs'
# Default is empty
skip-dirs:
@@ -195,11 +200,6 @@ Available with misconfiguration scanning
```yaml
misconfiguration:
# Same as '--file-patterns'
# Default is empty
file-patterns:
-
# Same as '--include-non-failures'
# Default is false
include-non-failures: false

4
docs/docs/sbom/cyclonedx.md
View File

@@ -1,7 +1,7 @@
# CycloneDX
## Reporting
Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
## Generating
Trivy can generate SBOM in the [CycloneDX][cyclonedx] format.
Note that XML format is not supported at the moment.
You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option.

31
docs/docs/sbom/index.md
View File

@@ -1,6 +1,6 @@
# SBOM
## Reporting
## Generating
Trivy can generate the following SBOM formats.
- [CycloneDX][cyclonedx]
@@ -181,34 +181,27 @@ $ trivy fs --format cyclonedx --output result.json /app/myproject
Trivy also can take the following SBOM formats as an input and scan for vulnerabilities.
- CycloneDX
- SPDX
- SPDX JSON
- CycloneDX-type attestation
To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.
```bash
$ trivy sbom /path/to/cyclonedx.json
cyclonedx.json (alpine 3.7.1)
=========================
Total: 3 (CRITICAL: 3)
┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457 │ CRITICAL │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode()
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```
See [here][cyclonedx] for the detail.
!!! note
CycloneDX XML and SPDX are not supported at the moment.
CycloneDX XML is not supported at the moment.
```bash
$ trivy sbom /path/to/spdx.json
```
See [here][spdx] for the detail.
You can also scan an SBOM attestation.
In the following example, [Cosign][Cosign] can get an attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [SBOM attestation page][sbom_attestation].

49
docs/docs/sbom/spdx.md
View File

@@ -1,6 +1,7 @@
# SPDX
Trivy generates reports in the [SPDX][spdx] format.
## Generating
Trivy can generate SBOM in the [SPDX][spdx] format.
You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `spdx` with the `--format` option.
@@ -294,4 +295,50 @@ $ cat result.spdx.json | jq .
</details>
## Scanning
Trivy can take the SPDX SBOM as an input and scan for vulnerabilities.
To scan SBOM, you can use the `sbom` subcommand and pass the path to your SPDX report.
The input format is automatically detected.
The following formats are supported:
- Tag-value (`--format spdx`)
- JSON (`--format spdx-json`)
```bash
$ trivy image --format spdx-json --output spdx.json alpine:3.16.0
$ trivy sbom spdx.json
2022-09-15T21:32:27.168+0300 INFO Vulnerability scanning is enabled
2022-09-15T21:32:27.169+0300 INFO Detected SBOM format: spdx-json
2022-09-15T21:32:27.210+0300 INFO Detected OS: alpine
2022-09-15T21:32:27.210+0300 INFO Detecting Alpine vulnerabilities...
2022-09-15T21:32:27.211+0300 INFO Number of language-specific files: 0
spdx.json (alpine 3.16.0)
=========================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)
┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ busybox │ CVE-2022-30065 │ HIGH │ 1.35.0-r13 │ 1.35.0-r15 │ busybox: A use-after-free in Busybox's awk applet leads to │
│ │ │ │ │ │ denial of service... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30065 │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-2097 │ MEDIUM │ 1.1.1o-r0 │ 1.1.1q-r0 │ openssl: AES OCB fails to encrypt some bytes │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2097 │
├──────────────┤ │ │ │ │ │
│ libssl1.1 │ │ │ │ │ │
│ │ │ │ │ │ │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ ssl_client │ CVE-2022-30065 │ HIGH │ 1.35.0-r13 │ 1.35.0-r15 │ busybox: A use-after-free in Busybox's awk applet leads to │
│ │ │ │ │ │ denial of service... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30065 │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ zlib │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1 │ 1.2.12-r2 │ zlib: a heap-based buffer over-read or buffer overflow in │
│ │ │ │ │ │ inflate in inflate.c... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-37434 │
└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
```
[spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf

33
docs/docs/vulnerability/detection/data-source.md
View File

@@ -19,22 +19,23 @@
# Programming Language
| Language | Source | Commercial Use | Delay[^1]|
| ---------------------------- | ----------------------------------------------------|:---------------:|:--------:|
| PHP | [PHP Security Advisories Database][php] | ✅ | - |
| | [GitHub Advisory Database (Composer)][php-ghsa] | ✅ | - |
| Python | [GitHub Advisory Database (pip)][python-ghsa] | ✅ | - |
| | [Open Source Vulnerabilities (PyPI)][python-osv] | ✅ | - |
| Ruby | [Ruby Advisory Database][ruby] | ✅ | - |
| | [GitHub Advisory Database (RubyGems)][ruby-ghsa] | ✅ | - |
| Node.js | [Ecosystem Security Working Group][nodejs] | ✅ | - |
| | [GitHub Advisory Database (npm)][nodejs-ghsa] | ✅ | - |
| Java | [GitLab Advisories Community][gitlab] | ✅ | 1 month |
| | [GitHub Advisory Database (Maven)][java-ghsa] | ✅ | - |
| Go | [GitLab Advisories Community][gitlab] | ✅ | 1 month |
| | [The Go Vulnerability Database][go] | ✅ | - |
| Rust | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅ | - |
| .NET | [GitHub Advisory Database (NuGet)][dotnet-ghsa] | ✅ | - |
| Language | Source | Commercial Use | Delay[^1]|
|----------|-----------------------------------------------------|:---------------:|:--------:|
| PHP | [PHP Security Advisories Database][php] | ✅ | - |
| | [GitHub Advisory Database (Composer)][php-ghsa] | ✅ | - |
| Python | [GitHub Advisory Database (pip)][python-ghsa] | ✅ | - |
| | [Open Source Vulnerabilities (PyPI)][python-osv] | ✅ | - |
| Ruby | [Ruby Advisory Database][ruby] | ✅ | - |
| | [GitHub Advisory Database (RubyGems)][ruby-ghsa] | ✅ | - |
| Node.js | [Ecosystem Security Working Group][nodejs] | ✅ | - |
| | [GitHub Advisory Database (npm)][nodejs-ghsa] | ✅ | - |
| Java | [GitLab Advisories Community][gitlab] | ✅ | 1 month |
| | [GitHub Advisory Database (Maven)][java-ghsa] | ✅ | - |
| Go | [GitLab Advisories Community][gitlab] | ✅ | 1 month |
| | [The Go Vulnerability Database][go] | ✅ | - |
| Rust | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅ | - |
| .NET | [GitHub Advisory Database (NuGet)][dotnet-ghsa] | ✅ | - |
| C/C++ | [GitLab Advisories Community][gitlab] | ✅ | 1 month |
[^1]: Intentional delay between vulnerability disclosure and registration in the DB

47
docs/docs/vulnerability/detection/language.md
View File

@@ -2,29 +2,31 @@
`Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.
| Language | File | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] | Dev dependencies |
| -------- |-------------------------| :-------: | :--------: | :-------------: | :-------------: | ---------------- |
| Ruby | Gemfile.lock | - | - | ✅ | ✅ | included |
| | gemspec | ✅ | ✅ | - | - | included |
| Python | Pipfile.lock | - | - | ✅ | ✅ | excluded |
| | poetry.lock | - | - | ✅ | ✅ | included |
| | requirements.txt | - | - | ✅ | ✅ | included |
| | egg package[^1] | ✅ | ✅ | - | - | excluded |
| | wheel package[^2] | ✅ | ✅ | - | - | excluded |
| PHP | composer.lock | ✅ | ✅ | ✅ | ✅ | excluded |
| Node.js | package-lock.json | - | - | ✅ | ✅ | excluded |
| | yarn.lock | - | - | ✅ | ✅ | included |
| | pnpm-lock.yaml | - | - | ✅ | ✅ | excluded |
| | package.json | ✅ | ✅ | - | - | excluded |
| .NET | packages.lock.json | ✅ | ✅ | ✅ | ✅ | included |
| | packages.config | ✅ | ✅ | ✅ | ✅ | excluded |
| | .deps.json | ✅ | ✅ | ✅ | ✅ | excluded |
| Java | JAR/WAR/PAR/EAR[^3][^4] | ✅ | ✅ | - | - | included |
| | pom.xml[^5] | - | - | ✅ | ✅ | excluded |
| Go | Binaries built by Go[^6] | | | - | - | excluded |
| | go.mod[^7] | - | - | | | included |
| Rust | Cargo.lock | | | ✅ | ✅ | included |
| Language | File | Image[^8] | Rootfs[^9] | Filesystem[^10] | Repository[^11] | Dev dependencies |
| -------- |--------------------------------------------------------------------------------------------| :-------: | :--------: | :-------------: | :-------------: | ---------------- |
| Ruby | Gemfile.lock | - | - | ✅ | ✅ | included |
| | gemspec | ✅ | ✅ | - | - | included |
| Python | Pipfile.lock | - | - | ✅ | ✅ | excluded |
| | poetry.lock | - | - | ✅ | ✅ | included |
| | requirements.txt | - | - | ✅ | ✅ | included |
| | egg package[^1] | ✅ | ✅ | - | - | excluded |
| | wheel package[^2] | ✅ | ✅ | - | - | excluded |
| PHP | composer.lock | ✅ | ✅ | ✅ | ✅ | excluded |
| Node.js | package-lock.json | - | - | ✅ | ✅ | excluded |
| | yarn.lock | - | - | ✅ | ✅ | included |
| | pnpm-lock.yaml | - | - | ✅ | ✅ | excluded |
| | package.json | ✅ | ✅ | - | - | excluded |
| .NET | packages.lock.json | ✅ | ✅ | ✅ | ✅ | included |
| | packages.config | ✅ | ✅ | ✅ | ✅ | excluded |
| | .deps.json | ✅ | ✅ | ✅ | ✅ | excluded |
| Java | JAR/WAR/PAR/EAR[^3][^4] | ✅ | ✅ | - | - | included |
| | pom.xml[^5] | - | - | ✅ | ✅ | excluded |
| | *gradle.lockfile | - | - | | | excluded |
| Go | Binaries built by Go[^6] | | | - | - | excluded |
| | go.mod[^7] | - | - | ✅ | ✅ | included |
| Rust | Cargo.lock | ✅ | ✅ | ✅ | ✅ | included |
| | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) | ✅ | ✅ | - | - | excluded
| C/C++ | conan.lock[^12] | - | - | ✅ | ✅ | excluded |
The path of these files does not matter.
@@ -41,3 +43,4 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
[^9]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
[^10]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
[^11]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
[^12]: To scan a filename other than the default filename(`conan.lock`) use [file-patterns](../examples/others.md#file-patterns)

16
docs/docs/vulnerability/examples/others.md
View File

@@ -16,6 +16,22 @@ If your image contains lock files which are not maintained by you, you can skip
$ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
## File patterns
When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
The default file patterns are [here](../../misconfiguration/custom/index.md).
In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
This can be repeated for specifying multiple file patterns.
A file pattern contains the analyzer it is used for, and the pattern itself, joined by a semicolon. For example:
```
--file-patterns "dockerfile:.*.docker" --file-patterns "yaml:deployment" --file-patterns "pip:requirements-.*\.txt"
```
For more details, see [an example](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/file-patterns)
## Exit Code
By default, `Trivy` exits with code 0 even when vulnerabilities are detected.
Use the `--exit-code` option if you want to exit with a non-zero exit code.

10
docs/docs/vulnerability/examples/report.md
View File

@@ -15,7 +15,10 @@ Modern software development relies on the use of third-party libraries.
Third-party dependencies also depend on others so a list of dependencies can be represented as a dependency graph.
In some cases, vulnerable dependencies are not linked directly, and it requires analyses of the tree.
To make this task simpler Trivy can show a dependency origin tree with the `--dependency-tree` flag.
This flag is only available with the `fs` or `repo` commands and the `--format table` flag.
This flag is only available with the `--format table` flag.
!!! note
Only Node.js (package-lock.json) and Rust Binaries built with [cargo-auditable][cargo-auditable] are supported at the moment.
This tree is the reverse of the npm list command.
However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
@@ -60,9 +63,6 @@ Also, **glob-parent@3.1.0** with some vulnerabilities is included through chain
Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to resolve vulnerabilities in **follow-redirects@1.14.6** and **glob-parent@3.1.0**.
!!! note
Only Node.js (package-lock.json) is supported at the moment.
## JSON
```
@@ -273,7 +273,7 @@ The following example shows use of default HTML template when Trivy is installed
$ trivy image --format template --template "@/usr/local/share/trivy/templates/html.tpl" -o report.html golang:1.12-alpine
```
[cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/
[new-json]: https://github.com/aquasecurity/trivy/discussions/1050
[action]: https://github.com/aquasecurity/trivy-action
[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/docs/integrations/aws-security-hub.md

93
docs/ecosystem/tools.md Normal file
View File

@@ -0,0 +1,93 @@
# Tools
This section includes several tools either added by the core maintainers from Aqua Security or the open source community.
## Official Trivy Tools
### GitHub Actions
| Actions | Description |
| ---------------------------- | -------------------------------------------------------------- |
| [trivy-action][trivy-action] | GitHub Actions for integrating Trivy into your GitHub pipeline |
### VSCode Extension
| Orb | Description |
| ------------------ | --------------------------- |
| [vs-code][vs-code] | VS Code extension for trivy |
### Vim Plugin
| Orb | Description |
| ---------------------- | -------------------- |
| [vim-trivy][vim-trivy] | Vim plugin for trivy |
### Docker Desktop Extension
| Orb | Description |
| ---------------------------------| ----------------------------------------------------------------------------------------------------- |
| [docker-desktop][docker-desktop] | Trivy Docker Desktop extension for scanning container images for vulnerabilities and generating SBOMs |
### Azure DevOps Pipelines Task
| Orb | Description |
| ---------------------------- | --------------------------------------------------------------- |
| [azure-devops][azure-devops] | An Azure DevOps Pipelines Task for Trivy, with an integrated UI |
### Trivy Kubernetes Operator
| Orb | Description |
| ---------------------------------| ---------------------------------------- |
| [trivy-operator][trivy-operator] | Kubernetes Operator for installing Trivy |
### Kubernetes Lens Extension
| Orb | Description |
| ---------------------------- | ----------------------------------- |
| [lens-extension][trivy-lens] | Trivy Extension for Kubernetes Lens |
## Community Tools
### GitHub Actions
| Actions | Description |
| ------------------------------------------ | -------------------------------------------------------------------------------- |
| [gitrivy][gitrivy] | GitHub Issue + Trivy |
| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
### Semaphore
| Name | Description |
| -------------------------------------------------------| ----------------------------------------- |
| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
### CircleCI
| Orb | Description |
| -----------------------------------------| ----------------------------------------- |
| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
### Others
| Name | Description |
| -----------------------------------------| ----------------------------------------- |
| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links. |
[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
[gitrivy]: https://github.com/marketplace/actions/trivy-action
[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
[trivy-action]: https://github.com/aquasecurity/trivy-action
[vs-code]: https://github.com/aquasecurity/trivy-vscode-extension
[vim-trivy]: https://github.com/aquasecurity/vim-trivy
[docker-desktop]: https://github.com/aquasecurity/trivy-docker-extension
[azure-devops]: https://github.com/aquasecurity/trivy-azure-pipelines-task
[trivy-operator]: https://github.com/aquasecurity/trivy-operator
[trivy-lens]: https://github.com/aquasecurity/trivy-operator-lens-extension

32
docs/getting-started/further.md
View File

@@ -1,32 +0,0 @@
# Further Reading
## Presentations
- Aqua Security YouTube Channel
- [Trivy - container image scanning][intro]
- [Using Trivy in client server mode][server]
- [Tweaking Trivy output to fit your workflow][tweaking]
- [How does a vulnerability scanner identify packages?][identify]
- CNCF Webinar 2020
- [Trivy Open Source Scanner for Container Images Just Download and Run!][cncf]
- KubeCon + CloudNativeCon Europe 2020 Virtual
- [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security][kubecon]
## Blogs
- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family][join]
- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License][license]
- [DevSecOps with Trivy and GitHub Actions][actions]
- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
- [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
[intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
[cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
[server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
[kubecon]: https://www.youtube.com/watch?v=WKE2XNZ2zr4
[identify]: https://www.youtube.com/watch?v=PaMnzeHBa8M
[tweaking]: https://www.youtube.com/watch?v=wFIGUjcRLnU
[join]: https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family
[license]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license
[actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
[actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
[vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code

71
docs/getting-started/installation.md
View File

@@ -1,4 +1,4 @@
# Installation
# CLI Installation
## RHEL/CentOS
@@ -46,19 +46,11 @@
## Arch Linux
Package trivy-bin can be installed from the Arch User Repository.
Package trivy can be installed from the Arch Community Package Manager.
=== "pikaur"
``` bash
pikaur -Sy trivy-bin
```
=== "yay"
``` bash
yay -Sy trivy-bin
```
```bash
pacman -S trivy
```
## Homebrew
@@ -203,28 +195,6 @@ The same image is hosted on [Amazon ECR Public][ecr] as well.
docker pull public.ecr.aws/aquasecurity/trivy:{{ git.tag[1:] }}
```
## Helm
### Installing from the Aqua Chart Repository
```
helm repo add aquasecurity https://aquasecurity.github.io/helm-charts/
helm repo update
helm search repo trivy
helm install my-trivy aquasecurity/trivy
```
### Installing the Chart
To install the chart with the release name `my-release`:
```
helm install my-release .
```
The command deploys Trivy on the Kubernetes cluster in the default configuration. The [Parameters][helm]
section lists the parameters that can be configured during installation.
### AWS private registry permissions
You may need to grant permissions to allow trivy to pull images from private registry (AWS ECR).
@@ -258,6 +228,37 @@ podAnnotations: {}
> **Tip**: List all releases using `helm list`.
## Other Tools to use and deploy Trivy
For additional tools and ways to install and use Trivy in different envrionments such as in Docker Desktop and Kubernetes clusters, see the links in the [Ecosystem section](../ecosystem/tools.md).
[ecr]: https://gallery.ecr.aws/aquasecurity/trivy
[registry]: https://github.com/orgs/aquasecurity/packages/container/package/trivy
[helm]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/helm/trivy
[slack]: https://slack.aquasec.com
[operator-docs]: https://aquasecurity.github.io/trivy-operator/latest/
[vuln]: ./docs/vulnerability/scanning/index.md
[misconf]: ./docs/misconfiguration/scanning.md
[kubernetesoperator]: ./docs/kubernetes/operator/index.md
[container]: ./docs/vulnerability/scanning/image.md
[rootfs]: ./docs/vulnerability/scanning/rootfs.md
[filesystem]: ./docs/vulnerability/scanning/filesystem.md
[repo]: ./docs/vulnerability/scanning/git-repository.md
[kubernetes]: ./docs/kubernetes/cli/scanning.md
[standalone]: ./docs/references/modes/standalone.md
[client-server]: ./docs/references/modes/client-server.md
[integrations]: ./tutorials/integrations/index.md
[os]: ./docs/vulnerability/detection/os.md
[lang]: ./docs/vulnerability/detection/language.md
[builtin]: ./docs/misconfiguration/policy/builtin.md
[quickstart]: ./getting-started/quickstart.md
[podman]: ./docs/advanced/container/podman.md
[sbom]: ./docs/sbom/index.md
[oci]: https://github.com/opencontainers/image-spec
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE

44
docs/getting-started/overview.md
View File

@@ -1,44 +0,0 @@
# Overview
Trivy detects three types of security issues:
- [Vulnerabilities][vuln]
- [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- [Language-specific packages][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven, and Go)
- [Misconfigurations][misconf]
- Kubernetes
- Docker
- Terraform
- CloudFormation
- more coming soon
- [Secrets][secret]
- AWS access key
- GCP service account
- GitHub personal access token
- etc.
Trivy can scan three different artifacts:
- [Container Images][container]
- [Filesystem][filesystem]
- [Git Repositories][repo]
It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
See [Integrations][integrations] for details.
[vuln]: ../docs/vulnerability/scanning/index.md
[os]: ../docs/vulnerability/detection/os.md
[lang]: ../docs/vulnerability/detection/language.md
[misconf]: ../docs/misconfiguration/scanning.md
[secret]: ../docs/secret/scanning.md
[container]: ../docs/vulnerability/scanning/image.md
[rootfs]: ../docs/vulnerability/scanning/rootfs.md
[filesystem]: ../docs/vulnerability/scanning/filesystem.md
[repo]: ../docs/vulnerability/scanning/git-repository.md
[integrations]: ../docs/integrations/index.md
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE

5
docs/getting-started/quickstart.md
View File

@@ -1,5 +1,9 @@
# Quick Start
## Prerequisites
- Make sure to have the Trivy [CLI installed][installation]
## Scan image for vulnerabilities and secrets
Simply specify an image name (and a tag).
@@ -80,6 +84,7 @@ See https://avd.aquasec.com/misconfig/ds001
For more details, see [here][misconf].
[installation]: ./installation.md
[vulnerability]: ../docs/vulnerability/scanning/index.md
[misconf]: ../docs/misconfiguration/scanning.md
[secret]: ../docs/secret/scanning.md

BIN
docs/imgs/argocd-ui.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 584 KiB

BIN
docs/imgs/docker-desktop.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 304 KiB

54
docs/index.md
View File

@@ -1,26 +1,34 @@
---
hide:
- navigation
- toc
---
![logo](imgs/logo.png){ align=left }
![logo](imgs/logo.png){ align=right }
`Trivy` (`tri` pronounced like **tri**gger, `vy` pronounced like en**vy**) is a simple and comprehensive [vulnerability][vulnerability]/[misconfiguration][misconf]/[secret][secret] scanner for containers and other artifacts.
`Trivy` detects vulnerabilities of [OS packages][os] (Alpine, RHEL, CentOS, etc.) and [language-specific packages][lang] (Bundler, Composer, npm, yarn, etc.).
In addition, `Trivy` scans [Infrastructure as Code (IaC) files][misconf] such as Terraform and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack.
`Trivy` also scans [hardcoded secrets][secret] like passwords, API keys and tokens.
`Trivy` is easy to use. Just install the binary and you're ready to scan.
All you need to do for scanning is to specify a target such as an image name of the container.
Trivy (tri pronounced like trigger, vy pronounced like envy) is a comprehensive security scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.
<div style="text-align: center">
<img src="imgs/overview.png" width="800">
</div>
Trivy has different scanners that look for different security issues, and different targets where it can find those issues.
Targets:
<div style="text-align: center; margin-top: 150px">
<h1 id="demo">Demo</h1>
</div>
- Container Image
- Filesystem
- Git repository (remote)
- Kubernetes cluster or resource
Scanners:
- OS packages and software dependencies in use (SBOM)
- Known vulnerabilities (CVEs)
- IaC misconfigurations
- Sensitive information and secrets
It is designed to be used in CI. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily.
See [Integrations][integrations] for details.
Much more scanners and targets are coming up. [Join the Slack][slack] channel to stay up to date, ask questions, and let us know what features you would like to see.
Please see [LICENSE][license] for Trivy licensing information.
<figure style="text-align: center">
<video width="1000" autoplay muted controls loop>
@@ -41,18 +49,6 @@ All you need to do for scanning is to specify a target such as an image name of
<figcaption>Demo: Secret Detection</figcaption>
</figure>
---
Trivy is an [Aqua Security][aquasec] open source project.
Learn about our open source work and portfolio [here][oss].
Contact us about any matter by opening a GitHub Discussion [here][discussions]
[vulnerability]: docs/vulnerability/scanning/index.md
[misconf]: docs/misconfiguration/scanning.md
[secret]: docs/secret/scanning.md
[os]: docs/vulnerability/detection/os.md
[lang]: docs/vulnerability/detection/language.md
[aquasec]: https://aquasec.com
[oss]: https://www.aquasec.com/products/open-source-projects/
[discussions]: https://github.com/aquasecurity/trivy/discussions
[integrations]: ./tutorials/integrations/index.md
[slack]: https://slack.aquasec.com
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE

11
docs/community/cks.md → docs/tutorials/additional-resources/cks.md
View File

@@ -1,21 +1,26 @@
# CKS preparation resources
Community Resources
The [Certified Kubernetes Security Specialist (CKS) Exam](https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/) is offered by The Linux Foundation. It provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. CKA certification is required to sit for this exam.
### Community Resources
- [Trivy Video overview (short)][overview]
- [Example questions from the exam][exam]
- [More example questions][questions]
- [CKS exam study guide](study-guide)
- [Docker Image Vulnerabilities & Trivy Image Scanning Demo | K21Academy](https://youtu.be/gHz10UsEdys)
Aqua Security Blog posts
### Aqua Security Blog posts to learn more
- Supply chain security best [practices][supply-chain-best-practices]
- Supply chain [attacks][supply-chain-attacks]
-
If you know of interesting resources, please start a PR to add those to the list.
[overview]: https://youtu.be/2cjH6Zkieys
[exam]: https://jonathan18186.medium.com/certified-kubernetes-security-specialist-cks-preparation-part-7-supply-chain-security-9cf62c34cf6a
[questions]: https://github.com/kodekloudhub/certified-kubernetes-security-specialist-cks-course/blob/main/docs/06-Supply-Chain-Security/09-Scan-images-for-known-vulnerabilities-(Trivy).md
[study-guide]: https://devopscube.com/cks-exam-guide-tips/
[supply-chain-best-practices]: https://blog.aquasec.com/supply-chain-security-best-practices
[supply-chain-attacks]: https://blog.aquasec.com/supply-chain-threats-using-container-images

37
docs/tutorials/additional-resources/community.md Normal file
View File

@@ -0,0 +1,37 @@
# Community References
Below is a list of additional resources from the community.
## Vulnderability Scanning
- [Detecting Spring4Shell with Trivy and Grype](https://youtu.be/mOfBcpJWwSs)
## CI/CD Pipelines
- [How to use Tekton to set up a CI pipeline with OpenShift Pipelines](https://www.redhat.com/architect/cicd-pipeline-openshift-tekton)
- [Continuous Container Vulnerability Testing with Trivy](https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy)
- [Getting Started With Trivy and Jenkins](https://youtu.be/MWe01VdwuMA)
- [How to use Tekton to set up a CI pipeline with OpenShift Pipelines](https://www.redhat.com/architect/cicd-pipeline-openshift-tekton)
## Misconfiguration Scanning
- [Identifying Misconfigurations in your Terraform](https://youtu.be/cps1V5fOHtE)
- [How to write custom policies for Trivy](https://blog.ediri.io/how-to-write-custom-policies-for-trivy)
## SBOM, Attestation & related
- [Attesting Image Scans With Kyverno](https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno/)
## Trivy Kubernetes
- [Using Trivy Kubernetes in OVHCloud documentation.](https://docs.ovh.com/gb/en/kubernetes/installing-trivy/)
## Comparisons
- [the vulnerability remediation lifecycle of Alpine containers](https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/)
- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy](https://boxboat.com/2020/04/24/image-scanning-tech-compared/)
- [Docker Image Security: Static Analysis Tool Comparison Anchore Engine vs Clair vs Trivy](https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/)
### Evaluations
- [Istio evaluating to use Trivy](https://github.com/istio/release-builder/pull/687#issuecomment-874938417)
- [Research Spike: evaluate Trivy for scanning running containers](https://gitlab.com/gitlab-org/gitlab/-/issues/270888)

38
docs/tutorials/additional-resources/references.md Normal file
View File

@@ -0,0 +1,38 @@
# Additional Resources and Tutorials
Below is a list of additional resources from Aqua Security.
## Announcements
- [Trivy Vulnerability Scanner Joins the Aqua Open-source Family](https://blog.aquasec.com/trivy-vulnerability-scanner-joins-aqua-family)
- [Trivy Image Vulnerability Scanner Now Under Apache 2.0 License](https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-apache2.0-license)
## Vulnderability Scanning
- [Using Trivy to Discover Vulnerabilities in VS Code Projects](https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code)
- [How does a vulnerability scanner identify packages?](https://youtu.be/PaMnzeHBa8M)
- [Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security](https://youtu.be/WKE2XNZ2zr4)
## CI/CD Pipelines
- [DevSecOps with Trivy and GitHub Actions](https://blog.aquasec.com/devsecops-with-trivy-github-actions)
- [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action](https://blog.aquasec.com/github-vulnerability-scanner-trivy)
## Misconfiguration Scanning
- [Identifying Misconfigurations in your Terraform](https://youtu.be/cps1V5fOHtE)
## Client/Server
- [Using Trivy in client server mode](https://youtu.be/tNQ-VlahtYM)
## Workshops
- [Trivy Live Demo & Q&A](https://youtu.be/6Vw0QgJ-k5o)
- [First Steps to Full Lifecycle Security with Open Source Tools - Rory McCune & Anais Urlichs](https://youtu.be/nwJ0366rs6s)
## Older Resources
- [Webinar: Trivy Open Source Scanner for Container Images Just Download and Run!](https://youtu.be/XnYxX9uueoQ)
- [Kubernetes Security through GitOps Best Practices: ArgoCD and Starboard](https://youtu.be/YvMY8to9aHI)
- [Get started with Kubernetes Security and Starboard](https://youtu.be/QgctrpTpJec)

0
docs/docs/integrations/aws-codepipeline.md → docs/tutorials/integrations/aws-codepipeline.md
View File

51
docs/tutorials/integrations/aws-security-hub.md Normal file
View File

@@ -0,0 +1,51 @@
# AWS Security Hub
## Upload findings to Security Hub
In the following example using the template `asff.tpl`, [ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) file can be generated.
```
$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff golang:1.12-alpine
```
ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.
The Product [ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) field follows the pattern below to match what AWS requires for the [product resource type](https://github.com/awsdocs/aws-security-hub-user-guide/blob/master/doc_source/securityhub-partner-providers.md#aqua-security--aqua-cloud-native-security-platform-sends-findings).
{% raw %}
```
"ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
```
{% endraw %}
In order to upload results you must first run [enable-import-findings-for-product](https://docs.aws.amazon.com/cli/latest/reference/securityhub/enable-import-findings-for-product.html) like:
```
aws securityhub enable-import-findings-for-product --product-arn arn:aws:securityhub:<AWS_REGION>::product/aquasecurity/aquasecurity
```
Then, you can upload it with AWS CLI.
```
$ aws securityhub batch-import-findings --findings file://report.asff
```
### Note
The [batch-import-findings](https://docs.aws.amazon.com/cli/latest/reference/securityhub/batch-import-findings.html#options) command limits the number of findings uploaded to 100 per request. The best known workaround to this problem is using [jq](https://stedolan.github.io/jq/) to run the following command
```
jq '.[:100]' report.asff 1> short_report.asff
```
## Customize
You can customize [asff.tpl](https://github.com/aquasecurity/trivy/blob/main/contrib/asff.tpl)
```
$ export AWS_REGION=us-west-1
$ export AWS_ACCOUNT_ID=123456789012
$ trivy image --format template --template "@your-asff.tpl" -o report.asff golang:1.12-alpine
```
## Reference
https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/

22
docs/tutorials/integrations/azure-devops.md Normal file
View File

@@ -0,0 +1,22 @@
# Azure Devops
- Here is the [Azure DevOps Pipelines Task for Trivy][action]
![trivy-azure](https://github.com/aquasecurity/trivy-azure-pipelines-task/blob/main/screenshot.png?raw=true)
### [Use ImageCleaner to clean up stale images on your Azure Kubernetes Service cluster][azure2]
It's common to use pipelines to build and deploy images on Azure Kubernetes Service (AKS) clusters. While great for image creation, this process often doesn't account for the stale images left behind and can lead to image bloat on cluster nodes. These images can present security issues as they may contain vulnerabilities. By cleaning these unreferenced images, you can remove an area of risk in your clusters. When done manually, this process can be time intensive, which ImageCleaner can mitigate via automatic image identification and removal.
Vulnerability is determined based on a trivy scan, after which images with a LOW, MEDIUM, HIGH, or CRITICAL classification are flagged. An updated ImageList will be automatically generated by ImageCleaner based on a set time interval, and can also be supplied manually.
### [Microsoft Defender for container registries and Trivy][azure]
This blog explains how to scan your Azure Container Registry-based container images with the integrated vulnerability scanner when they're built as part of your GitHub workflows.
To set up the scanner, you'll need to enable Microsoft Defender for Containers and the CI/CD integration. When your CI/CD workflows push images to your registries, you can view registry scan results and a summary of CI/CD scan results.
The findings of the CI/CD scans are an enrichment to the existing registry scan findings by Qualys. Defender for Cloud's CI/CD scanning is powered by Aqua Trivy
[action]: https://github.com/aquasecurity/trivy-azure-pipelines-task
[azure]: https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-cicd
[azure2]: https://docs.microsoft.com/en-us/azure/aks/image-cleaner?tabs=azure-cli

0
docs/docs/integrations/bitbucket.md → docs/tutorials/integrations/bitbucket.md
View File

0
docs/docs/integrations/circleci.md → docs/tutorials/integrations/circleci.md
View File

0
docs/docs/integrations/github-actions.md → docs/tutorials/integrations/github-actions.md
View File

0
docs/docs/integrations/gitlab-ci.md → docs/tutorials/integrations/gitlab-ci.md
View File

0
docs/docs/integrations/index.md → docs/tutorials/integrations/index.md
View File

0
docs/docs/integrations/travis-ci.md → docs/tutorials/integrations/travis-ci.md
View File

120
docs/tutorials/kubernetes/cluster-scanning.md Normal file
View File

@@ -0,0 +1,120 @@
# Kubernetes Scanning Tutorial
## Prerequisites
To test the following commands yourself, make sure that youre connected to a Kubernetes cluster. A simple kind, a Docker-Desktop or microk8s cluster will do. In our case, well use a one-node kind cluster.
Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster.
## Cluster Scanning
Trivy K8s is great to get an overview of all the vulnerabilities and misconfiguration issues or to scan specific workloads that are running in your cluster. You would want to use the Trivy K8s command either on your own local cluster or in your CI/CD pipeline post deployments.
The Trivy K8s command is part of the Trivy CLI:
With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan:
```
trivy k8s --report=summary
```
To get detailed information for all your resources, just replace summary with all:
```
trivy k8s --report=all
```
However, we recommend displaying all information only in case you scan a specific namespace or resource since you can get overwhelmed with additional details.
Furthermore, we can specify the namespace that Trivy is supposed to scan to focus on specific resources in the scan result:
```
trivy k8s -n kube-system --report=summary
```
Again, if youd like to receive additional details, use the --report=all flag:
```
trivy k8s -n kube-system --report=all
```
Like with scanning for vulnerabilities, we can also filter in-cluster security issues by severity of the vulnerabilities:
```
trivy k8s --severity=CRITICAL --report=summary
```
Note that you can use any of the Trivy flags on the Trivy K8s command.
With the Trivy K8s command, you can also scan specific workloads that are running within your cluster, such as our deployment:
```
trivy k8s n app --report=summary deployments/react-application
```
## Trivy Operator
The Trivy K8s command is an imperative model to scan resources. We wouldnt want to manually scan each resource across different environments. The larger the cluster and the more workloads are running in it, the more error-prone this process would become. With the Trivy Operator, we can automate the scanning process after the deployment.
The Trivy Operator follows the Kubernetes Operator Model. Operators automate human actions, and the result of the task is saved as custom resource definitions (CRDs) within your cluster.
This has several benefits:
- Trivy Operator is installed CRDs in our cluster. As a result, all our resources, including our security scanner and its scan results, are Kubernetes resources. This makes it much easier to integrate the Trivy Operator directly into our existing processes, such as connecting Trivy with Prometheus, a monitoring system.
- The Trivy Operator will automatically scan your resources every six hours. You can set up automatic alerting in case new critical security issues are discovered.
- The CRDs can be both machine and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy operator.
There are several ways that you can install the Trivy Operator in your cluster. In this guide, were going to use the Helm installation based on the [following documentation.](../../docs/kubernetes/operator/index.md)
Make sure that you have the [Helm CLI installed.](https://helm.sh/docs/intro/install/)
Next, run the following commands.
First, we are going to add the Aqua Security Helm repository to our Helm repository list:
```
helm repo add aqua https://aquasecurity.github.io/helm-charts/
```
Then, we will update all of our Helm repositories. Even if you have just added a new repository to your existing charts, this is generally good practice to have access to the latest changes:
```
helm repo update
```
Lastly, we can install the Trivy operator Helm Chart to our cluster:
```
helm install trivy-operator aqua/trivy-operator \
--namespace trivy-system \
--create-namespace \
--set="trivy.ignoreUnfixed=true" \
--version v0.0.3
```
You can make sure that the operator is installed correctly via the following command:
```
kubectl get deployment -n trivy-system
```
Trivy will automatically start scanning your Kubernetes resources.
For instance, you can view vulnerability reports with the following command:
```
kubectl get vulnerabilityreports --all-namespaces -o wide
```
And then you can access the details of a security scan:
```
kubectl describe vulnerabilityreports <name of one of the above reports>
```
The same process can be applied to access Configauditreports:
```
kubectl get configauditreports --all-namespaces -o wide
```

125
docs/tutorials/kubernetes/gitops.md Normal file
View File

@@ -0,0 +1,125 @@
# Installing the Trivy-Operator through GitOps
This tutorial shows you how to install the Trivy Operator through GitOps platforms, namely ArgoCD and FluxCD.
## ArgoCD
Make sure to have [ArgoCD installed](https://argo-cd.readthedocs.io/en/stable/getting_started/) and running in your Kubernetes cluster.
You can either deploy the Trivy Operator through the argocd CLI or by applying a Kubernetes manifest.
ArgoCD command:
```
> kubectl create ns trivy-system
> argocd app create trivy-operator --repo https://github.com/aquasecurity/trivy-operator --path deploy/helm --dest-server https://kubernetes.default.svc --dest-namespace trivy-system
```
Note that this installation is directly related to our official Helm Chart. If you want to change any of the value, we'd suggest you to create a separate values.yaml file.
Kubernetes manifest `trivy-operator.yaml`:
```
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: trivy-operator
namespace: argocd
spec:
project: default
source:
chart: trivy-operator
repoURL: https://aquasecurity.github.io/helm-charts/
targetRevision: 0.0.3
helm:
values: |
trivy:
ignoreUnfixed: true
destination:
server: https://kubernetes.default.svc
namespace: trivy-system
syncPolicy:
automated:
prune: true
selfHeal: true
```
The apply the Kubernetes manifest. If you have the manifest locally, you can use the following command through kubectl:
```
> kubectl apply -f trivy-operator.yaml
application.argoproj.io/trivy-operator created
```
If you have the manifest in a Git repository, you can apply it to your cluster through the following command:
```
> kubectl apply -n argocd -f https://raw.githubusercontent.com/AnaisUrlichs/argocd-starboard/main/starboard/argocd-starboard.yaml
```
The latter command would allow you to make changes to the YAML manifest that ArgoCD would register automatically.
Once deployed, you want to tell ArgoCD to sync the application from the actual state to the desired state:
```
argocd app sync trivy-operator
```
Now you can see the deployment in the ArgoCD UI. Have a look at the ArgoCD documentation to know how to access the UI.
![ArgoCD UI after deploying the Trivy Operator](../../imgs/argocd-ui.png)
Note that ArgoCD is unable to show the Trivy CRDs as synced.
## FluxCD
Make sure to have [FluxCD installed](https://fluxcd.io/docs/installation/#install-the-flux-cli) and running in your Kubernetes cluster.
You can either deploy the Trivy Operator through the Flux CLI or by applying a Kubernetes manifest.
Flux command:
```
> kubectl create ns trivy-system
> flux create source helm trivy-operator --url https://aquasecurity.github.io/helm-charts --namespace trivy-system
> flux create helmrelease trivy-operator --chart trivy-operator
--source HelmRepository/trivy-operator
--chart-version 0.0.3
--namespace trivy-system
```
Kubernetes manifest `trivy-operator.yaml`:
```
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: trivy-operator
namespace: flux-system
spec:
interval: 60m
url: https://aquasecurity.github.io/helm-charts/
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: trivy-operator
namespace: trivy-system
spec:
chart:
spec:
chart: trivy-operator
sourceRef:
kind: HelmRepository
name: trivy-operator
namespace: flux-system
version: 0.0.5
interval: 60m
```
You can then apply the file to your Kubernetes cluster:
```
kubectl apply -f trivy-operator.yaml
```
## After the installation
After the install, you want to check that the Trivy operator is running in the trivy-system namespace:
```
kubectl get deployment -n trivy-system
```

114
docs/tutorials/kubernetes/kyverno.md Normal file
View File

@@ -0,0 +1,114 @@
# Attesting Image Scans With Kyverno
This tutorial is based on the following blog post by Chip Zoller: [Attesting Image Scans With Kyverno](https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno/)
This tutorial details
- Verify the container image has an attestation with Kyverno
### Prerequisites
1. [Attestation of the vulnerability scan uploaded][vuln-attestation]
2. A running Kubernetes cluster that kubectl is connected to
### Kyverno Policy to check attestation
The following policy ensures that the attestation is no older than 168h:
vuln-attestation.yaml
{% raw %}
```bash
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-vulnerabilities
spec:
validationFailureAction: enforce
webhookTimeoutSeconds: 10
failurePolicy: Fail
rules:
- name: not-older-than-one-week
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "CONTAINER-REGISTRY/*:*"
attestations:
- predicateType: cosign.sigstore.dev/attestation/vuln/v1
conditions:
- all:
- key: "{{ time_since('','{{metadata.scanFinishedOn}}','') }}"
operator: LessThanOrEquals
value: "168h"
```
{% endraw %}
### Apply the policy to your Kubernetes cluster
Ensure that you have Kyverno already deployed and running on your cluster -- for instance throught he Kyverno Helm Chart.
Next, apply the above policy:
```
kubectl apply -f vuln-attestation.yaml
```
To ensure that the policy worked, we can deploye an example deployment file with our container image:
deployment.yaml
```
apiVersion: apps/v1
kind: Deployment
metadata:
name: cns-website
namespace: app
spec:
replicas: 2
selector:
matchLabels:
run: cns-website
template:
metadata:
labels:
run: cns-website
spec:
containers:
- name: cns-website
image: docker.io/anaisurlichs/cns-website:0.0.6
ports:
- containerPort: 80
imagePullPolicy: Always
resources:
limits:
memory: 512Mi
cpu: 200m
securityContext:
allowPrivilegeEscalation: false
```
Once we apply the deployment, it should pass since our attestation is available:
```
kubectl apply -f deployment.yaml -n app
deployment.apps/cns-website created
```
However, if we try to deploy any other container image, our deployment will fail. We can verify this by replacing the image referenced in the deployment with `docker.io/anaisurlichs/cns-website:0.0.5` and applying the deployment:
```
kubectl apply -f deployment-two.yaml
Resource: "apps/v1, Resource=deployments", GroupVersionKind: "apps/v1, Kind=Deployment"
Name: "cns-website", Namespace: "app"
for: "deployment-two.yaml": admission webhook "mutate.kyverno.svc-fail" denied the request:
resource Deployment/app/cns-website was blocked due to the following policies
check-image:
autogen-check-image: |
failed to verify signature for docker.io/anaisurlichs/cns-website:0.0.5: .attestors[0].entries[0].keys: no matching signatures:
```
[vuln-attestation]: ../signing/vuln-attestation.md

27
docs/tutorials/overview.md Normal file
View File

@@ -0,0 +1,27 @@
# Tutorials
Tutorials are a great way to learn about use cases and integrations. We highly encourage community members to share their Trivy use cases with us in the documentation.
There are two ways to contributor to the tutorials section
1. If you are creating any external content on Trivy, we would love to have it as part of our list of [external community resources][community-resources]
2. If you are creating an end-to-end tutorial on a specific Trivy use-case, we would love to feature it in our tutorial section. Read below how you can contribute tutorials to the docs.
## Process for adding new tutorials
Requirements
- The tutorial has to provide an end-to-end set of instructions
- Ideally, tutorials should focus on a specific use case
- If the tutorial is featuring other tools, those should be open source, too
- Make sure to describe the expected outcome after each instruction
**Tip:** Make sure that your tutorial is concise about a specific use case or integration.
How to add a tutorial
1. Simply create a new `.md` file in the tutorials folder of the docs
2. Add your content
3. Create a new index in the mkdocs.yaml file which is in the [root directory](https://github.com/aquasecurity/trivy) of the repository
4. Create a PR
[community-resources]: additional-resources/community.md

36
docs/tutorials/signing/vuln-attestation.md Normal file
View File

@@ -0,0 +1,36 @@
# Vulnerability Scan Record Attestation
This tutorial details
- Scan your container image for vulnerabilities
- Generate an attestation with Cosign
#### Prerequisites
1. Trivy CLI installed
2. Cosign installed
#### Scan Container Image for vulnerabilities
Scan your container image for vulnerabilities and save the scan result to a scan.json file:
```
trivy image --ignore-unfixed --format json --output scan.json anaisurlichs/cns-website:0.0.6
```
* --ignore-unfixed: Ensures that only the vulnerabilities are displayed that have a already a fix available
* --output scan.json: The scan output is scaved to a scan.json file instead of being displayed in the terminal.
Note: Replace the container image with the container image that you would like to scan.
#### Attestation of the vulnerability scan with Cosign
The following command generates an attestation for the vulnerability scan and uploads it to our container image:
```
cosign attest --replace --predicate scan.json --type vuln anaisurlichs/cns-website:0.0.6
```
Note: Replace the container image with the container image that you would like to scan.
See [here][vuln-attestation] for more details.
[vuln-attestation]: ../../docs/attestation/vuln.md

127
go.mod
View File

@@ -1,37 +1,41 @@
module github.com/aquasecurity/trivy
go 1.18
go 1.19
require (
github.com/CycloneDX/cyclonedx-go v0.6.0
github.com/Masterminds/sprig/v3 v3.2.2
github.com/NYTimes/gziphandler v1.1.1
github.com/alicebob/miniredis/v2 v2.22.0
github.com/alicebob/miniredis/v2 v2.23.0
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/go-dep-parser v0.0.0-20220819065825-29e1e04fb7ae
github.com/aquasecurity/defsec v0.75.3
github.com/aquasecurity/go-dep-parser v0.0.0-20220928105313-d3a51fe400e4
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
github.com/aquasecurity/table v1.7.2
github.com/aquasecurity/table v1.8.0
github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516
github.com/aquasecurity/trivy-db v0.0.0-20220627104749-930461748b63
github.com/aquasecurity/trivy-kubernetes v0.3.1-0.20220823151349-b90b48958b91
github.com/aws/aws-sdk-go-v2 v1.16.11
github.com/aws/aws-sdk-go-v2/config v1.17.0
github.com/aws/aws-sdk-go-v2/service/sts v1.16.13
github.com/caarlos0/env/v6 v6.9.3
github.com/aws/aws-sdk-go v1.44.95
github.com/aws/aws-sdk-go-v2 v1.16.14
github.com/aws/aws-sdk-go-v2/config v1.17.5
github.com/aws/aws-sdk-go-v2/service/sts v1.16.17
github.com/caarlos0/env/v6 v6.10.0
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/cheggaaa/pb/v3 v3.1.0
github.com/containerd/containerd v1.6.6
github.com/containerd/containerd v1.6.8
github.com/docker/docker v20.10.17+incompatible
github.com/docker/go-connections v0.4.0
github.com/fatih/color v1.13.0
github.com/go-enry/go-license-detector/v4 v4.3.0
github.com/go-openapi/runtime v0.24.1
github.com/go-openapi/strfmt v0.21.3
github.com/go-redis/redis/v8 v8.11.5
github.com/golang-jwt/jwt v3.2.2+incompatible
github.com/golang/protobuf v1.5.2
github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475
github.com/google/go-containerregistry v0.11.0
github.com/google/licenseclassifier/v2 v2.0.0-pre6
github.com/google/uuid v1.3.0
github.com/google/wire v0.5.0
@@ -47,37 +51,40 @@ require (
github.com/mailru/easyjson v0.7.7
github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
github.com/mitchellh/hashstructure/v2 v2.0.2
github.com/open-policy-agent/opa v0.43.0
github.com/open-policy-agent/opa v0.44.0
github.com/owenrumney/go-sarif/v2 v2.1.2
github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a
github.com/samber/lo v1.27.0
github.com/samber/lo v1.27.1
github.com/secure-systems-lab/go-securesystemslib v0.4.0
github.com/sigstore/rekor v0.12.0
github.com/sosedoff/gitkit v0.3.0
github.com/spf13/cobra v1.5.0
github.com/spf13/pflag v1.0.5
github.com/spf13/viper v1.12.0
github.com/stretchr/testify v1.8.0
github.com/testcontainers/testcontainers-go v0.13.0
github.com/tetratelabs/wazero v0.0.0-20220701105919-891761ac1ee2
github.com/tetratelabs/wazero v1.0.0-pre.1
github.com/twitchtv/twirp v8.1.2+incompatible
github.com/xlab/treeprint v1.1.0
go.etcd.io/bbolt v1.3.6
go.uber.org/zap v1.22.0
golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4
golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df
go.uber.org/zap v1.23.0
golang.org/x/exp v0.0.0-20220823124025-807a23277127
golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f
google.golang.org/protobuf v1.28.1
gopkg.in/yaml.v3 v3.0.1
k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
)
require (
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.4 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.12.13 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.12 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.18 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.12 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.19 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.12.18 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.15 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.21 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.15 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.22 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.9 // indirect
github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.15.14 // indirect
github.com/aws/aws-sdk-go-v2/service/apigateway v1.15.14 // indirect
github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.12.12 // indirect
github.com/aws/aws-sdk-go-v2/service/athena v1.18.4 // indirect
@@ -101,7 +108,7 @@ require (
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.5 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.13 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.12 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.12 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.15 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.12 // indirect
github.com/aws/aws-sdk-go-v2/service/kafka v1.17.13 // indirect
github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.13 // indirect
@@ -115,22 +122,34 @@ require (
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.17 // indirect
github.com/aws/aws-sdk-go-v2/service/sns v1.17.13 // indirect
github.com/aws/aws-sdk-go-v2/service/sqs v1.19.4 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.11.16 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.11.21 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.3 // indirect
github.com/aws/aws-sdk-go-v2/service/workspaces v1.22.3 // indirect
github.com/aws/smithy-go v1.12.1 // indirect
github.com/aws/smithy-go v1.13.2 // indirect
github.com/emicklei/go-restful/v3 v3.8.0 // indirect
github.com/go-openapi/analysis v0.21.4 // indirect
github.com/go-openapi/errors v0.20.3 // indirect
github.com/go-openapi/loads v0.21.2 // indirect
github.com/go-openapi/spec v0.20.7 // indirect
github.com/go-openapi/validate v0.22.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
github.com/googleapis/go-type-adapters v1.0.0 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/pelletier/go-toml/v2 v2.0.1 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/tchap/go-patricia/v2 v2.3.1 // indirect
go.mongodb.org/mongo-driver v1.10.0 // indirect
gonum.org/v1/gonum v0.7.0 // indirect
)
require (
cloud.google.com/go v0.100.2 // indirect
cloud.google.com/go/compute v1.6.1 // indirect
cloud.google.com/go v0.103.0 // indirect
cloud.google.com/go/compute v1.7.0 // indirect
cloud.google.com/go/iam v0.3.0 // indirect
cloud.google.com/go/storage v1.14.0 // indirect
cloud.google.com/go/storage v1.23.0 // indirect
github.com/Azure/azure-sdk-for-go v66.0.0+incompatible
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
@@ -149,22 +168,17 @@ require (
github.com/Masterminds/semver/v3 v3.1.1 // indirect
github.com/Masterminds/squirrel v1.5.3 // indirect
github.com/Microsoft/go-winio v0.5.2 // indirect
github.com/Microsoft/hcsshim v0.9.3 // indirect
github.com/Microsoft/hcsshim v0.9.4 // indirect
github.com/OneOfOne/xxhash v1.2.8 // indirect
github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
github.com/PuerkitoBio/purell v1.1.1 // indirect
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
github.com/VividCortex/ewma v1.1.1 // indirect
github.com/acomagu/bufpipe v1.0.3 // indirect
github.com/agext/levenshtein v1.2.3 // indirect
github.com/agnivade/levenshtein v1.0.1 // indirect
github.com/agnivade/levenshtein v1.1.1 // indirect
github.com/alecthomas/chroma v0.10.0 // indirect
github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
github.com/apparentlymart/go-cidr v1.1.0 // indirect
github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
github.com/aquasecurity/defsec v0.71.9
github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
github.com/aws/aws-sdk-go v1.44.77
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
github.com/bmatcuk/doublestar v1.3.4 // indirect
@@ -175,7 +189,7 @@ require (
github.com/containerd/cgroups v1.0.4 // indirect
github.com/containerd/continuity v0.3.0 // indirect
github.com/containerd/fifo v1.0.0 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.11.4 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.12.0 // indirect
github.com/containerd/ttrpc v1.1.1-0.20220420014843-944ef4a40df3 // indirect
github.com/containerd/typeurl v1.0.2 // indirect
github.com/cyphar/filepath-securejoin v0.2.3 // indirect
@@ -203,8 +217,8 @@ require (
github.com/go-gorp/gorp/v3 v3.0.2 // indirect
github.com/go-logr/logr v1.2.3 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
github.com/go-openapi/jsonreference v0.19.5 // indirect
github.com/go-openapi/swag v0.19.14 // indirect
github.com/go-openapi/jsonreference v0.20.0 // indirect
github.com/go-openapi/swag v0.22.3 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/goccy/go-yaml v1.8.2 // indirect
github.com/gofrs/uuid v4.0.0+incompatible // indirect
@@ -241,7 +255,7 @@ require (
github.com/json-iterator/go v1.1.12 // indirect
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
github.com/klauspost/compress v1.15.6 // indirect
github.com/klauspost/compress v1.15.8 // indirect
github.com/knqyf263/go-rpmdb v0.0.0-20220607073645-842f01763e21
github.com/knqyf263/nested v0.0.1
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
@@ -262,7 +276,7 @@ require (
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/buildkit v0.10.3
github.com/moby/buildkit v0.10.4
github.com/moby/locker v1.0.1 // indirect
github.com/moby/spdystream v0.2.0 // indirect
github.com/moby/sys/mount v0.3.3 // indirect
@@ -272,7 +286,7 @@ require (
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
github.com/montanaflynn/stats v0.0.0-20151014174947-eeaced052adb // indirect
github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe // indirect
github.com/morikuni/aec v1.0.0 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/olekukonko/tablewriter v0.0.5 // indirect
@@ -286,10 +300,10 @@ require (
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_golang v1.12.2 // indirect
github.com/prometheus/client_golang v1.13.0 // indirect
github.com/prometheus/client_model v0.2.0 // indirect
github.com/prometheus/common v0.32.1 // indirect
github.com/prometheus/procfs v0.7.3 // indirect
github.com/prometheus/common v0.37.0 // indirect
github.com/prometheus/procfs v0.8.0 // indirect
github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
github.com/rivo/uniseg v0.2.0 // indirect
@@ -306,9 +320,8 @@ require (
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/stretchr/objx v0.4.0 // indirect
github.com/subosito/gotenv v1.4.0 // indirect
github.com/ulikunitz/xz v0.5.8 // indirect
github.com/ulikunitz/xz v0.5.10 // indirect
github.com/vbatts/tar-split v0.11.2 // indirect
github.com/vektah/gqlparser/v2 v2.4.6 // indirect
github.com/xanzy/ssh-agent v0.3.0 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
@@ -319,26 +332,26 @@ require (
github.com/zclconf/go-cty-yaml v1.0.2 // indirect
go.opencensus.io v0.23.0 // indirect
go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
go.uber.org/atomic v1.7.0 // indirect
go.uber.org/multierr v1.7.0 // indirect
go.uber.org/atomic v1.9.0 // indirect
go.uber.org/multierr v1.8.0 // indirect
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3
golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4
golang.org/x/net v0.0.0-20220906165146-f3363e06e74c // indirect
golang.org/x/oauth2 v0.0.0-20220718184931-c8730f7fcb92 // indirect
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
golang.org/x/term v0.0.0-20220526004731-065cf7ba2467
golang.org/x/text v0.3.7
golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
golang.org/x/tools v0.1.10 // indirect
google.golang.org/api v0.81.0 // indirect
golang.org/x/tools v0.1.12 // indirect
google.golang.org/api v0.92.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
google.golang.org/grpc v1.48.0 // indirect
google.golang.org/genproto v0.0.0-20220720214146-176da50484ac // indirect
google.golang.org/grpc v1.49.0 // indirect
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.66.4 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/neurosnap/sentences.v1 v1.0.6 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect

501
go.sum
View File

File diff suppressed because it is too large Load Diff

15
goreleaser.yml
View File

@@ -235,6 +235,21 @@ docker_manifests:
- 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x'
- 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-ppc64le'
signs:
- cmd: cosign
env:
- COSIGN_EXPERIMENTAL=1
signature: "${artifact}.sig"
certificate: "${artifact}.pem"
args:
- "sign-blob"
- "--oidc-issuer=https://token.actions.githubusercontent.com"
- "--output-certificate=${certificate}"
- "--output-signature=${signature}"
- "${artifact}"
artifacts: all
output: true
docker_signs:
- cmd: cosign
env:

1
helm/trivy/README.md
View File

@@ -72,6 +72,7 @@ The following table lists the configurable parameters of the Trivy chart and the
| `trivy.dbRepository` | OCI repository to retrieve the trivy vulnerability database from | `ghcr.io/aquasecurity/trivy-db` |
| `trivy.cache.redis.enabled` | Enable Redis as caching backend | `false` |
| `trivy.cache.redis.url` | Specify redis connection url, e.g. redis://redis.redis.svc:6379 | `` |
| `trivy.cache.redis.ttl` | Specify redis TTL, e.g. 3600s or 24h | `` |
| `trivy.serverToken` | The token to authenticate Trivy client with Trivy server | `` |
| `trivy.existingSecret` | existingSecret if an existing secret has been created outside the chart. Overrides gitHubToken, registryUsername, registryPassword, serverToken | `` |
| `trivy.podAnnotations` | Annotations for pods created by statefulset | `{}` |

1
helm/trivy/templates/configmap.yaml
View File

@@ -9,6 +9,7 @@ data:
TRIVY_CACHE_DIR: "/home/scanner/.cache/trivy"
{{- if .Values.trivy.cache.redis.enabled }}
TRIVY_CACHE_BACKEND: {{ .Values.trivy.cache.redis.url | quote }}
TRIVY_CACHE_TTL: {{ .Values.trivy.cache.redis.ttl | quote }}
{{- end }}
TRIVY_DEBUG: {{ .Values.trivy.debugMode | quote }}
TRIVY_SKIP_UPDATE: {{ .Values.trivy.skipUpdate | quote }}

3
helm/trivy/values.yaml
View File

@@ -28,7 +28,7 @@ resources:
rbac:
create: true
pspEnabled: true
pspEnabled: false
podSecurityContext:
runAsUser: 65534
@@ -113,6 +113,7 @@ trivy:
redis:
enabled: false
url: "" # e.g. redis://redis.redis.svc:6379
ttl: "" # e.g 3600s, 24h
serviceAccount:
annotations: {}
# eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME

3
integration/client_server_test.go
View File

@@ -12,10 +12,9 @@ import (
"testing"
"time"
"github.com/samber/lo"
cdx "github.com/CycloneDX/cyclonedx-go"
"github.com/docker/go-connections/nat"
"github.com/samber/lo"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
testcontainers "github.com/testcontainers/testcontainers-go"

8
integration/docker_engine_test.go
View File

@@ -11,7 +11,7 @@ import (
"strings"
"testing"
"github.com/docker/docker/api/types"
api "github.com/docker/docker/api/types"
"github.com/docker/docker/client"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@@ -213,7 +213,7 @@ func TestDockerEngine(t *testing.T) {
require.NoError(t, err, tt.name)
// ensure image doesnt already exists
_, _ = cli.ImageRemove(ctx, tt.input, types.ImageRemoveOptions{
_, _ = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{
Force: true,
PruneChildren: true,
})
@@ -264,11 +264,11 @@ func TestDockerEngine(t *testing.T) {
compareReports(t, tt.golden, output)
// cleanup
_, err = cli.ImageRemove(ctx, tt.input, types.ImageRemoveOptions{
_, err = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{
Force: true,
PruneChildren: true,
})
_, err = cli.ImageRemove(ctx, tt.imageTag, types.ImageRemoveOptions{
_, err = cli.ImageRemove(ctx, tt.imageTag, api.ImageRemoveOptions{
Force: true,
PruneChildren: true,
})

17
integration/fs_test.go
View File

@@ -73,6 +73,23 @@ func TestFilesystem(t *testing.T) {
},
golden: "testdata/pom.json.golden",
},
{
name: "gradle",
args: args{
securityChecks: "vuln",
input: "testdata/fixtures/fs/gradle",
},
golden: "testdata/gradle.json.golden",
},
{
name: "conan",
args: args{
securityChecks: "vuln",
listAllPkgs: true,
input: "testdata/fixtures/fs/conan",
},
golden: "testdata/conan.json.golden",
},
{
name: "dockerfile",
args: args{

1
integration/integration_test.go
View File

@@ -103,7 +103,6 @@ func readReport(t *testing.T, filePath string) types.Report {
// We don't compare repo tags because the archive doesn't support it
report.Metadata.RepoTags = nil
report.Metadata.RepoDigests = nil
for i, result := range report.Results {

106
integration/sbom_test.go
View File

@@ -8,23 +8,28 @@ import (
"testing"
cdx "github.com/CycloneDX/cyclonedx-go"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
)
func TestCycloneDX(t *testing.T) {
func TestSBOM(t *testing.T) {
type args struct {
input string
format string
artifactType string
}
tests := []struct {
name string
args args
golden string
name string
args args
golden string
override types.Report
}{
{
name: "centos7-bom by trivy",
name: "centos7 cyclonedx",
args: args{
input: "testdata/fixtures/sbom/centos-7-cyclonedx.json",
format: "cyclonedx",
@@ -33,7 +38,7 @@ func TestCycloneDX(t *testing.T) {
golden: "testdata/centos-7-cyclonedx.json.golden",
},
{
name: "fluentd-multiple-lockfiles-bom by trivy",
name: "fluentd-multiple-lockfiles cyclonedx",
args: args{
input: "testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json",
format: "cyclonedx",
@@ -42,7 +47,7 @@ func TestCycloneDX(t *testing.T) {
golden: "testdata/fluentd-multiple-lockfiles-cyclonedx.json.golden",
},
{
name: "centos7-bom in in-toto attestation",
name: "centos7 in in-toto attestation",
args: args{
input: "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl",
format: "cyclonedx",
@@ -50,6 +55,52 @@ func TestCycloneDX(t *testing.T) {
},
golden: "testdata/centos-7-cyclonedx.json.golden",
},
{
name: "centos7 spdx tag-value",
args: args{
input: "testdata/fixtures/sbom/centos-7-spdx.txt",
format: "json",
artifactType: "spdx",
},
golden: "testdata/centos-7.json.golden",
override: types.Report{
ArtifactName: "testdata/fixtures/sbom/centos-7-spdx.txt",
ArtifactType: ftypes.ArtifactType("spdx"),
Results: types.Results{
{
Target: "testdata/fixtures/sbom/centos-7-spdx.txt (centos 7.6.1810)",
Vulnerabilities: []types.DetectedVulnerability{
{Ref: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
},
},
},
},
},
{
name: "centos7 spdx json",
args: args{
input: "testdata/fixtures/sbom/centos-7-spdx.json",
format: "json",
artifactType: "spdx",
},
golden: "testdata/centos-7.json.golden",
override: types.Report{
ArtifactName: "testdata/fixtures/sbom/centos-7-spdx.json",
ArtifactType: ftypes.ArtifactType("spdx"),
Results: types.Results{
{
Target: "testdata/fixtures/sbom/centos-7-spdx.json (centos 7.6.1810)",
Vulnerabilities: []types.DetectedVulnerability{
{Ref: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
{Ref: "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810"},
},
},
},
},
},
}
// Set up testing DB
@@ -61,7 +112,7 @@ func TestCycloneDX(t *testing.T) {
"--cache-dir", cacheDir, "sbom", "-q", "--skip-db-update", "--format", tt.args.format,
}
// Setup the output file
// Set up the output file
outputFile := filepath.Join(t.TempDir(), "output.json")
if *update {
outputFile = tt.golden
@@ -75,13 +126,46 @@ func TestCycloneDX(t *testing.T) {
assert.NoError(t, err)
// Compare want and got
want := decodeCycloneDX(t, tt.golden)
got := decodeCycloneDX(t, outputFile)
assert.Equal(t, want, got)
switch tt.args.format {
case "cyclonedx":
want := decodeCycloneDX(t, tt.golden)
got := decodeCycloneDX(t, outputFile)
assert.Equal(t, want, got)
case "json":
compareSBOMReports(t, tt.golden, outputFile, tt.override)
default:
require.Fail(t, "invalid format", "format: %s", tt.args.format)
}
})
}
}
// TODO(teppei): merge into compareReports
func compareSBOMReports(t *testing.T, wantFile, gotFile string, overrideWant types.Report) {
want := readReport(t, wantFile)
want.ArtifactName = overrideWant.ArtifactName
want.ArtifactType = overrideWant.ArtifactType
want.Metadata.ImageID = ""
want.Metadata.ImageConfig = v1.ConfigFile{}
want.Metadata.DiffIDs = nil
for i, result := range want.Results {
for j := range result.Vulnerabilities {
want.Results[i].Vulnerabilities[j].Layer.DiffID = ""
}
}
for i, result := range overrideWant.Results {
want.Results[i].Target = result.Target
for j, vuln := range result.Vulnerabilities {
want.Results[i].Vulnerabilities[j].Ref = vuln.Ref
}
}
got := readReport(t, gotFile)
assert.Equal(t, want, got)
}
func decodeCycloneDX(t *testing.T, filePath string) *cdx.BOM {
f, err := os.Open(filePath)
require.NoError(t, err)

76
integration/testdata/conan.json.golden vendored Normal file
View File

@@ -0,0 +1,76 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/conan",
"ArtifactType": "filesystem",
"Results": [
{
"Target": "conan.lock",
"Class": "lang-pkgs",
"Type": "conan",
"Packages": [
{
"ID": "bzip2/1.0.8",
"Name": "bzip2",
"Version": "1.0.8",
"Indirect": true
},
{
"ID": "expat/2.4.8",
"Name": "expat",
"Version": "2.4.8",
"Indirect": true
},
{
"ID": "openssl/1.1.1q",
"Name": "openssl",
"Version": "1.1.1q",
"Indirect": true
},
{
"ID": "pcre/8.43",
"Name": "pcre",
"Version": "8.43",
"Indirect": true,
"DependsOn": [
"bzip2/1.0.8",
"zlib/1.2.12"
]
},
{
"ID": "poco/1.9.4",
"Name": "poco",
"Version": "1.9.4",
"DependsOn": [
"pcre/8.43",
"zlib/1.2.12",
"expat/2.4.8",
"sqlite3/3.39.2",
"openssl/1.1.1q"
]
},
{
"ID": "sqlite3/3.39.2",
"Name": "sqlite3",
"Version": "3.39.2",
"Indirect": true
},
{
"ID": "zlib/1.2.12",
"Name": "zlib",
"Version": "1.2.12",
"Indirect": true
}
],
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2020-14155",
"PkgID": "pcre/8.43",
"PkgName": "pcre",
"InstalledVersion": "8.43",
"FixedVersion": "8.45",
"Severity": "UNKNOWN"
}
]
}
]
}

10
integration/testdata/fixtures/db/conan.yaml vendored Normal file
View File

@@ -0,0 +1,10 @@
- bucket: conan::GitLab Advisory Database Community
pairs:
- bucket: pcre
pairs:
- key: CVE-2020-14155
value:
PatchedVersions:
- "8.45"
VulnerableVersions:
- "<8.44"

25
integration/testdata/fixtures/db/vulnerability.yaml vendored
View File

@@ -1206,4 +1206,27 @@
- "https://github.com/advisories/GHSA-36p3-wjmg-h94x",
PublishedDate: "2022-04-01T23:15:00Z"
LastModifiedDate: "2022-05-19T14:21:00Z"
- key: CVE-2020-14155
value:
Title: "pcre: Integer overflow when parsing callout numeric arguments"
Description: "libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring."
Severity: MEDIUM
CweIDs:
- CWE-190
VendorSeverity:
alma: 1
nvd: 2
CVSS:
nvd:
V2Vector: "AV:N/AC:L/Au:N/C:N/I:N/A:P"
V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
V2Score: 5
V3Score: 5.3
redhat:
V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
V3Score: 5.3
References:
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155",
- "https://nvd.nist.gov/vuln/detail/CVE-2020-14155"
PublishedDate: "2020-06-15T17:15:00Z"
LastModifiedDate: "2022-04-28T15:06:00Z"

77
integration/testdata/fixtures/fs/conan/conan.lock vendored Normal file
View File

@@ -0,0 +1,77 @@
{
"graph_lock": {
"nodes": {
"0": {
"options": "bzip2:build_executable=True\nbzip2:fPIC=True\nbzip2:shared=False\nexpat:char_type=char\nexpat:fPIC=True\nexpat:shared=False\nopenssl:386=False\nopenssl:enable_weak_ssl_ciphers=False\nopenssl:fPIC=True\nopenssl:no_aria=False\nopenssl:no_asm=False\nopenssl:no_async=False\nopenssl:no_bf=False\nopenssl:no_blake2=False\nopenssl:no_camellia=False\nopenssl:no_cast=False\nopenssl:no_chacha=False\nopenssl:no_cms=False\nopenssl:no_comp=False\nopenssl:no_ct=False\nopenssl:no_deprecated=False\nopenssl:no_des=False\nopenssl:no_dgram=False\nopenssl:no_dh=False\nopenssl:no_dsa=False\nopenssl:no_dso=False\nopenssl:no_ec=False\nopenssl:no_ecdh=False\nopenssl:no_ecdsa=False\nopenssl:no_engine=False\nopenssl:no_filenames=False\nopenssl:no_gost=False\nopenssl:no_hmac=False\nopenssl:no_idea=False\nopenssl:no_md4=False\nopenssl:no_md5=False\nopenssl:no_mdc2=False\nopenssl:no_ocsp=False\nopenssl:no_pinshared=False\nopenssl:no_rc2=False\nopenssl:no_rfc3779=False\nopenssl:no_rmd160=False\nopenssl:no_rsa=False\nopenssl:no_seed=False\nopenssl:no_sha=False\nopenssl:no_sm2=False\nopenssl:no_sm3=False\nopenssl:no_sm4=False\nopenssl:no_sock=False\nopenssl:no_srp=False\nopenssl:no_srtp=False\nopenssl:no_sse2=False\nopenssl:no_ssl=False\nopenssl:no_ssl3=False\nopenssl:no_stdio=False\nopenssl:no_tests=False\nopenssl:no_threads=False\nopenssl:no_tls1=False\nopenssl:no_ts=False\nopenssl:no_whirlpool=False\nopenssl:openssldir=None\nopenssl:shared=False\npcre:build_pcre_16=True\npcre:build_pcre_32=True\npcre:build_pcre_8=True\npcre:build_pcrecpp=False\npcre:build_pcregrep=True\npcre:fPIC=True\npcre:shared=False\npcre:with_bzip2=True\npcre:with_jit=False\npcre:with_stack_for_recursion=True\npcre:with_unicode_properties=True\npcre:with_utf=True\npcre:with_zlib=True\npoco:enable_active_record=deprecated\npoco:enable_apacheconnector=False\npoco:enable_cppparser=False\npoco:enable_crypto=True\npoco:enable_data=True\npoco:enable_data_odbc=False\npoco:enable_data_sqlite=True\npoco:enable_encodings=True\npoco:enable_fork=True\npoco:enable_json=True\npoco:enable_mongodb=True\npoco:enable_net=True\npoco:enable_netssl=True\npoco:enable_pagecompiler=False\npoco:enable_pagecompiler_file2page=False\npoco:enable_pdf=False\npoco:enable_pocodoc=False\npoco:enable_redis=True\npoco:enable_sevenzip=False\npoco:enable_util=True\npoco:enable_xml=True\npoco:enable_zip=True\npoco:fPIC=True\npoco:shared=False\nsqlite3:build_executable=True\nsqlite3:disable_gethostuuid=False\nsqlite3:enable_column_metadata=True\nsqlite3:enable_dbpage_vtab=False\nsqlite3:enable_dbstat_vtab=False\nsqlite3:enable_default_secure_delete=False\nsqlite3:enable_default_vfs=True\nsqlite3:enable_explain_comments=False\nsqlite3:enable_fts3=False\nsqlite3:enable_fts3_parenthesis=False\nsqlite3:enable_fts4=False\nsqlite3:enable_fts5=False\nsqlite3:enable_json1=False\nsqlite3:enable_math_functions=True\nsqlite3:enable_preupdate_hook=False\nsqlite3:enable_rtree=True\nsqlite3:enable_soundex=False\nsqlite3:enable_unlock_notify=True\nsqlite3:fPIC=True\nsqlite3:max_blob_size=None\nsqlite3:max_column=None\nsqlite3:max_variable_number=None\nsqlite3:omit_deprecated=False\nsqlite3:omit_load_extension=False\nsqlite3:shared=False\nsqlite3:threadsafe=1\nsqlite3:use_alloca=False\nzlib:fPIC=True\nzlib:shared=False",
"requires": [
"1"
],
"path": "../conanfile.txt",
"context": "host"
},
"1": {
"ref": "poco/1.9.4",
"options": "enable_active_record=deprecated\nenable_apacheconnector=False\nenable_cppparser=False\nenable_crypto=True\nenable_data=True\nenable_data_odbc=False\nenable_data_sqlite=True\nenable_encodings=True\nenable_fork=True\nenable_json=True\nenable_mongodb=True\nenable_net=True\nenable_netssl=True\nenable_pagecompiler=False\nenable_pagecompiler_file2page=False\nenable_pdf=False\nenable_pocodoc=False\nenable_redis=True\nenable_sevenzip=False\nenable_util=True\nenable_xml=True\nenable_zip=True\nfPIC=True\nshared=False\nbzip2:build_executable=True\nbzip2:fPIC=True\nbzip2:shared=False\nexpat:char_type=char\nexpat:fPIC=True\nexpat:shared=False\nopenssl:386=False\nopenssl:enable_weak_ssl_ciphers=False\nopenssl:fPIC=True\nopenssl:no_aria=False\nopenssl:no_asm=False\nopenssl:no_async=False\nopenssl:no_bf=False\nopenssl:no_blake2=False\nopenssl:no_camellia=False\nopenssl:no_cast=False\nopenssl:no_chacha=False\nopenssl:no_cms=False\nopenssl:no_comp=False\nopenssl:no_ct=False\nopenssl:no_deprecated=False\nopenssl:no_des=False\nopenssl:no_dgram=False\nopenssl:no_dh=False\nopenssl:no_dsa=False\nopenssl:no_dso=False\nopenssl:no_ec=False\nopenssl:no_ecdh=False\nopenssl:no_ecdsa=False\nopenssl:no_engine=False\nopenssl:no_filenames=False\nopenssl:no_gost=False\nopenssl:no_hmac=False\nopenssl:no_idea=False\nopenssl:no_md4=False\nopenssl:no_md5=False\nopenssl:no_mdc2=False\nopenssl:no_ocsp=False\nopenssl:no_pinshared=False\nopenssl:no_rc2=False\nopenssl:no_rfc3779=False\nopenssl:no_rmd160=False\nopenssl:no_rsa=False\nopenssl:no_seed=False\nopenssl:no_sha=False\nopenssl:no_sm2=False\nopenssl:no_sm3=False\nopenssl:no_sm4=False\nopenssl:no_sock=False\nopenssl:no_srp=False\nopenssl:no_srtp=False\nopenssl:no_sse2=False\nopenssl:no_ssl=False\nopenssl:no_ssl3=False\nopenssl:no_stdio=False\nopenssl:no_tests=False\nopenssl:no_threads=False\nopenssl:no_tls1=False\nopenssl:no_ts=False\nopenssl:no_whirlpool=False\nopenssl:openssldir=None\nopenssl:shared=False\npcre:build_pcre_16=True\npcre:build_pcre_32=True\npcre:build_pcre_8=True\npcre:build_pcrecpp=False\npcre:build_pcregrep=True\npcre:fPIC=True\npcre:shared=False\npcre:with_bzip2=True\npcre:with_jit=False\npcre:with_stack_for_recursion=True\npcre:with_unicode_properties=True\npcre:with_utf=True\npcre:with_zlib=True\nsqlite3:build_executable=True\nsqlite3:disable_gethostuuid=False\nsqlite3:enable_column_metadata=True\nsqlite3:enable_dbpage_vtab=False\nsqlite3:enable_dbstat_vtab=False\nsqlite3:enable_default_secure_delete=False\nsqlite3:enable_default_vfs=True\nsqlite3:enable_explain_comments=False\nsqlite3:enable_fts3=False\nsqlite3:enable_fts3_parenthesis=False\nsqlite3:enable_fts4=False\nsqlite3:enable_fts5=False\nsqlite3:enable_json1=False\nsqlite3:enable_math_functions=True\nsqlite3:enable_preupdate_hook=False\nsqlite3:enable_rtree=True\nsqlite3:enable_soundex=False\nsqlite3:enable_unlock_notify=True\nsqlite3:fPIC=True\nsqlite3:max_blob_size=None\nsqlite3:max_column=None\nsqlite3:max_variable_number=None\nsqlite3:omit_deprecated=False\nsqlite3:omit_load_extension=False\nsqlite3:shared=False\nsqlite3:threadsafe=1\nsqlite3:use_alloca=False\nzlib:fPIC=True\nzlib:shared=False",
"package_id": "c3c2e0fbf9199382c510453d5fa86501149cf57a",
"prev": "0",
"requires": [
"2",
"4",
"5",
"6",
"7"
],
"context": "host"
},
"2": {
"ref": "pcre/8.43",
"options": "build_pcre_16=True\nbuild_pcre_32=True\nbuild_pcre_8=True\nbuild_pcrecpp=False\nbuild_pcregrep=True\nfPIC=True\nshared=False\nwith_bzip2=True\nwith_jit=False\nwith_stack_for_recursion=True\nwith_unicode_properties=True\nwith_utf=True\nwith_zlib=True\nbzip2:build_executable=True\nbzip2:fPIC=True\nbzip2:shared=False\nzlib:fPIC=True\nzlib:shared=False",
"package_id": "fab187555fa87e54b51a5e8e8ff95b0f5855d00b",
"prev": "0",
"requires": [
"3",
"4"
],
"context": "host"
},
"3": {
"ref": "bzip2/1.0.8",
"options": "build_executable=True\nfPIC=True\nshared=False",
"package_id": "3df6ebb8a308d309e882b21988fd9ea103560e16",
"prev": "0",
"context": "host"
},
"4": {
"ref": "zlib/1.2.12",
"options": "fPIC=True\nshared=False",
"package_id": "76f87539fc90ff313e0b3182641a9bb558a717d2",
"prev": "0",
"context": "host"
},
"5": {
"ref": "expat/2.4.8",
"options": "char_type=char\nfPIC=True\nshared=False",
"package_id": "b025735bb0d121754b0b4aaae6c02d3b9546c56f",
"prev": "0",
"context": "host"
},
"6": {
"ref": "sqlite3/3.39.2",
"options": "build_executable=True\ndisable_gethostuuid=False\nenable_column_metadata=True\nenable_dbpage_vtab=False\nenable_dbstat_vtab=False\nenable_default_secure_delete=False\nenable_default_vfs=True\nenable_explain_comments=False\nenable_fts3=False\nenable_fts3_parenthesis=False\nenable_fts4=False\nenable_fts5=False\nenable_json1=False\nenable_math_functions=True\nenable_preupdate_hook=False\nenable_rtree=True\nenable_soundex=False\nenable_unlock_notify=True\nfPIC=True\nmax_blob_size=None\nmax_column=None\nmax_variable_number=None\nomit_deprecated=False\nomit_load_extension=False\nshared=False\nthreadsafe=1\nuse_alloca=False",
"package_id": "bc01b0a8d9a484b3b4226ef647e2ba7dd5b627ed",
"prev": "0",
"context": "host"
},
"7": {
"ref": "openssl/1.1.1q",
"options": "386=False\nenable_weak_ssl_ciphers=False\nfPIC=True\nno_aria=False\nno_asm=False\nno_async=False\nno_bf=False\nno_blake2=False\nno_camellia=False\nno_cast=False\nno_chacha=False\nno_cms=False\nno_comp=False\nno_ct=False\nno_deprecated=False\nno_des=False\nno_dgram=False\nno_dh=False\nno_dsa=False\nno_dso=False\nno_ec=False\nno_ecdh=False\nno_ecdsa=False\nno_engine=False\nno_filenames=False\nno_gost=False\nno_hmac=False\nno_idea=False\nno_md4=False\nno_md5=False\nno_mdc2=False\nno_ocsp=False\nno_pinshared=False\nno_rc2=False\nno_rfc3779=False\nno_rmd160=False\nno_rsa=False\nno_seed=False\nno_sha=False\nno_sm2=False\nno_sm3=False\nno_sm4=False\nno_sock=False\nno_srp=False\nno_srtp=False\nno_sse2=False\nno_ssl=False\nno_ssl3=False\nno_stdio=False\nno_tests=False\nno_threads=False\nno_tls1=False\nno_ts=False\nno_whirlpool=False\nopenssldir=None\nshared=False",
"package_id": "76f87539fc90ff313e0b3182641a9bb558a717d2",
"prev": "0",
"context": "host"
}
},
"revisions_enabled": false
},
"version": "0.4",
"profile_host": "[settings]\narch=x86_64\narch_build=x86_64\nbuild_type=Release\ncompiler=gcc\ncompiler.libcxx=libstdc++\ncompiler.version=5\nos=Linux\nos_build=Linux\n[options]\n[build_requires]\n[env]\n"
}

5
integration/testdata/fixtures/fs/gradle/gradle.lockfile vendored Normal file
View File

@@ -0,0 +1,5 @@
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-databind:2.9.1=compileClasspath, runtimeClasspath
empty=

94
integration/testdata/fixtures/sbom/centos-7-spdx.json vendored Normal file
View File

@@ -0,0 +1,94 @@
{
"SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": {
"created": "2022-09-13T13:27:55.874784Z",
"creators": [
"Tool: trivy",
"Organization: aquasecurity"
]
},
"dataLicense": "CC0-1.0",
"documentNamespace": "http://aquasecurity.github.io/trivy/container_image/integration/testdata/fixtures/images/centos-7.tar.gz-2906855d-5098-4a22-9a72-4f7099ea3d66",
"name": "integration/testdata/fixtures/images/centos-7.tar.gz",
"packages": [
{
"SPDXID": "SPDXRef-ContainerImage-dd5cad897c6263",
"attributionTexts": [
"SchemaVersion: 2",
"ImageID: sha256:f1cb7c7d58b73eac859c395882eec49d50651244e342cd6c68a5c7809785f427",
"DiffID: sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a"
],
"filesAnalyzed": false,
"name": "integration/testdata/fixtures/images/centos-7.tar.gz"
},
{
"SPDXID": "SPDXRef-OperatingSystem-2e91c856c499a371",
"filesAnalyzed": false,
"name": "centos",
"versionInfo": "7.6.1810"
},
{
"SPDXID": "SPDXRef-Package-5a18334f22149877",
"attributionTexts": [
"LayerDigest: sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b",
"LayerDiffID: sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a"
],
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceLocator": "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64\u0026distro=centos-7.6.1810",
"referenceType": "purl"
}
],
"filesAnalyzed": false,
"licenseConcluded": "GPLv3+",
"licenseDeclared": "GPLv3+",
"name": "bash",
"sourceInfo": "built package from: bash 4.2.46-31.el7",
"versionInfo": "4.2.46"
},
{
"SPDXID": "SPDXRef-Package-e16b1cbaa5186199",
"attributionTexts": [
"LayerDigest: sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b",
"LayerDiffID: sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a"
],
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceLocator": "pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810",
"referenceType": "purl"
}
],
"filesAnalyzed": false,
"licenseConcluded": "OpenSSL",
"licenseDeclared": "OpenSSL",
"name": "openssl-libs",
"sourceInfo": "built package from: openssl-libs 1:1.0.2k-16.el7",
"versionInfo": "1.0.2k"
}
],
"relationships": [
{
"relatedSpdxElement": "SPDXRef-ContainerImage-dd5cad897c6263",
"relationshipType": "DESCRIBE",
"spdxElementId": "SPDXRef-DOCUMENT"
},
{
"relatedSpdxElement": "SPDXRef-OperatingSystem-2e91c856c499a371",
"relationshipType": "CONTAINS",
"spdxElementId": "SPDXRef-ContainerImage-dd5cad897c6263"
},
{
"relatedSpdxElement": "SPDXRef-Package-5a18334f22149877",
"relationshipType": "CONTAINS",
"spdxElementId": "SPDXRef-OperatingSystem-2e91c856c499a371"
},
{
"relatedSpdxElement": "SPDXRef-Package-e16b1cbaa5186199",
"relationshipType": "CONTAINS",
"spdxElementId": "SPDXRef-OperatingSystem-2e91c856c499a371"
}
],
"spdxVersion": "SPDX-2.2"
}

57
integration/testdata/fixtures/sbom/centos-7-spdx.txt vendored Normal file
View File

@@ -0,0 +1,57 @@
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: integration/testdata/fixtures/images/centos-7.tar.gz
DocumentNamespace: http://aquasecurity.github.io/trivy/container_image/integration/testdata/fixtures/images/centos-7.tar.gz-6a2c050f-bc12-46dc-b2df-1f4e3e0b5e1d
Creator: Organization: aquasecurity
Creator: Tool: trivy
Created: 2022-09-13T13:24:58.796907Z
##### Package: integration/testdata/fixtures/images/centos-7.tar.gz
PackageName: integration/testdata/fixtures/images/centos-7.tar.gz
SPDXID: SPDXRef-ContainerImage-dd5cad897c6263
FilesAnalyzed: false
PackageAttributionText: SchemaVersion: 2
PackageAttributionText: ImageID: sha256:f1cb7c7d58b73eac859c395882eec49d50651244e342cd6c68a5c7809785f427
PackageAttributionText: DiffID: sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a
##### Package: centos
PackageName: centos
SPDXID: SPDXRef-OperatingSystem-2e91c856c499a371
PackageVersion: 7.6.1810
FilesAnalyzed: false
##### Package: bash
PackageName: bash
SPDXID: SPDXRef-Package-5a18334f22149877
PackageVersion: 4.2.46
FilesAnalyzed: false
PackageSourceInfo: built package from: bash 4.2.46-31.el7
PackageLicenseConcluded: GPLv3+
PackageLicenseDeclared: GPLv3+
ExternalRef: PACKAGE-MANAGER purl pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810
PackageAttributionText: LayerDigest: sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b
PackageAttributionText: LayerDiffID: sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a
##### Package: openssl-libs
PackageName: openssl-libs
SPDXID: SPDXRef-Package-e16b1cbaa5186199
PackageVersion: 1.0.2k
FilesAnalyzed: false
PackageSourceInfo: built package from: openssl-libs 1:1.0.2k-16.el7
PackageLicenseConcluded: OpenSSL
PackageLicenseDeclared: OpenSSL
ExternalRef: PACKAGE-MANAGER purl pkg:rpm/centos/openssl-libs@1:1.0.2k-16.el7?arch=x86_64&distro=centos-7.6.1810
PackageAttributionText: LayerDigest: sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b
PackageAttributionText: LayerDiffID: sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a
##### Relationships
Relationship: SPDXRef-DOCUMENT DESCRIBE SPDXRef-ContainerImage-dd5cad897c6263
Relationship: SPDXRef-ContainerImage-dd5cad897c6263 CONTAINS SPDXRef-OperatingSystem-2e91c856c499a371
Relationship: SPDXRef-OperatingSystem-2e91c856c499a371 DEPENDS_ON SPDXRef-Package-5a18334f22149877
Relationship: SPDXRef-OperatingSystem-2e91c856c499a371 DEPENDS_ON SPDXRef-Package-e16b1cbaa5186199

126
integration/testdata/gradle.json.golden vendored Normal file
View File

@@ -0,0 +1,126 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/gradle",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "gradle.lockfile",
"Class": "lang-pkgs",
"Type": "gradle",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2020-9548",
"PkgName": "com.fasterxml.jackson.core:jackson-databind",
"InstalledVersion": "2.9.1",
"FixedVersion": "2.9.10.4",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-9548",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Maven",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
},
"Title": "jackson-databind: Serialization gadgets in anteros-core",
"Description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-502"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 6.8,
"V3Score": 9.8
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2020-9548",
"https://github.com/FasterXML/jackson-databind/issues/2634",
"https://github.com/advisories/GHSA-p43x-xfjf-5jhr",
"https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E",
"https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html",
"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"https://nvd.nist.gov/vuln/detail/CVE-2020-9548",
"https://security.netapp.com/advisory/ntap-20200904-0006/",
"https://www.oracle.com/security-alerts/cpujan2021.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.oracle.com/security-alerts/cpuoct2020.html",
"https://www.oracle.com/security-alerts/cpuoct2021.html"
],
"PublishedDate": "2020-03-02T04:15:00Z",
"LastModifiedDate": "2021-12-02T21:23:00Z"
},
{
"VulnerabilityID": "CVE-2021-20190",
"PkgName": "com.fasterxml.jackson.core:jackson-databind",
"InstalledVersion": "2.9.1",
"FixedVersion": "2.9.10.7",
"Layer": {},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-20190",
"DataSource": {
"ID": "glad",
"Name": "GitLab Advisory Database Community",
"URL": "https://gitlab.com/gitlab-org/advisories-community"
},
"Title": "jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing",
"Description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"Severity": "HIGH",
"CweIDs": [
"CWE-502"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C",
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 8.3,
"V3Score": 8.1
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2021-20190",
"https://bugzilla.redhat.com/show_bug.cgi?id=1916633",
"https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a",
"https://github.com/FasterXML/jackson-databind/issues/2854",
"https://github.com/advisories/GHSA-5949-rw7g-wx7w",
"https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E",
"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html",
"https://nvd.nist.gov/vuln/detail/CVE-2021-20190",
"https://security.netapp.com/advisory/ntap-20210219-0008/"
],
"PublishedDate": "2021-01-19T17:15:00Z",
"LastModifiedDate": "2021-07-20T23:15:00Z"
}
]
}
]
}

6
integration/testdata/helm.json.golden vendored
View File

@@ -20,7 +20,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 76,
"Successes": 77,
"Failures": 2,
"Exceptions": 0
},
@@ -270,7 +270,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 78,
"Successes": 79,
"Failures": 0,
"Exceptions": 0
}
@@ -280,7 +280,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 78,
"Successes": 79,
"Failures": 0,
"Exceptions": 0
}

6
integration/testdata/helm_testchart.json.golden vendored
View File

@@ -20,7 +20,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 76,
"Successes": 77,
"Failures": 2,
"Exceptions": 0
},
@@ -270,7 +270,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 78,
"Successes": 79,
"Failures": 0,
"Exceptions": 0
}
@@ -280,7 +280,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 78,
"Successes": 79,
"Failures": 0,
"Exceptions": 0
}

6
integration/testdata/helm_testchart.overridden.json.golden vendored
View File

@@ -20,7 +20,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 74,
"Successes": 75,
"Failures": 4,
"Exceptions": 0
},
@@ -481,7 +481,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 78,
"Successes": 79,
"Failures": 0,
"Exceptions": 0
}
@@ -491,7 +491,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 78,
"Successes": 79,
"Failures": 0,
"Exceptions": 0
}

48
mkdocs.yml
View File

@@ -7,13 +7,33 @@ repo_url: https://github.com/aquasecurity/trivy
edit_uri: ""
nav:
- HOME: index.md
- Getting started:
- Overview: getting-started/overview.md
- Getting Started:
- Overview: index.md
- Installation: getting-started/installation.md
- Quick Start: getting-started/quickstart.md
- Further Reading: getting-started/further.md
- Docs:
- Tutorials:
- Overview: tutorials/overview.md
- CI/CD:
- Overview: tutorials/integrations/index.md
- GitHub Actions: tutorials/integrations/github-actions.md
- CircleCI: tutorials/integrations/circleci.md
- Travis CI: tutorials/integrations/travis-ci.md
- GitLab CI: tutorials/integrations/gitlab-ci.md
- Bitbucket Pipelines: tutorials/integrations/bitbucket.md
- AWS CodePipeline: tutorials/integrations/aws-codepipeline.md
- AWS Security Hub: tutorials/integrations/aws-security-hub.md
- Azure: tutorials/integrations/azure-devops.md
- Signing:
- Vulnerability Scan Record Attestation: tutorials/signing/vuln-attestation.md
- Kubernetes:
- Cluster Scanning: tutorials/kubernetes/cluster-scanning.md
- Kyverno: tutorials/kubernetes/kyverno.md
- GitOps: tutorials/kubernetes/gitops.md
- Additional Resources:
- Additional Resources: tutorials/additional-resources/references.md
- Community References: tutorials/additional-resources/community.md
- CKS Reference: tutorials/additional-resources/cks.md
- CLI:
- Overview: docs/index.md
- Vulnerability:
- Scanning:
@@ -78,15 +98,7 @@ nav:
- Attestation:
- SBOM: docs/attestation/sbom.md
- Cosign Vulnerability Scan Record: docs/attestation/vuln.md
- Integrations:
- Overview: docs/integrations/index.md
- GitHub Actions: docs/integrations/github-actions.md
- CircleCI: docs/integrations/circleci.md
- Travis CI: docs/integrations/travis-ci.md
- GitLab CI: docs/integrations/gitlab-ci.md
- Bitbucket Pipelines: docs/integrations/bitbucket.md
- AWS CodePipeline: docs/integrations/aws-codepipeline.md
- AWS Security Hub: docs/integrations/aws-security-hub.md
- SBOM Attestation in Rekor: docs/attestation/rekor.md
- Advanced:
- Modules: docs/advanced/modules.md
- Plugins: docs/advanced/plugins.md
@@ -119,15 +131,13 @@ nav:
- Server: docs/references/cli/server.md
- Plugin: docs/references/cli/plugin.md
- SBOM: docs/references/cli/sbom.md
- Module: docs/references/cli/module.md
- Modes:
- Standalone: docs/references/modes/standalone.md
- Client/Server: docs/references/modes/client-server.md
- Troubleshooting: docs/references/troubleshooting.md
- Community:
- Tools: community/tools.md
- References: community/references.md
- CKS Reference: community/cks.md
- Credits: community/credit.md
- Ecosystem: ecosystem/tools.md
- Contributing:
- How to contribute:
- Issues: community/contribute/issue.md
- Pull Requests: community/contribute/pr.md

5
pkg/commands/app.go
View File

@@ -533,8 +533,9 @@ func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
scanFlags := &flag.ScanFlagGroup{
// Enable only '--skip-dirs' and '--skip-files' and disable other flags
SkipDirs: &flag.SkipDirsFlag,
SkipFiles: &flag.SkipFilesFlag,
SkipDirs: &flag.SkipDirsFlag,
SkipFiles: &flag.SkipFilesFlag,
FilePatterns: &flag.FilePatternsFlag,
}
configFlags := &flag.Flags{

12
pkg/commands/artifact/inject.go
View File

@@ -22,7 +22,7 @@ import (
// initializeDockerScanner is for container image scanning in standalone mode
// e.g. dockerd, container registry, podman, etc.
func initializeDockerScanner(ctx context.Context, imageName string, artifactCache cache.ArtifactCache,
localArtifactCache cache.LocalArtifactCache, dockerOpt types.DockerOption, artifactOption artifact.Option) (
localArtifactCache cache.Cache, dockerOpt types.DockerOption, artifactOption artifact.Option) (
scanner.Scanner, func(), error) {
wire.Build(scanner.StandaloneDockerSet)
return scanner.Scanner{}, nil, nil
@@ -31,26 +31,28 @@ func initializeDockerScanner(ctx context.Context, imageName string, artifactCach
// initializeArchiveScanner is for container image archive scanning in standalone mode
// e.g. docker save -o alpine.tar alpine:3.15
func initializeArchiveScanner(ctx context.Context, filePath string, artifactCache cache.ArtifactCache,
localArtifactCache cache.LocalArtifactCache, artifactOption artifact.Option) (scanner.Scanner, error) {
localArtifactCache cache.Cache, artifactOption artifact.Option) (scanner.Scanner, error) {
wire.Build(scanner.StandaloneArchiveSet)
return scanner.Scanner{}, nil
}
// initializeFilesystemScanner is for filesystem scanning in standalone mode
func initializeFilesystemScanner(ctx context.Context, path string, artifactCache cache.ArtifactCache,
localArtifactCache cache.LocalArtifactCache, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
localArtifactCache cache.Cache, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
wire.Build(scanner.StandaloneFilesystemSet)
return scanner.Scanner{}, nil, nil
}
func initializeRepositoryScanner(ctx context.Context, url string, artifactCache cache.ArtifactCache,
localArtifactCache cache.LocalArtifactCache, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
localArtifactCache cache.Cache, artifactOption artifact.Option) (
scanner.Scanner, func(), error) {
wire.Build(scanner.StandaloneRepositorySet)
return scanner.Scanner{}, nil, nil
}
func initializeSBOMScanner(ctx context.Context, filePath string, artifactCache cache.ArtifactCache,
localArtifactCache cache.LocalArtifactCache, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
localArtifactCache cache.Cache, artifactOption artifact.Option) (
scanner.Scanner, func(), error) {
wire.Build(scanner.StandaloneSBOMSet)
return scanner.Scanner{}, nil, nil
}

16
pkg/commands/artifact/run.go
View File

@@ -3,6 +3,7 @@ package artifact
import (
"context"
"errors"
"fmt"
"os"
"github.com/hashicorp/go-multierror"
@@ -16,7 +17,6 @@ import (
"github.com/aquasecurity/trivy/pkg/commands/operation"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/secret"
"github.com/aquasecurity/trivy/pkg/fanal/artifact"
"github.com/aquasecurity/trivy/pkg/fanal/cache"
"github.com/aquasecurity/trivy/pkg/flag"
@@ -58,7 +58,7 @@ type ScannerConfig struct {
// Cache
ArtifactCache cache.ArtifactCache
LocalArtifactCache cache.LocalArtifactCache
LocalArtifactCache cache.Cache
// Client/Server options
RemoteOption client.ScannerOption
@@ -448,6 +448,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
ScanRemovedPackages: opts.ScanRemovedPkgs, // this is valid only for 'image' subcommand
ListAllPackages: opts.ListAllPkgs,
LicenseCategories: opts.LicenseCategories,
FilePatterns: opts.FilePatterns,
}
if slices.Contains(opts.SecurityChecks, types.SecurityCheckVulnerability) {
@@ -464,7 +465,6 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
Namespaces: append(opts.PolicyNamespaces, defaultPolicyNamespaces...),
PolicyPaths: opts.PolicyPaths,
DataPaths: opts.DataPaths,
FilePatterns: opts.FilePatterns,
HelmValues: opts.HelmValues,
HelmValueFiles: opts.HelmValueFiles,
HelmFileValues: opts.HelmFileValues,
@@ -504,18 +504,21 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
DisabledAnalyzers: disabledAnalyzers(opts),
SkipFiles: opts.SkipFiles,
SkipDirs: opts.SkipDirs,
FilePatterns: opts.FilePatterns,
InsecureSkipTLS: opts.Insecure,
Offline: opts.OfflineScan,
NoProgress: opts.NoProgress || opts.Quiet,
RepoBranch: opts.RepoBranch,
RepoCommit: opts.RepoCommit,
RepoTag: opts.RepoTag,
SBOMSources: opts.SBOMSources,
RekorURL: opts.RekorURL,
// For misconfiguration scanning
MisconfScannerOption: configScannerOptions,
// For secret scanning
SecretScannerOption: secret.ScannerOption{
SecretScannerOption: analyzer.SecretScannerOption{
ConfigPath: opts.SecretConfigPath,
},
},
@@ -562,7 +565,6 @@ func canonicalVersion(ver string) string {
if v.IsPreRelease() || v.Metadata() != "" {
return devVersion
}
// Add "v" prefix, "0.34.0" => "v0.34.0" for the url
return "v" + ver
// Add "v" prefix and cut a patch number, "0.34.0" => "v0.34" for the url
return fmt.Sprintf("v%d.%d", v.Major(), v.Minor())
}

48
pkg/commands/artifact/run_test.go Normal file
View File

@@ -0,0 +1,48 @@
package artifact
import (
"testing"
"github.com/stretchr/testify/require"
)
func TestCanonicalVersion(t *testing.T) {
tests := []struct {
title string
input string
want string
}{
{
title: "good way",
input: "0.34.0",
want: "v0.34",
},
{
title: "version with v - isn't right semver version",
input: "v0.34.0",
want: devVersion,
},
{
title: "dev version",
input: devVersion,
want: devVersion,
},
{
title: "pre-release",
input: "v0.34.0-beta1+snapshot-1",
want: devVersion,
},
{
title: "no version",
input: "",
want: devVersion,
},
}
for _, test := range tests {
t.Run(test.title, func(t *testing.T) {
got := canonicalVersion(test.input)
require.Equal(t, test.want, got)
})
}
}

12
pkg/commands/artifact/scanner.go
View File

@@ -27,7 +27,8 @@ func imageStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.Sc
// archiveStandaloneScanner initializes an image archive scanner in standalone mode
// $ trivy image --input alpine.tar
func archiveStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
s, err := initializeArchiveScanner(ctx, conf.Target, conf.ArtifactCache, conf.LocalArtifactCache, conf.ArtifactOption)
s, err := initializeArchiveScanner(ctx, conf.Target, conf.ArtifactCache, conf.LocalArtifactCache,
conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize the archive scanner: %w", err)
}
@@ -65,7 +66,8 @@ func archiveRemoteScanner(ctx context.Context, conf ScannerConfig) (scanner.Scan
// filesystemStandaloneScanner initializes a filesystem scanner in standalone mode
func filesystemStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
s, cleanup, err := initializeFilesystemScanner(ctx, conf.Target, conf.ArtifactCache, conf.LocalArtifactCache, conf.ArtifactOption)
s, cleanup, err := initializeFilesystemScanner(ctx, conf.Target, conf.ArtifactCache, conf.LocalArtifactCache,
conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a filesystem scanner: %w", err)
}
@@ -83,7 +85,8 @@ func filesystemRemoteScanner(ctx context.Context, conf ScannerConfig) (scanner.S
// filesystemStandaloneScanner initializes a repository scanner in standalone mode
func repositoryStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
s, cleanup, err := initializeRepositoryScanner(ctx, conf.Target, conf.ArtifactCache, conf.LocalArtifactCache, conf.ArtifactOption)
s, cleanup, err := initializeRepositoryScanner(ctx, conf.Target, conf.ArtifactCache, conf.LocalArtifactCache,
conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a filesystem scanner: %w", err)
}
@@ -92,7 +95,8 @@ func repositoryStandaloneScanner(ctx context.Context, conf ScannerConfig) (scann
// sbomStandaloneScanner initializes a SBOM scanner in standalone mode
func sbomStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
s, cleanup, err := initializeSBOMScanner(ctx, conf.Target, conf.ArtifactCache, conf.LocalArtifactCache, conf.ArtifactOption)
s, cleanup, err := initializeSBOMScanner(ctx, conf.Target, conf.ArtifactCache, conf.LocalArtifactCache,
conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a cycloneDX scanner: %w", err)
}

46
pkg/commands/artifact/wire_gen.go
View File

@@ -29,14 +29,15 @@ import (
// initializeDockerScanner is for container image scanning in standalone mode
// e.g. dockerd, container registry, podman, etc.
func initializeDockerScanner(ctx context.Context, imageName string, artifactCache cache.ArtifactCache, localArtifactCache cache.LocalArtifactCache, dockerOpt types.DockerOption, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
applierApplier := applier.NewApplier(localArtifactCache)
func initializeDockerScanner(ctx context.Context, imageName string, artifactCache cache.ArtifactCache, localArtifactCache cache.Cache, dockerOpt types.DockerOption, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
v := _wireValue
applierApplier := applier.NewApplier(localArtifactCache, v...)
detector := ospkg.Detector{}
config := db.Config{}
client := vulnerability.NewClient(config)
localScanner := local.NewScanner(applierApplier, detector, client)
v := _wireValue
typesImage, cleanup, err := image.NewContainerImage(ctx, imageName, dockerOpt, v...)
v2 := _wireValue2
typesImage, cleanup, err := image.NewContainerImage(ctx, imageName, dockerOpt, v2...)
if err != nil {
return scanner.Scanner{}, nil, err
}
@@ -52,13 +53,15 @@ func initializeDockerScanner(ctx context.Context, imageName string, artifactCach
}
var (
_wireValue = []image.Option(nil)
_wireValue = []applier.Option(nil)
_wireValue2 = []image.Option(nil)
)
// initializeArchiveScanner is for container image archive scanning in standalone mode
// e.g. docker save -o alpine.tar alpine:3.15
func initializeArchiveScanner(ctx context.Context, filePath string, artifactCache cache.ArtifactCache, localArtifactCache cache.LocalArtifactCache, artifactOption artifact.Option) (scanner.Scanner, error) {
applierApplier := applier.NewApplier(localArtifactCache)
func initializeArchiveScanner(ctx context.Context, filePath string, artifactCache cache.ArtifactCache, localArtifactCache cache.Cache, artifactOption artifact.Option) (scanner.Scanner, error) {
v := _wireValue
applierApplier := applier.NewApplier(localArtifactCache, v...)
detector := ospkg.Detector{}
config := db.Config{}
client := vulnerability.NewClient(config)
@@ -76,8 +79,9 @@ func initializeArchiveScanner(ctx context.Context, filePath string, artifactCach
}
// initializeFilesystemScanner is for filesystem scanning in standalone mode
func initializeFilesystemScanner(ctx context.Context, path string, artifactCache cache.ArtifactCache, localArtifactCache cache.LocalArtifactCache, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
applierApplier := applier.NewApplier(localArtifactCache)
func initializeFilesystemScanner(ctx context.Context, path string, artifactCache cache.ArtifactCache, localArtifactCache cache.Cache, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
v := _wireValue
applierApplier := applier.NewApplier(localArtifactCache, v...)
detector := ospkg.Detector{}
config := db.Config{}
client := vulnerability.NewClient(config)
@@ -91,8 +95,9 @@ func initializeFilesystemScanner(ctx context.Context, path string, artifactCache
}, nil
}
func initializeRepositoryScanner(ctx context.Context, url string, artifactCache cache.ArtifactCache, localArtifactCache cache.LocalArtifactCache, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
applierApplier := applier.NewApplier(localArtifactCache)
func initializeRepositoryScanner(ctx context.Context, url string, artifactCache cache.ArtifactCache, localArtifactCache cache.Cache, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
v := _wireValue
applierApplier := applier.NewApplier(localArtifactCache, v...)
detector := ospkg.Detector{}
config := db.Config{}
client := vulnerability.NewClient(config)
@@ -107,8 +112,9 @@ func initializeRepositoryScanner(ctx context.Context, url string, artifactCache
}, nil
}
func initializeSBOMScanner(ctx context.Context, filePath string, artifactCache cache.ArtifactCache, localArtifactCache cache.LocalArtifactCache, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
applierApplier := applier.NewApplier(localArtifactCache)
func initializeSBOMScanner(ctx context.Context, filePath string, artifactCache cache.ArtifactCache, localArtifactCache cache.Cache, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
v := _wireValue
applierApplier := applier.NewApplier(localArtifactCache, v...)
detector := ospkg.Detector{}
config := db.Config{}
client := vulnerability.NewClient(config)
@@ -125,9 +131,9 @@ func initializeSBOMScanner(ctx context.Context, filePath string, artifactCache c
// initializeRemoteDockerScanner is for container image scanning in client/server mode
// e.g. dockerd, container registry, podman, etc.
func initializeRemoteDockerScanner(ctx context.Context, imageName string, artifactCache cache.ArtifactCache, remoteScanOptions client.ScannerOption, dockerOpt types.DockerOption, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
v := _wireValue2
v := _wireValue3
clientScanner := client.NewScanner(remoteScanOptions, v...)
v2 := _wireValue3
v2 := _wireValue4
typesImage, cleanup, err := image.NewContainerImage(ctx, imageName, dockerOpt, v2...)
if err != nil {
return scanner.Scanner{}, nil, err
@@ -144,14 +150,14 @@ func initializeRemoteDockerScanner(ctx context.Context, imageName string, artifa
}
var (
_wireValue2 = []client.Option(nil)
_wireValue3 = []image.Option(nil)
_wireValue3 = []client.Option(nil)
_wireValue4 = []image.Option(nil)
)
// initializeRemoteArchiveScanner is for container image archive scanning in client/server mode
// e.g. docker save -o alpine.tar alpine:3.15
func initializeRemoteArchiveScanner(ctx context.Context, filePath string, artifactCache cache.ArtifactCache, remoteScanOptions client.ScannerOption, artifactOption artifact.Option) (scanner.Scanner, error) {
v := _wireValue2
v := _wireValue3
clientScanner := client.NewScanner(remoteScanOptions, v...)
typesImage, err := image.NewArchiveImage(filePath)
if err != nil {
@@ -167,7 +173,7 @@ func initializeRemoteArchiveScanner(ctx context.Context, filePath string, artifa
// initializeRemoteFilesystemScanner is for filesystem scanning in client/server mode
func initializeRemoteFilesystemScanner(ctx context.Context, path string, artifactCache cache.ArtifactCache, remoteScanOptions client.ScannerOption, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
v := _wireValue2
v := _wireValue3
clientScanner := client.NewScanner(remoteScanOptions, v...)
artifactArtifact, err := local2.NewArtifact(path, artifactCache, artifactOption)
if err != nil {
@@ -180,7 +186,7 @@ func initializeRemoteFilesystemScanner(ctx context.Context, path string, artifac
// initializeRemoteSBOMScanner is for sbom scanning in client/server mode
func initializeRemoteSBOMScanner(ctx context.Context, path string, artifactCache cache.ArtifactCache, remoteScanOptions client.ScannerOption, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
v := _wireValue2
v := _wireValue3
clientScanner := client.NewScanner(remoteScanOptions, v...)
artifactArtifact, err := sbom.NewArtifact(path, artifactCache, artifactOption)
if err != nil {

2
pkg/commands/operation/operation.go
View File

@@ -24,7 +24,7 @@ import (
// SuperSet binds cache dependencies
var SuperSet = wire.NewSet(
cache.NewFSCache,
wire.Bind(new(cache.LocalArtifactCache), new(cache.FSCache)),
wire.Bind(new(cache.Cache), new(cache.FSCache)),
NewCache,
)

2
pkg/detector/library/detect.go
View File

@@ -11,7 +11,7 @@ import (
func Detect(libType string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
driver, err := NewDriver(libType)
if err != nil {
return nil, xerrors.Errorf("failed to new driver: %w", err)
return nil, xerrors.Errorf("failed to initialize a driver: %w", err)
}
vulns, err := detect(driver, pkgs)

7
pkg/detector/library/driver.go
View File

@@ -37,7 +37,7 @@ func NewDriver(libType string) (Driver, error) {
case ftypes.GoBinary, ftypes.GoModule:
ecosystem = vulnerability.Go
comparer = compare.GenericComparer{}
case ftypes.Jar, ftypes.Pom:
case ftypes.Jar, ftypes.Pom, ftypes.Gradle:
ecosystem = vulnerability.Maven
comparer = maven.Comparer{}
case ftypes.Npm, ftypes.Yarn, ftypes.Pnpm, ftypes.NodePkg, ftypes.JavaScript:
@@ -49,6 +49,11 @@ func NewDriver(libType string) (Driver, error) {
case ftypes.Pipenv, ftypes.Poetry, ftypes.Pip, ftypes.PythonPkg:
ecosystem = vulnerability.Pip
comparer = pep440.Comparer{}
case ftypes.Conan:
ecosystem = vulnerability.Conan
// Only semver can be used for version ranges
// https://docs.conan.io/en/latest/versioning/version_ranges.html
comparer = compare.GenericComparer{}
default:
return Driver{}, xerrors.Errorf("unsupported type %s", libType)
}

3
pkg/fanal/analyzer/all/import.go
View File

@@ -3,10 +3,13 @@ package all
import (
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/buildinfo"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/command/apk"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/all"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/c/conan"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/dotnet/deps"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/dotnet/nuget"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/golang/binary"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/golang/mod"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/gradle"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/jar"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/pom"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm"

107
pkg/fanal/analyzer/analyzer.go
View File

@@ -5,6 +5,7 @@ import (
"errors"
"io/fs"
"os"
"regexp"
"sort"
"strings"
"sync"
@@ -31,17 +32,29 @@ var (
ErrNoPkgsDetected = xerrors.New("no packages detected")
)
type AnalysisInput struct {
Dir string
FilePath string
Info os.FileInfo
Content dio.ReadSeekerAt
//////////////////////
// Analyzer options //
//////////////////////
Options AnalysisOptions
// AnalyzerOptions is used to initialize analyzers
type AnalyzerOptions struct {
Group Group
FilePatterns []string
DisabledAnalyzers []Type
SecretScannerOption SecretScannerOption
}
type AnalysisOptions struct {
Offline bool
type SecretScannerOption struct {
ConfigPath string
}
////////////////
// Interfaces //
////////////////
// Initializer represents analyzers that need to take parameters from users
type Initializer interface {
Init(AnalyzerOptions) error
}
type analyzer interface {
@@ -58,6 +71,10 @@ type configAnalyzer interface {
Required(osFound types.OS) bool
}
////////////////////
// Analyzer group //
////////////////////
type Group string
const GroupBuiltin Group = "builtin"
@@ -91,6 +108,24 @@ type Opener func() (dio.ReadSeekCloserAt, error)
type AnalyzerGroup struct {
analyzers []analyzer
configAnalyzers []configAnalyzer
filePatterns map[Type][]*regexp.Regexp
}
///////////////////////////
// Analyzer input/output //
///////////////////////////
type AnalysisInput struct {
Dir string
FilePath string
Info os.FileInfo
Content dio.ReadSeekerAt
Options AnalysisOptions
}
type AnalysisOptions struct {
Offline bool
}
type AnalysisResult struct {
@@ -266,27 +301,58 @@ func belongToGroup(groupName Group, analyzerType Type, disabledAnalyzers []Type,
return true
}
func NewAnalyzerGroup(groupName Group, disabledAnalyzers []Type) AnalyzerGroup {
const separator = ":"
func NewAnalyzerGroup(opt AnalyzerOptions) (AnalyzerGroup, error) {
groupName := opt.Group
if groupName == "" {
groupName = GroupBuiltin
}
var group AnalyzerGroup
group := AnalyzerGroup{
filePatterns: map[Type][]*regexp.Regexp{},
}
for _, p := range opt.FilePatterns {
// e.g. "dockerfile:my_dockerfile_*"
s := strings.SplitN(p, separator, 2)
if len(s) != 2 {
return group, xerrors.Errorf("invalid file pattern (%s)", p)
}
fileType, pattern := s[0], s[1]
r, err := regexp.Compile(pattern)
if err != nil {
return group, xerrors.Errorf("invalid file regexp (%s): %w", p, err)
}
if _, ok := group.filePatterns[Type(fileType)]; !ok {
group.filePatterns[Type(fileType)] = []*regexp.Regexp{}
}
group.filePatterns[Type(fileType)] = append(group.filePatterns[Type(fileType)], r)
}
for analyzerType, a := range analyzers {
if !belongToGroup(groupName, analyzerType, disabledAnalyzers, a) {
if !belongToGroup(groupName, analyzerType, opt.DisabledAnalyzers, a) {
continue
}
// Initialize only scanners that have Init()
if ini, ok := a.(Initializer); ok {
if err := ini.Init(opt); err != nil {
return AnalyzerGroup{}, xerrors.Errorf("analyzer initialization error: %w", err)
}
}
group.analyzers = append(group.analyzers, a)
}
for analyzerType, a := range configAnalyzers {
if slices.Contains(disabledAnalyzers, analyzerType) {
if slices.Contains(opt.DisabledAnalyzers, analyzerType) {
continue
}
group.configAnalyzers = append(group.configAnalyzers, a)
}
return group
return group, nil
}
// AnalyzerVersions returns analyzer version identifier used for cache keys.
@@ -313,14 +379,16 @@ func (ag AnalyzerGroup) AnalyzeFile(ctx context.Context, wg *sync.WaitGroup, lim
return nil
}
// filepath extracted from tar file doesn't have the prefix "/"
cleanPath := strings.TrimLeft(filePath, "/")
for _, a := range ag.analyzers {
// Skip disabled analyzers
if slices.Contains(disabled, a.Type()) {
continue
}
// filepath extracted from tar file doesn't have the prefix "/"
if !a.Required(strings.TrimLeft(filePath, "/"), info) {
if !ag.filePatternMatch(a.Type(), cleanPath) && !a.Required(cleanPath, info) {
continue
}
rc, err := opener()
@@ -375,3 +443,12 @@ func (ag AnalyzerGroup) AnalyzeImageConfig(targetOS types.OS, configBlob []byte)
}
return nil
}
func (ag AnalyzerGroup) filePatternMatch(analyzerType Type, filePath string) bool {
for _, pattern := range ag.filePatterns[analyzerType] {
if pattern.MatchString(filePath) {
return true
}
}
return false
}

69
pkg/fanal/analyzer/analyzer_test.go
View File

@@ -281,6 +281,7 @@ func TestAnalyzeFile(t *testing.T) {
filePath string
testFilePath string
disabledAnalyzers []analyzer.Type
filePatterns []string
}
tests := []struct {
name string
@@ -377,6 +378,28 @@ func TestAnalyzeFile(t *testing.T) {
},
want: &analyzer.AnalysisResult{},
},
{
name: "happy path with library analyzer file pattern regex",
args: args{
filePath: "/app/Gemfile-dev.lock",
testFilePath: "testdata/app/Gemfile.lock",
filePatterns: []string{"bundler:Gemfile(-.*)?\\.lock"},
},
want: &analyzer.AnalysisResult{
Applications: []types.Application{
{
Type: "bundler",
FilePath: "/app/Gemfile-dev.lock",
Libraries: []types.Package{
{
Name: "actioncable",
Version: "5.2.3",
},
},
},
},
},
},
{
name: "ignore permission error",
args: args{
@@ -393,6 +416,24 @@ func TestAnalyzeFile(t *testing.T) {
},
wantErr: "unable to open /lib/apk/db/installed",
},
{
name: "sad path with broken file pattern regex",
args: args{
filePath: "/app/Gemfile-dev.lock",
testFilePath: "testdata/app/Gemfile.lock",
filePatterns: []string{"bundler:Gemfile(-.*?\\.lock"},
},
wantErr: "error parsing regexp",
},
{
name: "sad path with broken file pattern",
args: args{
filePath: "/app/Gemfile-dev.lock",
testFilePath: "testdata/app/Gemfile.lock",
filePatterns: []string{"Gemfile(-.*)?\\.lock"},
},
wantErr: "invalid file pattern",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
@@ -400,7 +441,16 @@ func TestAnalyzeFile(t *testing.T) {
limit := semaphore.NewWeighted(3)
got := new(analyzer.AnalysisResult)
a := analyzer.NewAnalyzerGroup(analyzer.GroupBuiltin, tt.args.disabledAnalyzers)
a, err := analyzer.NewAnalyzerGroup(analyzer.AnalyzerOptions{
FilePatterns: tt.args.filePatterns,
DisabledAnalyzers: tt.args.disabledAnalyzers,
})
if err != nil && tt.wantErr != "" {
require.NotNil(t, err)
assert.Contains(t, err.Error(), tt.wantErr)
return
}
require.NoError(t, err)
info, err := os.Stat(tt.args.testFilePath)
require.NoError(t, err)
@@ -440,6 +490,7 @@ func TestAnalyzeConfig(t *testing.T) {
targetOS types.OS
configBlob []byte
disabledAnalyzers []analyzer.Type
filePatterns []string
}
tests := []struct {
name string
@@ -482,7 +533,11 @@ func TestAnalyzeConfig(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
a := analyzer.NewAnalyzerGroup(analyzer.GroupBuiltin, tt.args.disabledAnalyzers)
a, err := analyzer.NewAnalyzerGroup(analyzer.AnalyzerOptions{
FilePatterns: tt.args.filePatterns,
DisabledAnalyzers: tt.args.disabledAnalyzers,
})
require.NoError(t, err)
got := a.AnalyzeImageConfig(tt.args.targetOS, tt.args.configBlob)
assert.Equal(t, tt.want, got)
})
@@ -517,7 +572,10 @@ func TestAnalyzer_AnalyzerVersions(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
a := analyzer.NewAnalyzerGroup(analyzer.GroupBuiltin, tt.disabled)
a, err := analyzer.NewAnalyzerGroup(analyzer.AnalyzerOptions{
DisabledAnalyzers: tt.disabled,
})
require.NoError(t, err)
got := a.AnalyzerVersions()
fmt.Printf("%v\n", got)
assert.Equal(t, tt.want, got)
@@ -549,7 +607,10 @@ func TestAnalyzer_ImageConfigAnalyzerVersions(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
a := analyzer.NewAnalyzerGroup(analyzer.GroupBuiltin, tt.disabled)
a, err := analyzer.NewAnalyzerGroup(analyzer.AnalyzerOptions{
DisabledAnalyzers: tt.disabled,
})
require.NoError(t, err)
got := a.ImageConfigAnalyzerVersions()
assert.Equal(t, tt.want, got)
})

9
pkg/fanal/analyzer/config/all/import.go Normal file
View File

@@ -0,0 +1,9 @@
package all
import (
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/dockerfile"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/helm"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/json"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/terraform"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/yaml"
)

54
pkg/fanal/analyzer/config/config.go
View File

@@ -1,29 +1,13 @@
package config
import (
"regexp"
"sort"
"strings"
"golang.org/x/xerrors"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/helm"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/dockerfile"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/json"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/terraform"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/yaml"
"github.com/aquasecurity/trivy/pkg/fanal/types"
)
const separator = ":"
type ScannerOption struct {
Trace bool
RegoOnly bool
Namespaces []string
FilePatterns []string
PolicyPaths []string
DataPaths []string
DisableEmbeddedPolicies bool
@@ -37,44 +21,6 @@ type ScannerOption struct {
func (o *ScannerOption) Sort() {
sort.Strings(o.Namespaces)
sort.Strings(o.FilePatterns)
sort.Strings(o.PolicyPaths)
sort.Strings(o.DataPaths)
}
func RegisterConfigAnalyzers(filePatterns []string) error {
var dockerRegexp, jsonRegexp, yamlRegexp, helmRegexp *regexp.Regexp
for _, p := range filePatterns {
// e.g. "dockerfile:my_dockerfile_*"
s := strings.SplitN(p, separator, 2)
if len(s) != 2 {
return xerrors.Errorf("invalid file pattern (%s)", p)
}
fileType, pattern := s[0], s[1]
r, err := regexp.Compile(pattern)
if err != nil {
return xerrors.Errorf("invalid file regexp (%s): %w", p, err)
}
switch fileType {
case types.Dockerfile:
dockerRegexp = r
case types.JSON:
jsonRegexp = r
case types.YAML:
yamlRegexp = r
case types.Helm:
helmRegexp = r
default:
return xerrors.Errorf("unknown file type: %s, pattern: %s", fileType, pattern)
}
}
analyzer.RegisterAnalyzer(dockerfile.NewConfigAnalyzer(dockerRegexp))
analyzer.RegisterAnalyzer(terraform.NewConfigAnalyzer())
analyzer.RegisterAnalyzer(json.NewConfigAnalyzer(jsonRegexp))
analyzer.RegisterAnalyzer(yaml.NewConfigAnalyzer(yamlRegexp))
analyzer.RegisterAnalyzer(helm.NewConfigAnalyzer(helmRegexp))
return nil
}

35
pkg/fanal/analyzer/config/config_test.go
View File

@@ -10,10 +10,9 @@ import (
func TestScannerOption_Sort(t *testing.T) {
type fields struct {
Namespaces []string
FilePatterns []string
PolicyPaths []string
DataPaths []string
Namespaces []string
PolicyPaths []string
DataPaths []string
}
tests := []struct {
name string
@@ -23,25 +22,22 @@ func TestScannerOption_Sort(t *testing.T) {
{
name: "happy path",
fields: fields{
Namespaces: []string{"main", "custom", "default"},
FilePatterns: []string{"dockerfile:foo*", "yaml:yml_*"},
PolicyPaths: []string{"policy"},
DataPaths: []string{"data/b", "data/c", "data/a"},
Namespaces: []string{"main", "custom", "default"},
PolicyPaths: []string{"policy"},
DataPaths: []string{"data/b", "data/c", "data/a"},
},
want: config.ScannerOption{
Namespaces: []string{"custom", "default", "main"},
FilePatterns: []string{"dockerfile:foo*", "yaml:yml_*"},
PolicyPaths: []string{"policy"},
DataPaths: []string{"data/a", "data/b", "data/c"},
Namespaces: []string{"custom", "default", "main"},
PolicyPaths: []string{"policy"},
DataPaths: []string{"data/a", "data/b", "data/c"},
},
},
{
name: "missing some fields",
fields: fields{
Namespaces: []string{"main"},
FilePatterns: nil,
PolicyPaths: nil,
DataPaths: nil,
Namespaces: []string{"main"},
PolicyPaths: nil,
DataPaths: nil,
},
want: config.ScannerOption{
Namespaces: []string{"main"},
@@ -51,10 +47,9 @@ func TestScannerOption_Sort(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
o := config.ScannerOption{
Namespaces: tt.fields.Namespaces,
FilePatterns: tt.fields.FilePatterns,
PolicyPaths: tt.fields.PolicyPaths,
DataPaths: tt.fields.DataPaths,
Namespaces: tt.fields.Namespaces,
PolicyPaths: tt.fields.PolicyPaths,
DataPaths: tt.fields.DataPaths,
}
o.Sort()

27
pkg/fanal/analyzer/config/dockerfile/docker.go
View File

@@ -5,7 +5,6 @@ import (
"io"
"os"
"path/filepath"
"regexp"
"strings"
"golang.org/x/xerrors"
@@ -14,21 +13,17 @@ import (
"github.com/aquasecurity/trivy/pkg/fanal/types"
)
func init() {
analyzer.RegisterAnalyzer(&dockerConfigAnalyzer{})
}
const version = 1
var requiredFiles = []string{"Dockerfile", "Containerfile"}
type ConfigAnalyzer struct {
filePattern *regexp.Regexp
}
type dockerConfigAnalyzer struct{}
func NewConfigAnalyzer(filePattern *regexp.Regexp) ConfigAnalyzer {
return ConfigAnalyzer{
filePattern: filePattern,
}
}
func (s ConfigAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
func (s dockerConfigAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
b, err := io.ReadAll(input.Content)
if err != nil {
return nil, xerrors.Errorf("failed to read %s: %w", input.FilePath, err)
@@ -50,11 +45,7 @@ func (s ConfigAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput)
// Required does a case-insensitive check for filePath and returns true if
// filePath equals/startsWith/hasExtension requiredFiles
func (s ConfigAnalyzer) Required(filePath string, _ os.FileInfo) bool {
if s.filePattern != nil && s.filePattern.MatchString(filePath) {
return true
}
func (s dockerConfigAnalyzer) Required(filePath string, _ os.FileInfo) bool {
base := filepath.Base(filePath)
ext := filepath.Ext(base)
for _, file := range requiredFiles {
@@ -69,10 +60,10 @@ func (s ConfigAnalyzer) Required(filePath string, _ os.FileInfo) bool {
return false
}
func (s ConfigAnalyzer) Type() analyzer.Type {
func (s dockerConfigAnalyzer) Type() analyzer.Type {
return analyzer.TypeDockerfile
}
func (s ConfigAnalyzer) Version() int {
func (s dockerConfigAnalyzer) Version() int {
return version
}

23
pkg/fanal/analyzer/config/dockerfile/docker_test.go
View File

@@ -1,16 +1,14 @@
package dockerfile_test
package dockerfile
import (
"context"
"os"
"regexp"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/dockerfile"
"github.com/aquasecurity/trivy/pkg/fanal/types"
)
@@ -68,7 +66,7 @@ COPY --from=build /bar /bar
require.NoError(t, err)
defer f.Close()
a := dockerfile.NewConfigAnalyzer(nil)
a := dockerConfigAnalyzer{}
ctx := context.Background()
got, err := a.Analyze(ctx, analyzer.AnalysisInput{
FilePath: tt.inputFile,
@@ -88,10 +86,9 @@ COPY --from=build /bar /bar
func Test_dockerConfigAnalyzer_Required(t *testing.T) {
tests := []struct {
name string
filePattern *regexp.Regexp
filePath string
want bool
name string
filePath string
want bool
}{
{
name: "dockerfile",
@@ -143,16 +140,10 @@ func Test_dockerConfigAnalyzer_Required(t *testing.T) {
filePath: "deployment.json",
want: false,
},
{
name: "file pattern",
filePattern: regexp.MustCompile(`foo*`),
filePath: "foo_file",
want: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := dockerfile.NewConfigAnalyzer(tt.filePattern)
s := dockerConfigAnalyzer{}
got := s.Required(tt.filePath, nil)
assert.Equal(t, tt.want, got)
})
@@ -160,7 +151,7 @@ func Test_dockerConfigAnalyzer_Required(t *testing.T) {
}
func Test_dockerConfigAnalyzer_Type(t *testing.T) {
s := dockerfile.NewConfigAnalyzer(nil)
s := dockerConfigAnalyzer{}
want := analyzer.TypeDockerfile
got := s.Type()
assert.Equal(t, want, got)

29
pkg/fanal/analyzer/config/helm/helm.go
View File

@@ -8,7 +8,6 @@ import (
"io"
"os"
"path/filepath"
"regexp"
"strings"
"golang.org/x/xerrors"
@@ -18,21 +17,17 @@ import (
"github.com/aquasecurity/trivy/pkg/fanal/types"
)
func init() {
analyzer.RegisterAnalyzer(&helmConfigAnalyzer{})
}
const version = 1
const maxTarSize = 209_715_200 // 200MB
type ConfigAnalyzer struct {
filePattern *regexp.Regexp
}
type helmConfigAnalyzer struct{}
func NewConfigAnalyzer(filePattern *regexp.Regexp) ConfigAnalyzer {
return ConfigAnalyzer{
filePattern: filePattern,
}
}
func (a ConfigAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
func (a helmConfigAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
if isArchive(input.FilePath) {
if !isHelmChart(input.FilePath, input.Content) {
return nil, nil
@@ -62,17 +57,13 @@ func (a ConfigAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput)
}, nil
}
func (a ConfigAnalyzer) Required(filePath string, info os.FileInfo) bool {
if a.filePattern != nil && a.filePattern.MatchString(filePath) {
return true
}
func (a helmConfigAnalyzer) Required(filePath string, info os.FileInfo) bool {
if info.Size() > maxTarSize {
// tarball is too big to be Helm chart - move on
return false
}
for _, acceptable := range []string{".tpl", ".json", ".yaml", ".tar", ".tgz", ".tar.gz"} {
for _, acceptable := range []string{".tpl", ".json", ".yml", ".yaml", ".tar", ".tgz", ".tar.gz"} {
if strings.HasSuffix(strings.ToLower(filePath), acceptable) {
return true
}
@@ -88,11 +79,11 @@ func (a ConfigAnalyzer) Required(filePath string, info os.FileInfo) bool {
return false
}
func (ConfigAnalyzer) Type() analyzer.Type {
func (helmConfigAnalyzer) Type() analyzer.Type {
return analyzer.TypeHelm
}
func (ConfigAnalyzer) Version() int {
func (helmConfigAnalyzer) Version() int {
return version
}

26
pkg/fanal/analyzer/config/helm/helm_test.go
View File

@@ -3,7 +3,6 @@ package helm
import (
"context"
"os"
"regexp"
"testing"
"github.com/stretchr/testify/assert"
@@ -340,7 +339,7 @@ affinity: {}
info, err := os.Stat(tt.inputFile)
require.NoError(t, err)
a := NewConfigAnalyzer(nil)
a := helmConfigAnalyzer{}
ctx := context.Background()
got, err := a.Analyze(ctx, analyzer.AnalysisInput{
FilePath: tt.inputFile,
@@ -361,16 +360,20 @@ affinity: {}
func Test_helmConfigAnalyzer_Required(t *testing.T) {
tests := []struct {
name string
filePattern *regexp.Regexp
filePath string
want bool
name string
filePath string
want bool
}{
{
name: "yaml",
filePath: "testdata/testchart/Chart.yaml",
want: true,
},
{
name: "yaml - shorthand",
filePath: "testdata/testchart/templates/deployment.yml",
want: true,
},
{
name: "tpl",
filePath: "testdata/testchart/templates/_helpers.tpl",
@@ -406,17 +409,10 @@ func Test_helmConfigAnalyzer_Required(t *testing.T) {
filePath: "testdata/nope.tgz",
want: true, // its a tarball after all
},
{
name: "file pattern",
filePattern: regexp.MustCompile(`foo*`),
filePath: "foo_file",
want: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := NewConfigAnalyzer(tt.filePattern)
s := helmConfigAnalyzer{}
info, _ := os.Stat(tt.filePath)
@@ -427,7 +423,7 @@ func Test_helmConfigAnalyzer_Required(t *testing.T) {
}
func Test_helmConfigAnalyzer_Type(t *testing.T) {
s := NewConfigAnalyzer(nil)
s := helmConfigAnalyzer{}
want := analyzer.TypeHelm
got := s.Type()

0
pkg/fanal/analyzer/config/helm/testdata/testchart/templates/deployment.yaml → pkg/fanal/analyzer/config/helm/testdata/testchart/templates/deployment.yml vendored
View File

27
pkg/fanal/analyzer/config/json/json.go
View File

@@ -5,7 +5,6 @@ import (
"io"
"os"
"path/filepath"
"regexp"
"golang.org/x/xerrors"
@@ -13,6 +12,10 @@ import (
"github.com/aquasecurity/trivy/pkg/fanal/types"
)
func init() {
analyzer.RegisterAnalyzer(&jsonConfigAnalyzer{})
}
const version = 1
var (
@@ -20,17 +23,9 @@ var (
excludedFiles = []string{types.NpmPkgLock, types.NuGetPkgsLock, types.NuGetPkgsConfig}
)
type ConfigAnalyzer struct {
filePattern *regexp.Regexp
}
type jsonConfigAnalyzer struct{}
func NewConfigAnalyzer(filePattern *regexp.Regexp) ConfigAnalyzer {
return ConfigAnalyzer{
filePattern: filePattern,
}
}
func (a ConfigAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
func (a jsonConfigAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
b, err := io.ReadAll(input.Content)
if err != nil {
return nil, xerrors.Errorf("failed to read %s: %w", input.FilePath, err)
@@ -50,11 +45,7 @@ func (a ConfigAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput)
}, nil
}
func (a ConfigAnalyzer) Required(filePath string, _ os.FileInfo) bool {
if a.filePattern != nil && a.filePattern.MatchString(filePath) {
return true
}
func (a jsonConfigAnalyzer) Required(filePath string, _ os.FileInfo) bool {
filename := filepath.Base(filePath)
for _, excludedFile := range excludedFiles {
if filename == excludedFile {
@@ -65,10 +56,10 @@ func (a ConfigAnalyzer) Required(filePath string, _ os.FileInfo) bool {
return filepath.Ext(filePath) == requiredExt
}
func (ConfigAnalyzer) Type() analyzer.Type {
func (jsonConfigAnalyzer) Type() analyzer.Type {
return analyzer.TypeJSON
}
func (ConfigAnalyzer) Version() int {
func (jsonConfigAnalyzer) Version() int {
return version
}

23
pkg/fanal/analyzer/config/json/json_test.go
View File

@@ -1,16 +1,14 @@
package json_test
package json
import (
"context"
"os"
"regexp"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/json"
"github.com/aquasecurity/trivy/pkg/fanal/types"
)
@@ -133,7 +131,7 @@ func Test_jsonConfigAnalyzer_Analyze(t *testing.T) {
require.NoError(t, err)
defer f.Close()
s := json.NewConfigAnalyzer(nil)
s := jsonConfigAnalyzer{}
ctx := context.Background()
got, err := s.Analyze(ctx, analyzer.AnalysisInput{
@@ -154,10 +152,9 @@ func Test_jsonConfigAnalyzer_Analyze(t *testing.T) {
func Test_jsonConfigAnalyzer_Required(t *testing.T) {
tests := []struct {
name string
filePattern *regexp.Regexp
filePath string
want bool
name string
filePath string
want bool
}{
{
name: "json",
@@ -174,16 +171,10 @@ func Test_jsonConfigAnalyzer_Required(t *testing.T) {
filePath: "package-lock.json",
want: false,
},
{
name: "file pattern",
filePattern: regexp.MustCompile(`foo*`),
filePath: "foo_file",
want: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := json.NewConfigAnalyzer(tt.filePattern)
s := jsonConfigAnalyzer{}
got := s.Required(tt.filePath, nil)
assert.Equal(t, tt.want, got)
@@ -192,7 +183,7 @@ func Test_jsonConfigAnalyzer_Required(t *testing.T) {
}
func Test_jsonConfigAnalyzer_Type(t *testing.T) {
s := json.NewConfigAnalyzer(nil)
s := jsonConfigAnalyzer{}
want := analyzer.TypeJSON
got := s.Type()

Some files were not shown because too many files have changed in this diff Show More