Teppei Fukuda
cbbd1ce1f0 feat(k8s): add support for vulnerability detection (#5268)
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Signed-off-by: chenk <hen.keinan@gmail.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
Co-authored-by: chenk <hen.keinan@gmail.com>
2023-10-14 12:32:55 +00:00
DmitriyLewen
24a0d92145 fix(python): override BOM in requirements.txt files (#5375) 2023-10-14 08:37:32 +00:00
Itay Shakury
0c3e2f08b7 docs: add kbom documentation (#5363) 2023-10-13 09:00:28 +00:00
DmitriyLewen
6c12f04286 test: use maximize build space for VM tests (#5362) 2023-10-13 01:42:57 +00:00
dependabot[bot]
c4134224a2 chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 (#5365)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-12 15:45:22 +00:00
DmitriyLewen
20ab7033b8 fix(report): add escaping quotes in misconfig Title for asff template (#5351) 2023-10-11 07:38:07 +00:00
DmitriyLewen
91841f59ba ci: add workflow to check Go versions of dependencies (#5340) 2023-10-09 11:04:09 +00:00
simar7
57ba05c766 chore(deps): Upgrade defsec to v0.93.1 (#5348) 2023-10-08 12:40:21 +00:00
dependabot[bot]
fef3ed4358 chore(deps): bump alpine from 3.18.3 to 3.18.4 (#5300)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-06 06:07:11 +00:00
Doug Donohoe
ced54aced1 fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342) 2023-10-05 14:45:45 +00:00
Nikita Pivkin
2798df916b fix: add config files to FS for post-analyzers (#5333) 2023-10-05 12:59:47 +00:00
DmitriyLewen
af485b33fd fix: fix MIME warnings after updating to Go 1.20 (#5336) 2023-10-05 12:58:40 +00:00
Teppei Fukuda
008babfb8b build: fix a compile error with Go 1.21 (#5339)
Signed-off-by: knqyf263 <knqyf263@gmail.com>
2023-10-05 10:06:32 +00:00
Alexandr Hacicheant
00d9c4666f feat: added Metadata into the k8s resource's scan report (#5322) 2023-10-05 08:16:50 +00:00
DmitriyLewen
03b6787c44 ci: check only PR's in actions/stale (#5337) 2023-10-05 07:36:02 +00:00
Itay Shakury
e6d5889ed4 chore: update adopters template (#5330) 2023-10-04 12:13:20 +00:00
Teppei Fukuda
74dbd8a1fd ci: do not trigger tests on the push event (#5313)
Signed-off-by: knqyf263 <knqyf263@gmail.com>
2023-10-03 11:10:05 +00:00
j1nka
393bfdc1ac fix(sbom): use PURL or Group and Name in case of Java (#5154) 2023-10-03 11:06:27 +00:00
Anais Urlichs
76eb8a57b6 docs: add buildkite repository to ecosystem page (#5316)
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
2023-10-03 09:02:52 +00:00
dependabot[bot]
6c74ee11f0 chore(deps): bump docker/setup-qemu-action from 2 to 3 (#5290)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-03 09:01:37 +00:00
dependabot[bot]
6119878de1 chore(deps): bump docker/setup-buildx-action from 2 to 3 (#5292)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-03 08:25:12 +00:00
dependabot[bot]
a346587b8d chore(deps): bump actions/cache from 3.3.1 to 3.3.2 (#5293)
Bumps [actions/cache](https://github.com/actions/cache) from 3.3.1 to 3.3.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.3.1...v3.3.2)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-02 15:54:49 +00:00
dependabot[bot]
7e613cc5f7 chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 (#5286)
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/google/uuid/releases)
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md)
- [Commits](https://github.com/google/uuid/compare/v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: github.com/google/uuid
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-02 15:45:32 +00:00
dependabot[bot]
f05bc4be4f chore(deps): bump github.com/hashicorp/go-getter from 1.7.1 to 1.7.2 (#5289)
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.7.1 to 1.7.2.
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml)
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.7.1...v1.7.2)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-02 15:45:07 +00:00
Teppei Fukuda
3be5e6b242 chore: enable go-critic (#5302)
* chore: enable gocritic

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* refactor: fix lint issues

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* test: return true for latest versions

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* chore(lint): enforce map and slice styles

Signed-off-by: knqyf263 <knqyf263@gmail.com>

---------

Signed-off-by: knqyf263 <knqyf263@gmail.com>
2023-10-02 08:33:21 +00:00
dependabot[bot]
f6cd21c873 chore(deps): bump actions/checkout from 3.6.0 to 4.1.0 (#5288)
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.1.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3.6.0...v4.1.0)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-02 08:31:07 +00:00
dependabot[bot]
f7b975187d chore(deps): bump github.com/aws/aws-sdk-go from 1.45.3 to 1.45.19 (#5287)
Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.45.3 to 1.45.19.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.45.3...v1.45.19)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-02 07:35:19 +00:00
DmitriyLewen
18d168769c close java-db client (#5273) 2023-10-02 06:56:33 +00:00
dependabot[bot]
eb60e9f3c0 chore(deps): bump docker/login-action from 2 to 3 (#5291)
Bumps [docker/login-action](https://github.com/docker/login-action) from 2 to 3.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v2...v3)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-02 05:20:14 +00:00
dependabot[bot]
5a92055e1c chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#5294)
Bumps [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2) from 1.21.5 to 1.22.0.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/service/s3/v1.22.0/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/efs/v1.21.5...service/s3/v1.22.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/sts
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-02 05:19:08 +00:00
dependabot[bot]
46afe65eed chore(deps): bump github.com/sigstore/rekor from 1.2.1 to 1.3.0 (#5304)
Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.2.1 to 1.3.0.
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/rekor/compare/v1.2.1...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-02 05:18:49 +00:00
dependabot[bot]
0bf2a11a2e chore(deps): bump github.com/opencontainers/image-spec (#5295)
Bumps [github.com/opencontainers/image-spec](https://github.com/opencontainers/image-spec) from 1.1.0-rc4 to 1.1.0-rc5.
- [Release notes](https://github.com/opencontainers/image-spec/releases)
- [Changelog](https://github.com/opencontainers/image-spec/blob/main/RELEASES.md)
- [Commits](https://github.com/opencontainers/image-spec/compare/v1.1.0-rc4...v1.1.0-rc5)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/image-spec
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-02 05:18:09 +00:00
Ignacio Íñigo Hernández
23b5fece08 fix(report): removes git::http from uri in sarif (#5244)
* fix(sarif): removes git::http from uri in sarif
* fix(sarif): removes git::http from uri in sarif

## Description

## Related issues
- Fixes https://github.com/aquasecurity/trivy/issues/5003

## Checklist
- [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
- [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
- [ ] I've added tests that prove my fix is effective or that my feature works.
- [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
- [ ] I've added usage information (if the PR introduces new options)
- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

* fix lint

---------

Co-authored-by: Simar <simar@linux.com>
2023-10-02 05:17:43 +00:00
PranitRout07
4f1d576e5a Improve the meaning of sentence (#5301)
The sentence had an incomplete meaning.
Go to this link to see the issue: https://aquasecurity.github.io/trivy/v0.45/tutorials/kubernetes/gitops/
2023-10-01 18:13:12 +00:00
dependabot[bot]
6ab2bdfa7c chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.2.0 to 2.2.2 (#5297)
Bumps [github.com/owenrumney/go-sarif/v2](https://github.com/owenrumney/go-sarif) from 2.2.0 to 2.2.2.
- [Release notes](https://github.com/owenrumney/go-sarif/releases)
- [Changelog](https://github.com/owenrumney/go-sarif/blob/main/.goreleaser.yml)
- [Commits](https://github.com/owenrumney/go-sarif/compare/v2.2.0...v2.2.2)

---
updated-dependencies:
- dependency-name: github.com/owenrumney/go-sarif/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-01 17:43:34 +00:00
dependabot[bot]
4217cffb5a chore(deps): bump golang.org/x/term from 0.11.0 to 0.12.0 (#5296)
Bumps [golang.org/x/term](https://github.com/golang/term) from 0.11.0 to 0.12.0.
- [Commits](https://github.com/golang/term/compare/v0.11.0...v0.12.0)

---
updated-dependencies:
- dependency-name: golang.org/x/term
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-01 17:30:33 +00:00
DmitriyLewen
1840584703 add app nil check (#5274) 2023-10-01 07:36:59 +00:00
Erik McKelvey
c5ae9f265f typo: in secret.md (#5281) 2023-10-01 07:27:47 +00:00
DmitriyLewen
562723f0a7 docs: add info about github format (#5265)
* docs: add info about github format

* rename `GitHub SBOM` to `GitHub dependency snapshots`
2023-09-28 18:40:45 +00:00
DmitriyLewen
3dd5b1e946 feat(dotnet): add license support for NuGet (#5217)
* add nuspec files support

* docs: docs, log messages, comments refactoring

* save found licences to use next time

* refactor

* refactor

* fix typo
2023-09-28 08:13:31 +00:00
Itay Shakury
5c18475f37 docs: correctly export variables (#5260)
missing = in variable definition
2023-09-28 07:15:48 +00:00
simar7
0c08dde015 chore: Add line numbers for lint output (#5247)
* fix(github): Add line numbers for lint output

* correctional message check

* update messaging
2023-09-28 07:12:47 +00:00
DmitriyLewen
0ccbb4f7fd chore(cli): disable java-db flags in server mode (#5263)
* disable java-db flag for server mode

* update docs
2023-09-28 07:10:14 +00:00
Michel Meyer
908a4914c7 feat(db): allow passing registry options (#5226)
* feat(db): allow passing registry options

Signed-off-by: Michel Meyer <meyer_michel@outlook.com>

* feat(db): pass cli registry options to javaDB

---------

Signed-off-by: Michel Meyer <meyer_michel@outlook.com>
2023-09-27 13:17:11 +00:00
simar7
5b4652d796 chore(deps): Bump up defsec to v0.93.0 (#5253) 2023-09-27 06:43:55 +00:00
DmitriyLewen
faf8d49c49 refactor(purl): use TypeApk from purl (#5232)
* use TypeApk from purl

* refactor: some tweaks

Signed-off-by: knqyf263 <knqyf263@gmail.com>

---------

Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
2023-09-26 08:55:23 +00:00
DmitriyLewen
559c0f30b1 chore: enable more linters (#5228)
* chore: enable more linters

* fix typos

* ci: add `verbose` option in linter action

* ci: remove `verbose` option in linter action
2023-09-26 06:20:54 +00:00
Nikita Pivkin
2baad46189 ci: bump GoReleaser from 1.16.2 to 1.20.0 (#5236)
* chore: replace brews.tap with brews.repository

* ci: bump GoReleaser from 1.16.2 to 1.20.0
2023-09-25 19:08:53 +00:00
za
df2bff9f5e Fix typo on ide.md (#5239)
mange -> manage.
2023-09-25 19:05:22 +00:00
Teppei Fukuda
44656f2853 refactor: use defined types (#5225)
* refactor: replace string with defined types

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* chore: add gci

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* fix(purl): not confuse trivy type with purl type

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* test: fix cyclonedx fixture

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* fix(template): cast TargetType to string

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* chore: bump TinyGo to v0.29.0

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* test: change license to licence

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* use `analyzer.TypeGoMod` for gomod analyzer

* ignore `licence` for misspell linter

---------

Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
2023-09-22 10:44:39 +00:00
Javier Freire Riobó
37af529947 fix(purl): skip local Go packages (#5190)
* fix(purl): trim a final slash

* fix(purl): skip local Go packages

* fix(purl): a few improvements
2023-09-20 14:19:21 +00:00
Nikita Pivkin
eea3320d83 docs: update info about license scanning in Yarn projects (#5207) 2023-09-19 06:24:11 +00:00
DmitriyLewen
2e6662060e ci: auto apply labels (#5200)
* add label for mage file. Create workflow.

* fix typo

* setup go and aqua tools

* set fetch-depth == 1
2023-09-18 13:51:12 +00:00
DmitriyLewen
49680dc881 fix link (#5203) 2023-09-18 08:07:56 +00:00
270 changed files with 5088 additions and 2256 deletions


@@ -1,35 +1,31 @@
title: "<company name> "
title: "<company name>"
labels: ["adopters"]
body:
- type: checkboxes
attributes:
label: Please select all the scan targets that you are using
options:
- label: Container Images
- label: Filesystem
- label: Git Repository
- label: Virtual Machine Images
- label: Kubernetes
- label: AWS
validations:
required: false
- type: checkboxes
attributes:
label: Which scanners are you using on those scan targets?
options:
- label: OS packages and software dependencies in use (SBOM)
- label: Known vulnerabilities (CVEs)
- label: IaC issues and misconfigurations
- label: Sensitive information and secrets
- label: Software licenses
validations:
required: false
- type: textarea
id: info
attributes:
label: "Additional Information"
description: "Please tell us more about your use case of Trivy -- anything that you would like to share 🎉"
value: |
...
label: "[Optional] How do you use Trivy?"
validations:
required: false
required: false
- type: checkboxes
attributes:
label: "[Optional] Which targets are you scanning with Trivy?"
options:
- label: "Container Image"
- label: "Filesystem"
- label: "Git Repository"
- label: "Virtual Machine Image"
- label: "Kubernetes"
- label: "AWS"
- label: "SBOM"
validations:
required: false
- type: checkboxes
attributes:
label: "[Optional] What kind of issues are scanning with Trivy?"
options:
- label: "Software Bill of Materials (SBOM)"
- label: "Known vulnerabilities (CVEs)"
- label: "IaC issues and misconfigurations"
- label: "Sensitive information and secrets"
- label: "Software licenses"
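Review bot: The new checkbox label `"[Optional] What kind of issues are scanning with Trivy?"` is missing its subject and reads as broken English in the issue form users will see. Rewording it to `label: "[Optional] What kind of issues are you scanning for with Trivy?"` keeps the same options and matches the phrasing of the preceding `"[Optional] Which targets are you scanning with Trivy?"` question. This is a user-facing string in the adopters form, so it is worth fixing before the template is published.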


@@ -0,0 +1,30 @@
name: Auto-update labels
on:
push:
paths:
- 'misc/triage/labels.yaml'
branches:
- main
jobs:
deploy:
name: Auto-update labels
runs-on: ubuntu-latest
steps:
- name: Checkout main
uses: actions/checkout@v4.1.0
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version-file: go.mod
- name: Install aqua tools
uses: aquaproj/aqua-installer@v2.1.2
with:
aqua_version: v1.25.0
- name: update labels
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: mage label
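Review bot: The new workflow hands `secrets.GITHUB_TOKEN` to `mage label` without a `permissions:` block, so the token carries whatever the repository's default token permissions grant rather than the minimum this job needs. Syncing labels presumably needs only `issues: write` (confirm against the mage target, which is outside this file); adding at workflow level `permissions:` / `  contents: read` / `  issues: write` scopes the token accordingly. Separately, `aquaproj/aqua-installer@v2.1.2` and `actions/setup-go@v4` are pinned to mutable tags while the release workflow in this same change pins `sigstore/cosign-installer` to a commit SHA; a SHA pin with a `# vX.Y.Z` comment would follow that precedent for a job that runs with a write-capable token.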


@@ -25,7 +25,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Restore Trivy binaries from cache
uses: actions/cache@v3.3.1
uses: actions/cache@v3.3.2
with:
path: dist/
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}


@@ -0,0 +1,31 @@
name: Check Go versions of dependencies
on:
pull_request:
paths:
- 'go.mod'
workflow_dispatch:
jobs:
check-go-versions:
name: Check Go versions of dependencies
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4.1.0
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: stable
# This workflow is a workaround before the "old stable" version becomes Go 1.21.
# To avoid updating dependencies that require Go 1.21, we use this workflow
# Example of wrong update:
# https://github.com/aquasecurity/trivy/discussions/5323#discussioncomment-7186321
- name: Check that dependencies doesn't require Go 1.21
run: |
go mod tidy
if grep -q "go 1.21" go.mod; then
echo "One of new dependencies requires Go '1.21'. Use 'go get go@1.20' to fix this."
exit 1
fi
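Review bot: The guard `if grep -q "go 1.21" go.mod; then` is an unanchored substring match that only recognises 1.21, so a dependency that lifts the directive to `go 1.22` or any later minor passes the check, while any other line containing that text would trip it. Anchoring on the directive and covering later versions, `if grep -Eq '^go 1\.(2[1-9]|[3-9][0-9])' go.mod; then`, expresses the stated intent of keeping the module buildable with Go 1.20. The echoed message also reads better as `One of the new dependencies requires Go 1.21 or newer; run 'go get go@1.20' to fix this.` Note that the step's exit status depends only on the grep; whether `go mod tidy` changed anything else is not checked here.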


@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout main
uses: actions/checkout@v3.6.0
uses: actions/checkout@v4.1.0
with:
fetch-depth: 0
persist-credentials: true


@@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout main
uses: actions/checkout@v3.6.0
uses: actions/checkout@v4.1.0
with:
fetch-depth: 0
persist-credentials: true


@@ -22,7 +22,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v3.6.0
uses: actions/checkout@v4.1.0
with:
fetch-depth: 0
- name: Install Helm
@@ -55,7 +55,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v3.6.0
uses: actions/checkout@v4.1.0
with:
fetch-depth: 0
- name: Install chart-releaser


@@ -19,12 +19,12 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v3.6.0
uses: actions/checkout@v4.1.0
with:
fetch-depth: 0
- name: Restore Trivy binaries from cache
uses: actions/cache@v3.3.1
uses: actions/cache@v3.3.2
with:
path: dist/
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
@@ -35,7 +35,7 @@ jobs:
sudo apt-get -y install rpm reprepro createrepo-c distro-info
- name: Checkout trivy-repo
uses: actions/checkout@v3.6.0
uses: actions/checkout@v4.1.0
with:
repository: ${{ github.repository_owner }}/trivy-repo
path: trivy-repo


@@ -39,37 +39,37 @@ jobs:
uses: sigstore/cosign-installer@4a861528be5e691840a69536975ada1d4c30349d
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@v3
- name: Show available Docker Buildx platforms
run: echo ${{ steps.buildx.outputs.platforms }}
- name: Login to docker.io registry
uses: docker/login-action@v2
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to ghcr.io registry
uses: docker/login-action@v2
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ env.GH_USER }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to ECR
uses: docker/login-action@v2
uses: docker/login-action@v3
with:
registry: public.ecr.aws
username: ${{ secrets.ECR_ACCESS_KEY_ID }}
password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
- name: Checkout code
uses: actions/checkout@v3.6.0
uses: actions/checkout@v4.1.0
with:
fetch-depth: 0
@@ -93,7 +93,7 @@ jobs:
- name: GoReleaser
uses: goreleaser/goreleaser-action@v4
with:
version: v1.16.2
version: v1.20.0
args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
env:
GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
@@ -121,7 +121,7 @@ jobs:
public.ecr.aws/aquasecurity/trivy:canary
- name: Cache Trivy binaries
uses: actions/cache@v3.3.1
uses: actions/cache@v3.3.2
with:
path: dist/
# use 'github.sha' to create a unique cache folder for each run.


@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3.6.0
uses: actions/checkout@v4.1.0
- name: Run Trivy vulnerability scanner and create GitHub issues
uses: knqyf263/trivy-issue-action@v0.0.5


@@ -1,4 +1,4 @@
name: "Stale issues"
name: "Stale PR's"
on:
schedule:
- cron: '0 0 * * *'
@@ -10,11 +10,10 @@ jobs:
- uses: actions/stale@v8
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue is stale because it has been labeled with inactivity.'
stale-pr-message: 'This PR is stale because it has been labeled with inactivity.'
exempt-issue-labels: 'lifecycle/frozen,lifecycle/active,priority/critical-urgent,priority/important-soon,priority/important-longterm,priority/backlog,priority/awaiting-more-evidence'
exempt-pr-labels: 'lifecycle/active'
stale-pr-label: 'lifecycle/stale'
stale-issue-label: 'lifecycle/stale'
days-before-stale: 60
days-before-issue-stale: '-1'
days-before-close: 20
days-before-issue-close: '-1'


@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3.6.0
uses: actions/checkout@v4.1.0
with:
fetch-depth: 0
persist-credentials: true


@@ -1,14 +1,5 @@
name: Test
on:
push:
branches-ignore:
- 'main'
- 'gh-readonly-queue/**'
paths-ignore:
- '**.md'
- 'docs/**'
- 'mkdocs.yml'
- 'LICENSE'
pull_request:
paths-ignore:
- '**.md'
@@ -24,7 +15,7 @@ jobs:
matrix:
operating-system: [ubuntu-latest, windows-latest, macos-latest]
steps:
- uses: actions/checkout@v3.6.0
- uses: actions/checkout@v4.1.0
- name: Set up Go
uses: actions/setup-go@v4
@@ -41,13 +32,20 @@ jobs:
if: matrix.operating-system == 'ubuntu-latest'
- name: Lint
id: lint
uses: golangci/golangci-lint-action@v3.7.0
with:
version: v1.52
args: --deadline=30m
version: v1.54
args: --deadline=30m --out-format=line-number
skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
if: matrix.operating-system == 'ubuntu-latest'
- name: Check if linter failed
run: |
echo "Linter failed, running 'mage lint:fix' might help to correct some errors"
exit 1
if: ${{ failure() && steps.lint.conclusion == 'failure' }}
- name: Install tools
uses: aquaproj/aqua-installer@v2.1.2
with:
@@ -71,7 +69,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v3.6.0
uses: actions/checkout@v4.1.0
- name: Set up Go
uses: actions/setup-go@v4
@@ -91,7 +89,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v3.6.0
uses: actions/checkout@v4.1.0
- name: Set up Go
uses: actions/setup-go@v4
@@ -111,7 +109,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3.6.0
uses: actions/checkout@v4.1.0
- name: Set up Go
uses: actions/setup-go@v4
@@ -132,8 +130,17 @@ jobs:
name: VM Integration Test
runs-on: ubuntu-latest
steps:
- name: Maximize build space
uses: easimon/maximize-build-space@v8
with:
root-reserve-mb: 35840 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
remove-android: 'true'
remove-docker-images: 'true'
remove-dotnet: 'true'
remove-haskell: 'true'
- name: Checkout
uses: actions/checkout@v3.6.0
uses: actions/checkout@v4.1.0
- name: Set up Go
uses: actions/setup-go@v4
@@ -167,7 +174,7 @@ jobs:
if: matrix.operating-system == 'ubuntu-latest'
- name: Checkout
uses: actions/checkout@v3.6.0
uses: actions/checkout@v4.1.0
- name: Set up Go
uses: actions/setup-go@v4
@@ -189,5 +196,5 @@ jobs:
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v4
with:
version: v1.16.2
version: v1.20.0
args: build --snapshot --clean --timeout 90m ${{ steps.goreleaser_id.outputs.id }}
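Review bot: `easimon/maximize-build-space@v8` is a new third-party action pulled in by a mutable major tag, and its `remove-android`/`remove-docker-images`/`remove-dotnet`/`remove-haskell` inputs indicate it runs with enough privilege to reshape the runner's disk before the checkout step, so a force-moved or compromised tag would execute first in the VM integration job. The release workflow in this same change pins `sigstore/cosign-installer` to a commit SHA; pinning this action the same way, `uses: easimon/maximize-build-space@<commit-sha> # v8`, keeps the supply-chain posture consistent. The `golangci/golangci-lint-action@v3.7.0` and `aquaproj/aqua-installer@v2.1.2` lines in the lint job appear to be unchanged context but would benefit from the same treatment.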


@@ -17,14 +17,54 @@ linters-settings:
min-occurrences: 3
misspell:
locale: US
goimports:
local-prefixes: github.com/aquasecurity
ignore-words:
- licence
gosec:
excludes:
- G101
- G114
- G204
- G402
gci:
sections:
- standard
- default
- prefix(github.com/aquasecurity/)
- blank
- dot
gomodguard:
blocked:
modules:
- github.com/hashicorp/go-version:
recommendations:
- github.com/aquasecurity/go-version
reason: "`aquasecurity/go-version` is designed for our use-cases"
- github.com/Masterminds/semver:
recommendations:
- github.com/aquasecurity/go-version
reason: "`aquasecurity/go-version` is designed for our use-cases"
gocritic:
disabled-checks:
- appendAssign
- unnamedResult
- whyNoLint
- indexAlloc
- octalLiteral
- hugeParam
- rangeValCopy
- regexpSimplify
- sloppyReassign
- commentedOutCode
enabled-tags:
- diagnostic
- style
- performance
- experimental
- opinionated
settings:
ruleguard:
failOn: all
rules: '${configDir}/misc/lint/rules.go'
linters:
disable-all: true
@@ -39,14 +79,18 @@ linters:
- goconst
- gocyclo
- gofmt
- goimports
- misspell
- bodyclose
- gci
- gomodguard
- tenv
- gocritic
run:
go: '1.20'
skip-files:
- ".*._mock.go$"
- ".*._test.go$"
- ".*_mock.go$"
- ".*_test.go$"
- "integration/*"
- "examples/*"
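Review bot: The `gosec` block excludes G101, G114, G204 and G402 for the whole repository, and the new `gocritic` settings disable `whyNoLint`, so a hard-coded credential, an `http.Serve` without timeouts, a variable-driven `exec.Command` or a TLS config with `InsecureSkipVerify` can land without either a finding or a written justification. Whether the gosec excludes are added here or pre-existing context is not recoverable from this rendering, but for a security scanner it is worth replacing the global list with per-site `//nolint:gosec // <reason>` directives and keeping `whyNoLint` enabled so every suppression carries its reason. If some IDs must stay globally excluded (G101 is likely noisy against secret-detection fixtures), a one-line comment on each ID stating why would at least document the decision.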


@@ -1,4 +1,4 @@
FROM alpine:3.18.3
FROM alpine:3.18.4
RUN apk --no-cache add ca-certificates git
COPY trivy /usr/local/bin/trivy
COPY contrib/*.tpl contrib/


@@ -1,4 +1,4 @@
FROM alpine:3.18.3
FROM alpine:3.18.4
RUN apk --no-cache add ca-certificates git
# binaries were created with GoReleaser


@@ -139,7 +139,7 @@ Please ensure to abide by our [Code of Conduct][code-of-conduct] during all inte
[Installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
[Ecosystem]: https://aquasecurity.github.io/trivy/latest/ecosystem/
[Scanning Coverage]: https://aquasecurity.github.io/trivy/latest/getting-started/coverage/
[Scanning Coverage]: https://aquasecurity.github.io/trivy/latest/docs/coverage/
[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
[rego]: https://www.openpolicyagent.org/docs/latest/#rego


@@ -5,6 +5,6 @@ registries:
- type: standard
ref: v3.157.0 # renovate: depName=aquaproj/aqua-registry
packages:
- name: tinygo-org/tinygo@v0.27.0
- name: tinygo-org/tinygo@v0.29.0
- name: WebAssembly/binaryen@version_112
- name: magefile/mage@v1.14.0


@@ -91,7 +91,7 @@
"Severity": {
"Label": "{{ $severity }}"
},
"Title": "Trivy found a misconfiguration in {{ $target }}: {{ .Title }}",
"Title": "Trivy found a misconfiguration in {{ $target }}: {{ escapeString .Title }}",
"Description": {{ escapeString $description | printf "%q" }},
"Remediation": {
"Recommendation": {
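Review bot: The new `escapeString .Title` closes one injection point but leaves `{{ $target }}` on the same line unescaped inside the JSON string literal, while the adjacent `Description` field is built with `escapeString $description | printf "%q"`, which shows the template already treats such values as untrusted. A target name containing `"` or `\` (a scanned path or image reference) would still break or alter the generated ASFF document, unless `$target` is escaped where it is assigned, which is outside this hunk. Change the line to `"Title": "Trivy found a misconfiguration in {{ escapeString $target }}: {{ escapeString .Title }}",`, or build the whole value with `printf "%q"` as Description does. The enclosing finding object starts and ends outside the hunk.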


@@ -85,7 +85,7 @@
<h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }}</h1>
<table>
{{- range . }}
<tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>
<tr class="group-header"><th colspan="6">{{ .Type | toString | escapeXML }}</th></tr>
{{- if (eq (len .Vulnerabilities) 0) }}
<tr><th colspan="6">No Vulnerabilities found</th></tr>
{{- else }}


@@ -27,7 +27,7 @@ $ ./trivy -h
You must pass the linter checks:
```shell
$ mage lint
$ mage lint:run
```
Additionally, you need to have run `go mod tidy`, so execute the following command as well:
@@ -36,6 +36,11 @@ Additionally, you need to have run `go mod tidy`, so execute the following comma
$ mage tidy
```
To autofix linters use the following command:
```shell
$ mage lint:fix
```
### Unit tests
Your PR must pass all the unit tests. You can test it as below.


@@ -12,16 +12,16 @@ export SP_DATA=$(az ad sp create-for-rbac --name TrivyTest --role AcrPull --scop
# Usage
```bash
# must set TRIVY_USERNAME empty char
export AZURE_CLIENT_ID$(echo $SP_DATA | jq -r .appId)
export AZURE_CLIENT_SECRET$(echo $SP_DATA | jq -r .password)
export AZURE_TENANT_ID$(echo $SP_DATA | jq -r .tenant)
export AZURE_CLIENT_ID=$(echo $SP_DATA | jq -r '.appId')
export AZURE_CLIENT_SECRET=$(echo $SP_DATA | jq -r '.password')
export AZURE_TENANT_ID=$(echo $SP_DATA | jq -r '.tenant')
```
# Testing
You can test credentials in the following manner.
```bash
docker run -it --rm -v /tmp:/tmp\
-e AZURE_CLIENT_ID=${AZURE_CLIENT_ID} -e AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET} \
-e AZURE_TENANT_ID=${AZURE_TENANT_ID} aquasec/trivy image your_special_project.azurecr.io/your_special_image:your_special_tag
docker run -it --rm -v /tmp:/tmp \
-e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e AZURE_TENANT_ID \
aquasec/trivy image your_special_project.azurecr.io/your_special_image:your_special_tag
```


@@ -64,6 +64,9 @@ Downloading the Java index DB from an external OCI registry can be done by using
$ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db --download-java-db-only
```
!!! Note
In [Client/Server](../references/modes/client-server.md) mode, `Java index DB` is currently only used on the `client` side.
## Remove DBs
The `--reset` flag removes all caches and databases.


@@ -8,6 +8,7 @@ Trivy supports the following formats:
- [SARIF](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)
- Template
- SBOM
- GitHub dependency snapshot
### Table (Default)
@@ -258,6 +259,20 @@ $ trivy image --format sarif -o report.sarif golang:1.12-alpine
This SARIF file can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action][action] for automating this process.
### GitHub dependency snapshot
Trivy supports the following packages.
- [OS packages][os_packages]
- [Language-specific packages][language_packages]
[GitHub dependency snapshots][github-sbom] can be generated with the `--format github` flag.
```
$ trivy image --format github -o report.gsbom alpine
```
This snapshot file can be [submitted][github-sbom-submit] to your GitHub repository.
### Template
| Scanner | Supported |
@@ -389,3 +404,8 @@ $ trivy convert --format table --severity CRITICAL result.json
[asff]: ../../tutorials/integrations/aws-security-hub.md
[sarif]: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
[sprig]: http://masterminds.github.io/sprig/
[github-sbom]: https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#about-dependency-submissions
[github-sbom-submit]: https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#create-a-snapshot-of-dependencies-for-a-repository
[os_packages]: ../scanner/vulnerability.md#os-packages
[language_packages]: ../scanner/vulnerability.md#language-specific-packages


@@ -5,4 +5,5 @@ For more detailed information about the specific platforms and languages, check
- [OS Packages](os/index.md)
- [Language-specific Packages](language/index.md)
- [IaC files](iac/index.md)
- [IaC files](iac/index.md)
- [Kubernetes clusters](./kubernetes.md)


@@ -0,0 +1,22 @@
# Kubernetes
When scanning a Kubernetes cluster, Trivy differentiates between the following:
1. Cluster infrastructure (e.g api-server, kubelet, addons)
1. Cluster configuration (e.g Roles, ClusterRoles).
1. Application workloads (e.g nginx, postgresql).
Whenever Trivy scans either of these Kubernetes resources, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
When scanning any of the above, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
Container image is scanned for:
- Vulnerabilities
- Misconfigurations
- Exposed secrets
Kubernetes resource definition is scanned for:
- Vulnerabilities - partially supported through [KBOM scanning](#KBOM)
- Misconfigurations
- Exposed secrets
To learn more, please see the [documentation for Kubernetes scanning](../target/kubernetes.md)


@@ -7,7 +7,7 @@ The following scanners are supported.
| Artifact | SBOM | Vulnerability | License |
|-----------|:----:|:-------------:|:-------:|
| .Net Core | ✓ | ✓ | - |
| NuGet | ✓ | ✓ | - |
| NuGet | ✓ | ✓ | |
The following table provides an outline of the features Trivy offers.
@@ -17,18 +17,31 @@ The following table provides an outline of the features Trivy offers.
| NuGet | packages.config | ✓ | Excluded | - | - |
| NuGet | packages.lock.json | ✓ | Included | ✓ | ✓ |
### *.deps.json
## *.deps.json
Trivy parses `*.deps.json` files. Trivy currently excludes dev dependencies from the report.
### packages.config
## packages.config
Trivy only finds dependency names and versions from `packages.config` files. To build dependency graph, it is better to use `packages.lock.json` files.
### packages.lock.json
### license detection
`packages.config` files don't have information about the licenses used.
Trivy uses [*.nuspec][nuspec] files from [global packages folder][global-packages] to detect licenses.
!!! note
The `licenseUrl` field is [deprecated][license-url]. Trivy doesn't parse this field and only checks the [license] field (license `expression` type only).
Currently only the default path and `NUGET_PACKAGES` environment variable are supported.
## packages.lock.json
Don't forgot to [enable][enable-lock] lock files in your project.
!!! tip
Please make sure your lock file is up-to-date after modifying dependencies.
### license detection
Same as [packages.config](#license-detection)
[enable-lock]: https://learn.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#enabling-the-lock-file
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[nuspec]: https://learn.microsoft.com/en-us/nuget/reference/nuspec
[global-packages]: https://learn.microsoft.com/en-us/nuget/consume-packages/managing-the-global-packages-and-cache-folders
[license]: https://learn.microsoft.com/en-us/nuget/reference/nuspec#license
[license-url]: https://learn.microsoft.com/en-us/nuget/reference/nuspec#licenseurl


@@ -7,7 +7,7 @@ The following scanners are supported.
| Artifact | SBOM | Vulnerability | License |
| -------- | :---: | :-----------: | :-----: |
| npm | ✓ | ✓ | ✓ |
| Yarn | ✓ | ✓ | - |
| Yarn | ✓ | ✓ | |
| pnpm | ✓ | ✓ | - |
The following table provides an outline of the features Trivy offers.


@@ -20,30 +20,27 @@ trivy server [flags]
### Options
```
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
-h, --help help for server
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--listen string listen address in server mode (default "localhost:4954")
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
--skip-java-db-update skip updating Java index database
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--username strings username. Comma-separated usernames allowed.
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--clear-cache clear image caches without scanning
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
-h, --help help for server
--listen string listen address in server mode (default "localhost:4954")
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--username strings username. Comma-separated usernames allowed.
```
### Options inherited from parent commands


@@ -96,7 +96,7 @@ If the file doesn't exist, only built-in rules are used.
You can customize the config file path via the `--secret-config` flag.
!!! warning
Trivy uses [Golang regexp package](https://pkg.go.dev/regexp/syntax#hdr-Syntax). To use `^` and `$` as simbols of begin and end of line use multi-line mode -`(?m)`.
Trivy uses [Golang regexp package](https://pkg.go.dev/regexp/syntax#hdr-Syntax). To use `^` and `$` as symbols of begin and end of line use multi-line mode -`(?m)`.
### Custom Rules
Trivy allows defining custom rules.


@@ -5,6 +5,9 @@ The following packages are supported.
- [OS packages](#os-packages)
- [Language-specific packages](#language-specific-packages)
- [Kubernetes components (control plane, node and addons)](#kubernetes-components-control-plane-node-and-addons)
Trivy also detects known vulnerabilities in Kubernetes components using KBOM (Kubernetes bill of Material) scanning. To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md#KBOM).
## OS Packages
Trivy is capable of automatically detecting installed OS packages when scanning container images, VM images and running hosts.
@@ -98,6 +101,18 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
[^1]: Intentional delay between vulnerability disclosure and registration in the DB
## Kubernetes
Trivy can detect vulnerabilities in Kubernetes clusters and components.
### Data Sources
| Vendor | Source |
| ------------- |---------------------------------------------|
| Kubernetes | [Kubernetes Official CVE feed][k8s-cve][^1] |
[^1]: Some manual triage and correction has been made.
## Database
Trivy downloads [the vulnerability database](https://github.com/aquasecurity/trivy-db) every 6 hours.
Trivy uses two types of databases for vulnerability detection:
@@ -180,3 +195,5 @@ Currently, specifying a username and password is not supported.
[rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
[nvd]: https://nvd.nist.gov/vuln
[k8s-cve]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/


@@ -3,21 +3,88 @@
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
## CLI
The Trivy K8s CLI allows you to scan your Kubernetes cluster for
Trivy can connect to your Kubernetes cluster and scan it for security issues using the `trivy k8s` command. This page covers the technical capabilities of Trivy Kubernetes scanning.
Trivy can also be installed *inside* your cluster as a Kubernetes Operator, and continuously scan it. For more about this, please see the [Trivy Operator][https://aquasecurity.github.io/trivy-operator/] project.
When scanning a Kubernetes cluster, Trivy differentiates between the following:
1. Cluster infrastructure (e.g api-server, kubelet, addons)
1. Cluster configuration (e.g Roles, ClusterRoles).
1. Application workloads (e.g nginx, postgresql).
When scanning any of the above, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
Container image is scanned for:
- Vulnerabilities
- Misconfigurations
- Secrets
You can either run the CLI locally or integrate it into your CI/CD pipeline.
The difference to the Trivy CLI is that the Trivy K8s CLI allows you to scan running workloads directly within your cluster.
- Exposed secrets
If you are looking for continuous cluster audit scanning, have a look at the Trivy K8s operator below.
Kubernetes resource definition is scanned for:
- Vulnerabilities - partially supported through [KBOM scanning](#KBOM)
- Misconfigurations
- Exposed secrets
Trivy uses your local kubectl configuration to access the API server to list artifacts.
## Kubernetes target configurations
### Commands
Trivy follows the behavior of the `kubectl` tool as much as possible.
### Scope
The command expects an argument that selects the scope of the scan (similarly to how `kubectl` expects an argument after `kubectl get`). This argument can be:
1. A Kubernetes Kind. e.g `pod`, `deployment`, etc.
2. A Kubernetes Resource. e.g `pods/mypod`, etc.
3. `all`. Scan common workload kinds, as listed [here](https://github.com/aquasecurity/trivy-kubernetes/blob/bf8cc2a00d9772e0aa271f06d375b936152b54b1/pkg/k8s/k8s.go#L296:L314)
4. `cluster` scan the entire cluster including all namespaced resources and cluster level resources.
Examples:
```
trivy k8s all
trivy k8s pods
trivy k8s deploy myapp
trivy k8s pod/mypod
trivy k8s pods,deploy
trivy k8s cluster
```
Note that the scope argument must appear last in the command line, after any other flag.
### Cluster
By default Trivy will look for a [`kubeconfig` configuration file in the default location](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/), and use the default cluster that is specified.
You can also specify a `kubeconfig` using the `--kubeconfig` flag:
```
trivy k8s --kubeconfig ~/.kube/config2
```
### Namespace
By default Trivy will scan all namespaces (following `kubectl` behavior). To specify a namespace use the `--namespace` flag:
```
trivy k8s --kubeconfig ~/.kube/config2 --namespace default
```
### Node
You can exclude specific nodes from the scan using the `--exclude-nodes` flag, which takes a label in the format `label-name:label-value` and excludes all matching nodes:
```
trivy k8s cluster --report summary --exclude-nodes kubernetes.io/arch:arm6
```
### Components types
You can control what kinds of components are discovered using the `--components` flag:
- `--components infra` will discover only cluster infrastructure components.
- `--components workloads` will discover only application workloads.
- If the flag is omitted: infra, workloads, and RBAC are discovered.
## Reporting and filtering
Since scanning an entire cluster for any security issue can be overwhelming, By default Trivy summarizes the results in a simple "summary" view.
By scoping the scan on a specific resource, you can see the detailed report.
You can always choose the report granularity using the `--report summary`/`--report all` flag.
Scan a full cluster and generate a simple summary report:
@@ -27,60 +94,24 @@ $ trivy k8s --report=summary cluster
![k8s Summary Report](../../imgs/trivy-k8s.png)
The summary report is the default. To get all of the detail the output contains, use `--report all`.
Filter by severity:
```
$ trivy k8s --severity=CRITICAL --report=all cluster
trivy k8s --severity=CRITICAL --report=all cluster
```
Filter by scanners (Vulnerabilities, Secrets or Misconfigurations):
```
$ trivy k8s --scanners=secret --report=summary cluster
trivy k8s --scanners=secret --report=summary cluster
# or
$ trivy k8s --scanners=config --report=summary cluster
trivy k8s --scanners=config --report=summary cluster
```
Scan a specific namespace:
The supported output formats are `table`, which is the default, and `json`.
```
$ trivy k8s -n kube-system --report=summary all
```
Use a specific kubeconfig file:
```
$ trivy k8s --kubeconfig ~/.kube/config2 -n kube-system --report=summary all
```
Scan a specific resource and get all the output:
```
$ trivy k8s deployment appname
```
Scan all deploys, or deploys and configmaps:
```
$ trivy k8s --report=summary deployment
$ trivy k8s --report=summary deployment,configmaps
```
If you want to pass in flags before scanning specific workloads, you will have to do it before the resource name.
For example, scanning a deployment in the app namespace of your Kubernetes cluster for critical vulnerabilities would be done through the following command:
```
$ trivy k8s -n app --severity=CRITICAL deployment/appname
```
This is specific to all Trivy CLI commands.
The supported formats are `table`, which is the default, and `json`.
To get a JSON output on a full cluster scan:
```
$ trivy k8s --format json -o results.json cluster
trivy k8s --format json -o results.json cluster
```
<details>
@@ -239,62 +270,10 @@ $ trivy k8s --format json -o results.json cluster
</details>
### Infra checks
Trivy by default scans kubernetes infra components (apiserver, controller-manager, scheduler and etcd)
if they exist under the `kube-system` namespace. For example, if you run a full cluster scan, or scan all
components under `kube-system` with commands:
```
$ trivy k8s cluster --report summary # full cluster scan
$ trivy k8s all -n kube-system --report summary # scan all components under kube-system
```
A table will be printed about misconfigurations found on kubernetes core components:
```
Summary Report for minikube
┌─────────────┬──────────────────────────────────────┬─────────────────────────────┐
│ Namespace │ Resource │ Kubernetes Infra Assessment │
│ │ ├────┬────┬────┬─────┬────────┤
│ │ │ C │ H │ M │ L │ U │
├─────────────┼──────────────────────────────────────┼────┼────┼────┼─────┼────────┤
│ kube-system │ Pod/kube-apiserver-minikube │ │ │ 1 │ 10 │ │
│ kube-system │ Pod/kube-controller-manager-minikube │ │ │ │ 3 │ │
│ kube-system │ Pod/kube-scheduler-minikube │ │ │ │ 1 │ │
└─────────────┴──────────────────────────────────────┴────┴────┴────┴─────┴────────┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
```
The infra checks are based on CIS Benchmarks recommendations for kubernetes.
If you want filter only for the infra checks, you can use the flag `--components` along with the `--scanners=config`
```
$ trivy k8s cluster --report summary --components=infra --scanners=config # scan only infra
```
Or, to filter for all other checks besides the infra checks, you can:
```
$ trivy k8s cluster --report summary --components=workload --scanners=config # scan all components besides infra
```
If you wish to exclude nodes from being scanned, you can use the flag `--exclude-nodes` with the node labels
```
trivy k8s cluster --report summary --exclude-nodes kubernetes.io/arch:arm6
```
### Compliance
## Compliance
This section describes Kubernetes specific compliance reports.
For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md).
#### Built in reports
The following reports are available out of the box:
| Compliance | Name for command | More info |
@@ -304,55 +283,77 @@ The following reports are available out of the box:
| Pod Security Standards, Baseline | `k8s-pss-baseline` | [Link](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline) |
| Pod Security Standards, Restricted | `k8s-pss-restricted` | [Link](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) |
#### Examples
Examples:
Scan a full cluster and generate a compliance summary report:
Scan the cluster for Kubernetes Pod Security Standards Baseline compliance:
```
$ trivy k8s cluster --compliance=<compliance_id> --report summary
trivy k8s cluster --compliance=k8s-pss-baseline --report summary
```
***Note*** : The `Issues` column represent the total number of failed checks for this control.
Get all of the detailed output for checks:
Get the detailed report for checks:
```
trivy k8s cluster --compliance=<compliance_id> --report all
trivy k8s cluster --compliance=k8s-cis --report all
```
Report result in JSON format:
Get summary report in JSON format:
```
trivy k8s cluster --compliance=<compliance_id> --report summary --format json
trivy k8s cluster --compliance=k8s-cis --report summary --format json
```
Get detailed report in JSON format:
```
trivy k8s cluster --compliance=<compliance_id> --report all --format json
trivy k8s cluster --compliance=k8s-cis --report all --format json
```
## Operator
Trivy has a native [Kubernetes Operator][operator] which continuously scans your Kubernetes cluster for security issues, and generates security reports as Kubernetes [Custom Resources][crd]. It does it by watching Kubernetes for state changes and automatically triggering scans in response to changes, for example initiating a vulnerability scan when a new Pod is created.
> Kubernetes-native security toolkit. ([Documentation][trivy-operator]).
<figure>
<figcaption>Workload reconcilers discover K8s controllers, manage scan jobs, and create VulnerabilityReport and ConfigAuditReport objects.</figcaption>
</figure>
[operator]: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/
[crd]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
[trivy-operator]: https://aquasecurity.github.io/trivy-operator/latest
## SBOM
Trivy supports the generation of Kubernetes Bill of Materials (KBOM) for kubernetes cluster control plane components, node components and addons.
## KBOM
KBOM, Kubernetes Bill of Materials, is a manifest of all the important components that make up your Kubernetes cluster Control plane components, Node Components, and Addons, including their versions and images. Which “api-server” version are you currently running? Which flavor of kubelet is running on each node? What kind of etcd or storage are you currently using? And most importantly are there any vulnerabilities known to affect these components? These are all questions that KBOM can help you answer.
KBOM, Kubernetes Bill of Materials, is a manifest of all the important components that make up your Kubernetes cluster Control plane components, Node Components, and Addons, including their versions and images. Which “api-server” version are you currently running? Which flavor of "kubelet" is running on each node? What kind of etcd or storage are you currently using? And most importantly are there any vulnerabilities known to affect these components? These are all questions that KBOM can help you answer.
For more background on KBOM, see [here](https://blog.aquasec.com/introducing-kbom-kubernetes-bill-of-materials).
Trivy can generate KBOM in CycloneDX format:
```sh
trivy k8s cluster --format cyclonedx
```
trivy k8s cluster --format cyclonedx --output mykbom.cdx.json
```
Trivy can also scan that generated KBOM (or any SBOM) for vulnerabilities:
```sh
trivy sbom mykbom.cdx.json
```
<details>
<summary>Result</summary>
```
2023-09-28T22:52:25.707+0300 INFO Vulnerability scanning is enabled
2023-09-28T22:52:25.707+0300 INFO Detected SBOM format: cyclonedx-json
2023-09-28T22:52:25.717+0300 WARN No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2023-09-28T22:52:25.717+0300 WARN e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
2023-09-28T22:52:25.717+0300 INFO Detected OS: debian gnu/linux
2023-09-28T22:52:25.717+0300 WARN unsupported os : debian gnu/linux
2023-09-28T22:52:25.717+0300 INFO Number of language-specific files: 3
2023-09-28T22:52:25.717+0300 INFO Detecting kubernetes vulnerabilities...
2023-09-28T22:52:25.718+0300 INFO Detecting gobinary vulnerabilities...
Kubernetes (kubernetes)
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────┬──────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2021-25749 │ HIGH │ fixed │ 1.24.0 │ 1.22.14, 1.23.11, 1.24.5 │ runAsNonRoot logic bypass for Windows containers │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25749 │
│ ├────────────────┼──────────┤ │ ├─────────────────────────────────┼──────────────────────────────────────────────────┤
│ │ CVE-2023-2431 │ LOW │ │ │ 1.24.14, 1.25.9, 1.26.4, 1.27.1 │ Bypass of seccomp profile enforcement │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2431 │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────┴──────────────────────────────────────────────────┘
```
</details>
Find more in the [documentation for SBOM scanning](./sbom.md).
Currently KBOM vulnerability matching works for plain Kubernetes distributions and does not work well for vendor variants, including some cloud managed distributions.


@@ -5,6 +5,7 @@ Trivy can take the following SBOM formats as an input and scan for vulnerabiliti
- SPDX
- SPDX JSON
- CycloneDX-type attestation
- [KBOM](./kubernetes.md#KBOM) in CycloneDX format
To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.
The input format is automatically detected.
@@ -107,3 +108,33 @@ Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
│ │ │ │ │ │ │
└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
```
## KBOM
To read more about KBOM, see the [documentation for Kubernetes scanning](./kubernetes.md#KBOM).
```shell
$ trivy k8s --format cyclonedx cluster -o kbom.json
$ trivy sbom kbom.json
2023-09-28T22:52:25.707+0300 INFO Vulnerability scanning is enabled
2023-09-28T22:52:25.707+0300 INFO Detected SBOM format: cyclonedx-json
2023-09-28T22:52:25.717+0300 WARN No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2023-09-28T22:52:25.717+0300 WARN e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
2023-09-28T22:52:25.717+0300 INFO Detected OS: debian gnu/linux
2023-09-28T22:52:25.717+0300 WARN unsupported os : debian gnu/linux
2023-09-28T22:52:25.717+0300 INFO Number of language-specific files: 3
2023-09-28T22:52:25.717+0300 INFO Detecting kubernetes vulnerabilities...
2023-09-28T22:52:25.718+0300 INFO Detecting gobinary vulnerabilities...
Kubernetes (kubernetes)
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────┬──────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2021-25749 │ HIGH │ fixed │ 1.24.0 │ 1.22.14, 1.23.11, 1.24.5 │ runAsNonRoot logic bypass for Windows containers │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25749 │
│ ├────────────────┼──────────┤ │ ├─────────────────────────────────┼──────────────────────────────────────────────────┤
│ │ CVE-2023-2431 │ LOW │ │ │ 1.24.14, 1.25.9, 1.26.4, 1.27.1 │ Bypass of seccomp profile enforcement │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2431 │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────┴──────────────────────────────────────────────────┘
```


@@ -9,6 +9,13 @@ GitHub Action for integrating Trivy into your GitHub pipeline
👉 Get it at: <https://github.com/aquasecurity/trivy-action>
## Azure DevOps (Official)
[Azure Devops](https://azure.microsoft.com/en-us/products/devops/#overview) is Microsoft Azure cloud native CI/CD service.
Trivy has a "Azure Devops Pipelines Task" for Trivy, that lets you easily introduce security scanning into your workflow, with an integrated Azure Devops UI.
👉 Get it at: <https://github.com/aquasecurity/trivy-azure-pipelines-task>
### trivy-action (Community)
GitHub Action to scan vulnerability using Trivy. If vulnerabilities are found by Trivy, it creates a GitHub Issue.
@@ -21,12 +28,11 @@ In this action, Trivy scans the dependency files such as package-lock.json and g
👉 Get it at: <https://github.com/marketplace/actions/trivy-github-issues>
## Azure DevOps (Official)
[Azure Devops](https://azure.microsoft.com/en-us/products/devops/#overview) is Microsoft Azure cloud native CI/CD service.
### Buildkite Plugin (Community)
Trivy has a "Azure Devops Pipelines Task" for Trivy, that lets you easily introduce security scanning into your workflow, with an integrated Azure Devops UI.
The trivy buildkite plugin provides a convenient mechanism for running the open-source trivy static analysis tool on your project.
👉 Get it at: <https://github.com/aquasecurity/trivy-azure-pipelines-task>
👉 Get it at: https://github.com/equinixmetal-buildkite/trivy-buildkite-plugin
## Semaphore (Community)
[Semaphore](https://semaphoreci.com/) is a CI/CD service.


@@ -34,7 +34,7 @@ Trivy Docker Desktop extension for scanning container images for vulnerabilities
👉 Get it at: <https://github.com/aquasecurity/trivy-docker-extension>
## Rancher Desktop (Community)
[Rancher Desktop](https://rancherdesktop.io/) is an easy way to use containers and Kubernetes on your development machine, and mange it in a GUI.
[Rancher Desktop](https://rancherdesktop.io/) is an easy way to use containers and Kubernetes on your development machine, and manage it in a GUI.
Trivy is natively integrated with Rancher, no installation is needed. More info in Rancher documentation: <https://docs.rancherdesktop.io/getting-started/features#scanning-images>


@@ -41,7 +41,7 @@ spec:
selfHeal: true
```
The apply the Kubernetes manifest. If you have the manifest locally, you can use the following command through kubectl:
To apply the Kubernetes manifest, if you have the manifest locally, you can use the following command through kubectl:
```
> kubectl apply -f trivy-operator.yaml

73
go.mod

@@ -13,8 +13,8 @@ require (
github.com/NYTimes/gziphandler v1.1.1
github.com/alicebob/miniredis/v2 v2.30.4
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/defsec v0.92.0
github.com/aquasecurity/go-dep-parser v0.0.0-20230830122616-841bc0f812c7
github.com/aquasecurity/defsec v0.93.1
github.com/aquasecurity/go-dep-parser v0.0.0-20231013060839-6f348921ea39
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -23,14 +23,14 @@ require (
github.com/aquasecurity/table v1.8.0
github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917
github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
github.com/aquasecurity/trivy-kubernetes v0.5.7
github.com/aws/aws-sdk-go v1.45.3
github.com/aquasecurity/trivy-kubernetes v0.5.8-0.20230928134646-b414e546fe6d
github.com/aws/aws-sdk-go v1.45.19
github.com/aws/aws-sdk-go-v2 v1.21.0
github.com/aws/aws-sdk-go-v2/config v1.18.38
github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0
github.com/aws/aws-sdk-go-v2/service/sts v1.21.5
github.com/aws/aws-sdk-go-v2/service/sts v1.22.0
github.com/bmatcuk/doublestar/v4 v4.6.0
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/cheggaaa/pb/v3 v3.1.4
@@ -46,9 +46,9 @@ require (
github.com/golang/protobuf v1.5.3
github.com/google/go-containerregistry v0.16.1
github.com/google/licenseclassifier/v2 v2.0.0
github.com/google/uuid v1.3.0
github.com/google/uuid v1.3.1
github.com/google/wire v0.5.0
github.com/hashicorp/go-getter v1.7.1
github.com/hashicorp/go-getter v1.7.2
github.com/hashicorp/go-multierror v1.1.1
github.com/hashicorp/golang-lru/v2 v2.0.6
github.com/in-toto/in-toto-golang v0.9.0
@@ -71,14 +71,15 @@ require (
github.com/moby/buildkit v0.11.6
github.com/open-policy-agent/opa v0.45.0
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.0-rc4
github.com/opencontainers/image-spec v1.1.0-rc5
github.com/openvex/go-vex v0.2.5
github.com/owenrumney/go-sarif/v2 v2.2.0
github.com/owenrumney/go-sarif/v2 v2.2.2
github.com/package-url/packageurl-go v0.1.2-0.20230812223828-f8bb31c1f10b
github.com/quasilyte/go-ruleguard/dsl v0.3.22
github.com/samber/lo v1.38.1
github.com/saracen/walker v0.1.3
github.com/secure-systems-lab/go-securesystemslib v0.7.0
github.com/sigstore/rekor v1.2.1
github.com/sigstore/rekor v1.2.2
github.com/sirupsen/logrus v1.9.3
github.com/sosedoff/gitkit v0.4.0
github.com/spdx/tools-golang v0.5.0
@@ -94,12 +95,12 @@ require (
github.com/xeipuuv/gojsonschema v1.2.0
github.com/xlab/treeprint v1.2.0
go.etcd.io/bbolt v1.3.7
go.uber.org/zap v1.25.0
go.uber.org/zap v1.26.0
golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
golang.org/x/mod v0.12.0
golang.org/x/mod v0.13.0
golang.org/x/sync v0.3.0
golang.org/x/term v0.11.0
golang.org/x/text v0.12.0
golang.org/x/term v0.13.0
golang.org/x/text v0.13.0
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
google.golang.org/protobuf v1.31.0
gopkg.in/yaml.v3 v3.0.1
@@ -109,11 +110,11 @@ require (
)
require (
cloud.google.com/go v0.110.0 // indirect
cloud.google.com/go/compute v1.19.3 // indirect
cloud.google.com/go v0.110.7 // indirect
cloud.google.com/go/compute v1.23.0 // indirect
cloud.google.com/go/compute/metadata v0.2.3 // indirect
cloud.google.com/go/iam v0.13.0 // indirect
cloud.google.com/go/storage v1.29.0 // indirect
cloud.google.com/go/iam v1.1.1 // indirect
cloud.google.com/go/storage v1.31.0 // indirect
dario.cat/mergo v1.0.0 // indirect
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
@@ -180,7 +181,7 @@ require (
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.2 // indirect
github.com/aws/aws-sdk-go-v2/service/kafka v1.19.4 // indirect
github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.19 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.23.0 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.24.1 // indirect
github.com/aws/aws-sdk-go-v2/service/lambda v1.24.6 // indirect
github.com/aws/aws-sdk-go-v2/service/mq v1.15.0 // indirect
github.com/aws/aws-sdk-go-v2/service/neptune v1.20.7 // indirect
@@ -235,12 +236,12 @@ require (
github.com/go-logr/logr v1.2.4 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/analysis v0.21.4 // indirect
github.com/go-openapi/errors v0.20.3 // indirect
github.com/go-openapi/errors v0.20.4 // indirect
github.com/go-openapi/jsonpointer v0.19.6 // indirect
github.com/go-openapi/jsonreference v0.20.2 // indirect
github.com/go-openapi/loads v0.21.2 // indirect
github.com/go-openapi/spec v0.20.9 // indirect
github.com/go-openapi/swag v0.22.3 // indirect
github.com/go-openapi/swag v0.22.4 // indirect
github.com/go-openapi/validate v0.22.1 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/goccy/go-yaml v1.8.1 // indirect
@@ -253,10 +254,10 @@ require (
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/s2a-go v0.1.3 // indirect
github.com/google/s2a-go v0.1.5 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
github.com/googleapis/gax-go/v2 v2.8.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
github.com/googleapis/gax-go/v2 v2.12.0 // indirect
github.com/gorilla/mux v1.8.0 // indirect
github.com/gosuri/uitable v0.0.4 // indirect
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
@@ -277,7 +278,7 @@ require (
github.com/json-iterator/go v1.1.12 // indirect
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
github.com/klauspost/compress v1.16.5 // indirect
github.com/klauspost/compress v1.16.6 // indirect
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
github.com/liamg/iamgo v0.0.9 // indirect
@@ -341,7 +342,7 @@ require (
github.com/stretchr/objx v0.5.0 // indirect
github.com/subosito/gotenv v1.4.2 // indirect
github.com/tchap/go-patricia/v2 v2.3.1 // indirect
github.com/ulikunitz/xz v0.5.10 // indirect
github.com/ulikunitz/xz v0.5.11 // indirect
github.com/vbatts/tar-split v0.11.3 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
@@ -356,17 +357,17 @@ require (
go.opentelemetry.io/otel/trace v1.14.0 // indirect
go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/crypto v0.12.0 // indirect
golang.org/x/net v0.14.0 // indirect
golang.org/x/oauth2 v0.8.0 // indirect
golang.org/x/sys v0.11.0 // indirect
golang.org/x/crypto v0.14.0 // indirect
golang.org/x/net v0.17.0 // indirect
golang.org/x/oauth2 v0.11.0 // indirect
golang.org/x/sys v0.13.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.10.0 // indirect
google.golang.org/api v0.122.0 // indirect
golang.org/x/tools v0.13.0 // indirect
google.golang.org/api v0.138.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577 // indirect
google.golang.org/grpc v1.57.0 // indirect
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect

144
go.sum

@@ -33,8 +33,8 @@ cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w9
cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU=
cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA=
cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys=
cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY=
cloud.google.com/go v0.110.7 h1:rJyC7nWRg2jWGZ4wSJ5nY65GTdYJkg0cd/uXb+ACI6o=
cloud.google.com/go v0.110.7/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI=
cloud.google.com/go/aiplatform v1.22.0/go.mod h1:ig5Nct50bZlzV6NvKaTwmplLLddFx0YReh9WfTO5jKw=
cloud.google.com/go/aiplatform v1.24.0/go.mod h1:67UUvRBKG6GTayHKV8DBv2RtR1t93YRu5B1P3x99mYY=
cloud.google.com/go/analytics v0.11.0/go.mod h1:DjEWCu41bVbYcKyvlws9Er60YE4a//bK6mnhWvQeFNI=
@@ -71,8 +71,8 @@ cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz
cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU=
cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U=
cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU=
cloud.google.com/go/compute v1.19.3 h1:DcTwsFgGev/wV5+q8o2fzgcHOaac+DKGC91ZlvpsQds=
cloud.google.com/go/compute v1.19.3/go.mod h1:qxvISKp/gYnXkSAD1ppcSOveRAmzxicEv/JlizULFrI=
cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY=
cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I=
@@ -113,13 +113,12 @@ cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y97
cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc=
cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY=
cloud.google.com/go/iam v0.5.0/go.mod h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc=
cloud.google.com/go/iam v0.13.0 h1:+CmB+K0J/33d0zSQ9SlFWUeCCEn5XJA0ZMZ3pHE9u8k=
cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0=
cloud.google.com/go/iam v1.1.1 h1:lW7fzj15aVIXYHREOqjRBV9PsH0Z6u8Y46a1YGvQP4Y=
cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU=
cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic=
cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI=
cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8=
cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08=
cloud.google.com/go/longrunning v0.4.1 h1:v+yFJOfKC3yZdY6ZUI933pIYdhyhV8S3NpWrXWmg7jM=
cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4=
cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w=
cloud.google.com/go/memcache v1.4.0/go.mod h1:rTOfiGZtJX1AaFUrOgsMHX5kAzaTQ8azHiuDoTPzNsE=
@@ -177,8 +176,8 @@ cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3f
cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y=
cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc=
cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s=
cloud.google.com/go/storage v1.29.0 h1:6weCgzRvMg7lzuUurI4697AqIRPU1SvzHhynwpW31jI=
cloud.google.com/go/storage v1.29.0/go.mod h1:4puEjyTKnku6gfKoTfNOU/W+a9JyuVNxjpS5GBrB8h4=
cloud.google.com/go/storage v1.31.0 h1:+S3LjjEN2zZ+L5hOwj4+1OkGCsLVe0NzpXKQ1pSdTCI=
cloud.google.com/go/storage v1.31.0/go.mod h1:81ams1PrhW16L4kF7qg+4mTq7SRs5HsbDTM0bWvrwJ0=
cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw=
cloud.google.com/go/talent v1.2.0/go.mod h1:MoNF9bhFQbiJ6eFD3uSsg0uBALw4n4gaCaEjBw9zo8g=
cloud.google.com/go/videointelligence v1.6.0/go.mod h1:w0DIDlVRKtwPCn/C4iwZIJdvC69yInhW0cfi+p546uU=
@@ -322,10 +321,10 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
github.com/aquasecurity/defsec v0.92.0 h1:cls2JJSQ+vb06Qh2XjnODIRfZbrTGBkBQnjgC6R5+vA=
github.com/aquasecurity/defsec v0.92.0/go.mod h1:uZIC1NjU5R49619WvZOlhWRpCEf/7KD3Lm8nDKRjq+o=
github.com/aquasecurity/go-dep-parser v0.0.0-20230830122616-841bc0f812c7 h1:FSfz2vfnL3EvTh04zDx4SYxKmgDbYSr8td6R8XbtbB8=
github.com/aquasecurity/go-dep-parser v0.0.0-20230830122616-841bc0f812c7/go.mod h1:0+GvQF0gL4YEAAUPpNeLeGpFDxMvvIHLMd7vk9bpwko=
github.com/aquasecurity/defsec v0.93.1 h1:y4XgRknjs2M58XVLANBT1wulO7N6Rz1oyfwNuzID+h4=
github.com/aquasecurity/defsec v0.93.1/go.mod h1:i80K4WRNbcIWDOQDWnTHkutBwplzw/uZD4laKbhu4sE=
github.com/aquasecurity/go-dep-parser v0.0.0-20231013060839-6f348921ea39 h1:5yB6PHCaU4yZzN1mMFnrpBerz2pgqYdDRRVSOj4EjVo=
github.com/aquasecurity/go-dep-parser v0.0.0-20231013060839-6f348921ea39/go.mod h1:RpdbxLhxxvWmv83HWNEiv+reFkmnV+GqHqr66mIU8nU=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
github.com/aquasecurity/go-mock-aws v0.0.0-20230810212901-d6feebd39060 h1:V7nC90NpRDEubNpNEgRDtTfLH3RKQlZeY9/HSqxEze8=
@@ -344,12 +343,12 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN
github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8=
github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917 h1:MQd7h7yUyA8UlUzhjNMzpUX0NpD7jfxmRfSKwp/Ji3E=
github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917/go.mod h1:WJ5Qnk5ZNGWvks07GOZe2IOsuXrPfSC5c8hYGOGfrsU=
github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d h1:fjI9mkoTUAkbGqpzt9nJsO24RAdfG+ZSiLFj0G2jO8c=
github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d/go.mod h1:cj9/QmD9N3OZnKQMp+/DvdV+ym3HyIkd4e+F0ZM3ZGs=
github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A=
github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.5.7 h1:+tIrSnIkvweL+cuK0SSiYxF8EvKT3Xk1iuE9EWduV+c=
github.com/aquasecurity/trivy-kubernetes v0.5.7/go.mod h1:e1RaMcs2R/C+eP1Pi7JyhDB7Qn1PNRg5rTVwuJL7AiE=
github.com/aquasecurity/trivy-kubernetes v0.5.8-0.20230928134646-b414e546fe6d h1:5urHj0NMGflp/M9Ll5QlKfo0Kf6nJ01RED1HRgl0CeE=
github.com/aquasecurity/trivy-kubernetes v0.5.8-0.20230928134646-b414e546fe6d/go.mod h1:e1RaMcs2R/C+eP1Pi7JyhDB7Qn1PNRg5rTVwuJL7AiE=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
@@ -364,8 +363,8 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
github.com/aws/aws-sdk-go v1.45.3 h1:Q8BksXg2ZUu2dCbA62+UCEtfvqsW8EO4tzt2IVeYAws=
github.com/aws/aws-sdk-go v1.45.3/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
github.com/aws/aws-sdk-go v1.45.19 h1:+4yXWhldhCVXWFOQRF99ZTJ92t4DtoHROZIbN7Ujk/U=
github.com/aws/aws-sdk-go v1.45.19/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k=
github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw=
github.com/aws/aws-sdk-go-v2 v1.17.5/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
@@ -475,8 +474,8 @@ github.com/aws/aws-sdk-go-v2/service/kafka v1.19.4 h1:EmEk3gRJzSEK8DUnkvTGDn/RQc
github.com/aws/aws-sdk-go-v2/service/kafka v1.19.4/go.mod h1:+O9qi0UC83Lk0KAnC/ixNcw4piXfUtPzXpYn/KC2Mhg=
github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.19 h1:qVaBkJxFxm6o/9DPNnJU6L9O3V7ycEKhCvRm2BFBQTU=
github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.19/go.mod h1:9rLNg+J9SEe7rhge/YzKU3QTovlLqOmqH8akb0IB1ko=
github.com/aws/aws-sdk-go-v2/service/kms v1.23.0 h1:NXYeZBNg35rDBhcus60DFkIP7q6RNSkarLx+37ERX1g=
github.com/aws/aws-sdk-go-v2/service/kms v1.23.0/go.mod h1:aNfh11Smy55o65PB3MyKbkM8BFyFUcZmj1k+4g8eNfg=
github.com/aws/aws-sdk-go-v2/service/kms v1.24.1 h1:zDmx9yZjSYDaeakQVN16qfsLxhBeAxgclioB0+rOCDM=
github.com/aws/aws-sdk-go-v2/service/kms v1.24.1/go.mod h1:yrlimpsAJc9fXj3jHC7Ig2Zb4iMAoSJ/VVzChf22dZk=
github.com/aws/aws-sdk-go-v2/service/lambda v1.24.6 h1:N7RkXX2SJbN+TCp295J3LdMR0KRFd2Bhi5nIO+svLQY=
github.com/aws/aws-sdk-go-v2/service/lambda v1.24.6/go.mod h1:oTJIIluTaJCRT6xP1AZpuU3JwRHBC0Q5O4Hg+SUxFHw=
github.com/aws/aws-sdk-go-v2/service/mq v1.15.0 h1:Z1q5y9q4feZb/h2H4D+MHqGflTEeyZH6MarBG6o00ng=
@@ -499,8 +498,9 @@ github.com/aws/aws-sdk-go-v2/service/sso v1.13.6 h1:2PylFCfKCEDv6PeSN09pC/VUiRd1
github.com/aws/aws-sdk-go-v2/service/sso v1.13.6/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5 h1:dnInJb4S0oy8aQuri1mV6ipLlnZPfnsDNB9BGO9PDNY=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4=
github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 h1:CQBFElb0LS8RojMJlxRSo/HXipvTZW2S44Lt9Mk2aYQ=
github.com/aws/aws-sdk-go-v2/service/sts v1.21.5/go.mod h1:VC7JDqsqiwXukYEDjoHh9U0fOJtNWh04FPQz4ct4GGU=
github.com/aws/aws-sdk-go-v2/service/sts v1.22.0 h1:s4bioTgjSFRwOoyEFzAVCmFmoowBgjTR8gkrF/sQ4wk=
github.com/aws/aws-sdk-go-v2/service/sts v1.22.0/go.mod h1:VC7JDqsqiwXukYEDjoHh9U0fOJtNWh04FPQz4ct4GGU=
github.com/aws/aws-sdk-go-v2/service/workspaces v1.23.0 h1:lrgZ9pZm9utPOPAXmQhqtf8oWRRksoSFxOE8RoD+pHc=
github.com/aws/aws-sdk-go-v2/service/workspaces v1.23.0/go.mod h1:vPam8+zGthTXeaFWgl3Uqbzo/0QEoXF22jpuMZ97hSk=
github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
@@ -509,7 +509,6 @@ github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J
github.com/aws/smithy-go v1.14.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
github.com/aws/smithy-go v1.14.2 h1:MJU9hqBGbvWZdApzpvoF2WAIJDbtjK2NDJSiJP7HblQ=
github.com/aws/smithy-go v1.14.2/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -843,8 +842,8 @@ github.com/go-openapi/analysis v0.21.4/go.mod h1:4zQ35W4neeZTqh3ol0rv/O8JBbka9Qy
github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
github.com/go-openapi/errors v0.19.9/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
github.com/go-openapi/errors v0.20.3 h1:rz6kiC84sqNQoqrtulzaL/VERgkoCyB6WdEkc2ujzUc=
github.com/go-openapi/errors v0.20.3/go.mod h1:Z3FlZ4I8jEGxjUK+bugx3on2mIAk4txuAOhlsB1FSgk=
github.com/go-openapi/errors v0.20.4 h1:unTcVm6PispJsMECE3zWgvG4xTiKda1LIR5rCRWLG6M=
github.com/go-openapi/errors v0.20.4/go.mod h1:Z3FlZ4I8jEGxjUK+bugx3on2mIAk4txuAOhlsB1FSgk=
github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
@@ -875,8 +874,9 @@ github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh
github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU=
github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
github.com/go-openapi/validate v0.22.1 h1:G+c2ub6q47kfX1sOBLwIQwzBVt8qmOAARyo/9Fqs9NU=
github.com/go-openapi/validate v0.22.1/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg=
github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
@@ -1048,8 +1048,8 @@ github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLe
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/s2a-go v0.1.3 h1:FAgZmpLl/SXurPEZyCMPBIiiYeTbqfjlbdnCNTAkbGE=
github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
github.com/google/s2a-go v0.1.5 h1:8IYp3w9nysqv3JH+NJgXJzGbDHzLOTj43BmSkp+O7qg=
github.com/google/s2a-go v0.1.5/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
@@ -1057,15 +1057,16 @@ github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/wire v0.5.0 h1:I7ELFeVBr3yfPIcc8+MWvrjk+3VjbcSzoXm3JVa+jD8=
github.com/google/wire v0.5.0/go.mod h1:ngWDr9Qvq3yZA10YrxfyGELY/AFWGVpy9c1LTRi1EoU=
github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg=
github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k=
github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
github.com/googleapis/enterprise-certificate-proxy v0.2.5 h1:UR4rDjcgpgEnqpIEvkiqTYKBCKLNmlge2eVjoZfySzM=
github.com/googleapis/enterprise-certificate-proxy v0.2.5/go.mod h1:RxW0N9901Cko1VOCW3SXCpWP+mlIEkk2tP7jnHy9a3w=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
@@ -1075,8 +1076,8 @@ github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99
github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c=
github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo=
github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY=
github.com/googleapis/gax-go/v2 v2.8.0 h1:UBtEZqx1bjXtOQ5BVTkuYghXrr3N4V123VKJK67vJZc=
github.com/googleapis/gax-go/v2 v2.8.0/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
@@ -1110,8 +1111,8 @@ github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brv
github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
github.com/hashicorp/go-getter v1.7.1 h1:SWiSWN/42qdpR0MdhaOc/bLR48PLuP1ZQtYLRlM69uY=
github.com/hashicorp/go-getter v1.7.1/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744=
github.com/hashicorp/go-getter v1.7.2 h1:uJDtyXwEfalmp1PqdxuhZqrNkUyClZAhVeZYTArbqkg=
github.com/hashicorp/go-getter v1.7.2/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744=
github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
@@ -1207,8 +1208,8 @@ github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8
github.com/klauspost/compress v1.13.0/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI=
github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
github.com/klauspost/compress v1.16.6 h1:91SKEy4K37vkp255cJ8QesJhjyRO0hn9i9G0GoUwLsk=
github.com/klauspost/compress v1.16.6/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f h1:GvCU5GXhHq+7LeOzx/haG7HSIZokl3/0GkoUFzsRJjg=
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f/go.mod h1:q59u9px8b7UTj0nIjEjvmTWekazka6xIt6Uogz5Dm+8=
github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422 h1:PPPlUUqPP6fLudIK4n0l0VU4KT2cQGnheW9x8pNiCHI=
@@ -1432,8 +1433,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0=
github.com/opencontainers/image-spec v1.1.0-rc4/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI=
github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
@@ -1460,8 +1461,8 @@ github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYr
github.com/openvex/go-vex v0.2.5 h1:41utdp2rHgAGCsG+UbjmfMG5CWQxs15nGqir1eRgSrQ=
github.com/openvex/go-vex v0.2.5/go.mod h1:j+oadBxSUELkrKh4NfNb+BPo77U3q7gdKME88IO/0Wo=
github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
github.com/owenrumney/go-sarif/v2 v2.2.0 h1:1DmZaijK0HBZCR1fgcDSGa7VzYkU9NDmbZ7qC2QfUjE=
github.com/owenrumney/go-sarif/v2 v2.2.0/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=
github.com/owenrumney/go-sarif/v2 v2.2.2 h1:x2acaiiAW9hu+78wbEYBRGLk5nRtHmkv7HeUsKvblwc=
github.com/owenrumney/go-sarif/v2 v2.2.2/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=
github.com/owenrumney/squealer v1.1.1 h1:e+fg29IxdNARSc4s7CbYnqVSepm9eOqErLNNNR5XbAs=
github.com/owenrumney/squealer v1.1.1/go.mod h1:Q5ekVoyFSG2FlnCVIBGsyk/FSMA/ATv8PtwKIVX7t/o=
github.com/package-url/packageurl-go v0.1.2-0.20230812223828-f8bb31c1f10b h1:mUXbYcE4/ZAh9uto21SUH+FL/RGmD0OGYci9JX66jDc=
@@ -1533,6 +1534,8 @@ github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1
github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg=
github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
github.com/quasilyte/go-ruleguard/dsl v0.3.22 h1:wd8zkOhSNr+I+8Qeciml08ivDt1pSXe60+5DqOpCjPE=
github.com/quasilyte/go-ruleguard/dsl v0.3.22/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
@@ -1575,8 +1578,8 @@ github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFR
github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
github.com/sigstore/rekor v1.2.1 h1:cEI4qn9IBvM7EkPQYl3YzCwCw97Mx8O2nHrv02XiI8U=
github.com/sigstore/rekor v1.2.1/go.mod h1:zcFO54qIg2G1/i0sE/nvmELUOng/n0MPjTszRYByVPo=
github.com/sigstore/rekor v1.2.2 h1:5JK/zKZvcQpL/jBmHvmFj3YbpDMBQnJQ6ygp8xdF3bY=
github.com/sigstore/rekor v1.2.2/go.mod h1:FGnWBGWzeNceJnp0x9eDFd41mI8aQqCjj+Zp0IEs0Qg=
github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
@@ -1676,8 +1679,9 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1
github.com/twitchtv/twirp v8.1.2+incompatible h1:0O6TfzZW09ZP5r+ORA90XQEE3PTgA6C7MBbl2KxvVgE=
github.com/twitchtv/twirp v8.1.2+incompatible/go.mod h1:RRJoFSAmTEh2weEqWtpPE3vFK5YBhA6bqp2l1kfCC5A=
github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8=
github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
@@ -1780,8 +1784,8 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c=
go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk=
go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -1812,8 +1816,8 @@ golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4
golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1853,8 +1857,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY=
golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1925,8 +1929,8 @@ golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1953,8 +1957,8 @@ golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri
golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A=
golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8=
golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -2104,8 +2108,8 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -2114,8 +2118,8 @@ golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -2130,8 +2134,8 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -2209,8 +2213,8 @@ golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyj
golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -2270,8 +2274,8 @@ google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ
google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s=
google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s=
google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70=
google.golang.org/api v0.122.0 h1:zDobeejm3E7pEG1mNHvdxvjs5XJoCMzyNH+CmwL94Es=
google.golang.org/api v0.122.0/go.mod h1:gcitW0lvnyWjSp9nKxAbdHKIZ6vF4aajGueeslZOyms=
google.golang.org/api v0.138.0 h1:K/tVp05MxNVbHShRw9m7e9VJGdagNeTdMzqPH7AUqr0=
google.golang.org/api v0.138.0/go.mod h1:4xyob8CxC+0GChNBvEUAk8VBKNvYOTWM9T3v3UfRxuY=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -2387,12 +2391,12 @@ google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqw
google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
google.golang.org/genproto v0.0.0-20221025140454-527a21cfbd71/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54 h1:9NWlQfY2ePejTmfwUH1OWwmznFa+0kKcHGPDvcPza9M=
google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54/go.mod h1:zqTuNwFlFRsw5zIts5VnzLQxSRqh+CGOTVMlYbY0Eyk=
google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9 h1:m8v1xLLLzMe1m5P+gCTF8nJB9epwZQUBERm20Oy1poQ=
google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 h1:0nDDozoAU19Qb2HwhXadU8OcsiO/09cnTqhUtq2MEOM=
google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5 h1:L6iMMGrtzgHsWofoFcihmDEMYeDR9KN/ThbPWGrh++g=
google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5/go.mod h1:oH/ZOT02u4kWEp7oYBGYFFkCdKS/uYR9Z7+0/xuuFp8=
google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 h1:nIgk/EEq3/YlnmVVXVnm14rC2oxgs1o0ong4sD/rd44=
google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5/go.mod h1:5DZzOUPCLYL3mNkQ0ms0F3EuUNZ7py1Bqeq6sxzI7/Q=
google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577 h1:wukfNtZmZUurLN/atp2hiIeTKn7QJWIQdHzqmsOnAOk=
google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M=
google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=


@@ -133,7 +133,7 @@ archives:
brews:
-
tap:
repository:
owner: aquasecurity
name: homebrew-trivy
homepage: "https://github.com/aquasecurity/trivy"


@@ -58,6 +58,15 @@ func TestSBOM(t *testing.T) {
},
golden: "testdata/fluentd-multiple-lockfiles.json.golden",
},
{
name: "minikube KBOM",
args: args{
input: "testdata/fixtures/sbom/minikube-kbom.json",
format: "json",
artifactType: "cyclonedx",
},
golden: "testdata/minikube-kbom.json.golden",
},
{
name: "centos7 in in-toto attestation",
args: args{


@@ -144,3 +144,8 @@
ID: "cbl-mariner"
Name: "CBL-Mariner Vulnerability Data"
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
- key: k8s::Official Kubernetes CVE Feed
value:
ID: "k8s"
Name: "Official Kubernetes CVE Feed"
URL: "https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json"


@@ -0,0 +1,16 @@
- bucket: "k8s::Official Kubernetes CVE Feed"
pairs:
- bucket: k8s.io/kubelet
pairs:
- key: CVE-2023-2431
value:
PatchedVersions:
- 1.24.14
- 1.25.9
- 1.26.4
- 1.27.1
VulnerableVersions:
- "< 1.24.14"
- ">= 1.25.0, < 1.25.9"
- ">= 1.26.0, < 1.26.4"
- ">= 1.27.0, < 1.27.1"


@@ -1037,6 +1037,20 @@
ghsa: 3.0
nvd: 3.0
redhat: 3.0
- key: CVE-2023-2431
value:
Title: "Bypass of seccomp profile enforcement "
Description: "A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement..."
Severity: LOW
VendorSeverity:
k8s: 1
CVSS:
k8s:
V3Vector: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
V3Score: 3.4
References:
- https://github.com/kubernetes/kubernetes/issues/118690
- https://www.cve.org/cverecord?id=CVE-2023-2431
- key: CVE-2021-3712
value:
CVSS:


@@ -0,0 +1,434 @@
{
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:e2daaea6-d96f-4b84-960c-0d72c348cd23",
"version": 1,
"metadata": {
"timestamp": "2023-09-29T06:25:00+00:00",
"tools": [
{
"vendor": "aquasecurity",
"name": "trivy",
"version": "0.45.1-15-g7bbd0d097"
}
],
"component": {
"bom-ref": "pkg:k8s/k8s.io%2Fkubernetes@1.27.0",
"type": "platform",
"name": "k8s.io/kubernetes",
"version": "1.27.0",
"purl": "pkg:k8s/k8s.io%2Fkubernetes@1.27.0",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "minikube"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "cluster"
}
]
}
},
"components": [
{
"bom-ref": "5262e708-f1a3-4fca-a1c3-0a8384f7f4a5",
"type": "operating-system",
"name": "ubuntu",
"version": "22.04.2",
"properties": [
{
"name": "aquasecurity:trivy:Class",
"value": "os-pkgs"
},
{
"name": "aquasecurity:trivy:Type",
"value": "ubuntu"
}
]
},
{
"bom-ref": "a62abb1f-cb38-4fde-90f3-2bda3b87ddb2",
"type": "application",
"name": "node-core-components",
"properties": [
{
"name": "aquasecurity:trivy:Class",
"value": "lang-pkgs"
},
{
"name": "aquasecurity:trivy:Type",
"value": "golang"
}
]
},
{
"bom-ref": "a6350ac3-52f6-4c5f-a3e3-184b9a634bef",
"type": "platform",
"name": "minikube",
"properties": [
{
"name": "aquasecurity:trivy:Architecture",
"value": "arm64"
},
{
"name": "aquasecurity:trivy:HostName",
"value": "minikube"
},
{
"name": "aquasecurity:trivy:KernelVersion",
"value": "5.15.49-linuxkit-pr"
},
{
"name": "aquasecurity:trivy:NodeRole",
"value": "master"
},
{
"name": "aquasecurity:trivy:OperatingSystem",
"value": "linux"
},
{
"name": "aquasecurity:trivy:resource:Name",
"value": "minikube"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "node"
}
]
},
{
"bom-ref": "b19a88a3-017d-4e70-a73a-75f48696ec0f",
"type": "application",
"name": "kube-dns",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "coredns-5d78c9869d-nd92n"
}
]
},
{
"bom-ref": "b1c502c9-3c6e-43af-822b-1cb55c6c6ff3",
"type": "application",
"name": "go.etcd.io/etcd/v3",
"version": "3.5.7-0",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "etcd-minikube"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "controlPlane"
}
]
},
{
"bom-ref": "pkg:golang/docker@24.0.4",
"type": "application",
"name": "docker",
"version": "24.0.4",
"purl": "pkg:golang/docker@24.0.4",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "docker"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "node"
}
]
},
{
"bom-ref": "pkg:k8s/k8s.io%2Fapiserver@1.27.0",
"type": "application",
"name": "k8s.io/apiserver",
"version": "1.27.0",
"purl": "pkg:k8s/k8s.io%2Fapiserver@1.27.0",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "kube-apiserver-minikube"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "controlPlane"
}
]
},
{
"bom-ref": "pkg:k8s/k8s.io%2Fcontroller-manager@1.27.0",
"type": "application",
"name": "k8s.io/controller-manager",
"version": "1.27.0",
"purl": "pkg:k8s/k8s.io%2Fcontroller-manager@1.27.0",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "kube-controller-manager-minikube"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "controlPlane"
}
]
},
{
"bom-ref": "pkg:k8s/k8s.io%2Fkube-proxy@1.27.0",
"type": "application",
"name": "k8s.io/kube-proxy",
"version": "1.27.0",
"purl": "pkg:k8s/k8s.io%2Fkube-proxy@1.27.0",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "kube-proxy-4wftc"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "node"
}
]
},
{
"bom-ref": "pkg:k8s/k8s.io%2Fkube-scheduler@1.27.0",
"type": "application",
"name": "k8s.io/kube-scheduler",
"version": "1.27.0",
"purl": "pkg:k8s/k8s.io%2Fkube-scheduler@1.27.0",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "kube-scheduler-minikube"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "controlPlane"
}
]
},
{
"bom-ref": "pkg:k8s/k8s.io%2Fkubelet@1.27.0",
"type": "application",
"name": "k8s.io/kubelet",
"version": "1.27.0",
"purl": "pkg:k8s/k8s.io%2Fkubelet@1.27.0",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "k8s.io/kubelet"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "node"
}
]
},
{
"bom-ref": "pkg:oci/coredns@sha256%3Aa0ead06651cf580044aeb0a0feba63591858fb2e43ade8c9dea45a6a89ae7e5e?repository_url=registry.k8s.io%2Fcoredns%2Fcoredns",
"type": "container",
"name": "registry.k8s.io/coredns/coredns",
"version": "sha256:a0ead06651cf580044aeb0a0feba63591858fb2e43ade8c9dea45a6a89ae7e5e",
"purl": "pkg:oci/coredns@sha256%3Aa0ead06651cf580044aeb0a0feba63591858fb2e43ade8c9dea45a6a89ae7e5e?repository_url=registry.k8s.io%2Fcoredns%2Fcoredns",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "registry.k8s.io/coredns/coredns:1.10.1"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "oci"
}
]
},
{
"bom-ref": "pkg:oci/etcd@sha256%3A51eae8381dcb1078289fa7b4f3df2630cdc18d09fb56f8e56b41c40e191d6c83?repository_url=registry.k8s.io%2Fetcd",
"type": "container",
"name": "registry.k8s.io/etcd",
"version": "sha256:51eae8381dcb1078289fa7b4f3df2630cdc18d09fb56f8e56b41c40e191d6c83",
"purl": "pkg:oci/etcd@sha256%3A51eae8381dcb1078289fa7b4f3df2630cdc18d09fb56f8e56b41c40e191d6c83?repository_url=registry.k8s.io%2Fetcd",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "registry.k8s.io/etcd:3.5.7-0"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "oci"
}
]
},
{
"bom-ref": "pkg:oci/kube-apiserver@sha256%3A697cd88d94f7f2ef42144cb3072b016dcb2e9251f0e7d41a7fede557e555452d?repository_url=registry.k8s.io%2Fkube-apiserver",
"type": "container",
"name": "registry.k8s.io/kube-apiserver",
"version": "sha256:697cd88d94f7f2ef42144cb3072b016dcb2e9251f0e7d41a7fede557e555452d",
"purl": "pkg:oci/kube-apiserver@sha256%3A697cd88d94f7f2ef42144cb3072b016dcb2e9251f0e7d41a7fede557e555452d?repository_url=registry.k8s.io%2Fkube-apiserver",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "registry.k8s.io/kube-apiserver:1.27.0"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "oci"
}
]
},
{
"bom-ref": "pkg:oci/kube-controller-manager@sha256%3A6286e500782ad6d0b37a1b8be57fc73f597dc931dfc73ff18ce534059803b265?repository_url=registry.k8s.io%2Fkube-controller-manager",
"type": "container",
"name": "registry.k8s.io/kube-controller-manager",
"version": "sha256:6286e500782ad6d0b37a1b8be57fc73f597dc931dfc73ff18ce534059803b265",
"purl": "pkg:oci/kube-controller-manager@sha256%3A6286e500782ad6d0b37a1b8be57fc73f597dc931dfc73ff18ce534059803b265?repository_url=registry.k8s.io%2Fkube-controller-manager",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "registry.k8s.io/kube-controller-manager:1.27.0"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "oci"
}
]
},
{
"bom-ref": "pkg:oci/kube-proxy@sha256%3A4bcb707da9898d2625f5d4edc6d0c96519a24f16db914fc673aa8f97e41dbabf?repository_url=registry.k8s.io%2Fkube-proxy",
"type": "container",
"name": "registry.k8s.io/kube-proxy",
"version": "sha256:4bcb707da9898d2625f5d4edc6d0c96519a24f16db914fc673aa8f97e41dbabf",
"purl": "pkg:oci/kube-proxy@sha256%3A4bcb707da9898d2625f5d4edc6d0c96519a24f16db914fc673aa8f97e41dbabf?repository_url=registry.k8s.io%2Fkube-proxy",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "registry.k8s.io/kube-proxy:1.27.0"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "oci"
}
]
},
{
"bom-ref": "pkg:oci/kube-scheduler@sha256%3A5897d7a97d23dce25cbf36fcd6e919180a8ef904bf5156583ffdb6a733ab04af?repository_url=registry.k8s.io%2Fkube-scheduler",
"type": "container",
"name": "registry.k8s.io/kube-scheduler",
"version": "sha256:5897d7a97d23dce25cbf36fcd6e919180a8ef904bf5156583ffdb6a733ab04af",
"purl": "pkg:oci/kube-scheduler@sha256%3A5897d7a97d23dce25cbf36fcd6e919180a8ef904bf5156583ffdb6a733ab04af?repository_url=registry.k8s.io%2Fkube-scheduler",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "registry.k8s.io/kube-scheduler:1.27.0"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "oci"
}
]
}
],
"dependencies": [
{
"ref": "5262e708-f1a3-4fca-a1c3-0a8384f7f4a5",
"dependsOn": []
},
{
"ref": "a62abb1f-cb38-4fde-90f3-2bda3b87ddb2",
"dependsOn": [
"pkg:golang/docker@24.0.4",
"pkg:k8s/k8s.io%2Fkubelet@1.27.0"
]
},
{
"ref": "a6350ac3-52f6-4c5f-a3e3-184b9a634bef",
"dependsOn": [
"5262e708-f1a3-4fca-a1c3-0a8384f7f4a5",
"a62abb1f-cb38-4fde-90f3-2bda3b87ddb2"
]
},
{
"ref": "b19a88a3-017d-4e70-a73a-75f48696ec0f",
"dependsOn": [
"pkg:oci/coredns@sha256%3Aa0ead06651cf580044aeb0a0feba63591858fb2e43ade8c9dea45a6a89ae7e5e?repository_url=registry.k8s.io%2Fcoredns%2Fcoredns"
]
},
{
"ref": "b1c502c9-3c6e-43af-822b-1cb55c6c6ff3",
"dependsOn": [
"pkg:oci/etcd@sha256%3A51eae8381dcb1078289fa7b4f3df2630cdc18d09fb56f8e56b41c40e191d6c83?repository_url=registry.k8s.io%2Fetcd"
]
},
{
"ref": "pkg:golang/docker@24.0.4",
"dependsOn": []
},
{
"ref": "pkg:k8s/k8s.io%2Fapiserver@1.27.0",
"dependsOn": [
"pkg:oci/kube-apiserver@sha256%3A697cd88d94f7f2ef42144cb3072b016dcb2e9251f0e7d41a7fede557e555452d?repository_url=registry.k8s.io%2Fkube-apiserver"
]
},
{
"ref": "pkg:k8s/k8s.io%2Fcontroller-manager@1.27.0",
"dependsOn": [
"pkg:oci/kube-controller-manager@sha256%3A6286e500782ad6d0b37a1b8be57fc73f597dc931dfc73ff18ce534059803b265?repository_url=registry.k8s.io%2Fkube-controller-manager"
]
},
{
"ref": "pkg:k8s/k8s.io%2Fkube-proxy@1.27.0",
"dependsOn": [
"pkg:oci/kube-proxy@sha256%3A4bcb707da9898d2625f5d4edc6d0c96519a24f16db914fc673aa8f97e41dbabf?repository_url=registry.k8s.io%2Fkube-proxy"
]
},
{
"ref": "pkg:k8s/k8s.io%2Fkube-scheduler@1.27.0",
"dependsOn": [
"pkg:oci/kube-scheduler@sha256%3A5897d7a97d23dce25cbf36fcd6e919180a8ef904bf5156583ffdb6a733ab04af?repository_url=registry.k8s.io%2Fkube-scheduler"
]
},
{
"ref": "pkg:k8s/k8s.io%2Fkubelet@1.27.0",
"dependsOn": []
},
{
"ref": "pkg:k8s/k8s.io%2Fkubernetes@1.27.0",
"dependsOn": [
"a6350ac3-52f6-4c5f-a3e3-184b9a634bef",
"b19a88a3-017d-4e70-a73a-75f48696ec0f",
"b1c502c9-3c6e-43af-822b-1cb55c6c6ff3",
"pkg:k8s/k8s.io%2Fapiserver@1.27.0",
"pkg:k8s/k8s.io%2Fcontroller-manager@1.27.0",
"pkg:k8s/k8s.io%2Fkube-proxy@1.27.0",
"pkg:k8s/k8s.io%2Fkube-scheduler@1.27.0"
]
},
{
"ref": "pkg:oci/coredns@sha256%3Aa0ead06651cf580044aeb0a0feba63591858fb2e43ade8c9dea45a6a89ae7e5e?repository_url=registry.k8s.io%2Fcoredns%2Fcoredns",
"dependsOn": []
},
{
"ref": "pkg:oci/etcd@sha256%3A51eae8381dcb1078289fa7b4f3df2630cdc18d09fb56f8e56b41c40e191d6c83?repository_url=registry.k8s.io%2Fetcd",
"dependsOn": []
},
{
"ref": "pkg:oci/kube-apiserver@sha256%3A697cd88d94f7f2ef42144cb3072b016dcb2e9251f0e7d41a7fede557e555452d?repository_url=registry.k8s.io%2Fkube-apiserver",
"dependsOn": []
},
{
"ref": "pkg:oci/kube-controller-manager@sha256%3A6286e500782ad6d0b37a1b8be57fc73f597dc931dfc73ff18ce534059803b265?repository_url=registry.k8s.io%2Fkube-controller-manager",
"dependsOn": []
},
{
"ref": "pkg:oci/kube-proxy@sha256%3A4bcb707da9898d2625f5d4edc6d0c96519a24f16db914fc673aa8f97e41dbabf?repository_url=registry.k8s.io%2Fkube-proxy",
"dependsOn": []
},
{
"ref": "pkg:oci/kube-scheduler@sha256%3A5897d7a97d23dce25cbf36fcd6e919180a8ef904bf5156583ffdb6a733ab04af?repository_url=registry.k8s.io%2Fkube-scheduler",
"dependsOn": []
}
],
"vulnerabilities": []
}


@@ -0,0 +1,65 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/sbom/minikube-kbom.json",
"ArtifactType": "cyclonedx",
"Metadata": {
"OS": {
"Family": "ubuntu",
"Name": "22.04.2",
"EOSL": false
},
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "testdata/fixtures/sbom/minikube-kbom.json (ubuntu 22.04.2)",
"Class": "os-pkgs",
"Type": "ubuntu"
},
{
"Target": "Kubernetes",
"Class": "lang-pkgs",
"Type": "kubernetes",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2023-2431",
"PkgName": "k8s.io/kubelet",
"InstalledVersion": "1.27.0",
"FixedVersion": "1.24.14, 1.25.9, 1.26.4, 1.27.1",
"Status": "fixed",
"Layer": {},
"SeveritySource": "k8s",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-2431",
"PkgRef": "pkg:k8s/k8s.io%2Fkubelet@1.27.0",
"DataSource": {
"ID": "k8s",
"Name": "Official Kubernetes CVE Feed",
"URL": "https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json"
},
"Title": "Bypass of seccomp profile enforcement ",
"Description": "A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement...",
"Severity": "LOW",
"CVSS": {
"k8s": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"V3Score": 3.4
}
},
"References": [
"https://github.com/kubernetes/kubernetes/issues/118690",
"https://www.cve.org/cverecord?id=CVE-2023-2431"
]
}
]
}
]
}
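Review bot: The `FixedVersion` on the new vulnerability entry lists every patched release (`1.24.14, 1.25.9, 1.26.4, 1.27.1`) while `InstalledVersion` is `1.27.0`, so three of the four suggested targets are older than what is installed. If this golden captures intended output it can merge as-is, but operators get a clearer remediation if the scanner narrows the list to patched versions of the installed minor (here `1.27.1`) or at least drops versions below the installed one; the selection logic is not on this page, so this is a question for the k8s scanner rather than the fixture. The trailing space in `Title` matches the DB fixture added in the same commit, which suggests feed text is not trimmed before it reaches the report.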


@@ -60,7 +60,7 @@ func (Tool) Wire() error {
// GolangciLint installs golangci-lint
func (Tool) GolangciLint() error {
const version = "v1.52.2"
const version = "v1.54.2"
if exists(filepath.Join(GOBIN, "golangci-lint")) {
return nil
}
@@ -277,12 +277,20 @@ func (Test) UpdateVMGolden() error {
return sh.RunWithV(ENV, "go", "test", "-v", "-tags=vm_integration", "./integration/...", "-update")
}
// Lint runs linters
func Lint() error {
type Lint mg.Namespace
// Run runs linters
func (Lint) Run() error {
mg.Deps(Tool{}.GolangciLint)
return sh.RunV("golangci-lint", "run", "--timeout", "5m")
}
// Fix auto fixes linters
func (Lint) Fix() error {
mg.Deps(Tool{}.GolangciLint)
return sh.RunV("golangci-lint", "run", "--timeout", "5m", "--fix")
}
// Fmt formats Go code and proto files
func Fmt() error {
// Check if clang-format is installed
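Review bot: `Lint.Run` and `Lint.Fix` duplicate the dependency declaration and the full `golangci-lint run --timeout 5m` invocation, differing only in the trailing `--fix`; a later timeout change has to be made in two places. A small shared helper keeps both targets one line each and makes the argument list the single source of truth. Both methods start and end inside this hunk.
```go
// golangciLint makes sure golangci-lint is installed and runs it with the shared timeout plus any extra arguments.
func golangciLint(extra ...string) error {
	mg.Deps(Tool{}.GolangciLint)
	args := append([]string{"run", "--timeout", "5m"}, extra...)
	return sh.RunV("golangci-lint", args...)
}

// Run runs linters
func (Lint) Run() error { return golangciLint() }

// Fix auto fixes linters
func (Lint) Fix() error { return golangciLint("--fix") }
```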
@@ -357,6 +365,12 @@ func Clean() error {
return nil
}
// Label updates labels
func Label() error {
mg.Deps(Tool{}.Labeler)
return sh.RunV("labeler", "apply", "misc/triage/labels.yaml", "-l", "5")
}
type Docs mg.Namespace
// Serve launches MkDocs development server to preview the documentation page
@@ -379,11 +393,12 @@ func (Docs) Generate() error {
func findProtoFiles() ([]string, error) {
var files []string
err := filepath.WalkDir("rpc", func(path string, d fs.DirEntry, err error) error {
if err != nil {
switch {
case err != nil:
return err
} else if d.IsDir() {
case d.IsDir():
return nil
} else if filepath.Ext(path) == ".proto" {
case filepath.Ext(path) == ".proto":
files = append(files, path)
}
return nil

22
misc/lint/rules.go Normal file

@@ -0,0 +1,22 @@
//go:build ruleguard
package gorules
import "github.com/quasilyte/go-ruleguard/dsl"
// cf. https://github.com/golang/go/wiki/CodeReviewComments#declaring-empty-slices
func declareEmptySlices(m dsl.Matcher) {
m.Match(
`$name := []$t{}`,
`$name := make([]$t, 0)`,
).
Suggest(`var $name []$t`).
Report(`replace '$$' with 'var $name []$t'`)
}
// cf. https://github.com/uber-go/guide/blob/master/style.md#initializing-maps
func initializeMaps(m dsl.Matcher) {
m.Match(`map[$key]$value{}`).
Suggest(`make(map[$key]$value)`).
Report(`replace '$$' with 'make(map[$key]$value)`)
}
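Review bot: The report string in `initializeMaps` is missing its closing quote: `Report(`replace '$$' with 'make(map[$key]$value)'`)` should be used so the message reads like the one in `declareEmptySlices`. Separately, `declareEmptySlices` suggests `var $name []$t` for `[]$t{}` and `make([]$t, 0)`, but a nil slice and an empty slice are not interchangeable when the value is serialized (encoding/json emits `null` for nil and `[]` for empty), so a comment above the rule such as `// NOTE: nil and empty slices differ under encoding/json (null vs []); keep the literal where the slice is serialized.` would stop the suggestion from being applied blindly.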


@@ -108,6 +108,7 @@ nav:
- Helm: docs/coverage/iac/helm.md
- Kubernetes: docs/coverage/iac/kubernetes.md
- Terraform: docs/coverage/iac/terraform.md
- Kubernetes: docs/coverage/kubernetes.md
- Configuration:
- Overview: docs/configuration/index.md
- Filtering: docs/configuration/filtering.md


@@ -8,8 +8,6 @@ import (
"testing"
"time"
rpcScanner "github.com/aquasecurity/trivy/rpc/scanner"
google_protobuf "github.com/golang/protobuf/ptypes/empty"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@@ -20,6 +18,7 @@ import (
fcache "github.com/aquasecurity/trivy/pkg/fanal/cache"
"github.com/aquasecurity/trivy/pkg/fanal/types"
rpcCache "github.com/aquasecurity/trivy/rpc/cache"
rpcScanner "github.com/aquasecurity/trivy/rpc/scanner"
)
type mockCacheServer struct {


@@ -37,7 +37,7 @@ var ErrCacheNotFound = fmt.Errorf("cache record not found")
var ErrCacheIncompatible = fmt.Errorf("cache record used incomatible schema")
var ErrCacheExpired = fmt.Errorf("cache record expired")
func New(cacheDir string, maxCacheAge time.Duration, accountID string, region string) *Cache {
func New(cacheDir string, maxCacheAge time.Duration, accountID, region string) *Cache {
return &Cache{
path: path.Join(cacheDir, "cloud", "aws", accountID, strings.ToLower(region), "data.json"),
accountID: accountID,
@@ -70,7 +70,7 @@ func (c *Cache) load() (*CacheData, error) {
return &data, nil
}
func (c *Cache) ListServices(required []string) (included []string, missing []string) {
func (c *Cache) ListServices(required []string) (included, missing []string) {
data, err := c.load()
if err != nil {
@@ -101,12 +101,11 @@ func (c *Cache) LoadState() (*state.State, error) {
return data.State, nil
}
func (c *Cache) AddServices(state *state.State, includedServices []string) error {
func (c *Cache) AddServices(s *state.State, includedServices []string) error {
data := &CacheData{
SchemaVersion: SchemaVersion,
State: state,
Services: map[string]ServiceMetadata{},
State: s,
Services: make(map[string]ServiceMetadata),
Updated: time.Now(),
}
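Review bot: The tidied `New` signature still takes `accountID` and `region` and, on the line below it, joins them straight into the on-disk cache location with `path.Join`, which is the slash-only URL helper rather than `filepath.Join`; values containing a path separator or `..` would place `data.json` outside the intended `cloud/aws/<account>/<region>` directory. Both values appear to originate from caller-supplied options (not visible here), so a guard such as `if strings.ContainsAny(accountID+region, `/\`) || accountID == ".." || region == ".." { /* reject */ }` before constructing the path, and `filepath.Join` for the path itself, would be worth adding; the constructor cannot return an error today, so the check may belong in the caller. The `AddServices` rename from `state` to `s` reads well and removes the shadowing of the `state` package.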


@@ -95,10 +95,11 @@ func processOptions(ctx context.Context, opt *flag.Options) error {
}
func filterServices(opt *flag.Options) error {
if len(opt.Services) == 0 && len(opt.SkipServices) == 0 {
switch {
case len(opt.Services) == 0 && len(opt.SkipServices) == 0:
log.Logger.Debug("No service(s) specified, scanning all services...")
opt.Services = allSupportedServicesFunc()
} else if len(opt.SkipServices) > 0 {
case len(opt.SkipServices) > 0:
log.Logger.Debug("excluding services: ", opt.SkipServices)
for _, s := range allSupportedServicesFunc() {
if slices.Contains(opt.SkipServices, s) {
@@ -108,7 +109,7 @@ func filterServices(opt *flag.Options) error {
opt.Services = append(opt.Services, s)
}
}
} else if len(opt.Services) > 0 {
case len(opt.Services) > 0:
log.Logger.Debugf("Specific services were requested: [%s]...", strings.Join(opt.Services, ", "))
for _, service := range opt.Services {
var found bool
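Review bot: The new `switch` keeps the precedence where `SkipServices` wins over `Services` when both are non-empty, and because that branch appends to `opt.Services` (`opt.Services = append(opt.Services, s)`), an explicit `--services` list would be silently merged with every non-skipped service rather than honoured or rejected. If both flags together are not a supported combination, a first case `case len(opt.Services) > 0 && len(opt.SkipServices) > 0: return xerrors.New("--services and --skip-services are mutually exclusive")` makes that explicit; I cannot see from this page whether the flag layer already prevents the combination. `filterServices` continues past the end of the hunk.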


@@ -7,13 +7,13 @@ import (
"testing"
"time"
defsecTypes "github.com/aquasecurity/defsec/pkg/types"
"github.com/aquasecurity/trivy/pkg/compliance/spec"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/flag"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
defsecTypes "github.com/aquasecurity/defsec/pkg/types"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/compliance/spec"
"github.com/aquasecurity/trivy/pkg/flag"
)
const expectedS3ScanResult = `{


@@ -87,15 +87,19 @@ func (s *AWSScanner) Scan(ctx context.Context, option flag.Options) (scan.Result
return nil, false, xerrors.Errorf("unable to create policyfs: %w", err)
}
scannerOpts = append(scannerOpts, options.ScannerWithPolicyFilesystem(policyFS))
scannerOpts = append(scannerOpts, options.ScannerWithPolicyDirs(policyPaths...))
scannerOpts = append(scannerOpts,
options.ScannerWithPolicyFilesystem(policyFS),
options.ScannerWithPolicyDirs(policyPaths...),
)
dataFS, dataPaths, err := misconf.CreateDataFS(option.RegoOptions.DataPaths)
if err != nil {
log.Logger.Errorf("Could not load config data: %s", err)
}
scannerOpts = append(scannerOpts, options.ScannerWithDataDirs(dataPaths...))
scannerOpts = append(scannerOpts, options.ScannerWithDataFilesystem(dataFS))
scannerOpts = append(scannerOpts,
options.ScannerWithDataDirs(dataPaths...),
options.ScannerWithDataFilesystem(dataFS),
)
scannerOpts = addPolicyNamespaces(option.RegoOptions.PolicyNamespaces, scannerOpts)
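Review bot: The `misconf.CreateDataFS` failure just above the new append is only logged, and the possibly-nil `dataFS` and empty `dataPaths` are still passed to `ScannerWithDataDirs`/`ScannerWithDataFilesystem`, whereas the policy filesystem a few lines earlier returns `unable to create policyfs`. If user-supplied data paths cannot be loaded, the Rego policies presumably evaluate without their data, which may turn real misconfiguration findings into passes without any error in the exit status. Make the two paths consistent: `if err != nil { return nil, false, xerrors.Errorf("unable to create data fs: %w", err) }`. Scan continues outside this hunk.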


@@ -4,16 +4,13 @@ import (
"sort"
"testing"
fanaltypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aws/aws-sdk-go-v2/aws/arn"
defsecTypes "github.com/aquasecurity/defsec/pkg/types"
"github.com/aquasecurity/trivy/pkg/types"
"github.com/stretchr/testify/assert"
"github.com/aquasecurity/defsec/pkg/scan"
defsecTypes "github.com/aquasecurity/defsec/pkg/types"
fanaltypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
)
func Test_ResultConversion(t *testing.T) {


@@ -6,11 +6,10 @@ import (
"sort"
"strconv"
"github.com/aquasecurity/tml"
"golang.org/x/term"
"github.com/aquasecurity/table"
"github.com/aquasecurity/tml"
pkgReport "github.com/aquasecurity/trivy/pkg/report/table"
"github.com/aquasecurity/trivy/pkg/types"
)


@@ -5,10 +5,8 @@ import (
"io"
"github.com/aquasecurity/tml"
renderer "github.com/aquasecurity/trivy/pkg/report/table"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
renderer "github.com/aquasecurity/trivy/pkg/report/table"
"github.com/aquasecurity/trivy/pkg/types"
)


@@ -7,9 +7,8 @@ import (
"strconv"
"time"
"github.com/aquasecurity/tml"
"github.com/aquasecurity/table"
"github.com/aquasecurity/tml"
pkgReport "github.com/aquasecurity/trivy/pkg/report/table"
"github.com/aquasecurity/trivy/pkg/types"
)


@@ -5,18 +5,14 @@ import (
"path/filepath"
"testing"
"github.com/aquasecurity/trivy-db/pkg/types"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy/pkg/flag"
"github.com/stretchr/testify/assert"
"github.com/aws/aws-sdk-go-v2/aws/arn"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/defsec/pkg/scan"
defsecTypes "github.com/aquasecurity/defsec/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/flag"
)
func Test_ServiceReport(t *testing.T) {


@@ -14,7 +14,6 @@ import (
"golang.org/x/xerrors"
awsScanner "github.com/aquasecurity/defsec/pkg/scanners/cloud/aws"
awscommands "github.com/aquasecurity/trivy/pkg/cloud/aws/commands"
"github.com/aquasecurity/trivy/pkg/commands/artifact"
"github.com/aquasecurity/trivy/pkg/commands/convert"
@@ -308,7 +307,7 @@ func NewImageCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
func NewFilesystemCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
reportFlagGroup := flag.NewReportFlagGroup()
reportFormat := flag.ReportFormatFlag
reportFormat.Usage = "specify a compliance report format for the output" //@TODO: support --report summary for non compliance reports
reportFormat.Usage = "specify a compliance report format for the output" // @TODO: support --report summary for non compliance reports
reportFlagGroup.ReportFormat = &reportFormat
reportFlagGroup.ExitOnEOL = nil // disable '--exit-on-eol'
@@ -583,6 +582,11 @@ func NewServerCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
RegistryFlagGroup: flag.NewRegistryFlagGroup(),
}
// java-db only works on client side.
serverFlags.DBFlagGroup.DownloadJavaDBOnly = nil // disable '--download-java-db-only'
serverFlags.DBFlagGroup.SkipJavaDBUpdate = nil // disable '--skip-java-db-update'
serverFlags.DBFlagGroup.JavaDBRepository = nil // disable '--java-db-repository'
cmd := &cobra.Command{
Use: "server [flags]",
Aliases: []string{"s"},
@@ -622,7 +626,7 @@ func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
reportFlagGroup.ListAllPkgs = nil // disable '--list-all-pkgs'
reportFlagGroup.ExitOnEOL = nil // disable '--exit-on-eol'
reportFormat := flag.ReportFormatFlag
reportFormat.Usage = "specify a compliance report format for the output" //@TODO: support --report summary for non compliance reports
reportFormat.Usage = "specify a compliance report format for the output" // @TODO: support --report summary for non compliance reports
reportFlagGroup.ReportFormat = &reportFormat
scanFlags := &flag.ScanFlagGroup{
@@ -1209,6 +1213,6 @@ func flagErrorFunc(command *cobra.Command, err error) error {
if err := command.Help(); err != nil {
return err
}
command.Println() //add empty line after list of flags
command.Println() // add empty line after list of flags
return err
}
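Review bot: The `reportFormat` override in NewFilesystemCommand and NewConfigCommand is the same three lines with the same usage string and the same `@TODO`, and this commit touches both copies only to re-space the comment. A small helper, `func complianceReportFormatFlag() *flag.Flag[string]` (or whatever `flag.ReportFormatFlag`'s type is), would keep the usage text and the TODO in one place so the two commands cannot drift. The `// java-db only works on client side.` comment in NewServerCommand would also be clearer if it said what that implies, e.g. `// java-db only works on client side: the server never downloads or queries the Java DB, so its flags are hidden here.` — confirm against the server code, which is outside this hunk.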


@@ -329,7 +329,7 @@ func (r *runner) initJavaDB(opts flag.Options) error {
// Update the Java DB
noProgress := opts.Quiet || opts.NoProgress
javadb.Init(opts.CacheDir, opts.JavaDBRepository, opts.SkipJavaDBUpdate, noProgress, opts.Insecure)
javadb.Init(opts.CacheDir, opts.JavaDBRepository, opts.SkipJavaDBUpdate, noProgress, opts.RegistryOpts())
if opts.DownloadJavaDBOnly {
if err := javadb.Update(); err != nil {
return xerrors.Errorf("Java DB error: %w", err)
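Review bot: The new `opts.RegistryOpts()` argument replaces a single `Insecure` bool with what is presumably the full registry option set (credentials or token as well as TLS verification) for the Java DB download, and nothing at the call site says which of those `javadb.Init` consumes. Because `--java-db-repository` is user-selectable, it is worth confirming that image-registry credentials are only sent to the host they were configured for and not forwarded to an arbitrary DB repository, and recording the intent here: `// Registry options (auth, --insecure) are reused for the Java DB OCI pull; the repository is user-controlled, so credentials must be scoped to their configured host.` initJavaDB starts before this hunk.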


@@ -3,10 +3,9 @@ package report
import (
"io"
defsecTypes "github.com/aquasecurity/defsec/pkg/types"
"golang.org/x/xerrors"
defsecTypes "github.com/aquasecurity/defsec/pkg/types"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/compliance/spec"
"github.com/aquasecurity/trivy/pkg/types"
@@ -68,7 +67,10 @@ type Writer interface {
func Write(report *ComplianceReport, option Option) error {
switch option.Format {
case types.FormatJSON:
jwriter := JSONWriter{Output: option.Output, Report: option.Report}
jwriter := JSONWriter{
Output: option.Output,
Report: option.Report,
}
return jwriter.Write(report)
case types.FormatTable:
if !report.empty() {
@@ -94,7 +96,7 @@ func (r ComplianceReport) empty() bool {
// buildControlCheckResults create compliance results data
func buildControlCheckResults(checksMap map[string]types.Results, controls []defsecTypes.Control) []*ControlCheckResult {
complianceResults := make([]*ControlCheckResult, 0)
var complianceResults []*ControlCheckResult
for _, control := range controls {
var results types.Results
for _, c := range control.Checks {
@@ -113,14 +115,14 @@ func buildControlCheckResults(checksMap map[string]types.Results, controls []def
}
// buildComplianceReportResults create compliance results data
func buildComplianceReportResults(checksMap map[string]types.Results, spec defsecTypes.Spec) *ComplianceReport {
controlCheckResult := buildControlCheckResults(checksMap, spec.Controls)
func buildComplianceReportResults(checksMap map[string]types.Results, s defsecTypes.Spec) *ComplianceReport {
controlCheckResult := buildControlCheckResults(checksMap, s.Controls)
return &ComplianceReport{
ID: spec.ID,
Title: spec.Title,
Description: spec.Description,
Version: spec.Version,
RelatedResources: spec.RelatedResources,
ID: s.ID,
Title: s.Title,
Description: s.Description,
Version: s.Version,
RelatedResources: s.RelatedResources,
Results: controlCheckResult,
}
}
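Review bot: Starting buildControlCheckResults from `var complianceResults []*ControlCheckResult` changes the JSON output: when `controls` is empty the function now returns a nil slice, which encoding/json emits as `null` instead of the `[]` the previous `make(..., 0)` produced, and that value goes straight into `ComplianceReport.Results`, which JSONWriter serialises. Unless `Results` carries `omitempty`, consumers parsing the report see a different shape for an empty spec. If the goal is only to avoid an allocation, keep the empty-slice semantics and pre-size instead: `complianceResults := make([]*ControlCheckResult, 0, len(controls))`.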


@@ -4,10 +4,9 @@ import (
"fmt"
"testing"
defsecTypes "github.com/aquasecurity/defsec/pkg/types"
"github.com/stretchr/testify/assert"
defsecTypes "github.com/aquasecurity/defsec/pkg/types"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/compliance/report"


@@ -29,7 +29,7 @@ const (
// Scanners reads spec control and determines the scanners by check ID prefix
func (cs *ComplianceSpec) Scanners() (types.Scanners, error) {
scannerTypes := map[types.Scanner]struct{}{}
scannerTypes := make(map[types.Scanner]struct{})
for _, control := range cs.Spec.Controls {
for _, check := range control.Checks {
scannerType := scannerByCheckID(check.ID)
@@ -44,7 +44,7 @@ func (cs *ComplianceSpec) Scanners() (types.Scanners, error) {
// CheckIDs return list of compliance check IDs
func (cs *ComplianceSpec) CheckIDs() map[types.Scanner][]string {
checkIDsMap := map[types.Scanner][]string{}
checkIDsMap := make(map[types.Scanner][]string)
for _, control := range cs.Spec.Controls {
for _, check := range control.Checks {
scannerType := scannerByCheckID(check.ID)


@@ -4,10 +4,9 @@ import (
"sort"
"testing"
defsecTypes "github.com/aquasecurity/defsec/pkg/types"
"github.com/stretchr/testify/assert"
defsecTypes "github.com/aquasecurity/defsec/pkg/types"
"github.com/aquasecurity/trivy/pkg/compliance/spec"
"github.com/aquasecurity/trivy/pkg/types"
)


@@ -52,9 +52,9 @@ func WithDBRepository(dbRepository string) Option {
}
// WithClock takes a clock
func WithClock(clock clock.Clock) Option {
func WithClock(c clock.Clock) Option {
return func(opts *options) {
opts.clock = clock
opts.clock = c
}
}


@@ -1,9 +1,8 @@
package maven
import (
"golang.org/x/xerrors"
version "github.com/masahiro331/go-mvn-version"
"golang.org/x/xerrors"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/detector/library/compare"


@@ -8,7 +8,7 @@ import (
)
// Detect scans and returns vulnerabilities of library
func Detect(libType string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
func Detect(libType ftypes.LangType, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
driver, ok := NewDriver(libType)
if !ok {
return nil, nil


@@ -20,7 +20,7 @@ import (
)
// NewDriver returns a driver according to the library type
func NewDriver(libType string) (Driver, bool) {
func NewDriver(libType ftypes.LangType) (Driver, bool) {
var ecosystem dbTypes.Ecosystem
var comparer compare.Comparer
@@ -65,9 +65,6 @@ func NewDriver(libType string) (Driver, bool) {
// https://www.swift.org/package-manager/#importing-dependencies
ecosystem = vulnerability.Swift
comparer = compare.GenericComparer{}
case ftypes.Bitnami:
ecosystem = vulnerability.Bitnami
comparer = compare.GenericComparer{}
case ftypes.Cocoapods:
// CocoaPods uses RubyGems version specifiers
// https://guides.cocoapods.org/making/making-a-cocoapod.html#cocoapods-versioning-specifics
@@ -76,6 +73,12 @@ func NewDriver(libType string) (Driver, bool) {
case ftypes.CondaPkg:
log.Logger.Warn("Conda package is supported for SBOM, not for vulnerability scanning")
return Driver{}, false
case ftypes.Bitnami:
ecosystem = vulnerability.Bitnami
comparer = compare.GenericComparer{}
case ftypes.K8sUpstream:
ecosystem = vulnerability.Kubernetes
comparer = compare.GenericComparer{}
default:
log.Logger.Warnf("The %q library type is not supported for vulnerability scanning", libType)
return Driver{}, false
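Review bot: The new `ftypes.K8sUpstream` case pairs the Kubernetes ecosystem with `compare.GenericComparer{}` without a comment, while the neighbouring Swift and CocoaPods cases justify their comparer with a reference. Kubernetes component versions typically carry a leading `v` and may have pre-release or vendor suffixes, and nothing visible here shows that the generic comparer normalises those; a wrong comparison silently hides or invents vulnerabilities. Add the rationale like the other cases, `// Kubernetes components are versioned as semver with a "v" prefix; GenericComparer is assumed to handle it — confirm against the advisory data`, or use a semver-aware comparer if one exists. NewDriver continues outside this hunk.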


@@ -23,7 +23,7 @@ func TestDriver_Detect(t *testing.T) {
tests := []struct {
name string
fixtures []string
libType string
libType ftypes.LangType
args args
want []types.DetectedVulnerability
wantErr string


@@ -9,6 +9,7 @@ import (
"k8s.io/utils/clock"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/alma"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -30,9 +31,9 @@ type options struct {
type option func(*options)
func WithClock(clock clock.Clock) option {
func WithClock(c clock.Clock) option {
return func(opts *options) {
opts.clock = clock
opts.clock = c
}
}
@@ -60,9 +61,8 @@ func NewScanner(opts ...option) *Scanner {
// Detect vulnerabilities in package using AlmaLinux scanner
func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
log.Logger.Info("Detecting AlmaLinux vulnerabilities...")
if strings.Count(osVer, ".") > 0 {
osVer = osVer[:strings.Index(osVer, ".")]
}
osVer = osver.Major(osVer)
log.Logger.Debugf("AlmaLinux: os version: %s", osVer)
log.Logger.Debugf("AlmaLinux: the number of packages: %d", len(pkgs))
@@ -107,19 +107,9 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
return vulns, nil
}
// IsSupportedVersion checks the OSFamily can be scanned using AlmaLinux scanner
func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
if strings.Count(osVer, ".") > 0 {
osVer = osVer[:strings.Index(osVer, ".")]
}
eol, ok := eolDates[osVer]
if !ok {
log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
return false
}
return s.clock.Now().Before(eol)
// IsSupportedVersion checks if the version is supported.
func (s *Scanner) IsSupportedVersion(osFamily ftypes.OSType, osVer string) bool {
return osver.Supported(s.clock, eolDates, osFamily, osver.Major(osVer))
}
func addModularNamespace(name, label string) string {
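Review bot: The replacement comment on IsSupportedVersion, `checks if the version is supported`, restates the name and drops what the old body made explicit: the decision is the major release's entry in `eolDates` compared against `s.clock`. It also appears to change the policy for releases missing from the table — the old code warned and returned false, while the sibling test's new "latest" case expects `999` to be supported — so a mistyped or unrecognised release no longer takes the EOSL path. Suggest `// IsSupportedVersion reports whether the major release of osVer has not reached its EOL date in eolDates as of s.clock; releases absent from the table are treated as still supported.` so that choice is deliberate rather than implicit.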


@@ -70,8 +70,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "skip modular package",
fixtures: []string{"testdata/fixtures/modular.yaml", "testdata/fixtures/data-source.yaml"},
name: "skip modular package",
fixtures: []string{
"testdata/fixtures/modular.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "8.4",
pkgs: []ftypes.Package{
@@ -94,8 +97,11 @@ func TestScanner_Detect(t *testing.T) {
want: nil,
},
{
name: "modular package",
fixtures: []string{"testdata/fixtures/modular.yaml", "testdata/fixtures/data-source.yaml"},
name: "modular package",
fixtures: []string{
"testdata/fixtures/modular.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "8.6",
pkgs: []ftypes.Package{
@@ -131,8 +137,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "Get returns an error",
fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
name: "Get returns an error",
fixtures: []string{
"testdata/fixtures/invalid.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "8.4",
pkgs: []ftypes.Package{
@@ -167,7 +176,7 @@ func TestScanner_Detect(t *testing.T) {
func TestScanner_IsSupportedVersion(t *testing.T) {
type args struct {
osFamily string
osFamily ftypes.OSType
osVer string
}
tests := []struct {
@@ -195,13 +204,13 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
want: false,
},
{
name: "unknown",
name: "latest",
now: time.Date(2019, 5, 2, 23, 59, 59, 0, time.UTC),
args: args{
osFamily: "alma",
osVer: "unknown",
osVer: "999",
},
want: false,
want: true,
},
}
for _, tt := range tests {
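Review bot: The `unknown` case in TestScanner_IsSupportedVersion is replaced by `latest` rather than supplemented, so the non-numeric input `"unknown"` is no longer covered at all even though it presumably flows through `osver.Major` straight into the `eolDates` lookup. Keep both rows: restore the original entry with its expected value stated explicitly, and add the `999` case as a separate entry, so the behaviour for unparseable versions stays pinned alongside the new "not yet in the table" behaviour.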


@@ -10,6 +10,7 @@ import (
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/alpine"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -55,9 +56,9 @@ type options struct {
type option func(*options)
func WithClock(clock clock.Clock) option {
func WithClock(c clock.Clock) option {
return func(opts *options) {
opts.clock = clock
opts.clock = c
}
}
@@ -85,9 +86,7 @@ func NewScanner(opts ...option) *Scanner {
// Detect vulnerabilities in package using Alpine scanner
func (s *Scanner) Detect(osVer string, repo *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
log.Logger.Info("Detecting Alpine vulnerabilities...")
if strings.Count(osVer, ".") > 1 {
osVer = osVer[:strings.LastIndex(osVer, ".")]
}
osVer = osver.Minor(osVer)
repoRelease := s.repoRelease(repo)
log.Logger.Debugf("alpine: os version: %s", osVer)
@@ -173,19 +172,9 @@ func (s *Scanner) isVulnerable(installedVersion version.Version, adv dbTypes.Adv
return installedVersion.LessThan(fixedVersion)
}
// IsSupportedVersion checks the OSFamily can be scanned using Alpine scanner
func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
if strings.Count(osVer, ".") > 1 {
osVer = osVer[:strings.LastIndex(osVer, ".")]
}
eol, ok := eolDates[osVer]
if !ok {
log.Logger.Infof("This OS version is not on the EOL list: %s %s", osFamily, osVer)
return true // may be the latest version
}
return s.clock.Now().Before(eol)
// IsSupportedVersion checks if the version is supported.
func (s *Scanner) IsSupportedVersion(osFamily ftypes.OSType, osVer string) bool {
return osver.Supported(s.clock, eolDates, osFamily, osver.Minor(osVer))
}
func (s *Scanner) repoRelease(repo *ftypes.Repository) string {


@@ -5,8 +5,6 @@ import (
"testing"
"time"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/os"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
fake "k8s.io/utils/clock/testing"
@@ -34,8 +32,11 @@ func TestScanner_Detect(t *testing.T) {
wantErr string
}{
{
name: "happy path",
fixtures: []string{"testdata/fixtures/alpine.yaml", "testdata/fixtures/data-source.yaml"},
name: "happy path",
fixtures: []string{
"testdata/fixtures/alpine.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "3.10.2",
pkgs: []ftypes.Package{
@@ -88,8 +89,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "contain rc",
fixtures: []string{"testdata/fixtures/alpine.yaml", "testdata/fixtures/data-source.yaml"},
name: "contain rc",
fixtures: []string{
"testdata/fixtures/alpine.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "3.10",
pkgs: []ftypes.Package{
@@ -116,8 +120,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "contain pre",
fixtures: []string{"testdata/fixtures/alpine.yaml", "testdata/fixtures/data-source.yaml"},
name: "contain pre",
fixtures: []string{
"testdata/fixtures/alpine.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "3.10",
pkgs: []ftypes.Package{
@@ -150,12 +157,15 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "repository is newer than OS version",
fixtures: []string{"testdata/fixtures/alpine.yaml", "testdata/fixtures/data-source.yaml"},
name: "repository is newer than OS version",
fixtures: []string{
"testdata/fixtures/alpine.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "3.9.3",
repo: &ftypes.Repository{
Family: os.Alpine,
Family: ftypes.Alpine,
Release: "3.10",
},
pkgs: []ftypes.Package{
@@ -182,8 +192,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "Get returns an error",
fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
name: "Get returns an error",
fixtures: []string{
"testdata/fixtures/invalid.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "3.10.2",
pkgs: []ftypes.Package{
@@ -198,12 +211,15 @@ func TestScanner_Detect(t *testing.T) {
wantErr: "failed to get alpine advisories",
},
{
name: "No src name",
fixtures: []string{"testdata/fixtures/alpine.yaml", "testdata/fixtures/data-source.yaml"},
name: "No src name",
fixtures: []string{
"testdata/fixtures/alpine.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "3.9.3",
repo: &ftypes.Repository{
Family: os.Alpine,
Family: ftypes.Alpine,
Release: "3.10",
},
pkgs: []ftypes.Package{
@@ -253,7 +269,7 @@ func TestScanner_Detect(t *testing.T) {
func TestScanner_IsSupportedVersion(t *testing.T) {
type args struct {
osFamily string
osFamily ftypes.OSType
osVer string
}
tests := []struct {


@@ -4,13 +4,13 @@ import (
"strings"
"time"
"k8s.io/utils/clock"
version "github.com/knqyf263/go-deb-version"
"go.uber.org/zap"
"golang.org/x/xerrors"
"k8s.io/utils/clock"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/amazon"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -35,9 +35,9 @@ type options struct {
type option func(*options)
func WithClock(clock clock.Clock) option {
func WithClock(c clock.Clock) option {
return func(opts *options) {
opts.clock = clock
opts.clock = c
}
}
@@ -118,17 +118,12 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
return vulns, nil
}
// IsSupportedVersion checks if os can be scanned using amazon scanner
func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
// IsSupportedVersion checks if the version is supported.
func (s *Scanner) IsSupportedVersion(osFamily ftypes.OSType, osVer string) bool {
osVer = strings.Fields(osVer)[0]
if osVer != "2" && osVer != "2022" && osVer != "2023" {
osVer = "1"
}
eol, ok := eolDates[osVer]
if !ok {
log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
return false
}
return s.clock.Now().Before(eol)
return osver.Supported(s.clock, eolDates, osFamily, osVer)
}
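Review bot: `osVer = strings.Fields(osVer)[0]` on the new side panics on an empty or whitespace-only version string, because `strings.Fields` returns an empty slice; this predates the commit, but it is now the first statement of the rewritten function, and an image whose os-release could not be parsed would take down the whole scan rather than being reported as unsupported. Guard it: `if f := strings.Fields(osVer); len(f) > 0 { osVer = f[0] }`. The remapping of every unrecognised version to `"1"` just below also deserves a one-line comment, since it means any unknown Amazon Linux release is judged by AL1's EOL date.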


@@ -30,8 +30,11 @@ func TestScanner_Detect(t *testing.T) {
wantErr string
}{
{
name: "amazon linux 1",
fixtures: []string{"testdata/fixtures/amazon.yaml", "testdata/fixtures/data-source.yaml"},
name: "amazon linux 1",
fixtures: []string{
"testdata/fixtures/amazon.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "1.2",
pkgs: []ftypes.Package{
@@ -64,8 +67,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "amazon linux 2",
fixtures: []string{"testdata/fixtures/amazon.yaml", "testdata/fixtures/data-source.yaml"},
name: "amazon linux 2",
fixtures: []string{
"testdata/fixtures/amazon.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "2",
pkgs: []ftypes.Package{
@@ -96,8 +102,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "amazon linux 2023",
fixtures: []string{"testdata/fixtures/amazon.yaml", "testdata/fixtures/data-source.yaml"},
name: "amazon linux 2023",
fixtures: []string{
"testdata/fixtures/amazon.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "2023",
pkgs: []ftypes.Package{
@@ -128,8 +137,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "empty version",
fixtures: []string{"testdata/fixtures/amazon.yaml", "testdata/fixtures/data-source.yaml"},
name: "empty version",
fixtures: []string{
"testdata/fixtures/amazon.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "2",
pkgs: []ftypes.Package{
@@ -140,8 +152,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "Get returns an error",
fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
name: "Get returns an error",
fixtures: []string{
"testdata/fixtures/invalid.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "1",
pkgs: []ftypes.Package{
@@ -176,7 +191,7 @@ func TestScanner_Detect(t *testing.T) {
func TestScanner_IsSupportedVersion(t *testing.T) {
type args struct {
osFamily string
osFamily ftypes.OSType
osVer string
}
tests := []struct {
@@ -219,7 +234,7 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
osFamily: "amazon",
osVer: "2022",
},
want: false,
want: true,
},
{
name: "amazon linux 2023",
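Review bot: The `amazon linux 2022` expectation flips from false to true, but nothing in this section justifies it — the `now` used by the case and the `eolDates["2022"]` entry it depends on are outside the hunk. If this reflects an updated EOL date, add a comment on the case naming it; if it is instead a side effect of `osver.Supported` treating a missing entry as supported, the test now asserts the opposite of the old behaviour for a release that is end of life, and EOSL warnings for AL2022 images would be silently dropped. Please confirm which of the two it is.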


@@ -5,9 +5,8 @@ import (
"golang.org/x/xerrors"
"k8s.io/utils/clock"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/chainguard"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/chainguard"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -20,9 +19,9 @@ type options struct {
type option func(*options)
func WithClock(clock clock.Clock) option {
func WithClock(c clock.Clock) option {
return func(opts *options) {
opts.clock = clock
opts.clock = c
}
}
@@ -103,8 +102,8 @@ func (s *Scanner) isVulnerable(installedVersion version.Version, adv dbTypes.Adv
return installedVersion.LessThan(fixedVersion)
}
// IsSupportedVersion checks the OSFamily can be scanned using Chainguard scanner
func (s *Scanner) IsSupportedVersion(_, _ string) bool {
// IsSupportedVersion checks if the version is supported.
func (s *Scanner) IsSupportedVersion(_ ftypes.OSType, _ string) bool {
// Chainguard doesn't have versions, so there is no case where a given input yields a
// result of an unsupported Chainguard version.


@@ -4,17 +4,16 @@ import (
"sort"
"testing"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/chainguard"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/os"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/chainguard"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestScanner_Detect(t *testing.T) {
@@ -30,8 +29,11 @@ func TestScanner_Detect(t *testing.T) {
wantErr string
}{
{
name: "happy path",
fixtures: []string{"testdata/fixtures/chainguard.yaml", "testdata/fixtures/data-source.yaml"},
name: "happy path",
fixtures: []string{
"testdata/fixtures/chainguard.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
pkgs: []ftypes.Package{
{
@@ -69,8 +71,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "contain rc",
fixtures: []string{"testdata/fixtures/chainguard.yaml", "testdata/fixtures/data-source.yaml"},
name: "contain rc",
fixtures: []string{
"testdata/fixtures/chainguard.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
pkgs: []ftypes.Package{
{
@@ -96,8 +101,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "contain pre",
fixtures: []string{"testdata/fixtures/chainguard.yaml", "testdata/fixtures/data-source.yaml"},
name: "contain pre",
fixtures: []string{
"testdata/fixtures/chainguard.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
pkgs: []ftypes.Package{
{
@@ -129,8 +137,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "Get returns an error",
fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
name: "Get returns an error",
fixtures: []string{
"testdata/fixtures/invalid.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
pkgs: []ftypes.Package{
{
@@ -144,11 +155,14 @@ func TestScanner_Detect(t *testing.T) {
wantErr: "failed to get Chainguard advisories",
},
{
name: "No src name",
fixtures: []string{"testdata/fixtures/chainguard.yaml", "testdata/fixtures/data-source.yaml"},
name: "No src name",
fixtures: []string{
"testdata/fixtures/chainguard.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
repo: &ftypes.Repository{
Family: os.Chainguard,
Family: ftypes.Chainguard,
Release: "3.10",
},
pkgs: []ftypes.Package{


@@ -1,7 +1,6 @@
package debian
import (
"strings"
"time"
version "github.com/knqyf263/go-deb-version"
@@ -11,6 +10,7 @@ import (
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/debian"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -47,9 +47,9 @@ type options struct {
type option func(*options)
func WithClock(clock clock.Clock) option {
func WithClock(c clock.Clock) option {
return func(opts *options) {
opts.clock = clock
opts.clock = c
}
}
@@ -78,9 +78,7 @@ func NewScanner(opts ...option) *Scanner {
func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
log.Logger.Info("Detecting Debian vulnerabilities...")
if strings.Count(osVer, ".") > 0 {
osVer = osVer[:strings.Index(osVer, ".")]
}
osVer = osver.Major(osVer)
log.Logger.Debugf("debian: os version: %s", osVer)
log.Logger.Debugf("debian: the number of packages: %d", len(pkgs))
@@ -141,16 +139,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
return vulns, nil
}
// IsSupportedVersion checks is OSFamily can be scanned using Debian
func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
if strings.Count(osVer, ".") > 0 {
osVer = osVer[:strings.Index(osVer, ".")]
}
eol, ok := eolDates[osVer]
if !ok {
log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
return false
}
return s.clock.Now().Before(eol)
// IsSupportedVersion checks if the version is supported.
func (s *Scanner) IsSupportedVersion(osFamily ftypes.OSType, osVer string) bool {
return osver.Supported(s.clock, eolDates, osFamily, osver.Major(osVer))
}
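Review bot: The new doc comment on IsSupportedVersion, `checks if the version is supported`, says less than the body it replaces, which made the EOL-table lookup on the major version and the clock comparison explicit, and the sibling test now expects `999` to be supported where the old code warned and returned false. Since this is the gate that decides whether a scan gets the EOSL warning, spell the rule out: `// IsSupportedVersion reports whether the Debian major release of osVer has not passed its EOL date in eolDates as of s.clock; releases absent from the table are treated as still supported.` Adjust the last clause if osver.Supported, which is outside this hunk, behaves differently.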


@@ -31,8 +31,11 @@ func TestScanner_Detect(t *testing.T) {
wantErr string
}{
{
name: "happy path",
fixtures: []string{"testdata/fixtures/debian.yaml", "testdata/fixtures/data-source.yaml"},
name: "happy path",
fixtures: []string{
"testdata/fixtures/debian.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "9.1",
pkgs: []ftypes.Package{
@@ -84,8 +87,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "invalid bucket",
fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
name: "invalid bucket",
fixtures: []string{
"testdata/fixtures/invalid.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "9.1",
pkgs: []ftypes.Package{
@@ -127,7 +133,7 @@ func TestScanner_Detect(t *testing.T) {
func TestScanner_IsSupportedVersion(t *testing.T) {
type args struct {
osFamily string
osFamily ftypes.OSType
osVer string
}
tests := []struct {
@@ -155,13 +161,13 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
want: false,
},
{
name: "unknown",
name: "latest",
now: time.Date(2020, 7, 31, 23, 59, 59, 0, time.UTC),
args: args{
osFamily: "debian",
osVer: "unknown",
osVer: "999",
},
want: false,
want: true,
},
}
for _, tt := range tests {
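Review bot: Replacing the `unknown` row with `latest` drops the only coverage of a non-numeric version string in TestScanner_IsSupportedVersion, and unparseable os-release content is exactly the input a scanner should be pinned on. Keep the original row with an explicit expected value and add `999` as an additional entry, so both "not a version" and "newer than the table" are asserted independently.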


@@ -19,7 +19,6 @@ import (
"github.com/aquasecurity/trivy/pkg/detector/ospkg/suse"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/ubuntu"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/wolfi"
fos "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/types"
@@ -29,38 +28,38 @@ var (
// ErrUnsupportedOS defines error for unsupported OS
ErrUnsupportedOS = xerrors.New("unsupported os")
drivers = map[string]Driver{
fos.Alpine: alpine.NewScanner(),
fos.Alma: alma.NewScanner(),
fos.Amazon: amazon.NewScanner(),
fos.CBLMariner: mariner.NewScanner(),
fos.Debian: debian.NewScanner(),
fos.Ubuntu: ubuntu.NewScanner(),
fos.RedHat: redhat.NewScanner(),
fos.CentOS: redhat.NewScanner(),
fos.Rocky: rocky.NewScanner(),
fos.Oracle: oracle.NewScanner(),
fos.OpenSUSELeap: suse.NewScanner(suse.OpenSUSE),
fos.SLES: suse.NewScanner(suse.SUSEEnterpriseLinux),
fos.Photon: photon.NewScanner(),
fos.Wolfi: wolfi.NewScanner(),
fos.Chainguard: chainguard.NewScanner(),
drivers = map[ftypes.OSType]Driver{
ftypes.Alpine: alpine.NewScanner(),
ftypes.Alma: alma.NewScanner(),
ftypes.Amazon: amazon.NewScanner(),
ftypes.CBLMariner: mariner.NewScanner(),
ftypes.Debian: debian.NewScanner(),
ftypes.Ubuntu: ubuntu.NewScanner(),
ftypes.RedHat: redhat.NewScanner(),
ftypes.CentOS: redhat.NewScanner(),
ftypes.Rocky: rocky.NewScanner(),
ftypes.Oracle: oracle.NewScanner(),
ftypes.OpenSUSELeap: suse.NewScanner(suse.OpenSUSE),
ftypes.SLES: suse.NewScanner(suse.SUSEEnterpriseLinux),
ftypes.Photon: photon.NewScanner(),
ftypes.Wolfi: wolfi.NewScanner(),
ftypes.Chainguard: chainguard.NewScanner(),
}
)
// RegisterDriver is defined for extensibility and not supposed to be used in Trivy.
func RegisterDriver(name string, driver Driver) {
func RegisterDriver(name ftypes.OSType, driver Driver) {
drivers[name] = driver
}
// Driver defines operations for OS package scan
type Driver interface {
Detect(string, *ftypes.Repository, []ftypes.Package) ([]types.DetectedVulnerability, error)
IsSupportedVersion(string, string) bool
IsSupportedVersion(ftypes.OSType, string) bool
}
// Detect detects the vulnerabilities
func Detect(_, osFamily, osName string, repo *ftypes.Repository, _ time.Time, pkgs []ftypes.Package) ([]types.DetectedVulnerability, bool, error) {
func Detect(_, osFamily ftypes.OSType, osName string, repo *ftypes.Repository, _ time.Time, pkgs []ftypes.Package) ([]types.DetectedVulnerability, bool, error) {
driver, err := newDriver(osFamily)
if err != nil {
return nil, false, ErrUnsupportedOS
@@ -81,7 +80,7 @@ func Detect(_, osFamily, osName string, repo *ftypes.Repository, _ time.Time, pk
return vulns, eosl, nil
}
func newDriver(osFamily string) (Driver, error) {
func newDriver(osFamily ftypes.OSType) (Driver, error) {
if driver, ok := drivers[osFamily]; ok {
return driver, nil
}


@@ -1,12 +1,11 @@
package mariner
import (
"strings"
version "github.com/knqyf263/go-rpm-version"
"golang.org/x/xerrors"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -30,9 +29,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
log.Logger.Info("Detecting CBL-Mariner vulnerabilities...")
// e.g. 1.0.20210127
if strings.Count(osVer, ".") > 1 {
osVer = osVer[:strings.LastIndex(osVer, ".")]
}
osVer = osver.Minor(osVer)
log.Logger.Debugf("CBL-Mariner: os version: %s", osVer)
log.Logger.Debugf("CBL-Mariner: the number of packages: %d", len(pkgs))
@@ -75,8 +72,8 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
return vulns, nil
}
// IsSupportedVersion checks the OS version can be scanned using CBL-Mariner scanner
func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
// IsSupportedVersion checks if the version is supported.
func (s *Scanner) IsSupportedVersion(_ ftypes.OSType, _ string) bool {
// EOL is not in public at the moment.
return true
}
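Review bot: `osver.Minor` keeps only the first two components, while the removed lines in `Detect` stripped exactly one trailing component and only when the string had more than one dot, so a version with three or more dots (a constructed `1.0.20210127.1`, say) now becomes `1.0` where it used to become `1.0.20210127`. If CBL-Mariner versions are always `major.minor.date`, as the `// e.g. 1.0.20210127` comment suggests, the two agree, and a short comment on the call, `// 1.0.20210127 => 1.0`, would record that assumption next to the lookup. `Detect` continues outside the hunk.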


@@ -9,6 +9,7 @@ import (
"k8s.io/utils/clock"
oracleoval "github.com/aquasecurity/trivy-db/pkg/vulnsrc/oracle-oval"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -58,10 +59,7 @@ func extractKsplice(v string) string {
func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
log.Logger.Info("Detecting Oracle Linux vulnerabilities...")
if strings.Count(osVer, ".") > 0 {
osVer = osVer[:strings.Index(osVer, ".")]
}
osVer = osver.Major(osVer)
log.Logger.Debugf("Oracle Linux: os version: %s", osVer)
log.Logger.Debugf("Oracle Linux: the number of packages: %d", len(pkgs))
@@ -102,17 +100,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
return vulns, nil
}
// IsSupportedVersion checks is OSFamily can be scanned with Oracle scanner
func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
if strings.Count(osVer, ".") > 0 {
osVer = osVer[:strings.Index(osVer, ".")]
}
eol, ok := eolDates[osVer]
if !ok {
log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
return false
}
return s.clock.Now().Before(eol)
// IsSupportedVersion checks if the version is supported.
func (s *Scanner) IsSupportedVersion(osFamily ftypes.OSType, osVer string) bool {
return osver.Supported(s.clock, eolDates, osFamily, osver.Major(osVer))
}


@@ -21,7 +21,7 @@ import (
func TestScanner_IsSupportedVersion(t *testing.T) {
vectors := map[string]struct {
clock clock.Clock
osFamily string
osFamily ftypes.OSType
osVersion string
expected bool
}{
@@ -73,11 +73,11 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
osVersion: "8",
expected: false,
},
"unknown": {
"latest": {
clock: clocktesting.NewFakeClock(time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC)),
osFamily: "oracle",
osVersion: "unknown",
expected: false,
osVersion: "latest",
expected: true,
},
}
@@ -109,8 +109,11 @@ func TestScanner_Detect(t *testing.T) {
wantErr string
}{
{
name: "detected",
fixtures: []string{"testdata/fixtures/oracle7.yaml", "testdata/fixtures/data-source.yaml"},
name: "detected",
fixtures: []string{
"testdata/fixtures/oracle7.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "7",
pkgs: []ftypes.Package{
@@ -140,8 +143,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "without ksplice",
fixtures: []string{"testdata/fixtures/oracle7.yaml", "testdata/fixtures/data-source.yaml"},
name: "without ksplice",
fixtures: []string{
"testdata/fixtures/oracle7.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "7",
pkgs: []ftypes.Package{
@@ -159,8 +165,11 @@ func TestScanner_Detect(t *testing.T) {
want: nil,
},
{
name: "the installed version has ksplice2",
fixtures: []string{"testdata/fixtures/oracle7.yaml", "testdata/fixtures/data-source.yaml"},
name: "the installed version has ksplice2",
fixtures: []string{
"testdata/fixtures/oracle7.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "7",
pkgs: []ftypes.Package{
@@ -180,8 +189,11 @@ func TestScanner_Detect(t *testing.T) {
want: nil,
},
{
name: "with ksplice",
fixtures: []string{"testdata/fixtures/oracle7.yaml", "testdata/fixtures/data-source.yaml"},
name: "with ksplice",
fixtures: []string{
"testdata/fixtures/oracle7.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "7",
pkgs: []ftypes.Package{
@@ -213,8 +225,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "malformed",
fixtures: []string{"testdata/fixtures/invalid-type.yaml", "testdata/fixtures/data-source.yaml"},
name: "malformed",
fixtures: []string{
"testdata/fixtures/invalid-type.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "7",
pkgs: []ftypes.Package{


@@ -8,6 +8,7 @@ import (
"k8s.io/utils/clock"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/photon"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -31,9 +32,9 @@ type options struct {
type option func(*options)
func WithClock(clock clock.Clock) option {
func WithClock(c clock.Clock) option {
return func(opts *options) {
opts.clock = clock
opts.clock = c
}
}
@@ -94,12 +95,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
return vulns, nil
}
// IsSupportedVersion checks if the OS version reached end-of-support.
func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
eol, ok := eolDates[osVer]
if !ok {
log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
return false
}
return s.clock.Now().Before(eol)
// IsSupportedVersion checks if the version is supported.
func (s *Scanner) IsSupportedVersion(osFamily ftypes.OSType, osVer string) bool {
return osver.Supported(s.clock, eolDates, osFamily, osVer)
}


@@ -30,8 +30,11 @@ func TestScanner_Detect(t *testing.T) {
wantErr string
}{
{
name: "happy path",
fixtures: []string{"testdata/fixtures/photon.yaml", "testdata/fixtures/data-source.yaml"},
name: "happy path",
fixtures: []string{
"testdata/fixtures/photon.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "1.0",
pkgs: []ftypes.Package{
@@ -66,8 +69,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "invalid bucket",
fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
name: "invalid bucket",
fixtures: []string{
"testdata/fixtures/invalid.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "1.0",
pkgs: []ftypes.Package{
@@ -102,7 +108,7 @@ func TestScanner_Detect(t *testing.T) {
func TestScanner_IsSupportedVersion(t *testing.T) {
type args struct {
osFamily string
osFamily ftypes.OSType
osVer string
}
tests := []struct {
@@ -130,13 +136,13 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
want: false,
},
{
name: "unknown",
name: "latest",
now: time.Date(2022, 1, 31, 23, 59, 59, 0, time.UTC),
args: args{
osFamily: "photon",
osVer: "unknown",
osVer: "999.0",
},
want: false,
want: true,
},
}
for _, tt := range tests {


@@ -16,7 +16,7 @@ import (
ustrings "github.com/aquasecurity/trivy-db/pkg/utils/strings"
redhat "github.com/aquasecurity/trivy-db/pkg/vulnsrc/redhat-oval"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/os"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -70,9 +70,9 @@ type options struct {
type option func(*options)
func WithClock(clock clock.Clock) option {
func WithClock(c clock.Clock) option {
return func(opts *options) {
opts.clock = clock
opts.clock = c
}
}
@@ -100,9 +100,8 @@ func NewScanner(opts ...option) *Scanner {
// Detect scans and returns redhat vulnerabilities
func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
log.Logger.Info("Detecting RHEL/CentOS vulnerabilities...")
if strings.Count(osVer, ".") > 0 {
osVer = osVer[:strings.Index(osVer, ".")]
}
osVer = osver.Major(osVer)
log.Logger.Debugf("Red Hat: os version: %s", osVer)
log.Logger.Debugf("Red Hat: the number of packages: %d", len(pkgs))
@@ -143,7 +142,7 @@ func (s *Scanner) detect(osVer string, pkg ftypes.Package) ([]types.DetectedVuln
installed := utils.FormatVersion(pkg)
installedVersion := version.NewVersion(installed)
uniqVulns := map[string]types.DetectedVulnerability{}
uniqVulns := make(map[string]types.DetectedVulnerability)
for _, adv := range advisories {
// if Arches for advisory is empty or pkg.Arch is "noarch", then any Arches are affected
if len(adv.Arches) != 0 && pkg.Arch != "noarch" {
@@ -209,24 +208,13 @@ func (s *Scanner) detect(osVer string, pkg ftypes.Package) ([]types.DetectedVuln
}
// IsSupportedVersion checks is OSFamily can be scanned with Redhat scanner
func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
if strings.Count(osVer, ".") > 0 {
osVer = osVer[:strings.Index(osVer, ".")]
func (s *Scanner) IsSupportedVersion(osFamily ftypes.OSType, osVer string) bool {
osVer = osver.Major(osVer)
if osFamily == ftypes.CentOS {
return osver.Supported(s.clock, centosEOLDates, osFamily, osVer)
}
var eolDate time.Time
var ok bool
if osFamily == os.RedHat {
eolDate, ok = redhatEOLDates[osVer]
} else if osFamily == os.CentOS {
eolDate, ok = centosEOLDates[osVer]
}
if !ok {
log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
return false
}
return s.clock.Now().Before(eolDate)
return osver.Supported(s.clock, redhatEOLDates, osFamily, osVer)
}
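Review bot: For any `osFamily` other than `ftypes.CentOS` the new `IsSupportedVersion` falls through to `redhatEOLDates`, whereas the removed code left `ok` false and returned false when the family was neither `os.RedHat` nor `os.CentOS`; the suse hunk widens the same way, checking anything that is not `ftypes.SLES` against `opensuseEolDates`. With `drivers` routing only RedHat/CentOS (and SLES/Leap) to these scanners the extra path is presumably unreachable, but the `TestScanner_IsSupportedVersion` case renamed from "unknown" to "redhat" means the unexpected-family input is no longer exercised. If the fallthrough is intended, a comment on the last return, `// every family other than CentOS is treated as RHEL`, would make that explicit.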
func isFromSupportedVendor(pkg ftypes.Package) bool {


@@ -5,11 +5,10 @@ import (
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
fake "k8s.io/utils/clock/testing"
"github.com/stretchr/testify/assert"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
@@ -138,8 +137,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
VulnerabilityID: "CVE-2020-12403",
VendorIDs: []string{"RHSA-2021:0538", "RHSA-2021:0876"},
VulnerabilityID: "CVE-2020-12403",
VendorIDs: []string{
"RHSA-2021:0538",
"RHSA-2021:0876",
},
PkgName: "nss",
InstalledVersion: "3.36.0-7.1.el7_6",
FixedVersion: "3.53.1-17.el7_3",
@@ -376,7 +378,7 @@ func TestScanner_Detect(t *testing.T) {
func TestScanner_IsSupportedVersion(t *testing.T) {
type args struct {
osFamily string
osFamily ftypes.OSType
osVer string
}
tests := []struct {
@@ -422,13 +424,13 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
want: true,
},
{
name: "unknown",
name: "latest",
now: time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC),
args: args{
osFamily: "unknown",
osVer: "8.0",
osFamily: "redhat",
osVer: "999.0",
},
want: false,
want: true,
},
}
for _, tt := range tests {


@@ -1,7 +1,6 @@
package rocky
import (
"strings"
"time"
version "github.com/knqyf263/go-rpm-version"
@@ -9,6 +8,7 @@ import (
"k8s.io/utils/clock"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/rocky"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -30,9 +30,9 @@ type options struct {
type option func(*options)
func WithClock(clock clock.Clock) option {
func WithClock(c clock.Clock) option {
return func(opts *options) {
opts.clock = clock
opts.clock = c
}
}
@@ -60,9 +60,8 @@ func NewScanner(opts ...option) *Scanner {
// Detect vulnerabilities in package using Rocky Linux scanner
func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
log.Logger.Info("Detecting Rocky Linux vulnerabilities...")
if strings.Count(osVer, ".") > 0 {
osVer = osVer[:strings.Index(osVer, ".")]
}
osVer = osver.Major(osVer)
log.Logger.Debugf("Rocky Linux: os version: %s", osVer)
log.Logger.Debugf("Rocky Linux: the number of packages: %d", len(pkgs))
@@ -107,19 +106,9 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
return vulns, nil
}
// IsSupportedVersion checks the OSFamily can be scanned using Rocky Linux scanner
func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
if strings.Count(osVer, ".") > 0 {
osVer = osVer[:strings.Index(osVer, ".")]
}
eol, ok := eolDates[osVer]
if !ok {
log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
return false
}
return s.clock.Now().Before(eol)
// IsSupportedVersion checks if the version is supported.
func (s *Scanner) IsSupportedVersion(osFamily ftypes.OSType, osVer string) bool {
return osver.Supported(s.clock, eolDates, osFamily, osver.Major(osVer))
}
func addModularNamespace(name, label string) string {


@@ -30,8 +30,11 @@ func TestScanner_Detect(t *testing.T) {
wantErr string
}{
{
name: "happy path",
fixtures: []string{"testdata/fixtures/rocky.yaml", "testdata/fixtures/data-source.yaml"},
name: "happy path",
fixtures: []string{
"testdata/fixtures/rocky.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "8.5",
pkgs: []ftypes.Package{
@@ -67,8 +70,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "skip modular package",
fixtures: []string{"testdata/fixtures/modular.yaml", "testdata/fixtures/data-source.yaml"},
name: "skip modular package",
fixtures: []string{
"testdata/fixtures/modular.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "8.5",
pkgs: []ftypes.Package{
@@ -91,8 +97,11 @@ func TestScanner_Detect(t *testing.T) {
want: nil,
},
{
name: "Get returns an error",
fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
name: "Get returns an error",
fixtures: []string{
"testdata/fixtures/invalid.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "8.5",
pkgs: []ftypes.Package{
@@ -127,7 +136,7 @@ func TestScanner_Detect(t *testing.T) {
func TestScanner_IsSupportedVersion(t *testing.T) {
type args struct {
osFamily string
osFamily ftypes.OSType
osVer string
}
tests := []struct {
@@ -155,13 +164,13 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
want: false,
},
{
name: "unknown",
name: "latest",
now: time.Date(2019, 5, 2, 23, 59, 59, 0, time.UTC),
args: args{
osFamily: "rocky",
osVer: "unknown",
osVer: "999.0",
},
want: false,
want: true,
},
}
for _, tt := range tests {


@@ -3,13 +3,12 @@ package suse
import (
"time"
version "github.com/knqyf263/go-rpm-version"
"golang.org/x/xerrors"
"k8s.io/utils/clock"
version "github.com/knqyf263/go-rpm-version"
susecvrf "github.com/aquasecurity/trivy-db/pkg/vulnsrc/suse-cvrf"
fos "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -42,7 +41,7 @@ var (
"15.4": time.Date(2023, 12, 31, 23, 59, 59, 0, time.UTC),
"15.5": time.Date(2028, 12, 31, 23, 59, 59, 0, time.UTC),
// 6 months after SLES 15 SP7 release
//"15.6": time.Date(2028, 12, 31, 23, 59, 59, 0, time.UTC),
// "15.6": time.Date(2028, 12, 31, 23, 59, 59, 0, time.UTC),
}
opensuseEolDates = map[string]time.Time{
@@ -65,9 +64,9 @@ type options struct {
type option func(*options)
func WithClock(clock clock.Clock) option {
func WithClock(c clock.Clock) option {
return func(opts *options) {
opts.clock = clock
opts.clock = c
}
}
@@ -149,20 +148,9 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
}
// IsSupportedVersion checks if OSFamily can be scanned using SUSE scanner
func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
var eolDate time.Time
var ok bool
if osFamily == fos.SLES {
eolDate, ok = slesEolDates[osVer]
} else if osFamily == fos.OpenSUSELeap {
eolDate, ok = opensuseEolDates[osVer]
func (s *Scanner) IsSupportedVersion(osFamily ftypes.OSType, osVer string) bool {
if osFamily == ftypes.SLES {
return osver.Supported(s.clock, slesEolDates, osFamily, osVer)
}
if !ok {
log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
return false
}
return s.clock.Now().Before(eolDate)
return osver.Supported(s.clock, opensuseEolDates, osFamily, osVer)
}


@@ -31,8 +31,11 @@ func TestScanner_Detect(t *testing.T) {
wantErr string
}{
{
name: "happy path",
fixtures: []string{"testdata/fixtures/suse.yaml", "testdata/fixtures/data-source.yaml"},
name: "happy path",
fixtures: []string{
"testdata/fixtures/suse.yaml",
"testdata/fixtures/data-source.yaml",
},
distribution: suse.OpenSUSE,
args: args{
osVer: "15.3",
@@ -68,8 +71,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "broken bucket",
fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
name: "broken bucket",
fixtures: []string{
"testdata/fixtures/invalid.yaml",
"testdata/fixtures/data-source.yaml",
},
distribution: suse.SUSEEnterpriseLinux,
args: args{
osVer: "15.3",
@@ -105,7 +111,7 @@ func TestScanner_Detect(t *testing.T) {
func TestScanner_IsSupportedVersion(t *testing.T) {
type args struct {
osFamily string
osFamily ftypes.OSType
osVer string
}
tests := []struct {
@@ -136,13 +142,13 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
want: false,
},
{
name: "unknown",
name: "latest",
now: time.Date(2019, 5, 2, 23, 59, 59, 0, time.UTC),
args: args{
osFamily: "unknown",
osVer: "unknown",
osFamily: "opensuse.leap",
osVer: "999.0",
},
want: false,
want: true,
},
}
for _, tt := range tests {


@@ -9,6 +9,7 @@ import (
"k8s.io/utils/clock"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/ubuntu"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -68,9 +69,9 @@ type options struct {
type option func(*options)
func WithClock(clock clock.Clock) option {
func WithClock(c clock.Clock) option {
return func(opts *options) {
opts.clock = clock
opts.clock = c
}
}
@@ -148,13 +149,8 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
}
// IsSupportedVersion checks is OSFamily can be scanned using Ubuntu scanner
func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
eol, ok := eolDates[s.versionFromEolDates(osVer)]
if !ok {
log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
return false
}
return s.clock.Now().Before(eol)
func (s *Scanner) IsSupportedVersion(osFamily ftypes.OSType, osVer string) bool {
return osver.Supported(s.clock, eolDates, osFamily, osVer)
}
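Review bot: The new `IsSupportedVersion` passes `osVer` straight to `osver.Supported`, while the removed line looked up `eolDates[s.versionFromEolDates(osVer)]`, and the comment at the end of the hunk describes that helper as handling the ESM case. Unless `eolDates` carries keys of the `-ESM` form, such inputs now take the missing-key path inside `osver.Supported` instead of the base release's date; worth confirming against the ESM cases in `TestScanner_IsSupportedVersion`. If the helper is still needed, `return osver.Supported(s.clock, eolDates, osFamily, s.versionFromEolDates(osVer))` keeps the previous lookup. `versionFromEolDates` itself is defined outside the hunk.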
// versionFromEolDates checks if actual (not ESM) version is not outdated


@@ -32,8 +32,11 @@ func TestScanner_Detect(t *testing.T) {
wantErr string
}{
{
name: "happy path",
fixtures: []string{"testdata/fixtures/ubuntu.yaml", "testdata/fixtures/data-source.yaml"},
name: "happy path",
fixtures: []string{
"testdata/fixtures/ubuntu.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "20.04",
now: time.Date(2019, 3, 31, 23, 59, 59, 0, time.UTC),
@@ -81,8 +84,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "ubuntu 20.04-ESM. 20.04 is not outdated",
fixtures: []string{"testdata/fixtures/ubuntu.yaml", "testdata/fixtures/data-source.yaml"},
name: "ubuntu 20.04-ESM. 20.04 is not outdated",
fixtures: []string{
"testdata/fixtures/ubuntu.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "20.04-ESM",
now: time.Date(2019, 3, 31, 23, 59, 59, 0, time.UTC),
@@ -130,8 +136,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "ubuntu 20.04-ESM. 20.04 is outdated",
fixtures: []string{"testdata/fixtures/ubuntu.yaml", "testdata/fixtures/data-source.yaml"},
name: "ubuntu 20.04-ESM. 20.04 is outdated",
fixtures: []string{
"testdata/fixtures/ubuntu.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "20.04-ESM",
now: time.Date(2031, 3, 31, 23, 59, 59, 0, time.UTC),
@@ -149,8 +158,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "broken bucket",
fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
name: "broken bucket",
fixtures: []string{
"testdata/fixtures/invalid.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "21.04",
now: time.Date(2019, 3, 31, 23, 59, 59, 0, time.UTC),
@@ -189,7 +201,7 @@ func TestScanner_Detect(t *testing.T) {
func TestScanner_IsSupportedVersion(t *testing.T) {
type args struct {
osFamily string
osFamily ftypes.OSType
osVer string
}
tests := []struct {
@@ -235,13 +247,13 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
want: false,
},
{
name: "unknown",
name: "latest",
now: time.Date(2019, 5, 2, 23, 59, 59, 0, time.UTC),
args: args{
osFamily: "ubuntu",
osVer: "unknown",
osVer: "99.04",
},
want: false,
want: true,
},
}
for _, tt := range tests {


@@ -0,0 +1,38 @@
package version
import (
"strings"
"time"
"k8s.io/utils/clock"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
)
// Major returns the major version
// e.g. 8.1 => 8
func Major(osVer string) string {
osVer, _, _ = strings.Cut(osVer, ".")
return osVer
}
// Minor returns the major and minor version
// e.g. 3.17.2 => 3.17
func Minor(osVer string) string {
major, s, ok := strings.Cut(osVer, ".")
if !ok {
return osVer
}
minor, _, _ := strings.Cut(s, ".")
return major + "." + minor
}
func Supported(c clock.Clock, eolDates map[string]time.Time, osFamily ftypes.OSType, osVer string) bool {
eol, ok := eolDates[osVer]
if !ok {
log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
return true // can be the latest version
}
return c.Now().Before(eol)
}
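Review bot: `Supported` is exported but has no doc comment, and its most consequential behaviour — a version absent from `eolDates` is reported as supported (`return true // can be the latest version`) after only a warn-level log — is exactly where the previous `return false` of every caller is reversed (the oracle, photon, redhat, rocky, suse and ubuntu hunks all delegate here now). A malformed or unrecognised version string from os-release therefore no longer surfaces as end-of-support in results, so anyone relying on that flag to catch unmaintained base images needs the list kept current. Suggest a comment such as `// Supported reports whether osVer of osFamily is still before its EOL date. A version missing from eolDates is assumed to be newer than the list and reported as supported, with a warning; add new releases to eolDates as they ship.`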


@@ -19,9 +19,9 @@ type options struct {
type option func(*options)
func WithClock(clock clock.Clock) option {
func WithClock(c clock.Clock) option {
return func(opts *options) {
opts.clock = clock
opts.clock = c
}
}
@@ -102,8 +102,8 @@ func (s *Scanner) isVulnerable(installedVersion version.Version, adv dbTypes.Adv
return installedVersion.LessThan(fixedVersion)
}
// IsSupportedVersion checks the OSFamily can be scanned using Wolfi scanner
func (s *Scanner) IsSupportedVersion(_, _ string) bool {
// IsSupportedVersion checks if the version is supported.
func (s *Scanner) IsSupportedVersion(_ ftypes.OSType, _ string) bool {
// Wolfi doesn't have versions, so there is no case where a given input yields a
// result of an unsupported Wolfi version.


@@ -4,17 +4,16 @@ import (
"sort"
"testing"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/wolfi"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/os"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/wolfi"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestScanner_Detect(t *testing.T) {
@@ -30,8 +29,11 @@ func TestScanner_Detect(t *testing.T) {
wantErr string
}{
{
name: "happy path",
fixtures: []string{"testdata/fixtures/wolfi.yaml", "testdata/fixtures/data-source.yaml"},
name: "happy path",
fixtures: []string{
"testdata/fixtures/wolfi.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
pkgs: []ftypes.Package{
{
@@ -69,8 +71,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "contain rc",
fixtures: []string{"testdata/fixtures/wolfi.yaml", "testdata/fixtures/data-source.yaml"},
name: "contain rc",
fixtures: []string{
"testdata/fixtures/wolfi.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
pkgs: []ftypes.Package{
{
@@ -96,8 +101,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "contain pre",
fixtures: []string{"testdata/fixtures/wolfi.yaml", "testdata/fixtures/data-source.yaml"},
name: "contain pre",
fixtures: []string{
"testdata/fixtures/wolfi.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
pkgs: []ftypes.Package{
{
@@ -129,8 +137,11 @@ func TestScanner_Detect(t *testing.T) {
},
},
{
name: "Get returns an error",
fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
name: "Get returns an error",
fixtures: []string{
"testdata/fixtures/invalid.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
pkgs: []ftypes.Package{
{
@@ -144,11 +155,14 @@ func TestScanner_Detect(t *testing.T) {
wantErr: "failed to get Wolfi advisories",
},
{
name: "No src name",
fixtures: []string{"testdata/fixtures/wolfi.yaml", "testdata/fixtures/data-source.yaml"},
name: "No src name",
fixtures: []string{
"testdata/fixtures/wolfi.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
repo: &ftypes.Repository{
Family: os.Wolfi,
Family: ftypes.Wolfi,
Release: "3.10",
},
pkgs: []ftypes.Package{


@@ -16,15 +16,15 @@ import (
"golang.org/x/xerrors"
dio "github.com/aquasecurity/go-dep-parser/pkg/io"
aos "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os"
fos "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os"
"github.com/aquasecurity/trivy/pkg/fanal/log"
"github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/misconf"
)
var (
analyzers = map[Type]analyzer{}
postAnalyzers = map[Type]postAnalyzerInitialize{}
analyzers = make(map[Type]analyzer)
postAnalyzers = make(map[Type]postAnalyzerInitialize)
// ErrUnknownOS occurs when unknown OS is analyzed.
ErrUnknownOS = xerrors.New("unknown OS")
@@ -241,8 +241,8 @@ func (r *AnalysisResult) Sort() {
})
}
func (r *AnalysisResult) Merge(new *AnalysisResult) {
if new == nil || new.isEmpty() {
func (r *AnalysisResult) Merge(newResult *AnalysisResult) {
if newResult == nil || newResult.isEmpty() {
return
}
@@ -250,47 +250,47 @@ func (r *AnalysisResult) Merge(new *AnalysisResult) {
r.m.Lock()
defer r.m.Unlock()
r.OS.Merge(new.OS)
r.OS.Merge(newResult.OS)
if new.Repository != nil {
r.Repository = new.Repository
if newResult.Repository != nil {
r.Repository = newResult.Repository
}
if len(new.PackageInfos) > 0 {
r.PackageInfos = append(r.PackageInfos, new.PackageInfos...)
if len(newResult.PackageInfos) > 0 {
r.PackageInfos = append(r.PackageInfos, newResult.PackageInfos...)
}
if len(new.Applications) > 0 {
r.Applications = append(r.Applications, new.Applications...)
if len(newResult.Applications) > 0 {
r.Applications = append(r.Applications, newResult.Applications...)
}
// Merge SHA-256 digests of unpackaged files
if new.Digests != nil {
r.Digests = lo.Assign(r.Digests, new.Digests)
if newResult.Digests != nil {
r.Digests = lo.Assign(r.Digests, newResult.Digests)
}
r.Misconfigurations = append(r.Misconfigurations, new.Misconfigurations...)
r.Secrets = append(r.Secrets, new.Secrets...)
r.Licenses = append(r.Licenses, new.Licenses...)
r.SystemInstalledFiles = append(r.SystemInstalledFiles, new.SystemInstalledFiles...)
r.Misconfigurations = append(r.Misconfigurations, newResult.Misconfigurations...)
r.Secrets = append(r.Secrets, newResult.Secrets...)
r.Licenses = append(r.Licenses, newResult.Licenses...)
r.SystemInstalledFiles = append(r.SystemInstalledFiles, newResult.SystemInstalledFiles...)
if new.BuildInfo != nil {
if newResult.BuildInfo != nil {
if r.BuildInfo == nil {
r.BuildInfo = new.BuildInfo
r.BuildInfo = newResult.BuildInfo
} else {
// We don't need to merge build info here
// because there is theoretically only one file about build info in each layer.
if new.BuildInfo.Nvr != "" || new.BuildInfo.Arch != "" {
r.BuildInfo.Nvr = new.BuildInfo.Nvr
r.BuildInfo.Arch = new.BuildInfo.Arch
if newResult.BuildInfo.Nvr != "" || newResult.BuildInfo.Arch != "" {
r.BuildInfo.Nvr = newResult.BuildInfo.Nvr
r.BuildInfo.Arch = newResult.BuildInfo.Arch
}
if len(new.BuildInfo.ContentSets) > 0 {
r.BuildInfo.ContentSets = new.BuildInfo.ContentSets
if len(newResult.BuildInfo.ContentSets) > 0 {
r.BuildInfo.ContentSets = newResult.BuildInfo.ContentSets
}
}
}
r.CustomResources = append(r.CustomResources, new.CustomResources...)
r.CustomResources = append(r.CustomResources, newResult.CustomResources...)
}
func belongToGroup(groupName Group, analyzerType Type, disabledAnalyzers []Type, analyzer any) bool {
@@ -318,7 +318,7 @@ func NewAnalyzerGroup(opt AnalyzerOptions) (AnalyzerGroup, error) {
}
group := AnalyzerGroup{
filePatterns: map[Type][]*regexp.Regexp{},
filePatterns: make(map[Type][]*regexp.Regexp),
}
for _, p := range opt.FilePatterns {
// e.g. "dockerfile:my_dockerfile_*"
@@ -374,11 +374,11 @@ type Versions struct {
// AnalyzerVersions returns analyzer version identifier used for cache keys.
func (ag AnalyzerGroup) AnalyzerVersions() Versions {
analyzerVersions := map[string]int{}
analyzerVersions := make(map[string]int)
for _, a := range ag.analyzers {
analyzerVersions[string(a.Type())] = a.Version()
}
postAnalyzerVersions := map[string]int{}
postAnalyzerVersions := make(map[string]int)
for _, a := range ag.postAnalyzers {
postAnalyzerVersions[string(a.Type())] = a.Version()
}
@@ -434,7 +434,7 @@ func (ag AnalyzerGroup) AnalyzeFile(ctx context.Context, wg *sync.WaitGroup, lim
Content: rc,
Options: opts,
})
if err != nil && !errors.Is(err, aos.AnalyzeOSError) {
if err != nil && !errors.Is(err, fos.AnalyzeOSError) {
log.Logger.Debugf("Analysis error: %s", err)
return
}


@@ -14,7 +14,6 @@ import (
dio "github.com/aquasecurity/go-dep-parser/pkg/io"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
aos "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os"
"github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/javadb"
"github.com/aquasecurity/trivy/pkg/mapfs"
@@ -28,7 +27,6 @@ import (
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/pkg/apk"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/repo/apk"
_ "github.com/aquasecurity/trivy/pkg/fanal/handler/all"
_ "modernc.org/sqlite"
)
@@ -52,7 +50,7 @@ func TestAnalysisResult_Merge(t *testing.T) {
name: "happy path",
fields: fields{
OS: types.OS{
Family: aos.Debian,
Family: types.Debian,
Name: "9.8",
},
PackageInfos: []types.PackageInfo{
@@ -108,7 +106,7 @@ func TestAnalysisResult_Merge(t *testing.T) {
},
want: analyzer.AnalysisResult{
OS: types.OS{
Family: aos.Debian,
Family: types.Debian,
Name: "9.8",
},
PackageInfos: []types.PackageInfo{
@@ -159,21 +157,21 @@ func TestAnalysisResult_Merge(t *testing.T) {
name: "redhat must be replaced with oracle",
fields: fields{
OS: types.OS{
Family: aos.RedHat, // this must be overwritten
Family: types.RedHat, // this must be overwritten
Name: "8.0",
},
},
args: args{
new: &analyzer.AnalysisResult{
OS: types.OS{
Family: aos.Oracle,
Family: types.Oracle,
Name: "8.0",
},
},
},
want: analyzer.AnalysisResult{
OS: types.OS{
Family: aos.Oracle,
Family: types.Oracle,
Name: "8.0",
},
},
@@ -182,21 +180,21 @@ func TestAnalysisResult_Merge(t *testing.T) {
name: "debian must be replaced with ubuntu",
fields: fields{
OS: types.OS{
Family: aos.Debian, // this must be overwritten
Family: types.Debian, // this must be overwritten
Name: "9.0",
},
},
args: args{
new: &analyzer.AnalysisResult{
OS: types.OS{
Family: aos.Ubuntu,
Family: types.Ubuntu,
Name: "18.04",
},
},
},
want: analyzer.AnalysisResult{
OS: types.OS{
Family: aos.Ubuntu,
Family: types.Ubuntu,
Name: "18.04",
},
},
@@ -206,21 +204,21 @@ func TestAnalysisResult_Merge(t *testing.T) {
fields: fields{
// This must be overwritten
OS: types.OS{
Family: aos.Ubuntu,
Family: types.Ubuntu,
Name: "16.04",
},
},
args: args{
new: &analyzer.AnalysisResult{
OS: types.OS{
Family: aos.Ubuntu,
Family: types.Ubuntu,
Extended: true,
},
},
},
want: analyzer.AnalysisResult{
OS: types.OS{
Family: aos.Ubuntu,
Family: types.Ubuntu,
Name: "16.04",
Extended: true,
},
@@ -230,25 +228,25 @@ func TestAnalysisResult_Merge(t *testing.T) {
name: "alpine OS needs to be extended with apk repositories",
fields: fields{
OS: types.OS{
Family: aos.Alpine,
Family: types.Alpine,
Name: "3.15.3",
},
},
args: args{
new: &analyzer.AnalysisResult{
Repository: &types.Repository{
Family: aos.Alpine,
Family: types.Alpine,
Release: "edge",
},
},
},
want: analyzer.AnalysisResult{
OS: types.OS{
Family: aos.Alpine,
Family: types.Alpine,
Name: "3.15.3",
},
Repository: &types.Repository{
Family: aos.Alpine,
Family: types.Alpine,
Release: "edge",
},
},
@@ -257,21 +255,21 @@ func TestAnalysisResult_Merge(t *testing.T) {
name: "alpine must not be replaced with oracle",
fields: fields{
OS: types.OS{
Family: aos.Alpine, // this must not be overwritten
Family: types.Alpine, // this must not be overwritten
Name: "3.11",
},
},
args: args{
new: &analyzer.AnalysisResult{
OS: types.OS{
Family: aos.Oracle,
Family: types.Oracle,
Name: "8.0",
},
},
},
want: analyzer.AnalysisResult{
OS: types.OS{
Family: aos.Alpine, // this must not be overwritten
Family: types.Alpine, // this must not be overwritten
Name: "3.11",
},
},
@@ -567,7 +565,7 @@ func TestAnalyzerGroup_PostAnalyze(t *testing.T) {
want: &analyzer.AnalysisResult{
Applications: []types.Application{
{
Type: string(analyzer.TypeJar),
Type: types.Jar,
FilePath: "testdata/post-apps/jar/jackson-annotations-2.15.0-rc2.jar",
Libraries: types.Packages{
{
@@ -587,7 +585,7 @@ func TestAnalyzerGroup_PostAnalyze(t *testing.T) {
want: &analyzer.AnalysisResult{
Applications: []types.Application{
{
Type: string(analyzer.TypePoetry),
Type: types.Poetry,
FilePath: "testdata/post-apps/poetry/happy/poetry.lock",
Libraries: types.Packages{
{
@@ -616,7 +614,7 @@ func TestAnalyzerGroup_PostAnalyze(t *testing.T) {
if tt.analyzerType == analyzer.TypeJar {
// init java-trivy-db with skip update
javadb.Init("./language/java/jar/testdata", "ghcr.io/aquasecurity/trivy-java-db", true, false, false)
javadb.Init("./language/java/jar/testdata", "ghcr.io/aquasecurity/trivy-java-db", true, false, types.RegistryOptions{Insecure: false})
}
ctx := context.Background()


@@ -119,7 +119,7 @@ func parseVersion(nvr string) string {
// https://github.com/moby/buildkit/blob/b33357bcd2e3319b0323037c900c13b45a228df1/frontend/dockerfile/dockerfile2llb/convert.go#L474-L482
func metaArgsToMap(metaArgs []instructions.KeyValuePairOptional) map[string]string {
m := map[string]string{}
m := make(map[string]string)
for _, arg := range metaArgs {
m[arg.Key] = arg.ValueString()
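Review bot: The new `m := make(map[string]string)` at the top of metaArgsToMap could carry a capacity hint, since the loop that follows inserts at most one entry per element of metaArgs: `m := make(map[string]string, len(metaArgs))`. That avoids incremental bucket growth when a build file declares many meta args and is otherwise equivalent to the current line (duplicate keys simply leave the map smaller than the hint). The body of metaArgsToMap continues past the end of this hunk.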


@@ -3,9 +3,10 @@ package azurearm
import (
"testing"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
)
func Test_azureARMConfigAnalyzer_Required(t *testing.T) {
