Prepare for v0.44.0

[knqyf263]

🚀 What's new? 🚀

🛡️ Vulnerability Status Support 📊

This update introduces the ability to display the status of vulnerabilities in both table and JSON formats. A new flag --ignore-status has been added, which allows users to ignore vulnerabilities with a certain status during the scan.

The status of a vulnerability provides additional context about its lifecycle. For example, a status of "will_not_fix" indicates that the vulnerability is known but there are no plans to address it. This can be useful information when prioritizing remediation efforts.

Here's how you can use the new --ignore-status flag:

$ trivy image --ignore-status will_not_fix,fix_deferred centos:7

In the example above, Trivy will scan the centos:7 image and ignore any vulnerabilities with the status will_not_fix or fix_deferred. This can be useful if you want to focus on actionable vulnerabilities.

See the document for a list of statuses, supported operating systems and other detailed information.

📁 Local repository support in trivy repo 📁

trivy repo now supports scanning of local repositories in addition to remote ones. Previously, trivy repo was used to scan remote repositories only. Now, with the addition of local repository support, you can use the same command to scan your local repositories as well.

$ trivy repo --scanners vuln /path/to/localrepo

In the example above, Trivy will scan the local repository located at /path/to/localrepo. This is equivalent to using the trivy fs command.

📦 Yarn support for --include-dev-deps flag 🧶

This update extends the --include-dev-deps flag to support Yarn in addition to npm. The --include-dev-deps flag was introduced in Trivy v0.43.0 to include development dependencies in the scan for npm. Now, this functionality is available for Yarn as well, allowing users to include development dependencies in their vulnerability scans.

$ trivy fs --include-dev-deps /path/to/project

In the example above, Trivy will scan the project located at /path/to/project and include development dependencies in the scan. This can be useful if you want to ensure that your development environment is also free from vulnerabilities.

📮Support --config-data for cloud scanning 🀧

It's now possible to supply custom input data for cloud scanning policies. See here for more info.

👨🏼‍🚒--policy flag now can accept directories and files both 🆒

We've added support so you can now supply one or multiple files as input to the --policy flag. For instance:

$ trivy config --policy <path/to/dir>

and

$ trivy config --policy <path/to/one/policy>

Will both work as intended.

👷‍♂️ Notable Fixes 🛠️

• feat: add support of linux/ppc64le and linux/s390x architectures for Install.sh script #4770 (Thanks to @ozbillwang )
• fix(containerd): Use img platform in exporter instead of strict host platform #4477 (Thanks to @AliDatadog)
• fix: support trivy k8s-version on k8s sub-command #4786
• fix(rocky): add architectures support for advisories #4691
• feat: Support multiple instances of same terraform resource #4627
• fix(nodejs): add support of local packages for package-lock.json #4893