v0.51.0

[aqua-bot]

📑 Table of Contents

• 💔 Breaking Change 💔
  • ⎈ Trivy Kubernetes new experience 😄
• 🛫 Deprecation 🌆
  • 🐹 Policies have now been renamed into Checks ✅
• 🚀 What's new? 🚀
  • 🥽 Detecting Vulnerabilities in Standard Packages for Go Binaries 🔍
  • 🧩 Go Binary Parser Enhancement 🔄
  • 📜 License Detection for Conan Files 🔄
  • 📦 Conan v2.x Lockfile Support 🔍
  • 🌱 Conda: Support for environment.yaml Files 📋
  • ✍🏼Ignoring Terraform resources by Nested Attributes 🪵
  • 🪻Checks bundle now supports Private Registries ⼛
  • 🧌Improved fallback support for checks 🧚🏻‍♂️
• 👷‍♂️ Notable Fixes 🛠️

💔 Breaking Change 💔

⎈ Trivy Kubernetes new experience 😄

We've been collecting feedback from the community about Trivy's Kubernetes scanning (trivy k8s), and we are happy to finally incorporate many of the small changes that have been discussed. The new Kubernetes scanning user experience is simplified and more intuitive. We recommended to re-read the Kubernetes Scanning documentation page, but here is a summary of changes:

New usage:

trivy k8s [flags] [kubeconfig context]

Kubeconfig context is optional name of existing context in the relevant kubeconfig. If omitted, default context from kubeconfig will be used.

Flags:

1. --skip-images - prevent pulling and scanning container images (including vulnerabilities and secrets).
2. --include-kinds - include the listed kinds in scanning.
3. --exclude-kinds - exclude the listed kinds from scanning
4. --include-namespaces - include the listed namespaces in scanning.
5. --exclude-namespaces - exclude the listed namespaces from scanning.
6. --disable-node-collector - disable the scan-job that Trivy spawns on nodes by default (no node-level findings).

Removed from the new experience

Target name:

1. cluster (trivy k8s cluster)
2. all (trivy k8s all) - assumed by default
3. kind/resource (trivy k8s deployment/orion)

Flags:

1. --context - promoted to target name
2. --component (workload, infra) - use namespaces and kinds selectors instead (in the future we might provide more convenience around this)
3. --all-namespaces - assumed by default
4. --namespace (namespace name) - replaced by include/exclude-namespaces

For additional info, please refer to the documentation or ask us in discussions.

🛫 Deprecation 🌆

🐹 Policies have now been renamed into Checks ✅

We've simplified our nomenclature by renaming misconfiguration "policies" into "checks", in order to avoid ambiguity (initially discussed here. Detailed migration steps are shared here.
For the time being, all existing checks that reference --policy-* will continue to work but going forwards the recommendation is to move them over to the new names.

This also applies to the checks repo which has been renamed into trivy-checks and can be found here: https://github.com/aquasecurity/trivy-checks
The previously known policy bundle will also continue to be available at ghcr.io/aquasecurity/trivy-policies but we advise to start using the new checks bundle over at ghcr.io/aquasecurity/trivy-checks.

🚀 What's new? 🚀

🥽 Detecting Vulnerabilities in Standard Packages for Go Binaries 🔍

Trivy has introduced a new feature that enables the detection of vulnerabilities in standard packages for Go binaries. For example, when a Go binary is found to have been compiled with Go 1.21.6, Trivy will identify vulnerabilities in standard packages (e.g., crypto/rand and net/http) that were detected in Go 1.21.6 and earlier versions. It's important to note that the detection is based on the Go version, and Trivy does not consider whether the standard package is actually being used in the binary.

trivy (gobinary)
================
Total: 17 (UNKNOWN: 0, LOW: 0, MEDIUM: 11, HIGH: 3, CRITICAL: 3)

┌────────────────────────────────┬────────────────┬──────────┬──────────┬──────────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │  Status  │  Installed Version   │ Fixed Version  │                            Title                             │
├────────────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
...
├────────────────────────────────┼────────────────┼──────────┤          ├──────────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                         │ CVE-2023-45288 │ HIGH     │          │ 1.21.6               │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of           │
│                                │                │          │          │                      │                │ CONTINUATION frames causes DoS                               │
│                                │                │          │          │                      │                │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│                                ├────────────────┼──────────┤          │                      ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-45289 │ MEDIUM   │          │                      │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of          │
│                                │                │          │          │                      │                │ sensitive headers and cookies on HTTP redirect...            │
│                                │                │          │          │                      │                │ https://avd.aquasec.com/nvd/cve-2023-45289                   │
│                                ├────────────────┤          │          │                      │                ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-45290 │          │          │                      │                │ golang: net/http: memory exhaustion in                       │
│                                │                │          │          │                      │                │ Request.ParseMultipartForm                                   │
│                                │                │          │          │                      │                │ https://avd.aquasec.com/nvd/cve-2023-45290                   │
│                                ├────────────────┤          │          │                      │                ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2024-24783 │          │          │                      │                │ golang: crypto/x509: Verify panics on certificates with an   │
│                                │                │          │          │                      │                │ unknown public key algorithm...                              │
│                                │                │          │          │                      │                │ https://avd.aquasec.com/nvd/cve-2024-24783                   │
│                                ├────────────────┤          │          │                      │                ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2024-24784 │          │          │                      │                │ golang: net/mail: comments in display names are incorrectly  │
│                                │                │          │          │                      │                │ handled                                                      │
│                                │                │          │          │                      │                │ https://avd.aquasec.com/nvd/cve-2024-24784                   │
│                                ├────────────────┤          │          │                      │                ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2024-24785 │          │          │                      │                │ golang: html/template: errors returned from MarshalJSON      │
│                                │                │          │          │                      │                │ methods may break template escaping                          │
│                                │                │          │          │                      │                │ https://avd.aquasec.com/nvd/cve-2024-24785                   │
└────────────────────────────────┴────────────────┴──────────┴──────────┴──────────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘

Read more here.

🧩 Go Binary Parser Enhancement 🔄

When scanning binaries compiled with Go, Trivy can now detect the main module name from build information. For example, when scanning the Grafana binary, previously Trivy only detected it's Go dependencies and their vulnerabilities, but now Trivy also detects that this binary is the Grafana application.

This feature depends on parsing -ldflags to search for -X sub-flags which are commonly used to set the binary version during the build.

Thanks to @oatovar

📜 License Detection for Conan Files 🔄

Trivy now supports license detection in Conan projects by parsing conanfile.py in the cache directory. This enhancement allows for improving compliance tracking and reporting.

📦 Conan v2.x Lockfile Support 🔍

Trivy now supports Conan v2.x lockfiles. This update specifically adapts to changes in the lockfile format, which has reduced the amount of information available compared to v1. Therefore, current support is limited: all dependent packages are included in the scan results, but it does not detect which packages are direct/transitive dependencies and does not support dependency trees.

$ trivy repo <path/to/conan-lockfile-v2>

Read more here

Thanks to @dus7eh

🌱 Conda: Support for environment.yaml Files 📋

Trivy now supports scanning environment.yaml files, used with Conda. This update enables Trivy to detect packages listed in these files, although currently, vulnerability detection is not supported due to the absence of a Conda-specific vulnerability database. The scanning can be done for package listing and SBOM generation in various formats.

$ trivy repo /path/to/environment.yaml

Read more here.

✍🏼Ignoring Terraform resources by Nested Attributes 🪵

It's now possible to ignore checks with nested attributes.

#trivy:ignore:*[logging_config.prefix=myprefix]
resource "aws_cloudfront_distribution" "example" {
  logging_config {
    include_cookies = false
    bucket          = "mylogs.s3.amazonaws.com"
    prefix          = "myprefix"
  }
}

Read more here

🪻Checks bundle now supports Private Registries ⼛

You can now pass the --check-bundle-repository flag which includes a bundles that lives in a private registry by specifying credentials as such

Read more here

Thanks to @JeffResc for your contribution.

🧌Improved fallback support for checks 🧚🏻‍♂️

We've made misconfiguration scanning more robust in case things don't go as expected. If case a check from the downloaded checks bundle is not loaded as expected, Trivy will now fallback to using the check's previous (known good) version, which is embedded with the Trivy engine itseld.
This would allow the users to always have a working misconfiguration check instead of skipping the errornous checks completely. It would also allow the Trivy team to maintain backwards compatibility with each new release of the checks bundle, even if the input schema is changed.

👷‍♂️ Notable Fixes 🛠️

• fix(helm): scan the subcharts once #6382
• feat(cloudformation): add support for logging and endpoint access for the EKS service #6421
• fix(cloudformation): resolve DedicatedMasterEnabled parsing issue in OpenSearch service #6423
• fix(misconf): Escape template value correctly #6292
• bug(k8s): KSV110 does not seem to be applied #5137
• bug(terraform): module output values are not passed into the context of other modules #6274
• bug(misconf): YAML and JSON inputs of same file yield different output formats from Trivy #6485