Prepare for v0.38.0

[knqyf263]

Draft to collaborate on v0.38.0 release announcement

🚀 What's new? 🚀

🐳 Complete Docker CIS Benchmark 📝

In the previous release we have introduced Docker CIS Benchmark scanning to Trivy (trivy image --compliance docker-cis). With this release Trivy now completes the report by detecting vulnerabilities of installed packages (section 4.4) and secrets in the Dockerfile (section 4.10).

$ trivy image --compliance docker-cis my-image
...

Summary Report for compliance: CIS Docker Community Edition Benchmark v1.1.0
┌──────┬──────────┬─────────────────────────────────────────────────────────────────────────┬────────┬────────┐
│  ID  │ Severity │                              Control Name                               │ Status │ Issues │
├──────┼──────────┼─────────────────────────────────────────────────────────────────────────┼────────┼────────┤
│ 4.1  │   HIGH   │ Ensure a user for the container has been created                        │  FAIL  │   1    │
│ 4.2  │   HIGH   │ Ensure that containers use trusted base images (Manual)                 │   -    │   -    │
│ 4.3  │   HIGH   │ Ensure unnecessary packages are not installed in the container (Manual) │   -    │   -    │
│ 4.4  │ CRITICAL │ Ensure images are scanned and rebuilt to include security patches       │  PASS  │   0    │
│ 4.5  │   LOW    │ Ensure Content trust for Docker is Enabled (Manual)                     │   -    │   -    │
│ 4.6  │   LOW    │ Ensure HEALTHCHECK instructions have been added to the container image  │  FAIL  │   1    │
│ 4.7  │   HIGH   │ Ensure update instructions are not use alone in the Dockerfile          │  PASS  │   0    │
│ 4.8  │   HIGH   │ Ensure setuid and setgid permissions are removed in the images (Manual) │   -    │   -    │
│ 4.9  │   LOW    │ Ensure COPY is used instead of ADD in Dockerfile                        │  FAIL  │   1    │
│ 4.10 │ CRITICAL │ Ensure secrets are not stored in Dockerfiles (Manual)                   │  FAIL  │   2    │
│ 4.11 │  MEDIUM  │ Ensure verified packages are only Installed (Manual)                    │   -    │   -    │
└──────┴──────────┴─────────────────────────────────────────────────────────────────────────┴────────┴────────┘

⎈ Kubernetes resources for deprecated and removal APIs 💀

When Trivy scans Kubernetes resources it can now alert when the resource is using a deprecated (or about to be) API, and will also suggest the recommended newer version. now can easily check resources against specific k8s version

trivy config ~/data/input.json  --k8s-version=1.22.0
2023-02-08T18:00:49.111+0200  INFO  Misconfiguration scanning is enabled
input.json (kubernetes)

Tests: 145 (SUCCESSES: 144, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LOW: apiVersion 'batch/v1beta1' and kind ‘CronJob' should be replaced with the new API 'batch.v1.CronJob'
See https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/api/batch/v1beta1/zz_generated.prerelease-lifecycle.go
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
apiVersion 'batch/v1beta1' and kind 'CronJob' has been deprecated on: 'v1.21' and planned for removal on:'v1.25'

See https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/api/batch/v1beta1/zz_generated.prerelease-lifecycle.go
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 input.json:1-5
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ {
   2 │     "apiVersion": "batch/v1beta1",
   3 │     "kind": "CronJob",
   4 │     "metadata": {
   5 └         "name": "pi"
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

🐭 Dependency tree and license support for Go 🌲

When scanning a Go project, Trivy now identifies dependency relationships and licenses. This works by finding package sources in $GOPATH so in order to work, make sure modules were downloaded to local cache beforehand (go mod download/go mod tidy).

$ trivy fs --scanners vuln --dependency-tree ./go.mod
2023-02-28T13:50:25.836+0200    INFO    "--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports limited package managers. Please see the document for the detail.
...

go.mod (gomod)
==============
Total: 6 (UNKNOWN: 0, LOW: 2, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

┌──────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│             Library              │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├──────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go        │ CVE-2020-8911  │ MEDIUM   │ 1.44.131          │               │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto   │
│                                  │                │          │                   │               │ SDK for golang...                                           │
│                                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8911                   │
│                                  ├────────────────┼──────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                                  │ CVE-2020-8912  │ LOW      │                   │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto  │
│                                  │                │          │                   │               │ SDK for golang...                                           │
│                                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                   │
├──────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd │ CVE-2023-25153 │ MEDIUM   │ 1.6.15            │ 1.6.18        │ containerd is an open source container runtime. Before      │
│                                  │                │          │                   │               │ versions 1.6.18 ...                                         │
│                                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-25153                  │
│                                  ├────────────────┤          │                   │               ├─────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25173 │          │                   │               │ containerd is an open source container runtime. A bug was   │
│                                  │                │          │                   │               │ found in...                                                 │
│                                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-25173                  │
├──────────────────────────────────┼────────────────┤          ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter   │ CVE-2023-0475  │          │ 1.6.2             │ 1.7.0         │ HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to  │
│                                  │                │          │                   │               │ decompressi ......                                          │
│                                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0475                   │
├──────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net                 │ CVE-2022-41723 │ LOW      │ 0.5.0             │ 0.7.0         │ [http2/hpack: avoid quadratic complexity in hpack decoding] │
│                                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-41723                  │
└──────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Dependency Origin Tree (Reversed)
=================================
go.mod
├── github.com/aws/aws-sdk-go@v1.44.131, (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
├── github.com/containerd/containerd@v1.6.15, (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
│   ├── github.com/open-policy-agent/opa@v0.44.1-0.20220927105354-00e835a7cc15
│   └── helm.sh/helm/v3@v3.11.1
├── github.com/hashicorp/go-getter@v1.6.2, (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
└── golang.org/x/net@v0.5.0, (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
    ├── github.com/open-policy-agent/opa@v0.44.1-0.20220927105354-00e835a7cc15
    ├── golang.org/x/crypto@v0.5.0
    ├── golang.org/x/tools@v0.2.0
    └── ...(omitted)...
        ├── github.com/hashicorp/go-getter@v1.6.2
        └── helm.sh/helm/v3@v3.11.1

See here for detail.

📃 Dependency tree for Poetry (Python) 🌲

When scanning a Poetry project, Trivy now identifies dependency relationships and shows the tree with --dependency-tree. It also requires pyproject.toml alongside poetry.lock to identify dependency relationships.

$ trivy fs --dependency-tree .
2023-03-01T09:53:36.273+0200    INFO    "--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports limited package managers. Please see the document for the detail.
2023-03-01T09:53:36.284+0200    INFO    Vulnerability scanning is enabled
...
2023-03-01T09:53:36.296+0200    INFO    Detecting poetry vulnerabilities...

poetry.lock (poetry)
====================
Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 4, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │     Fixed Version      │                            Title                             │
├─────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ django  │ CVE-2021-35042 │ CRITICAL │ 3.1.7             │ 3.1.13, 3.2.5          │ django: potential SQL injection via unsanitized              │
│         │                │          │                   │                        │ QuerySet.order_by() input                                    │
│         │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-35042                   │
│         ├────────────────┼──────────┤                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2021-31542 │ HIGH     │                   │ 2.2.21, 3.1.9, 3.2.1   │ django: Potential directory-traversal via uploaded files     │
│         │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-31542                   │
│         ├────────────────┤          │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2021-33571 │          │                   │ 2.2.24, 3.1.12, 3.2.4  │ django: Possible indeterminate SSRF, RFI, and LFI attacks    │
│         │                │          │                   │                        │ since validators accepted leading...                         │
│         │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-33571                   │
│         ├────────────────┤          │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2021-44420 │          │                   │ 2.2.25, 3.1.14, 3.2.10 │ django: potential bypass of an upstream access control based │
│         │                │          │                   │                        │ on URL paths...                                              │
│         │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-44420                   │
├─────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ urllib3 │ CVE-2021-33503 │ HIGH     │ 1.25.11           │ 1.26.5                 │ python-urllib3: ReDoS in the parsing of authority part of    │
│         │                │          │                   │                        │ URL                                                          │
│         │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-33503                   │
└─────────┴────────────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘

Dependency Origin Tree (Reversed)
=================================
poetry.lock
├── django@3.1.7, (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 1)
└── urllib3@1.25.11, (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
    └── requests@2.22.0

See here for detail.

💎 Dependency tree for Bundler (Ruby) 🌲

Trivy now shows a dependency origin tree on Gemfile.lock. The following example describes the vulnerable actionpack is introduced by actioncable, which is a direct dependency of the Ruby project.

$ trivy fs --dependency-tree ./Gemfile.lock 
...

Dependency Origin Tree (Reversed)
=================================
Gemfile.lock
└── actionpack@5.2.3, (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 6, CRITICAL: 0)
    └── actioncable@5.2.3

🧭 Command completion

$ trivy completion zsh -h
Generate the autocompletion script for the zsh shell.

If shell completion is not already enabled in your environment you will need
to enable it.  You can execute the following once:

    echo "autoload -U compinit; compinit" >> ~/.zshrc

To load completions in your current shell session:

    source <(trivy completion zsh); compdef _trivy trivy

To load completions for every new session, execute once:

#### Linux:

    trivy completion zsh > "${fpath[1]}/_trivy"

#### macOS:

    trivy completion zsh > $(brew --prefix)/share/zsh/site-functions/_trivy

You will need to start a new shell for this setup to take effect.

See the documentation for detail.

Thanks, @didiermichel and @congbang-le

🕐 Fail on EOSL OS 🚫

You may surprisingly get no vulnerabilities in old images. OS vendors don't provide security advisories for OSes at the end of service (EOL), then newly disclosed vulnerabilities may not be detected. The --exit-on-eol flag enables you to be aware of this situation.

$ trivy image --exit-on-eol 1 alpine:3.10
...

alpine:3.10 (alpine 3.10.9)
===========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ apk-tools │ CVE-2021-36159 │ CRITICAL │ 2.10.6-r0         │ 2.10.7-r0     │ libfetch before 2021-07-26, as used in apk-tools, xbps, and │
│           │                │          │                   │               │ other products, mishandles...                               │
│           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-36159                  │
└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
2023-03-01T11:07:17.941+0200    ERROR   Detected EOL OS: alpine 3.10.9
$ echo $?
1

It fails scanning on EOL OSes with the specified exit code.

Thanks, @blueskyson

🫖 Configure the Java DB repository

In the previous release we introduced new Java scanning architecture that does not rely on external API calls during scan and thus is much more reliable. The new Java scanner uses a dedicated "Trivy Java DB" that is added to the regular "Trivy DB" for Java scanning. This release makes is possible override the default Java DB location using a new flag: --java-db-repository.

$ trivy image --java-db-repository ghcr.io/your_account/trivy-java-db tomcat:9.0.71-jdk8               
2023-02-11T15:10:19.858+0100    INFO    Vulnerability scanning is enabled
2023-02-11T15:10:23.632+0100    INFO    Java DB Repository: ghcr.io/nobbs/trivy-java-db:1
2023-02-11T15:10:23.632+0100    INFO    Downloading the Java DB...
...

Thanks, @nobbs

🎨 Ability to supply custom schemas for Rego policies

It's now possible to supply your custom schemas (or use from a collection of built-in ones) in your Rego policies while doing misconfiguration scanning.

You can read more on this here for more details.

🔮Add optional selectors for Policies

In this release we've introduced the support for subtypes on selectors. With such granular selectors, you can specifically target certain rego policies to be only evaluated if the resources under scan are applicable.

See here for more details on how to use this feature.