v0.22.0 #1518
aqua-bot announced in Announcements
💔 BREAKING CHANGES 💔
JAR/WAR/EAR detection is disabled in filesystem and repository scanning
We assume JAR/WAR/EAR detection is mainly used in container image scanning. You can scan `pom.xml` instead in the `fs` and `repo` subcommands. The `rootfs` subcommand can still be used for JAR/WAR/EAR scanning. See here for the details.
🚀 What's new? 🚀
☕ Support for pom.xml 🎉
Trivy now scans `pom.xml` for Java applications. It is enabled for the `filesystem` and `repository` subcommands and disabled for the `image` subcommand.
Trivy recursively resolves dependencies in pom.xml. In the above example, Trivy also scans the dependencies of log4j-core. If log4j-core doesn't exist in the local repositories, it will be fetched from the remote repositories. Dependencies whose scope is "test", "provided", "system" or "runtime" will be skipped.
`pom.xml` is not a lock file, and a dependency might not be pinned to a specific version. If version requirements such as `(,1.0]` and `[1.2,1.3]` are used, those dependencies will be skipped. See https://maven.apache.org/pom.html#Dependency_Version_Requirement_Specification
In addition, plugins are not supported.
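As an added illustration of the rules above (this is not Trivy's own analyzer), the following script parses a constructed pom.xml and separates the dependencies Trivy would check from those it skips: entries in the "test", "provided", "system" or "runtime" scopes, and entries whose version is a Maven version requirement such as `(,1.0]` or `[1.2,1.3]` rather than a pinned version. The sample POM, its coordinates and versions are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
SKIPPED_SCOPES = {"test", "provided", "system", "runtime"}

# Constructed sample pom.xml, not taken from any real project.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>ranged</artifactId>
      <version>[1.2,1.3]</version>
    </dependency>
  </dependencies>
</project>
"""

def is_version_requirement(version):
    # Maven version requirements (ranges) such as (,1.0] or [1.2,1.3] start with '(' or '['.
    return version.startswith(("(", "["))

def scannable_dependencies(pom_text):
    """Return (kept, skipped): kept holds (group:artifact, version) pairs that would be
    checked, skipped holds (group:artifact, reason) pairs, per the scope and range rules."""
    root = ET.fromstring(pom_text)
    kept, skipped = [], []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        ga = f"{dep.findtext('m:groupId', '', NS)}:{dep.findtext('m:artifactId', '', NS)}"
        version = (dep.findtext("m:version", "", NS) or "").strip()
        scope = (dep.findtext("m:scope", "compile", NS) or "compile").strip()
        if scope in SKIPPED_SCOPES:
            skipped.append((ga, f"scope={scope}"))
        elif not version or is_version_requirement(version):
            skipped.append((ga, f"unpinned version {version!r}"))
        else:
            kept.append((ga, version))
    return kept, skipped
```

Only log4j-core survives the filter here; the test-scoped junit and the ranged dependency are reported as skipped, which is why a pom.xml scan can show fewer findings than a scan of the built artifact.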
📴 Add `--offline-scan` option 📵
The `--offline-scan` option prevents Trivy from sending API requests to identify dependencies. Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it. For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't exist in the local repositories. This means the number of detected vulnerabilities might be lower in offline mode. It works as expected if all the dependencies are available locally.
This option doesn't affect DB download. You need to specify `--skip-update` as well as `--offline-scan` in an air-gapped environment. As for misconfiguration detection, you have to specify `--skip-policy-update` in an air-gapped environment. See here for more details.
🎩 Support for RPM NDB
RPM databases can be either in Berkeley DB format or optionally in the newer "native" NDB format. There are Linux distributions that switched their implementation of the RPM database away from Berkeley DB out of concerns about its future level of maintenance after its license change. Trivy now scans those distributions.
See
Thanks, @dirkmueller
Include JAR file path
You can find `PkgPath` in the JSON result.
Support for misconfiguration results in html.tpl
$ trivy config --format=template --template='@contrib/html.tpl' /path/to/conf_dir
🐞 Bug fixes 🐛
improve memory usage (#1509)
Changelog
42f795f fix(java/pom): ignore unsupported requirements (#1514)
8f737cc feat(cli): warning for root command (#1516)
76249bd BREAKING: disable JAR detection in fs/repo scanning (#1512)
59957d4 feat(scan): support --offline-scan option (#1511)
da8b72d fix: improve memory usage (#1509)
b713ad0 feat(java): support pom.xml (#1501)
56115e9 docs: fixing rust link to security advisory (#1504)
7f859af Add missing IacMetdata (#1505)
628a796 feat(jar): add file path (#1498)
82fba77 feat(rpm): support NDB (#1497)
d5269da feat: added misconfiguration field for html.tpl (#1444)
Docker images
docker pull aquasec/trivy:0.22.0
docker pull ghcr.io/aquasecurity/trivy:0.22.0
docker pull public.ecr.aws/aquasecurity/trivy:0.22.0
This discussion was created from the release v0.22.0.