Releases: aquasecurity/trivy
v0.13.0
Important change
Support npm and RubyGems versioning semantics (#740)
npm and RubyGems have different versioning/constraint semantics from other languages, so we developed libraries for them. In the future, we will probably develop libraries for other languages such as Python.
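As an added illustration of why a scanner needs gem-specific ordering (example code written for these notes, not the library Trivy ships), the Go program below reimplements the RubyGems Gem::Version ordering rules and contrasts them with byte-wise string comparison on constructed version pairs; a scanner that compared versions as plain strings would miss fixes and flag pre-releases incorrectly.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

var segRe = regexp.MustCompile(`[0-9]+|[a-zA-Z]+`)
// canonical mirrors Gem::Version#canonical_segments: "-" reads as ".pre.", the first letter run starts the pre-release part, and trailing zeros drop from both parts.
func canonical(v string) []string {
	var numeric, pre []string
	for _, tok := range segRe.FindAllString(strings.ReplaceAll(v, "-", ".pre."), -1) {
		if _, err := strconv.Atoi(tok); err != nil || len(pre) > 0 {
			pre = append(pre, tok)
		} else {
			numeric = append(numeric, tok)
		}
	}
	return append(trimZeros(numeric), trimZeros(pre)...)
}

func trimZeros(s []string) []string {
	for len(s) > 0 && strings.Trim(s[len(s)-1], "0") == "" {
		s = s[:len(s)-1]
	}
	return s
}

// keyAt maps segment i to a string whose byte order matches Gem::Version: a letter
// run ("0"+text) sorts below every number ("1"+zero-padded digits), so "rc" < 0.
func keyAt(s []string, i int) string {
	seg := "0" // Gem::Version pads the shorter version with zero segments
	if i < len(s) {
		seg = s[i]
	}
	if n, err := strconv.Atoi(seg); err == nil {
		return fmt.Sprintf("1%020d", n)
	}
	return "0" + seg
}

// Compare returns -1, 0 or 1 following Gem::Version#<=>, e.g. "1.0.0.rc1" < "1.0.0".
func Compare(a, b string) int {
	as, bs := canonical(a), canonical(b)
	for i := 0; i < len(as) || i < len(bs); i++ {
		if c := strings.Compare(keyAt(as, i), keyAt(bs, i)); c != 0 {
			return c
		}
	}
	return 0
}

func main() {
	// Constructed pairs: byte-wise ordering of the raw strings gets all three wrong.
	for _, p := range [][2]string{{"1.10.0", "1.9.0"}, {"1.0.0.pre1", "1.0.0"}, {"1.0", "1"}} {
		fmt.Println(p[0], p[1], "gem:", Compare(p[0], p[1]), "raw:", strings.Compare(p[0], p[1]))
	}
}
```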
New features
Skip downloading DB if a remote DB is not updated (#717)
Once the vulnerability DB has been downloaded, it is not updated again within one hour, so Trivy does not download the same DB repeatedly by mistake.
Support
Add back support for FreeBSD & OpenBSD (#728)
Provide binaries for FreeBSD & OpenBSD
Add support for ppc64le architecture (#724)
Provide binaries for the ppc64le (Power) architecture.
Bug fixes
Handle ksplice advisories of Oracle Linux (#745)
During Oracle Linux scanning, skip ksplice advisories when the installed package is not a ksplice package. Conversely, when the package is a ksplice one, the normal (non-ksplice) advisories must not be applied to it.
Skip packages from unsupported repository (remi) (#695)
Skip scanning RPM packages installed from the remi repository.
Changelog
1391b3b fix(oracle): handle ksplice advisories (#745)
b6d5b82 fix: version comparison (#740)
9dfb0fe updated Readme.md (#737)
4555469 Add suse sles 15.2 to the EOL list as well (#734)
c189aa6 Update README.md (#731)
8442528 Warn when a user attempts to use trivy without a detectable lockfile (#729)
d09787e Add back support for FreeBSD & OpenBSD (#728)
0285a89 Add support for ppc64le architecture (#724)
7d7784f Skip packages from unsupported repository (remi) (#695)
ca6f196 Skip downloading DB if a remote DB is not updated (#717)
e621cf2 Sunsetting VendorVectors (#718)
906ab54 Add GitHub Container Registry to README (#712)
1549c25 update BUG_REPORT.md using H2 instead of bold formatting (#714)
fe1d07e fix(ci/deb): do not remove old packages for EOL versions (#706)
793a1aa Add linter check support (#679)
4a94477 Optimize images (#696)
9bc2b19 Update triage.md (#701)
Docker images
docker pull docker.io/aquasec/trivy:0.13.0
docker pull docker.io/aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:0.13.0
docker pull ghcr.io/aquasecurity/trivy:latest
v0.12.0
New features
Add --skip-files option (#624)
Trivy traverses directories and looks for all lock files by default. If your image contains lock files that you do not maintain, you can skip those files.
$ trivy image --skip-files "/Gemfile.lock,/app/Pipfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
Add health check endpoint to trivy server (#644)
$ trivy server &
$ curl http://127.0.0.1:4954/healthz
ok
Add --skip-update option to fs and repo subcommand (#641)
$ trivy fs -h | grep skip-update
--skip-update skip db update (default: false) [$TRIVY_SKIP_UPDATE]
Publish the official image in GitHub Container Registry (#627)
$ docker pull ghcr.io/aquasecurity/trivy:latest
Add CWE-ID (#614)
The Trivy server now returns CWE-IDs in a scan result.
Fixes
Show help for subcommands (#628, #629)
$ trivy image
NAME:
trivy image - scan an image
USAGE:
trivy image [command options] image_name
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, template) (default: "table") [$TRIVY_FORMAT]
--input value, -i value input file path instead of image name [$TRIVY_INPUT]
...
Changelog
49691ba ci(circle): update remote docker version (#683)
87ff0c1 suse: update end of life dates for SLES service packs (#676)
de30c3f update readme for parallel run issue (#660)
4c3bfb8 fix link for Clear images section in README (#659)
8b21cfe add link to Gitlab CI pipeline in README (#658)
46700f7 test: add tests for mux (#645)
014be7e chore: bump up Go to 1.15 (#646)
b3ff2c3 Add contrib/ to the release chain for Docker (#638)
9c786de Add health check endpoint to trivy server (#644)
188e108 fix(cli): show help for subcommands (#629)
7d7842f Add --skip-update option to fs and repo subcommand (#641)
901a371 goreleaser.yml: Add all templates to archive (#636)
095b5ce fix(cli): show help when no argument is passed (#628)
1d3f70e chore(image): push the official image to GitHub Container Registry as well (#627)
5e308da feat(cli): add --skip-files option (#624)
2231e40 chore(docs): update comparison table (#623)
b3680f0 logo: Add new Trivy logo (#615)
8952779 fix(Readme) - Results using a template (#622)
165d593 Improve Gitlab CI installation step in README (#621)
d8b0962 feat(rpc): add CWE-ID (#614)
d35e8ec Add all templates to the docker image (#619)
Docker images
docker pull docker.io/aquasec/trivy:0.12.0
docker pull docker.io/aquasec/trivy:latest
docker pull ghcr.io/aquasecurity/trivy:0.12.0
docker pull ghcr.io/aquasecurity/trivy:latest
v0.11.0
New features
Support AWS Security Hub (#594)
See the documentation for details.
Support --skip-dirs option (#595)
Specify directories that are skipped during traversal.
$ trivy image --skip-dirs "/usr/lib/ruby/gems,/etc" fluent/fluentd:edge
Support custom data sources (#613)
Your custom data source can be added into trivy-db. See #613 for details.
Fixes
fix(alpine): use source package (#607)
IMPORTANT: Trivy now shows the sub-packages that are actually installed in the image instead of their origin (source) package. Clear the cache once after updating Trivy to v0.11.0.
For example, the origin package of libcrypto1.1 is openssl, and Trivy used to display the vulnerabilities of openssl even when openssl itself was not installed. Now Trivy displays the vulnerabilities under libcrypto1.1.
Before:
alpine:3.10.2 (alpine 3.10.2)
=============================
Total: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 0, CRITICAL: 0)
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| openssl | CVE-2019-1549 | MEDIUM | 1.1.1c-r0 | 1.1.1d-r0 | openssl: information |
| | | | | | disclosure in fork() |
+ +------------------+ + +---------------+--------------------------------+
| | CVE-2019-1551 | | | 1.1.1d-r2 | openssl: Integer overflow in |
| | | | | | RSAZ modular exponentiation on |
| | | | | | x86_64 |
+ +------------------+ + +---------------+--------------------------------+
| | CVE-2019-1563 | | | 1.1.1d-r0 | openssl: information |
| | | | | | disclosure in PKCS7_dataDecode |
| | | | | | and CMS_decrypt_set1_pkey |
+ +------------------+ + +---------------+--------------------------------+
| | CVE-2020-1967 | | | 1.1.1g-r0 | openssl: Segmentation fault in |
| | | | | | SSL_check_chain causes denial |
| | | | | | of service |
+ +------------------+----------+ +---------------+--------------------------------+
| | CVE-2019-1547 | LOW | | 1.1.1d-r0 | openssl: side-channel weak |
| | | | | | encryption vulnerability |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
After:
alpine:3.10.2 (alpine 3.10.2)
=============================
Total: 10 (UNKNOWN: 0, LOW: 2, MEDIUM: 8, HIGH: 0, CRITICAL: 0)
+--------------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+--------------+------------------+----------+-------------------+---------------+--------------------------------+
| libcrypto1.1 | CVE-2019-1549 | MEDIUM | 1.1.1c-r0 | 1.1.1d-r0 | openssl: information |
| | | | | | disclosure in fork() |
+ +------------------+ + +---------------+--------------------------------+
| | CVE-2019-1551 | | | 1.1.1d-r2 | openssl: Integer overflow in |
| | | | | | RSAZ modular exponentiation on |
| | | | | | x86_64 |
+ +------------------+ + +---------------+--------------------------------+
| | CVE-2019-1563 | | | 1.1.1d-r0 | openssl: information |
| | | | | | disclosure in PKCS7_dataDecode |
| | | | | | and CMS_decrypt_set1_pkey |
+ +------------------+ + +---------------+--------------------------------+
| | CVE-2020-1967 | | | 1.1.1g-r0 | openssl: Segmentation fault in |
| | | | | | SSL_check_chain causes denial |
| | | | | | of service |
+ +------------------+----------+ +---------------+--------------------------------+
| | CVE-2019-1547 | LOW | | 1.1.1d-r0 | openssl: side-channel weak |
| | | | | | encryption vulnerability |
+--------------+------------------+----------+ + +--------------------------------+
| libssl1.1 | CVE-2019-1549 | MEDIUM | | | openssl: information |
| | | | | | disclosure in fork() |
+ +------------------+ + +---------------+--------------------------------+
| | CVE-2019-1551 | | | 1.1.1d-r2 | openssl: Integer overflow in |
| | | | | | RSAZ modular exponentiation on |
| | | | | | x86_64 |
+ +------------------+ + +---------------+--------------------------------+
| | CVE-2019-1563 | | | 1.1.1d-r0 | openssl: information |
| | | | | | disclosure in PKCS7_dataDecode |
| | | | | | and CMS_decrypt_set1_pkey |
+ +------------------+ + +---------------+--------------------------------+
| | CVE-2020-1967 | | | 1.1.1g-r0 | openssl: Segmentation fault in |
| | | | | | SSL_check_chain causes denial |
| | | | | | of service |
+ +------------------+----------+ +---------------+--------------------------------+
| | CVE-2019-1547 | LOW | | 1.1.1d-r0 | openssl: side-channel weak |
| | | | | | encryption vulnerability |
+--------------+------------------+----------+-------------------+---------------+--------------------------------+
fix: remove error using no options (#539)
Before:
$ trivy
2020-06-18T10:28:44.983+0100 ERROR trivy requires at least 1 argument or --input option
NAME:
trivy - A simple and comprehensive vulnerability scanner for containers
...
After:
$ trivy
NAME:
trivy - A simple and comprehensive vulnerability scanner for containers
...
Changelog
f50b0ce feat(library): support a custom data source (#613)
ed8607b fix(alpine): use source package (#607)
ea28d3b test(vulnerability): fix usages of new trivy-db refactor changes (#611)
827cea3 refactor(bundler): remove unnecessary code (#610)
b2a0d83 codecov: Move into root directory (#608)
85e0139 fix: fullDescription field in SARIF output is not correctly escaped (#605)
80d5df0 chore(docs): add AWS Security Hub (#598)
3a54e5b refactor(writer): define the constructor for TemplateWriter (#597)
acc6a9b circleci: Allow coverage changes without a failure (#599)
96af6dc feat: add --skip-directories option (#595)
675e1b4 Added test and support of ASFF template (#594)
8ca484f fix: remove error using no options (#539)
Docker images
docker pull docker.io/aquasec/trivy:0.11.0
docker pull docker.io/aquasec/trivy:latest
v0.10.2
Changelog
9a25f4f Fix comparison table to use words instead of symbols (#587)
467ec46 sarif: Remove extra periods from short descriptions (#590)
52feff2 Added template function to escape string before output (#583)
Docker images
docker pull docker.io/aquasec/trivy:0.10.2
docker pull docker.io/aquasec/trivy:latest
v0.10.1
v0.10.0
Changes
Ensure trivy docker image runs as a non root user (#519)
This change has been reverted in v0.10.1.
Trivy runs as a non-root user inside the Docker image. If you run the Docker image and mount a cache directory under /root as follows, it may fail with a permission-denied error.
$ docker run --rm -v $PWD:/root/.cache/ aquasec/trivy:latest --cache-dir /root/.cache image centos:7
In that case, try a different directory, for example:
$ docker run --rm -v $PWD:/tmp/.cache/ aquasec/trivy:latest --cache-dir /tmp/.cache image centos:7
See also: https://github.com/aquasecurity/trivy#others
Only show severity total from filter flags (#559)
$ trivy image --severity MEDIUM alpine:3.10.2
2020-07-30T16:16:37.890+0300 INFO Detecting Alpine vulnerabilities...
alpine:3.10.2 (alpine 3.10.2)
=============================
Total: 4 (MEDIUM: 4)
New features
Support OPA to filter vulnerabilities (#562)
Trivy supports Open Policy Agent (OPA) to filter vulnerabilities. You can specify a Rego file with the --ignore-policy option.
$ trivy image --ignore-policy contrib/example_filter/basic.rego centos:7
For more details: https://github.com/aquasecurity/trivy#filter-the-vulnerabilities-by-open-policy-agent-policy
Add CWE-ID (#561)
$ trivy image -f json alpine:3.10.2
[
{
"Target": "alpine:3.10.2 (alpine 3.10.2)",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1549",
"CweIDs": [
"CWE-330"
],
...
Add --list-all-pkgs option (#574)
The --list-all-pkgs option outputs all the installed packages/libraries, even those with no vulnerabilities.
$ trivy image -f json --list-all-pkgs alpine:3.10.2
[
{
"Target": "alpine:3.10.2 (alpine 3.10.2)",
"Type": "alpine",
"Packages": [
{
"Name": "alpine-baselayout",
"Version": "3.1.2-r0",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
}
},
{
"Name": "alpine-keys",
"Version": "2.1-r2",
"Layer": {
"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
}
},
...
Add sarif template (#558)
Fixes
- improve ruby comparison version check. (#552)
- Fix --timeout flag (#569)
- rpc: Add CVSS information to client/server (#564)
Changelog
20f2bae Fix non-root directory permission denied error (#578)
8eb9df8 .circleci: Add code coverage (#572)
88aaffa Added support of list-all-packages (#574)
469c0b4 fix: only show severity total from filter flags (#559)
4a34f72 Update README.md (#575)
4d721e1 SARIF: Tweak format for GitHub UI (#571)
9c91da8 Add non root user (#570)
5b9d942 rpc: Add CVSS information to client/server (#564)
d6b37cb Fix --timeout flag (#569)
9c6f077 feat(report): support OPA to filter vulnerabilities (#562)
0b5d936 Fixed case when pre-release is in suffix (#565)
6eebed3 improve ruby comparison version check. (#552)
43085a8 Added sarif template (#558)
4f90b11 feat(vulnerability): add CWE-ID (#561)
Docker images
docker pull docker.io/aquasec/trivy:0.10.0
docker pull docker.io/aquasec/trivy:latest
v0.9.2
New Features
Support JUnit XML (#541)
You can see the results on the dashboard if your CI service supports JUnit XML. This is an example from CircleCI.
Azure DevOps (thank you, @lgulliver)
This was implemented by @rahul2393.
Include CVSS score info in a result (#530)
{
"VulnerabilityID": "CVE-2019-1547",
"PkgName": "openssl",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"CVSS": {
"nvd": {
"V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V2Score": 1.9,
"V3Score": 4.7
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 5.5
}
},
...
}
Bug fixes
- fix(writer): Error retrieving template from path when --format is not template but template is provided (#556)
- fix(log): write error messages to stderr (#538)
- fix(alpine): replace go-deb-version with go-apk-version (#520)
- fix: MissingBlobs is implemented different in FS and S3 the method log… (#522)
Changelog
d9fa353 Fixing Error retrieving template from path when --format is not template but template is provided (#556)
9a1d746 Adding contrib/junit.tpl to docker image (#554)
d18d17b db: Update trivy-db to include CVSS score info (#530)
4b57c0d docs: fix markdown (#553)
ccd9b2d Added function to escape string in failure message title and descriptions (#551)
ec770cd Added JUNIT support (#541)
b7ec633 chore(docs): mention air-gapped environment (#544)
7aabff1 chore(README): add programming languages (#543)
9dc1bdf fix(log): write error messages to stderr (#538)
2ac672a Use StoreMetadata from trivy-db (#509)
11ae6b2 docs: add more CI options to README (#535)
f201f59 chore(Dockerfile): bump up alpine to 3.12 (#528)
25d45e1 fix(alpine): replace go-deb-version with go-apk-version (#520)
298ba99 fix: MissingBlobs is implemented different in FS and S3 the method log… (#522)
Docker images
docker pull docker.io/aquasec/trivy:0.9.2
docker pull docker.io/aquasec/trivy:latest
v0.9.1
v0.9.0
New Features
[IMPORTANT] Support GitHub Advisory Database (#467)
Trivy supports the GitHub Advisory Database to detect vulnerabilities in programming language libraries. It uses multiple data sources for each language, as shown below.
https://github.com/aquasecurity/trivy#data-source
This allows Trivy to be more accurate and affects the number of vulnerabilities Trivy detects.
Thank you for the contribution, @masahiro331!
Filesystem scan
Scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).
When you specify the path to your project, Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
$ trivy fs /path/to/project
Also, Trivy can scan your container from inside the container.
$ docker run --rm -it alpine:3.11
/ # apk add curl
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy fs /
Embed in Dockerfile 🎉
Scan your image as part of the build process by embedding Trivy in the Dockerfile. This approach can be used to update Dockerfiles that currently use Aqua's Microscanner.
$ cat Dockerfile
FROM alpine:3.7
RUN apk add --no-cache curl \
&& curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \
&& trivy filesystem --exit-code 1 --no-progress / \
&& trivy --reset && rm -f /usr/local/bin/trivy && apk del curl
$ docker build -t vulnerable-image .
Git Repository scan
Scan your remote git repository.
$ trivy repo https://github.com/aquasecurity/trivy-ci-test
Only public repositories are supported.
Bug fixes
CVE duplication in scanning result
Closes aquasecurity/harbor-scanner-trivy#114.
When Trivy scanned an image containing multiple lock files, it sometimes reported duplicated CVEs (false positives), regardless of the OS and its packages.
Changelog
020c4a3 fix(app): add ArgsUsage (#508)
2f2d1a9 feat: support repository and filesystem scan (#503)
03ad8a3 Add GHSA support (#467)
1218e11 refactor: define common options and embed them into the option for subcommand (#502)
Docker images
docker pull docker.io/aquasec/trivy:0.9.0
docker pull docker.io/aquasec/trivy:latest
v0.8.0
New Feature
Add image subcommand (#493)
We deprecated the form "trivy IMAGE_NAME" and introduced the image subcommand.
$ trivy image alpine:3.11
Add CVSS Vectors to JSON output. (#484)
You can see CVSS vectors in a result JSON.
$ trivy image --format=json alpine:3.10.4
[...output snipped...]
"VendorVectors": {
"nvd": {
"v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"redhat": {
"v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
},
[...output snipped...]
Support registry token (#482)
To scan a private image, you can pass a registry token instead of a username and password. This is useful when you develop a registry integration such as Harbor or Quay.
$ export TRIVY_REGISTRY_TOKEN=$(curl -u "username:password" "https://auth.docker.io/token?service=registry.docker.io&scope=repository:org/private_image:pull")
$ trivy org/private_image:latest
Changelog
78b7529 Add image subcommand (#493)
e2bcb44 fix: remove help template (#500)
a57c27e vulnerability: Add CVSS Vectors to JSON output. (#484)
926f323 feat: support registry token (#482)
aa20adb chore: bump up urfave/cli to v2 (#499)
3e0779a chore(doc): update README (#490)
Docker images
docker pull docker.io/aquasec/trivy:0.8.0
docker pull docker.io/aquasec/trivy:latest