Version: 0.37.3-bp154.2.9.1
* Wed Feb 15 2023 dmueller@suse.com
- Update to version 0.37.3 (bsc#1208091, CVE-2023-25165):
* chore(helm): update Trivy from v0.36.1 to v0.37.2 (#3574)
* chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#3536)
* chore(deps): bump golang/x/mod to v0.8.0 (#3606)
* chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.5.0 (#3529)
* chore(deps): bump helm.sh/helm/v3 from 3.10.3 to 3.11.1 (#3580)
* ci: quote pros in c++ for semantic pr (#3605)
* fix(image): check proxy settings from env for remote images (#3604)
* Fri Feb 10 2023 kastl@b1-systems.de
- Update to version 0.37.2:
* BREAKING: use normalized trivy-java-db (#3583)
* fix(image): add timeout for remote images (#3582)
* chore(deps): bump golang.org/x/mod from 0.6.0 to 0.7.0 (#3532)
* chore(deps): bump golang.org/x/text from 0.5.0 to 0.6.0 (#3534)
* fix(misconf): handle dot files better (#3550)
* chore: bump Go to 1.19 (#3551)
* chore(deps): bump alpine from 3.17.0 to 3.17.1 (#3522)
* chore(deps): bump docker/build-push-action from 3 to 4 (#3523)
* chore(deps): bump actions/cache from 3.2.2 to 3.2.4 (#3524)
* chore(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.4.0 (#3525)
* chore(deps): bump aquaproj/aqua-installer from 1.2.0 to 2.0.2 (#3526)
* Wed Feb 01 2023 dmueller@suse.com
- Update to version 0.37.1:
* fix(sbom): download the Java DB when generating SBOM (#3539)
* fix: use cgo free sqlite driver (#3521)
* ci: fix path to dist folder (#3527)
* Wed Feb 01 2023 dmueller@suse.com
- Update to version 0.37.0:
* fix(image): close layers (#3517)
* refactor: db client changed (#3515)
* feat(java): use trivy-java-db to get GAV (#3484)
* docs: add note about the limitation in Rekor (#3494)
* docs: aggregate targets (#3503)
* deps: updates wazero to 1.0.0-pre.8 (#3510)
* docs: add alma 9 and rocky 9 to supported os (#3513)
* chore(deps): bump defsec to v0.82.9 (#3512)
* chore: add missing target labels (#3504)
* docs: add java vulnerability page (#3429)
* feat(image): add support for Docker CIS Benchmark (#3496)
* feat(image): secret scanning on container image config (#3495)
* chore(deps): Upgrade defsec to v0.82.8 (#3488)
* feat(image): scan misconfigurations in image config (#3437)
* chore(helm): update Trivy from v0.30.4 to v0.36.1 (#3489)
* feat(k8s): add node info resource (#3482)
* perf(secret): optimize secret scanning memory usage (#3453)
* feat: support aliases in CLI flag, env and config (#3481)
* fix(k8s): migrate rbac k8s (#3459)
* feat(java): add implementationVendor and specificationVendor fields to detect GroupID from MANIFEST.MF (#3480)
* refactor: rename security-checks to scanners (#3467)
* chore: display the troubleshooting URL for the DB denial error (#3474)
* docs: yaml tabs to spaces, auto create namespace (#3469)
* docs: adding show-and-tell template to GH discussions (#3391)
* fix: Fix a temporary file leak in case of error (#3465)
* fix(test): sort cyclonedx components (#3468)
* docs: fixing spelling mistakes (#3462)
* ci: set paths triggering VM tests in PR (#3438)
* docs: typo in --skip-files (#3454)
* feat(custom-forward): Extended advisory data (#3444)
* docs: fix spelling error (#3436)
* refactor(image): extend image config analyzer (#3434)
* fix(nodejs): add ignore protocols to yarn parser (#3433)
* fix(db): check proxy settings when using insecure flag (#3435)
* feat(misconf): Fetch policies from OCI registry (#3015)
* ci: downgrade Go to 1.18 and use stable and oldstable go versions for unit tests (#3413)
* ci: store URLs to Github Releases in RPM repository (#3414)
* feat(server): add support of `skip-db-update` flag for hot db update (#3416)
* chore(deps): bump github.com/moby/buildkit from v0.10.6 to v0.11.0 (#3411)
* fix(image): handle wrong empty layer detection (#3375)
* test: fix integration tests for spdx and cycloneDX (#3412)
* feat(python): Include Conda packages in SBOMs (#3379)
* feat: add support pubspec.lock files for dart (#3344)
* fix(image): parsePlatform is failing with UNAUTHORIZED error (#3326)
* fix(license): change normalize for GPL-3+-WITH-BISON-EXCEPTION (#3405)
* feat(server): log errors on server side (#3397)
* chore(deps): bump defsec to address helm vulnerabilities (#3399)
* docs: rewrite installation docs and general improvements (#3368)
* chore: update code owners (#3393)
* chore: test docs separately from code (#3392)
* docs: use the formula maintained by Homebrew (#3389)
* docs: add `Security Management` section with SonarQube plugin
* Thu Jan 05 2023 dmueller@suse.com
- Update to version 0.36.1:
* fix(deps): fix errors on yarn.lock files that contain local file reference (#3384)
* feat(flag): early fail when the format is invalid (#3370)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.136 to 1.44.171 (#3366)
* docs(aws): fix broken links (#3374)
* chore(deps): bump actions/stale from 6 to 7 (#3360)
* chore(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#3359)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.6.0 to 0.7.0 (#2974)
* chore(deps): bump azure/setup-helm from 3.4 to 3.5 (#3358)
* chore(deps): bump github.com/moby/buildkit from 0.10.4 to 0.10.6 (#3173)
* chore(deps): bump goreleaser/goreleaser-action from 3 to 4 (#3357)
* chore(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.14 (#3367)
* chore(go): updates wazero to v1.0.0-pre.7 (#3355)
* chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#3362)
* chore(deps): bump actions/cache from 3.0.11 to 3.2.2 (#3356)
* Mon Jan 02 2023 dmueller@suse.com
- Update to version 0.36.0:
* docs: improve compliance docs (#3340)
* feat(deps): add yarn lock dependency tree (#3348)
* fix: compliance change id and title naming (#3349)
* feat: add support for mix.lock files for elixir language (#3328)
* feat: add k8s cis bench (#3315)
* test: disable SearchLocalStoreByNameOrDigest test for non-amd64 arch (#3322)
* revert: cache merged layers (#3334)
* feat(cyclonedx): add recommendation (#3336)
* feat(ubuntu): added support ubuntu ESM versions (#1893)
* fix: change logic to build relative paths for skip-dirs and skip-files (#3331)
* chore(deps): bump github.com/hashicorp/golang-lru from 0.5.4 to 2.0.1 (#3265)
* feat: Adding support for Windows testing (#3037)
* feat: add support for Alpine 3.17 (#3319)
* docs: change PodFile.lock to Podfile.lock (#3318)
* fix(sbom): support for the detection of old CycloneDX predicate type (#3316)
* feat(secret): Use .trivyignore for filtering secret scanning result (#3312)
* chore(go): remove experimental FS API usage in Wasm (#3299)
* ci: add workflow to add issues to roadmap project (#3292)
* fix(vuln): include duplicate vulnerabilities with different package paths in the final report (#3275)
* chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#3250)
* feat(sbom): better support for third-party SBOMs (#3262)
* docs: add information about languages with support for dependency locations (#3306)
* feat(vm): add `region` option to vm scan to be able to scan any region's ami and ebs snapshots (#3284)
* chore(deps): bump github.com/Azure/azure-sdk-for-go from 66.0.0+incompatible to 67.1.0+incompatible (#3251)
* fix(vuln): change severity vendor priority for ghsa-ids and vulns from govuln (#3255)
* docs: remove comparisons (#3289)
* feat: add support for Wolfi Linux (#3215)
* ci: add go.mod to canary workflow (#3288)
* feat(python): skip dev dependencies (#3282)
* chore: update ubuntu version for Github action runnners (#3257)
* fix(go): skip dep without Path for go-binaries (#3254)
* feat(rust): add ID for cargo pgks (#3256)
* chore(deps): bump github.com/samber/lo from 1.33.0 to 1.36.0 (#3263)
* chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#3253)
* feat: add support for swift cocoapods lock files (#2956)
* fix(sbom): use proper constants (#3286)
* chore(deps): bump golang.org/x/term from 0.1.0 to 0.3.0 (#3278)
* test(vm): import relevant analyzers (#3285)
* feat: support scan remote repository (#3131)
* docs: fix typo in fluxcd (#3268)
* docs: fix broken "ecosystem" link in readme (#3280)
* feat(misconf): Add compliance check support (#3130)
* docs: Adding Concourse resource for trivy (#3224)
* chore(deps): change golang from 1.19.2 to 1.19 (#3249)
* fix(sbom): duplicate dependson (#3261)
* chore(deps): bump alpine from 3.16.2 to 3.17.0 (#3247)
* chore(go): updates wazero to 1.0.0-pre.4 (#3242)
* feat(report): add dependency locations to sarif format (#3210)
* fix(rpm): add rocky to osVendors (#3241)
* docs: fix a typo (#3236)
* feat(dotnet): add dependency parsing for nuget lock files (#3222)
* docs: add pre-commit hook to community tools (#3203)
* feat(helm): pass arbitrary env vars to trivy (#3208)
* Mon Nov 28 2022 kastl@b1-systems.de
- Update to version 0.35.0:
* chore(vm): update xfs filesystem parser for change log (#3230)
* feat: add virtual machine scan command (#2910)
* docs: reorganize index and readme (#3026)
* fix: `slowSizeThreshold` should be less than `defaultSizeThreshold` (#3225)
* feat: Export functions for trivy plugin (#3204)
* feat(image): add support wildcard for platform os (#3196)
* fix: load compliance report from file system (#3161)
* fix(suse): use package name to get advisories (#3199)
* docs(image): space issues during image scan (#3190)
* feat(containerd): scan image by digest (#3075)
* fix(vuln): add package name to title (#3183)
* fix: present control status instead of compliance percentage in compliance report (#3181)
* perf(license): remove go-enry/go-license-detector. (#3187)
* fix: workdir command as empty layer (#3087)
* docs: reorganize ecosystem section (#3025)
* feat(dotnet): add support dependency location for dotnet-core files (#3095)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.114 to 1.44.136 (#3174)
* chore(deps): bump github.com/testcontainers/testcontainers-go from 0.13.0 to 0.15.0 (#3109)
* feat(dotnet): add support dependency location for nuget lock files (#3032)
* chore: update code owners for misconfigurations (#3176)
* feat: add slow mode (#3084)
* docs: fix typo in enable-builin-rules mentions (#3118)
* feat: Add maintainer field to OS packages (#3149)
* docs: fix some typo (#3171)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.17.8 to 1.18.0 (#3175)
* chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#3112)
* docs: fix links on Built-in Policies page (#3124)
* chore(deps): bump github.com/go-openapi/runtime from 0.24.1 to 0.24.2 (#3117)
* chore(deps): bump github.com/samber/lo from 1.28.2 to 1.33.0 (#3116)
* fix: Perform filepath.Clean first and then filepath.ToSlash for skipFile/skipDirs settings (#3144)
* chore: use newline for semantic pr (#3172)
* chore(deps): bump azure/setup-helm from 3.3 to 3.4 (#3107)
* chore(deps): bump sigstore/cosign-installer from 2.7.0 to 2.8.1 (#3106)
* chore(deps): bump amannn/action-semantic-pull-request from 4 to 5 (#3105)
* chore(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (#3104)
* fix(spdx): rename describes field in spdx (#3102)
* chore: handle GOPATH with several paths in make file (#3092)
* docs(flag): add "rego" configuration file options (#3165)
* chore(go): updates wazero to 1.0.0-pre.3 (#3090)
* chore(deps): bump actions/cache from 3.0.9 to 3.0.11 (#3108)
* docs(license): fix typo inside quick start (#3134)
* chore: update codeowners for docs (#3135)
* fix(cli): exclude --compliance flag from non supported sub-commands (#3158)
* fix: remove --security-checks none from image help (#3156)
* fix: compliance flag description (#3160)
* docs(k8s): fix a typo (#3163)
* chore(deps): bump golang from 1.19.1 to 1.19.2 (#3103)
* Mon Oct 31 2022 kastl@b1-systems.de
- Update to version 0.34.0:
* feat(vuln): support dependency graph for RHEL/CentOS (#3094)
* feat(vuln): support dependency graph for dpkg and apk (#3093)
* perf(license): enable license classifier only with "--license-full" (#3086)
* feat(report): add secret scanning to ASFF template (#2860)
* feat: Allow override of containerd namespace (#3060)
* fix(vuln): In alpine use Name as SrcName (#3079)
* fix(secret): Alibaba AccessKey ID (#3083)
* Wed Oct 26 2022 kastl@b1-systems.de
- Update to version 0.33.0:
* refactor(k8s): custom reports (#3076)
* fix(misconf): Bump in-toto-golang with correct CycloneDX predicate (#3068)
* feat(image): add support for passing architecture and OS (#3012)
* test: disable containerd integration tests for non-amd64 arch (#3073)
* feat(server): Add support for client/server mode to rootfs command (#3021)
* feat(vuln): support non-packaged binaries (#3019)
* feat: compliance reports (#2951)
* fix(flag): disable flag parsing for each plugin command (#3074)
* feat(nodejs): add support dependency location for yarn.lock files (#3016)
* chore: Switch github.com/liamg dependencies to github.com/aquasecurity (#3069)
* feat: add k8s components (#2589)
* fix(secret): update the regex for secrets scanning (#2964)
* chore(deps): bump github.com/samber/lo from 1.27.1 to 1.28.2 (#2979)
* fix: bump trivy-kubernetes (#3064)
* docs: fix missing 'image' subcommand (#3051)
* chore: Patch golang x/text vulnerability (#3046)
* chore: add licensed project logo (#3058)
* feat(ubuntu): set Ubuntu 22.10 EOL (#3054)
* refactor(analyzer): use strings.TrimSuffix instead of strings.HasSuffix (#3028)
* feat(report): Use understandable value for shortDescription in SARIF reports (#3009)
* docs(misconf): fix typo (#3043)
* feat: add support for scanning azure ARM (#3011)
* feat(report): add location.message to SARIF output (#3002) (#3003)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.95 to 1.44.109 (#2980)
* feat(nodejs): add dependency line numbers for npm lock files (#2932)
* test(fs): add `--skip-files`, `--skip-dirs` (#2984)
* docs: add Woodpecker CI integrations example (#2823)
* chore(deps): bump github.com/sigstore/rekor from 0.12.0 to 0.12.2 (#2981)
* chore(deps): bump github.com/liamg/memoryfs from 1.4.2 to 1.4.3 (#2976)
* chore(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 (#2975)
* chore(deps): bump github.com/caarlos0/env/v6 from 6.10.0 to 6.10.1 (#2982)
* fix(sbom): ref generation if serialNumber is empty when input is cyclonedx file (#3000)
* fix(java): don't stop parsing jar file when wrong inner jar is found (#2989)
* fix(sbom): use nuget purl type for dotnet-core (#2990)
* perf: retrieve rekor entries in bulk (#2987)
* feat(aws): Custom rego policies for AWS scanning (#2994)
* docs: jq cli formatting (#2881)
* docs(repo): troubleshooting $TMPDIR customization (#2985)
* chore(deps): bump actions/cache from 3.0.8 to 3.0.9 (#2969)
* chore(deps): bump actions/stale from 5 to 6 (#2970)
* chore(deps): bump sigstore/cosign-installer from 2.5.1 to 2.7.0 (#2971)
* chore(deps): bump helm/chart-testing-action from 2.3.0 to 2.3.1 (#2972)
* chore(deps): bump helm/kind-action from 1.3.0 to 1.4.0 (#2973)
* chore: run `go fmt` (#2897)
* chore(go): updates wazero to 1.0.0-pre.2 (#2955)
* fix(aws): Less function for slice sorting always returns false #2967
* fix(java): fix unmarshal pom exclusions (#2936)
* Wed Sep 28 2022 dmueller@suse.com
- Update to version 0.32.1:
* fix(java): use fields of dependency from dependencyManagement from upper pom.xml to parse deps (#2943)
* chore: expat lib and go binary deps vulns (#2940)
* wasm: Removes accidentally exported memory (#2950)
* fix(sbom): fix package name separation for gradle (#2906)
* docs(readme.md): fix broken integrations link (#2931)
* fix(image): handle images with single layer in rescan mergedLayers cache (#2927)
* fix(cli): split env values with ',' for slice flags (#2926)
* fix(cli): config/helm: also take into account files with `.yml` (#2928)
* fix(flag): add file-patterns flag for config subcommand (#2925)
* chore(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.43.1 (#2902)
* Mon Sep 19 2022 dmueller@suse.com
- Update to version 0.32.0:
* docs: add Rekor SBOM attestation scanning (#2893)
* chore: narrow the owner scope (#2894)
* fix: remove a patch number from the recommendation link (#2891)
* fix: enable parsing of UUID-only rekor entry ID (#2887)
* docs(sbom): add SPDX scanning (#2885)
* docs: restructure docs and add tutorials (#2883)
* feat(sbom): scan sbom attestation in the rekor record (#2699)
* feat(k8s): support outdated-api (#2877)
* chore(deps): bump github.com/moby/buildkit from 0.10.3 to 0.10.4 (#2815)
* fix(c): support revisions in Conan parser (#2878)
* feat: dynamic links support for scan results (#2838)
* chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 (#2818)
* docs: update archlinux commands (#2876)
* feat(secret): add line from dockerfile where secret was added to secret result (#2780)
* feat(sbom): Add unmarshal for spdx (#2868)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#2827)
* fix: revert asff arn and add documentation (#2852)
* docs: batch-import-findings limit (#2851)
* chore(deps): bump golang from 1.19.0 to 1.19.1 (#2872)
* feat(sbom): Add marshal for spdx (#2867)
* build: checkout before setting up Go (#2873)
* chore: bump Go to 1.19 (#2861)
* docs: azure doc and trivy (#2869)
* fix: Scan tarr'd dependencies (#2857)
* chore(helm): helm test with ingress (#2630)
* feat(report): add secrets to sarif format (#2820)
* chore(deps): bump azure/setup-helm from 1.1 to 3.3 (#2807)
* refactor: add a new interface for initializing analyzers (#2835)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.77 to 1.44.92 (#2840)
* fix: update ProductArn with account id (#2782)
* feat(helm): make cache TTL configurable (#2798)
* build(): Sign releaser artifacts, not only container manifests (#2789)
* chore: improve doc about azure devops (#2795)
* chore(deps): bump sigstore/cosign-installer from 2.5.0 to 2.5.1 (#2804)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#2825)
* docs: don't push patch versions (#2824)
* feat: add support for conan.lock file (#2779)
* feat: cache merged layers
* chore(deps): bump helm/chart-testing-action from 2.2.1 to 2.3.0 (#2805)
* chore(deps): bump actions/cache from 3.0.5 to 3.0.8 (#2806)
* chore(deps): bump github.com/caarlos0/env/v6 from 6.9.3 to 6.10.0 (#2811)
* chore(deps): bump github.com/aquasecurity/table from 1.7.2 to 1.8.0 (#2810)
* chore(deps): bump github.com/samber/lo from 1.27.0 to 1.27.1 (#2808)
* chore(deps): bump github.com/alicebob/miniredis/v2 from 2.22.0 to 2.23.0 (#2814)
* feat: add support for gradle.lockfile (#2759)
* chore(mod): updates wazero to 1.0.0-pre.1 #2791
* feat: move file patterns to a global level to be able to use it on any analyzer (#2539)
* Fix url validaton failures (#2783)
* fix(image): add logic to detect empty layers (#2790)
* feat(rust): add dependency graph from Rust binaries (#2771)
* Mon Sep 05 2022 dmueller@suse.com
- Update to version 0.31.3:
* fix: handle empty OS family (#2768)
* fix: fix k8s summary report (#2777)
* fix: don't skip packages that don't contain vulns, when using --list-all-pkgs flag (#2767)
* chore: bump trivy-kubernetes (#2770)
* fix(secret): Consider secrets in rpc calls (#2753)
* fix(java): check depManagement from upper pom's (#2747)
* fix(php): skip `composer.lock` inside `vendor` folder (#2718)
* fix: fix k8s rbac filter (#2765)
* feat(misconf): skipping misconfigurations by AVD ID (#2743)
* chore(deps): Upgrade Alpine to 3.16.2 to fix zlib issue (#2741)
* docs: add MacPorts install instructions (#2727)
* docs: typo (#2730)
* Tue Aug 16 2022 dmueller@suse.com
- Update to version 0.31.2:
* fix: Correctly handle recoverable AWS scanning errors (#2726)
* docs: Remove reference to SecurityAudit policy for AWS scanning (#2721)
* Tue Aug 16 2022 dmueller@suse.com
- Update to version 0.31.1:
* fix: upgrade defsec to v0.71.7 for elb scan panic (#2720)
* Tue Aug 16 2022 dmueller@suse.com
- Update to version 0.31.0:
* fix(flag): add error when there are no supported security checks (#2713)
* fix(vuln): continue scanning when no vuln found in the first application (#2712)
* revert: add new classes for vulnerabilities (#2701)
* feat(secret): detect secrets removed or overwritten in upper layer (#2611)
* fix(cli): secret scanning perf link fix (#2607)
* chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.12.0 (#2650)
* feat: Add AWS Cloud scanning (#2493)
* docs: specify the type when verifying an attestation (#2697)
* docs(sbom): improve SBOM docs by adding a description for scanning SBOM attestation (#2690)
* fix(rpc): scanResponse rpc conversion for custom resources (#2692)
* feat(rust): Add support for cargo-auditable (#2675)
* feat: Support passing value overrides for configuration checks (#2679)
* feat(sbom): add support for scanning a sbom attestation (#2652)
* chore(image): skip symlinks and hardlinks from tar scan (#2634)
* fix(report): Update junit.tpl (#2677)
* fix(cyclonedx): add nil check to metadata.component (#2673)
* docs(secret): fix missing and broken links (#2674)
* refactor(cyclonedx): implement json.Unmarshaler (#2662)
* chore(deps): bump github.com/aquasecurity/table from 1.6.0 to 1.7.2 (#2643)
* chore(deps): bump github.com/Azure/go-autorest/autorest (#2642)
* feat(kubernetes): add option to specify kubeconfig file path (#2576)
* docs: follow Debian's "instructions to connect to a third-party repository" (#2511)
* chore(deps): bump github.com/google/licenseclassifier/v2 (#2644)
* chore(deps): bump github.com/samber/lo from 1.24.0 to 1.27.0 (#2645)
* chore(deps): bump github.com/Azure/go-autorest/autorest/adal (#2647)
* chore(deps): bump github.com/cheggaaa/pb/v3 from 3.0.8 to 3.1.0 (#2646)
* chore(deps): bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (#2641)
* chore(deps): bump actions/cache from 3.0.4 to 3.0.5 (#2640)
* chore(deps): bump alpine from 3.16.0 to 3.16.1 (#2639)
* chore(deps): bump golang from 1.18.3 to 1.18.4 (#2638)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.48 to 1.44.66 (#2648)
* chore(deps): bump github.com/open-policy-agent/opa from 0.42.0 to 0.43.0 (#2649)
* chore(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (#2651)
* feat(alma): set AlmaLinux 9 EOL (#2653)
* fix(misconf): Allow quotes in Dockerfile WORKDIR when detecting relative dirs (#2636)
* test(misconf): add tests for misconf handler for dockerfiles (#2621)
* feat(oracle): set Oracle Linux 9 EOL (#2635)
* BREAKING: add new classes for vulnerabilities (#2541)
* fix(secret): add newline escaping for asymmetric private key (#2532)
* docs: improve formatting (#2572)
* feat(helm): allows users to define an existing secret for tokens (#2587)
* docs(mariner): use tdnf in fs usage example (#2616)
* docs: remove unnecessary double quotation marks (#2609)
* fix: Fix --file-patterns flag (#2625)
* feat(report): add support for Cosign vulnerability attestation (#2567)
* docs(mariner): use v2.0 in examples (#2602)
* feat(report): add secrets template for codequality report (#2461)
Version: 0.30.4-bp153.8.1
* Wed Jul 27 2022 kastl@b1-systems.de
- Update to version 0.30.4:
* fix: remove the first arg when running as a plugin (#2595)
* fix: k8s controlplaner scanning (#2593)
* fix(vuln): GitLab report template (#2578)
* Tue Jul 26 2022 kastl@b1-systems.de
- Update to version 0.30.3:
* fix(server): use a new db worker for hot updates (#2581)
* docs: add trivy with download-db-only flag to Air-Gapped Environment (#2583)
* docs: split commands to download db for different versions of oras (#2582)
* feat(report): export exitcode for license checks (#2564)
* fix: cli can use lowercase for severities (#2565)
* fix: allow subcommands with TRIVY_RUN_AS_PLUGIN (#2577)
* fix: add missing types in TypeOSes and TypeLanguages in analyzer (#2569)
* fix: enable some features of the wasm runtime (#2575)
* fix(k8s): no error logged if trivy can't get docker image in kubernetes mode (#2521)
* docs(sbom): improve sbom attestation documentation (#2566)
* Thu Jul 21 2022 kastl@b1-systems.de
- Update to version 0.30.2:
* fix(report): show the summary without results (#2548)
* fix(cli): replace '-' to '_' for env vars (#2561)
* Wed Jul 20 2022 kastl@b1-systems.de
- Update to version 0.30.1:
* chore: remove a test repository (#2551)
* fix(license): lazy loading of classifiers (#2547)
* fix: CVE-2022-1996 in Trivy (#2499)
* docs(sbom): add sbom attestation (#2527)
* feat(rocky): set Rocky Linux 9 EOL (#2543)
* docs: add attributes to the video tag to autoplay demo videos (#2538)
* fix: yaml files with non-string chart name (#2534)
* fix: skip dirs (#2530)
* feat(repo): add support for branch, commit, & tag (#2494)
* fix: remove auto configure environment variables via viper (#2526)
* Sat Jul 16 2022 kastl@b1-systems.de
- Update to version 0.30.0:
* fix: separating multiple licenses from one line in dpkg copyright files (#2508)
* fix: change a capital letter for `plugin uninstall` subcommand (#2519)
* fix: k8s hide empty report when scanning resource (#2517)
* refactor: fix comments (#2516)
* fix: scan vendor dir (#2515)
* feat: Add support for license scanning (#2418)
* chore: add owners for secret scanning (#2485)
* fix: remove dependency-tree flag for image subcommand (#2492)
* fix(k8s): add shorthand for k8s namespace flag (#2495)
* docs: add information about using multiple servers to troubleshooting (#2498)
* ci: add pushing canary build images to registries (#2428)
* chore(deps): bump github.com/open-policy-agent/opa from 0.41.0 to 0.42.0 (#2479)
* feat(dotnet): add support for .Net core .deps.json files (#2487)
* feat(amazon): add support for 2022 version (#2429)
* Type correction bitnami chart (#2415)
* chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.1.1 to 2.1.2 (#2449)
* chore(deps): bump github.com/aquasecurity/table from 1.5.1 to 1.6.0 (#2446)
* docs: add config file and update CLI references (#2489)
* feat: add support for flag groups (#2488)
* refactor: move from urfave/cli to spf13/cobra (#2458)
* fix: Fix secrets output not containing file/lines (#2467)
* fix: clear output with modules (#2478)
* chore(deps): bump github.com/mailru/easyjson from 0.7.6 to 0.7.7 (#2448)
* docs(cbl): distroless 1.0 supported (#2473)
* fix: Fix example dockerfile rego policy (#2460)
* fix(config): add helm to list of config analyzers (#2457)
* feat: k8s resouces scan (#2395)
* feat(sbom): add cyclonedx sbom scan (#2203)
* chore(deps): bump wazero to latest main (#2436)
* chore(deps): bump github.com/stretchr/testify from 1.7.3 to 1.8.0 (#2444)
* chore(deps): bump github.com/alicebob/miniredis/v2 from 2.21.0 to 2.22.0 (#2445)
* chore(deps): bump sigstore/cosign-installer from 2.3.0 to 2.4.1 (#2442)
* chore(deps): bump actions/setup-python from 3 to 4 (#2441)
* chore(deps): bump github.com/Azure/azure-sdk-for-go (#2450)
* docs: remove links to removed content (#2431)
* ci: added rpm build for rhel 9 (#2437)
* fix(secret): remove space from asymmetric private key (#2434)
* chore(deps): bump actions/cache from 3.0.2 to 3.0.4 (#2440)
* chore(deps): bump helm/kind-action from 1.2.0 to 1.3.0 (#2439)
* chore(deps): bump golang from 1.18.2 to 1.18.3 (#2438)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.25 to 1.44.46 (#2447)
* test(integration): fix golden files for debian 9 (#2435)
* fix(cli): fix version string in docs link when secret scanning is enabled (#2422)
* refactor: move CycloneDX marshaling (#2420)
* docs(nodejs): add docs about pnpm support (#2423)
* docs: improve k8s usage documentation (#2425)
* feat: Make secrets scanning output consistant (#2410)
* ci: create canary build after main branch changes (#1638)
* fix(misconf): skip broken scans (#2396)
* feat(nodejs): add pnpm support (#2414)
* fix: Fix false positive for use of COS images (#2413)
* eliminate nerdctl dependency (#2412)
* Add EOL date for SUSE SLES 15.3, 15.4 and OpenSUSE 15.4 (#2403)
* fix(go): no cast to lowercase go package names (#2401)
* BREAKING(sbom): change 'trivy sbom' to scan SBOM (#2408)
* fix(server): hot update the db from custom repository (#2406)
* feat: added license parser for dpkg (#2381)
* chore(helm): bump appVersion to latest release (#2397)
* fix(misconf): Update defsec (v0.68.5) to fix docker rego duplicate key (#2400)
* feat: extract stripe publishable and secret keys (#2392)
* feat: rbac support k8s sub-command (#2339)
* feat(ruby): drop platform strings from dependency versions bundled with bundler v2 (#2390)
* docs: Updating README with new CLI command (#2359)
* fix(misconf): Update defsec to v0.68.4 to resolve CF detection bug (#2383)
* chore: add integration label and merge security label (#2316)
* Fri Jul 08 2022 dmueller@suse.com
- Update to version 0.29.2:
* chore: skip Visual Studio Code project folder (#2379)
* fix(helm): handle charts with templated names (#2374)
* docs: redirect operator docs to trivy-operator repo (#2372)
* fix(secret): use secret result when determining Failed status (#2370)
* try removing libdb-dev
* run integration tests in fanal
* use same testing images in fanal
* feat(helm): add support for trivy dbRepository (#2345)
* fix: Fix failing test due to deref lint issue
* test: Fix broken test
* fix: Fix makefile when no previous named ref is visible in a shallow clone
* chore: Fix linting issues in fanal
* refactor: Fix fanal import paths and remove dotfiles
* chore: bump defsec version v0.68.1
* Wed Jun 22 2022 kastl@b1-systems.de
- Update to version 0.29.1:
* fix(report): add required fields to the SARIF template (#2341)
* chore: fix spelling errors (#2352)
* Omit Remediation if PrimaryURL is empty (#2006)
* docs(repo): Link to installation documentation in readme shows 404 (#2348)
* feat(alma): support for scanning of modular packages for AlmaLinux (#2347)
* Wed Jun 22 2022 kastl@b1-systems.de
- Update to version 0.29.0:
* fix(lang): fix dependency graph in client server mode (#2336)
* feat: allow expiration date for .trivyignore entries (#2332)
* feat(lang): add dependency origin graph (#1970)
* docs: update nix installation info (#2331)
* feat: add rbac scanning support (#2328)
* refactor: move WordPress module to another repository (#2329)
* ci: add support for ppc64le (#2281)
* feat: add support for WASM modules (#2195)
* feat(secret): show recommendation for slow scanning (#2051)
* fix(flag): remove --clear-cache flag client mode (#2301)
* fix(java): added check for looping for variable evaluation in pom file (#2322)
* BREAKING(k8s): change CLI API (#2186)
* feat(alpine): add Alpine Linux 3.16 (#2319)
* docs: bump trivy-operator to v0.0.7 (#2320)
* ci: add `go mod tidy` check (#2314)
* chore: run `go mod tidy` (#2313)
* fix: do not exit if one resource is not found (#2311)
* feat(cli): use stderr for all log messages (resolve #381) (#2289)
* test: replace deprecated subcommand client in integration tests (#2308)
* feat: add support for containerd (#2305)
* fix(kubernetes): Support floats in manifest yaml (#2297)
* docs(kubernetes): dead links (#2307)
* chore: add license label (#2304)
* feat(mariner): added support for CBL-Mariner Distroless v2.0 (#2293)
* feat(helm): add pod annotations (#2272)
* refactor: do not import defsec in fanal types package (#2292)
* feat(report): Add misconfiguration support to ASFF report template (#2285)
* test: use images in GHCR (#2275)
* feat(helm): support pod annotations (#2265)
* feat(misconf): Helm chart scanning (#2269)
* docs: Update custom rego policy docs to reflect latest defsec/fanal changes (#2267)
* fix: mask redis credentials when logging (#2264)
* refactor: extract commands Runner interface (#2147)
* chore(deps): bump alpine from 3.15.4 to 3.16.0 (#2234)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.2 to 0.6.0 (#2245)
* docs: update operator release (#2263)
* chore(deps): bump github.com/urfave/cli/v2 from 2.6.0 to 2.8.1 (#2243)
* feat(redhat): added architecture check (#2172)
* docs: updating links in the docs to work again (#2256)
* docs: fix readme (#2251)
* fix: fixed incorrect CycloneDX output format (#2255)
* chore(deps): bump github.com/caarlos0/env/v6 from 6.9.1 to 6.9.3 (#2241)
* chore(deps): bump github.com/samber/lo from 1.19.0 to 1.21.0 (#2242)
* chore(deps): bump goreleaser/goreleaser-action from 2 to 3 (#2240)
* chore(deps): bump docker/setup-buildx-action from 1 to 2 (#2238)
* chore(deps): bump docker/setup-qemu-action from 1 to 2 (#2236)
* chore(deps): bump golang from 1.18.1 to 1.18.2 (#2235)
* chore(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#2237)
* chore(deps): bump docker/login-action from 1 to 2 (#2239)
* chore(deps): bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.1 (#2246)
* refactor(deps): move dependencies to package (#2189)
* fix(report): change github format version to required (#2229)
* docs: update readme (#2110)
* docs: added information about choosing advisory database (#2212)
* chore: update trivy-kubernetes (#2224)
* docs: clarifying parts of the k8s docs and updating links (#2222)
* fix(k8s): timeout error logging (#2179)
* chore(deps): updated fanal after fix AsymmetricPrivateKeys (#2214)
* feat(k8s): add --context flag (#2171)
* fix(k8s): properly instantiate TableWriter (#2175)
* test: fixed integration tests after updating testcontainers to v0.13.0 (#2208)
* chore: update labels (#2197)
* fix(report): fixed panic if all misconf reports were removed in filter (#2188)
* feat(k8s): scan secrets (#2178)
* feat(report): GitHub Dependency Snapshots support (#1522)
* feat(db): added insecure skip tls verify to download trivy db (#2140)
* fix(redhat): always use vulns with fixed version if there is one (#2165)
* chore(redhat): Add support for Red Hat UBI 9. (#2183)
* fix(k8s): update trivy-kubernetes (#2163)
* fix misconfig start line for code quality tpl (#2181)
* fix: update docker/distribution from 2.8.0 to 2.8.1 (#2176)
* docs(vuln): Include GitLab 15.0 integration (#2153)
* docs: fix the operator version (#2167)
* fix(k8s): summary report when when only vulns exit (#2146)
* chore(deps): Update fanal to get defsec v0.58.2 (fixes false positives in ksv038) (#2156)
* perf(misconf): Improve performance when scanning very large files (#2152)
* docs(misconf): Update examples and docs to refer to builtin/defsec instead of appshield (#2150)
* chore(deps): Update fanal (for less verbose code in misconf results) (#2151)
* docs: fixed installation instruction for rhel/centos (#2143)
Version: 0.28.0-bp154.2.3.1
* Mon May 23 2022 dmueller@suse.com
- Update to version 0.28.0 (bsc#1199760, CVE-2022-28946):
* fix: remove Highlighted from json output (#2131)
* fix: remove trivy-kubernetes replace (#2132)
* docs: Add Operator docs under Kubernetes section (#2111)
* fix(k8s): security-checks panic (#2127)
* ci: added k8s scope (#2130)
* docs: Update misconfig output in examples (#2128)
* fix(misconf): Fix coloured output in Goland terminal (#2126)
* docs(secret): Fix default value of --security-checks in docs (#2107)
* refactor(report): move colorize function from trivy-db (#2122)
* feat: k8s resource scanning (#2118)
* chore: add CODEOWNERS (#2121)
* feat(image): add `--server` option for remote scans (#1871)
* refactor: k8s (#2116)
* refactor: export useful APIs (#2108)
* docs: fix k8s doc (#2114)
* feat(kubernetes): Add report flag for summary (#2112)
* fix: Remove problematic advanced rego policies (#2113)
* feat(misconf): Add special output format for misconfigurations (#2100)
* feat: add k8s subcommand (#2065)
* chore: fix make lint version (#2102)
* fix(java): handle relative pom modules (#2101)
* fix(misconf): Add missing links for non-rego misconfig results (#2094)
* feat(misconf): Added fs.FS based scanning via latest defsec (#2084)
* chore(deps): bump trivy-issue-action to v0.0.4 (#2091)
* chore(deps): bump github.com/twitchtv/twirp (#2077)
* chore(deps): bump github.com/urfave/cli/v2 from 2.4.0 to 2.5.1 (#2074)
* chore(os): updated fanal version and alpine distroless test (#2086)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.1 to 0.5.2 (#2075)
* chore(deps): bump github.com/samber/lo from 1.16.0 to 1.19.0 (#2076)
* feat(report): add support for SPDX (#2059)
* chore(deps): bump actions/setup-go from 2 to 3 (#2073)
* chore(deps): bump actions/cache from 3.0.1 to 3.0.2 (#2071)
* chore(deps): bump golang from 1.18.0 to 1.18.1 (#2069)
* chore(deps): bump actions/stale from 4 to 5 (#2070)
* chore(deps): bump sigstore/cosign-installer from 2.0.0 to 2.3.0 (#2072)
* chore(deps): bump github.com/open-policy-agent/opa from 0.39.0 to 0.40.0 (#2079)
* chore: app version 0.27.0 (#2046)
* fix(misconf): added to skip conf files if their scanning is not enabled (#2066)
* docs(secret) fix rule path in docs (#2061)
* docs: change from go.sum to go.mod (#2056)
* Wed Apr 27 2022 kastl@b1-systems.de
- Update to version 0.27.1:
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.0 to 0.5.1 (#1926)
* refactor(fs): scanner options (#2050)
* feat(secret): truncate long line (#2052)
* docs: fix a broken bullets (#2042)
* feat(ubuntu): add 22.04 approx eol date (#2044)
* docs: update installation.md (#2027)
* docs: add Containerfile (#2032)
* Tue Apr 26 2022 kastl@b1-systems.de
- Update to version 0.27.0:
* fix(go): fixed panic to scan gomod without version (#2038)
* docs(mariner): confirm it works with Mariner 2.0 VM (#2036)
* feat(secret): support enable rules (#2035)
* chore: app version 26.0 (#2030)
* docs(secret): add a demo movie (#2031)
* feat: support cache TTL in Redis (#2021)
* fix(go): skip system installed binaries (#2028)
* fix(go): check if go.sum is nil (#2029)
* feat: add secret scanning (#1901)
* chore: gh publish only with push the tag release (#2025)
* fix(fs): ignore permission errors (#2022)
* test(mod): using correct module inside test go.mod (#2020)
* feat(server): re-add proxy support for client/server communications (#1995)
* fix(report): truncate a description before escaping in ASFF template (#2004)
* fix(cloudformation): correct margin removal for empty lines (#2002)
* fix(template): correct check of old sarif template files (#2003)
* Sat Apr 16 2022 kastl@b1-systems.de
- Update to version 0.26.0:
* feat(alpine): warn mixing versions (#2000)
* Update ASFF template (#1914)
* chore(deps): replace `containerd/containerd` version to fix CVE-2022-23648 (#1994)
* chore(deps): bump alpine from 3.15.3 to 3.15.4 (#1993)
* test(go): add integration tests for gomod (#1989)
* fix(python): fixed panic when scan .egg archive (#1992)
* fix(go): set correct go modules type (#1990)
* feat(alpine): support apk repositories (#1987)
* docs: add CBL-Mariner (#1982)
* docs(go): fix version (#1986)
* feat(go): support go.mod in Go 1.17+ (#1985)
* ci: fix URLs in the PR template (#1972)
* ci: add semantic pull requests check (#1968)
* docs(issue): added docs for wrong detection issues (#1961)
* Thu Apr 14 2022 kastl@b1-systems.de
- Update to version 0.25.4:
* docs: move CONTRIBUTING.md to docs (#1971)
* refactor(table): use file name instead package path (#1966)
* fix(sbom): add --db-repository (#1964)
* feat(table): add PkgPath in table result (#1960)
* fix(pom): merge multiple pom imports in a good manner (#1959)
* Wed Apr 06 2022 kastl@b1-systems.de
- Update to version 0.25.3:
* fix(downloadDB): add dbRepositoryFlag to repository and rootfs commands (#1956)
* fix(misconf): update BurntSushi/toml for fix runtime error (#1948)
* fix(misconf): Update fanal/defsec to resolve missing metadata issues (#1947)
* feat(jar): allow setting Maven Central URL using environment variable (#1939)
* chore(chart): update Trivy version in HelmChart to 0.25.0 (#1931)
* chore(chart): remove version comments (#1933)
* Wed Apr 06 2022 kastl@b1-systems.de
- Update to version 0.25.2:
* fix(downloadDB): add flag to server command (#1942)
* Tue Apr 05 2022 kastl@b1-systems.de
- Update to version 0.25.1:
* fix(misconf): update defsec to resolve panics (#1935)
* chore(deps): bump github.com/docker/docker (#1924)
* docs: restructure the documentation (#1887)
* chore(deps): bump github.com/urfave/cli/v2 from 2.3.0 to 2.4.0 (#1923)
* chore(deps): bump actions/cache from 2 to 3.0.1 (#1920)
* chore(deps): bump actions/checkout from 2 to 3 (#1916)
* chore(deps): bump github.com/open-policy-agent/opa from 0.37.2 to 0.39.0 (#1921)
* chore(deps): bump sigstore/cosign-installer from 2.0.0 to 2.1.0 (#1919)
* chore(deps): bump helm/chart-testing-action from 2.2.0 to 2.2.1 (#1918)
* chore(deps): bump golang from 1.17 to 1.18.0 (#1915)
* Add trivy horizontal logo (#1932)
* chore(deps): bump alpine from 3.15.0 to 3.15.3 (#1917)
* chore(deps): bump github.com/go-redis/redis/v8 from 8.11.4 to 8.11.5 (#1925)
* chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (#1927)
* feat(db): Add dbRepository flag to get advisory database from OCI registry (#1873)
* Fri Apr 01 2022 Johannes Kastl <kastl@b1-systems.de>
- Buildrequire go1.18 as upstream says in go.mod
* Fri Apr 01 2022 kastl@b1-systems.de
- Update to version 0.25.0:
* docs(filter vulnerabilities): fix link (#1880)
* feat(template) Add misconfigurations to gitlab codequality report (#1756)
* fix(rpc): add PkgPath field to client / server mode (#1643)
* fix(vulnerabilities): fixed trivy-db vulns (#1883)
* feat(cache): remove temporary cache after filesystem scanning (#1868)
* feat(sbom): add a dedicated sbom command (#1799)
* feat(cyclonedx): add vulnerabilities (#1832)
* fix(option): hide false warning about remote options (#1865)
* chore: bump up Go to 1.18 (#1862)
* feat(filesystem): scan in client/server mode (#1829)
* refactor(template): remove unused test (#1861)
* fix(cli): json format for trivy version (#1854)
* docs: change URL for tfsec-checks (#1857)
Version: 0.24.4-bp153.5.1
* Tue Mar 22 2022 Dirk Müller <dmueller@suse.com>
- tie to go.17 as 1.18 became available
* Fri Mar 18 2022 kastl@b1-systems.de
- Update to version 0.24.4:
* fix(docker): Getting images without a tag (#1852)
* docs(gitlab-ci): Use environment variables TRIVY_CACHE_DIR and TRIVY_NO_PROGRESS (#1801)
* Thu Mar 17 2022 Johannes Kastl <kastl@b1-systems.de>
- BuildRequire go1.17
* Wed Mar 16 2022 kastl@b1-systems.de
- Update to version 0.24.3:
* chore(issue labels): added new labels (#1839)
* refactor: clarify db update warning messages (#1808)
* chore(ci): change trivy vulnerability scan for every day (#1838)
* feat(helm): make Trivy service name configurable (#1825)
* chore(deps): updated sprig to version v3.2.2. (#1814)
* chore(deps): updated testcontainers-go to version v0.12.0 (#1822)
* docs: add packages.config for .NET (#1823)
* build: sign container image (#1668)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.4.0 to 0.5.0 (#1778)
* docs: fix Installation documentation (#1804)
* fix(report): ensure json report got a final new line (#1797)
* fix(terraform): resolve panics in defsec (#1811)
* feat(docker): Label images based on OCI image spec (#1793)
* fix(helm): indentation for ServiceAccount annotations (#1795)
* fix(hcl): fix panic in hcl2json (#1791)
* chore(helm): remove psp from helm manifest (#1315)
* build: Replace `make protoc` with `for loop` to return an error (#1655)
* fix: ASFF template to match ASFF schema (#1685)
* feat(helm): Add support for server token (#1734)
* Thu Mar 03 2022 kastl@b1-systems.de
- Update to version 0.24.2:
* fix(pom): keep an order of dependencies (#1784)
* chore: bump up Go to 1.17 (#1781)
* chore(deps): bump actions/setup-python from 2 to 3 (#1776)
* chore(deps): bump golangci/golangci-lint-action from 2 to 3.1.0 (#1777)
* Sun Feb 27 2022 kastl@b1-systems.de
- Update to version 0.24.1:
* fix(python): correct handling pip package names with a hyphen (#1771)
* doc(docker): fix command to run trivy with docker on linux (#1761)
* feat(helm): Add support for custom labels (#1767)
* chore(helm): bump chart to trivy 0.24.0 (#1762)
* docs: remove erroneous command (#1763)
* Wed Feb 23 2022 kastl@b1-systems.de
- Update to version 0.24.0:
* chore(deps): bump github.com/spf13/afero from 1.6.0 to 1.8.1 (#1708)
* fix(option): warn list-all-pkgs only with the table format (#1755)
* feat(option): warn "--list-all-pkgs" with "--format table" (#1632)
* feat(report): add support for CycloneDX (#1081)
* chore(deps): update the defsec and tfsec versions (#1747)
* fix(scanner): fix skip of language-specific files when scanning rootf? (#1751)
* chore(deps): bump github.com/google/wire from 0.4.0 to 0.5.0 (#1712)
* feat(report): considering App.Writer when printing results (#1722)
* chore(deps): replace `satori` version and skipping examples folder (#1745)
* build: add s390x container images (#1726)
* feat(template) Add misconfigurations to junit report (#1724)
* chore(deps): bump github.com/twitchtv/twirp (#1709)
* feat(client): configure TLS InsecureSkipVerify for server connection (#1287)
* fix(rpc): Supports RPC calls for new identifier CustomResource (#1605)
* chore(deps): bump go.uber.org/zap from 1.20.0 to 1.21.0 (#1705)
* chore(deps): bump github.com/caarlos0/env/v6 from 6.0.0 to 6.9.1 (#1707)
* feat(helm): Parameterise ServiceAccount annotations (#1677)
* chore(deps): bump github.com/hashicorp/go-getter from 1.5.2 to 1.5.11 (#1710)
* chore(deps): bump github.com/cheggaaa/pb/v3 from 3.0.3 to 3.0.8 (#1704)
* chore(deps): bump github.com/open-policy-agent/opa from 0.36.1 to 0.37.2 (#1711)
* chore(dependabot): enable gomod monthly (#1699)
* fix(gitlab tpl): escape double quote (#1635)
* build: Make `make protoc` be consistent (#1682)
* feat(purl): add generate purl package utilities (#1574)
* refactor: move result structs under types (#1696)
* feat(mariner): add support for CBL-Mariner 2.0 (#1694)
* docs(gitlab-ci): fix Script in GitLab CI Example #1688
* chore: Upgrade helm chart version (#1683)
* chore(mod): update Go dependencies (#1681)
* docs: fix typos in markdown docs (#1674)
* docs: update documentation for image scanning of tar files to use a tag present on Docker Hub (#1671)
* fix(repo): --no-progress suppresses git output (#1669)
* Tue Feb 01 2022 kastl@b1-systems.de
- Update to version 0.23.0:
* docs: add ACR navigator (#1651)
* fix: update example Rego files and docs (#1628)
* feat(option): show a link to GitHub Discussions for --light deprecation (#1650)
* fix(sarif): fix the warning message (#1647)
* refactor: migrate to prefixed buckets (#1644)
* feat(mariner): add support for CBL-Mariner (#1640)
* docs: commercial use available (#1641)
* feat: support azure acr (#1611)
* feat(os-pkg): add data sources (#1636)
* feat(redhat): support build info in RHEL (#807)
* fix: change links in pull_request_template to static URLs (#1634)
* feat(lang-pkg): add data sources (#1625)
* feat(detector): support custom detector (#1615)
* docs(contribution): change role who should resolve comments (#1618)
* docs: add PR template (#1602)
* feat(rocky): support Rocky Linux (#1570)
* Add the ability to set dockerhub credentials in the helm chart (#1569)
* feat(cache): redis TLS support (#1297)
* feat(java): add support for PAR files (#1599)
* refactor(rust): move rust-advisory-db to OSV (#1591)
* feat: log ignored vulnerabilities on debug (#1378)
* chore(mod): hcl2json deps update (#1585)
* fix(rpm): do not ignore installed files via third-party rpm (#1594)
* feat(fs): allow scanning a single file (#1578)
* refactor(python): drop Safety DB (#1580)
* feat: added insecure tls skip to scan git repo (#1528)
* Supress git clone output (#1590)
* fix(alma): skip modular package because MODULARITYLABEL is not set (#1588)
* feat(photon os): added EOL dates check (#1587)
* docs: update supported os (#1586)
* BREAKING: remove root command (#1579)
* docs: add Rust to Language-specific Packages Table (#1577)
* docs: update int doc for gitlab ci (#1575)
* BREAKING: migrate the sarif template to Go code (#1437)
* refactor: remove unused field (#1567)
* chore(deps): bump helm/chart-testing-action from 2.1.0 to 2.2.0 (#1554)
* docs: gitlab integration (#1381)
* feat(alma): support AlmaLinux (#1238)
* docs: added note about default template path when Trivy installed using rpm (#1551)
* BREAKING: Trivy DB from GHCR (#1539)
* feat(cli): Do not set default commands when a plugin is being run (#1549)
* fix: add fingerprint field to codequality template (#1541)
* fix(image): correct handling of uncompressed layers (#1544)
* chore: helm chart app version 0.22.0 (#1535)
* test(integration): use fixtures (#1532)
Version: 0.22.0-bp153.2.1
* Tue Dec 28 2021 dmueller@suse.com
- Update to version 0.22.0 (jsc#SLE-18339):
* fix(java/pom): ignore unsupported requirements (#1514)
* feat(cli): warning for root command (#1516)
* BREAKING: disable JAR detection in fs/repo scanning (#1512)
* feat(scan): support --offline-scan option (#1511)
* fix: improve memory usage (#1509)
* feat(java): support pom.xml (#1501)
* docs: fixing rust link to security advisory (#1504)
* Add missing IacMetdata (#1505)
* feat(jar): add file path (#1498)
* feat(rpm): support NDB (#1497)
* feat: added misconfiguration field for html.tpl (#1444)
* Tue Dec 21 2021 dmueller@suse.com
- Update to version 0.21.3:
* fix(docs): typo (#1488)
* feat(plugin): Add option to update plugin (#1462)
* fix: fixed skipFiles/skipDirs flags for relative path (#1482)
* feat (plugin): add list and info command for plugin (#1452)
* fix: set up a vulnerability severity (#1458)
* chore: add arm64 deb package (#1480)
* Link to trivy tutorial on Semaphore (#1449)
* refactor(helm): externalize env vars to configMap (#1345)
* docs: provide more information on scanning Google's GCR (#1426)
* docs(misconfiguration): added instruction for misconfiguration detection (#1428)
* Update git-repository.md (#1430)
* fix(hooks): exclude unrelated lib types from system files filtering (#1431)
* chore: run `go fmt` (#1429)
* fix(sarif): change `help` field in the sarif template. (#1423)
* Update fanal with cfsec version update (#1425)
* Replace deprecated option in goreleaser (#1406)
* feat(alpine): support 3.15 (#1422)
* chore: test the helm chart in the PR and used the commit hash (#1414)
* chore(deps): bump alpine from 3.14 to 3.15.0 (#1417)
* chore(release): add ubuntu older versions to deploy script (#1416)
* Sun Dec 05 2021 dmueller@suse.com
- Update to version 0.21.1:
* chore(mod): tidy (#1415)
* fix(rpc): fix nil layer transmit (#1410)
* Lang advisory order (#1409)
* chore: add support for s390x arch (#1304)
* fix(chart): ingress helm manifest-update trivy image (#1323)
* docs: Add comparison for cfsec (#1388)
* remove: delete unused functions in utils package (#1379)
* fix(sarif): fix validation errors (#1376)
* docs: add Bitbucket Pipelines (#1374)
* docs: add community integrations (#1361)
* Use a stable SARIF identifier (#1230)
* fix(python): fix parsing of requirements.txt with hash checking mode available in pip since version 8.0
* feat(iac): Add line information (#1366)
* feat(cloudformation): Adding support for cfsec IaC scanning (#1360)
* chore: send debug and info logs to stdout in install.sh, not stderr. (#1264)
* Update containerd to v1.5.7 and docker-cli to v20.10.9 (#1356)
* chore: update SBOM generation (#1349)
* Wed Nov 10 2021 dmueller@suse.com
- Update to version 0.20.2:
* docs: update builtin.md (#1335)
* chore: fix issues with Homebrew formula (#1329)
* chore: bump GoReleaser to v0.183.0 (#1328)
* docs: update iac.md for a typo (#1326)
* docs: typo fix (#1308)
* Add new networking API features to Ingress (#1262)
* chore(release): bump up GoReleaser to v0.182.1 (#1299)
* fix(yarn): support quoted version (#1298)
* feat(custom-forward): Forward the extended advisory data (#1247)
* feat(javascript) : Initialize npm driver for javascript packages (#1289)
* fix(cli): fix incorrect comparision of DB metadata type. (#1286)
* docs: add footer to readme (#1281)
* feat(report): add package path (#1274)
* feat(command): add rootfs command (#1271)
* fix: update fanal (#1272)
* feat(commands): remove deprecated options (#1270)
* Aggregate jar result for table (#1269)
* BREAKING(report): migrate to new json schema (#1265)
* feat: improve --skip-dirs and --skip-files (#1249)
* fix(gobinary): skip large files (#1259)
* Disable library analyzer for OS only scan type (#1191)
* chore: update trivy version (#1252)
* refactor: move from io/ioutil to io and os package (#1245)
* fix: brew test command (#1253)
* fix:added layer info in packages (#1248)
* fix(go/binary): improve debug messages (#1244)
* Update db.go (#1199)
* fix(deps): fix CVE-2021-32760 for github.com/containerd/containerd (#1243)
* feat(debian): support the versions that reached EOL (#1237)
* feat(alpine): support unfixed vulnerabilities (#1235)
* feat(report): add image config (#1231)
* feat(nodejs): support package.json (#1225)
* refactor: use testing DB instead of mock (#1234)
* feat(ruby): support gemspec (#1224)
* feat(python): add packaging detector and respective hook (#1223)
* feat(license): Added support to new License field of go-dep-parser's library (#1167)
* fix(oracle): handle advisories contain ksplice versions (#1209)
* fix(docs): remove OSVDB advisories (#1215)
* docs: fix typos in CONTRIBUTING.md (#1181)
* Update EOL of Debian 11 (#1180)
* fix(plugin): resolve a closure (#1207)
* docs: fix typo (#1206)
* fix(detector): change an argument for trivy-db getter (#1203)
* chore(mod): update fanal (#1179)
* Add license info to package data (#1176)
* feat(nuget): support packages.config (#1095)
* feat(python): add support for requirements.txt (#1169)
* GitLab CI integration documentation (#1168)
* chore(gorelease) change goreleaser config to include template examples (#1138)
* chore(deps): bump dmnemec/copy_file_to_another_repo_action (#1153)
* chore(deps): bump actions/stale from 3 to 4 (#1152)
* feat(report): add end of service life flag to OS metadata (#1142)
* chore: set up Dependabot for github-actions and docker (#1128)
* docs: fix typo (#1149)
* docs: add some external links (#1147)
* chore (release): add ubuntu esm versions to deploy script (#1151)
* docs(troubleshooting) add urls which are required to download vuls db (#1137)
* Updated the Alpine Image to 3.14 (latest) (#1130)
* Added EOL for Ubuntu 21.10 (#1131)
* fix(image): disabled scanning of config files within container images (#1133)
* docs: fixed typo (#1124)
* update cyclonedx github action to v0.3.0 (#1127)
* fix(policy): fix panic on the first run (#1116)
* docs(misconf): add comparison with Conftest and tfsec (#1111)
* feat(report): add schema version (#1110)
* fix(scan): change unknown os from info to debug (#1109)
* docs: add misconfiguration (#1101)
* fix(config): rename include-successes with include-non-failures (#1107)
* feat(config): support --trace (#1106)
* fix(policy): reduce the Internet access (#1105)
* chore: bump golangci-lint to v1.41.1 (#1104)
* feat: support config scanning (#931)
* feat(report): add artifact metadata (#1079)
* Generate SBOM (#1076)
* fix(db): multiple prefixed data sources (#1070)
* Add EOL date for Alpine 3.14 (#1072)
* suse: mark sle 15.3 as maintained, add opensuse 15.3 (#1059)
* docs: improve data sources (#1069)
* chore(label): add kind/security-advisory (#1068)
* fix(asff): replace slice with substr (#1058)
* fix(helm-chart): parametrized ingress host path (#1049)
* feat: support Google Artifact Repository (#1055)
* Update ASFF template to use label for severity (#1047)
* BREAKING: migrate to a new JSON schema (#782)
* docs: Fix link to AWS Security Hub template (#1046)
* refactor(server): support gzip (#1045)
* chore(rpc): update protoc and twirp (#1044)
* Added support for list all packages flag in client (#1032)
* chore: chart with 0.18.3 (#1033)
* feat: add gitlab codequality template (#895)
* feat(plugin): add aqua plugin (#1029)
* fix(go): if patchedVersion is empty mark it as vulnerable (#1030)
* docs(ubuntu): fix supported versions (#1028)
* Support Ubuntu 21.04 (#1027)
* chore: remove codecov (#1016)
* fix typo on github-actions.md (#1022)
- drop 0001-suse-mark-sle-15.3-as-maintained-add-opensuse-15.3.patch (upstream)
* Thu Jun 10 2021 Dirk Müller <dmueller@suse.com>
- add 0001-suse-mark-sle-15.3-as-maintained-add-opensuse-15.3.patch
* Thu Jun 10 2021 Dirk Müller <dmueller@suse.com>
- strip binaries
* Mon Jun 07 2021 dmueller@suse.com
- Update to version 0.18.3:
* chore(ci): change to more granular tokens (#1014)
* chore(ci): add Go scanning and update dependencies (#1001)
* docs: Add HIGH severity to Trivy command in GitLab CI example to match comment (#1013)
* fix(image): disable go.sum scanning (#1007)
* fix(gomod): handle go.sum with an empty line (#1006)
* feat: prepare for config scanning (#1005)
* Clarify that dev dependencies are excluded (#986)
* Include target value in Sarif template ruleID (#991)
* chore(mkdocs): allow workflow_dispatch (#989)
* fix(vuln) unique vulnerabilities from different data sources (#984)
* feat(go): added support of gomod analyzer (#978)
* Mon May 03 2021 dmueller@suse.com
- Update to version 0.17.2:
* Upgrade fanal dependency (#976)
* docs: mention upx binaries (#974)
* Upgrade alpine to fix git and libcurl vulnerabilities in trivy docker image scan (#971)
* fix(fs): skip dirs (#969)
* chore(ci): replace GITHUB_TOKEN with ORG_GITHUB_TOKEN (#965)
* chore(ci): clone trivy-repo after releasing binaries (#963)
* docs: add golang support (#962)
* fix(table): skip zero vulnerabilities on java (#961)
* chore(ci): create a release discussion (#959)
* feat(go): support binary scan (#948)
* feat(java): support GitLab Advisory Database (#917)
* feat: show help message when the context's deadline passes (#955)
* chore(mkdocs): replace github token (#954)
* Update SARIF report template (#935)
* Update install docs to make commands consistent (#933)
* Docker multi-platform image build with `buildx`, using Goreleaser (#915)
* Fix JUnit template for AWS CodeBuild compatibility (#904)
* break(cli): use StringSliceFlag for skip-dirs/files (#916)
* docs: add white logo (#914)
* add package name in ruleID (#913)
* feat: gh-action for stale issues (#908)
* chore(triage): add lifecycle/active label (#909)
* feat: publish helm repository (#888)
* Fix Documentation Typo (#901)
* docs: migrate README to MkDocs (#884)
* refactor(internal): export internal packages (#887)
* feat: support plugins (#878)
* chore(ci): deploy dev docs only for the main branch (#882)
* add MkDocs implementation (#870)
* docs(README): update ubuntu versions (#877)
* support Ubuntu 20.10 (#876)
* feat(cache): introduce versioned cache (#865)
* chore: bump up Go to 1.16 (#861)
* fix: allow the latest tag (#864)
* feat: disable analyzers (#846)
* chore(ci): push the official image to public ECR (#855)
* chore(ci): migrate CircleCI to GitHub Actions (#850)
* adds example with multistage build (#853)
* remove SARIF helpUri if empty (#841) (#845)
* Add Sprig to Template Engine (#832)
* Fix "GitLab CI using Trivy container" usage example (fixes #843) (#844)
* feat(java): support jar/war/ear (#837)
* fix(app): increase the default value of timeout (#842)
* Update README.md (#838)
* Fix compatibility for Jenkins xunit plugin (#820)
* README: add Gitlab job that uses a container with trivy (#823)
* feat: support Podman (#825)
* fix(eol): update EOL dates (#824)
* fix(python): follow PEP 440 (#816)
* Support alpine 3.13 (#819)
* Changed the output string to "Using your github token". (#814)
* Align comment with code (#812)
* Parse redis backend url (#804)
* Update README.md (#810)
* Added nodeSelector, affinity and tolerations to helm chart (#803)
* Fix readme typo in policy flag (#805)
* Fix errors in SARIF format (#801)
* Fix env variable for github token (#796)
* fix(vulnerability): set unknown severity for empty values (#793)
* Remove global flags from filesystem command (#772)
* Add imagePullSecrets to helm Chart (#789)
* Add redis cache backend configuration options (#784)
* Update README.md (#735)
* feat(redhat): support modular packages (#790)
* Fix formatting of log message (#785)
* chore(ci): migrate unit tests to GitHub Actions (#779)
* shifted: brews.github to brews.tap (#780)
* Fri Jan 08 2021 rbrown@suse.com
- Update to version 0.15.0:
* Feat: NuGet Scanner (#686)
* feat(cache): support Redis (#770)
* fix(redhat): skip module packages (#776)
* chore: migrate from master to main (#778)
* chore(circleci): remove gofmt (#777)
* chore(README): remove experimental (#775)
* NVD: Add timestamps. (#761)
* (fix): Make the table output less wide. (#763)
* Add gitHubToken to prevent rate limit problems (#769)
* Add helm chart to install trivy in server mode. (#751)
* chore(docs): add nix install (#762)
* HTML template (#567)
* feat: remove rpm dependency (#753)
* fix(vulnerability): make an empty severity UNKNOWN (#759)
* chore(README): add TRIVY_INSECURE (#760)
* feat(vulnerability): add primary URLs (#752)
* Thu Nov 26 2020 dmueller@suse.com
- Update to version 0.13.0:
* fix(oracle): handle ksplice advisories (#745)
* fix: version comparison (#740)
* updated Readme.md (#737)
* Add suse sles 15.2 to the EOL list as well (#734)
* Update README.md (#731)
* Warn when a user attempts to use trivy without a detectable lockfile (#729)
* Add back support for FreeBSD & OpenBSD (#728)
* Add support for ppc64le architecture (#724)
* Skip packages from unsupported repository (remi) (#695)
* Skip downloading DB if a remote DB is not updated (#717)
* Sunsetting VendorVectors (#718)
* Add GitHub Container Registry to README (#712)
* update BUG_REPORT.md using H2 instead of bold formatting (#714)
* fix(ci/deb): do not remove old packages for EOL versions (#706)
* Add linter check support (#679)
* Optimize images (#696)
* Update triage.md (#701)
- remove 0001-Add-suse-sles-15.2-to-the-EOL-list-as-well.patch (merged)
* Fri Oct 30 2020 Dirk Mueller <dmueller@suse.com>
- add 0001-Add-suse-sles-15.2-to-the-EOL-list-as-well.patch
* Wed Oct 28 2020 Dirk Mueller <dmueller@suse.com>
- revert _service and build changes in last update to use
the proper macros
- set VERSION parameter properly (jsc#CAPS-105)
- remove update-end-of-life-dates.patch
* Thu Oct 22 2020 Stefan Nica <snica@suse.com>
- Require golang >= 1.15 to fix EINTR read issues (jsc#CAPS-170)
* Thu Oct 22 2020 Dirk Mueller <dmueller@suse.com>
- add update-end-of-life-dates.patch
* Tue Oct 20 2020 msabate@suse.com
- Update to version 0.12.0:
* ci(circle): update remote docker version (#683)
* suse: update end of life dates for SLES service packs (#676)
* update readme for parallel run issue (#660)
* fix link for Clear images section in README (#659)
* add link to Gitlab CI pipeline in README (#658)
* test: add tests for mux (#645)
* chore: bump up Go to 1.15 (#646)
* Add contrib/ to the release chain for Docker (#638)
* Add health check endpoint to trivy server (#644)
* fix(cli): show help for subcommands (#629)
* Tue Sep 08 2020 jsuchome@suse.com
- Update to version 0.9.2:
* Fixing `Error retrieving template from path` when --format is not template but template is provided (#556)
* Adding contrib/junit.tpl to docker image (#554)
* db: Update trivy-db to include CVSS score info (#530)
* docs: fix markdown (#553)
* Added function to escape string in failure message title and descriptions (#551)
* Added JUNIT support (#541)
* chore(docs): mention air-gapped environment (#544)
* chore(README): add programming languages (#543)
* fix(log): write error messages to stderr (#538)
* Use StoreMetadata from trivy-db (#509)
* docs: add more CI options to README (#535)
* chore(Dockerfile): bump up alpine to 3.12 (#528)
* fix(alpine): replace go-deb-version with go-apk-version (#520)
* fix: MissingBlobs is implemented different in FS and S3 the method log? (#522)
* Wed Aug 19 2020 dmueller@suse.com
- Update to version 0.9.1:
* fix(alpine): support 3.12 (#517)
* chore(README): prepare for v0.9.0 (#507)
* fix(config): transpose arguments (#516)
* Tue Jul 28 2020 jsuchome@suse.com
- Update to version 0.9.0:
* fix(app): add ArgsUsage (#508)
* feat: support repository and filesystem scan (#503)
* Add GHSA support (#467)
* refactor: define common options and embed them into the option for subcommand (#502)
* Add image subcommand (#493)
* fix: remove help template (#500)
* vulnerability: Add CVSS Vectors to JSON output. (#484)
* feat: support registry token (#482)
* chore: bump up urfave/cli to v2 (#499)
* chore(doc): update README (#490)
* chore(ci): move integration tests to GitHub Actions (#485)
* feat: support OCI Image Format (#475)
* chore(github): fix issue templates (#483)
* contrib/gitlab.tpl: Add new id field (#468)
* chore(docs): add triage.md (#473)
* fix: handle a scratch/busybox/DockerSlim image gracefully (#476)
* rpc: Fix output to use templates when in client server mode. (#469)
* Override with Vendor score if exists (#433)
* docs: Update installation docs for pointing to Trivy Releases. (#463)
* Fri Jul 24 2020 jsuchome@suse.com
- enabled changesgenerate option to automatically generate changes
* Thu Jul 16 2020 jsuchome@suse.com
- initial release of 0.6.0 version, supported by Harbor 2.0