Prepare for v0.47.0

[knqyf263]

Draft to collaborate on v0.47.0 release announcement

🚀 What's new? 🚀

⎈ Kubernetes Control Plane and Node components vulnerability scanning 💀

Trivy now supports the Kubernetes control plane and node components (apiserver, controller-manager, kubelet, kube-proxy and etc) vulnerability scanning.

trivy k8s cluster --scanners vuln  --report all

220 / 220 [---------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 77 p/s

ControlPlaneComponents/k8s.io/apiserver (kubernetes)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌──────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability │ Severity │ Status │ Installed Version │          Fixed Version           │                           Title                           │
├──────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/apiserver │ CVE-2022-3162 │ MEDIUM   │ fixed  │ 1.21.1            │ 1.22.16, 1.23.14, 1.24.8, 1.25.4 │ Unauthorized read of Custom Resources                     │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2022-3162                 │
│                  ├───────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2727 │          │        │                   │ 1.24.15, 1.25.11, 1.26.6, 1.27.3 │ Bypassing policies imposed by the ImagePolicyWebhook      │
│                  │               │          │        │                   │                                  │ admission plugin                                          │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2727                 │
│                  ├───────────────┤          │        │                   │                                  ├───────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2728 │          │        │                   │                                  │ Bypassing enforce mountable secrets policy imposed by the │
│                  │               │          │        │                   │                                  │ ServiceAccount admission plugin...                        │
│                  │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2728                 │
└──────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────────────┘

🃏 Adding --ignore-policy support for Misconfiguration scanning 🖍️

Misconfiguration scanning now correctly supports passing in an ignore-file via --ignore-policy flag. Furthermore, passing in an ignore-policy will now render the ignored results as Exceptions if they were found to be misconfigured.

Below is an example invocation:

$ trivy config --ignore-policy=./config-ignore-policy.rego <input>

main.yaml (cloudformation)
==========================
Tests: 12 (SUCCESSES: 3, FAILURES: 8, EXCEPTIONS: 1)
Failures: 8 (UNKNOWN: 0, LOW: 2, MEDIUM: 1, HIGH: 5, CRITICAL: 0)

🌳 Dependency graph support for pubspec.yaml (Dart) 🕸️

Trivy has introduced graph support for pubspec.yaml (Dart), enhancing its existing capabilities to identify the origin of the vulnerable packages. This feature allows users to view the reversed dependency origin tree for their Dart projects, providing a clearer understanding of the dependencies and their associated vulnerabilities.

Trivy looks into the cache dir to build the dependency relationship. Please make sure the cache directory contains all the dependencies required by your application. To download missing dependencies, use dart pub get command.

$ trivy fs --dependency-tree ./pubspec.lock   
...
2023-10-16T13:24:43.488+0600	INFO	Number of language-specific files: 1
2023-10-16T13:24:43.488+0600	INFO	Detecting pub vulnerabilities...

pubspec.lock (pub)
==================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ dio     │ CVE-2021-31402 │ HIGH     │ fixed  │ 4.0.6             │ 5.0.0         │ dio vulnerable to CRLF injection with HTTP method string │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-31402               │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

Dependency Origin Tree (Reversed)
=================================
pubspec.lock
└── [email protected], (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
    └── [email protected]

👷‍♂️ Notable Fixes 🛠️

• docs(cli): fix the description of the --tf-exclude-downloaded-modules flag #5416