Prepare for v0.53.0

[chen-keinan]

Draft to collaborate on v0.53.0

📑 Table of Contents

💔 Breaking Changes 💔

🌵 Cache Management Flags Removed 🌵

As announced here, the following cache management flags will be removed:

• --reset
• --clear-cache
• --reset-checks-bundle

These flags will be replaced by the new trivy clean command.
See here for more details.

☁️Trivy AWS is now available via a plugin ☁

As announced before, Trivy's AWS scanning is now offered as a separate plugin. It is no longer shipped with Trivy by default, but can be easily installed as such:

trivy plugin install github.com/aquasecurity/trivy-aws

🫓 Trivy misconfiguration schema flattened 🚜

As announced before Trivy's internal cloud schema has been improved to remove potential recursions. This is relevant only for rule authors, and does not effect users.

Kuberetes compliance changes

Trivy now defines a naming convention for compliance reports in the form of: {platform}-{type}-{version}. Following are the renamed specs:

• k8s-cis -> k8s-cis-1.23
• k8s-nsa -> k8s-nsa-1.0
• k8s-pss-baseline -> k8s-pss-baseline-0.1
• k8s-pss-restricted -> k8s-pss-restricted-0.1
• docker-cis -> docker-cis-1.6.0

➗ Trivy now scans composer.lock files only in fs and repo modes. 🧩

We have added support for installed.json files.
So we separated the PHP files:

• composer.lock for fs and repo modes.
• installed.json for image and rootfs modes.

🚀 What's new? 🚀

🐍 Support for License Detection for environment.yml Files (Conda) 📜

Trivy now supports license detection for environment.yml files by parsing <package.json> files in prefix directory.

environment.yaml (license)

Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌───────────────┬──────────────┬────────────────┬──────────┐
│    Package    │   License    │ Classification │ Severity │
├───────────────┼──────────────┼────────────────┼──────────┤
│ _openmp_mutex │ BSD-3-Clause │ Notice         │ LOW      │
└───────────────┴──────────────┴────────────────┴──────────┘

Read more here.

🔎 Support for determining Dart dependency version from SDK constraint 🔍

For Dart dependencies that use SDK as version, Trivy now uses the first version of the SDK constraint.

For example in this case the version of flutter_test will be 3.3.0:

flutter_test:
    dependency: "direct dev"
    description: flutter
    source: sdk
    version: "0.0.0"
sdks:
  dart: ">=2.18.0 <3.0.0"
  flutter: "^3.3.0"

Read more here.

🗃️ Support for maven-metadata.xml for maven snapshot repositories 📥

Some maven snapshot repositories (e.g. oss.sonatype.org) use maven-metadata.xml with the latest pom file name.
Trivy now parses this file.
If the file doesn't exist or doesn't contain pom file name information - Trivy checks the <artifactId>-<version>.pom file (as for release repositories).

🎊 Support for installed.json PHP files ✨

Trivy now scans installed.json files (available in image and rootfs modes).

installed.json (composer-installed)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐
│     Library     │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                        │
├─────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ guzzlehttp/psr7 │ CVE-2022-24775 │ MEDIUM   │ fixed  │ 1.8.3             │ 1.8.4, 2.1.1  │ Improper Input Validation in guzzlehttp/psr7       │
│                 │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24775         │
│                 ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────┤
│                 │ CVE-2023-29197 │          │        │                   │ 1.9.1, 2.4.5  │ Improper header name validation in guzzlehttp/psr7 │
│                 │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-29197         │
└─────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘

Read more here.

🌀 Trivy migrated to CycloneDX v1.6 🌪️

Trivy now uses CycloneDX v1.6 for cyclonedx format.

🧠 Memory Cache Backend ⚡

Trivy introduces a memory cache backend, enhancing scan efficiency for repositories, filesystems, and SBOMs by reducing unnecessary disk I/O operations. By default, memory backend is used for these scan targets, so no changes are required. For container images and VM images, the filesystem cache remains in use, but you can specify --cache-backend memory if you don't need a cache for subsequent scans.

$ trivy image debian:11 --cache-backend memory

🧾 Compliance framework improvements ⎈

🥡 Node collector commands ⛏️

The "node-collector" component, that collects data from within nodes for evaluation by checks, is now more flexible and extensible. The Trivy compliance definision now has a new commands field that refers to scriptlets that collect data by the node-collector. The data is then available in rego checks for evaluation. This makes it easier for users to contribute and maintain specs.

For example, here's a snippet from the new CIS benchmark for Kubernetes:

spec:
  id: k8s-cis-1.23
  title: CIS Kubernetes Benchmarks v1.23
  description: CIS Kubernetes Benchmarks
  platform: k8s
  type: cis
  version: '1.23'
  relatedResources:
  - https://www.cisecurity.org/benchmark/kubernetes
  controls:
  - id: 1.1.1
    name: Ensure that the API server pod specification file permissions are set to
      600 or more restrictive
    description: Ensure that the API server pod specification file has permissions
      of 600 or more restrictive
    checks:
    - id: AVD-KCV-0073
    commands:
    - id: CMD-0001
    severity: HIGH

for more details check our docs on compliance contribution

🧾 New compliance specs ☑️

• eks-cis-1.4
• rke2-cis-1.24

We are working on adding more platforms. Please let us know if yould like to help!

🫔 Selector support for all providers 🍏

Trivy now supports selectors and subtypes for all cloud providers.

# METADATA
# title: "Test"
# scope: package
# schemas:
# - input: schema["cloud"]
# custom:
#   id: TEST001
#   avd_id: TEST001
#   severity: LOW
#   input:
#     selector:
#     - type: cloud
#       subtypes:
#         - service: compute
#           provider: google

Previously Trivy only supported AWS and Kubernetes.

🐳 New resources support in misconfiguration scanning 🎍

We have added the following resources as part of our misconfiguration scanning to enhance our scanning posture.

• AWS EC2 SecurityGroupIngress
• AWS EC2 SecurityGroupEgress
• AWS API Gateway

📦 Plugin GitHub Archives Support 🗂️

This update introduces support for nested archives in Trivy plugins. Users can now directly download and install plugins from GitHub repository archives, simplifying the installation process.

$ trivy plugin install https://github.com/aquasecurity/trivy-plugin-referrer/archive/refs/heads/main.zip

👷‍♂️ Notable Fixes 🛠️

• bug(misconf): False positive AWS-0102 #7006
• bug(terraform): inline ignore doesn't work in remote modules #6941
• bug(conan): Trivy doesn't parse the .conan2/p directory to detect the license for the v2 lock file. #6931
• bug(conan): file filters for conan lock no longer working #6946
• fix(cyclonedx): trim non-URL characters #6801
• bug(licenses): Trivy doesn't separate licenses by ,, or, etc. #6915
• fix(bitnami): use purl to detect bitnami pkg name #6981
• bug(java): use artifactId and groupId from purl in sbom mode #7007
• bug(bom): panic when scanning CycloneDX file without metadata.component into SBOM format #7050
• bug(bom): overwrite epoch if srcEpoch is 0 #6865
• fix(poetry): handle package names in a case-insensitive manner #6817
• bug(pnpm): infinity loop for markRootPkgs function #6848
• bug(npm): runtime: out of memory #6854