release: v0.56.2 [release/v0.56] (#7694)

Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>

.release-please-manifest.json

@@ -1 +1 @@
-{".":"0.56.0"}
+{".":"0.56.2"}

CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## [0.56.2](https://github.com/aquasecurity/trivy/compare/v0.56.1...v0.56.2) (2024-10-10)
+
+
+### Bug Fixes
+
+* **redhat:** include arch in PURL qualifiers [backport: release/v0.56] ([#7702](https://github.com/aquasecurity/trivy/issues/7702)) ([f6700ec](https://github.com/aquasecurity/trivy/commit/f6700ec10e819fb2fc0573782e87d2d31d2c50f1))
+* **sbom:** add options for DBs in private registries [backport: release/v0.56] ([#7691](https://github.com/aquasecurity/trivy/issues/7691)) ([25d2540](https://github.com/aquasecurity/trivy/commit/25d2540f12272603bf27eb67f4b3fba52b1ddab8))
+
+## [0.56.1](https://github.com/aquasecurity/trivy/compare/v0.56.0...v0.56.1) (2024-10-03)
+
+
+### Bug Fixes
+
+* **db:** fix javadb downloading error handling [backport: release/v0.56] ([#7646](https://github.com/aquasecurity/trivy/issues/7646)) ([5dbdadf](https://github.com/aquasecurity/trivy/commit/5dbdadfe4578288d5c3f2a5b625fff4a3580f8c5))
+
 ## [0.56.0](https://github.com/aquasecurity/trivy/compare/v0.55.0...v0.56.0) (2024-10-03)
 
 

docs/docs/references/configuration/cli/trivy_sbom.md

@@ -47,12 +47,14 @@ trivy sbom [flags] SBOM_PATH
       --offline-scan                 do not issue API requests to identify dependencies
   -o, --output string                output file name
       --output-plugin-arg string     [EXPERIMENTAL] output plugin arguments
+      --password strings             password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
       --pkg-relationships strings    list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
       --pkg-types strings            list of package types (os,library) (default [os,library])
       --redis-ca string              redis ca file location, if using redis as cache backend
       --redis-cert string            redis certificate file location, if using redis as cache backend
       --redis-key string             redis key file location, if using redis as cache backend
       --redis-tls                    enable redis TLS with public certificates, if using redis as cache backend
+      --registry-token string        registry token
       --rekor-url string             [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --sbom-sources strings         [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings             comma-separated list of what security issues to detect (vuln,license) (default [vuln])
@@ -67,6 +69,7 @@ trivy sbom [flags] SBOM_PATH
   -t, --template string              output template
       --token string                 for authentication in client/server mode
       --token-header string          specify a header name for token in client/server mode (default "Trivy-Token")
+      --username strings             username. Comma-separated usernames allowed.
       --vex strings                  [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```
 

pkg/commands/app.go

@@ -1143,7 +1143,8 @@ func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		CacheFlagGroup:         flag.NewCacheFlagGroup(),
 		DBFlagGroup:            flag.NewDBFlagGroup(),
 		PackageFlagGroup:       flag.NewPackageFlagGroup(),
-		RemoteFlagGroup:        flag.NewClientFlags(), // for client/server mode
+		RemoteFlagGroup:        flag.NewClientFlags(),       // for client/server mode
+		RegistryFlagGroup:      flag.NewRegistryFlagGroup(), // for DBs in private registries
 		ReportFlagGroup:        reportFlagGroup,
 		ScanFlagGroup:          scanFlagGroup,
 		VulnerabilityFlagGroup: flag.NewVulnerabilityFlagGroup(),

pkg/fanal/analyzer/pkg/rpm/archive.go

@@ -136,7 +136,14 @@ func (a *rpmArchiveAnalyzer) generatePURL(pkg *types.Package) *packageurl.Packag
 	case strings.Contains(vendor, "suse"):
 		ns = "suse"
 	}
-	return packageurl.NewPackageURL(packageurl.TypeRPM, ns, pkg.Name, utils.FormatVersion(*pkg), nil, "")
+	var qualifiers packageurl.Qualifiers
+	if pkg.Arch != "" {
+		qualifiers = append(qualifiers, packageurl.Qualifier{
+			Key:   "arch",
+			Value: pkg.Arch,
+		})
+	}
+	return packageurl.NewPackageURL(packageurl.TypeRPM, ns, pkg.Name, utils.FormatVersion(*pkg), qualifiers, "")
 }
 
 func (a *rpmArchiveAnalyzer) unexpectedError(err error) error {

pkg/fanal/analyzer/pkg/rpm/archive_test.go

@@ -52,6 +52,12 @@ func Test_rpmArchiveAnalyzer_Analyze(t *testing.T) {
 										Namespace: "redhat",
 										Name:      "socat",
 										Version:   "1.7.3.2-2.el7",
+										Qualifiers: packageurl.Qualifiers{
+											{
+												Key:   "arch",
+												Value: "x86_64",
+											},
+										},
 									},
 								},
 							},

pkg/javadb/client.go

@@ -104,10 +104,10 @@ func (u *Updater) downloadDB(ctx context.Context) error {
 		Quiet:     u.quiet,
 	}
 	if err := artifacts.Download(ctx, u.dbDir, downloadOpt); err != nil {
-		return xerrors.Errorf("failed to download vulnerability DB: %w", err)
+		return xerrors.Errorf("failed to download Java DB: %w", err)
 	}
 
-	return xerrors.New("failed to download Java DB from any source")
+	return nil
 }
 
 func Init(cacheDir string, javaDBRepositories []name.Reference, skip, quiet bool, registryOption ftypes.RegistryOptions) {