docs: provide more information on scanning Google's GCR (#1426)

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>

.github/workflows/publish-chart.yaml

@@ -1,45 +1,82 @@
-name: Publish Chart Helm
+
+name: Publish Helm chart
+
 on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'helm/trivy/**'
   push:
     branches: [main]
     paths:
       - 'helm/trivy/**'
-  workflow_dispatch:
 env:
   HELM_REP: helm-charts
   GH_OWNER: aquasecurity
   CHART_DIR: helm/trivy
+  KIND_VERSION: "v0.11.1"
+  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
 jobs:
-  release:
+  test-chart:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
         with:
           fetch-depth: 0
       - name: Install Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab #v1.1
         with:
           version: v3.5.0
+      - name: Set up python
+        uses: actions/setup-python@0066b88440aa9562be742e2c60ee750fc57d8849 #v2.3.0
+        with:
+          python-version: 3.7
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@5f16c27cf7a4fa9c776ff73734df3909b2b65127 #v2.1.0
+      - name: Setup Kubernetes cluster (KIND)
+        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 #v1.2.0
+        with:
+          version: ${{ env.KIND_VERSION }}
+          image: ${{ env.KIND_IMAGE }}
+      - name: Run chart-testing
+        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
+      - name: Run chart-testing (Ingress enabled)
+        run: |
+          sed -i -e '97s,false,'true',g' ./helm/trivy/values.yaml
+          ct lint-and-install --validate-maintainers=false --charts helm/trivy
+
+  publish-chart:
+    if: github.event_name == 'push'
+    needs:
+      - test-chart
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+        with:
+          fetch-depth: 0
       - name: Install chart-releaser
         run: |
-          wget https://github.com/helm/chart-releaser/releases/download/v1.1.1/chart-releaser_1.1.1_linux_amd64.tar.gz
-          tar xzvf chart-releaser_1.1.1_linux_amd64.tar.gz cr
+          wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
+          echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37  chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
+          tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
       - name: Package helm chart
         run: |
           ./cr package ${{ env.CHART_DIR }}
       - name: Upload helm chart
         # Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101
         continue-on-error: true
-        ## Upload the tar in the Releases repository
         run: |
           ./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_REPO_TOKEN }} -p .cr-release-packages
       - name: Index helm chart
         run: |
           ./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml
-
       - name: Push index file
-        uses: dmnemec/copy_file_to_another_repo_action@v1.1.1
+        uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 #v1.1.1
         env:
           API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
         with:

.github/workflows/test.yaml

@@ -75,7 +75,7 @@ jobs:
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v2
       with:
-        version: v0.164.0
+        version: v0.183.0
         args: release --snapshot --rm-dist --skip-publish
 
   build-documents:

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.14
+FROM alpine:3.15.0
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

ci/deploy-deb.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 DEBIAN_RELEASES=$(debian-distro-info --supported)
-UBUNTU_RELEASES=$(ubuntu-distro-info --supported-esm)
+UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-info --supported))
 
 cd trivy-repo/deb
 

contrib/sarif.tpl

@@ -39,6 +39,10 @@
                   {{- else -}}
                   ,
                   {{- end }}
+                  "help": {
+                    "text": {{ printf "Vulnerability %v\n%v\nSeverity: %v\nPackage: %v\nFixed Version: %v\nLink: [%v](%v)" .VulnerabilityID .Vulnerability.Description .Vulnerability.Severity .PkgName .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}},                    
+                    "markdown": {{ printf "**Vulnerability %v**\n%v\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|%v|%v|%v|[%v](%v)|\n" .VulnerabilityID .Vulnerability.Description .Vulnerability.Severity .PkgName .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}                    
+                  },
                   "properties": {
                     "tags": [
                       "vulnerability",
@@ -68,7 +72,7 @@
           "ruleIndex": {{ index $rules .VulnerabilityID }},
           "level": "{{ toSarifErrorLevel $vulnerability.Vulnerability.Severity }}",
           "message": {
-            "text": {{ endWithPeriod (escapeString $vulnerability.Description) | printf "%q" }}
+            "text": {{ printf "Package: %v\nInstalled Version: %v\nVulnerability %v\nSeverity: %v\nFixed Version: %v\nLink: [%v](%v)" .PkgName .InstalledVersion .VulnerabilityID .Vulnerability.Severity .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}
           },
           "locations": [{
             "physicalLocation": {

docs/advanced/air-gap.md

@@ -2,7 +2,10 @@
 
 Trivy can be used in air-gapped environments.
 
-## Download the vulnerability database
+
+## Air-Gapped Environment for vulnerabilities
+
+### Download the vulnerability database
 At first, you need to download the vulnerability database for use in air-gapped environments.
 Go to [trivy-db][trivy-db] and download `trivy-offline.db.tgz` in the latest release.
 If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--light` option.
@@ -11,14 +14,14 @@ If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--ligh
 $ wget https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy-offline.db.tgz
 ```
 
-## Transfer the DB file into the air-gapped environment
+### Transfer the DB file into the air-gapped environment
 The way of transfer depends on the environment.
 
 ```
 $ rsync -av -e ssh /path/to/trivy-offline.db.tgz [user]@[host]:dst
 ```
 
-## Put the DB file in Trivy's cache directory
+### Put the DB file in Trivy's cache directory
 You have to know where to put the DB file. The following command shows the default cache directory.
 
 ```
@@ -47,11 +50,69 @@ $ rm trivy-offline.db.tgz
 
 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
 
-## Run Trivy with --skip-update option
+### Run Trivy with --skip-update option
 In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
 
 ```
 $ trivy image --skip-update alpine:3.12
 ```
 
+## Air-Gapped Environment for misconfigurations
+
+### Download misconfiguration policies
+At first, you need to download misconfiguration policies for use in air-gapped environments.
+Please follow [oras installation instruction][oras]. \
+Download `bundle.tar.gz`:
+
+```
+$ oras pull ghcr.io/aquasecurity/appshield:latest -a
+```
+
+### Transfer misconfiguration policies into the air-gapped environment
+The way of transfer depends on the environment.
+
+```
+$ rsync -av -e ssh /path/to/bundle.tar.gz [user]@[host]:dst
+```
+
+### Put the misconfiguration policies in Trivy's cache directory
+You have to know where to put the misconfiguration policies file. The following command shows the default cache directory.
+
+```
+$ ssh user@host
+$ trivy -h | grep cache
+   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
+```
+
+Put the misconfiguration policies file in the cache directory + `/policy/content`.
+
+```
+$ mkdir -p /home/myuser/.cache/trivy/policy/content
+$ cd /home/myuser/.cache/trivy/policy/content
+$ mv /path/to/bundle.tar.gz .
+```
+
+Then, decompress it.
+`bundle.tar.gz ` file includes two folders: `docker`, `kubernetes` and file: `.manifest`.
+
+```
+$ tar xvf bundle.tar.gz 
+x ./docker/
+...
+x ./kubernetes/
+...
+x ./.manifest
+$ rm bundle.tar.gz
+```
+
+In an air-gapped environment it is your responsibility to update policies on a regular basis, so that the scanner can detect recently-identified misconfigurations. 
+
+### Run Trivy with --skip-policy-update option
+In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
+
+```
+$ trivy conf --skip-policy-update /path/to/conf
+```
+
 [trivy-db]: https://github.com/aquasecurity/trivy-db/releases
+[oras]: https://oras.land/cli/

docs/advanced/private-registries/gcr.md

@@ -1,7 +1,40 @@
-Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
+# Requirements
+None, Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
 
-If you want to use target project's repository, you can settle via `GOOGLE_APPLICATION_CREDENTIAL`.
+# Privileges
+Credential file must have the `roles/storage.objectViewer` permissions.
+More information can be found in [Google's documentation](https://cloud.google.com/container-registry/docs/access-control)
+
+## JSON File Format
+The JSON file specified should have the following format provided by google's service account mechanisms:
+
+```json
+{
+  "type": "service_account",
+  "project_id": "your_special_project",
+  "private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
+  "client_email": "somedude@your_special_project.iam.gserviceaccount.com",
+  "client_id": "1234567890",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com"
+}
+```
+
+# Usage
+If you want to use target project's repository, you can set them via `GOOGLE_APPLICATION_CREDENTIALS`.
 ```bash
 # must set TRIVY_USERNAME empty char
 export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
 ```
+
+# Testing
+You can test credentials in the following manner (assuming they are in `/tmp` on host machine).
+
+```bash
+docker run -it --rm -v /tmp:/tmp\
+  -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\
+  aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag
+```

docs/misconfiguration/comparison/cfsec.md

@@ -0,0 +1,25 @@
+# vs cfsec
+[cfsec][cfsec] uses static analysis of your CloudFormation templates to spot potential security issues.
+Trivy uses cfsec internally to scan both JSON and YAML configuration files, but Trivy doesn't support some features provided by cfsec.
+This section describes the differences between Trivy and cfsec.
+
+| Feature                     | Trivy                                   | cfsec                |
+| --------------------------- | --------------------------------------- | -------------------- |
+| Built-in Policies           | :material-check:                        | :material-check:     |
+| Custom Policies             | Rego[^1]                                | :material-close:     |
+| Policy Metadata[^2]         | :material-check:                        | :material-check:     |
+| Show Successes              | :material-check:                        | :material-check:     |
+| Disable Policies            | :material-check:                        | :material-check:     |
+| Show Issue Lines            | :material-close:                        | :material-check:     |
+| View Statistics             | :material-close:                        | :material-check:     |
+| Filtering by Severity       | :material-check:                        | :material-close:     |
+| Supported Formats           | Dockerfile, JSON, YAML, Terraform, etc. | CloudFormation JSON and YAML       |
+
+[^1]: CloudFormation files are not supported
+[^2]: To enrich the results such as ID, Title, Description, Severity, etc.
+
+cfsec is designed for CloudFormation.
+People who use only want to scan their CloudFormation templates should use cfsec.
+People who want to scan a wide range of configuration files should use Trivy.
+
+[cfsec]: https://github.com/aquasecurity/cfsec

docs/misconfiguration/comparison/tfsec.md

@@ -23,4 +23,4 @@ tfsec is designed for Terraform.
 People who use only Terraform should use tfsec.
 People who want to scan a wide range of configuration files should use Trivy.
 
-[tfsec]: https://github.com/tfsec/tfsec
+[tfsec]: https://github.com/aquasecurity/tfsec

docs/vulnerability/detection/os.md

@@ -4,7 +4,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 
 | OS                               | Supported Versions                       | Target Packages               | Detection of unfixed vulnerabilities |
 | -------------------------------- | ---------------------------------------- | ----------------------------- | :----------------------------------: |
-| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.13                    | Installed by apk              |                  NO                  |
+| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.15                    | Installed by apk              |                  NO                  |
 | Red Hat Universal Base Image[^1] | 7, 8                                     | Installed by yum/rpm          |                 YES                  |
 | Red Hat Enterprise Linux         | 6, 7, 8                                  | Installed by yum/rpm          |                 YES                  |
 | CentOS                           | 6, 7                                     | Installed by yum/rpm          |                 YES                  |

docs/vulnerability/scanning/git-repository.md

@@ -6,8 +6,6 @@ Scan your remote git repository
 $ trivy repo https://github.com/knqyf263/trivy-ci-test
 ```
 
-Only public repositories are supported.
-
 <details>
 <summary>Result</summary>
 
@@ -148,3 +146,20 @@ Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)
 ```
 
 </details>
+
+## Scanning Private Repositories
+
+In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned.
+
+The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset.
+
+For example:
+
+```
+$ export GITHUB_TOKEN="your_private_github_token"
+$ trivy repo <your private GitHub repo URL>
+$
+$ # or
+$ export GITLAB_TOKEN="your_private_gitlab_token"
+$ trivy repo <your private GitLab repo URL>
+```

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20211111090223-628ff1de3ee1
+	github.com/aquasecurity/fanal v0.0.0-20211130145558-2c76718ef52e
 	github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
@@ -33,7 +33,6 @@ require (
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
-	github.com/kylelemons/godebug v1.1.0
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/mitchellh/copystructure v1.1.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5

go.sum

@@ -202,16 +202,12 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/cfsec v0.0.12 h1:6zvaJ34qKbElT5CyeMDre5WxtphPCt+XXKqz0Atj14s=
-github.com/aquasecurity/cfsec v0.0.12/go.mod h1:26CqZRuXnPWAEqN2duORHQAPfz8Fh5FjVE+AT0wu78k=
-github.com/aquasecurity/defsec v0.0.30 h1:7GSGUUH0xeWRlyLeksdYz+PLZqQu6taICzapGvdlu4c=
-github.com/aquasecurity/defsec v0.0.30/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
-github.com/aquasecurity/fanal v0.0.0-20211110131215-96dc24c75898 h1:CojeyVbNSHbHAWlJumBNHywuUA6dUZsM6BD25ZVusgs=
-github.com/aquasecurity/fanal v0.0.0-20211110131215-96dc24c75898/go.mod h1:TETFypWo0TpXcEv2tE7Hk+hpRweR4Kc0nhFGs0UveG0=
-github.com/aquasecurity/fanal v0.0.0-20211111090223-628ff1de3ee1 h1:DcI5huCvagGpr76rSSlCdVswddg2EhJwFvd4mz1th6M=
-github.com/aquasecurity/fanal v0.0.0-20211111090223-628ff1de3ee1/go.mod h1:7ccP6Dl7W77nc1rX+T+beH5IHPTDwoFqE2bW9nnEFTY=
-github.com/aquasecurity/go-dep-parser v0.0.0-20211013074621-eb58e8565220 h1:4ck6/2PNmzcNPUgFT3gCq6oVFB/Do/qiasRuBL9xGDI=
-github.com/aquasecurity/go-dep-parser v0.0.0-20211013074621-eb58e8565220/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
+github.com/aquasecurity/cfsec v0.2.2 h1:hq6MZlg7XFZsrerCv297N4HRlnJM7K6LLd/l/xCz1no=
+github.com/aquasecurity/cfsec v0.2.2/go.mod h1:sUELRJqIPXTOZiHUx7TzyyFFzuk0W22IG6IWAoV8T6U=
+github.com/aquasecurity/defsec v0.0.37 h1:zdZndlKrW257b8VLK1UwfmXiyPuDrNA+wzBilHRk1LA=
+github.com/aquasecurity/defsec v0.0.37/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
+github.com/aquasecurity/fanal v0.0.0-20211130145558-2c76718ef52e h1:8cdrjNJ3aMcNglPK80y37T9B733dBoe7118hLC2XWBA=
+github.com/aquasecurity/fanal v0.0.0-20211130145558-2c76718ef52e/go.mod h1:tfiYxqoK/3PDW8Ut3UnxP7rKqFaSw1X6owKjAHjM1NA=
 github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3 h1:zYNhYU4HUqJq+Lqhwf68gvd+v0cKqM2XOmggtHYLkoU=
 github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
@@ -225,9 +221,8 @@ github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 h1:rcEG5HI
 github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516 h1:moQmzbpLo5dxHQCyEhqzizsDSNrNhn/7uRTCZzo4A1o=
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516/go.mod h1:gTd97VdQ0rg8Mkiic3rPgNOQdprZ7feTAhiD5mGQjgM=
-github.com/aquasecurity/tfsec v0.58.14/go.mod h1:RcgH8QFJSE+p7Sf/WAF7chGTL/xULi7muiNdqIsUkOE=
-github.com/aquasecurity/tfsec v0.59.0 h1:HATgpKbiUEWnJ8PU3CJpHMJCEhVgJG9E32m7uEp44oo=
-github.com/aquasecurity/tfsec v0.59.0/go.mod h1:MR3uDlWu+fBTisFndR+NwjSGt06RBhkE++JzKRJ0Ggs=
+github.com/aquasecurity/tfsec v0.61.4-0.20211130135821-0a1997e494fa h1:mgG6allqccyBmaE0qnWFl39ju156yqNVTd0D/xwuVko=
+github.com/aquasecurity/tfsec v0.61.4-0.20211130135821-0a1997e494fa/go.mod h1:MR3uDlWu+fBTisFndR+NwjSGt06RBhkE++JzKRJ0Ggs=
 github.com/aquasecurity/trivy-db v0.0.0-20210916043317-726b7b72a47b h1:RaS93vlHzgreZk3CYqcNgoqukwbsBEYhAiE6qmhLwB0=
 github.com/aquasecurity/trivy-db v0.0.0-20210916043317-726b7b72a47b/go.mod h1:5h8GV7Qxp/SMJ4awWHs0KRxwVkKzcwOnRkORWOnCXRU=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
@@ -1172,7 +1167,6 @@ github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTm
 github.com/openzipkin/zipkin-go v0.1.3/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
 github.com/owenrumney/go-sarif v1.0.10/go.mod h1:sgJM0ZaZ28jT8t8Iq3/mUCFBW9cX09EobIBXYOhiYBc=
-github.com/owenrumney/go-sarif v1.0.11/go.mod h1:hTBFbxU7GuVRUvwMx+eStp9M/Oun4xHCS3vqpPvket8=
 github.com/owenrumney/go-sarif v1.0.12/go.mod h1:Jk5smXU9QuCqTdh4N3PehnG+azzrf0XcQ267ZwAG8Ho=
 github.com/owenrumney/squealer v0.2.28 h1:LYsqUHal+5QlANjbZ+h44SN5kIZSfHCWKUzBAS1KwB0=
 github.com/owenrumney/squealer v0.2.28/go.mod h1:wwVPzhjiUBILIdDtnzGSEcapXczIj/tONP+ZJ49IhPY=
@@ -1442,7 +1436,6 @@ github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q
 github.com/zclconf/go-cty v1.6.1/go.mod h1:VDR4+I79ubFBGm1uJac1226K5yANQFHeauxPBoP54+o=
 github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty v1.8.3/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
-github.com/zclconf/go-cty v1.8.4/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty v1.9.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty v1.10.0 h1:mp9ZXQeIcN8kAwuqorjH+Q+njbJKjLrvB2yIh4q7U+0=
 github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=

goreleaser.yml

@@ -20,6 +20,7 @@ builds:
       - arm
       - arm64
       - ppc64le
+      - s390x
     goarm:
       - 7
     ignore:
@@ -98,7 +99,7 @@ dockers:
       - "ghcr.io/aquasecurity/trivy:latest-amd64"
       - "public.ecr.aws/aquasecurity/trivy:latest-amd64"
       - "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-amd64"
-    use_buildx: true
+    use: buildx
     goos: linux
     goarch: amd64
     ids:
@@ -122,7 +123,7 @@ dockers:
       - "ghcr.io/aquasecurity/trivy:latest-arm64"
       - "public.ecr.aws/aquasecurity/trivy:latest-arm64"
       - "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-arm64"
-    use_buildx: true
+    use: buildx
     goos: linux
     goarch: arm64
     ids:

helm/trivy/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: trivy
-version: 0.4.5
-appVersion: "0.18.3"
+version: 0.4.7
+appVersion: "0.21.0"
 description: Trivy helm chart
 keywords:
   - scanner

helm/trivy/templates/ingress.yaml

@@ -1,9 +1,11 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "trivy.fullname" . -}}
-{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
 apiVersion: networking.k8s.io/v1
-{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
 apiVersion: networking.k8s.io/v1beta1
+{{- else }}
+apiVersion: extensions/v1beta1
 {{- end }}
 kind: Ingress
 metadata:
@@ -34,8 +36,8 @@ spec:
     - host: {{ .host | quote }}
       http:
         paths:
-          {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
           - path: {{ $.Values.ingress.path }}
+        {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
             pathType: {{ $.Values.ingress.pathType }}
             backend:
               service:
@@ -43,7 +45,6 @@ spec:
                 port:
                   number: {{ $.Values.service.port -}}
           {{- else }}
-          - path: {{ $.Values.ingress.path }}
             backend:
               serviceName: {{ $fullName }}
               servicePort: {{ $.Values.service.port -}}

helm/trivy/values.yaml

@@ -4,7 +4,7 @@ fullnameOverride: ""
 image:
   registry: docker.io
   repository: aquasec/trivy
-  tag: 0.18.3
+  tag: 0.21.0
   pullPolicy: IfNotPresent
   pullSecret: ""
 
@@ -85,7 +85,7 @@ trivy:
   cache:
     redis:
       enabled: false
-      url: "" # e.g. redis://redis.redis.svc:6379
+      url: ""  # e.g. redis://redis.redis.svc:6379
 
 service:
   # type Kubernetes service type

integration/testdata/alpine-310.sarif.golden

@@ -23,6 +23,10 @@
                     "level": "warning"
                   },
                   "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
+                  "help": {
+                    "text": "Vulnerability CVE-2019-1549\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\nSeverity: MEDIUM\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",                    
+                    "markdown": "**Vulnerability CVE-2019-1549**\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"                    
+                  },
                   "properties": {
                     "tags": [
                       "vulnerability",
@@ -44,6 +48,10 @@
                     "level": "warning"
                   },
                   "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
+                  "help": {
+                    "text": "Vulnerability CVE-2019-1551\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).\nSeverity: MEDIUM\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",                    
+                    "markdown": "**Vulnerability CVE-2019-1551**\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"                    
+                  },
                   "properties": {
                     "tags": [
                       "vulnerability",
@@ -65,6 +73,10 @@
                     "level": "warning"
                   },
                   "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
+                  "help": {
+                    "text": "Vulnerability CVE-2019-1563\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\nSeverity: MEDIUM\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",                    
+                    "markdown": "**Vulnerability CVE-2019-1563**\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"                    
+                  },
                   "properties": {
                     "tags": [
                       "vulnerability",
@@ -86,6 +98,10 @@
                     "level": "note"
                   },
                   "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
+                  "help": {
+                    "text": "Vulnerability CVE-2019-1547\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\nSeverity: LOW\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",                    
+                    "markdown": "**Vulnerability CVE-2019-1547**\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libcrypto1.1|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"                    
+                  },
                   "properties": {
                     "tags": [
                       "vulnerability",
@@ -102,7 +118,7 @@
           "ruleIndex": 0,
           "level": "warning",
           "message": {
-            "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
           },
           "locations": [{
             "physicalLocation": {
@@ -121,7 +137,7 @@
           "ruleIndex": 1,
           "level": "warning",
           "message": {
-            "text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
           },
           "locations": [{
             "physicalLocation": {
@@ -140,7 +156,7 @@
           "ruleIndex": 2,
           "level": "warning",
           "message": {
-            "text": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1563\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)"
           },
           "locations": [{
             "physicalLocation": {
@@ -159,7 +175,7 @@
           "ruleIndex": 3,
           "level": "note",
           "message": {
-            "text": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1547\nSeverity: LOW\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)"
           },
           "locations": [{
             "physicalLocation": {
@@ -178,7 +194,7 @@
           "ruleIndex": 0,
           "level": "warning",
           "message": {
-            "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
           },
           "locations": [{
             "physicalLocation": {
@@ -197,7 +213,7 @@
           "ruleIndex": 1,
           "level": "warning",
           "message": {
-            "text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
           },
           "locations": [{
             "physicalLocation": {
@@ -216,7 +232,7 @@
           "ruleIndex": 2,
           "level": "warning",
           "message": {
-            "text": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1563\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)"
           },
           "locations": [{
             "physicalLocation": {
@@ -235,7 +251,7 @@
           "ruleIndex": 3,
           "level": "note",
           "message": {
-            "text": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1547\nSeverity: LOW\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)"
           },
           "locations": [{
             "physicalLocation": {

integration/testdata/nodejs.json.golden

@@ -24,7 +24,7 @@
           "VulnerabilityID": "CVE-2019-11358",
           "PkgName": "jquery",
           "InstalledVersion": "3.3.9",
-          "FixedVersion": "3.4.0",
+          "FixedVersion": ">=3.4.0",
           "SeveritySource": "nodejs-security-wg",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
           "Title": "js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection",
@@ -128,7 +128,7 @@
           "VulnerabilityID": "CVE-2018-16487",
           "PkgName": "lodash",
           "InstalledVersion": "4.17.4",
-          "FixedVersion": "4.17.11",
+          "FixedVersion": ">=4.17.11",
           "SeveritySource": "nodejs-security-wg",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487",
           "Title": "lodash: Prototype pollution in utilities function",
@@ -195,7 +195,7 @@
           "VulnerabilityID": "CVE-2018-3721",
           "PkgName": "lodash",
           "InstalledVersion": "4.17.4",
-          "FixedVersion": "4.17.5",
+          "FixedVersion": ">=4.17.5",
           "SeveritySource": "nodejs-security-wg",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721",
           "Title": "lodash: Prototype pollution in utilities function",

mkdocs.yml

@@ -66,6 +66,7 @@ nav:
       - Comparison:
           - vs Conftest: misconfiguration/comparison/conftest.md
           - vs tfsec: misconfiguration/comparison/tfsec.md
+          - vs cfsec: misconfiguration/comparison/cfsec.md
   - Advanced:
       - Overview: advanced/index.md
       - Plugins: advanced/plugins.md

pkg/commands/artifact/wire_gen.go

@@ -1,7 +1,8 @@
 // Code generated by Wire. DO NOT EDIT.
 
 //go:generate wire
-//+build !wireinject
+//go:build !wireinject
+// +build !wireinject
 
 package artifact
 

pkg/commands/client/wire_gen.go

@@ -1,7 +1,8 @@
 // Code generated by Wire. DO NOT EDIT.
 
 //go:generate wire
-//+build !wireinject
+//go:build !wireinject
+// +build !wireinject
 
 package client
 

pkg/commands/operation/inject.go

@@ -1,3 +1,4 @@
+//go:build wireinject
 // +build wireinject
 
 package operation

pkg/commands/operation/wire_gen.go

@@ -1,7 +1,8 @@
 // Code generated by Wire. DO NOT EDIT.
 
 //go:generate wire
-//+build !wireinject
+//go:build !wireinject
+// +build !wireinject
 
 package operation
 

pkg/detector/library/driver.go

@@ -89,41 +89,34 @@ func (d *Driver) Type() string {
 
 func newRubyGemsDriver() Driver {
 	c := bundler.RubyGemsComparer{}
-	return Aggregate(vulnerability.RubyGems, ghsa.NewAdvisory(ecosystem.Rubygems, c), bundler.NewAdvisory(),
-		NewAdvisory(vulnerability.RubyGems, c))
+	return Aggregate(vulnerability.RubyGems, NewAdvisory(vulnerability.RubyGems, c), bundler.NewAdvisory(), ghsa.NewAdvisory(ecosystem.Rubygems, c))
 }
 
 func newComposerDriver() Driver {
 	c := comparer.GenericComparer{}
-	return Aggregate(vulnerability.Composer, ghsa.NewAdvisory(ecosystem.Composer, c), composer.NewAdvisory(),
-		NewAdvisory(vulnerability.Composer, c))
+	return Aggregate(vulnerability.Composer, NewAdvisory(vulnerability.Composer, c), composer.NewAdvisory(), ghsa.NewAdvisory(ecosystem.Composer, c))
 }
 
 func newCargoDriver() Driver {
-	return Aggregate(vulnerability.Cargo, cargo.NewAdvisory(),
-		NewAdvisory(vulnerability.Cargo, comparer.GenericComparer{}))
+	return Aggregate(vulnerability.Cargo, NewAdvisory(vulnerability.Cargo, comparer.GenericComparer{}), cargo.NewAdvisory())
 }
 
 func newNpmDriver() Driver {
 	c := npm.Comparer{}
-	return Aggregate(vulnerability.Npm, ghsa.NewAdvisory(ecosystem.Npm, c),
-		npm.NewAdvisory(), NewAdvisory(vulnerability.Npm, c))
+	return Aggregate(vulnerability.Npm, NewAdvisory(vulnerability.Npm, c), npm.NewAdvisory(), ghsa.NewAdvisory(ecosystem.Npm, c))
 }
 
 func newPipDriver() Driver {
 	c := comparer.GenericComparer{}
-	return Aggregate(vulnerability.Pip, ghsa.NewAdvisory(ecosystem.Pip, c),
-		python.NewAdvisory(), NewAdvisory(vulnerability.Pip, c))
+	return Aggregate(vulnerability.Pip, NewAdvisory(vulnerability.Pip, c), python.NewAdvisory(), ghsa.NewAdvisory(ecosystem.Pip, c))
 }
 
 func newNugetDriver() Driver {
 	c := comparer.GenericComparer{}
-	return Aggregate(vulnerability.NuGet, ghsa.NewAdvisory(ecosystem.Nuget, c),
-		NewAdvisory(vulnerability.NuGet, c))
+	return Aggregate(vulnerability.NuGet, NewAdvisory(vulnerability.NuGet, c), ghsa.NewAdvisory(ecosystem.Nuget, c))
 }
 
 func newMavenDriver() Driver {
 	c := maven.Comparer{}
-	return Aggregate(vulnerability.Maven, ghsa.NewAdvisory(ecosystem.Maven, c),
-		NewAdvisory(vulnerability.Maven, c))
+	return Aggregate(vulnerability.Maven, NewAdvisory(vulnerability.Maven, c), ghsa.NewAdvisory(ecosystem.Maven, c))
 }

pkg/detector/ospkg/alpine/alpine.go

@@ -41,6 +41,7 @@ var (
 		"3.12": time.Date(2022, 5, 1, 23, 59, 59, 0, time.UTC),
 		"3.13": time.Date(2022, 11, 1, 23, 59, 59, 0, time.UTC),
 		"3.14": time.Date(2023, 5, 1, 23, 59, 59, 0, time.UTC),
+		"3.15": time.Date(2023, 11, 1, 23, 59, 59, 0, time.UTC),
 	}
 )
 

pkg/rpc/convert.go

@@ -269,6 +269,9 @@ func ConvertFromRPCMisconfs(rpcMisconfs []*common.DetectedMisconfiguration) []ty
 
 // ConvertFromRPCLayer converts *common.Layer to fanal.Layer
 func ConvertFromRPCLayer(rpcLayer *common.Layer) ftypes.Layer {
+	if rpcLayer == nil {
+		return ftypes.Layer{}
+	}
 	return ftypes.Layer{
 		Digest: rpcLayer.Digest,
 		DiffID: rpcLayer.DiffId,

pkg/rpc/server/inject.go

@@ -1,3 +1,4 @@
+//go:build wireinject
 // +build wireinject
 
 package server

pkg/rpc/server/server_test.go

@@ -329,6 +329,18 @@ func TestCacheServer_PutBlob(t *testing.T) {
 											DiffId: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 										},
 									},
+									{
+										Name:       "node-minimal",
+										Version:    "17.1.0",
+										Release:    "5.el7",
+										Epoch:      2,
+										Arch:       "x86_64",
+										SrcName:    "node",
+										SrcVersion: "17.1.0",
+										SrcRelease: "5.el7",
+										SrcEpoch:   2,
+										Layer:      nil,
+									},
 								},
 							},
 						},
@@ -398,6 +410,18 @@ func TestCacheServer_PutBlob(t *testing.T) {
 											DiffID: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 										},
 									},
+									{
+										Name:       "node-minimal",
+										Version:    "17.1.0",
+										Release:    "5.el7",
+										Epoch:      2,
+										Arch:       "x86_64",
+										SrcName:    "node",
+										SrcVersion: "17.1.0",
+										SrcRelease: "5.el7",
+										SrcEpoch:   2,
+										Layer:      ftypes.Layer{},
+									},
 								},
 							},
 						},

pkg/rpc/server/wire_gen.go

@@ -1,7 +1,8 @@
 // Code generated by Wire. DO NOT EDIT.
 
 //go:generate wire
-//+build !wireinject
+//go:build !wireinject
+// +build !wireinject
 
 package server
 

pkg/utils/utils.go

@@ -5,11 +5,6 @@ import (
 	"io"
 	"os"
 	"path/filepath"
-	"strings"
-
-	"golang.org/x/xerrors"
-
-	"github.com/aquasecurity/trivy/pkg/log"
 )
 
 var cacheDir string
@@ -33,47 +28,6 @@ func SetCacheDir(dir string) {
 	cacheDir = dir
 }
 
-// FileWalk walks the directory and performs operations on files defined by walkFn
-func FileWalk(root string, targetFiles map[string]struct{}, walkFn func(r io.Reader, path string) error) error {
-	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if info.IsDir() {
-			return nil
-		}
-
-		rel, err := filepath.Rel(root, path)
-		if err != nil {
-			return xerrors.Errorf("error in filepath rel: %w", err)
-		}
-
-		if _, ok := targetFiles[rel]; !ok {
-			return nil
-		}
-
-		if info.Size() == 0 {
-			log.Logger.Debugf("invalid size: %s", path)
-			return nil
-		}
-
-		f, err := os.Open(path)
-		if err != nil {
-			return xerrors.Errorf("failed to open file: %w", err)
-		}
-		defer f.Close()
-
-		if err = walkFn(f, path); err != nil {
-			return err
-		}
-		return nil
-	})
-	if err != nil {
-		return xerrors.Errorf("error in file walk: %w", err)
-	}
-	return nil
-}
-
 // StringInSlice checks if strings exist in list of strings
 func StringInSlice(a string, list []string) bool {
 	for _, b := range list {
@@ -84,24 +38,6 @@ func StringInSlice(a string, list []string) bool {
 	return false
 }
 
-// FilterTargets filters the target based on prefixPath
-func FilterTargets(prefixPath string, targets map[string]struct{}) (map[string]struct{}, error) {
-	filtered := map[string]struct{}{}
-	for filename := range targets {
-		if strings.HasPrefix(filename, prefixPath) {
-			rel, err := filepath.Rel(prefixPath, filename)
-			if err != nil {
-				return nil, xerrors.Errorf("error in filepath rel: %w", err)
-			}
-			if strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
-				continue
-			}
-			filtered[rel] = struct{}{}
-		}
-	}
-	return filtered, nil
-}
-
 // CopyFile copies the file content from scr to dst
 func CopyFile(src, dst string) (int64, error) {
 	sourceFileStat, err := os.Stat(src)

pkg/utils/utils_test.go

@@ -1,14 +1,9 @@
 package utils
 
 import (
-	"io"
 	"os"
-	"path/filepath"
-	"reflect"
-	"strings"
 	"testing"
 
-	"github.com/kylelemons/godebug/pretty"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -30,116 +25,6 @@ func write(t *testing.T, name string, content string) {
 	}
 }
 
-func TestFileWalk(t *testing.T) {
-	td, err := os.MkdirTemp("", "walktest")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(td)
-
-	if err := os.MkdirAll(filepath.Join(td, "dir"), 0755); err != nil {
-		t.Fatal(err)
-	}
-	touch(t, filepath.Join(td, "dir/foo1"))
-	touch(t, filepath.Join(td, "dir/foo2"))
-	write(t, filepath.Join(td, "dir/foo3"), "foo3")
-	write(t, filepath.Join(td, "dir/foo4"), "foo4")
-
-	sawDir := false
-	sawFoo1 := false
-	sawFoo2 := false
-	sawFoo4 := false
-	var contentFoo3 []byte
-	walker := func(r io.Reader, path string) error {
-		if strings.HasSuffix(path, "dir") {
-			sawDir = true
-		}
-		if strings.HasSuffix(path, "foo1") {
-			sawFoo1 = true
-		}
-		if strings.HasSuffix(path, "foo2") {
-			sawFoo2 = true
-		}
-		if strings.HasSuffix(path, "foo3") {
-			contentFoo3, err = io.ReadAll(r)
-			if err != nil {
-				t.Fatal(err)
-			}
-		}
-		if strings.HasSuffix(path, "foo4") {
-			sawFoo4 = true
-		}
-		return nil
-	}
-
-	targetFiles := map[string]struct{}{
-		filepath.Join("dir", "foo2"): {},
-		filepath.Join("dir", "foo3"): {},
-	}
-	err = FileWalk(td, targetFiles, walker)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if sawDir {
-		t.Error("directories must not be passed to walkFn")
-	}
-	if sawFoo1 || sawFoo4 {
-		t.Error("a file not included in targetFiles must not be passed to walkFn")
-	}
-	if sawFoo2 {
-		t.Error("an empty file must not be passed to walkFn")
-	}
-	if string(contentFoo3) != "foo3" {
-		t.Error("The file content is wrong")
-	}
-}
-func TestFilterTargets(t *testing.T) {
-	vectors := map[string]struct {
-		prefix   string
-		targets  map[string]struct{} // Target files
-		expected map[string]struct{}
-		err      error // Expected error to occur
-	}{
-		"normal": {
-			prefix: "dir",
-			targets: map[string]struct{}{
-				filepath.Join("dir", "file1"): {},
-				filepath.Join("dir", "file2"): {},
-				filepath.Join("foo", "bar"):   {},
-			},
-			expected: map[string]struct{}{
-				"file1": {},
-				"file2": {},
-			},
-			err: nil,
-		},
-		"other directory with the same prefix": {
-			prefix: "dir",
-			targets: map[string]struct{}{
-				filepath.Join("dir", "file1"):  {},
-				filepath.Join("dir2", "file2"): {},
-			},
-			expected: map[string]struct{}{
-				"file1": {},
-			},
-			err: nil,
-		},
-	}
-
-	for testName, v := range vectors {
-		t.Run(testName, func(t *testing.T) {
-			actual, err := FilterTargets(v.prefix, v.targets)
-			if err != nil {
-				t.Errorf("err: got %v, want %v", v.err, err)
-			}
-			if !reflect.DeepEqual(actual, v.expected) {
-				t.Errorf("[%s]\n%s", testName, pretty.Compare(v.expected, actual))
-
-			}
-		})
-	}
-}
-
 func TestCopyFile(t *testing.T) {
 	type args struct {
 		src string