* feat: filter artifacts on --exclude-owned flag
- filter artifacts using trivy-kubernetes library
- upgrade dependencies
- generate docs
* chore: remove shorthand flag for --exclude-owned flag
* return nil for advisories, if len of refs == 0
add marshal test
* add integration test for cyclonedx with vulns
* use existing testcase
* test(pom): add ID for cyclondedx integration golden file
* test(integration): add sorting cyclonedx vulns
* adding a terraform tutorial to the docs
* modifying Terraform tutorial
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
* changes to the terraform tutorial in accoradance with the feedback
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
* updates to the terraform tutorial based on PR feedback
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
---------
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
* add Package.resolved files analyzer
* add Swift detector and integration test
* refactor after go-dep-parser changes
* bump go-dep-parser
* remove replaces
* use filePath for Required func
* add ID field
* docs: add coverage
* add more pages
* add dart, dotnet, elixir languages.
* add C, ruby, cocoapods. Update links
* rename headers for dart and elixir
* docs: add Google Distroless and Photon OS
* docs: add IaC
* docs: put vulnerability into a single page
* fixed broken links
* docs: add coverage overview
* update some links
* add note about arch for Rocky linux
* docs: fix typo
* fix typo
* docs: add footnotes
* docs: add a link to coverage in the license section
* docs: add a conversion table
* docs: get aligned
---------
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
* adding blog post on ec2
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
* update title of section
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
* changing the location of the article to be under Vulnerabilities
---------
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
* docs(cli): update help string for file and dir skipping
- Update the contextual help messages
- Add some additional examples (and clarify YAML file configuration) for
globbing
- Update docs
- Fix broken link in skipping docs
See also #3754
Signed-off-by: William Yardley <wyardley@users.noreply.github.com>
* docs: revert
---------
Signed-off-by: William Yardley <wyardley@users.noreply.github.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* feat(repo): support local repositories
* fix tests
* test: fix client/server tests
* docs: update
* test: add fs tests
* test: do not update golden files if overridden
* docs: remove a comment about fs deprecation
* feat: support vulnerability status
* feat: show status in table
* don't add `fixed` status in debian/redhat
* update test golden files
* add Status in rpc
* update docs
* update ignore-status example
* add ignore-status in integration test
* docs: add the explanation for statuses
---------
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
* feat(misconf): Support custom URLs for policy bundle
This PR adds support for custom policy bundles to be specified
with a flag `--policy-bundle-url` as an option to Trivy.
Fixes: https://github.com/aquasecurity/trivy/issues/4672
Signed-off-by: Simar <simar@linux.com>
* update docs
Signed-off-by: Simar <simar@linux.com>
* rename flag to `--policy-bundle-repository`
Signed-off-by: Simar <simar@linux.com>
* fix field
* rebase and update docs
Signed-off-by: Simar <simar@linux.com>
* set policyBundleRepo on client
Signed-off-by: Simar <simar@linux.com>
---------
Signed-off-by: Simar <simar@linux.com>
* fix(report): close the file
* refactor: add the format type
* fix: return errors in version printing
* fix: lint issues
* fix: do not fail on bogus cache dir
---------
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
* fix(license): using common way for splitting licenses
* add test cases
* TEST new regex
* extract function
* fix version detection
---------
Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
* match with img platform instead of host platform
* client matching pull spec
* use default platform
* pull with platforms default strict
* use withplatform to pull and add debug log
* looks like we are trying to scan a i386 image
* revert changes on test, use the right platform match
* try with Config.Platform
* use spect.platform
* fix function usage
* try another way to retrieve the platform
* fix compilation
* read platforms from config manifest
* use platform from RegistryOptions if available, otherwise get the actual platform
* goimport
* put platform in containerd client
* fix panic
* use DefaultStrict as default
* feat(misconf): enable --policy flag to accept directory and files both
* fix test
* Revert "clarifying a dir path is required for custom policies (#4716)"
This reverts commit 8a1aa448a1.
* update doc
* update the flag description
* Update tar.go
The comment before the following w.processFile(filePath, tr, hdr.FileInfo(), analyzeFn) call says: // A symbolic/hard link or regular file will reach here.
But defualt's processing causes the symbolic/hard link to not reach the processFile function location
* Update tar.go
update tar.go comment
---------
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* feat: add support of linux/ppc64le and linux/s390x architectures for Install.sh script #4747
* feat: add support of linux/ppc64le and linux/s390x architectures for Install.sh script #4747
* add multi-arch support for rocky linux advisories
* feat: comply with the new signagure
* bump trivy-db
* fix tests
* chore(deps): remove fork replace
---------
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* add Dev field for Package
* fix integration test
* update docs
* feat(cli): add include-dev flag
* bump go-dep-parser
* update docs
* add integration test
* refactor
* refactor
* fix integration test
* refactor: rename flag to include-dev-deps
* update docs
* update docs
* filter dev deps when scanning packages
* add flag support for server mode
* refactor: remove comment that might confuse
* refactor: move --include-dev-deps to the scanner flag group
* refactor: not return apps
* docs: update
---------
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* feat: add support for mTLS authentication when connecting to registry
* feat: add support for mTLS authentication when connecting to registry - added error handling
* feat: add support for mTLS authentication when connecting to registry
- code quality improvements
* feat: add support for mTLS authentication when connecting to registry
- code quality improvements
* wrap errors
---------
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* chore(deps): update ext4-filesystem parser for parse multi block extents
* test(vm): update integration-vm test fixtures
* test(vm): add gzip decompresser for sparse file
* test(vm): add mage command update golden file for vm integration test
* chore(magefile): [WIP] change test repository
* Revert "chore(magefile): [WIP] change test repository"
This reverts commit c015c8892f.
* fix(test): update fixtures and golden file
* fix(test): revert fixVersion and PkgID
* fix(debian): update EOL for Debian 12
Debian 12 was released on 2023-06-10 and will be supported for five
years - see https://www.debian.org/News/2023/20230610.
* Update docs
Downloaded file name is `javadb.tar.gz` rather than `db.tar.gz`.
Also `--skip-update` is deprecated in favor of `--skip-db-update` and `--skip-java-db-update`.
* adding a fix for update-cache that was not applied on AWS scans.
* removing unneeded code
---------
Co-authored-by: Gio Rodriguez <giovanni.rodriguez@aquasec.com>
* Add test for filter with both duplicates and different package paths
* Add package path in key of uniqVulns map
* Add package path to the sorting logic
This commit bumps the go-dep-parser version. This revents Trivy from detecting vulnerabilities in Poetry dev-dependency, so the document is also updated.
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
For images with single layer, the layer key was directly being used as merged cache key.
This was posing an issue of data override and any other image having the same layer could get incorrect data.
So, fixed:
1. Even for 1 layer - merged layer key hash will be calculated
2. We will not go with assumption that merged data will have only 1 pkgInfo
3. We are setting a SchemaVersion in blob being generated in ToBlobInfo
YAML files can also have the `.yml` file extension. So the helm config should take that into account.
Signed-off-by: Juan Antonio Osorio <juan.osoriorobles@eu.equinix.com>
While analyzing failure of the report schema validation i found URL looks like that: `https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)`. This causing gitlab to mark report as invalid. Patch provided just using first word of the url word.
* chore: add integration label and merge security label
* use the kind/security label for vulnerabilities
Co-authored-by: knqyf263 <knqyf263@gmail.com>
2022-06-22 12:11:37 +03:00
2819 changed files with 262928 additions and 32881 deletions
label:"[Optional] Can you provide us with a quote on your favourite part of Trivy? This may be used on the trivy.dev website, posted on Twitter (@AquaTrivy) or similar marketing material."
validations:
required:false
- type:checkboxes
attributes:
label:"[Optional] Which targets are you scanning with Trivy?"
options:
- label:"Container Image"
- label:"Filesystem"
- label:"Git Repository"
- label:"Virtual Machine Image"
- label:"Kubernetes"
- label:"AWS"
- label:"SBOM"
validations:
required:false
- type:checkboxes
attributes:
label:"[Optional] What kind of issues are scanning with Trivy?"
options:
- label:"Software Bill of Materials (SBOM)"
- label:"Known vulnerabilities (CVEs)"
- label:"IaC issues and misconfigurations"
- label:"Sensitive information and secrets"
- label:"Software licenses"
- type:markdown
attributes:
value:|
## Get in touch
We are always looking for
* User feedback
* Collaboration with other companies and organisations
* Or just to have a chat with you about trivy.
If any of this interests you or your marketing team, please reach out at: oss@aquasec.com
Feel free to raise a bug report if something doesn't work as expected.
Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
If you see any false positives or false negatives, please file a ticket [here](https://github.com/aquasecurity/trivy/discussions/new?category=false-detection).
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type:textarea
attributes:
label:Description
description:Briefly describe the problem you are having in a few paragraphs.
validations:
required:true
- type:textarea
attributes:
label:Desired Behavior
description:What did you expect to happen?
validations:
required:true
- type:textarea
attributes:
label:Actual Behavior
description:What happened instead?
validations:
required:true
- type:textarea
attributes:
label:Reproduction Steps
description:How do you trigger this bug? Please walk us through it step by step.
value:|
1.
2.
3.
...
render:bash
validations:
required:true
- type:dropdown
attributes:
label:Target
description:Which target are you scanning? It is equal to which subcommand you are using.
options:
- Container Image
- Filesystem
- Git Repository
- Virtual Machine Image
- Kubernetes
- AWS
- SBOM
validations:
required:false
- type:dropdown
attributes:
label:Scanner
description:Which scanner are you using?
options:
- Vulnerability
- Misconfiguration
- Secret
- License
validations:
required:false
- type:dropdown
attributes:
label:Output Format
description:Which output format are you using?
options:
- Table
- JSON
- Template
- SARIF
- CycloneDX
- SPDX
validations:
required:false
- type:dropdown
attributes:
label:Mode
description:Which mode are you using? Specify "Standalone" if you are not using `trivy server`.
options:
- Standalone
- Client/Server
validations:
required:false
- type:textarea
attributes:
label:Debug Output
description:Output of run with `--debug`
placeholder:"$ trivy <target> <subject> --debug"
render:bash
validations:
required:true
- type:input
attributes:
label:Operating System
description:Onwhat operating system are you running Trivy?
Feel free to create a docs report if something doesn't work as expected or is unclear in the documentation.
Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type:textarea
attributes:
label:Description
description:Briefly describe the what has been unclear in the existing documentation
validations:
required:true
- type:textarea
attributes:
label:Link
description:Please provide a link to the current documentation or where you thought to find the information you were looking for
validations:
required:false
- type:textarea
attributes:
label:Suggestions
description:What would you like to have added or changed in the documentation?
Feel free to raise a bug report if something doesn't work as expected.
Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type:input
attributes:
label:IDs
description:List the IDs of vulnerabilities, misconfigurations, secrets, or licenses that are either not detected or mistakenly detected.
placeholder:"e.g. CVE-2021-44228, CVE-2022-22965"
validations:
required:true
- type:textarea
attributes:
label:Description
description:Describe the false detection.
validations:
required:true
- type:textarea
attributes:
label:Reproduction Steps
description:How do you trigger this bug? Please walk us through it step by step.
value:|
1.
2.
3.
...
render:bash
validations:
required:true
- type:dropdown
attributes:
label:Target
description:Which target are you scanning? It is equal to which subcommand you are using.
options:
- Container Image
- Filesystem
- Git Repository
- Virtual Machine Image
- Kubernetes
- AWS
- SBOM
validations:
required:true
- type:dropdown
attributes:
label:Scanner
description:Which scanner are you using?
options:
- Vulnerability
- Misconfiguration
- Secret
- License
validations:
required:true
- type:input
attributes:
label:Target OS
description:What operating system are you scanning? Fill in this field if the scanning target is an operating system.
Please ensure that you're not creating a duplicate ticket by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type:textarea
attributes:
label:Description
description:Describe your idea.
validations:
required:true
- type:dropdown
attributes:
label:Target
description:Which target is your idea related to?
options:
- Container Image
- Filesystem
- Git Repository
- Virtual Machine Image
- Kubernetes
- AWS
- SBOM
validations:
required:false
- type:dropdown
attributes:
label:Scanner
description:Which scanner is your idea related to?
options:
- Vulnerability
- Misconfiguration
- Secret
- License
validations:
required:false
- type:markdown
attributes:
value:|
We would be happy if you could share how you are using Trivy [here](https://github.com/aquasecurity/trivy/discussions/new?category=adopters).
If you have any troubles/questions, feel free to ask.
Please ensure that you're not asking a duplicate question by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
- type:textarea
attributes:
label:Question
description:What kind of problem are you facing? Or, what questions do you have?
validations:
required:true
- type:dropdown
attributes:
label:Target
description:Which target are you scanning? It is equal to which subcommand you are using.
options:
- Container Image
- Filesystem
- Git Repository
- Virtual Machine Image
- Kubernetes
- AWS
- SBOM
validations:
required:false
- type:dropdown
attributes:
label:Scanner
description:Which scanner are you using?
options:
- Vulnerability
- Misconfiguration
- Secret
- License
validations:
required:false
- type:dropdown
attributes:
label:Output Format
description:Which output format are you using?
options:
- Table
- JSON
- Template
- SARIF
- CycloneDX
- SPDX
validations:
required:false
- type:dropdown
attributes:
label:Mode
description:Which mode are you using? Specify "Standalone" if you are not using `trivy server`.
options:
- Standalone
- Client/Server
validations:
required:false
- type:input
attributes:
label:Operating System
description:What operating system are you using?
placeholder:"Example: macOS Big Sur"
validations:
required:false
- type:textarea
attributes:
label:Version
description:Output of `trivy --version`
placeholder:"$ trivy --version"
render:bash
validations:
required:false
- type:markdown
attributes:
value:|
We would be happy if you could share how you are using Trivy [here](https://github.com/aquasecurity/trivy/discussions/new?category=adopters.
Trivy (`tri`pronounced like **tri**gger, `vy` pronounced like en**vy**) is a comprehensive security scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.
Trivy ([pronunciation][pronunciation]) is a comprehensive and versatile security scanner.
Trivy has *scanners* that look for security issues, and *targets* where it can find those issues.
Trivy has different *scanners* that look for different security issues, and different *targets* where it can find those issues.
Targets (what Trivy can scan):
Targets:
- Container Image
- Filesystem
- Git repository (remote)
-Kubernetes cluster or resource
- Git Repository (remote)
-Virtual Machine Image
- Kubernetes
- AWS
Scanners (what Trivy can find there):
Scanners:
- OS packages and software dependencies in use (SBOM)
- Known vulnerabilities (CVEs)
- IaC misconfigurations
- IaC issues and misconfigurations
- Sensitive information and secrets
- Software licenses
Much more scanners and targets are coming up. Missing something? Let us know!
Trivy supports most popular programming languages, operating systems, and platforms. For a complete list, see the [Scanning Coverage] page.
Read more in the [Trivy Documentation][docs]
To learn more, go to the [Trivy homepage][homepage] for feature highlights, or to the [Documentation site][docs] for detailed information.
## Quick Start
### Get Trivy
Get Trivy by your favorite installation method. See [installation] section in the documentation for details. For example:
Trivy is available in most common distribution channels. The full list of installation options is available in the [Installation] page. Here are a few popular examples:
-`apt-get install trivy`
-`yum install trivy`
-`brew install aquasecurity/trivy/trivy`
-`brew install trivy`
-`docker run aquasec/trivy`
- Download binary from https://github.com/aquasecurity/trivy/releases/latest/
- Download binary from <https://github.com/aquasecurity/trivy/releases/latest/>
- See [Installation] for more
Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the [Ecosystem] page. Here are a few popular examples:
There are canary builds ([Docker Hub](https://hub.docker.com/r/aquasec/trivy/tags?page=1&name=canary), [GitHub](https://github.com/aquasecurity/trivy/pkgs/container/trivy/75776514?tag=canary), [ECR](https://gallery.ecr.aws/aquasecurity/trivy#canary) images and [binaries](https://github.com/aquasecurity/trivy/actions/workflows/canary.yaml)) as generated every push to main branch.
Please be aware: canary builds might have critical bugs, it's not recommended for use in production.
Find out more in the [Trivy Documentation][docs] - [Getting Started][getting-started]
## FAQ
### How to pronounce the name "Trivy"?
## Highlights
`tri` is pronounced like **tri**gger, `vy` is pronounced like en**vy**.
- Comprehensive vulnerability detection
- OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- High accuracy, especially [Alpine Linux][alpine] and RHEL/CentOS
- Supply chain security (SBOM support)
- Support CycloneDX
- Support SPDX
- Misconfiguration detection (IaC scanning)
- Wide variety of security checks are provided **out of the box**
- Kubernetes, Docker, Terraform, and more
- User-defined policies using [OPA Rego][rego]
- Secret detection
- A wide variety of built-in rules are provided **out of the box**
- User-defined patterns
- Efficient scanning of container images
- Simple
- Available in apt, yum, brew, dockerhub
- **No pre-requisites** such as a database, system libraries, or eny environmental requirements. The binary runs anywhere.
- The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish instantaneously.
- Fits your workflow
- **Great for CI** such as GitHub Actions, Jenkins, GitLab CI, etc.
- Available as extension for IDEs such as vscode, jetbrains, vim
- Available as extension for Docker Desktop, Rancher Desktop
- See [integrations] section in the documentation.
## Want more? Check out Aqua
---
If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
You can find a high level comparison table specific to Trivy users [here](https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md).
In addition check out the <https://aquasec.com> website for more information about our products and services.
If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>
## Community
Trivy is an [Aqua Security][aquasec] open source project.
Learn about our open source work and portfolio [here][oss].
Contact us about any matter by opening a GitHub Discussion [here][discussions]
Join our [Slack community][slack] to stay up to date with community efforts.
Please ensure to abide by our [Code of Conduct][code-of-conduct] during all interactions.
This directory contains media assets, such as the Trivy logo.
Assets under this directory are provided under the Creative Commons - BY 4.0 License. For more details, see here: <https://creativecommons.org/licenses/by/4.0/>
Thank you for taking interest in contributing to Trivy!
Trivy uses [GitHub Discussion](https://github.com/aquasecurity/trivy/discussions) for bug reports, feature requests, and questions.
If maintainers decide to accept a new feature or confirm that it is a bug, they will close the discussion and create a [GitHub Issue](https://github.com/aquasecurity/trivy/issues) associated with that discussion.
- Feel free to open discussions for any reason. When you open a new discussion, you'll have to select a discussion category as described below.
- Please spend a small amount of time giving due diligence to the issue/discussion tracker. Your discussion might be a duplicate. If it is, please add your comment to the existing issue/discussion.
- Remember that users might search for your issue/discussion in the future, so please give it a meaningful title to help others.
- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
If you find any false positives or false negatives, please make sure to report them under the "False Detection" category, not "Bugs".
## False detection
Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#data-sources).
Sometime these databases contain mistakes.
If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
1. Run Trivy with `-f json` that shows data sources.
2. According to the shown data source, make sure that the security advisory in the data source is correct.
If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
### GitHub Advisory Database
Visit [here](https://github.com/advisories) and search CVE-ID.
If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
### GitLab Advisory Database
Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
### Red Hat CVE Database
Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.
Thank you for taking interest in contributing to Trivy!
- Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
- Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
- Remember that users might search for your issue in the future, so please give it a meaningful title to help others.
- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
## Wrong detection
Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/).
Sometime these databases contain mistakes.
If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
1. Run Trivy with `-f json` that shows data sources.
2. According to the shown data source, make sure that the security advisory in the data source is correct.
If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
### GitHub Advisory Database
Visit [here](https://github.com/advisories) and search CVE-ID.
If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
### GitLab Advisory Database
Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
### Red Hat CVE Database
Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.
Trivy uses [GitHub Discussion](./discussion.md) for bug reports, feature requests, and questions.
!!! warning
Issues created by non-maintainers will be immediately closed.
@@ -9,11 +9,71 @@ Thank you for taking interest in contributing to Trivy!
1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
1. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
### Title
## Development
Install the necessary tools for development by following their respective installation instructions.
- [Go](https://go.dev/doc/install)
- [Mage](https://magefile.org/)
### Build
After making changes to the Go source code, build the project with the following command:
```shell
$ mage build
$ ./trivy -h
```
### Lint
You must pass the linter checks:
```shell
$ mage lint:run
```
Additionally, you need to have run `go mod tidy`, so execute the following command as well:
```shell
$ mage tidy
```
To autofix linters use the following command:
```shell
$ mage lint:fix
```
### Unit tests
Your PR must pass all the unit tests. You can test it as below.
```
$ mage test:unit
```
### Integration tests
Your PR must pass all the integration tests. You can test it as below.
```
$ mage test:integration
```
### Documentation
If you update CLI flags, you need to generate the CLI references.
The test will fail if they are not up-to-date.
```shell
$ mage docs:generate
```
You can build the documents as below and view it at http://localhost:8000.
```
$ mage docs:serve
```
## Title
It is not that strict, but we use the title conventions in this repository.
Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
#### Format of the title
### Format of the title
```
<type>(<scope>): <subject>
@@ -42,6 +102,7 @@ checks:
- vuln
- misconf
- secret
- license
mode:
@@ -49,7 +110,10 @@ mode:
- fs
- repo
- sbom
- k8s
- server
- aws
- vm
os:
@@ -76,6 +140,8 @@ language:
- dotnet
- java
- go
- elixir
- dart
vuln:
@@ -101,16 +167,23 @@ cli:
- cli
- flag
SBOM:
- cyclonedx
- spdx
- purl
others:
- helm
- report
- db
- parser
- deps
The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
#### Example titles
### Example titles
```
feat(alma): add support for AlmaLinux
@@ -131,33 +204,15 @@ chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
### Unit tests
Your PR must pass all the unit tests. You can test it as below.
## Commits
```
$ make test
```
### Integration tests
Your PR must pass all the integration tests. You can test it as below.
```
$ make test-integration
```
### Documentation
You can build the documents as below and view it at http://localhost:8000.
```
$ make mkdocs-serve
```
## Understand where your pull request belongs
Trivy is composed of several repositories that work together:
- [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerability database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo**
- [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
- [go-dep-parser](https://github.com/aquasecurity/go-dep-parser) is a library for parsing lock files such as package-lock.json and Gemfile.lock.
This document outlines the guiding principles and governance framework for the Trivy project.
## Core Principles
Trivy is a security scanner focused on static analysis and designed with simplicity and security at its core.
All new proposals to the project must adhere to the following principles.
### Static Analysis (No Runtime Required)
Trivy operates without requiring container or VM image startups, eliminating the need for Docker or similar runtimes, except for scanning images stored within a container runtime.
This approach enhances security and efficiency by minimizing dependencies.
### External Dependency Free (Single Binary)
Operating as a single binary, Trivy is independent of external environments and avoids executing external OS commands or processes.
If specific functionality, like Maven's, is needed, Trivy opts for internal reimplementations or processing outputs of the tool without direct execution of external tools.
This approach obviously requires more effort but significantly reduces security risks associated with executing OS commands and dependency errors due to external environment versions.
Simplifying the scanner's use by making it operational immediately upon binary download facilitates easier initiation of scans.
### No Setup Required
Trivy must be ready to use immediately after installation.
It's unacceptable for Trivy not to function without setting up a database or writing configuration files by default.
Such setups should only be necessary for users requiring specific customizations.
Security often isn't a top priority for many organizations and can be easily deferred.
Trivy aims to lower the barrier to entry by simplifying the setup process, making it easier for users to start securing their projects.
### Security Focus
Trivy prioritizes the identification of security issues, excluding features unrelated to security, such as performance metrics or content listings of container images.
It can, however, produce and output intermediate representations like SBOMs for comprehensive security assessments.
Trivy serves as a tool with opinions on security, used to warn users about potential issues.
### Detecting Unintended States
Trivy is designed to detect unintended vulnerable states in projects, such as the use of vulnerable versions of dependencies or misconfigurations in Infrastructure as Code (IaC) that may unintentionally expose servers to the internet.
The focus is on identifying developer mistakes or undesirable states, not on detecting intentional attacks, such as malicious images and malware.
## Out of Scope Features
Aqua Security offers a premium version with several features not available in the open-source Trivy project.
While detailed information can be found [here][trivy-aqua], it's beneficial to highlight specific functionalities frequently inquired about:
### Runtime Security
As mentioned in [the Core Principles](#static-analysis-no-runtime-required), Trivy is a static analysis security scanner, making runtime security outside its scope.
Runtime security needs are addressed by [Tracee][tracee] or [the commercial version of Aqua Security]().
### Intentional Attacks
As mentioned in [the Core Principles](#detecting-unintended-states), detection of intentional attacks, such as malware or malicious container images, is not covered by Trivy and is supported in [the commercial version][aqua].
### User Interface
Trivy primarily operates via CLI for displaying results, with a richer UI available in [the commercial version][aqua].
The open source community has been hard at work developing new tools for Trivy. You can check out some of them here.
Have you created a tool that’s not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged.
| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links. |
You have to know where to put the DB files. The following command shows the default cache directory.
```
$ ssh user@host
$ trivy -h | grep cache
--cache-dir value cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
```
=== "Vulnerability db"
Put the DB file in the cache directory + `/db`.
```
$ mkdir -p /home/myuser/.cache/trivy/db
$ cd /home/myuser/.cache/trivy/db
$ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
x trivy.db
x metadata.json
$ rm /path/to/db.tar.gz
```
Put the DB file in the cache directory + `/db`.
=== "Java index db[^1]"
Put the DB file in the cache directory + `/java-db`.
```
$ mkdir -p /home/myuser/.cache/trivy/java-db
$ cd /home/myuser/.cache/trivy/java-db
$ tar xvf /path/to/javadb.tar.gz -C /home/myuser/.cache/trivy/java-db
x trivy-java.db
x metadata.json
$ rm /path/to/javadb.tar.gz
```
In an air-gapped environment it is your responsibility to update the Trivy databases on a regular basis, so that the scanner can detect recently-identified vulnerabilities.
### Run Trivy with the specific flags.
In an air-gapped environment, you have to specify `--skip-db-update` and `--skip-java-db-update`[^1] so that Trivy doesn't attempt to download the latest database files.
In addition, if you want to scan `pom.xml` dependencies, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
```
$ mkdir -p /home/myuser/.cache/trivy/db
$ cd /home/myuser/.cache/trivy/db
$ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
x trivy.db
x metadata.json
$ rm /path/to/db.tar.gz
```
In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities.
### Run Trivy with --skip-update and --offline-scan option
In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
This feature might change without preserving backwards compatibility.
Trivy’s compliance flag lets you curate a specific set of checks into a report. In a typical Trivy scan, there are hundreds of different checks for many different components and configurations, but sometimes you already know which specific checks you are interested in. Often this would be an industry accepted set of checks such as CIS, or some vendor specific guideline, or your own organization policy that you want to comply with. These are all possible using the flexible compliance infrastructure that's built into Trivy. Compliance reports are defined as simple YAML documents that select checks to include in the report.
## Usage
Compliance report is currently supported in the following targets (trivy sub-commands):
-`trivy image`
-`trivy aws`
-`trivy k8s`
Add the `--compliance` flag to the command line, and set it's value to desired report.
For example: `trivy k8s cluster --compliance k8s-nsa` (see below for built-in and custom reports)
### Options
The following flags are compatible with `--compliance` flag and allows customizing it's output:
You can create your own custom compliance report. A compliance report is a simple YAML document in the following format:
```yaml
spec:
id:"k8s-myreport"# report unique identifier. this should not container spaces.
title:"My custom Kubernetes report"# report title. Any one-line title.
description:"Describe your report"# description of the report. Any text.
relatedResources :
- https://some.url# useful references. URLs only.
version:"1.0"# spec version (string)
controls:
- name:"Non-root containers"# Name for the control (appears in the report as is). Any one-line name.
description:'Check that container is not running as root'# Description (appears in the report as is). Any text.
id:"1.0"# control identifier (string)
checks:# list of existing Trivy checks that define the control
- id:AVD-KSV-0012# check ID. Must start with `AVD-` or `CVE-`
severity:"MEDIUM"# Severity for the control (note that checks severity isn't used)
- name:"Immutable container file systems"
description:'Check that container root file system is immutable'
id:"1.1"
checks:
- id:AVD-KSV-0014
severity:"LOW"
```
The check id field (`controls[].checks[].id`) is referring to existing check by it's "AVD ID". This AVD ID is easily located in the check's source code metadata header, or by browsing [Aqua vulnerability DB](https://avd.aquasec.com/), specifically in the [Misconfigurations](https://avd.aquasec.com/misconfig/) and [Vulnerabilities](https://avd.aquasec.com/nvd) sections.
Once you have a compliance spec, you can select it by file path: `trivy --compliance @</path/to/compliance.yaml>` (note the `@` indicating file path instead of report id).
Trivy automatically adds the `trivy-db` schema version as a tag if the tag is not used:
`trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`.
## Java Index Database
The same options are also available for the Java index DB, which is used for scanning Java applications.
Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB.
!!! Note
In [Client/Server](../references/modes/client-server.md) mode, `Java index DB` is currently only used on the `client` side.
Downloading the Java index DB from an external OCI registry can be done by using the `--java-db-repository` option.
Trivy provides various methods for filtering the results.
```mermaid
flowchart LR
Issues("Detected\nIssues") --> Severity
subgraph Filtering
subgraph Prioritization
direction TB
Severity("By Severity") --> Status("By Status")
end
subgraph Suppression
Status --> Ignore("By Finding IDs")
Ignore --> Rego("By Rego")
Rego --> VEX("By VEX")
end
end
VEX --> Results
```
Similar to the functionality of filtering results, you can also limit the sub-targets for each scanner.
For information on these settings, please refer to the scanner-specific documentation ([vulnerability](../scanner/vulnerability.md) , [misconfiguration](../scanner/misconfiguration/index.md), etc.).
## Prioritization
You can filter the results by
- [Severity](#by-severity)
- [Status](#by-status)
### By Severity
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | ✓ |
| License | ✓ |
Use `--severity` option.
```bash
$ trivy image --severity HIGH,CRITICAL ruby:2.4.0
```
<details>
<summary>Result</summary>
```bash
2019-05-16T01:51:46.255+0900 INFO Updating vulnerability database...
2019-05-16T01:51:49.213+0900 INFO Detecting Debian vulnerabilities...
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
Trivy supports the following vulnerability statuses:
-`unknown`
-`not_affected`: this package is not affected by this vulnerability on this platform
-`affected`: this package is affected by this vulnerability on this platform, but there is no patch released yet
-`fixed`: this vulnerability is fixed on this platform
-`under_investigation`: it is currently unknown whether or not this vulnerability affects this package on this platform, and it is under investigation
-`will_not_fix`: this package is affected by this vulnerability on this platform, but there is currently no intention to fix it (this would primarily be for flaws that are of Low or Moderate impact that pose no significant risk to customers)
-`fix_deferred`: this package is affected by this vulnerability on this platform, and may be fixed in the future
-`end_of_life`: this package has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed
Note that vulnerabilities with the `unknown`, `not_affected` or `under_investigation` status are not detected.
These are only defined for comprehensiveness, and you will not have the opportunity to specify these statuses.
Some statuses are supported in limited distributions.
| OS | Fixed | Affected | Under Investigation | Will Not Fix | Fix Deferred | End of Life |
| id | ✓ | string | The identifier of the vulnerability, misconfiguration, secret, or license[^1]. |
| paths[^2] | | string array | The list of file paths to ignore. If `paths` is not set, the ignore finding is applied to all files. |
| purls | | string array | The list of PURLs to ignore packages. If `purls` is not set, the ignore finding is applied to all packages. This field is currently available only for vulnerabilities. |
| expired_at | | date (`yyyy-mm-dd`) | The expiration date of the ignore finding. If `expired_at` is not set, the ignore finding is always valid. |
| statement | | string | The reason for ignoring the finding. (This field is not used for filtering.) |
2023-08-31T11:10:27.155+0600 INFO Vulnerability scanning is enabled
2023-08-31T11:10:27.155+0600 INFO Secret scanning is enabled
2023-08-31T11:10:27.155+0600 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-31T11:10:27.155+0600 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-08-31T11:10:29.164+0600 INFO Detected OS: alpine
2023-08-31T11:10:29.164+0600 INFO Detecting Alpine vulnerabilities...
2023-08-31T11:10:29.169+0600 INFO Number of language-specific files: 1
2023-08-31T11:10:29.170+0600 INFO Detecting python-pkg vulnerabilities...
This feature might change without preserving backwards compatibility.
[Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) is a policy language that allows you to express decision logic in a concise syntax.
Rego is part of the popular [Open Policy Agent (OPA)](https://www.openpolicyagent.org) CNCF project.
For advanced filtering, Trivy allows you to use Rego language to filter vulnerabilities.
Use the `--ignore-policy` flag which takes a path to a Rego file that defines the filtering policy.
The Rego package name must be `trivy` and it must include a "rule" named `ignore` which determines if each individual scan result should be excluded (ignore=true) or not (ignore=false).
The `input` for the evaluation is each [DetectedVulnerability](https://github.com/aquasecurity/trivy/blob/00f2059e5d7bc2ca2e3e8b1562bdfede1ed570e3/pkg/types/vulnerability.go#L9) and [DetectedMisconfiguration](https://github.com/aquasecurity/trivy/blob/00f2059e5d7bc2ca2e3e8b1562bdfede1ed570e3/pkg/types/misconfiguration.go#L6).
A practical way to observe the filtering policy input in your case, is to run a scan with the `--format json` option and look at the resulting structure:
For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`.
More info about the helper functions are in the library [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go).
You can find more example policies [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go)
### By Vulnerability Exploitability Exchange (VEX)
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | |
| Secret | |
| License | |
Please refer to the [VEX documentation](../supply-chain/vex.md) for the details.
[^1]: license name is used as id for `.trivyignore.yaml` files.
[^2]: This doesn't work for os package licenses (e.g. apk, dpkg, rpm). For projects which manage dependencies through a dependency file (e.g. go.mod, yarn.lock) `path` should point to that particular file.
However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
@@ -60,45 +109,19 @@ Also, **glob-parent@3.1.0** with some vulnerabilities is included through chain
Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to resolve vulnerabilities in **follow-redirects@1.14.6** and **glob-parent@3.1.0**.
!!! note
Only Node.js (package-lock.json) is supported at the moment.
### JSON
## JSON
Similar structure is included in JSON output format
```json
"VulnerabilityID": "CVE-2022-0235",
"PkgID": "node-fetch@1.7.3",
"PkgName": "node-fetch",
"PkgParents": [
{
"ID": "isomorphic-fetch@2.2.1",
"Parents": [
{
"ID": "fbjs@0.8.18",
"Parents": [
{
"ID": "styled-components@3.1.3"
}
]
}
]
}
],
```
!!! caution
As of May 2022 the feature is supported for `npm` dependency parser only
It's possible to specify globs as part of the value.
```bash
$ trivy image --skip-dirs "./testdata/*" .
```
This will skip all subdirectories of the testdata directory.
```bash
$ trivy config --skip-dirs "**/.terraform" .
```
This will skip subdirectories at any depth named `.terraform/`. (Note: this will match `./foo/.terraform` or
`./foo/bar/.terraform`, but not `./.terraform`.)
!!! tip
Glob patterns work with any trivy subcommand (image, config, etc.) and can be specified to skip both directories (with `--skip-dirs`) and files (with `--skip-files`).
### Advanced globbing
Trivy also supports bash style [extended](https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Pattern-Matching) glob pattern matching.
```bash
$ trivy image --skip-files "**/foo" image:tag
```
This will skip the file `foo` that happens to be nested under any parent(s).
## File patterns
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | |
| License | ✓[^1] |
When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
The default file patterns are [here](../scanner/misconfiguration/custom/index.md).
In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
This can be repeated for specifying multiple file patterns.
A file pattern contains the analyzer it is used for, and the pattern itself, joined by a semicolon. For example:
Trivy supports two types of Helm scanning, templates and packaged charts.
The following scanners are supported.
| Format | [Misconfiguration] | [Secret] |
| -------- | :----------------: | :------: |
| Template | ✓ | ✓ |
| Chart | ✓ | - |
## Misconfiguration
Trivy recursively searches directories and scans all found Helm files.
It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks.
See [here](../../scanner/misconfiguration/policy/builtin.md) for more details on the built-in policies.
### Value overrides
There are a number of options for overriding values in Helm charts.
When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.
Whenever Trivy scans either of these Kubernetes resources, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
When scanning any of the above, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
Container image is scanned for:
- Vulnerabilities
- Misconfigurations
- Exposed secrets
Kubernetes resource definition is scanned for:
- Vulnerabilities - partially supported through [KBOM scanning](#KBOM)
- Misconfigurations
- Exposed secrets
To learn more, please see the [documentation for Kubernetes scanning](../target/kubernetes.md).
In order to detect dependencies, Trivy searches for `pubspec.lock`.
Trivy marks indirect dependencies, but `pubspec.lock` file doesn't have options to separate root and dev transitive dependencies.
So Trivy includes all dependencies in report.
To build `dependency tree` Trivy parses [cache directory][cache-directory]. Currently supported default directories and `PUB_CACHE` environment (absolute path only).
!!! note
Make sure the cache directory contains all the dependencies installed in your application. To download missing dependencies, use `dart pub get` command.
Trivy parses `*.deps.json` files. Trivy currently excludes dev dependencies from the report.
## packages.config
Trivy only finds dependency names and versions from `packages.config` files. To build dependency graph, it is better to use `packages.lock.json` files.
## *Packages.props
Trivy parses `*Packages.props` files. Both legacy `Packages.props` and modern `Directory.Packages.props` are supported.
### license detection
`packages.config` files don't have information about the licenses used.
Trivy uses [*.nuspec][nuspec] files from [global packages folder][global-packages] to detect licenses.
!!! note
The `licenseUrl` field is [deprecated][license-url]. Trivy doesn't parse this field and only checks the [license] field (license `expression` type only).
Currently only the default path and `NUGET_PACKAGES` environment variable are supported.
## packages.lock.json
Don't forgot to [enable][enable-lock] lock files in your project.
!!! tip
Please make sure your lock file is up-to-date after modifying dependencies.
This is because Trivy primarily categorizes targets into two groups:
- Pre-build
- Post-build
If the target is a pre-build project, like a code repository, Trivy will analyze files used for building, such as lock files.
On the other hand, when the target is a post-build artifact, like a container image, Trivy will analyze installed package metadata like `.gemspec`, binary files, and so on.
[^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
[^2]: `.dist-info/META-DATA`
[^3]: `envs/*/conda-meta/*.json`
[^4]: `*.jar`, `*.war`, `*.par` and `*.ear`
[^5]: ✅ means "enabled" and `-` means "disabled" in the image scanning
[^6]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
[^7]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
[^8]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
[^9]: ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in [json](../../configuration/reporting.md#json) and [sarif](../../configuration/reporting.md#sarif) formats. SARIF uses `startline == 1 and endline == 1` for unsupported file types
[^10]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#file-patterns)
[^11]: `Directory.Packages.props` and legacy `Packages.props` file names are supported
These may be enabled or disabled depending on the target.
See [here](./index.md) for the detail.
## JAR/WAR/PAR/EAR
To find information about your JAR[^2] file, Trivy parses `pom.properties` and `MANIFEST.MF` files in your JAR[^2] file and takes required properties[^3].
If those files don't exist or don't contain enough information - Trivy will try to find this JAR[^2] file in [trivy-java-db](https://github.com/aquasecurity/trivy-java-db).
The Java DB will be automatically downloaded/updated when any JAR[^2] file is found.
It is stored in [the cache directory](../../configuration/cache.md#cache-directory).
!!! warning "EXPERIMENTAL"
Finding JARs in `trivy-java-db` is an experimental function.
Base JAR[^2] may contain inner JARs[^2] within itself.
To find information about these JARs[^2], the same logic is used as for the base JAR[^2].
`table` format only contains the name of root JAR[^2] . To get the full path to inner JARs[^2] use the `json` format.
## pom.xml
Trivy parses your `pom.xml` file and tries to find files with dependencies from these local locations.
- project directory[^4]
- relativePath field[^5]
- local repository directory[^6].
If your machine doesn't have the necessary files - Trivy tries to find the information about these dependencies in the [maven repository](https://repo.maven.apache.org/maven2/).
!!! Note
Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the `maven repository`.
Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources-1).
You can disable connecting to the maven repository with the `--offline-scan` flag.
The `--offline-scan` flag does not affect the Trivy database.
The vulnerability database will be downloaded anyway.
!!! Warning
Trivy may skip some dependencies (that were not found on your local machine) when the `--offline-scan` flag is passed.
### maven-invoker-plugin
Typically, the integration tests directory (`**/[src|target]/it/*/pom.xml`) of [maven-invoker-plugin][maven-invoker-plugin] doesn't contain actual `pom.xml` files and should be skipped to avoid noise.
Trivy marks dependencies from these files as the development dependencies and skip them by default.
If you need to show them, use the `--include-dev-deps` flag.
## Gradle.lock
`gradle.lock` files only contain information about used dependencies.
!!!note
All necessary files are checked locally. Gradle file scanning doesn't require internet access.
### Dependency-tree
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Trivy finds child dependencies from `*.pom` files in the cache[^8] directory.
But there is no reliable way to determine direct dependencies (even using other files).
Therefore, we mark all dependencies as indirect to use logic to guess direct dependencies and build a dependency tree.
### Licenses
Trity also can detect licenses for dependencies.
Make sure that you have cache[^8] directory to find licenses from `*.pom` dependency files.
[^1]: Uses maven repository to get information about dependencies. Internet access required.
[^2]: It means `*.jar`, `*.war`, `*.par` and `*.ear` file
[^3]: `ArtifactID`, `GroupID` and `Version`
[^4]: e.g. when parent pom.xml file has `../pom.xml` path
[^5]: When you use dependency path in `relativePath` field in pom.xml file
[^6]: `/Users/<username>/.m2/repository` (for Linux and Mac) and `C:/Users/<username>/.m2/repository` (for Windows) by default
[^7]: To avoid confusion, Trivy only finds locations for direct dependencies from the base pom.xml file.
[^8]: The supported directories are `$GRADLE_USER_HOME/caches` and `$HOME/.gradle/caches` (`%HOMEPATH%\.gradle\caches` for Windows).
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
