gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-09 06:10:47 -08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: gitea-mirror:v0.51.1
Branches Tags
gitea-mirror:main gitea-mirror:gh-pages gitea-mirror:release-please--branches--main gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:release-please--branches--release/v0.68 gitea-mirror:release/v0.68 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:dependabot/go_modules/github.com/quic-go/quic-go-0.54.1 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1
..
compare: gitea-mirror:v0.50.2
Branches Tags
gitea-mirror:gh-pages gitea-mirror:release-please--branches--main gitea-mirror:main gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:release-please--branches--release/v0.68 gitea-mirror:release/v0.68 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:dependabot/go_modules/github.com/quic-go/quic-go-0.54.1 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1

4 Commits
v0.51.1 ... v0.50.2

Author SHA1 Message Date
DmitriyLewen
9aa9e173bf ci: use tmp dir inside Trivy repo dir for GoReleaser (#6533) 2024-04-22 17:24:10 +04:00
dependabot[bot]
058f4839db chore(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 (#6526) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2024-04-22 12:54:46 +04:00
l-qing
9e3d2c5f95 chore(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (#6523) 2024-04-22 12:52:20 +04:00
DmitriyLewen
2ad8e332e8 fix(java): update logic to detect pom.xml file snapshot artifacts from remote repositories (#6412) 2024-04-22 12:51:14 +04:00
585 changed files with 9542 additions and 20028 deletions
Expand all files Collapse all files

4
.github/workflows/auto-update-labels.yaml vendored
View File

@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout main
uses: actions/checkout@v4.1.4
uses: actions/checkout@v4.1.1
- name: Set up Go
uses: actions/setup-go@v5
@@ -20,7 +20,7 @@ jobs:
go-version-file: go.mod
- name: Install aqua tools
uses: aquaproj/aqua-installer@v3.0.0
uses: aquaproj/aqua-installer@v2.2.0
with:
aqua_version: v1.25.0

2
.github/workflows/canary.yaml vendored
View File

@@ -25,7 +25,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Restore Trivy binaries from cache
uses: actions/cache@v4.0.2
uses: actions/cache@v4.0.0
with:
path: dist/
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

2
.github/workflows/mkdocs-dev.yaml vendored
View File

@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout main
uses: actions/checkout@v4.1.4
uses: actions/checkout@v4.1.1
with:
fetch-depth: 0
persist-credentials: true

2
.github/workflows/mkdocs-latest.yaml vendored
View File

@@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout main
uses: actions/checkout@v4.1.4
uses: actions/checkout@v4.1.1
with:
fetch-depth: 0
persist-credentials: true

6
.github/workflows/publish-chart.yaml vendored
View File

@@ -22,11 +22,11 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4.1.4
uses: actions/checkout@v4.1.1
with:
fetch-depth: 0
- name: Install Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
with:
version: v3.5.0
- name: Set up python
@@ -55,7 +55,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4.1.4
uses: actions/checkout@v4.1.1
with:
fetch-depth: 0
- name: Install chart-releaser

6
.github/workflows/release.yaml vendored
View File

@@ -19,12 +19,12 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v4.1.4
uses: actions/checkout@v4.1.1
with:
fetch-depth: 0
- name: Restore Trivy binaries from cache
uses: actions/cache@v4.0.2
uses: actions/cache@v4.0.0
with:
path: dist/
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
@@ -35,7 +35,7 @@ jobs:
sudo apt-get -y install rpm reprepro createrepo-c distro-info
- name: Checkout trivy-repo
uses: actions/checkout@v4.1.4
uses: actions/checkout@v4.1.1
with:
repository: ${{ github.repository_owner }}/trivy-repo
path: trivy-repo

7
.github/workflows/reusable-release.yaml vendored
View File

@@ -36,7 +36,7 @@ jobs:
remove-haskell: 'true'
- name: Cosign install
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
@@ -69,7 +69,7 @@ jobs:
password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
- name: Checkout code
uses: actions/checkout@v4.1.4
uses: actions/checkout@v4.1.1
with:
fetch-depth: 0
@@ -77,7 +77,6 @@ jobs:
uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.
- name: Generate SBOM
uses: CycloneDX/gh-gomod-generate-sbom@v2
@@ -128,7 +127,7 @@ jobs:
public.ecr.aws/aquasecurity/trivy:canary
- name: Cache Trivy binaries
uses: actions/cache@v4.0.2
uses: actions/cache@v4.0.0
with:
path: dist/
# use 'github.sha' to create a unique cache folder for each run.

8
.github/workflows/roadmap.yaml vendored
View File

@@ -11,7 +11,7 @@ jobs:
runs-on: ubuntu-latest
steps:
# 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
- uses: actions/add-to-project@v1.0.0 # add new issue to project
- uses: actions/add-to-project@v0.4.1 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -28,7 +28,7 @@ jobs:
field-values: Backlog
# 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
- uses: actions/add-to-project@v1.0.0 # add new issue to project
- uses: actions/add-to-project@v0.4.1 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -45,7 +45,7 @@ jobs:
field-values: Important (long-term)
# 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
- uses: actions/add-to-project@v1.0.0 # add new issue to project
- uses: actions/add-to-project@v0.4.1 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -62,7 +62,7 @@ jobs:
field-values: Important (soon)
# 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
- uses: actions/add-to-project@v1.0.0 # add new issue to project
- uses: actions/add-to-project@v0.4.1 # add new issue to project
with:
project-url: https://github.com/orgs/aquasecurity/projects/25
github-token: ${{ secrets.ORG_PROJECT_TOKEN }}

2
.github/workflows/scan.yaml vendored
View File

@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4.1.4
uses: actions/checkout@v4.1.1
- name: Run Trivy vulnerability scanner and create GitHub issues
uses: knqyf263/trivy-issue-action@v0.0.5

1
.github/workflows/semantic-pr.yaml vendored
View File

@@ -75,7 +75,6 @@ jobs:
dart
swift
bitnami
conda
os
lang

2
.github/workflows/test-docs.yaml vendored
View File

@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4.1.4
uses: actions/checkout@v4.1.1
with:
fetch-depth: 0
persist-credentials: true

26
.github/workflows/test.yaml vendored
View File

@@ -25,7 +25,7 @@ jobs:
remove-haskell: "true"
if: matrix.operating-system == 'ubuntu-latest'
- uses: actions/checkout@v4.1.4
- uses: actions/checkout@v4.1.1
- name: Set up Go
uses: actions/setup-go@v5
@@ -45,8 +45,8 @@ jobs:
id: lint
uses: golangci/golangci-lint-action@v4.0.0
with:
version: v1.57
args: --timeout=30m --out-format=line-number
version: v1.54
args: --deadline=30m --out-format=line-number
skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
if: matrix.operating-system == 'ubuntu-latest'
@@ -57,7 +57,7 @@ jobs:
if: ${{ failure() && steps.lint.conclusion == 'failure' }}
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.0
uses: aquaproj/aqua-installer@v2.2.0
with:
aqua_version: v1.25.0
aqua_opts: ""
@@ -79,7 +79,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4.1.4
uses: actions/checkout@v4.1.1
- name: Set up Go
uses: actions/setup-go@v5
@@ -87,7 +87,7 @@ jobs:
go-version-file: go.mod
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.0
uses: aquaproj/aqua-installer@v2.2.0
with:
aqua_version: v1.25.0
@@ -108,7 +108,7 @@ jobs:
remove-haskell: "true"
- name: Check out code into the Go module directory
uses: actions/checkout@v4.1.4
uses: actions/checkout@v4.1.1
- name: Set up Go
uses: actions/setup-go@v5
@@ -116,7 +116,7 @@ jobs:
go-version-file: go.mod
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.0
uses: aquaproj/aqua-installer@v2.2.0
with:
aqua_version: v1.25.0
@@ -128,7 +128,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4.1.4
uses: actions/checkout@v4.1.1
- name: Set up Go
uses: actions/setup-go@v5
@@ -136,7 +136,7 @@ jobs:
go-version-file: go.mod
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.0
uses: aquaproj/aqua-installer@v2.2.0
with:
aqua_version: v1.25.0
@@ -159,14 +159,14 @@ jobs:
remove-haskell: 'true'
- name: Checkout
uses: actions/checkout@v4.1.4
uses: actions/checkout@v4.1.1
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.0
uses: aquaproj/aqua-installer@v2.2.0
with:
aqua_version: v1.25.0
- name: Run vm integration tests
@@ -193,7 +193,7 @@ jobs:
if: matrix.operating-system == 'ubuntu-latest'
- name: Checkout
uses: actions/checkout@v4.1.4
uses: actions/checkout@v4.1.1
- name: Set up Go
uses: actions/setup-go@v5

10
.golangci.yaml
View File

@@ -88,16 +88,14 @@ linters:
- gocritic
run:
go: '1.22'
issues:
exclude-files:
go: '1.21'
skip-files:
- ".*_mock.go$"
- ".*_test.go$"
- "integration/*"
- "examples/*"
exclude-dirs:
- "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
issues:
exclude-rules:
- linters:
- gosec

6
Dockerfile.protoc
View File

@@ -1,4 +1,4 @@
FROM --platform=linux/amd64 golang:1.22
FROM --platform=linux/amd64 golang:1.21
# Set environment variable for protoc
ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
@@ -14,7 +14,7 @@ RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/down
# Install Go tools
RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.34.0
RUN go install github.com/magefile/mage@v1.15.0
RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
RUN go install github.com/magefile/mage@v1.14.0
ENV TRIVY_PROTOC_CONTAINER=true

2
aqua.yaml
View File

@@ -5,6 +5,6 @@ registries:
- type: standard
ref: v3.157.0 # renovate: depName=aquaproj/aqua-registry
packages:
- name: tinygo-org/tinygo@v0.31.1
- name: tinygo-org/tinygo@v0.29.0
- name: WebAssembly/binaryen@version_112
- name: magefile/mage@v1.14.0

8
cmd/trivy/main.go
View File

@@ -2,7 +2,6 @@ package main
import (
"context"
"errors"
"os"
"golang.org/x/xerrors"
@@ -10,18 +9,13 @@ import (
"github.com/aquasecurity/trivy/pkg/commands"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/plugin"
"github.com/aquasecurity/trivy/pkg/types"
_ "modernc.org/sqlite" // sqlite driver for RPM DB and Java DB
)
func main() {
if err := run(); err != nil {
var exitError *types.ExitError
if errors.As(err, &exitError) {
os.Exit(exitError.Code)
}
log.Fatal("Fatal error", log.Err(err))
log.Fatal(err)
}
}

2
docs/docs/advanced/air-gap.md
View File

@@ -137,6 +137,6 @@ $ trivy conf --skip-policy-update /path/to/conf
```
[allowlist]: ../references/troubleshooting.md
[oras]: https://oras.land/docs/installation
[oras]: https://oras.land/cli/
[^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../coverage/language/java.md)

2
docs/docs/configuration/cache.md
View File

@@ -70,7 +70,7 @@ $ trivy server --cache-backend redis://localhost:6379 \
[trivy-db]: ./db.md#vulnerability-database
[trivy-java-db]: ./db.md#java-index-database
[misconf-policies]: ../scanner/misconfiguration/check/builtin.md
[misconf-policies]: ../scanner/misconfiguration/policy/builtin.md
[^1]: Downloaded when scanning for vulnerabilities
[^2]: Downloaded when scanning `jar/war/par/ear` files

3
docs/docs/configuration/filtering.md
View File

@@ -237,9 +237,6 @@ You can filter the results by
To show the suppressed results, use the `--show-suppressed` flag.
!!! note
This flag is currently available only in the table format.
```bash
$ trivy image --vex debian11.csaf.vex --ignorefile .trivyignore.yaml --show-suppressed debian:11
...

2
docs/docs/coverage/iac/helm.md
View File

@@ -11,7 +11,7 @@ The following scanners are supported.
Trivy recursively searches directories and scans all found Helm files.
It evaluates variables, functions, and other elements within Helm templates and resolve the chart to Kubernetes manifests then run the Kubernetes checks.
See [here](../../scanner/misconfiguration/check/builtin.md) for more details on the built-in policies.
See [here](../../scanner/misconfiguration/policy/builtin.md) for more details on the built-in policies.
### Value overrides
There are a number of options for overriding values in Helm charts.

29
docs/docs/coverage/language/c.md
View File

@@ -1,34 +1,23 @@
# C/C++
Trivy supports Conan C/C++ Package Manager ([v1][conanV1] and [v2][conanV2] with limitations).
Trivy supports [Conan][conan] C/C++ Package Manager.
The following scanners are supported.
| Package manager | SBOM | Vulnerability | License |
|-----------------|:----:|:-------------:|:-------:|
| Conan | ✓ | ✓ | ✓[^1] |
| Package manager | SBOM | Vulnerability | License |
| --------------- | :---: | :-----------: | :-----: |
| Conan | ✓ | ✓ | - |
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
|-----------------------|----------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
| Conan (lockfile v1) | conan.lock[^2] | ✓ | Excluded | ✓ | ✓ |
| Conan (lockfile v2) | conan.lock[^2] | ✓ [^3] | Excluded | - | ✓ |
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
| --------------- | -------------- | :---------------------: | :--------------: | :----------------------------------: | :------: |
| Conan | conan.lock[^1] | ✓ | Excluded | ✓ | ✓ |
## Conan
In order to detect dependencies, Trivy searches for `conan.lock`[^1].
[conanV1]: https://docs.conan.io/1/index.html
[conanV2]: https://docs.conan.io/2/
### Licenses
The Conan lock file doesn't contain any license information.
To obtain licenses we parse the `conanfile.py` files from the [conan cache directory][conan-cache-dir].
To correctly detection licenses, ensure that the cache directory contains all dependencies used.
[conan-cache-dir]: https://docs.conan.io/1/mastering/custom_cache.html
[conan]: https://docs.conan.io/1/index.html
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[^1]: The local cache should contain the dependencies used. See [licenses](#licenses).
[^2]: `conan.lock` is default name. To scan a custom filename use [file-patterns](../../configuration/skipping.md#file-patterns).
[^3]: For `conan.lock` in version 2, indirect dependencies are included in analysis but not flagged explicitly in dependency tree
[^1]: `conan.lock` is default name. To scan a custom filename use [file-patterns](../../configuration/skipping.md#file-patterns)

27
docs/docs/coverage/language/golang.md
View File

@@ -1,9 +1,5 @@
# Go
## Data Sources
The data sources are listed [here](../../scanner/vulnerability.md#data-sources-1).
Trivy uses Go Vulnerability Database for standard packages, such as `net/http`, and uses GitHub Advisory Database for third-party packages.
## Features
Trivy supports two types of Go scanning, Go Modules and binaries built by Go.
@@ -16,10 +12,10 @@ The following scanners are supported.
The table below provides an outline of the features Trivy offers.
| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib |
|----------|:-----------:|:-----------------|:------------------------------------:|:------:|
| Modules | ✅ | Include | ✅[^2] | - |
| Binaries | ✅ | Exclude | - | ✅[^4] |
| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] |
|----------|:-----------:|:-----------------|:----------------------------------:|
| Modules | ✅ | Include | ✅[^2] |
| Binaries | ✅ | Exclude | - |
!!! note
Trivy scans only dependencies of the Go project.
@@ -78,20 +74,7 @@ $ trivy rootfs ./your_binary
!!! note
It doesn't work with UPX-compressed binaries.
#### Empty versions
There are times when Go uses the `(devel)` version for modules/dependencies.
- Only Go binaries installed using the `go install` command contain correct (semver) version for the main module.
In other cases, Go uses the `(devel)` version[^3].
- Dependencies replaced with local ones use the `(devel)` versions.
In the first case, Trivy will attempt to parse any `-ldflags` as a secondary source, and will leave the version
empty if it cannot do so[^5]. For the second case, the version of such packages is empty.
[^1]: It doesn't require the Internet access.
[^2]: Need to download modules to local cache beforehand
[^3]: See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477
[^4]: Identify the Go version used to compile the binary and detect its vulnerabilities
[^5]: See https://github.com/golang/go/issues/63432#issuecomment-1751610604
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies

4
docs/docs/coverage/language/nodejs.md
View File

@@ -55,9 +55,6 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
### pnpm
Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.
!!! note
Trivy currently only supports Lockfile [v6][pnpm-lockfile-v6] or earlier.
### Bun
Trivy supports scanning `yarn.lock` files generated by [Bun](https://bun.sh/docs/install/lockfile#how-do-i-inspect-bun-s-lockfile). You can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock`.
@@ -72,6 +69,5 @@ Trivy searches for `package.json` files under `node_modules` and identifies inst
It only extracts package names, versions and licenses for those packages.
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[pnpm-lockfile-v6]: https://github.com/pnpm/spec/blob/fd3238639af86c09b7032cc942bab3438b497036/lockfile/6.0.md
[^1]: [yarn.lock](#bun) must be generated

36
docs/docs/coverage/os/conda.md
View File

@@ -1,36 +0,0 @@
# Conda
Trivy supports the following scanners for Conda packages.
| Scanner | Supported |
|:-------------:|:---------:|
| SBOM | ✓ |
| Vulnerability | - |
| License | ✓[^1] |
## SBOM
Trivy detects packages that have been installed with `Conda`.
### `<package>.json`
Trivy parses `<conda-root>/envs/<env>/conda-meta/<package>.json` files to find the version and license for the dependencies installed in your env.
### `environment.yml`[^2]
Trivy supports parsing [environment.yml][environment.yml][^2] files to find dependency list.
!!! note
License detection is currently not supported.
`environment.yml`[^2] files supports [version range][env-version-range]. We can't be sure about versions for these dependencies.
Therefore, you need to use `conda env export` command to get dependency list in `Conda` default format before scanning `environment.yml`[^2] file.
!!! note
For dependencies in a non-Conda format, Trivy doesn't include a version of them.
[^1]: License detection is only supported for `<package>.json` files
[^2]: Trivy supports both `yaml` and `yml` extensions.
[environment.yml]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#sharing-an-environment
[env-version-range]: https://docs.conda.io/projects/conda-build/en/latest/resources/package-spec.html#examples-of-package-specs

35
docs/docs/coverage/os/index.md
View File

@@ -9,24 +9,23 @@ Trivy supports operating systems for
## Supported OS
| OS | Supported Versions | Package Managers |
|--------------------------------------|-------------------------------------|------------------|
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.19, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm |
| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm |
| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm |
| [CBL-Mariner](cbl-mariner.md) | 1.0, 2.0 | dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
| [OSs with installed Conda](conda.md) | - | conda |
| OS | Supported Versions | Package Managers |
|-----------------------------------------------|-------------------------------------|------------------|
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.19, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm |
| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm |
| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm |
| [CBL-Mariner](cbl-mariner.md) | 1.0, 2.0 | dnf/yum/rpm |
| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm |
| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm |
| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
## Supported container images

16
docs/docs/references/configuration/cli/trivy_aws.md
View File

@@ -69,17 +69,13 @@ trivy aws [flags]
--account string The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts.
--arn string The AWS ARN to show results for. Useful to filter results once a scan is cached.
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--compliance string compliance report to generate (aws-cis-1.2,aws-cis-1.4)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--endpoint string AWS Endpoint override
--exit-code int specify exit code when any security issues are found
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -89,16 +85,18 @@ trivy aws [flags]
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--max-cache-age duration The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this. (default 24h0m0s)
--max-cache-age duration The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--policy-namespaces strings Rego namespaces
--region string AWS Region to scan
--report string specify a report format for the output (all,summary) (default "all")
--reset-checks-bundle remove checks bundle
--reset-policy-bundle remove policy bundle
--service strings Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-check-update skip fetching rego check updates
--skip-policy-update skip fetching rego policy updates
--skip-service strings Skip selected AWS Service(s) specified with this flag. Can specify multiple services using --skip-service A --skip-service B etc.
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules

14
docs/docs/references/configuration/cli/trivy_config.md
View File

@@ -12,18 +12,14 @@ trivy config [flags] DIR
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files
--enable-modules strings [EXPERIMENTAL] module names to enable
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -38,17 +34,19 @@ trivy config [flags] DIR
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--report string specify a compliance report format for the output (all,summary) (default "all")
--reset-checks-bundle remove checks bundle
--reset-policy-bundle remove policy bundle
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-check-update skip fetching rego check updates
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-policy-update skip fetching rego policy updates
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--tf-vars strings specify paths to override the Terraform tfvars files

14
docs/docs/references/configuration/cli/trivy_filesystem.md
View File

@@ -22,12 +22,10 @@ trivy filesystem [flags] PATH
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
@@ -37,8 +35,6 @@ trivy filesystem [flags] PATH
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -63,6 +59,8 @@ trivy filesystem [flags] PATH
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
@@ -71,18 +69,18 @@ trivy filesystem [flags] PATH
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--report string specify a compliance report format for the output (all,summary) (default "all")
--reset remove all caches and database
--reset-checks-bundle remove checks bundle
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-check-update skip fetching rego check updates
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--tf-vars strings specify paths to override the Terraform tfvars files

14
docs/docs/references/configuration/cli/trivy_image.md
View File

@@ -36,12 +36,10 @@ trivy image [flags] IMAGE_NAME
```
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate (docker-cis)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
@@ -53,8 +51,6 @@ trivy image [flags] IMAGE_NAME
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -83,6 +79,8 @@ trivy image [flags] IMAGE_NAME
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--platform string set platform in the form os/arch if image is multi-platform capable
--podman-host string unix podman socket path to use for podman scanning
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
@@ -92,18 +90,18 @@ trivy image [flags] IMAGE_NAME
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine)
--report string specify a format for the compliance report. (all,summary) (default "summary")
--reset remove all caches and database
--reset-checks-bundle remove checks bundle
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-check-update skip fetching rego check updates
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--token string for authentication in client/server mode

46
docs/docs/references/configuration/cli/trivy_kubernetes.md
View File

@@ -2,56 +2,50 @@
[EXPERIMENTAL] Scan kubernetes cluster
### Synopsis
Default context in kube configuration will be used unless specified
```
trivy kubernetes [flags] [CONTEXT]
trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: pods, pod/NAME }
```
### Examples
```
# cluster scanning
$ trivy k8s --report summary
$ trivy k8s --report summary cluster
# cluster scanning with specific namespace:
$ trivy k8s --include-namespaces kube-system --report summary
# namespace scanning:
$ trivy k8s -n kube-system --report summary all
# cluster with specific context:
$ trivy k8s kind-kind --report summary
# resources scanning:
$ trivy k8s --report=summary deploy
$ trivy k8s --namespace=kube-system --report=summary deploy,configmaps
# resource scanning:
$ trivy k8s deployment/orion
```
### Options
```
-A, --all-namespaces fetch resources from all cluster namespaces
--burst int specify the maximum burst for throttle (default 10)
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate (k8s-nsa,k8s-cis,k8s-pss-baseline,k8s-pss-restricted)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--components strings specify which components to scan (workload,infra) (default [workload,infra])
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files
--context string specify a context to scan
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--disable-node-collector When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--exclude-kinds strings indicate the kinds exclude from scanning (example: node)
--exclude-namespaces strings indicate the namespaces excluded from scanning (example: kube-system)
--exclude-nodes strings indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)
--exclude-owned exclude resources that have an owner reference
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table,json,cyclonedx) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -62,14 +56,13 @@ trivy kubernetes [flags] [CONTEXT]
--ignore-unfixed display only fixed vulnerabilities
--ignorefile string specify .trivyignore file (default ".trivyignore")
--image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
--include-kinds strings indicate the kinds included in scanning (example: node)
--include-namespaces strings indicate the namespaces included in scanning (example: kube-system)
--include-non-failures include successes and exceptions, available with '--scanners misconfig'
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--kubeconfig string specify the kubeconfig file path to use
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
-n, --namespace string specify a namespace to scan
--no-progress suppress progress bar
--node-collector-imageref string indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.0.9")
--node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default "trivy-temp")
@@ -78,6 +71,8 @@ trivy kubernetes [flags] [CONTEXT]
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--policy-namespaces strings Rego namespaces
--qps float specify the maximum QPS to the master from this client (default 5)
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
@@ -87,18 +82,17 @@ trivy kubernetes [flags] [CONTEXT]
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--report string specify a report format for the output (all,summary) (default "all")
--reset remove all caches and database
--reset-checks-bundle remove checks bundle
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-check-update skip fetching rego check updates
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-images skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--tolerations strings specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)

14
docs/docs/references/configuration/cli/trivy_repository.md
View File

@@ -22,12 +22,10 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--commit string pass the commit hash to be scanned
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
@@ -37,8 +35,6 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -63,6 +59,8 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
@@ -70,18 +68,18 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--reset-checks-bundle remove checks bundle
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-check-update skip fetching rego check updates
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
--tag string pass the tag name to be scanned
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules

14
docs/docs/references/configuration/cli/trivy_rootfs.md
View File

@@ -25,11 +25,9 @@ trivy rootfs [flags] ROOTDIR
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-data strings specify paths from which data for the Rego policies will be recursively loaded
--config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
@@ -40,8 +38,6 @@ trivy rootfs [flags] ROOTDIR
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -65,6 +61,8 @@ trivy rootfs [flags] ROOTDIR
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--policy-namespaces strings Rego namespaces
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
@@ -72,18 +70,18 @@ trivy rootfs [flags] ROOTDIR
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--reset-checks-bundle remove checks bundle
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-check-update skip fetching rego check updates
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-policy-update skip fetching rego policy updates
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--tf-vars strings specify paths to override the Terraform tfvars files

6
docs/docs/references/configuration/cli/trivy_vm.md
View File

@@ -23,7 +23,6 @@ trivy vm [flags] VM_IMAGE
--aws-region string AWS region to scan
--cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--clear-cache clear image caches without scanning
--compliance string compliance report to generate
--custom-headers strings custom headers in client mode
@@ -36,8 +35,6 @@ trivy vm [flags] VM_IMAGE
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -57,13 +54,14 @@ trivy vm [flags] VM_IMAGE
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--reset-checks-bundle remove checks bundle
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")

248
docs/docs/references/configuration/config-file.md
View File

@@ -81,15 +81,6 @@ severity:
- MEDIUM
- HIGH
- CRITICAL
scan:
# Same as '--compliance'
# Default is empty
compliance:
# Same as '--show-suppressed'
# Default is false
show-suppressed: false
```
## Scan Options
@@ -115,7 +106,7 @@ scan:
# Same as '--offline-scan'
# Default is false
offline: false
offline-scan: false
# Same as '--scanners'
# Default depends on subcommand
@@ -124,24 +115,6 @@ scan:
- misconfig
- secret
- license
-
# Same as '--parallel'
# Default is 5
parallel: 1
# Same as '--sbom-sources'
# Default is empty
sbom-sources:
- oci
- rekor
# Same as '--rekor-url'
# Default is 'https://rekor.sigstore.dev'
rekor-url: https://rekor.sigstore.dev
# Same as '--include-dev-deps'
# Default is false
include-dev-deps: false
```
## Cache Options
@@ -158,9 +131,6 @@ cache:
# Redis options
redis:
# Same as '--redis-tls'
# Default is false
tls:
# Same as '--redis-ca'
# Default is empty
ca:
@@ -178,25 +148,21 @@ cache:
```yaml
db:
# Same as '--no-progress'
# Default is false
no-progress: false
# Same as '--skip-db-update'
# Default is false
skip-update: false
# Same as '--db-repository'
# Default is 'ghcr.io/aquasecurity/trivy-db:2'
repository: ghcr.io/aquasecurity/trivy-db:2
# Same as '--skip-java-db-update'
# Same as '--no-progress'
# Default is false
java-skip-update: false
no-progress: false
# Same as '--db-repository'
# Default is 'ghcr.io/aquasecurity/trivy-db'
repository: ghcr.io/aquasecurity/trivy-db
# Same as '--java-db-repository'
# Default is 'ghcr.io/aquasecurity/trivy-java-db:1'
java-repository: ghcr.io/aquasecurity/trivy-java-db:1
# Default is 'ghcr.io/aquasecurity/trivy-java-db'
java-repository: ghcr.io/aquasecurity/trivy-java-db
```
## Registry Options
@@ -231,19 +197,7 @@ image:
# Same as '--platform'
# Default is empty
platform:
# Same as '--image-src'
# Default is 'docker,containerd,podman,remote'
source:
- podman
- docker
# Same as '--image-config-scanners'
# Default is empty
image-config-scanners:
- misconfig
- secret
platform:
docker:
# Same as '--docker-host'
@@ -270,67 +224,6 @@ vulnerability:
# Same as '--ignore-unfixed'
# Default is false
ignore-unfixed: false
# Same as '--ignore-unfixed'
# Default is empty
ignore-status:
- end_of_life
```
## License Options
Available with license scanning
```yaml
license:
# Same as '--license-full'
# Default is false
full: false
# Same as '--ignored-licenses'
# Default is empty
ignored:
- MPL-2.0
- MIT
# Same as '--license-confidence-level'
# Default is 0.9
confidenceLevel: 0.9
# Set list of forbidden licenses
# Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L171
forbidden:
- AGPL-1.0
- AGPL-3.0
# Set list of restricted licenses
# Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L199
restricted:
- AGPL-1.0
- AGPL-3.0
# Set list of reciprocal licenses
# Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L238
reciprocal:
- AGPL-1.0
- AGPL-3.0
# Set list of notice licenses
# Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L260
notice:
- AGPL-1.0
- AGPL-3.0
# Set list of permissive licenses
# Default is empty
permissive:
- AGPL-1.0
- AGPL-3.0
# Set list of unencumbered licenses
# Default is https://github.com/aquasecurity/trivy/blob/164b025413c5fb9c6759491e9a306b46b869be93/pkg/licensing/category.go#L334
unencumbered:
- AGPL-1.0
- AGPL-3.0
```
## Secret Options
@@ -346,15 +239,11 @@ secret:
## Rego Options
```yaml
rego:
rego
# Same as '--trace'
# Default is false
trace: false
# Same as '--skip-policy-update'
# Default is false
skip-policy-update: false
# Same as '--config-policy'
# Default is empty
policy:
@@ -382,10 +271,6 @@ misconfiguration:
# Same as '--include-non-failures'
# Default is false
include-non-failures: false
# Same as '--policy-bundle-repository'
# Default is 'ghcr.io/aquasecurity/trivy-checks:0'
policy-bundle-repository: ghcr.io/aquasecurity/trivy-checks:0
# Same as '--miconfig-scanners'
# Default is all scanners
@@ -394,46 +279,36 @@ misconfiguration:
- terraform
# helm value override configurations
# set individual values
helm:
# set individual values
set:
- securityContext.runAsUser=10001
# set values with file
# set values with file
helm:
values:
- overrides.yaml
# set specific values from specific files
# set specific values from specific files
helm:
set-file:
- image=dev-overrides.yaml
# set as string and preserve type
# set as string and preserve type
helm:
set-string:
- name=true
# Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command.
api-versions:
- policy/v1/PodDisruptionBudget
- apps/v1/Deployment
# Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
kube-version: "v1.21.0"
# terraform tfvars overrrides
terraform:
vars:
- dev-terraform.tfvars
- common-terraform.tfvars
# Same as '--tf-exclude-downloaded-modules'
# Default is false
# Same as '--tf-exclude-downloaded-modules'
# Default is false
terraform:
exclude-downloaded-modules: false
# Same as '--cf-params'
# Default is false
cloudformation:
params:
- params.json
```
## Kubernetes Options
@@ -448,58 +323,6 @@ kubernetes:
# Same as '--namespace'
# Default is empty
namespace:
# Same as '--kubeconfig'
# Default is empty
kubeconfig: ~/.kube/config2
# Same as '--components'
# Default is 'workload,infra'
components:
- workload
- infra
# Same as '--k8s-version'
# Default is empty
k8s-version: 1.21.0
# Same as '--tolerations'
# Default is empty
tolerations:
- key1=value1:NoExecute
- key2=value2:NoSchedule
# Same as '--all-namespaces'
# Default is false
all-namespaces: false
node-collector:
# Same as '--node-collector-namespace'
# Default is 'trivy-temp'
namespace: ~/.kube/config2
# Same as '--node-collector-imageref'
# Default is 'ghcr.io/aquasecurity/node-collector:0.0.9'
imageref: ghcr.io/aquasecurity/node-collector:0.0.9
exclude:
# Same as '--exclude-owned'
# Default is false
owned: true
# Same as '--exclude-nodes'
# Default is empty
nodes:
- kubernetes.io/arch:arm64
- team:dev
# Same as '--qps'
# Default is 5.0
qps: 5.0
# Same as '--burst'
# Default is 10
burst: 10
```
## Repository Options
@@ -570,35 +393,6 @@ cloud:
# the aws account to use (this will be determined from your environment when not set)
account: 123456789012
# the aws specific services
service:
- s3
- ec2
# the aws specific arn
arn: arn:aws:s3:::example-bucket
# skip the aws specific services
skip-service:
- s3
- ec2
```
## Module Options
Available for modules
```yaml
module:
# Same as '--module-dir'
# Default is '$HOME/.trivy/modules'
dir: $HOME/.trivy/modules
# Same as '--enable-modules'
# Default is empty
enable-modules:
- trivy-module-spring4shell
- trivy-module-wordpress
```
[example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml

21
docs/docs/scanner/misconfiguration/check/builtin.md
View File

@@ -1,21 +0,0 @@
# Built-in Checks
## Check Sources
Built-in checks are mainly written in [Rego][rego] and Go.
Those checks are managed under [trivy-checks repository][trivy-checks].
See [here](../../../coverage/iac/index.md) for the list of supported config types.
For suggestions or issues regarding policy content, please open an issue under the [trivy-checks][trivy-checks] repository.
## Check Distribution
Trivy checks are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
Those checks are then loaded into Trivy OPA engine and used for detecting misconfigurations.
If Trivy is unable to pull down newer checks, it will use the embedded set of checks as a fallback. This is also the case in air-gap environments where `--skip-policy-update` might be passed.
## Update Interval
Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
[trivy-checks]: https://github.com/aquasecurity/trivy-checks
[ghcr]: https://github.com/aquasecurity/trivy-checks/pkgs/container/trivy-checks

3
docs/docs/scanner/misconfiguration/custom/index.md
View File

@@ -101,8 +101,9 @@ In this case, `user.*` will be evaluated.
Any package prefixes such as `main` and `user` are allowed.
### Metadata
Metadata helps enrich Trivy's scan results with useful information.
The check must contain a [Rego Metadata](https://www.openpolicyagent.org/docs/latest/policy-language/#metadata) section. Trivy uses standard rego metadata to define the new policy and general information about it.
The annotation format is described in the [OPA documentation](https://www.openpolicyagent.org/docs/latest/annotations/).
Trivy supports extra fields in the `custom` section as described below.

13
docs/docs/scanner/misconfiguration/custom/schema.md
View File

@@ -4,7 +4,8 @@
Policies can be defined with custom schemas that allow inputs to be verified against them. Adding a policy schema
enables Trivy to show more detailed error messages when an invalid input is encountered.
In Trivy we have been able to define a schema for a [Dockerfile](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json). Without input schemas, a policy would be as follows:
In Trivy we have been able to define a schema for a [Dockerfile](https://github.com/aquasecurity/trivy-iac/blob/main/pkg/rego/schemas/dockerfile.json)
Without input schemas, a policy would be as follows:
!!! example
```
@@ -35,7 +36,7 @@ schema as such
```
Here `input: schema["dockerfile"]` points to a schema that expects a valid `Dockerfile` as input. An example of this
can be found [here](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json).
can be found [here](https://github.com/aquasecurity/defsec/blob/master/pkg/rego/schemas/dockerfile.json)
Now if this policy is evaluated against, a more descriptive error will be available to help fix the problem.
@@ -49,9 +50,9 @@ Now if this policy is evaluated against, a more descriptive error will be availa
Currently, out of the box the following schemas are supported natively:
1. [Docker](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json)
2. [Kubernetes](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/kubernetes.json)
3. [Cloud](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/cloud.json)
1. [Docker](https://github.com/aquasecurity/trivy-iac/blob/main/pkg/rego/schemas/dockerfile.json)
2. [Kubernetes](https://github.com/aquasecurity/trivy-iac/blob/main/pkg/rego/schemas/kubernetes.json)
3. [Cloud](https://github.com/aquasecurity/trivy-iac/blob/main/pkg/rego/schemas/cloud.json)
## Custom Policies with Custom Schemas
@@ -88,4 +89,4 @@ To use such a policy with Trivy, use the `--config-policy` flag that points to t
$ trivy --config-policy=/Users/user/my-custom-policies <path/to/iac>
```
For more details on how to define schemas within Rego policies, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/policy-language/#schema-annotations) that describes it in more detail.
For more details on how to define schemas within Rego policies, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/schemas/#schema-annotations) that describes it in more detail.

4
docs/docs/scanner/misconfiguration/custom/testing.md
View File

@@ -22,7 +22,7 @@ For more details, see [Policy Testing][opa-testing].
}
```
To write tests for custom policies, you can refer to existing tests under [trivy-checks][trivy-checks].
To write tests for custom policies, you can refer to existing tests under [trivy-policies][trivy-policies].
## Go testing
[Fanal][fanal] which is a core library of Trivy can be imported as a Go library.
@@ -85,6 +85,6 @@ The following example stores allowed and denied configuration files in a directo
`Dockerfile.allowed` has one successful result in `Successes`, while `Dockerfile.denied` has one failure result in `Failures`.
[opa-testing]: https://www.openpolicyagent.org/docs/latest/policy-testing/
[defsec]: https://github.com/aquasecurity/trivy-checks/tree/main
[defsec]: https://github.com/aquasecurity/trivy-policies/tree/main
[table]: https://github.com/golang/go/wiki/TableDrivenTests
[fanal]: https://github.com/aquasecurity/fanal

43
docs/docs/scanner/misconfiguration/index.md
View File

@@ -381,7 +381,7 @@ If multiple variables evaluate to the same hostname, Trivy will choose the envir
### Skipping resources by inline comments
Trivy supports ignoring misconfigured resources by inline comments for Terraform and CloudFormation configuration files only.
Trivy supports ignoring misconfigured resources by inline comments for Terraform configuration files only.
In cases where Trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to ignore findings from a single source of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned). The format for these comments is `trivy:ignore:<rule>` immediately following the format-specific line-comment [token](https://developer.hashicorp.com/terraform/language/syntax/configuration#comments).
@@ -422,17 +422,6 @@ As an example, consider the following check metadata:
Long ID would look like the following: `aws-s3-enable-logging`.
Example for CloudFromation:
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
#trivy:ignore:*
S3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: test-bucket
```
#### Expiration Date
You can specify the expiration date of the ignore rule in `yyyy-mm-dd` format. This is a useful feature when you want to make sure that an ignored issue is not forgotten and worth revisiting in the future. For example:
@@ -505,21 +494,8 @@ resource "aws_security_group_rule" "example" {
}
```
Checks can also be ignored by nested attributes, but certain restrictions apply:
- You cannot access an individual block using indexes, for example when working with dynamic blocks.
- Special variables like [each](https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#the-each-object) and [count](https://developer.hashicorp.com/terraform/language/meta-arguments/count#the-count-object) cannot be accessed.
```tf
#trivy:ignore:*[logging_config.prefix=myprefix]
resource "aws_cloudfront_distribution" "example" {
logging_config {
include_cookies = false
bucket = "mylogs.s3.amazonaws.com"
prefix = "myprefix"
}
}
```
!!! note
Currently nested attributes are not supported. For example you will not be able to reference the `each.key` attribute.
#### Ignoring module issues
@@ -547,15 +523,4 @@ module "s3_bucket" {
bucket = each.value
}
```
#### Support for Wildcards
You can use wildcards in the `ws` (workspace) and `ignore` sections of the ignore rules.
```tf
# trivy:ignore:aws-s3-*:ws:dev-*
```
This example ignores all checks starting with `aws-s3-` for workspaces matching the pattern `dev-*`.
[custom]: custom/index.md
[custom]: custom/index.md

24
docs/docs/scanner/misconfiguration/policy/builtin.md Normal file
View File

@@ -0,0 +1,24 @@
# Built-in Policies
## Policy Sources
Built-in policies are mainly written in [Rego][rego] and Go.
Those policies are managed under [trivy-policies repository][trivy-policies].
See [here](../../../coverage/iac/index.md) for the list of supported config types.
For suggestions or issues regarding policy content, please open an issue under the [trivy-policies][trivy-policies] repository.
## Policy Distribution
Trivy policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
Those policies are then loaded into Trivy OPA engine and used for detecting misconfigurations.
If Trivy is unable to pull down newer policies, it will use the embedded set of policies as a fallback. This is also the case in air-gap environments where `--skip-policy-update` might be passed.
## Update Interval
Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
[rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
[kubernetes-policies]: https://github.com/aquasecurity/trivy-policies/tree/main/rules/kubernetes/policies
[docker-policies]: https://github.com/aquasecurity/trivy-policies/tree/main/rules/docker/policies
[trivy-policies]: https://github.com/aquasecurity/trivy-policies
[ghcr]: https://github.com/aquasecurity/trivy-policies/pkgs/container/trivy-policies

14
docs/docs/scanner/misconfiguration/check/exceptions.md → docs/docs/scanner/misconfiguration/policy/exceptions.md
View File

@@ -28,6 +28,8 @@ The `exception` rule must be defined under `namespace.exceptions`.
This example exempts all built-in policies for Kubernetes.
For more details, see [an example][ns-example].
## Rule-based exceptions
There are some cases where you need more flexibility and granularity in defining which cases to exempt.
Rule-based exceptions lets you granularly choose which individual rules to exempt, while also declaring under which conditions to exempt them.
@@ -85,8 +87,12 @@ If you want to apply rule-based exceptions to built-in policies, you have to def
}
```
This exception is applied to [KSV012][ksv012] in trivy-checks.
You can get the package names in the [trivy-checks repository][trivy-checks] or the JSON output from Trivy.
This exception is applied to [KSV012][ksv012] in trivy-policies.
You can get the package names in the [trivy-policies repository][trivy-policies] or the JSON output from Trivy.
[ksv012]: https://github.com/aquasecurity/trivy-checks/blob/f36a5b732c4b1293a720c40baab0a7c106ea455e/checks/kubernetes/pss/restricted/3_runs_as_root.rego
[trivy-checks]: https://github.com/aquasecurity/trivy-checks/
For more details, see [an example][rule-example].
[ns-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/namespace-exception
[rule-example]: https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/examples/misconf/rule-exception
[ksv012]: https://github.com/aquasecurity/trivy-policies/blob/main/rules/kubernetes/policies/pss/restricted/3_runs_as_root.rego
[trivy-policies]: https://github.com/aquasecurity/trivy-policies/

2
docs/docs/scanner/vulnerability.md
View File

@@ -91,7 +91,6 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
| | [GitHub Advisory Database (npm)][nodejs-ghsa] | ✅ | - |
| Java | [GitHub Advisory Database (Maven)][java-ghsa] | ✅ | - |
| Go | [GitHub Advisory Database (Go)][go-ghsa] | ✅ | - |
| | [Go Vulnerability Database][go-vulndb] | ✅ | - |
| Rust | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅ | - |
| .NET | [GitHub Advisory Database (NuGet)][dotnet-ghsa] | ✅ | - |
| C/C++ | [GitLab Advisories Community][gitlab] | ✅ | 1 month |
@@ -256,7 +255,6 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
[go-ghsa]: https://github.com/advisories?query=ecosystem%3Ago
[swift-ghsa]: https://github.com/advisories?query=ecosystem%3Aswift
[go-vulndb]: https://pkg.go.dev/vuln/
[php]: https://github.com/FriendsOfPHP/security-advisories
[ruby]: https://github.com/rubysec/ruby-advisory-db
[nodejs]: https://github.com/nodejs/security-wg

4
docs/docs/target/container_image.md
View File

@@ -110,7 +110,7 @@ It is disabled by default.
You can enable it with `--image-config-scanners config`.
```
$ trivy image --image-config-scanners misconfig [YOUR_IMAGE_NAME]
$ trivy image --image-config-scanners config [YOUR_IMAGE_NAME]
```
<details>
@@ -506,4 +506,4 @@ You can configure Podman daemon socket with `--podman-host`.
```shell
$ trivy image --podman-host /run/user/1000/podman/podman.sock YOUR_IMAGE
```
```

148
docs/docs/target/kubernetes.md
View File

@@ -9,7 +9,7 @@ Trivy can also be installed *inside* your cluster as a Kubernetes Operator, and
When scanning a Kubernetes cluster, Trivy differentiates between the following:
1. Cluster infrastructure (e.g api-server, kubelet, addons)
1. Cluster configuration (e.g Roles, ClusterRoles).
1. Cluster configuration (e.g Roles, ClusterRoles).
1. Application workloads (e.g nginx, postgresql).
When scanning any of the above, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
@@ -28,79 +28,60 @@ Kubernetes resource definition is scanned for:
## Kubernetes target configurations
```sh
trivy k8s [flags] [CONTEXT] - if the target name [CONTEXT] is not specified, the default will be used.
Trivy follows the behavior of the `kubectl` tool as much as possible.
### Scope
The command expects an argument that selects the scope of the scan (similarly to how `kubectl` expects an argument after `kubectl get`). This argument can be:
1. A Kubernetes Kind. e.g `pod`, `deployment`, etc.
2. A Kubernetes Resource. e.g `pods/mypod`, etc.
3. `all`. Scan common workload kinds, as listed [here](https://github.com/aquasecurity/trivy-kubernetes/blob/bf8cc2a00d9772e0aa271f06d375b936152b54b1/pkg/k8s/k8s.go#L296:L314)
4. `cluster` scan the entire cluster including all namespaced resources and cluster level resources.
Examples:
```
trivy k8s all
trivy k8s pods
trivy k8s deploy myapp
trivy k8s pod/mypod
trivy k8s pods,deploy
trivy k8s cluster
```
for example:
Note that the scope argument must appear last in the command line, after any other flag.
```sh
trivy k8s --report summary
```
### Cluster
By default Trivy will look for a [`kubeconfig` configuration file in the default location](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/), and use the default cluster that is specified.
You can also specify a `kubeconfig` using the `--kubeconfig` flag:
```sh
```
trivy k8s --kubeconfig ~/.kube/config2
```
By default, all cluster resource images will be downloaded and scanned.
### Namespace
### Skip-images
By default Trivy will scan all namespaces (following `kubectl` behavior). To specify a namespace use the `--namespace` flag:
You can control whether Trivy will scan and download the cluster resource images. To disable this feature, add the --skip-images flag.
- `--skip-images` flag will prevent the downloading and scanning of images (including vulnerabilities and secrets) in the cluster resources.
Example:
```sh
trivy k8s --report summary --skip-images
```
### Include/Exclude Kinds
You can control which kinds of resources will be discovered using the `--include-kinds` or `--exclude-kinds` comma-separated flags:
***Note:*** Both flags (`--include-kinds` or `--exclude-kinds`) cannot be set in conjunction.
- `--include-kinds` will include the listed kinds in cluster scanning.
- `--exclude-kinds` will exclude the listed kinds from cluster scanning.
By default, all kinds will be included in cluster scanning.
Example:
```sh
trivy k8s --report summary --exclude-kinds node,pod
trivy k8s --kubeconfig ~/.kube/config2 --namespace default
```
### Node
### Include/Exclude Namespaces
You can exclude specific nodes from the scan using the `--exclude-nodes` flag, which takes a label in the format `label-name:label-value` and excludes all matching nodes:
You can control which namespaces will be discovered using the `--include-namespaces` or `--exclude-namespaces` comma-separated flags:
***Note:*** Both flags (`--include-namespaces` or `--exclude-namespaces`) cannot be set in conjunction.
- `--include-namespaces` will include the listed namespaces in cluster scanning.
- `--exclude-namespaces` will exclude the listed namespaces from cluster scanning.
By default, all namespaces will be included in cluster scanning.
Example:
```sh
trivy k8s --report summary --exclude-namespace dev-system,staging-system
```
trivy k8s cluster --report summary --exclude-nodes kubernetes.io/arch:arm6
```
## Control Plane and Node Components Vulnerability Scanning
Trivy is capable of discovering Kubernetes control plane (apiserver, controller-manager and etc) and node components(kubelet, kube-proxy and etc), matching them against the [official Kubernetes vulnerability database feed](https://github.com/aquasecurity/vuln-list-k8s), and reporting any vulnerabilities it finds.
Trivy is capable of discovering Kubernetes control plane (apiserver, controller-manager and etc) and node components(kubelet, kube-proxy and etc), matching them against the [official Kubernetes vulnerability database feed](https://github.com/aquasecurity/vuln-list-k8s), and reporting any vulnerabilities it finds
To read more about KBOM, see the [documentation for Kubernetes scanning](./sbom.md#kbom).
```sh
trivy k8s --scanners vuln --report all
```
trivy k8s cluster --scanners vuln --report all
NodeComponents/kind-control-plane (kubernetes)
@@ -120,43 +101,13 @@ Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────┘
```
## Node-Collector
Node-collector is a scan job that collects node configuration parameters and permission information. This information will be evaluated against Kubernetes hardening (e.g. CIS benchmark) and best practices values. The scan results will be output in infrastructure assessment and CIS benchmark compliance reports.
### Components types
### Disable Node Collector
You can control whether the node scan-job (`node-collector`) will run in the cluster. To disable it, add the `--disable-node-collector` flag
- `--disable-node-collector` This flag will exclude findings related to Node (infra assessment) misconfigurations
By default, the node scan-job (`node-collector`) will run in the cluster.
Example:
```sh
trivy k8s --report summary --disable-node-collector
```
### Taints and Tolerations
The node-collector scan-job will run on every node. In case the node has been tainted, it is possible to add toleration to the scan job for it to be scheduled on the tainted node. for more details [see k8s docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
- `--tolerations key1=value1:NoExecute,key2=value2:NoSchedule` this flag wil enable node-collector to be schedule on tainted Node
Example:
```sh
trivy k8s --report summary --tolerations key1=value1:NoExecute,key2=value2:NoSchedule
```
### Exclude Nodes by Label
You can exclude specific nodes from the scan using the `--exclude-nodes` flag, which takes a label in the format `label-name:label-value` and excludes all matching nodes:
```sh
trivy k8s --report summary --exclude-nodes kubernetes.io/arch:arm6
```
You can control what kinds of components are discovered using the `--components` flag:
- `--components infra` will discover only cluster infrastructure components.
- `--components workloads` will discover only application workloads.
- If the flag is omitted: infra, workloads, and RBAC are discovered.
## Reporting and filtering
@@ -166,8 +117,8 @@ You can always choose the report granularity using the `--report summary`/`--rep
Scan a full cluster and generate a simple summary report:
```sh
trivy k8s --report=summary
```
$ trivy k8s --report=summary cluster
```
![k8s Summary Report](../../imgs/trivy-k8s.png)
@@ -175,15 +126,15 @@ trivy k8s --report=summary
Filter by severity:
```
trivy k8s --severity=CRITICAL --report=all
trivy k8s --severity=CRITICAL --report=all cluster
```
Filter by scanners (Vulnerabilities, Secrets or Misconfigurations):
```
trivy k8s --scanners=secret --report=summary
trivy k8s --scanners=secret --report=summary cluster
# or
trivy k8s --scanners=misconfig --report=summary
trivy k8s --scanners=misconfig --report=summary cluster
```
The supported output formats are `table`, which is the default, and `json`.
@@ -349,7 +300,6 @@ trivy k8s --format json -o results.json cluster
</details>
## Compliance
This section describes Kubernetes specific compliance reports.
For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md).
@@ -368,7 +318,7 @@ Scan the cluster for Kubernetes Pod Security Standards Baseline compliance:
```
trivy k8s --compliance=k8s-pss-baseline --report summary
$ trivy k8s cluster --compliance=k8s-pss-baseline --report summary
```
@@ -376,7 +326,7 @@ Get the detailed report for checks:
```
trivy k8s --compliance=k8s-cis --report all
$ trivy k8s cluster --compliance=k8s-cis --report all
```
@@ -384,7 +334,7 @@ Get summary report in JSON format:
```
trivy k8s --compliance=k8s-cis --report summary --format json
$ trivy k8s cluster --compliance=k8s-cis --report summary --format json
```
@@ -392,7 +342,7 @@ Get detailed report in JSON format:
```
trivy k8s --compliance=k8s-cis --report all --format json
$ trivy k8s cluster --compliance=k8s-cis --report all --format json
```
@@ -405,7 +355,7 @@ Trivy can generate KBOM in CycloneDX format:
```sh
trivy k8s --format cyclonedx --output mykbom.cdx.json
$ trivy k8s cluster --format cyclonedx --output mykbom.cdx.json
```
@@ -413,7 +363,7 @@ Trivy can also scan that generated KBOM (or any SBOM) for vulnerabilities:
```sh
trivy sbom mykbom.cdx.json
$ trivy sbom mykbom.cdx.json
```

85
docs/getting-started/installation.md
View File

@@ -10,10 +10,11 @@ In this section you will find an aggregation of the different ways to install Tr
Add repository setting to `/etc/yum.repos.d`.
``` bash
RELEASE_VERSION=$(grep -Po '(?<=VERSION_ID=")[0-9]' /etc/os-release)
cat << EOF | sudo tee -a /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/\$basearch/
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/
gpgcheck=1
enabled=1
gpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key
@@ -34,9 +35,9 @@ In this section you will find an aggregation of the different ways to install Tr
Add repository setting to `/etc/apt/sources.list.d`.
``` bash
sudo apt-get install wget apt-transport-https gnupg
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
```
@@ -85,29 +86,31 @@ References:
Nix package manager for Linux and MacOS.
=== "Command line"
`nix-env --install -A nixpkgs.trivy`
`nix-env --install -A nixpkgs.trivy`
=== "Configuration"
```nix
# your other config ...
environment.systemPackages = with pkgs; [
# your other packages ...
trivy
];
```
```nix
# your other config ...
environment.systemPackages = with pkgs; [
# your other packages ...
trivy
];
```
=== "Home Manager"
```nix
# your other config ...
home.packages = with pkgs; [
# your other packages ...
trivy
];
```
```nix
# your other config ...
home.packages = with pkgs; [
# your other packages ...
trivy
];
```
References:
- https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/admin/trivy/default.nix
- <https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/admin/trivy/default.nix>
### FreeBSD (Official)
@@ -117,48 +120,6 @@ References:
pkg install trivy
```
### asdf/mise (Community)
[asdf](https://github.com/asdf-vm/asdf) and [mise](https://github.com/jdx/mise) are quite similar tools you can use to install trivy.
See their respective documentation for more information of how to install them and use them:
- [asdf](https://asdf-vm.com/guide/getting-started.html)
- [mise](https://mise.jdx.dev/getting-started.html)
The plugin used by both tools is developped [here](https://github.com/zufardhiyaulhaq/asdf-trivy)
=== "asdf"
A basic global installation is shown below, for specific version or/and local version to a directory see "asdf" documentation.
```shell
# Install plugin
asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git
# Install latest version
asdf install trivy latest
# Set a version globally (on your ~/.tool-versions file)
asdf global trivy latest
# Now trivy commands are available
trivy --version
```
=== "mise"
A basic global installation is shown below, for specific version or/and local version to a directory see "mise" documentation.
``` shell
# Install plugin and install latest version
mise install trivy@latest
# Set a version globally (on your ~/.tool-versions file)
mise use -g trivy@latest
# Now trivy commands are available
trivy --version
```
## Install from GitHub Release (Official)
### Download Binary

BIN
docs/imgs/trivy-k8s.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 330 KiB

After

Width:  |  Height:  |  Size: 397 KiB

2
docs/tutorials/integrations/gitlab-ci.md
View File

@@ -49,7 +49,7 @@ trivy:
cache:
paths:
- .trivycache/
# Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab Ultimate)
# Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
artifacts:
reports:
container_scanning: gl-container-scanning-report.json

45
docs/tutorials/kubernetes/cluster-scanning.md
View File

@@ -1,51 +1,58 @@
# Kubernetes Scanning Tutorial
## Prerequisites
## Prerequisites
To test the following commands yourself, make sure that youre connected to a Kubernetes cluster. A simple kind, a Docker-Desktop or microk8s cluster will do. In our case, well use a one-node kind cluster.
Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster.
Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster.
## Cluster Scanning
Trivy K8s is great to get an overview of all the vulnerabilities and misconfiguration issues or to scan specific workloads that are running in your cluster. You would want to use the Trivy K8s command either on your own local cluster or in your CI/CD pipeline post deployments.
The `trivy k8s` command is part of the Trivy CLI.
The `trivy k8s` command is part of the Trivy CLI.
With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan:
With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan:
```sh
trivy k8s --report=summary
```
trivy k8s --report=summary cluster
```
To get detailed information for all your resources, just replace summary with all:
```sh
trivy k8s --report=all
```
trivy k8s --report=all cluster
```
However, we recommend displaying all information only in case you scan a specific namespace or resource since you can get overwhelmed with additional details.
Furthermore, we can specify the namespace that Trivy is supposed to scan to focus on specific resources in the scan result:
```sh
trivy k8s --include-namespaces kube-system --report summary
```
trivy k8s -n kube-system --report=summary cluster
```
Again, if youd like to receive additional details, use the --report=all flag:
```sh
trivy k8s --include-namespaces kube-system --report all
```
trivy k8s -n kube-system --report=all cluster
```
Like with scanning for vulnerabilities, we can also filter in-cluster security issues by severity of the vulnerabilities:
```sh
trivy k8s --severity=CRITICAL --report=summary
```
trivy k8s --severity=CRITICAL --report=summary cluster
```
Note that you can use any of the Trivy flags on the Trivy K8s command.
## Trivy Operator
With the Trivy K8s command, you can also scan specific workloads that are running within your cluster, such as our deployment:
```
trivy k8s --namespace app --report=summary deployments/react-application
```
## Trivy Operator
The Trivy K8s command is an imperative model to scan resources. We wouldnt want to manually scan each resource across different environments. The larger the cluster and the more workloads are running in it, the more error-prone this process would become. With the Trivy Operator, we can automate the scanning process after the deployment.
@@ -59,9 +66,15 @@ This has several benefits:
- The CRDs can be both machine and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy operator.
There are several ways that you can install the Trivy Operator in your cluster. In this guide, were going to use the Helm installation based on the [following documentation.](../../docs/target/kubernetes.md#trivy-operator)
Please follow the Trivy Operator documentation for further information on:
- [Installation of the Trivy Operator](https://aquasecurity.github.io/trivy-operator/latest/getting-started/installation/)
- [Getting started guide](https://aquasecurity.github.io/trivy-operator/latest/getting-started/quick-start/)
- [Getting started guide](https://aquasecurity.github.io/trivy-operator/latest/getting-started/quick-start/)

6
docs/tutorials/misconfiguration/custom-checks.md
View File

@@ -8,8 +8,8 @@ When you are writing a check, it's important to understand the input to the chec
Since Rego is primarily tailored to query JSON objects, all incoming configuration files needs to be first converted to structured objects, which is available to the Rego code as the input variable. This is nothing that users have to do manually in Trivy. Instead, Rego makes it possible to pass in custom Schemas that detail how files are converted. Once Rego has access to a custom Schema, it will know in which format to access configuration files such as a Dockerfile.
[Here you can find the schemas](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas) that define how different configuration files are converted to JSON by Trivy.
This tutorial will make use of the [dockerfile.json schema](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json). The schema will need to be parsed into your custom check.
[Here you can find the schemas](https://github.com/aquasecurity/defsec/tree/master/pkg/rego/schemas) that define how different configuration files are converted to JSON by Trivy.
This tutorial will make use of the [dockerfile.json schema](https://github.com/aquasecurity/defsec/tree/master/pkg/rego/schemas). The schema will need to be parsed into your custom check.
Users can also use the [Schema Explorer](https://aquasecurity.github.io/trivy-schemas/) to view the structure of the data provided to Rego.
@@ -108,4 +108,4 @@ Please replace:
* [Rego provides a long list of courses](https://academy.styra.com/collections) that can be useful in writing more complex checks
* [The Rego documentation provides detailed information on the different types, iterations etc.](https://www.openpolicyagent.org/docs/latest/)
* Have a look at the [built-in checks](https://github.com/aquasecurity/trivy-checks/tree/main/checks) for Trivy for inspiration on how to write custom checks.
* Have a look at the [built-in checks](https://github.com/aquasecurity/trivy-policies/tree/main/checks) for Trivy for inspiration on how to write custom checks.

223
go.mod
View File

@@ -1,13 +1,11 @@
module github.com/aquasecurity/trivy
go 1.22
toolchain go1.22.0
go 1.21
require (
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0
github.com/BurntSushi/toml v1.3.2
github.com/CycloneDX/cyclonedx-go v0.8.0
github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
@@ -21,44 +19,44 @@ require (
github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
github.com/aquasecurity/loading v0.0.5
github.com/aquasecurity/table v1.8.0
github.com/aquasecurity/testdocker v0.0.0-20240419073403-90bd43849334
github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-aws v0.8.0
github.com/aquasecurity/trivy-checks v0.10.5-0.20240430045208-6cc735de6b9e
github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240425111126-a549f8de71bb
github.com/aws/aws-sdk-go-v2 v1.26.1
github.com/aws/aws-sdk-go-v2/config v1.27.11
github.com/aws/aws-sdk-go-v2/credentials v1.17.11
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15
github.com/aws/aws-sdk-go-v2/service/ec2 v1.155.1
github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4
github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1
github.com/aws/aws-sdk-go-v2/service/sts v1.28.6
github.com/aquasecurity/trivy-kubernetes v0.6.3
github.com/aquasecurity/trivy-policies v0.10.0
github.com/aws/aws-sdk-go-v2 v1.25.2
github.com/aws/aws-sdk-go-v2/config v1.27.4
github.com/aws/aws-sdk-go-v2/credentials v1.17.4
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.15
github.com/aws/aws-sdk-go-v2/service/ec2 v1.149.1
github.com/aws/aws-sdk-go-v2/service/ecr v1.24.6
github.com/aws/aws-sdk-go-v2/service/s3 v1.51.1
github.com/aws/aws-sdk-go-v2/service/sts v1.28.1
github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
github.com/bmatcuk/doublestar/v4 v4.6.1
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/cheggaaa/pb/v3 v3.1.4
github.com/containerd/containerd v1.7.16
github.com/containerd/containerd v1.7.13
github.com/csaf-poc/csaf_distribution/v3 v3.0.0
github.com/docker/docker v26.0.2+incompatible
github.com/docker/docker v25.0.5+incompatible
github.com/docker/go-connections v0.5.0
github.com/fatih/color v1.16.0
github.com/go-git/go-git/v5 v5.11.0
github.com/go-openapi/runtime v0.28.0
github.com/go-openapi/strfmt v0.23.0
github.com/go-openapi/runtime v0.27.1
github.com/go-openapi/strfmt v0.22.0
github.com/go-redis/redis/v8 v8.11.5
github.com/golang-jwt/jwt v3.2.2+incompatible
github.com/golang/protobuf v1.5.4
github.com/google/go-containerregistry v0.19.1
github.com/golang/protobuf v1.5.3
github.com/google/go-containerregistry v0.19.0
github.com/google/licenseclassifier/v2 v2.0.0
github.com/google/uuid v1.6.0
github.com/google/wire v0.6.0
github.com/hashicorp/go-getter v1.7.4
github.com/hashicorp/go-multierror v1.1.1
github.com/hashicorp/go-retryablehttp v0.7.5
github.com/hashicorp/golang-lru/v2 v2.0.7
github.com/hashicorp/golang-lru/v2 v2.0.6
github.com/in-toto/in-toto-golang v0.9.0
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422
@@ -80,16 +78,17 @@ require (
github.com/mitchellh/hashstructure/v2 v2.0.2
github.com/mitchellh/mapstructure v1.5.0
github.com/moby/buildkit v0.12.5
github.com/open-policy-agent/opa v0.64.1
github.com/open-policy-agent/opa v0.62.0
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.0
github.com/opencontainers/image-spec v1.1.0-rc6
github.com/openvex/go-vex v0.2.5
github.com/owenrumney/go-sarif/v2 v2.3.0
github.com/package-url/packageurl-go v0.1.2
github.com/quasilyte/go-ruleguard/dsl v0.3.22
github.com/samber/lo v1.39.0
github.com/saracen/walker v0.1.3
github.com/secure-systems-lab/go-securesystemslib v0.8.0
github.com/sigstore/rekor v1.3.6
github.com/sigstore/rekor v1.2.2
github.com/sirupsen/logrus v1.9.3
github.com/sosedoff/gitkit v0.4.0
github.com/spdx/tools-golang v0.5.4-0.20231108154018-0c0f394b5e1a // v0.5.3 with necessary changes. Can be upgraded to version 0.5.4 after release.
@@ -97,34 +96,34 @@ require (
github.com/spf13/cobra v1.8.0
github.com/spf13/pflag v1.0.5
github.com/spf13/viper v1.18.2
github.com/stretchr/testify v1.9.0
github.com/testcontainers/testcontainers-go v0.30.0
github.com/testcontainers/testcontainers-go/modules/localstack v0.28.0
github.com/stretchr/testify v1.8.4
github.com/testcontainers/testcontainers-go v0.28.0
github.com/testcontainers/testcontainers-go/modules/localstack v0.26.0
github.com/tetratelabs/wazero v1.7.0
github.com/twitchtv/twirp v8.1.2+incompatible
github.com/xeipuuv/gojsonschema v1.2.0
github.com/xlab/treeprint v1.2.0
go.etcd.io/bbolt v1.3.9
go.uber.org/zap v1.27.0 // indirect
go.etcd.io/bbolt v1.3.8
go.uber.org/zap v1.27.0
golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
golang.org/x/mod v0.16.0
golang.org/x/net v0.24.0
golang.org/x/mod v0.15.0
golang.org/x/net v0.23.0
golang.org/x/sync v0.6.0
golang.org/x/term v0.19.0
golang.org/x/term v0.18.0
golang.org/x/text v0.14.0
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028
google.golang.org/protobuf v1.34.0
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
google.golang.org/protobuf v1.33.0
gopkg.in/yaml.v3 v3.0.1
k8s.io/api v0.29.3
k8s.io/api v0.29.1
k8s.io/utils v0.0.0-20231127182322-b307cd553661
modernc.org/sqlite v1.29.7
modernc.org/sqlite v1.28.0
)
require (
github.com/alecthomas/chroma v0.10.0
github.com/antchfx/htmlquery v1.3.0
github.com/apparentlymart/go-cidr v1.1.0
github.com/aws/smithy-go v1.20.2
github.com/aws/smithy-go v1.20.1
github.com/hashicorp/go-uuid v1.0.3
github.com/hashicorp/go-version v1.6.0
github.com/hashicorp/hc-install v0.6.3
@@ -133,24 +132,24 @@ require (
github.com/liamg/iamgo v0.0.9
github.com/liamg/memoryfs v1.6.0
github.com/mitchellh/go-homedir v1.1.0
github.com/olekukonko/tablewriter v0.0.5
github.com/owenrumney/squealer v1.2.2
github.com/zclconf/go-cty v1.14.4
github.com/zclconf/go-cty v1.14.1
github.com/zclconf/go-cty-yaml v1.0.3
golang.org/x/crypto v0.22.0
golang.org/x/crypto v0.21.0
helm.sh/helm/v3 v3.14.2
sigs.k8s.io/yaml v1.4.0
)
require (
cloud.google.com/go v0.112.1 // indirect
cloud.google.com/go/compute v1.25.0 // indirect
cloud.google.com/go v0.112.0 // indirect
cloud.google.com/go/compute v1.23.3 // indirect
cloud.google.com/go/compute/metadata v0.2.3 // indirect
cloud.google.com/go/iam v1.1.6 // indirect
cloud.google.com/go/storage v1.39.1 // indirect
cloud.google.com/go/iam v1.1.5 // indirect
cloud.google.com/go/storage v1.36.0 // indirect
dario.cat/mergo v1.0.0 // indirect
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0 // indirect
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest v0.11.29 // indirect
@@ -158,7 +157,7 @@ require (
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
github.com/Azure/go-autorest/logger v0.2.1 // indirect
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect
github.com/Intevation/gval v1.3.0 // indirect
github.com/Intevation/jsonpath v0.2.1 // indirect
github.com/MakeNowJust/heredoc v1.0.0 // indirect
@@ -177,13 +176,13 @@ require (
github.com/antchfx/xpath v1.2.3 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go v1.51.16 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
github.com/aws/aws-sdk-go v1.49.21 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.1 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.2 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.2 // indirect
github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.26.7 // indirect
github.com/aws/aws-sdk-go-v2/service/apigateway v1.21.6 // indirect
github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.18.6 // indirect
@@ -204,14 +203,14 @@ require (
github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.25.0 // indirect
github.com/aws/aws-sdk-go-v2/service/emr v1.36.0 // indirect
github.com/aws/aws-sdk-go-v2/service/iam v1.28.7 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.8.11 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.2 // indirect
github.com/aws/aws-sdk-go-v2/service/kafka v1.28.5 // indirect
github.com/aws/aws-sdk-go-v2/service/kinesis v1.24.6 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.27.7 // indirect
github.com/aws/aws-sdk-go-v2/service/lambda v1.49.6 // indirect
github.com/aws/aws-sdk-go-v2/service/mq v1.20.6 // indirect
github.com/aws/aws-sdk-go-v2/service/neptune v1.28.1 // indirect
@@ -220,8 +219,8 @@ require (
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.26.0 // indirect
github.com/aws/aws-sdk-go-v2/service/sns v1.26.6 // indirect
github.com/aws/aws-sdk-go-v2/service/sqs v1.29.6 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.20.1 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.1 // indirect
github.com/aws/aws-sdk-go-v2/service/workspaces v1.38.1 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
@@ -235,14 +234,14 @@ require (
github.com/containerd/fifo v1.1.0 // indirect
github.com/containerd/log v0.1.0 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
github.com/containerd/ttrpc v1.2.3 // indirect
github.com/containerd/ttrpc v1.2.2 // indirect
github.com/containerd/typeurl/v2 v2.1.1 // indirect
github.com/cpuguy83/dockercfg v0.3.1 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
github.com/cyphar/filepath-securejoin v0.2.4 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/distribution/reference v0.5.0 // indirect
github.com/dlclark/regexp2 v1.4.0 // indirect
github.com/docker/cli v25.0.1+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
@@ -265,31 +264,32 @@ require (
github.com/go-ini/ini v1.67.0 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-ole/go-ole v1.2.6 // indirect
github.com/go-openapi/analysis v0.23.0 // indirect
github.com/go-openapi/errors v0.22.0 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect
github.com/go-openapi/jsonreference v0.21.0 // indirect
github.com/go-openapi/loads v0.22.0 // indirect
github.com/go-openapi/spec v0.21.0 // indirect
github.com/go-openapi/swag v0.23.0 // indirect
github.com/go-openapi/validate v0.24.0 // indirect
github.com/go-openapi/analysis v0.21.5 // indirect
github.com/go-openapi/errors v0.21.0 // indirect
github.com/go-openapi/jsonpointer v0.20.1 // indirect
github.com/go-openapi/jsonreference v0.20.3 // indirect
github.com/go-openapi/loads v0.21.3 // indirect
github.com/go-openapi/spec v0.20.12 // indirect
github.com/go-openapi/swag v0.22.5 // indirect
github.com/go-openapi/validate v0.22.4 // indirect
github.com/go-sql-driver/mysql v1.7.1 // indirect
github.com/go-test/deep v1.1.0 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/goccy/go-yaml v1.9.5 // indirect
github.com/gofrs/uuid v4.3.1+incompatible // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/google/btree v1.1.2 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/pprof v0.0.0-20230406165453-00490a63f317 // indirect
github.com/google/s2a-go v0.1.7 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
github.com/googleapis/gax-go/v2 v2.12.3 // indirect
github.com/googleapis/gax-go/v2 v2.12.0 // indirect
github.com/gorilla/mux v1.8.1 // indirect
github.com/gorilla/websocket v1.5.0 // indirect
github.com/gosuri/uitable v0.0.4 // indirect
@@ -308,13 +308,13 @@ require (
github.com/jmoiron/sqlx v1.3.5 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
github.com/klauspost/compress v1.17.4 // indirect
github.com/klauspost/compress v1.17.2 // indirect
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
github.com/lib/pq v1.10.9 // indirect
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect
github.com/magiconair/properties v1.8.7 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
@@ -324,7 +324,6 @@ require (
github.com/mitchellh/go-testing-interface v1.14.1 // indirect
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/moby/locker v1.0.1 // indirect
github.com/moby/patternmatcher v0.6.0 // indirect
github.com/moby/spdystream v0.2.0 // indirect
@@ -339,7 +338,6 @@ require (
github.com/morikuni/aec v1.0.0 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
github.com/ncruces/go-strftime v0.1.9 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opencontainers/runtime-spec v1.1.0 // indirect
github.com/opencontainers/selinux v1.11.0 // indirect
@@ -347,12 +345,11 @@ require (
github.com/pelletier/go-toml/v2 v2.1.0 // indirect
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pjbgf/sha1cd v0.3.0 // indirect
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
github.com/prometheus/client_golang v1.19.0 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/client_model v0.5.0 // indirect
github.com/prometheus/common v0.48.0 // indirect
github.com/prometheus/procfs v0.12.0 // indirect
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
@@ -365,17 +362,13 @@ require (
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
github.com/sergi/go-diff v1.3.1 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/shirou/gopsutil/v3 v3.23.12 // indirect
github.com/shoenig/go-m1cpu v0.1.6 // indirect
github.com/shopspring/decimal v1.3.1 // indirect
github.com/skeema/knownhosts v1.2.1 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
github.com/spf13/afero v1.11.0 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/stretchr/objx v0.5.0 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
github.com/tchap/go-patricia/v2 v2.3.1 // indirect
github.com/tklauser/go-sysconf v0.3.12 // indirect
github.com/tklauser/numcpus v0.6.1 // indirect
github.com/ulikunitz/xz v0.5.11 // indirect
github.com/vbatts/tar-split v0.11.3 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
@@ -383,50 +376,58 @@ require (
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
github.com/yashtewari/glob-intersection v0.2.0 // indirect
github.com/yuin/gopher-lua v1.1.0 // indirect
github.com/yusufpapurcu/wmi v1.2.3 // indirect
go.mongodb.org/mongo-driver v1.14.0 // indirect
go.mongodb.org/mongo-driver v1.13.1 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
go.opentelemetry.io/otel v1.24.0 // indirect
go.opentelemetry.io/otel/metric v1.24.0 // indirect
go.opentelemetry.io/otel/sdk v1.24.0 // indirect
go.opentelemetry.io/otel/trace v1.24.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
go.opentelemetry.io/otel v1.23.1 // indirect
go.opentelemetry.io/otel/metric v1.23.1 // indirect
go.opentelemetry.io/otel/sdk v1.23.1 // indirect
go.opentelemetry.io/otel/trace v1.23.1 // indirect
go.opentelemetry.io/proto/otlp v1.1.0 // indirect
go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/oauth2 v0.18.0 // indirect
golang.org/x/sys v0.19.0 // indirect
golang.org/x/oauth2 v0.16.0 // indirect
golang.org/x/sys v0.18.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/tools v0.19.0 // indirect
google.golang.org/api v0.172.0 // indirect
golang.org/x/tools v0.17.0 // indirect
google.golang.org/api v0.155.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
google.golang.org/grpc v1.63.2 // indirect
google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240123012728-ef4313101c80 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect
google.golang.org/grpc v1.62.0 // indirect
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
k8s.io/apiextensions-apiserver v0.29.0 // indirect
k8s.io/apimachinery v0.29.3 // indirect
k8s.io/apimachinery v0.29.1 // indirect
k8s.io/apiserver v0.29.0 // indirect
k8s.io/cli-runtime v0.29.3 // indirect
k8s.io/client-go v0.29.3 // indirect
k8s.io/component-base v0.29.3 // indirect
k8s.io/cli-runtime v0.29.0 // indirect
k8s.io/client-go v0.29.0 // indirect
k8s.io/component-base v0.29.0 // indirect
k8s.io/klog/v2 v2.120.0 // indirect
k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
k8s.io/kubectl v0.29.3 // indirect
modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 // indirect
modernc.org/libc v1.49.3 // indirect
k8s.io/kubectl v0.29.0 // indirect
lukechampine.com/uint128 v1.2.0 // indirect
modernc.org/cc/v3 v3.40.0 // indirect
modernc.org/ccgo/v3 v3.16.13 // indirect
modernc.org/libc v1.29.0 // indirect
modernc.org/mathutil v1.6.0 // indirect
modernc.org/memory v1.8.0 // indirect
modernc.org/strutil v1.2.0 // indirect
modernc.org/memory v1.7.2 // indirect
modernc.org/opt v0.1.3 // indirect
modernc.org/strutil v1.1.3 // indirect
modernc.org/token v1.1.0 // indirect
oras.land/oras-go v1.2.5 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)
// testcontainers-go has a bug with versions v0.25.0 and v0.26.0
// ref: https://github.com/testcontainers/testcontainers-go/issues/1782
replace github.com/testcontainers/testcontainers-go => github.com/testcontainers/testcontainers-go v0.23.0

1124
go.sum
View File

File diff suppressed because it is too large Load Diff

4
integration/aws_cloud_test.go
View File

@@ -25,7 +25,7 @@ func TestAwsCommandRun(t *testing.T) {
{
name: "fail without region",
options: flag.Options{
RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
RegoOptions: flag.RegoOptions{SkipPolicyUpdate: true},
},
envs: map[string]string{
"AWS_ACCESS_KEY_ID": "test",
@@ -39,7 +39,7 @@ func TestAwsCommandRun(t *testing.T) {
"AWS_PROFILE": "non-existent-profile",
},
options: flag.Options{
RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
RegoOptions: flag.RegoOptions{SkipPolicyUpdate: true},
AWSOptions: flag.AWSOptions{
Region: "us-east-1",
},

17
integration/client_server_test.go
View File

@@ -283,9 +283,7 @@ func TestClientServer(t *testing.T) {
osArgs = append(osArgs, "--secret-config", tt.args.secretConfig)
}
runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{
override: overrideUID,
})
runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{})
})
}
}
@@ -399,9 +397,7 @@ func TestClientServerWithFormat(t *testing.T) {
t.Setenv("AWS_ACCOUNT_ID", "123456789012")
osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
runTest(t, osArgs, tt.golden, "", tt.args.Format, runOptions{
override: overrideUID,
})
runTest(t, osArgs, tt.golden, "", tt.args.Format, runOptions{})
})
}
}
@@ -479,10 +475,7 @@ func TestClientServerWithToken(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{
override: overrideUID,
wantErr: tt.wantErr,
})
runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{wantErr: tt.wantErr})
})
}
}
@@ -508,9 +501,7 @@ func TestClientServerWithRedis(t *testing.T) {
osArgs := setupClient(t, testArgs, addr, cacheDir, golden)
// Run Trivy client
runTest(t, osArgs, golden, "", types.FormatJSON, runOptions{
override: overrideUID,
})
runTest(t, osArgs, golden, "", types.FormatJSON, runOptions{})
})
// Terminate the Redis container

37
integration/integration_test.go
View File

@@ -192,10 +192,9 @@ func readSpdxJson(t *testing.T, filePath string) *spdx.Document {
return bom
}
type OverrideFunc func(t *testing.T, want, got *types.Report)
type runOptions struct {
wantErr string
override OverrideFunc
override func(want, got *types.Report)
fakeUUID string
}
@@ -263,11 +262,11 @@ func compareRawFiles(t *testing.T, wantFile, gotFile string) {
assert.EqualValues(t, string(want), string(got))
}
func compareReports(t *testing.T, wantFile, gotFile string, override func(t *testing.T, want, got *types.Report)) {
func compareReports(t *testing.T, wantFile, gotFile string, override func(want, got *types.Report)) {
want := readReport(t, wantFile)
got := readReport(t, gotFile)
if override != nil {
override(t, &want, &got)
override(&want, &got)
}
assert.Equal(t, want, got)
}
@@ -308,33 +307,3 @@ func validateReport(t *testing.T, schema string, report any) {
assert.True(t, valid, strings.Join(errs, "\n"))
}
}
func overrideFuncs(funcs ...OverrideFunc) OverrideFunc {
return func(t *testing.T, want, got *types.Report) {
for _, f := range funcs {
if f == nil {
continue
}
f(t, want, got)
}
}
}
// overrideUID only checks for the presence of the package UID and clears the UID;
// the UID is calculated from the package metadata, but the UID does not match
// as it varies slightly depending on the mode of scanning, e.g. the digest of the layer.
func overrideUID(t *testing.T, want, got *types.Report) {
for i, result := range got.Results {
for j, vuln := range result.Vulnerabilities {
assert.NotEmptyf(t, vuln.PkgIdentifier.UID, "UID is empty: %s", vuln.VulnerabilityID)
// Do not compare UID as the package metadata is slightly different between the tests,
// causing different UIDs.
got.Results[i].Vulnerabilities[j].PkgIdentifier.UID = ""
}
}
for i, result := range want.Results {
for j := range result.Vulnerabilities {
want.Results[i].Vulnerabilities[j].PkgIdentifier.UID = ""
}
}
}

56
integration/k8s_test.go
View File

@@ -31,7 +31,7 @@ func TestK8s(t *testing.T) {
"--cache-dir",
cacheDir,
"k8s",
"kind-kind-test",
"cluster",
"--report",
"summary",
"-q",
@@ -39,6 +39,10 @@ func TestK8s(t *testing.T) {
"5m0s",
"--format",
"json",
"--components",
"workload",
"--context",
"kind-kind-test",
"--output",
outputFile,
}
@@ -75,10 +79,12 @@ func TestK8s(t *testing.T) {
outputFile := filepath.Join(t.TempDir(), "output.json")
osArgs := []string{
"k8s",
"kind-kind-test",
"cluster",
"--format",
"cyclonedx",
"-q",
"--context",
"kind-kind-test",
"--output",
outputFile,
}
@@ -105,5 +111,51 @@ func TestK8s(t *testing.T) {
assert.True(t, lo.SomeBy(*got.Dependencies, func(r cdx.Dependency) bool {
return len(*r.Dependencies) > 0
}))
})
t.Run("specific resource scan", func(t *testing.T) {
// Set up the output file
outputFile := filepath.Join(t.TempDir(), "output.json")
osArgs := []string{
"k8s",
"-n",
"default",
"deployments/nginx-deployment",
"-q",
"--timeout",
"5m0s",
"--format",
"json",
"--components",
"workload",
"--context",
"kind-kind-test",
"--output",
outputFile,
}
// Run Trivy
err := execute(osArgs)
require.NoError(t, err)
var got report.Report
f, err := os.Open(outputFile)
require.NoError(t, err)
defer f.Close()
err = json.NewDecoder(f).Decode(&got)
require.NoError(t, err)
// Flatten findings
results := lo.FlatMap(got.Resources, func(resource report.Resource, _ int) []types.Result {
return resource.Results
})
// Has vulnerabilities
assert.True(t, lo.SomeBy(results, func(r types.Result) bool {
return len(r.Vulnerabilities) > 0
}))
})
}

4
integration/registry_test.go
View File

@@ -202,12 +202,12 @@ func TestRegistry(t *testing.T) {
// Run Trivy
runTest(t, osArgs, tc.golden, "", types.FormatJSON, runOptions{
wantErr: tc.wantErr,
override: overrideFuncs(overrideUID, func(t *testing.T, _, got *types.Report) {
override: func(_, got *types.Report) {
got.ArtifactName = tc.imageName
for i := range got.Results {
got.Results[i].Target = fmt.Sprintf("%s (alpine 3.10.2)", tc.imageName)
}
}),
},
})
})
}

15
integration/repo_test.go
View File

@@ -37,7 +37,7 @@ func TestRepository(t *testing.T) {
name string
args args
golden string
override func(t *testing.T, want, got *types.Report)
override func(want, got *types.Report)
}{
{
name: "gomod",
@@ -341,15 +341,6 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/conda-cyclonedx.json.golden",
},
{
name: "conda environment.yaml generating CycloneDX SBOM",
args: args{
command: "fs",
format: "cyclonedx",
input: "testdata/fixtures/repo/conda-environment",
},
golden: "testdata/conda-environment-cyclonedx.json.golden",
},
{
name: "pom.xml generating CycloneDX SBOM (with vulnerabilities)",
args: args{
@@ -378,7 +369,7 @@ func TestRepository(t *testing.T) {
skipFiles: []string{"testdata/fixtures/repo/gomod/submod2/go.mod"},
},
golden: "testdata/gomod-skip.json.golden",
override: func(_ *testing.T, want, _ *types.Report) {
override: func(want, _ *types.Report) {
want.ArtifactType = ftypes.ArtifactFilesystem
},
},
@@ -392,7 +383,7 @@ func TestRepository(t *testing.T) {
input: "testdata/fixtures/repo/custom-policy",
},
golden: "testdata/dockerfile-custom-policies.json.golden",
override: func(_ *testing.T, want, got *types.Report) {
override: func(want, got *types.Report) {
want.ArtifactType = ftypes.ArtifactFilesystem
},
},

134
integration/sbom_test.go
View File

@@ -6,11 +6,11 @@ import (
"path/filepath"
"testing"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
)
@@ -25,7 +25,7 @@ func TestSBOM(t *testing.T) {
name string
args args
golden string
override OverrideFunc
override types.Report
}{
{
name: "centos7 cyclonedx",
@@ -35,17 +35,31 @@ func TestSBOM(t *testing.T) {
artifactType: "cyclonedx",
},
golden: "testdata/centos-7.json.golden",
override: func(t *testing.T, want, got *types.Report) {
want.ArtifactName = "testdata/fixtures/sbom/centos-7-cyclonedx.json"
want.ArtifactType = ftypes.ArtifactCycloneDX
require.Len(t, got.Results, 1)
want.Results[0].Target = "testdata/fixtures/sbom/centos-7-cyclonedx.json (centos 7.6.1810)"
require.Len(t, got.Results[0].Vulnerabilities, 3)
want.Results[0].Vulnerabilities[0].PkgIdentifier.BOMRef = "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"
want.Results[0].Vulnerabilities[1].PkgIdentifier.BOMRef = "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"
want.Results[0].Vulnerabilities[2].PkgIdentifier.BOMRef = "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"
override: types.Report{
ArtifactName: "testdata/fixtures/sbom/centos-7-cyclonedx.json",
ArtifactType: ftypes.ArtifactType("cyclonedx"),
Results: types.Results{
{
Target: "testdata/fixtures/sbom/centos-7-cyclonedx.json (centos 7.6.1810)",
Vulnerabilities: []types.DetectedVulnerability{
{
PkgIdentifier: ftypes.PkgIdentifier{
BOMRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810",
},
},
{
PkgIdentifier: ftypes.PkgIdentifier{
BOMRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
},
},
{
PkgIdentifier: ftypes.PkgIdentifier{
BOMRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
},
},
},
},
},
},
},
{
@@ -74,17 +88,31 @@ func TestSBOM(t *testing.T) {
artifactType: "cyclonedx",
},
golden: "testdata/centos-7.json.golden",
override: func(t *testing.T, want, got *types.Report) {
want.ArtifactName = "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl"
want.ArtifactType = ftypes.ArtifactCycloneDX
require.Len(t, got.Results, 1)
want.Results[0].Target = "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl (centos 7.6.1810)"
require.Len(t, got.Results[0].Vulnerabilities, 3)
want.Results[0].Vulnerabilities[0].PkgIdentifier.BOMRef = "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"
want.Results[0].Vulnerabilities[1].PkgIdentifier.BOMRef = "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"
want.Results[0].Vulnerabilities[2].PkgIdentifier.BOMRef = "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"
override: types.Report{
ArtifactName: "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl",
ArtifactType: ftypes.ArtifactType("cyclonedx"),
Results: types.Results{
{
Target: "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl (centos 7.6.1810)",
Vulnerabilities: []types.DetectedVulnerability{
{
PkgIdentifier: ftypes.PkgIdentifier{
BOMRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810",
},
},
{
PkgIdentifier: ftypes.PkgIdentifier{
BOMRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
},
},
{
PkgIdentifier: ftypes.PkgIdentifier{
BOMRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
},
},
},
},
},
},
},
{
@@ -95,12 +123,14 @@ func TestSBOM(t *testing.T) {
artifactType: "spdx",
},
golden: "testdata/centos-7.json.golden",
override: func(t *testing.T, want, got *types.Report) {
want.ArtifactName = "testdata/fixtures/sbom/centos-7-spdx.txt"
want.ArtifactType = ftypes.ArtifactSPDX
require.Len(t, got.Results, 1)
want.Results[0].Target = "testdata/fixtures/sbom/centos-7-spdx.txt (centos 7.6.1810)"
override: types.Report{
ArtifactName: "testdata/fixtures/sbom/centos-7-spdx.txt",
ArtifactType: ftypes.ArtifactType("spdx"),
Results: types.Results{
{
Target: "testdata/fixtures/sbom/centos-7-spdx.txt (centos 7.6.1810)",
},
},
},
},
{
@@ -111,12 +141,14 @@ func TestSBOM(t *testing.T) {
artifactType: "spdx",
},
golden: "testdata/centos-7.json.golden",
override: func(t *testing.T, want, got *types.Report) {
want.ArtifactName = "testdata/fixtures/sbom/centos-7-spdx.json"
want.ArtifactType = ftypes.ArtifactSPDX
require.Len(t, got.Results, 1)
want.Results[0].Target = "testdata/fixtures/sbom/centos-7-spdx.json (centos 7.6.1810)"
override: types.Report{
ArtifactName: "testdata/fixtures/sbom/centos-7-spdx.json",
ArtifactType: ftypes.ArtifactType("spdx"),
Results: types.Results{
{
Target: "testdata/fixtures/sbom/centos-7-spdx.json (centos 7.6.1810)",
},
},
},
},
{
@@ -163,30 +195,20 @@ func TestSBOM(t *testing.T) {
osArgs = append(osArgs, tt.args.input)
// Run "trivy sbom"
runTest(t, osArgs, tt.golden, outputFile, types.Format(tt.args.format), runOptions{
override: overrideFuncs(overrideSBOMReport, overrideUID, tt.override),
})
err := execute(osArgs)
assert.NoError(t, err)
// Compare want and got
switch tt.args.format {
case "json":
compareSBOMReports(t, tt.golden, outputFile, tt.override)
default:
require.Fail(t, "invalid format", "format: %s", tt.args.format)
}
})
}
}
func overrideSBOMReport(t *testing.T, want, got *types.Report) {
want.Metadata.ImageID = ""
want.Metadata.ImageConfig = v1.ConfigFile{}
want.Metadata.DiffIDs = nil
for i, result := range want.Results {
for j := range result.Vulnerabilities {
want.Results[i].Vulnerabilities[j].Layer.DiffID = ""
}
}
// when running on Windows FS
got.ArtifactName = filepath.ToSlash(filepath.Clean(got.ArtifactName))
for i, result := range got.Results {
got.Results[i].Target = filepath.ToSlash(filepath.Clean(result.Target))
}
}
// TODO(teppei): merge into compareReports
func compareSBOMReports(t *testing.T, wantFile, gotFile string, overrideWant types.Report) {
want := readReport(t, wantFile)

3
integration/testdata/almalinux-8.json.golden vendored
View File

@@ -57,8 +57,7 @@
"PkgID": "openssl-libs@1.1.1k-4.el8.x86_64",
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/alma/openssl-libs@1.1.1k-4.el8?arch=x86_64\u0026distro=alma-8.5\u0026epoch=1",
"UID": "3f965238234faa63"
"PURL": "pkg:rpm/alma/openssl-libs@1.1.1k-4.el8?arch=x86_64\u0026distro=alma-8.5\u0026epoch=1"
},
"InstalledVersion": "1:1.1.1k-4.el8",
"FixedVersion": "1:1.1.1k-5.el8_5",

12
integration/testdata/alpine-310.json.golden vendored
View File

@@ -59,8 +59,7 @@
"PkgID": "libcrypto1.1@1.1.1c-r0",
"PkgName": "libcrypto1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2",
"UID": "c6c116a4441ec6de"
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
},
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
@@ -132,8 +131,7 @@
"PkgID": "libcrypto1.1@1.1.1c-r0",
"PkgName": "libcrypto1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2",
"UID": "c6c116a4441ec6de"
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
},
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
@@ -215,8 +213,7 @@
"PkgID": "libssl1.1@1.1.1c-r0",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2",
"UID": "e132dcfcc51772ef"
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
},
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
@@ -288,8 +285,7 @@
"PkgID": "libssl1.1@1.1.1c-r0",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2",
"UID": "e132dcfcc51772ef"
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
},
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",

6
integration/testdata/alpine-39-high-critical.json.golden vendored
View File

@@ -59,8 +59,7 @@
"PkgID": "musl@1.1.20-r4",
"PkgName": "musl",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
"UID": "d6abd271e71d3ce2"
"PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
@@ -105,8 +104,7 @@
"PkgID": "musl-utils@1.1.20-r4",
"PkgName": "musl-utils",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
"UID": "8c341199f4077fc8"
"PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",

6
integration/testdata/alpine-39-ignore-cveids.json.golden vendored
View File

@@ -59,8 +59,7 @@
"PkgID": "libcrypto1.1@1.1.1b-r1",
"PkgName": "libcrypto1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4",
"UID": "d2c46e721bca75d3"
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
@@ -142,8 +141,7 @@
"PkgID": "libssl1.1@1.1.1b-r1",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4",
"UID": "e39a91b0fefcbb1d"
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",

18
integration/testdata/alpine-39.json.golden vendored
View File

@@ -59,8 +59,7 @@
"PkgID": "libcrypto1.1@1.1.1b-r1",
"PkgName": "libcrypto1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4",
"UID": "d2c46e721bca75d3"
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
@@ -132,8 +131,7 @@
"PkgID": "libcrypto1.1@1.1.1b-r1",
"PkgName": "libcrypto1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4",
"UID": "d2c46e721bca75d3"
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
@@ -215,8 +213,7 @@
"PkgID": "libssl1.1@1.1.1b-r1",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4",
"UID": "e39a91b0fefcbb1d"
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
@@ -288,8 +285,7 @@
"PkgID": "libssl1.1@1.1.1b-r1",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4",
"UID": "e39a91b0fefcbb1d"
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
@@ -371,8 +367,7 @@
"PkgID": "musl@1.1.20-r4",
"PkgName": "musl",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
"UID": "d6abd271e71d3ce2"
"PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
@@ -417,8 +412,7 @@
"PkgID": "musl-utils@1.1.20-r4",
"PkgName": "musl-utils",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
"UID": "8c341199f4077fc8"
"PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",

3
integration/testdata/alpine-distroless.json.golden vendored
View File

@@ -54,8 +54,7 @@
"PkgID": "git@2.35.1-r2",
"PkgName": "git",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/git@2.35.1-r2?arch=x86_64\u0026distro=3.16",
"UID": "d44ac4666246b919"
"PURL": "pkg:apk/alpine/git@2.35.1-r2?arch=x86_64\u0026distro=3.16"
},
"InstalledVersion": "2.35.1-r2",
"FixedVersion": "2.35.2-r0",

3
integration/testdata/amazon-1.json.golden vendored
View File

@@ -58,8 +58,7 @@
"PkgID": "curl@7.61.1-11.91.amzn1.x86_64",
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/amazon/curl@7.61.1-11.91.amzn1?arch=x86_64\u0026distro=amazon-AMI+release+2018.03",
"UID": "9fafb1be522b1e7"
"PURL": "pkg:rpm/amazon/curl@7.61.1-11.91.amzn1?arch=x86_64\u0026distro=amazon-AMI+release+2018.03"
},
"InstalledVersion": "7.61.1-11.91.amzn1",
"FixedVersion": "7.61.1-12.93.amzn1",

6
integration/testdata/amazon-2.json.golden vendored
View File

@@ -58,8 +58,7 @@
"PkgID": "curl@7.61.1-9.amzn2.0.1.x86_64",
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29",
"UID": "c5998529d683c5c3"
"PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29"
},
"InstalledVersion": "7.61.1-9.amzn2.0.1",
"FixedVersion": "7.61.1-12.amzn2.0.1",
@@ -130,8 +129,7 @@
"PkgID": "curl@7.61.1-9.amzn2.0.1.x86_64",
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29",
"UID": "c5998529d683c5c3"
"PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29"
},
"InstalledVersion": "7.61.1-9.amzn2.0.1",
"FixedVersion": "7.61.1-11.amzn2.0.2",

6
integration/testdata/busybox-with-lockfile.json.golden vendored
View File

@@ -58,8 +58,7 @@
"PkgID": "ammonia@1.9.0",
"PkgName": "ammonia",
"PkgIdentifier": {
"PURL": "pkg:cargo/ammonia@1.9.0",
"UID": "fa518cac41270ffe"
"PURL": "pkg:cargo/ammonia@1.9.0"
},
"InstalledVersion": "1.9.0",
"FixedVersion": "\u003e= 2.1.0",
@@ -104,8 +103,7 @@
"PkgID": "ammonia@1.9.0",
"PkgName": "ammonia",
"PkgIdentifier": {
"PURL": "pkg:cargo/ammonia@1.9.0",
"UID": "fa518cac41270ffe"
"PURL": "pkg:cargo/ammonia@1.9.0"
},
"InstalledVersion": "1.9.0",
"FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0",

6
integration/testdata/centos-6.json.golden vendored
View File

@@ -80,8 +80,7 @@
"PkgID": "glibc@2.12-1.212.el6.x86_64",
"PkgName": "glibc",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/glibc@2.12-1.212.el6?arch=x86_64\u0026distro=centos-6.10",
"UID": "24b11591bb7262c4"
"PURL": "pkg:rpm/centos/glibc@2.12-1.212.el6?arch=x86_64\u0026distro=centos-6.10"
},
"InstalledVersion": "2.12-1.212.el6",
"Status": "end_of_life",
@@ -137,8 +136,7 @@
"PkgID": "openssl@1.0.1e-57.el6.x86_64",
"PkgName": "openssl",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl@1.0.1e-57.el6?arch=x86_64\u0026distro=centos-6.10",
"UID": "935959fd0ed81eb9"
"PURL": "pkg:rpm/centos/openssl@1.0.1e-57.el6?arch=x86_64\u0026distro=centos-6.10"
},
"InstalledVersion": "1.0.1e-57.el6",
"FixedVersion": "1.0.1e-58.el6_10",

6
integration/testdata/centos-7-ignore-unfixed.json.golden vendored
View File

@@ -73,8 +73,7 @@
"PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
"UID": "20f09cdcea6545a2"
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
},
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",
@@ -167,8 +166,7 @@
"PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
"UID": "20f09cdcea6545a2"
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
},
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",

3
integration/testdata/centos-7-medium.json.golden vendored
View File

@@ -73,8 +73,7 @@
"PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
"UID": "20f09cdcea6545a2"
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
},
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",

9
integration/testdata/centos-7.json.golden vendored
View File

@@ -70,8 +70,7 @@
"PkgID": "bash@4.2.46-31.el7.x86_64",
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64\u0026distro=centos-7.6.1810",
"UID": "64aff37eb11b9c25"
"PURL": "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64\u0026distro=centos-7.6.1810"
},
"InstalledVersion": "4.2.46-31.el7",
"Status": "will_not_fix",
@@ -131,8 +130,7 @@
"PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
"UID": "20f09cdcea6545a2"
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
},
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",
@@ -225,8 +223,7 @@
"PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
"UID": "20f09cdcea6545a2"
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
},
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",

6
integration/testdata/cocoapods.json.golden vendored
View File

@@ -25,8 +25,7 @@
"ID": "_NIODataStructures@2.41.0",
"Name": "_NIODataStructures",
"Identifier": {
"PURL": "pkg:cocoapods/_NIODataStructures@2.41.0",
"UID": "ddc948d6b5e15241"
"PURL": "pkg:cocoapods/_NIODataStructures@2.41.0"
},
"Version": "2.41.0",
"Layer": {}
@@ -38,8 +37,7 @@
"PkgID": "_NIODataStructures@2.41.0",
"PkgName": "_NIODataStructures",
"PkgIdentifier": {
"PURL": "pkg:cocoapods/_NIODataStructures@2.41.0",
"UID": "ddc948d6b5e15241"
"PURL": "pkg:cocoapods/_NIODataStructures@2.41.0"
},
"InstalledVersion": "2.41.0",
"FixedVersion": "2.29.1, 2.39.1, 2.42.0",

11
integration/testdata/composer.lock.json.golden vendored
View File

@@ -25,14 +25,12 @@
"ID": "guzzlehttp/guzzle@7.4.4",
"Name": "guzzlehttp/guzzle",
"Identifier": {
"PURL": "pkg:composer/guzzlehttp/guzzle@7.4.4",
"UID": "c26bf8868607a91c"
"PURL": "pkg:composer/guzzlehttp/guzzle@7.4.4"
},
"Version": "7.4.4",
"Licenses": [
"MIT"
],
"Relationship": "direct",
"DependsOn": [
"guzzlehttp/psr7@1.8.3"
],
@@ -48,15 +46,13 @@
"ID": "guzzlehttp/psr7@1.8.3",
"Name": "guzzlehttp/psr7",
"Identifier": {
"PURL": "pkg:composer/guzzlehttp/psr7@1.8.3",
"UID": "1730859e3ff83ab9"
"PURL": "pkg:composer/guzzlehttp/psr7@1.8.3"
},
"Version": "1.8.3",
"Licenses": [
"MIT"
],
"Indirect": true,
"Relationship": "indirect",
"Layer": {},
"Locations": [
{
@@ -72,8 +68,7 @@
"PkgID": "guzzlehttp/psr7@1.8.3",
"PkgName": "guzzlehttp/psr7",
"PkgIdentifier": {
"PURL": "pkg:composer/guzzlehttp/psr7@1.8.3",
"UID": "1730859e3ff83ab9"
"PURL": "pkg:composer/guzzlehttp/psr7@1.8.3"
},
"InstalledVersion": "1.8.3",
"FixedVersion": "1.8.4",

31
integration/testdata/conan.json.golden vendored
View File

@@ -25,12 +25,10 @@
"ID": "bzip2/1.0.8",
"Name": "bzip2",
"Identifier": {
"PURL": "pkg:conan/bzip2@1.0.8",
"UID": "6e2ff993df2d9107"
"PURL": "pkg:conan/bzip2@1.0.8"
},
"Version": "1.0.8",
"Indirect": true,
"Relationship": "indirect",
"Layer": {},
"Locations": [
{
@@ -43,12 +41,10 @@
"ID": "expat/2.4.8",
"Name": "expat",
"Identifier": {
"PURL": "pkg:conan/expat@2.4.8",
"UID": "71c2d92d60f7f21c"
"PURL": "pkg:conan/expat@2.4.8"
},
"Version": "2.4.8",
"Indirect": true,
"Relationship": "indirect",
"Layer": {},
"Locations": [
{
@@ -61,12 +57,10 @@
"ID": "openssl/1.1.1q",
"Name": "openssl",
"Identifier": {
"PURL": "pkg:conan/openssl@1.1.1q",
"UID": "13c605db6afa69dd"
"PURL": "pkg:conan/openssl@1.1.1q"
},
"Version": "1.1.1q",
"Indirect": true,
"Relationship": "indirect",
"Layer": {},
"Locations": [
{
@@ -79,12 +73,10 @@
"ID": "pcre/8.43",
"Name": "pcre",
"Identifier": {
"PURL": "pkg:conan/pcre@8.43",
"UID": "4e01c692a67e12e4"
"PURL": "pkg:conan/pcre@8.43"
},
"Version": "8.43",
"Indirect": true,
"Relationship": "indirect",
"DependsOn": [
"bzip2/1.0.8",
"zlib/1.2.12"
@@ -101,11 +93,9 @@
"ID": "poco/1.9.4",
"Name": "poco",
"Identifier": {
"PURL": "pkg:conan/poco@1.9.4",
"UID": "312753cebe80c0eb"
"PURL": "pkg:conan/poco@1.9.4"
},
"Version": "1.9.4",
"Relationship": "direct",
"DependsOn": [
"pcre/8.43",
"zlib/1.2.12",
@@ -125,12 +115,10 @@
"ID": "sqlite3/3.39.2",
"Name": "sqlite3",
"Identifier": {
"PURL": "pkg:conan/sqlite3@3.39.2",
"UID": "43bc9c58092c7c9e"
"PURL": "pkg:conan/sqlite3@3.39.2"
},
"Version": "3.39.2",
"Indirect": true,
"Relationship": "indirect",
"Layer": {},
"Locations": [
{
@@ -143,12 +131,10 @@
"ID": "zlib/1.2.12",
"Name": "zlib",
"Identifier": {
"PURL": "pkg:conan/zlib@1.2.12",
"UID": "d6faf8d6dfd1985"
"PURL": "pkg:conan/zlib@1.2.12"
},
"Version": "1.2.12",
"Indirect": true,
"Relationship": "indirect",
"Layer": {},
"Locations": [
{
@@ -164,8 +150,7 @@
"PkgID": "pcre/8.43",
"PkgName": "pcre",
"PkgIdentifier": {
"PURL": "pkg:conan/pcre@8.43",
"UID": "4e01c692a67e12e4"
"PURL": "pkg:conan/pcre@8.43"
},
"InstalledVersion": "8.43",
"FixedVersion": "8.45",

80
integration/testdata/conda-environment-cyclonedx.json.golden vendored
View File

@@ -1,80 +0,0 @@
{
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000004",
"version": 1,
"metadata": {
"timestamp": "2021-08-25T12:20:30+00:00",
"tools": {
"components": [
{
"type": "application",
"group": "aquasecurity",
"name": "trivy",
"version": "dev"
}
]
},
"component": {
"bom-ref": "3ff14136-e09f-4df9-80ea-000000000001",
"type": "application",
"name": "testdata/fixtures/repo/conda-environment",
"properties": [
{
"name": "aquasecurity:trivy:SchemaVersion",
"value": "2"
}
]
}
},
"components": [
{
"bom-ref": "3ff14136-e09f-4df9-80ea-000000000002",
"type": "application",
"name": "environment.yaml",
"properties": [
{
"name": "aquasecurity:trivy:Class",
"value": "lang-pkgs"
},
{
"name": "aquasecurity:trivy:Type",
"value": "conda-environment"
}
]
},
{
"bom-ref": "pkg:conda/bzip2@1.0.8",
"type": "library",
"name": "bzip2",
"version": "1.0.8",
"purl": "pkg:conda/bzip2@1.0.8",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "conda-environment"
}
]
}
],
"dependencies": [
{
"ref": "3ff14136-e09f-4df9-80ea-000000000001",
"dependsOn": [
"3ff14136-e09f-4df9-80ea-000000000002"
]
},
{
"ref": "3ff14136-e09f-4df9-80ea-000000000002",
"dependsOn": [
"pkg:conda/bzip2@1.0.8"
]
},
{
"ref": "pkg:conda/bzip2@1.0.8",
"dependsOn": []
}
],
"vulnerabilities": []
}

3
integration/testdata/debian-buster-ignore-unfixed.json.golden vendored
View File

@@ -61,8 +61,7 @@
"PkgID": "libidn2-0@2.0.5-1",
"PkgName": "libidn2-0",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1",
"UID": "473f5eb9e3d4a2f2"
"PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1"
},
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",

6
integration/testdata/debian-buster.json.golden vendored
View File

@@ -58,8 +58,7 @@
"PkgID": "bash@5.0-4",
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/bash@5.0-4?arch=amd64\u0026distro=debian-10.1",
"UID": "d45ab8ae65ffe67"
"PURL": "pkg:deb/debian/bash@5.0-4?arch=amd64\u0026distro=debian-10.1"
},
"InstalledVersion": "5.0-4",
"Status": "affected",
@@ -125,8 +124,7 @@
"PkgID": "libidn2-0@2.0.5-1",
"PkgName": "libidn2-0",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1",
"UID": "473f5eb9e3d4a2f2"
"PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1"
},
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",

15
integration/testdata/debian-stretch.json.golden vendored
View File

@@ -58,8 +58,7 @@
"PkgID": "bash@4.4-5",
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/bash@4.4-5?arch=amd64\u0026distro=debian-9.9",
"UID": "6100d09336f565a0"
"PURL": "pkg:deb/debian/bash@4.4-5?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "4.4-5",
"Status": "end_of_life",
@@ -125,8 +124,7 @@
"PkgID": "e2fslibs@1.43.4-2",
"PkgName": "e2fslibs",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/e2fslibs@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
"UID": "656652ce5818f7b6"
"PURL": "pkg:deb/debian/e2fslibs@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",
@@ -199,8 +197,7 @@
"PkgID": "e2fsprogs@1.43.4-2",
"PkgName": "e2fsprogs",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/e2fsprogs@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
"UID": "3d19fd957338dc06"
"PURL": "pkg:deb/debian/e2fsprogs@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",
@@ -273,8 +270,7 @@
"PkgID": "libcomerr2@1.43.4-2",
"PkgName": "libcomerr2",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libcomerr2@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
"UID": "6ba1fac685a0c068"
"PURL": "pkg:deb/debian/libcomerr2@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",
@@ -347,8 +343,7 @@
"PkgID": "libss2@1.43.4-2",
"PkgName": "libss2",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libss2@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
"UID": "e507c185f61cd2e8"
"PURL": "pkg:deb/debian/libss2@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",

12
integration/testdata/distroless-base.json.golden vendored
View File

@@ -56,8 +56,7 @@
"PkgID": "libssl1.1@1.1.0k-1~deb9u1",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "96b92444b87304a5"
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"Status": "affected",
@@ -141,8 +140,7 @@
"PkgID": "libssl1.1@1.1.0k-1~deb9u1",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "96b92444b87304a5"
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
@@ -232,8 +230,7 @@
"PkgID": "openssl@1.1.0k-1~deb9u1",
"PkgName": "openssl",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "ed86402b9a8c2be6"
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"Status": "affected",
@@ -317,8 +314,7 @@
"PkgID": "openssl@1.1.0k-1~deb9u1",
"PkgName": "openssl",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "ed86402b9a8c2be6"
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",

12
integration/testdata/distroless-python27.json.golden vendored
View File

@@ -73,8 +73,7 @@
"PkgID": "libssl1.1@1.1.0k-1~deb9u1",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "96b92444b87304a5"
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"Status": "affected",
@@ -158,8 +157,7 @@
"PkgID": "libssl1.1@1.1.0k-1~deb9u1",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "96b92444b87304a5"
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
@@ -249,8 +247,7 @@
"PkgID": "openssl@1.1.0k-1~deb9u1",
"PkgName": "openssl",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "ed86402b9a8c2be6"
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"Status": "affected",
@@ -334,8 +331,7 @@
"PkgID": "openssl@1.1.0k-1~deb9u1",
"PkgName": "openssl",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "ed86402b9a8c2be6"
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",

6
integration/testdata/dotnet.json.golden vendored
View File

@@ -24,8 +24,7 @@
{
"Name": "Newtonsoft.Json",
"Identifier": {
"PURL": "pkg:nuget/Newtonsoft.Json@9.0.1",
"UID": "19955f480b8a6340"
"PURL": "pkg:nuget/Newtonsoft.Json@9.0.1"
},
"Version": "9.0.1",
"Layer": {},
@@ -42,8 +41,7 @@
"VulnerabilityID": "GHSA-5crp-9r3c-p9vr",
"PkgName": "Newtonsoft.Json",
"PkgIdentifier": {
"PURL": "pkg:nuget/Newtonsoft.Json@9.0.1",
"UID": "19955f480b8a6340"
"PURL": "pkg:nuget/Newtonsoft.Json@9.0.1"
},
"InstalledVersion": "9.0.1",
"FixedVersion": "13.0.1",

6
integration/testdata/fixtures/repo/conda-environment/environment.yaml vendored
View File

@@ -1,6 +0,0 @@
name: test-env
channels:
- defaults
dependencies:
- bzip2=1.0.8=h998d150_5
prefix: /opt/conda/envs/test-env

21
integration/testdata/fixtures/sbom/minikube-kbom.json vendored
View File

@@ -48,22 +48,6 @@
}
]
},
{
"bom-ref": "b6f66546-5a5c-4fe8-a30f-acb04013c151",
"type": "operating-system",
"name": "ubuntu",
"version": "22.04.2",
"properties": [
{
"name": "aquasecurity:trivy:Class",
"value": "os-pkgs"
},
{
"name": "aquasecurity:trivy:Type",
"value": "ubuntu"
}
]
},
{
"bom-ref": "a62abb1f-cb38-4fde-90f3-2bda3b87ddb2",
"type": "application",
@@ -341,10 +325,6 @@
"ref": "5262e708-f1a3-4fca-a1c3-0a8384f7f4a5",
"dependsOn": []
},
{
"ref": "b6f66546-5a5c-4fe8-a30f-acb04013c151",
"dependsOn": []
},
{
"ref": "a62abb1f-cb38-4fde-90f3-2bda3b87ddb2",
"dependsOn": [
@@ -356,7 +336,6 @@
"ref": "a6350ac3-52f6-4c5f-a3e3-184b9a634bef",
"dependsOn": [
"5262e708-f1a3-4fca-a1c3-0a8384f7f4a5",
"b6f66546-5a5c-4fe8-a30f-acb04013c151",
"a62abb1f-cb38-4fde-90f3-2bda3b87ddb2"
]
},

6
integration/testdata/fluentd-gems.json.golden vendored
View File

@@ -114,8 +114,7 @@
"PkgID": "libidn2-0@2.0.5-1",
"PkgName": "libidn2-0",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.2",
"UID": "14f80a7091a08e71"
"PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.2"
},
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",
@@ -186,8 +185,7 @@
"PkgName": "activesupport",
"PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
"PkgIdentifier": {
"PURL": "pkg:gem/activesupport@6.0.2.1",
"UID": "dedd4bd33ed812a3"
"PURL": "pkg:gem/activesupport@6.0.2.1"
},
"InstalledVersion": "6.0.2.1",
"FixedVersion": "6.0.3.1, 5.2.4.3",

3
integration/testdata/fluentd-multiple-lockfiles.json.golden vendored
View File

@@ -31,7 +31,6 @@
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/bash@5.0-4?distro=debian-10.2",
"UID": "8ca99d0ea2f4b0a3",
"BOMRef": "pkg:deb/debian/bash@5.0-4?distro=debian-10.2"
},
"InstalledVersion": "5.0-4",
@@ -96,7 +95,6 @@
"PkgName": "libidn2-0",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2",
"UID": "bd31ad93af9a5d2",
"BOMRef": "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2"
},
"InstalledVersion": "2.0.5-1",
@@ -167,7 +165,6 @@
"PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
"PkgIdentifier": {
"PURL": "pkg:gem/activesupport@6.0.2.1",
"UID": "66a6de64809697cd",
"BOMRef": "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec"
},
"InstalledVersion": "6.0.2.1",

12
integration/testdata/gomod-skip.json.golden vendored
View File

@@ -26,8 +26,7 @@
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
"UID": "de19cd663ca047a8"
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
},
"InstalledVersion": "2.7.1+incompatible",
"FixedVersion": "v2.8.0",
@@ -53,8 +52,7 @@
"PkgID": "github.com/open-policy-agent/opa@v0.35.0",
"PkgName": "github.com/open-policy-agent/opa",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0",
"UID": "6b685002e082ffc5"
"PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0"
},
"InstalledVersion": "0.35.0",
"FixedVersion": "0.37.0",
@@ -100,8 +98,7 @@
"PkgID": "golang.org/x/text@v0.3.6",
"PkgName": "golang.org/x/text",
"PkgIdentifier": {
"PURL": "pkg:golang/golang.org/x/text@0.3.6",
"UID": "825dc613c0f39d45"
"PURL": "pkg:golang/golang.org/x/text@0.3.6"
},
"InstalledVersion": "0.3.6",
"FixedVersion": "0.3.7",
@@ -133,8 +130,7 @@
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
"UID": "94376dc37054a7e8"
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
},
"InstalledVersion": "2.7.1+incompatible",
"FixedVersion": "v2.8.0",

15
integration/testdata/gomod.json.golden vendored
View File

@@ -26,8 +26,7 @@
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
"UID": "de19cd663ca047a8"
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
},
"InstalledVersion": "2.7.1+incompatible",
"FixedVersion": "v2.8.0",
@@ -53,8 +52,7 @@
"PkgID": "github.com/open-policy-agent/opa@v0.35.0",
"PkgName": "github.com/open-policy-agent/opa",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0",
"UID": "6b685002e082ffc5"
"PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0"
},
"InstalledVersion": "0.35.0",
"FixedVersion": "0.37.0",
@@ -100,8 +98,7 @@
"PkgID": "golang.org/x/text@v0.3.6",
"PkgName": "golang.org/x/text",
"PkgIdentifier": {
"PURL": "pkg:golang/golang.org/x/text@0.3.6",
"UID": "825dc613c0f39d45"
"PURL": "pkg:golang/golang.org/x/text@0.3.6"
},
"InstalledVersion": "0.3.6",
"FixedVersion": "0.3.7",
@@ -133,8 +130,7 @@
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
"UID": "94376dc37054a7e8"
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
},
"InstalledVersion": "2.7.1+incompatible",
"FixedVersion": "v2.8.0",
@@ -167,8 +163,7 @@
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
"UID": "94306cdcf85fb50a"
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
},
"InstalledVersion": "2.7.1+incompatible",
"FixedVersion": "v2.8.0",

6
integration/testdata/gradle.json.golden vendored
View File

@@ -26,8 +26,7 @@
"PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1",
"PkgName": "com.fasterxml.jackson.core:jackson-databind",
"PkgIdentifier": {
"PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
"UID": "7014f907b756006b"
"PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
},
"InstalledVersion": "2.9.1",
"FixedVersion": "2.9.10.4",
@@ -92,8 +91,7 @@
"PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1",
"PkgName": "com.fasterxml.jackson.core:jackson-databind",
"PkgIdentifier": {
"PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
"UID": "7014f907b756006b"
"PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
},
"InstalledVersion": "2.9.1",
"FixedVersion": "2.9.10.7",

6
integration/testdata/mariner-1.0.json.golden vendored
View File

@@ -42,8 +42,7 @@
"VulnerabilityID": "CVE-2022-0261",
"PkgName": "vim",
"PkgIdentifier": {
"PURL": "pkg:cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64",
"UID": "3f08cd76fa5ba73d"
"PURL": "pkg:cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64"
},
"InstalledVersion": "8.2.4081-1.cm1",
"Status": "affected",
@@ -79,8 +78,7 @@
"VulnerabilityID": "CVE-2022-0158",
"PkgName": "vim",
"PkgIdentifier": {
"PURL": "pkg:cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64",
"UID": "3f08cd76fa5ba73d"
"PURL": "pkg:cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64"
},
"InstalledVersion": "8.2.4081-1.cm1",
"FixedVersion": "8.2.4082-1.cm1",

1
integration/testdata/minikube-kbom.json.golden vendored
View File

@@ -36,7 +36,6 @@
"PkgName": "k8s.io/kubelet",
"PkgIdentifier": {
"PURL": "pkg:k8s/k8s.io%2Fkubelet@1.27.0",
"UID": "4cb15d0a98eeae67",
"BOMRef": "pkg:k8s/k8s.io%2Fkubelet@1.27.0"
},
"InstalledVersion": "1.27.0",

33
integration/testdata/mix.lock.json.golden vendored
View File

@@ -25,8 +25,7 @@
"ID": "castore@0.1.18",
"Name": "castore",
"Identifier": {
"PURL": "pkg:hex/castore@0.1.18",
"UID": "92fd0f5d45735c7c"
"PURL": "pkg:hex/castore@0.1.18"
},
"Version": "0.1.18",
"Layer": {},
@@ -41,8 +40,7 @@
"ID": "jason@1.4.0",
"Name": "jason",
"Identifier": {
"PURL": "pkg:hex/jason@1.4.0",
"UID": "b9cff6ce54a65dae"
"PURL": "pkg:hex/jason@1.4.0"
},
"Version": "1.4.0",
"Layer": {},
@@ -57,8 +55,7 @@
"ID": "phoenix@1.6.13",
"Name": "phoenix",
"Identifier": {
"PURL": "pkg:hex/phoenix@1.6.13",
"UID": "5b0d3fb75bef47e3"
"PURL": "pkg:hex/phoenix@1.6.13"
},
"Version": "1.6.13",
"Layer": {},
@@ -73,8 +70,7 @@
"ID": "phoenix_html@3.2.0",
"Name": "phoenix_html",
"Identifier": {
"PURL": "pkg:hex/phoenix_html@3.2.0",
"UID": "8c18e24394b53ab"
"PURL": "pkg:hex/phoenix_html@3.2.0"
},
"Version": "3.2.0",
"Layer": {},
@@ -89,8 +85,7 @@
"ID": "phoenix_pubsub@2.1.1",
"Name": "phoenix_pubsub",
"Identifier": {
"PURL": "pkg:hex/phoenix_pubsub@2.1.1",
"UID": "89226dc20d54eb50"
"PURL": "pkg:hex/phoenix_pubsub@2.1.1"
},
"Version": "2.1.1",
"Layer": {},
@@ -105,8 +100,7 @@
"ID": "phoenix_template@1.0.0",
"Name": "phoenix_template",
"Identifier": {
"PURL": "pkg:hex/phoenix_template@1.0.0",
"UID": "5cd9afe7111a31b7"
"PURL": "pkg:hex/phoenix_template@1.0.0"
},
"Version": "1.0.0",
"Layer": {},
@@ -121,8 +115,7 @@
"ID": "phoenix_view@2.0.1",
"Name": "phoenix_view",
"Identifier": {
"PURL": "pkg:hex/phoenix_view@2.0.1",
"UID": "2f4485f9653589ad"
"PURL": "pkg:hex/phoenix_view@2.0.1"
},
"Version": "2.0.1",
"Layer": {},
@@ -137,8 +130,7 @@
"ID": "plug@1.14.0",
"Name": "plug",
"Identifier": {
"PURL": "pkg:hex/plug@1.14.0",
"UID": "2390188ac1142ded"
"PURL": "pkg:hex/plug@1.14.0"
},
"Version": "1.14.0",
"Layer": {},
@@ -153,8 +145,7 @@
"ID": "plug_crypto@1.2.3",
"Name": "plug_crypto",
"Identifier": {
"PURL": "pkg:hex/plug_crypto@1.2.3",
"UID": "912b06dac071654"
"PURL": "pkg:hex/plug_crypto@1.2.3"
},
"Version": "1.2.3",
"Layer": {},
@@ -169,8 +160,7 @@
"ID": "telemetry@1.1.0",
"Name": "telemetry",
"Identifier": {
"PURL": "pkg:hex/telemetry@1.1.0",
"UID": "15879b8627da74b9"
"PURL": "pkg:hex/telemetry@1.1.0"
},
"Version": "1.1.0",
"Layer": {},
@@ -188,8 +178,7 @@
"PkgID": "phoenix@1.6.13",
"PkgName": "phoenix",
"PkgIdentifier": {
"PURL": "pkg:hex/phoenix@1.6.13",
"UID": "5b0d3fb75bef47e3"
"PURL": "pkg:hex/phoenix@1.6.13"
},
"InstalledVersion": "1.6.13",
"FixedVersion": "1.6.14",

55
integration/testdata/npm-with-dev.json.golden vendored
View File

@@ -25,10 +25,10 @@
"ID": "asap@2.0.6",
"Name": "asap",
"Identifier": {
"PURL": "pkg:npm/asap@2.0.6",
"UID": "199d95f873330bd3"
"PURL": "pkg:npm/asap@2.0.6"
},
"Version": "2.0.6",
"Indirect": true,
"Layer": {},
"Locations": [
{
@@ -41,13 +41,13 @@
"ID": "jquery@3.3.9",
"Name": "jquery",
"Identifier": {
"PURL": "pkg:npm/jquery@3.3.9",
"UID": "e19e84d31f72b60c"
"PURL": "pkg:npm/jquery@3.3.9"
},
"Version": "3.3.9",
"Licenses": [
"MIT"
],
"Indirect": true,
"Layer": {},
"Locations": [
{
@@ -60,10 +60,10 @@
"ID": "js-tokens@4.0.0",
"Name": "js-tokens",
"Identifier": {
"PURL": "pkg:npm/js-tokens@4.0.0",
"UID": "605df7770562762"
"PURL": "pkg:npm/js-tokens@4.0.0"
},
"Version": "4.0.0",
"Indirect": true,
"Layer": {},
"Locations": [
{
@@ -76,10 +76,10 @@
"ID": "loose-envify@1.4.0",
"Name": "loose-envify",
"Identifier": {
"PURL": "pkg:npm/loose-envify@1.4.0",
"UID": "a40682339e264167"
"PURL": "pkg:npm/loose-envify@1.4.0"
},
"Version": "1.4.0",
"Indirect": true,
"DependsOn": [
"js-tokens@4.0.0"
],
@@ -95,10 +95,10 @@
"ID": "object-assign@4.1.1",
"Name": "object-assign",
"Identifier": {
"PURL": "pkg:npm/object-assign@4.1.1",
"UID": "ec3b70276c206ac2"
"PURL": "pkg:npm/object-assign@4.1.1"
},
"Version": "4.1.1",
"Indirect": true,
"Layer": {},
"Locations": [
{
@@ -111,13 +111,13 @@
"ID": "promise@8.0.3",
"Name": "promise",
"Identifier": {
"PURL": "pkg:npm/promise@8.0.3",
"UID": "b60f9aaa4e3cba8f"
"PURL": "pkg:npm/promise@8.0.3"
},
"Version": "8.0.3",
"Licenses": [
"MIT"
],
"Indirect": true,
"DependsOn": [
"asap@2.0.6"
],
@@ -133,10 +133,10 @@
"ID": "prop-types@15.7.2",
"Name": "prop-types",
"Identifier": {
"PURL": "pkg:npm/prop-types@15.7.2",
"UID": "5a0c427e953b2a24"
"PURL": "pkg:npm/prop-types@15.7.2"
},
"Version": "15.7.2",
"Indirect": true,
"DependsOn": [
"loose-envify@1.4.0",
"object-assign@4.1.1",
@@ -154,13 +154,13 @@
"ID": "react@16.8.6",
"Name": "react",
"Identifier": {
"PURL": "pkg:npm/react@16.8.6",
"UID": "da9140320b70dc57"
"PURL": "pkg:npm/react@16.8.6"
},
"Version": "16.8.6",
"Licenses": [
"MIT"
],
"Indirect": true,
"DependsOn": [
"loose-envify@1.4.0",
"object-assign@4.1.1",
@@ -179,13 +179,13 @@
"ID": "react-is@16.8.6",
"Name": "react-is",
"Identifier": {
"PURL": "pkg:npm/react-is@16.8.6",
"UID": "f50b67a44460b362"
"PURL": "pkg:npm/react-is@16.8.6"
},
"Version": "16.8.6",
"Licenses": [
"MIT"
],
"Indirect": true,
"Layer": {},
"Locations": [
{
@@ -198,13 +198,13 @@
"ID": "redux@4.0.1",
"Name": "redux",
"Identifier": {
"PURL": "pkg:npm/redux@4.0.1",
"UID": "fbb7d7c45dbba492"
"PURL": "pkg:npm/redux@4.0.1"
},
"Version": "4.0.1",
"Licenses": [
"MIT"
],
"Indirect": true,
"DependsOn": [
"loose-envify@1.4.0",
"symbol-observable@1.2.0"
@@ -221,10 +221,10 @@
"ID": "scheduler@0.13.6",
"Name": "scheduler",
"Identifier": {
"PURL": "pkg:npm/scheduler@0.13.6",
"UID": "9738f8ac302a0bb"
"PURL": "pkg:npm/scheduler@0.13.6"
},
"Version": "0.13.6",
"Indirect": true,
"DependsOn": [
"loose-envify@1.4.0",
"object-assign@4.1.1"
@@ -241,10 +241,10 @@
"ID": "symbol-observable@1.2.0",
"Name": "symbol-observable",
"Identifier": {
"PURL": "pkg:npm/symbol-observable@1.2.0",
"UID": "b14a083f8b9e59bc"
"PURL": "pkg:npm/symbol-observable@1.2.0"
},
"Version": "1.2.0",
"Indirect": true,
"Layer": {},
"Locations": [
{
@@ -257,14 +257,14 @@
"ID": "z-lock@1.0.0",
"Name": "z-lock",
"Identifier": {
"PURL": "pkg:npm/z-lock@1.0.0",
"UID": "f6ba8a4be50ce713"
"PURL": "pkg:npm/z-lock@1.0.0"
},
"Version": "1.0.0",
"Dev": true,
"Licenses": [
"MIT"
],
"Indirect": true,
"Layer": {},
"Locations": [
{
@@ -280,8 +280,7 @@
"PkgID": "jquery@3.3.9",
"PkgName": "jquery",
"PkgIdentifier": {
"PURL": "pkg:npm/jquery@3.3.9",
"UID": "e19e84d31f72b60c"
"PURL": "pkg:npm/jquery@3.3.9"
},
"InstalledVersion": "3.3.9",
"FixedVersion": "3.4.0",

51
integration/testdata/npm.json.golden vendored
View File

@@ -25,10 +25,10 @@
"ID": "asap@2.0.6",
"Name": "asap",
"Identifier": {
"PURL": "pkg:npm/asap@2.0.6",
"UID": "199d95f873330bd3"
"PURL": "pkg:npm/asap@2.0.6"
},
"Version": "2.0.6",
"Indirect": true,
"Layer": {},
"Locations": [
{
@@ -41,13 +41,13 @@
"ID": "jquery@3.3.9",
"Name": "jquery",
"Identifier": {
"PURL": "pkg:npm/jquery@3.3.9",
"UID": "e19e84d31f72b60c"
"PURL": "pkg:npm/jquery@3.3.9"
},
"Version": "3.3.9",
"Licenses": [
"MIT"
],
"Indirect": true,
"Layer": {},
"Locations": [
{
@@ -60,10 +60,10 @@
"ID": "js-tokens@4.0.0",
"Name": "js-tokens",
"Identifier": {
"PURL": "pkg:npm/js-tokens@4.0.0",
"UID": "605df7770562762"
"PURL": "pkg:npm/js-tokens@4.0.0"
},
"Version": "4.0.0",
"Indirect": true,
"Layer": {},
"Locations": [
{
@@ -76,10 +76,10 @@
"ID": "loose-envify@1.4.0",
"Name": "loose-envify",
"Identifier": {
"PURL": "pkg:npm/loose-envify@1.4.0",
"UID": "a40682339e264167"
"PURL": "pkg:npm/loose-envify@1.4.0"
},
"Version": "1.4.0",
"Indirect": true,
"DependsOn": [
"js-tokens@4.0.0"
],
@@ -95,10 +95,10 @@
"ID": "object-assign@4.1.1",
"Name": "object-assign",
"Identifier": {
"PURL": "pkg:npm/object-assign@4.1.1",
"UID": "ec3b70276c206ac2"
"PURL": "pkg:npm/object-assign@4.1.1"
},
"Version": "4.1.1",
"Indirect": true,
"Layer": {},
"Locations": [
{
@@ -111,13 +111,13 @@
"ID": "promise@8.0.3",
"Name": "promise",
"Identifier": {
"PURL": "pkg:npm/promise@8.0.3",
"UID": "b60f9aaa4e3cba8f"
"PURL": "pkg:npm/promise@8.0.3"
},
"Version": "8.0.3",
"Licenses": [
"MIT"
],
"Indirect": true,
"DependsOn": [
"asap@2.0.6"
],
@@ -133,10 +133,10 @@
"ID": "prop-types@15.7.2",
"Name": "prop-types",
"Identifier": {
"PURL": "pkg:npm/prop-types@15.7.2",
"UID": "5a0c427e953b2a24"
"PURL": "pkg:npm/prop-types@15.7.2"
},
"Version": "15.7.2",
"Indirect": true,
"DependsOn": [
"loose-envify@1.4.0",
"object-assign@4.1.1",
@@ -154,13 +154,13 @@
"ID": "react@16.8.6",
"Name": "react",
"Identifier": {
"PURL": "pkg:npm/react@16.8.6",
"UID": "da9140320b70dc57"
"PURL": "pkg:npm/react@16.8.6"
},
"Version": "16.8.6",
"Licenses": [
"MIT"
],
"Indirect": true,
"DependsOn": [
"loose-envify@1.4.0",
"object-assign@4.1.1",
@@ -179,13 +179,13 @@
"ID": "react-is@16.8.6",
"Name": "react-is",
"Identifier": {
"PURL": "pkg:npm/react-is@16.8.6",
"UID": "f50b67a44460b362"
"PURL": "pkg:npm/react-is@16.8.6"
},
"Version": "16.8.6",
"Licenses": [
"MIT"
],
"Indirect": true,
"Layer": {},
"Locations": [
{
@@ -198,13 +198,13 @@
"ID": "redux@4.0.1",
"Name": "redux",
"Identifier": {
"PURL": "pkg:npm/redux@4.0.1",
"UID": "fbb7d7c45dbba492"
"PURL": "pkg:npm/redux@4.0.1"
},
"Version": "4.0.1",
"Licenses": [
"MIT"
],
"Indirect": true,
"DependsOn": [
"loose-envify@1.4.0",
"symbol-observable@1.2.0"
@@ -221,10 +221,10 @@
"ID": "scheduler@0.13.6",
"Name": "scheduler",
"Identifier": {
"PURL": "pkg:npm/scheduler@0.13.6",
"UID": "9738f8ac302a0bb"
"PURL": "pkg:npm/scheduler@0.13.6"
},
"Version": "0.13.6",
"Indirect": true,
"DependsOn": [
"loose-envify@1.4.0",
"object-assign@4.1.1"
@@ -241,10 +241,10 @@
"ID": "symbol-observable@1.2.0",
"Name": "symbol-observable",
"Identifier": {
"PURL": "pkg:npm/symbol-observable@1.2.0",
"UID": "b14a083f8b9e59bc"
"PURL": "pkg:npm/symbol-observable@1.2.0"
},
"Version": "1.2.0",
"Indirect": true,
"Layer": {},
"Locations": [
{
@@ -260,8 +260,7 @@
"PkgID": "jquery@3.3.9",
"PkgName": "jquery",
"PkgIdentifier": {
"PURL": "pkg:npm/jquery@3.3.9",
"UID": "e19e84d31f72b60c"
"PURL": "pkg:npm/jquery@3.3.9"
},
"InstalledVersion": "3.3.9",
"FixedVersion": "3.4.0",

11
integration/testdata/nuget.json.golden vendored
View File

@@ -25,11 +25,9 @@
"ID": "Newtonsoft.Json@12.0.3",
"Name": "Newtonsoft.Json",
"Identifier": {
"PURL": "pkg:nuget/Newtonsoft.Json@12.0.3",
"UID": "d4249b2442e303e9"
"PURL": "pkg:nuget/Newtonsoft.Json@12.0.3"
},
"Version": "12.0.3",
"Relationship": "direct",
"Layer": {},
"Locations": [
{
@@ -42,11 +40,9 @@
"ID": "NuGet.Frameworks@5.7.0",
"Name": "NuGet.Frameworks",
"Identifier": {
"PURL": "pkg:nuget/NuGet.Frameworks@5.7.0",
"UID": "6fa0c117039de82a"
"PURL": "pkg:nuget/NuGet.Frameworks@5.7.0"
},
"Version": "5.7.0",
"Relationship": "direct",
"DependsOn": [
"Newtonsoft.Json@12.0.3"
],
@@ -65,8 +61,7 @@
"PkgID": "Newtonsoft.Json@12.0.3",
"PkgName": "Newtonsoft.Json",
"PkgIdentifier": {
"PURL": "pkg:nuget/Newtonsoft.Json@12.0.3",
"UID": "d4249b2442e303e9"
"PURL": "pkg:nuget/Newtonsoft.Json@12.0.3"
},
"InstalledVersion": "12.0.3",
"FixedVersion": "13.0.1",

6
integration/testdata/opensuse-leap-151.json.golden vendored
View File

@@ -66,8 +66,7 @@
"PkgID": "libopenssl1_1@1.1.0i-lp151.8.3.1.x86_64",
"PkgName": "libopenssl1_1",
"PkgIdentifier": {
"PURL": "pkg:rpm/opensuse.leap/libopenssl1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1",
"UID": "898b73ddd0412f57"
"PURL": "pkg:rpm/opensuse.leap/libopenssl1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1"
},
"InstalledVersion": "1.1.0i-lp151.8.3.1",
"FixedVersion": "1.1.0i-lp151.8.6.1",
@@ -99,8 +98,7 @@
"PkgID": "openssl-1_1@1.1.0i-lp151.8.3.1.x86_64",
"PkgName": "openssl-1_1",
"PkgIdentifier": {
"PURL": "pkg:rpm/opensuse.leap/openssl-1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1",
"UID": "58980d005de43f54"
"PURL": "pkg:rpm/opensuse.leap/openssl-1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1"
},
"InstalledVersion": "1.1.0i-lp151.8.3.1",
"FixedVersion": "1.1.0i-lp151.8.6.1",

6
integration/testdata/oraclelinux-8.json.golden vendored
View File

@@ -67,8 +67,7 @@
"PkgID": "curl@7.61.1-8.el8.x86_64",
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/oracle/curl@7.61.1-8.el8?arch=x86_64\u0026distro=oracle-8.0",
"UID": "6837a94bd82971ac"
"PURL": "pkg:rpm/oracle/curl@7.61.1-8.el8?arch=x86_64\u0026distro=oracle-8.0"
},
"InstalledVersion": "7.61.1-8.el8",
"FixedVersion": "7.61.1-11.el8",
@@ -138,8 +137,7 @@
"PkgID": "curl@7.61.1-8.el8.x86_64",
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/oracle/curl@7.61.1-8.el8?arch=x86_64\u0026distro=oracle-8.0",
"UID": "6837a94bd82971ac"
"PURL": "pkg:rpm/oracle/curl@7.61.1-8.el8?arch=x86_64\u0026distro=oracle-8.0"
},
"InstalledVersion": "7.61.1-8.el8",
"FixedVersion": "7.61.1-12.el8",

6
integration/testdata/packagesprops.json.golden vendored
View File

@@ -25,8 +25,7 @@
"ID": "Newtonsoft.Json@9.0.1",
"Name": "Newtonsoft.Json",
"Identifier": {
"PURL": "pkg:nuget/Newtonsoft.Json@9.0.1",
"UID": "a391c576ea549d63"
"PURL": "pkg:nuget/Newtonsoft.Json@9.0.1"
},
"Version": "9.0.1",
"Layer": {}
@@ -38,8 +37,7 @@
"PkgID": "Newtonsoft.Json@9.0.1",
"PkgName": "Newtonsoft.Json",
"PkgIdentifier": {
"PURL": "pkg:nuget/Newtonsoft.Json@9.0.1",
"UID": "a391c576ea549d63"
"PURL": "pkg:nuget/Newtonsoft.Json@9.0.1"
},
"InstalledVersion": "9.0.1",
"FixedVersion": "13.0.1",

9
integration/testdata/photon-30.json.golden vendored
View File

@@ -68,8 +68,7 @@
"PkgID": "bash@4.4.18-1.ph3.x86_64",
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:rpm/photon/bash@4.4.18-1.ph3?arch=x86_64\u0026distro=photon-3.0",
"UID": "a092142482df7886"
"PURL": "pkg:rpm/photon/bash@4.4.18-1.ph3?arch=x86_64\u0026distro=photon-3.0"
},
"InstalledVersion": "4.4.18-1.ph3",
"FixedVersion": "4.4.18-2.ph3",
@@ -132,8 +131,7 @@
"PkgID": "curl@7.61.1-4.ph3.x86_64",
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/photon/curl@7.61.1-4.ph3?arch=x86_64\u0026distro=photon-3.0",
"UID": "1f44492024a630e8"
"PURL": "pkg:rpm/photon/curl@7.61.1-4.ph3?arch=x86_64\u0026distro=photon-3.0"
},
"InstalledVersion": "7.61.1-4.ph3",
"FixedVersion": "7.61.1-5.ph3",
@@ -204,8 +202,7 @@
"PkgID": "curl-libs@7.61.1-4.ph3.x86_64",
"PkgName": "curl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/photon/curl-libs@7.61.1-4.ph3?arch=x86_64\u0026distro=photon-3.0",
"UID": "434cc417a46529a9"
"PURL": "pkg:rpm/photon/curl-libs@7.61.1-4.ph3?arch=x86_64\u0026distro=photon-3.0"
},
"InstalledVersion": "7.61.1-4.ph3",
"FixedVersion": "7.61.1-5.ph3",

27
integration/testdata/pip.json.golden vendored
View File

@@ -24,8 +24,7 @@
{
"Name": "Flask",
"Identifier": {
"PURL": "pkg:pypi/flask@2.0.0",
"UID": "301ccf5fd90d6082"
"PURL": "pkg:pypi/flask@2.0.0"
},
"Version": "2.0.0",
"Layer": {}
@@ -33,8 +32,7 @@
{
"Name": "Jinja2",
"Identifier": {
"PURL": "pkg:pypi/jinja2@3.0.0",
"UID": "212193e1595e68cc"
"PURL": "pkg:pypi/jinja2@3.0.0"
},
"Version": "3.0.0",
"Layer": {}
@@ -42,8 +40,7 @@
{
"Name": "Werkzeug",
"Identifier": {
"PURL": "pkg:pypi/werkzeug@0.11",
"UID": "56b919b561299a48"
"PURL": "pkg:pypi/werkzeug@0.11"
},
"Version": "0.11",
"Layer": {}
@@ -51,8 +48,7 @@
{
"Name": "click",
"Identifier": {
"PURL": "pkg:pypi/click@8.0.0",
"UID": "d58cb56b4e8b1ffd"
"PURL": "pkg:pypi/click@8.0.0"
},
"Version": "8.0.0",
"Layer": {}
@@ -60,8 +56,7 @@
{
"Name": "itsdangerous",
"Identifier": {
"PURL": "pkg:pypi/itsdangerous@2.0.0",
"UID": "9bf39d440e409733"
"PURL": "pkg:pypi/itsdangerous@2.0.0"
},
"Version": "2.0.0",
"Layer": {}
@@ -69,8 +64,7 @@
{
"Name": "oauth2-client",
"Identifier": {
"PURL": "pkg:pypi/oauth2-client@4.0.0",
"UID": "ffc67df5ef686f77"
"PURL": "pkg:pypi/oauth2-client@4.0.0"
},
"Version": "4.0.0",
"Layer": {}
@@ -78,8 +72,7 @@
{
"Name": "python-gitlab",
"Identifier": {
"PURL": "pkg:pypi/python-gitlab@2.0.0",
"UID": "f9cbb9736717c4d4"
"PURL": "pkg:pypi/python-gitlab@2.0.0"
},
"Version": "2.0.0",
"Layer": {}
@@ -90,8 +83,7 @@
"VulnerabilityID": "CVE-2019-14806",
"PkgName": "Werkzeug",
"PkgIdentifier": {
"PURL": "pkg:pypi/werkzeug@0.11",
"UID": "56b919b561299a48"
"PURL": "pkg:pypi/werkzeug@0.11"
},
"InstalledVersion": "0.11",
"FixedVersion": "0.15.3",
@@ -147,8 +139,7 @@
"VulnerabilityID": "CVE-2020-28724",
"PkgName": "Werkzeug",
"PkgIdentifier": {
"PURL": "pkg:pypi/werkzeug@0.11",
"UID": "56b919b561299a48"
"PURL": "pkg:pypi/werkzeug@0.11"
},
"InstalledVersion": "0.11",
"FixedVersion": "0.11.6",

9
integration/testdata/pipenv.json.golden vendored
View File

@@ -24,8 +24,7 @@
{
"Name": "werkzeug",
"Identifier": {
"PURL": "pkg:pypi/werkzeug@0.11.1",
"UID": "390fc5ac777dc4e0"
"PURL": "pkg:pypi/werkzeug@0.11.1"
},
"Version": "0.11.1",
"Layer": {},
@@ -42,8 +41,7 @@
"VulnerabilityID": "CVE-2019-14806",
"PkgName": "werkzeug",
"PkgIdentifier": {
"PURL": "pkg:pypi/werkzeug@0.11.1",
"UID": "390fc5ac777dc4e0"
"PURL": "pkg:pypi/werkzeug@0.11.1"
},
"InstalledVersion": "0.11.1",
"FixedVersion": "0.15.3",
@@ -99,8 +97,7 @@
"VulnerabilityID": "CVE-2020-28724",
"PkgName": "werkzeug",
"PkgIdentifier": {
"PURL": "pkg:pypi/werkzeug@0.11.1",
"UID": "390fc5ac777dc4e0"
"PURL": "pkg:pypi/werkzeug@0.11.1"
},
"InstalledVersion": "0.11.1",
"FixedVersion": "0.11.6",

Some files were not shown because too many files have changed in this diff Show More